Daniel Meier & Stefan Badertscher

Size: px

Start display at page:

Download "Daniel Meier & Stefan Badertscher"

Lee Parks
8 years ago
Views:

1 Daniel Meier & Stefan Badertscher

2 1. The definition of Honeypots 2. Types of Honeypots 3. Strength and Weaknesses 4. Honeypots in action 5. Conclusions 6. Questions 7. Discussion

3 A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. -Lance Spitzner

4 Honeypots are decoy computer resources with the goal to attract people who want to attack or compromise the honeypot By definition, it should not be accessed. Every access is considered to be illegal and/or not provided, because no special services are on it Occurrences: Physical / Virtual Machines Programs / Files / Database Entries Login information Credit Card Numbers

5 Observe your enemies, for they first find out your faults. -Antisthenes

6 Honeynets Honeytokens Virtual Honeypots

7 A honeynet is a network, placed behind a reverse firewall, that captures all inbound and outbound data Has by definition no traffic 1st generation: Effective for automated and beginner attacks; easily recognizable 2nd generation: Effective for advanced target attacks; more complex to install and maintain Can detect attacks which bypass Firewalls

9 Topology of a 2 nd generation honeynet Honeywall Gateway Layer 2 bridging device Layer 2 = data link layer Sicherungsschicht

10 Features that a Honeywall should implement: Data Control: Minimize risk that an attacker can take over other non honeypot systems Ensure that a Honeynet doesn t get uncovered Adjusting the risk of a Honeynet for the Organization Data Capture: Logging and monitoring honeynet activities Collecting preferentially all data of a threat Data Collection: Centralized Collection of all distributed honeynet data for better and deeper threat analysis

11 A honeytoken is a resource, which is used as a decoy A honeytoken is information Examples: Credit Card Numbers Powerpoint presentations, Excel spreadsheets, Word documents Database entries Login and Password data etc

12 Any interaction with a honeytoken is per default suspicious and unauthorized Detecting threats from inside a network but from outside Leads to information about an insider threat Tracking of the information and the individual who is trying to access it Honeytokens are information, so there are no limitations of the different shapes of it

13 No physical machines, just simulations of different Operating Systems and their Network Stack Honeyd Framework: Simulate Network Stack Implements ICMP, TCP and UDP services Scripts for different simulated services Possibility to simulate thousands of virtual machines

14 Honeyd simulating four honeypots with different operating systems

15 If you think technology can solve your security problems, then you don t understand the problems and you don t understand the technology. -Bruce Schneier

16 Advantages: Small Data Sets Easy change of its identity Highly flexible Only a few false positives Only a few false negatives Handling encryption Minimal resources Disadvantages: Risk of other attacks Limited filed of view Being discovered

17 You can t defend. You can t prevent. The only thing you can do is detect and respond. -Bruce Schneier

18 Detection of a possible security breach or an insider threat by placing important looking information into an simple A malicious insider thinks that he found usable information which presents a certain value

19 Example of a honeytoken

20 Allocate big IPv4 address spaces to virtual honeypots trying elevate the possibility of a worm detection/infection Automatic detection of payloads and creating suitable (N)IDS signatures

21 The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. -Gene Spafford

22 Honeypots are a young and interesting solution for addressing today's security problems Honeytokens are an interesting and viable way to detect insider threats Important is the right design which fits to a given environment, otherwise these solutions are pretty useless These technologies alone won t help, important is the right mix with other technologies like IDS and Firewalls Information security isn t a question of ROI, more important is the ROSI aspect and a overall ESM solution and what could happen without suitable security solutions

24 In God We Trust, all others we monitor. -Intercept Operator s motto

25 Are honeypots really a viable security solution for large corporate networks with a vast amount of employees? Are there other necessary arrangements to take with the main goal protecting a corporate network? (Think for example that we are a huge government contractor in the Military-industrial sector and of possible security threats) Honeypots as a partial solution.

26 In 2003 there has been a security breach at Valve Software. An attacker gained access to the corporate network and leaked the source code of an early version of the ego shooter Half-Life 2 to the internet. Can you think about a specific honeypot technology that could have prevented that disaster for Valve? A scenario where perhaps a honeypot could have helped protecting corporate data

27 In 2007 there was a serious security breach at various German government networks. Chinese hackers have placed Trojans and copied known more than 160GB of data. This year a botnet from Chinese hackers has been discovered with over 1295 computers infected of different foreign ministry's, consulates and even on some NATO computers. Do you think that honeypots can become a defense weapon against (future) cyber warfare? The great Government Firewall vs. Chinese Hackers - Cyberwarfare

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region HONEYPOT SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without