Honeypots and Honeynets

Pravesh Gaonjur
University of Technology, Mauritius
School of Business Informatics and Software Engineering
La Tour Koenig, Pointes Aux Sables, Mauritius
Email: [email protected]

Abstract

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Honeynets are nothing more than a type of honeypot, which is “a security resource whose value lies in being probed, attacked or compromised”. Usually, honeypots and honeynets are used to gather information about the threats that organizations might face and therefore to protect them. They are often classified by the level of interactivity they allow attackers. Some characteristics of both types of honeypot are well known in the research community: low-interactivity honeypots are used for production purposes because they are easy to deploy and maintain, involve few risks for the organizations using them, but still gather valuable information; high-interactivity honeypots are more difficult to deploy and maintain and gather an extensive amount of information, but involve more risks for organizations. However, no work has been done so far to validate these statements, and this is what this work focuses on. Our main goals are to point out the main differences between honeypots and honeynets, to describe and discuss the importance of both technologies, to introduce the concept of distributed honeypots, and to determine how security can be enhanced using honeypots, honeynets, distributed honeynets or a combination of them.


TABLE OF CONTENTS

List of Figures
1.0 Introduction
2.0 Honeypots
2.1 Type of Honeypots
2.1.1 Production/Research
2.1.2 Low/High Interactivity
2.2 Value of Honeypots
2.2.1 Prevention
2.2.2 Detection
2.2.3 Response
2.3 Advantages of Honeypots
2.4 Disadvantages of Honeypots
2.5 Risks with Honeypots
3.0 Honeynets
3.1 Requirements of Honeynets
3.2 Types of Honeynets
3.3 How Honeynets Work
3.4 Risks with Honeynets
4.0 Importance of Using Honeypots and Honeynets
4.1 Possible Information Gain on Attacks by Honeynets
4.2 Possible Increased Security by Using Honeynets as a Decoy
4.3 Possible Increased Security by Using Aggressive Honeynets for Redirection
5.0 Raising Security Awareness
6.0 Conclusion
References


List of Figures

Figure 1 – Honeynet Architecture


1.0 Introduction

Many organizations today use firewalls and intrusion detection systems (IDSs) as part of their network security defenses. Apart from these two technologies, which are now commonly used, honeypots have received much attention in recent years. A honeypot can be thought of as a decoy computer system that uses deception to lure intruders so that we can learn their behaviors. The honeypot is usually a system that is deliberately made vulnerable, with fake services, to make it look and act like a real system. Intruders who discover the honeypot may choose to compromise it since doing so is a relatively easy task. As a result, system administrators can investigate the traces left by intruders to learn about their tools and techniques in detail.

In this regard, we are going to analyze honeypots, honeynets and distributed honeynets in order to determine what measures we can recommend to enhance security using these technologies.

2.0 Honeypots

Honeypots are highly flexible tools that come in many forms and contribute to the overall security of a given network. They can be used for anything from detecting new attack methods to capturing the latest techniques and tools of attackers. This flexibility, while giving honeypots their true power, leads to considerable confusion and misunderstanding about what honeypots really are. Lance Spitzner defines the term honeypot as follows:

“A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.”

Conceptually, all honeypots work the same way. No connections are expected, since they are not supposed to provide any valuable service. That means that any interaction with the honeypot is most likely unauthorized or anomalous activity.


2.1 Type of Honeypots

There are basically two ways to classify honeypots. The first classification is based on the purpose of the honeypot: production or research. The other is based on one of the main characteristics of the honeypot: low or high interactivity.

2.1.1 Production / Research

Production honeypots are usually used by commercial organizations to help mitigate risks. These honeypots add value to the security measures of an organization. They tend to be easy to deploy and maintain, and their simplicity keeps the related risks low. Due to their nature and their deliberate lack of flexibility, these honeypots offer very few opportunities for attackers to exploit them in order to perform actual attacks.

Research honeypots are designed to gather information about attackers. They do not provide any direct value to a specific organization but are used to collect information about the threats organizations may face, so that better protection methods can be developed and deployed against these threats. They are more complex and involve more risks than production honeypots simply because they are real machines rather than emulated OSes and services. They also tend to be more difficult to administer.

2.1.2 Low / High Interactivity

Interaction defines the level of activity a honeypot allows an attacker.

Low-interactivity honeypots do not implement actual functional services, but provide an emulated environment that can masquerade as a real OS running services to connecting clients. These limited functionalities are often scripts that emulate simple services, making the assumption of some predefined behaviour on the part of the attacker. The attacker's possibilities to interact with these emulated services are limited, which makes low-interactivity honeypots less risky than high-interactivity honeypots. Indeed, there is no real OS or service for the attacker to log on to, and therefore the honeypot cannot be used to attack or harm other systems. The primary value of low-interactivity honeypots is the detection of scans or unauthorized connection attempts, but they tend not to be good for finding unknown attacks and unexpected behaviour. Low-interactivity honeypots are often used as production honeypots.

High-interactivity honeypots, on the other hand, do not emulate anything and give the attacker a real system to interact with, where almost nothing is restricted, which makes them more risky than low-interactivity honeypots. These honeypots should be placed behind a firewall to limit the risks. They tend to be difficult to deploy and maintain, but it is believed that they provide a vast amount of information about attackers, allowing the research community to learn more about the behaviour and motives of the blackhat community. They are usually used as research honeypots.
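As an added illustration of the low-interactivity model described above (not code from the paper), the script below emulates a single mail-like service with canned replies, treats every connection as suspicious because the honeypot has no legitimate users, and flags peers that touch several emulated ports as scanners. The banner text, the listening port and the JSON alert format are assumptions.

```python
"""Minimal low-interaction honeypot: emulates a mail-like service with canned
replies only, never relays or executes anything, and records every
connection as an alert. Added example, not from the paper; banner text, the
listening port and the JSON alert format are assumed."""
import json
import socket
import threading
import time
from collections import defaultdict
from dataclasses import dataclass, asdict

BANNER = b"220 mail.example.test ESMTP ready\r\n"   # constructed fake banner

@dataclass
class Event:
    ts: float
    peer: str           # connecting address
    service_port: int   # emulated port that was contacted
    request: str        # first line the client sent, truncated
    verdict: str        # always "suspicious": a honeypot has no legitimate users

def emulate(request: bytes) -> bytes:
    """Scripted responses for a few verbs; everything else is refused. This is
    the 'predefined behaviour' assumption of low-interaction honeypots."""
    verb = request.strip().split(b" ", 1)[0].upper()
    if verb in (b"HELO", b"EHLO"):
        return b"250 mail.example.test\r\n"
    if verb == b"QUIT":
        return b"221 bye\r\n"
    return b"502 command not implemented\r\n"

def record(peer: str, service_port: int, request: bytes, ts: float = 0.0) -> Event:
    """Any interaction is anomalous by definition, so each one is an alert."""
    return Event(ts or time.time(), peer, service_port,
                 request[:80].decode("latin-1", "replace").rstrip("\r\n"), "suspicious")

def scanners(events, min_ports: int = 3):
    """Peers that touched at least min_ports distinct emulated ports: the
    signature of a scan rather than one stray connection."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev.peer].add(ev.service_port)
    return sorted(p for p, s in ports.items() if len(s) >= min_ports)

def handle(conn, addr, service_port, events):
    conn.settimeout(5)
    try:
        conn.sendall(BANNER)
        data = conn.recv(512)
    except OSError:           # includes socket.timeout
        data = b""
    ev = record(addr[0], service_port, data)
    events.append(ev)
    print(json.dumps(asdict(ev)))          # one JSON alert line per connection
    try:
        conn.sendall(emulate(data))
    except OSError:
        pass
    conn.close()

def serve(bind="127.0.0.1", port=2525, events=None):
    """Accept loop; one thread per connection, all sharing the event list."""
    events = [] if events is None else events
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr, port, events),
                         daemon=True).start()

if __name__ == "__main__":
    serve()
```

Run one instance per emulated port and feed the shared event list to scanners() to see the scan-detection value the text attributes to low-interactivity honeypots.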

2.2 Value of Honeypots

The value of honeypots depends closely on what kind of honeypot we are dealing with. Production honeypots are used to help organizations protect themselves against attackers, which includes preventing, detecting and responding to attacks. Research honeypots are used to collect information that will be analysed to develop better protection methods.

2.2.1 Prevention

Prevention means keeping the threat out of the production systems. This can be done by several means such as firewalls, authentication and encryption. However, honeypots add a little value to prevention. While honeypots can prevent the spreading of a worm across the network (sticky honeypots), they also help to prevent attacks by human attackers. Two concepts are involved in human prevention: deception and deterrence. Deception is making the attacker waste his time and resources attacking honeypots. Deterrence is when the attacker does not want to attack a network because he knows that there are honeypots in that network, and fears being logged and caught.


2.2.2 Detection

Detection means identifying a failure or a breakdown in prevention. This can also be done by several means, such as Intrusion Detection Systems (IDS), but honeypots effectively address some weaknesses of such systems: false positives, false negatives and the value of the data gathered. Because honeypots have no production purpose, they generate very few false positives. Because all the traffic to and from a honeypot is suspicious, they also address the false negative issue. Because of their simplicity and design, honeypots gather a small amount of data of very high value.

2.2.3 Response

The challenge that organizations face when they want to react to an attack is evidence collection. This is an important issue when the organization wants to prosecute the attacker, as well as when it wants to defend itself against this threat. Honeypots address these problems in two ways. First, the only traffic on the honeypot is the attacker's traffic, which makes it easier to analyse the attacker's behaviour in a honeypot than in a production system, since the only data retrieved from the honeypot is malicious data. Second, it is much simpler to take the honeypot offline for further analysis without affecting other business activities of the organization.

2.3 Advantages of Honeypots

• Fidelity – small data sets of high value
• Reduced false positives
• Reduced false negatives
• New tools and tactics
• Not resource intensive
• Simplicity


2.4 Disadvantages of Honeypots

• Labor/skill intensive
• Limited view
• Does not directly protect vulnerable systems
• Risks

2.5 Risks with Honeypots

Identifying Honeypots
• Black-hats know which systems to avoid.
• Feed the honeypot false or bogus information.
• Eliminate fingerprinting.
• Chess problem!

Exploiting Honeypots
• It is expected that attackers gain privileged control of the honeypots.
• Stepping stone to harm other systems.
• Several layers of data control.
• Human intervention.


3.0 Honeynets

Before we can know what a honeynet is, we need to know what a honeypot is. A honeypot is an isolated network that has been designed with the intent of capturing intruders and logging the intruders' movements within the attacked isolated network. All traffic entering and leaving the honeypot is logged. A honeynet is an actual network of computers left in their default (and insecure) configuration. This network sits behind a firewall where all inbound and outbound data is contained, captured and controlled. This captured information is then analyzed to learn the tools, tactics, and motives of the hacker community.

The concept of the honeynet first began in 1999 when Mr. Lance Spitzner, founder of the Honeynet Project, published the paper “To Build a Honeypot”. In this paper, Mr. Spitzner proposed that, instead of developing technology that emulated systems to be attacked, real systems should be deployed behind firewalls, waiting to be hacked.

In the most basic sense, a honeynet is a type of honeypot, more specifically a type of high-interaction honeypot. Being a high-interaction honeypot, nothing is emulated; all services, applications and operating systems are as real as in any production environment. An important characteristic that separates a high-interaction honeypot from a honeynet is that a honeynet contains one or more honeypots. It is a network of multiple systems creating the illusion of a production network. It is through this network, specifically through the network access device, that hacker activity is monitored, recorded and controlled. Based on all of this, we can construct the basic definition of a honeynet:

A honeynet is a network of high-interaction honeypots that simulates a production network and is configured such that all activity is monitored, recorded and, to a degree, discretely regulated.

Figure 1 – Honeynet Architecture


3.1 Requirements of Honeynets

• Data Control – reduce risk: the honeynet cannot be used to harm others
• Data Capture – detect and capture all the blackhat's activities
• Data Analysis – analyze what the blackhat has done

Data Control is the containment of activity. The primary purpose of this requirement is risk mitigation, which entails that all attacker activities be confined within the honeynet. Since honeynets are high-interaction honeypots, attackers are interacting with real systems; they have more freedom in their activities, and consequently this also provides us more opportunity to learn from those activities. This presents an unusual dilemma: whether to allow the attackers to carry on and learn more, or to curb their activities and prevent them from possibly damaging non-honeypot systems. This thin line is what you have to tread each time you implement a honeynet. Each answer will be different depending on your goals, but one must remember that data control takes precedence over all other requirements. The attacker should not be able to attack or cause damage to any system outside the honeynet. Once the attacker does harm other systems, your honeynet implementation has not only failed but is already a danger to your networks and the networks of others.

The second requirement of honeynets is Data Capture. Data Capture is the monitoring and logging of attacker activities within the honeynet. These activities are what form the basis of our data and the core of our research and analysis. For a more complete data capture, and to better piece together the activities of the attacker, it is necessary to have multiple mechanisms for capturing these activities. These could be in the form of tcpdump logs, IDS logs, Sebek data and firewall logs, among others. This is also important so that a failure in one of these mechanisms still allows you to collect one form of data or another, preventing a total blackout of activity data.
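The two requirements above, as an added example that is not from the paper: a simulated honeynet gateway that enforces data control by limiting the outbound connections each honeypot may initiate per protocol within a one-hour window, while writing every decision to a capture log that is merged with a second sensor's alerts into one timeline. The per-hour limits, addresses and log formats are assumptions.

```python
"""Simulated honeynet gateway: data control by rate-limiting outbound
connections from each honeypot, and data capture as a per-decision log that is
merged with a second sensor's alerts. Added example, not the paper's code;
limits, addresses and log formats are assumed."""
from collections import defaultdict, deque

# Assumed per-honeypot, per-hour limits on connections it may initiate outward.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
DEFAULT_LIMIT = 10
WINDOW = 3600  # seconds

class OutboundLimiter:
    """Counts allowed outbound connections per (honeypot, protocol) in a
    sliding window and drops the excess. Inbound traffic is never limited:
    the honeynet must stay reachable to remain attractive."""

    def __init__(self, limits=None, window=WINDOW):
        self.limits = dict(LIMITS if limits is None else limits)
        self.window = window
        self.allowed = defaultdict(deque)  # (src, proto) -> timestamps allowed
        self.log = []                      # data capture: one line per decision

    def decide(self, ts, src, proto, dst, dport):
        q = self.allowed[(src, proto)]
        while q and ts - q[0] >= self.window:   # expire entries outside the window
            q.popleft()
        if len(q) < self.limits.get(proto, DEFAULT_LIMIT):
            q.append(ts)
            verdict = "ALLOW"
        else:
            verdict = "DROP"                     # containment: the excess is blocked
        self.log.append(f"ts={ts} sensor=gateway honeypot={src} proto={proto} "
                        f"dst={dst}:{dport} window_count={len(q)} verdict={verdict}")
        return verdict

def correlate(*sources):
    """Merge capture sources (each a list of 'ts=<seconds> ...' lines) into a
    single timeline; if one sensor fails, the others still give a picture."""
    def ts_of(line):
        return float(line.split()[0].split("=", 1)[1])
    return sorted((line for src in sources for line in src), key=ts_of)

def replay_burst():
    """Constructed incident: honeypot 10.0.0.5 is compromised and tries 20
    outbound TCP connections within one minute, then one more an hour later."""
    lim = OutboundLimiter()
    verdicts = [lim.decide(60 + i, "10.0.0.5", "tcp", "192.0.2.10", 80)
                for i in range(20)]
    later = lim.decide(60 + WINDOW + 1, "10.0.0.5", "tcp", "192.0.2.11", 443)
    # Constructed alerts from a second sensor (network IDS) about the same host.
    ids = ["ts=58 sensor=ids honeypot=10.0.0.5 sig=inbound exploit attempt",
           "ts=61 sensor=ids honeypot=10.0.0.5 sig=outbound connection burst"]
    return (verdicts.count("ALLOW"), verdicts.count("DROP"), later,
            correlate(lim.log, ids))

if __name__ == "__main__":
    allowed, dropped, later, timeline = replay_burst()
    print(f"burst: {allowed} allowed, {dropped} dropped; after window: {later}")
    for line in timeline[:5]:
        print(line)
```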

There is actually a third honeynet requirement, called Data Collection, which only applies to distributed honeynet implementations such as the Honeynet Research Alliance, of which the Philippine Honeynet Project is a part. Naming conventions, secure transfer of data and anonymization techniques are among the aspects covered by this requirement.


These requirements are important in any honeynet implementation of which there are a number of types based on how they implement the said requirements.

3.2 Types of Honeynets

1. Gen I Honeynets
2. Gen II Honeynets
3. Gen III Honeynets
4. Distributed Honeynets
5. Virtual Honeynets

Gen I honeynets were the first attempts of the Honeynet Project at deploying honeynet technologies. They are now generally obsolete but are good case studies for the actual principles and requirements involved. Gen II honeynets are honeynets with more advanced data control and data capture mechanisms. Gen III honeynets are the latest in honeynet technologies; they are very easy to deploy and generally use the same principles as the older versions, but with more advanced tools. Distributed honeynets are multiple honeynets deployed across large networks across the Internet. Virtual honeynets are self-contained honeynets deployed on a single system.

3.3 How Honeynets Work

A honeynet, just like a honeypot, works by creating a highly controlled environment. Honeynets, as opposed to honeypots, take the concept one step further. Instead of just one computer or a number of unconnected computers, a network is set up in such a way that everything in the honeynet appears like a normal network. All applications and services are real, though all systems running within the honeynet are considered honeypots. No modifications are made to the systems, such as placing monitoring tools or creating jailed environments like chroot within the host. This kind of setup makes the honeynet the most interactive and authentic of all honeypots.


3.4 Risks with Honeynets

• Honeynets introduce additional risk to an environment by attracting attention to their seemingly insecure configuration.
• They require constant maintenance and administration.
• Data analysis is very time consuming: a single compromise on average requires 30-40 hours of analysis.

Finally, as with honeypots, any honeynet implementation has its corresponding risk. In fact, the basic risks and disadvantages of honeypots are the same as those of honeynets. The only difference is the complexity of it all. Since honeynets are much more complex and extensive, there is much greater risk involved. There is also a great deal of work involved, not only in maintaining the honeynet but in making sure that the risk is mitigated. To better avert the risks involved in honeynets, human monitoring and customization are required.

4.0 Importance of Using Honeypots and Honeynets

Deploying honeynets yields gathered information and possibly increased security for the operator of the honeynet.

4.1 Possible Information Gain on Attacks by Honeynets

Honeynets can gain information on the attacks against them. We assume that a honeynet can basically gather two different qualities of information. After starting his attack at time t_a, while the attacker is unaware that he is attacking a honeynet, the data gathered shows the attacker's typical actions against the class of system the honeynet is emulating. At a certain point in time, labeled t_d, the attacker realizes that he is confronted with a honeynet; at this point the attacker's motivation shifts, which should also result in a change of behavior. t_d can even be before t_a if an attacker is able to gather information about the honeynet out of band and attacks with the knowledge that he is attacking a honeynet. t_d can also lie infinitely far in the future if the attacker is not willing or able to find out that he is attacking a honeynet.


It is safe to assume that after t_d the attacker will be more reluctant to act in a way that allows the observer to gather further information. The attacker will usually stop the attack completely and vanish. But we also know of one instance where attackers using the honeynet as an IRC proxy simply ignored the fact that they were being observed.

While attacking, the attacker will try to escalate his privileges, in zero or more steps. The higher he is able to escalate his privileges, the more likely he is to find out the true nature of the host he is attacking, which results in t_d moving into the future. It is therefore safe to assume that for sophisticated attackers t_d is relatively early: a sophisticated attacker will be able to escalate his privileges relatively fast, increasing his chances of detecting the honeynet. For attackers with full local privileges, detecting a honeynet is trivial.

Honeynets cannot collect information on all kinds of attackers equally. Honeynets are able to gather representative data on attackers who choose their targets more or less randomly, as autonomous malware and very unsophisticated attackers do. Gathering data on more focused attackers is only possible for attackers who actively choose to attack the operator's systems.

An attacker who does not penetrate systems in a random fashion must be tricked into attacking a honeynet by making it look like a worthwhile target. It can be assumed that the more sophisticated the attacker is, the less likely he is to be fooled by such deceptions.

So while honeynets might be able to gather a relatively large amount of information about unsophisticated attackers or autonomous malware like worms, with the same investment much less information can be gathered about sophisticated attackers.


4.2 Possible Increased Security by Using Honeynets as a Decoy

It is claimed that honeynets can increase the search space for finding valuable systems in a network, and thus increase security by luring attackers into spending effort attacking the honeynets instead of the real thing. This claim has to be evaluated against different adversary scenarios.

Attackers attacking random hosts in your network face a bigger search space. But only extremely unsophisticated attackers, such as autonomous malware, can be assumed to attack completely random hosts. Also, these attackers can only be significantly slowed down when a significant percentage of the network consists of honeynets, which is unlikely.
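To quantify the random-attacker case above, the following added example (not from the paper) models an attacker probing hosts uniformly at random without repeating a host: it gives the probability that a given number of probes touches at least one honeypot, the expected number of probes before the first hit, and a Monte Carlo check of that expectation. The network sizes are constructed.

```python
"""Decoy and detection value of honeypots against an attacker that probes
hosts uniformly at random without repeating a host. Added example; the
network sizes below are constructed, not measurements."""
from math import comb
import random

def p_hit(n: int, h: int, k: int) -> float:
    """Probability that at least one of k distinct random probes lands on one
    of the h honeypots among n addressable hosts (hypergeometric tail)."""
    if not 0 <= h <= n or not 0 <= k <= n:
        raise ValueError("need 0 <= h <= n and 0 <= k <= n")
    return 1.0 - comb(n - h, k) / comb(n, k)

def expected_probes_to_first_hit(n: int, h: int) -> float:
    """Expected number of probes (including the hit) until the attacker first
    touches a honeypot when sampling without replacement: (n + 1) / (h + 1)."""
    return (n + 1) / (h + 1)

def simulate_first_hit(n: int, h: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: average probe index of the first
    honeypot hit over random orderings of the host list."""
    if h < 1:
        raise ValueError("need at least one honeypot")
    rng = random.Random(seed)
    hosts = [True] * h + [False] * (n - h)
    total = 0
    for _ in range(trials):
        rng.shuffle(hosts)
        total += hosts.index(True) + 1
    return total / trials

def decoy_table(n: int, honeypot_counts, k: int):
    """For each honeypot count h: share of the network that is honeypots
    (the effort a full sweep wastes on decoys), the chance that k probes hit
    one, and the expected probes until detection."""
    return [(h, h / n, round(p_hit(n, h, k), 3), expected_probes_to_first_hit(n, h))
            for h in honeypot_counts]

if __name__ == "__main__":
    # A /24 with 254 hosts: 8 honeypots (about 3%) waste only about 3% of a
    # full sweep, yet detect a random prober after roughly 28 probes on average.
    for row in decoy_table(254, (1, 2, 4, 8, 32), k=20):
        print("h=%d share=%.3f p_hit(20 probes)=%.3f E[probes]=%.1f" % row)
```

The slowdown column (share) stays small unless a large fraction of the network is honeypots, which is the paper's point, while the detection column shows the separate benefit the text attributes to honeypots elsewhere.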

More sophisticated attackers will choose their target based on their objectives and on a system's perceived value for completing those objectives. Simply by their existence, honeynets will slow down the attacker's target selection process. To fool the attacker into attacking the honeynet, the honeynet has to look more attractive than the target the attacker is aiming for, or the “real” system has to be hidden in such a way that the attacker will not be able to detect it.

4.3 Possible Increased Security by Using Aggressive Honeynets for Redirection

There are also attempts to deploy honeypots as part of active network security. The idea is to reroute attackers from a production server to a honeynet, distracting the attacker and allowing further gathering of data.

The detection of the attack that triggers the rerouting is a non-trivial problem. Also, the honeynet must mirror the production host very closely to make the rerouting seamless and less detectable.


5.0 Raising Security Awareness

Many people are not aware of the security risks their computer systems face, and thereby jeopardize their personal or company data. In fact, many people do not even notice that their system has been compromised. An attacker has an interest in concealing his or her activities in order to keep access to a compromised system. Today's operating systems are insecure when they come freshly out of the box and need to be patched. This is mainly due to the pace at which security vulnerabilities are discovered. If an unprotected system is connected to the Internet simply to download the needed security fixes, it might get compromised in that short period of time, possibly unnoticed by the user of the system.

Honeynets can serve to make such threats visible. By its nature, a honeynet is closely monitored, so that researchers can see what is going on under the hood. It can make people aware that a system running a standard out-of-the-box operating system, just connected to the Internet with an address advertised nowhere, will get scanned and eventually compromised after a short period of time. People are misled by the assumption that, just because a system is not known to anybody else on the Internet, it will not be found soon.

6.0 Conclusion

This white paper serves as a reference and purposely highlights the definitions of honeynets and honeypots, with the intention of enabling the reader to make a choice in securing their networks with these technologies. Many organizations allude to the fact that it may not be necessary to know what your typical intruders are doing. Using this approach is equivalent to pushing a blind person into a shark tank. It is of paramount importance to know the different types of honeynets and honeypots and to understand the best method to deploy them, customized to the respective organization's needs. Knowing the difference between distributed honeynets and traditional honeynets allows a swift decision to be made about using a honeynet, as it becomes apparent that the capital and resources required to build a state-of-the-art virtual honeynet are very affordable to most organizations.


References:

The Honeynet Project, “Know Your Enemy: Statistics,” available online: http://honeynet.org/papers/stats/.

The Honeynet Project, “Know Your Enemy: Sebek,” available online: http://honeynet.org/papers/sebek.pdf.

The Honeynet Project, “Know Your Enemy: GenII Honeynets,” available online: http://honeynet.org/papers/gen2/.

L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley, 2002; www.tracking-hackers.com/book.

“Honeyd—Network Rhapsody for You,” available online: http://www.citi.umich.edu/u/provos/honeyd/.

“Virtual Honeynets,” available online: http://www.windowsecurity.com/articles/Understanding_Virtual_Honeynets.html

“Honeynets definition,” available online: http://www.philippinehoneynet.org/docs/Honeynets_definition.pdf

“Intro to honeypot and honeynet,” available online: http://www.icst.pku.edu.cn/honeynetweb/reports/Introduction to Honeypot & Honeynet.ppt
