
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks

Ankita
Honey-pot (network security)

Introduction
Q: What is a Honey Pot?
A: A Honey Pot is an intrusion detection technique used to study hacker movements and probing in order to improve system defenses against later attacks. It is usually made up of a virtual machine that sits on a network or on a single client.

Why Honeynets?
An additional layer of security

History

The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg" and Bill Cheswick's paper "An Evening with Berferd".
First public honeypot: Deception Toolkit (DTK), released 1997
First commercial honeypot: CyberCop Sting, which emulated an entire network with telnet logins, 1998

Three goals

The virtual system should look as real as possible; it should attract unwanted intruders to connect to the virtual machine for study.
The virtual system should be watched to see that it isn't used for a massive attack on other systems, i.e. smurfing.
The virtual system should look and feel just like a regular system, meaning it must include files, directories, and information that will catch the eye of the hacker.

Security: A Serious Problem

Firewall: A Traffic Cop
Problems:
Internal Threats
Virus-Laden Programs

IDS: Detection and Alert
Problems:
False Positives
False Negatives

The Security Problem: Firewall, HoneyNets, IDS

An additional layer of security

Properties

Captures all inbound/outbound data
Standard production systems
Intended to be compromised

Data Capture
Stealth capturing
Storage location away from the honeynet

Data Control
Protect the network from the honeynets

Two types: Gen I and Gen II

Gen I
Good for simpler attacks
Unsophisticated targets
Limited data control

Gen II
Sophisticated data control: stealth fire-walling

Gen I chosen
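The data control property above (a Gen I honeynet limits outbound connections so a compromised honeypot cannot be turned into a platform for attacking other systems, while inbound traffic is let in) modelled as a small policy engine run over constructed connection attempts. This is an added example, not the GATech honeynet's own firewall; the subnet, the per-day limits and the alert format are assumptions.

```python
"""Gen I honeynet data control, modelled in Python (added example).
Inbound connections are always allowed (the honeypot is meant to be
compromised); outbound connections from a honeypot to the outside world
are counted per protocol and dropped once an assumed daily limit is hit."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("10.0.5.0/24")                # assumed honeynet subnet
OUTBOUND_LIMITS = {"tcp": 3, "udp": 5, "icmp": 10}  # assumed per-day limits


@dataclass
class DataControl:
    counts: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def decide(self, src: str, dst: str, proto: str) -> str:
        """Return 'ALLOW' or 'DROP' for a new connection attempt."""
        src_in = ip_address(src) in HONEYNET
        dst_in = ip_address(dst) in HONEYNET
        if not src_in:
            return "ALLOW"  # inbound: attackers are supposed to get in
        if dst_in:
            return "ALLOW"  # honeypot-to-honeypot stays inside the honeynet
        key = (src, proto)
        self.counts[key] += 1
        if self.counts[key] > OUTBOUND_LIMITS.get(proto, 0):
            # Every dropped attempt is itself evidence of a compromise.
            self.alerts.append(
                f"ALERT outbound limit exceeded src={src} proto={proto} dst={dst}")
            return "DROP"
        return "ALLOW"


# Constructed sample connection attempts: (src, dst, proto)
SAMPLE = [
    ("192.0.2.10", "10.0.5.7", "tcp"),  # attacker connecting in
    ("10.0.5.7", "10.0.5.8", "tcp"),    # lateral move inside the honeynet
] + [("10.0.5.7", f"203.0.113.{i}", "tcp") for i in range(1, 6)]  # 5 outbound


def run(sample=SAMPLE):
    """Apply the policy to each attempt; return (verdicts, alerts)."""
    dc = DataControl()
    verdicts = [dc.decide(*attempt) for attempt in sample]
    return verdicts, dc.alerts


if __name__ == "__main__":
    verdicts, alerts = run()
    for attempt, verdict in zip(SAMPLE, verdicts):
        print(verdict, attempt)
    print("\n".join(alerts))
```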

GATech Honeynet System

Huge network: 4 TB data processing/day

Config
Sub-standard systems
Open Source Software
Simple firewall data control

Detected Exploitations

16 compromises detected
Worm attacks
Hacker attacks

Types of software

Three types of software:
CyberCop Sting (CyberCop Monitor)
Tripwire
ManTrap (Symantec)

Types of software

CyberCop Sting:
A part of the CyberCop Monitor package
Uses a basic client-side application of a honey pot
Has the ability to run finger and FTP as a virtual machine
Can run multiple machines but uses a lot of resources
Relatively inexpensive, with a small program file size

Types of software

Tripwire:
Uses the current files as 'good' files for database comparison
Can be installed on the server or client side
Sends reports to the user when file changes have been detected or when hazardous commands are used

Types of software

ManTrap:
Can send and receive emails on the virtual machine
Can record multiple sessions on different nodes at the same time
Has a fast response time to unwanted attacks or hazardous command use
Has the guarantee that Symantec offers through great customer service

Saga of the Warez Hacker

The honeynet helped locate a compromised host
Very difficult to detect otherwise!
IIS exploit: Warez server + backdoor

Conclusion

Honey pots are an extremely effective tool for observing hacker movements as well as preparing the system for future attacks. The downside to using honey pots is the amount of resources used. This is usually countered by implementing a central analysis module, but that is still a security risk if the central module goes down.

