Honeypots: the trap is set. (Database And Network Intelligence).

A honeypot is used for internet and computer security. It is a resource that is designed to be attacked and compromised in order to gain more information about the hacker, such as attack techniques and the motives for breaking in. A honeypot can also be used to divert an attacker from one's production network, allowing time for the administrator to react. One of the main goals of a honeypot is educational: to allow one to research hacker activity.
In the information security arena, many professionals are fascinated by honeypots because observers can see real, live information about an attack and not just hear about it. Many of us hear of websites being defaced or a bank being hacked into, but how many of us actually know how they got in and exactly what was done?
With honeypots, one can determine how an attacker broke in and exactly what they did. Lance Spitzner, founder of the Honeynet Project, defines the term "honeypot" as follows: "A honeypot is a resource whose value is being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information."
Essentially a honeypot is a tool to gather information, learn about malicious activities and to see trends in this type of activity. It is a system designed to be probed and attacked. To gain knowledge requires monitoring and gathering data to and from these systems. Without this, the honeypot tool is useless.
Types of Honeypots
Marty Roesch, creator of Snort, distinguishes between two categories of honeypots: production honeypots and research honeypots. A production honeypot is used to mitigate risk in an organization. A research honeypot is used to gather as much information as possible so that one can learn from it. Some people argue that these devices do not add security value; however, I differ with this. If a honeypot provides 15 to 20 minutes of extra time for an administrator to react so that he can protect his production network, then there is value right there. If a new exploit is learned by using a honeypot, this is also of benefit to information security because appropriate countermeasures can be developed to defend against this new attack.
How can honeypots add security to an organization?
A honeypot is a tool intended to be compromised. All traffic to and from the honeypot is suspicious because there are no production applications on this system. Few logs should be produced on the honeypot unless the honeypot is under heavy attack. Logs should be easy to read and understand. Once a production honeypot is probed or attacked, an administrator can place preventive controls on his 'real' production network.
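The observation that every packet to or from a honeypot is suspect translates directly into detection logic. The Python below is an added example, not code from the original article: it scans constructed firewall log lines (hosts, addresses and timestamps are invented) for anything touching an assumed set of honeypot addresses, lists which source probed which ports so the administrator has a concrete block list for the production firewall, and separately flags connections that originate from the honeypot, since a honeypot reaching outward is the clearest sign that it has already been compromised and is being used as a stepping stone.

```python
import re
from collections import defaultdict

# Addresses assigned to the honeypot interfaces. Constructed for this example;
# a real deployment lists its own honeypot addresses here.
HONEYPOT_ADDRS = {"192.0.2.50", "192.0.2.51"}

# Constructed firewall log lines in an iptables-style key=value format.
# Only lines 2, 3, 5 and 6 involve a honeypot address; line 6 is the
# honeypot itself initiating a connection outward.
SAMPLE_LOG = """\
Mar 14 02:11:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=80
Mar 14 02:11:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.50 PROTO=TCP SPT=41023 DPT=80
Mar 14 02:11:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.50 PROTO=TCP SPT=41024 DPT=25
Mar 14 02:12:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Mar 14 02:13:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.51 PROTO=TCP SPT=3322 DPT=21
Mar 14 02:13:05 fw kernel: IN=eth1 OUT= SRC=192.0.2.50 DST=203.0.113.9 PROTO=TCP SPT=2049 DPT=4444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a packet record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def honeypot_events(log_text, honeypot_addrs=HONEYPOT_ADDRS):
    """Return every record that touches a honeypot address, tagged with its direction.

    Traffic *to* the honeypot is a probe; traffic *from* it means the box may
    already be owned and is being used to reach something else.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in honeypot_addrs:
            rec["direction"] = "inbound"
        elif rec["src"] in honeypot_addrs:
            rec["direction"] = "outbound"
        else:
            continue  # ordinary production traffic, not our concern here
        events.append(rec)
    return events


def summarize_sources(events):
    """Map each probing source address to the sorted list of honeypot ports it touched."""
    by_src = defaultdict(set)
    for e in events:
        if e["direction"] == "inbound" and e["dpt"] is not None:
            by_src[e["src"]].add(e["dpt"])
    return {src: sorted(ports) for src, ports in by_src.items()}


def outbound_alerts(events):
    """(src, dst, dst_port) for every connection the honeypot itself initiated."""
    return [(e["src"], e["dst"], e["dpt"]) for e in events if e["direction"] == "outbound"]


if __name__ == "__main__":
    evs = honeypot_events(SAMPLE_LOG)
    for src, ports in summarize_sources(evs).items():
        print(f"probe from {src}: ports {ports}")
    for src, dst, port in outbound_alerts(evs):
        print(f"ALERT honeypot {src} connected out to {dst}:{port}")
```

The two summaries answer the two questions the passage raises: who is knocking on the honeypot (and should be kept away from production), and whether the honeypot has started behaving like an attacker itself, which is the moment to pull it off the network.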
Classes of Honeypots
In addition to their type, honeypots can also be categorized by class. There are two classes of honeypots: low involvement and high involvement. A low involvement honeypot provides a number of fake services such as HTTP (Hyper Text Transfer Protocol) or SMTP (Simple Mail Transfer Protocol). Low involvement honeypots allow hackers to connect to services, but do nothing else. With this type of honeypot a hacker usually cannot gain operating system access and therefore poses no threat.
A high involvement honeypot produces genuine services and vulnerabilities by providing a real operating system for the attacker to interact with. This class of honeypot is designed to be compromised so that realistic data can be collected. The difficulty with high involvement honeypots is that they must be tightly controlled: a compromised system can become a host from which to begin an attack on another system. An example of a high involvement honeypot is a personal computer running Windows 2000 Server with no service packs and Internet Information Server (IIS) running as a web server.
Honeynets are a group of honeypots made to simulate a real live network. There is added value
There are a number of free and commercially available honeypots on the market today. Their functionalities differ as well as their ease of use.
ManTrap is a commercially available product from Recourse Technologies based in California, USA. The software runs on top of the Solaris 2.x, 7 and 8 operating systems. The main concept of ManTrap is so-called cages. A cage is a copy of the host operating system that is connected to a network interface card. On a single machine, ManTrap supports up to four interface cards. Each operating system is run within the cages to provide a real live system. ManTrap is run on one system; however, because each operating system is bound to each network card and has its own unique IP address, it is presented to the network as four different systems, acting like a honeynet.
The Deception Toolkit (DTK) is a set of freeware tools that allows one to create his own honeypot on Linux systems. DTK works by creating the appearance of a highly vulnerable system and providing known responses, so that attackers believe they are attacking a real system.
Specter is a commercially available honeypot from NeoWorx. Specter simulates a complete machine and allows an attacker to interact with the machine as if it were a real production system. Specter simulates services such as HTTP, SMTP and FTP, allowing responses to a would-be hacker while at the same time tracking and logging every move made. The logs for Specter are stored locally and, since there is no interaction with the operating system actually hosting the Specter software, the logs should remain intact, as the operating system should not be compromised.
Specter can also track down the originator of an attack at the same time an attack is occurring with the use of WHOIS and trace routes. Specter puts its network interface into promiscuous mode, quietly gathering all the data that enters the system. It can emulate a wide variety of operating systems such as Windows 9x, Windows NT, Windows 2000, Linux, Solaris, and many other flavours of Unix. The Specter software runs on Windows NT and Windows 2000.
BackOfficer Friendly, or BOF, as it is commonly known, is a freely available low-involvement honeypot created by the developers of Network Flight Recorder (NFR), a commercially available IDS. BOF is a very simple honeypot that runs on most Windows-based operating systems and emulates services. BOF works by emulating services such as HTTP, TELNET, FTP and IMAP, and logs to screen any connections that have been made to those ports. It logs the source IP address and also the attempted service.
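The low involvement class described under "Classes of Honeypots" (let the client connect, answer, do nothing else) and the BOF behaviour just described (log the source address and the attempted service) are the same idea, so one example serves both. The Python below is added here and is not BOF, DTK or any other product mentioned in this article: it emulates a service with a fixed banner, records the peer and the first bytes it sends, then disconnects, never interpreting anything the client sent. The banners, hostnames, the `LowInvolvementHoneypot` class and the `probe` helper (a local client used only to exercise the listener) are all constructed for the example.

```python
import socket
import threading

# Fixed banners for the emulated services. Constructed strings, not the
# output of the real daemons they imitate.
FAKE_BANNERS = {
    "http": b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.27\r\nContent-Length: 0\r\n\r\n",
    "smtp": b"220 mail.example.invalid ESMTP Sendmail 8.12.8 ready\r\n",
    "ftp": b"220 ftp.example.invalid FTP server ready.\r\n",
    "telnet": b"\r\nRed Hat Linux release 7.3\r\nlogin: ",
}


class LowInvolvementHoneypot:
    """Listens on one port per emulated service, hands every client a banner,
    records who connected and what they sent first, then hangs up. Nothing the
    client sends is ever acted on, so there is no real service to compromise."""

    def __init__(self, host="127.0.0.1"):
        self.host = host
        self.events = []                     # one record per connection
        self._cond = threading.Condition()   # lets callers wait for records
        self._stop = threading.Event()

    def listen(self, service, port=0):
        """Start emulating `service`; port 0 asks the OS for a free port."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((self.host, port))
        srv.listen(5)
        srv.settimeout(0.2)  # short accept timeout so the loop can notice close()
        threading.Thread(target=self._accept_loop, args=(srv, service), daemon=True).start()
        return srv.getsockname()[1]

    def _accept_loop(self, srv, service):
        while not self._stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self._handle(conn, peer, service)
        srv.close()

    def _handle(self, conn, peer, service):
        conn.settimeout(2.0)
        first = b""
        try:
            conn.sendall(FAKE_BANNERS[service])
            first = conn.recv(256)  # capture only the first thing the client sends
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()            # no further interaction, by design
        record = {
            "service": service,
            "src_ip": peer[0],
            "src_port": peer[1],
            "first_bytes": first.decode("ascii", "replace").strip(),
        }
        with self._cond:
            self.events.append(record)
            self._cond.notify_all()
        print(f"[{service}] connection from {peer[0]}:{peer[1]} sent {record['first_bytes']!r}")

    def wait_for_events(self, count, timeout=5.0):
        """Block until at least `count` records exist; False on timeout."""
        with self._cond:
            return self._cond.wait_for(lambda: len(self.events) >= count, timeout)

    def close(self):
        self._stop.set()


def probe(host, port, payload=b""):
    """Local test client: connect, read the banner, send `payload`, disconnect."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(256)
        if payload:
            c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInvolvementHoneypot()
    port = hp.listen("smtp")
    probe("127.0.0.1", port, b"HELO scanner.example.invalid\r\n")
    hp.wait_for_events(1)
    hp.close()
```

Because the handler only sends a canned banner and reads once, the listener has no state an attacker can manipulate, which is exactly why the class is considered safe to expose; what it buys in safety it gives up in depth, since after the first line there is nothing more to observe.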
Home Grown Honeypots
This type of honeypot is created using standard hardware and software. Special configurations must be implemented, such as remote logging and keystroke capturing. An example of a home grown honeypot is a PC running Red Hat Linux, with Apache and Sendmail installed in their default configurations. All logging on the system would be sent remotely to a syslog server, and the shell would be modified to capture all keystrokes.
The cost of honeypots ranges from versions available as freeware to commercial products on the market that can cost up to $10,000. In my opinion, the best and most effective honeypot is a home grown honeypot. However, the honeypot must be well designed and created. Correctly done, with the proper controls put into place, a home grown honeypot or honeynet can create your best data and can also be an important resource in defending your domain. There is ample assistance on the Internet, as discussions on this topic are growing every day.