HONEYPOTS TRACKING HACKERS By Nishesh Bakshi
A WORD ON SECURITY
“The secret to a good defense is good offense” - Anonymous
Brief Background • Who is a Hacker? – A Hacker is a person who tries to gain unauthorized access to a network.
How does a hacker affect a server? • Steals confidential data. • Impersonates someone else. • Causes loss of resources. • Sometimes causes even hardware loss.
What are the security issues? • To provide a secure connection between the client and the server. • E.g. the email service provided by various web sites.
How Hackers work • Gather information about the server • Choose the weakest link • Start exploiting that link
How Honeypots work.
Definition of Honeypots “A honeypot is a security resource whose value is in being probed, attacked or compromised”
HONEYPOT ? • HoneyPots are not a single tool but a highly flexible technology. • HoneyPots come in a variety of shapes and sizes: everything from a simple Windows system emulating a few services to an entire network of production systems waiting to be hacked!
• HoneyPots have a variety of values: everything from a burglar alarm that detects an intruder to a research tool that can be used to study the motives of the black hat community!
QUESTIONS ON HPs ?
• What are the different values this unique technology can have? • What are the different HoneyPot technologies available today? • What are the advantages and disadvantages of using HoneyPots? • Are there any deployment and maintenance issues associated with HoneyPots? • Are all HoneyPots offensive in nature?
IS THIS A HONEYPOT ? On a network, install a firewall which restricts all outbound traffic. Attackers can get into the network but cannot use this network to spread the infection further.
CONCERNS (THE “WHAT-IF” FACTOR) • What if the attacker is lured into a HoneyPot? He/She will be infuriated by the deception and retaliate against the organisation. • What if the HoneyPot is misconfigured?
THEN WHY USE HONEYPOTS ? • At the end of the year 2000, the life expectancy of a default installation of Red Hat 6.2 was less than 72 hours! • One of the fastest recorded times a HoneyPot was compromised was 15 min. This means that within 15 min of being connected to the internet, the system was found, probed, attacked, and successfully exploited by the attacker! The record for capturing a worm was 90 sec! • During an 11 month period (Apr 2000 – Mar 2001), there was a 100% increase in IDS alerts based on Snort. • In the beginning of 2002, a home network was scanned on average by three different systems a day. • The year 2001 saw a 100% increase in reported incidents, from 21,756 to 52,658 reported attacks.
WHAT CAN HONEYPOTS DO ? • Can they capture known attacks? • Can they detect unknown attacks?
ADVANTAGES OF USING HONEYPOTS • Data Value HoneyPots collect very little data, but what they collect is of very high value. The Honeynet Project research group collects less than 1 MB of data per day!
• Resources HoneyPots typically do not have problems of resource exhaustion.
• Simplicity No fancy algorithms to develop. No signature databases to maintain. No rule bases to misconfigure!
DISADVANTAGES OF HONEYPOTS
• Narrow field of view HoneyPots only see the activity directed against them.
• Fingerprinting An incorrectly implemented HoneyPot can give itself away, exposing both itself and others of the same kind.
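As an added example that is not part of the original deck: a minimal low-interaction listener of the kind described above (a single host emulating one service). Every connection is logged without any signature database, and the constructed banner is kept bland so the listener does not fingerprint itself. The banner, host name and `probe` client are assumptions made for this example.

```python
import socket
import threading
import time
# Constructed banner imitating an SMTP greeting; a plain, realistic banner avoids standing out.
BANNER = b"220 mail.example.com ESMTP ready\r\n"
events = []  # every connection is logged: a honeypot has no legitimate clients

def record(peer, data):
    """One log record per hit; no signature match is needed to call it suspicious."""
    event = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src": f"{peer[0]}:{peer[1]}",
        "bytes": len(data),
        "sample": data[:64].decode("ascii", "replace"),  # short printable sample only
    }
    events.append(event)
    return event
def handle(conn, peer):
    """Greet, capture the first request, log it. Never act on the input."""
    with conn:
        conn.sendall(BANNER)
        conn.settimeout(2.0)  # a client that connects and sends nothing is still logged
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        record(peer, data)
def serve(host="127.0.0.1", port=0):
    """Start the listener in a daemon thread and return the bound port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]
def probe(port, payload=b"EHLO scanner\r\n"):
    """Constructed client standing in for a scan; returns the banner once the hit is logged."""
    before = len(events)
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(128)
        c.sendall(payload)
    deadline = time.time() + 2
    while len(events) == before and time.time() < deadline:
        time.sleep(0.05)
    return banner
```

In a real deployment the listener sits behind the outbound-restricting firewall from the earlier slide, so a compromised host cannot reach other systems.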
CLASSIFICATION OF HONEYPOTS (1/2)
[Based on level of INTERACTION] • Are you hoping to catch the attackers in action and learn about their tools and tactics? OR
• Are you interested in detecting unauthorized activity? OR
• Are you hoping to capture the latest worm for analysis?
CLASSIFICATION OF HONEYPOTS (2/2)
LEVEL OF      WORK TO INSTALL   WORK TO DEPLOY   INFORMATION   LEVEL OF
INTERACTION   AND CONFIGURE     AND MAINTAIN     GATHERING     RISK
Low           Easy              Easy             Limited       Low
Medium        Involved          Involved         Variable      Medium
High          Difficult         Difficult        Extensive     High
Conclusion • Honeypots are good resources for tracing hackers. • The value of Honeypots is in being Hacked. • Honeypots have their own pros and cons and this technology is still developing.
REFERENCES
• WWW.SNORT.ORG
• WWW.HACKINGEXPOSED.COM
• WWW.INFOSECWRITERS.COM
• WWW.SECURITYFOCUS.COM
• WWW.SANS.ORG
• WWW.SPECTER.COM