Honeypots - cs.arizona.educollberg/Teaching/466-566/2014/Resources/... · 22.04.2012 · Honeypots...
Honeypots
Mathias Gibbens Harsha vardhan Rajendran
April 22, 2012
Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28
Outline
1 Introduction
2 History
3 Types of honeypots
4 Deception techniques using Honeypots
5 Honeyd
6 Service-specific honeypots
7 Deployment strategies
8 Pros / Cons
9 Real life uses
10 Improvements
11 Conclusion
Introduction
1 What is a honeypot?
2 What are the uses for a honeypot?
Introduction
Figure: The key characters in our drama.
Introduction
1 Example of a logged attack: http://goo.gl/phnI3
History
1 Origin of the name
2 Early manual entrapment by the Military
3 Cheswick at AT&T Bell
“I wanted to watch the cracker’s keystrokes, to trace him, learn his techniques, and warn his victims. The best solution was to lure him to a sacrificial machine and tap the connection. ... Though the Jail was an interesting and educational exercise, it was not worth the effort. It is too hard to get it right, and never quite secure. A better arrangement involves a throwaway machine with real security holes, and a monitoring machine on the same Ethernet to capture the bytes.”
History
Figure: Honeypot development milestones.
Types of honeypots
1 There are many ways to classify honeypots
2 The most common is by the amount of interaction provided to the malicious user: high, medium, or low
3 Other ways are by looking at the data collected and whether or not more than one honeypot is being used
Types of honeypots - Interactive
1 Low-interaction: Emulates a single service; must be simple
2 Medium-interaction: Emulates a group of services that could be expected on a server
3 High-interaction: Full OS is presented to attacker; most useful, but also most risky
Types of honeypots - Type of data collected
1 Various types of data can be collected:
2 Events
3 Attacks
4 Intrusions
Types of honeypots - System configuration
1 Stand alone
2 Honeyfarm presenting a unified appearance to attacker
Uses of honeypots
1 Production environments to provide information and warning
2 Security research trying to keep a step ahead of new attacks
Uses of honeypots
Figure: An example of an exposed honeypot.
Honeypots as mobile code throttlers
1 Principle: Infected machines make more connections than regular ones
2 Sacrifice a few machines for the common good
3 Prevents a virus from spreading across the network, but cannot save the system
Honeypots as mobile code throttlers
Figure: Virus throttling
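
The throttling principle above, as an added example that is not part of the original slides: connections to recently used destinations pass at once, connections to new destinations wait in a delay queue drained at one per tick, and a host whose queue grows too long is cut off. The working-set size, the alarm threshold, the class and function names, and both traffic traces are assumptions constructed for illustration.

```python
from collections import OrderedDict, deque


class ConnectionThrottle:
    """Per-host limiter for connections to destinations not contacted recently."""

    def __init__(self, working_set_size=4, alarm_queue_len=10):
        self.working_set = OrderedDict()   # recently contacted destinations, oldest first
        self.working_set_size = working_set_size
        self.delay_queue = deque()         # pending requests to unfamiliar destinations
        self.alarm_queue_len = alarm_queue_len
        self.flagged = False               # True once the host is treated as infected

    def request(self, dest):
        """Return True if the connection may proceed now, False if delayed or blocked."""
        if self.flagged:
            return False                   # the sacrificed host gets no further connections
        if dest in self.working_set:
            self.working_set.move_to_end(dest)
            return True
        self.delay_queue.append(dest)
        if len(self.delay_queue) > self.alarm_queue_len:
            self.flagged = True            # new destinations arrive faster than they drain
        return False

    def tick(self):
        """Once per time unit, release at most one delayed destination."""
        if self.flagged or not self.delay_queue:
            return None
        dest = self.delay_queue.popleft()
        # Requests queued for the same destination are released together.
        self.delay_queue = deque(d for d in self.delay_queue if d != dest)
        self.working_set[dest] = True
        self.working_set.move_to_end(dest)
        while len(self.working_set) > self.working_set_size:
            self.working_set.popitem(last=False)   # evict the oldest destination
        return dest


def simulate(traffic_per_tick, **settings):
    """Replay a trace (one list of destinations per tick) through a throttle."""
    throttle = ConnectionThrottle(**settings)
    reached, flagged_at = set(), None
    for tick_no, destinations in enumerate(traffic_per_tick):
        for dest in destinations:
            if throttle.request(dest):
                reached.add(dest)
        if throttle.flagged and flagged_at is None:
            flagged_at = tick_no
        released = throttle.tick()
        if released is not None:
            reached.add(released)
    return {"reached": len(reached), "flagged_at": flagged_at}


# Constructed traces: a workstation that talks to three servers, and an
# infected host that tries five new addresses on every tick.
NORMAL = [["mail"], ["web"], ["mail", "web"], ["files"], ["web"], ["mail"]]
WORM = [[f"10.0.{t}.{i}" for i in range(5)] for t in range(4)]

if __name__ == "__main__":
    print("normal:", simulate(NORMAL))
    print("worm:  ", simulate(WORM))
```

With the default settings the regular trace reaches all three of its servers and is never flagged, while the scanning trace reaches 2 of the 20 addresses it tries before the host is cut off on the third tick. The infected machine itself is not repaired, which is the "cannot save the system" point on the slide.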
Honeytokens (cost-effective honeypots)
1 Reiterate Honeypot definition: an information system resource whose value lies in the unauthorized or illicit use of that resource.
2 Honeytoken is a Honeypot which is not a computer, but a digital entity.
3 Hospital DB example
Honeytokens (cost-effective honeypots)
Figure: Honeytoken
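
A hospital-database honeytoken sketched as an added example, not taken from the original slides: a decoy patient row that no legitimate workflow reads, and a query wrapper that raises an alert whenever that row appears in a result set. The table layout, the record values and the function names are constructed for illustration.

```python
import sqlite3

# Constructed decoy record. It belongs to no real patient, so any read of it
# is by definition unauthorized or illicit use.
HONEYTOKEN = {"mrn": "MRN-000000", "name": "Jane Q. Decoy", "ward": "Oncology"}


def build_demo_db():
    """Create an in-memory patient table holding two sample rows and the decoy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, ward TEXT)")
    rows = [
        ("MRN-104233", "Alice Example", "Cardiology"),   # constructed sample row
        ("MRN-104871", "Bob Sample", "Oncology"),        # constructed sample row
        tuple(HONEYTOKEN.values()),
    ]
    db.executemany("INSERT INTO patients VALUES (?, ?, ?)", rows)
    return db


def audited_query(db, user, sql, params=()):
    """Run a query and return (rows, alerts); one alert per returned decoy row."""
    rows = db.execute(sql, params).fetchall()
    markers = {HONEYTOKEN["mrn"], HONEYTOKEN["name"]}
    alerts = [
        f"honeytoken read by {user}: {sql}"
        for row in rows
        if markers & set(row)          # any cell equal to a decoy marker
    ]
    return rows, alerts


if __name__ == "__main__":
    db = build_demo_db()
    # A targeted lookup of a real record never touches the decoy.
    print(audited_query(db, "nurse1",
                        "SELECT * FROM patients WHERE mrn = ?", ("MRN-104233",)))
    # A bulk dump of the table does.
    print(audited_query(db, "unknown", "SELECT * FROM patients"))
```

Queries that return neither marker column, such as `SELECT COUNT(*)`, pass without an alert, so the decoy catches reads of record contents rather than every touch of the table.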
Honeyd - Introduction
1 Honeyd - Low interaction virtual honeypot
2 Deception through simulation of network stack
Honeyd - Architecture
Figure: Honeyd architecture.
Service-specific honeypots
1 Simpler honeypots running for a specific service
2 SSH honeypot (kippo)
3 Logs interactions for later analysis
4 Fairly safe to run on a computer, even if not dedicated
5 This idea can be applied to other services as well
Deployment strategies
1 Sacrificial lamb
2 Deception ports on production systems
3 Proximity decoys
4 Redirection shield
5 Minefield
Deployment strategies
Figure: Redirection shield.
Figure: Minefield.
Honeypot Pros
1 Shield real servers from attacks
2 Gather information about current attack strategies
3 Limit risk to real data
Honeypot Cons
1 At best, just a copy of the real target
2 Potentially prone to the same weaknesses as their copy
3 Additional time required to develop and maintain, in addition to real servers
Real life uses
1 Honeypots can play a vital role in a layered security setup
2 At Utah State University as part of protecting their SSH servers: “[Honeypots] make it easy to automate blocking SSH attackers, with virtually no chance of false positives.”
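
One way to automate that kind of blocking, as an added example that is not from the slides or from Utah State's setup: every source that attempts a login on an SSH honeypot goes onto a blocklist, since no legitimate user has a reason to connect there. The log format, field names and addresses below are constructed and are not kippo's own log format; the allowlist for an internal scanner is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed honeypot log using documentation address ranges.
SAMPLE_LOG = """\
2012-04-20 03:14:07 ssh-honeypot login attempt src=203.0.113.7 user=root
2012-04-20 03:14:09 ssh-honeypot login attempt src=203.0.113.7 user=admin
2012-04-20 03:14:12 ssh-honeypot login attempt src=203.0.113.7 user=test
2012-04-20 03:14:13 ssh-honeypot connection closed src=203.0.113.7
2012-04-20 04:02:51 ssh-honeypot login attempt src=198.51.100.23 user=oracle
2012-04-20 05:00:00 ssh-honeypot login attempt src=192.0.2.10 user=scanner
2012-04-20 06:30:41 ssh-honeypot login attempt src=not-an-ip user=root
2012-04-20 07:45:02 ssh-honeypot login attempt src=2001:db8::5 user=root
"""

LOGIN_RE = re.compile(r"login attempt src=(\S+) user=(\S+)")


def build_blocklist(log_text, allowlist=(), min_attempts=1):
    """Return a sorted list of source addresses seen attempting honeypot logins.

    allowlist    -- networks never blocked (for example an internal scanner)
    min_attempts -- minimum number of login attempts before a source is listed
    """
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    attempts = Counter()
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match:
            continue                      # not a login attempt
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue                      # malformed source field, never block on it
        if any(addr in net for net in allowed):
            continue                      # known internal source
        attempts[addr] += 1
    return sorted(str(a) for a, n in attempts.items() if n >= min_attempts)


if __name__ == "__main__":
    for address in build_blocklist(SAMPLE_LOG, allowlist=["192.0.2.0/28"]):
        print(address)
```

The allowlist is what keeps the false-positive rate low in practice: an organisation's own vulnerability scanner or monitoring host is the one legitimate source likely to touch the honeypot.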
Improvements
1 There is a constant battle between security researchers and hackers
2 Honeypots need to be updated to emulate newer servers and fix implementation bugs
Conclusion
1 Honeypots can be very useful as part of a comprehensive security setup
2 Let us see the interactions of malicious users without their being aware
3 Versatile: many possible uses
Conclusion
Questions?