Honey pots


Upload: nagasaikiran

Post on 08-Oct-2015


DESCRIPTION

Honey pots is a new PPT document on networking. It helps to connect to the internet for the transfer of information.

TRANSCRIPT

  • Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks
    Ashish Gupta
    Network Security
    May 2004
    http://project.honeynet.org/misc/project.html

  • Overview
    Motivation
    What are Honeypots?
    Gen I and Gen II
    The Georgia Tech Honeynet System: Hardware/Software, IDS, Logging and review
    Some detected Exploitations: Worm exploits, Saga of the Warez Exploit
    Words of Wisdom
    Conclusions

  • Why Honeynets?
    An additional layer of security

  • Motivation
    Security is a serious problem
    Methods for detection/protection/defense:
    Firewall: the traffic cop
    IDS: detection and alert
    These have shortcomings: internal threats, virus-laden programs, false positives and false negatives
    Honeynet: an additional layer
    Not a panacea

  • Security: A Serious Problem
    Firewall: a traffic cop. Problems: internal threats, virus-laden programs
    IDS: detection and alert. Problems: false positives, false negatives

  • The Security Problem
    Firewall
    IDS
    HoneyNets: an additional layer of security

  • Properties
    Captures all inbound/outbound data
    Standard production systems
    Intended to be compromised
    Data Capture: stealth capturing; storage location away from the honeynet
    Data Control: protect the network from the honeynets

  • Two types
    Gen I: good for simpler attacks, unsophisticated targets, limited data control
    Gen II: sophisticated data control (stealth fire-walling)
    Gen I chosen

  • GATech Honeynet System
    Huge network: 4 TB data processing/day
    CONFIG: sub-standard systems, open source software, simple firewall data control

  • IDS
    Invisible SNORT monitor in promiscuous mode
    Two SNORT sessions:
    Session 1: signature analysis and monitoring
    Session 2: packet capture (DATA CAPTURE)

  • Data Analysis
    One hour daily! Requires human resources
    Forensic analysis: SNORT and DATA CAPTURE
    All packet logs stored; Ethereal used

  • Detected Exploitations
    16 compromises detected
    Worm attacks
    Hacker attacks

  • DETECTING WORM EXPLOITS
    Honeynet traffic is suspicious
    Heuristic for worm detection: frequent port scans
    Specific OS-vulnerability monitoring possible
    Captured traffic helps signature development
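As an added example, not from the original slides, the following Python applies the two ideas on this slide to constructed connection records: any traffic into the honeynet is suspicious, and one source scanning many honeynet host/port pairs in a short window is the worm heuristic. The log format, the 192.0.2.0/28 honeynet range, and the threshold of 5 targets within 60 seconds are assumptions made for the example.

```python
"""Worm-detection heuristic over honeynet logs (added example, not from the
slides). Rules from the deck: any traffic to the honeynet is suspicious, and
worm-like activity shows as one source scanning many honeynet host/port pairs
in a short window. Log format, addresses and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("192.0.2.0/28")  # assumed honeynet range (constructed)

# Constructed records: "<ISO time> <src> <dst> <dport> <proto>".
SAMPLE_LOG = """\
2004-05-01T10:00:01 198.51.100.7 192.0.2.3 135 tcp
2004-05-01T10:00:02 198.51.100.7 192.0.2.4 135 tcp
2004-05-01T10:00:02 198.51.100.7 192.0.2.5 135 tcp
2004-05-01T10:00:03 198.51.100.7 192.0.2.6 135 tcp
2004-05-01T10:00:03 198.51.100.7 192.0.2.7 135 tcp
2004-05-01T10:00:04 198.51.100.7 192.0.2.8 135 tcp
2004-05-01T10:05:00 203.0.113.9 192.0.2.3 80 tcp
2004-05-01T11:30:00 198.51.100.7 192.0.2.9 135 tcp
"""

def parse_log(text):
    """Yield (time, src, dst, dport) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, _proto = line.split()
            yield datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)

def honeynet_contacts(records):
    """Rule 1: any contact from outside into the honeynet is suspicious."""
    return [r for r in records if r[2] in HONEYNET and r[1] not in HONEYNET]

def worm_like_sources(contacts, min_targets=5, window=timedelta(seconds=60)):
    """Rule 2: flag a source that hits >= min_targets distinct host:port pairs
    within `window`; returns {src: (sorted ports, target count)}."""
    by_src = defaultdict(list)
    for t, s, d, p in contacts:
        by_src[s].append((t, d, p))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # try a window starting at each event, in time order
        for i, (t0, _, _) in enumerate(events):
            targets = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[str(src)] = (sorted({p for _, p in targets}), len(targets))
                break
    return flagged
```

The single contact from 203.0.113.9 is still reported by rule 1 but not by rule 2, which is the distinction the slide draws between generally suspicious honeynet traffic and worm-like scanning.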

  • SAGA of the WAREZ Hacker
    Helped locate a compromised host
    Honeynet: IIS exploit, then Warez server + backdoor
    Very difficult to detect otherwise!

  • Words of Wisdom
    Start small
    Good relationships help
    Focus on internal attacks
    Don't advertise
    Be prepared to spend time

  • Conclusion
    Helped locate compromised systems
    Can boost IDS research
    Data capture
    Distributed honeynets?
    Hunting down honeypots: http://www.send-safe.com/honeypot-hunter.php

  • Discussion
    The usefulness of the extra layer?
    Dynamic HoneyNets
    Comparison with IDS: are these a replacement or complementary? (Honeynet vs IDS)

  • IDS vs HoneyNet
    The IDS's primary function is detection and alerting
    Honeynets use an IDS to detect and alert, but nothing is done to control the threat
    Their primary intent is to log and capture the effects and activities of the threat
    Honeynets do not protect the network; they have protection as a benefit, not intent

  • Notes: Introduce the project. Honeynets are not a panacea for security but only an additional level of protection.