1. Introduction

1
1. Introduction

• Goal of this Presentation
• To give a better understanding of the overview
  of our project. Such as
• Researches
• Project Plans
• Customer Expectations
• Business Case
• Cost Budget
• Unsolved Issues, etc

2
2.0 Project Assumptions and Objectives

• Project Explanation
• Track attacks and log their paths
• Create a complete package
• Background
• 1990, first concepts of Honeypot by Clifford
  Stolls
• 1997, first toolkit released Fred Cohens
  Deception Toolkit
• Other releases CyberCop, Back Officer Friendly
  and Honeynet Project
• Know Your Enemy, publications

3
2.0 Project Assumptions and Objectives

• Scope
• Raytheon allows a great deal of freedom
• Add, modify and combine individual components
• Wireless Linksys router
• Honeypot software
• Logging station
• Create automatic script for setup

4
2.0 Project Assumptions and Objectives

• Major Objectives
• Modify wireless Linksys router
• Add authentication capability to router
• Modify honeypot open source
• Add unique element to open source
• Add logging station
• Separate logging from the honeypot to eliminate
  the chance of logging being compromised
• Hack our system
• Try hack our system and then fix and upgrade
  features throughout the process

Project Assumptions and Objectives
5
2.0 Project Assumptions and Objectives

• Expectations
• Unique modification to honeypot open source code
• Slow down attacks in real-time to limit their
  bandwidth
• Provide a quick and easy setup
• Annual Quantity
• Raytheon may possibly continue this project in
  house and sell it as a package to customters

6
3.0 Customer Expectations

• Wants and Needs of the customer
• The wants and needs of the customer are exactly
  the results of the effort that our team puts in.
• Not usually the norm, but its Raytheons only
  expectation that we create a working honeypot
  that shows off our teams imagination and
  innovation.
• Relative importance
• Strong research and development into creating a
  unique honeypot (priority 1)
• Creating a bundled software and hardware product
  that reflects our R D. (priority 2)

7
3.0 Customer Expectations

• Product Specifications
• Technical
• Creating a functioning honeypot, that can be used
  on an infrastructure network and can effectively
  log and divert intruders from the production
  network.
• Performance
• Emulation of all the traffic directed through the
  router as though it was traveling through the
  actual production network.
• Quality
• An effective logging system to monitor which
  parts of the production network are being
  attacked.
• Overall Goal
• Provide a product that slows down an attacker by
  creating a simulated network environment,
  applicable in real world scenarios, which can log
  an attackers intentions and paths, with the
  potential for collecting materials able to be
  admissible in a court of law .

8
3.0 Customer Expectations

• Measurable Engineering Characteristics based on
  customer expectations
• Accuracy of logging software
• Speed of packet-sniffing algorithm
• Size of logged information storage
• Speed Accuracy of IDS (Intrusion Detection
  System)
• Reliability of logged information (Spoofing
  detection)

Project Assumptions and Objectives
9
3.0 Customer Expectations

• Relationship of product specifications to
  customers wants and needs
• Difficult to define since the customer in this
  case is allowing the product specifications to be
  their wants and needs.
• Specifics
• Technical aspect of our product specification is
  the creation of a functioning honeypot. (high
  priority)
• The performance of our system should be similar
  to existing honeypot and honeynet systems, but
  different in that ours adds some innovative and
  unique designs (which our ad-hoc application
  should provide). (medium priority)
• The product being created, although not
  explicitly manufactured for future retail value,
  should be a finished product complete with
  bundled hardware and software. While this is not
  a need of the customer, it could potentially be
  a want. (low priority)

10
4.0 Analysis of Competitive Products

• To our knowledge, there are no products that are
  similar enough to ours to be considered
  competitors. our system is in its own class
  because of the features that will be implemented
  with it.

11
4.0 Analysis of Competitive Products

• However, we have looked at other products that
  have some of our products functionalities, such
  as
• Symantec Mantrap
• monitor intrusions instantly
• look and act exactly like full-function servers
• Snort
• traffic analysis and packet logging on IP networks

12
5.0 Concept Selection and Description

• Slow down an attack
• the honeypot will act as a diversion to provide
  time to take the appropriate measures and keep
  harmful traffic away from the production
  network
• Simulate a real network environment
• create the illusion of a real network so
  outsiders are none the wiser
• Log incoming and outgoing data
• determine vulnerabilities in our own network
  and prevent future attacks
• Do not interfere with production network
• keep honeypot separate to avoid complications
  with production network in case the honeypot is
  compromised

13
5.0 Concept Selection and Description
Setup Of A Honeypot
14
6.0 Project Plan, Resources, Schedules

• Major Check Points and Deliverables
• Setup Network (10/4 - 10/11)
• Comprehensive Plan (10/22 - 11/2)
• Prototypes Plan (10/12 10/27)
• Modify Linksys BIOS (10/22 11/30)
• Configure dedicated machines for specific use
  (11/15 12/09)
• Project Plan Review (01/3 01/10)
• Prototype Results (01/3 01/10)

15
6.0 Project Plan, Resources, Schedules

• Major Check Points and Deliverables (con.)
• Stimulate Real World Attacks (01/5 02/16)
• Code integration and test/build (02/07 02/14)
• Modification to system (02/07 02/14)
• Final Packaging and Documentation (02/23 03/29)

16
6.0 Project Plan, Resources, Schedules

• Responsibilities for each member
• We are at the point that we feel its better to
  work as a team
• More specific tasks will be assigned later in the
  project to pairs of members as needed.

17
7.0 Business Case

• With industrial espionage and particularly,
  computer based industrial espionage on the rise,
  companies are all going many steps further to
  protect their information. The most commonly
  seen threat to a companys computer network is
  something as simple as a virus or worm. While
  these scripts do cause slow downs in production
  and monetary loss, another threat that is not as
  often thought about is theft of intellectual
  property. The wireless honeypot appliance is
  part of a solution to curb the efforts of
  outsiders wanting to gain access to our corporate
  network, be it for malicious or theft reasons.

18
7.0 Business Case

• Assumptions
• Internal use only Not for sale
• Still has (positive) financial impact by
  preventing unauthorized information from being
  stolen from Raytheon.

19
Estimated Product Cost

• 20,000.00 in RD
• Approximately 100.00 to replicate
• All software either developed in-house or under
  the GPL license

20
Support Costs

• Low support costs
• Setup and Go
• Costs may increase if threat is found as a matter
  of protection

21
Return on Investment

• As stated before, no actual dollar amount can be
  assigned to the value of this project, however
  the liability that Raytheon employees assume will
  be greatly decreased.

22
8. Issues

• list of areas in the design that are not too
  well understood
• parts, components, subsystem sourcing for
  prototypes
• prototype testing

23
List of areas in the design that are not too
well understood

• - Flashing the BIOS of the linksys router.
• - General knowledge of hacking to simulate an
  attack on the honeypot
• - Adding to the kernel of a linux operating
  system
• - Using IDS and logging tools to record
  information from attacks
• - An understanding of networking in general
  (packets, ports, protocols, etc)
• - Legal Issues regarding honeypots

24
Parts, Components, Subsystem sourcing for
prototypes

• - Linkysys Wireless Router with Speedbooster
  WRT54GS (Speedbooster model provides double flash
  memory)
• - 3 Computers
• 1-Running Honeypot "Usermode Linux, Honeyd"
• 2-Running Snort "Logs Activity from Router",
• 3-Running System logger "Logs activity in
  honeypot
• A wireless network to implement our honeypot
  system
• Other Computers to simulate attacks on the
  honeypot

25
Prototype testing

• Evolutionary Prototyping
• Build a bicycle first, then build a car
• Start with barebone honeypot system
• Test
• Implement additions one by one from a list of
  prioritized features
• Repeat until features or time run out