Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks
Page 1
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks
Ashish Gupta, Network Security
May 2004
http://project.honeynet.org/misc/project.html
Page 2
Overview
• Motivation
• What are Honeypots?
– Gen I and Gen II
• The GeorgiaTech Honeynet System
– Hardware/Software
– IDS
– Logging and review
• Some detected Exploitations
– Worm exploits
– Saga of the Warez Exploit
• Words of Wisdom
• Conclusions
Page 3
Why Honeynets?
An additional layer of security
Page 4
Security: A Serious Problem
Firewall – A Traffic Cop
Problems:
– Internal Threats
– Virus-Laden Programs
IDS – Detection and Alert
Problems:
– False Positives
– False Negatives
Page 5
The Security Problem
Firewall – IDS – HoneyNets
HoneyNets: an additional layer of security
Page 6
• Captures all inbound/outbound data
• Standard production systems
• Intended to be compromised
• Data Capture
– Stealth capturing
– Storage location: away from the honeynet
• Data Control
– Protect the network from the honeynets
Page 7
Two types
Gen I:
– Good for simpler attacks
– Unsophisticated targets
– Limited Data Control
Gen II:
– Sophisticated Data Control: Stealth Fire-walling
Gen I chosen
Page 8
Page 9
GATech Honeynet System
Huge network: 4 TB data processing/day
CONFIG:
– Sub-standard systems
– Open Source Software
– Simple Firewall Data Control
Page 10
IDS: Invisible SNORT Monitor
Promiscuous mode
Two SNORT Sessions:
– Session 1: Signature Analysis (MONITORING)
– Session 2: Packet Capture (DATA CAPTURE)
Page 11
Page 12
Data Analysis
One hour daily!
Requires human resources
Forensic Analysis
SNORT DATA CAPTURE: all packet logs stored; Ethereal used
Page 13
Detected Exploitations
16 compromises detected
Worm attacks / Hacker Attacks
Page 14
DETECTING WORM EXPLOITS
Honeynet traffic is suspicious
Heuristic for worm detection: frequent port scans
Specific OS-vulnerability monitoring possible
Captured traffic helps signature development
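The slide's heuristic (all traffic to a honeynet is suspicious, so a source touching many honeynet host:port pairs in a short window is scanning) as an added worked example; this is not the GATech tooling, and the log format, addresses, campus prefix and thresholds are constructed assumptions.

```python
"""Worm-scan heuristic over honeynet connection records (added example, not
the GATech tooling): any source touching many distinct honeynet host:port
pairs inside a short window is flagged. Log format, addresses and the
campus prefix are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: "timestamp src dst dport" lines, as a summary exported
# from the packet-capture SNORT session might produce.
SAMPLE_LOG = """\
2004-05-03T10:00:00 203.0.113.7 10.9.1.10 445
2004-05-03T10:00:01 203.0.113.7 10.9.1.11 445
2004-05-03T10:00:01 203.0.113.7 10.9.1.12 445
2004-05-03T10:00:02 203.0.113.7 10.9.1.13 445
2004-05-03T10:00:05 10.3.4.50 10.9.1.10 80
2004-05-03T10:00:06 10.3.4.50 10.9.1.11 80
2004-05-03T10:00:06 10.3.4.50 10.9.1.12 80
2004-05-03T10:05:00 192.0.2.9 10.9.1.10 22
2004-05-03T10:10:00 192.0.2.9 10.9.1.11 22
2004-05-03T10:15:00 192.0.2.9 10.9.1.12 22
"""
ENTERPRISE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed campus range

def parse_log(text):
    """Parse the summary lines into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records

def find_scanners(records, threshold=3, window=timedelta(seconds=60)):
    """Return {src: (distinct_targets, is_internal)} for every source that
    hits at least `threshold` distinct dst:port pairs within one `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        by_src[src].append((ts, (dst, dport)))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                internal = ipaddress.ip_address(src) in ENTERPRISE_NET
                hits[src] = (len(targets), internal)  # internal = likely compromised host
                break
    return hits
```

Internal sources that trip the heuristic are the interesting ones for the "locate a compromised host" use case on the following slides; the slow 192.0.2.9 probes stay below the window threshold and are not flagged.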
Page 15
SAGA of the WAREZ Hacker
Helped locate a compromised host
Honeynet
IIS Exploit → Warez Server + Backdoor
Very difficult to detect otherwise!
Page 16
Words of Wisdom
• Start small
• Good relationships help
• Focus on internal attacks
• Don't advertise
• Be prepared to spend time
Page 17
Conclusion
• Helped locate compromised systems
• Can boost IDS research
– Data capture
• Distributed Honey nets?
Page 18
Discussion
• The usefulness of the extra layer?
• Dynamic HoneyNets
• Comparison with IDS: are these a replacement or complementary?
HONEYNET – IDS