Honeypots
By Victor Garcia

Today I would like to talk about honeypots. The purpose of this term paper is to give a detailed analysis of what honeypots are, what their characteristics are, and the different types of honeypots; the pros and cons of honeypots; the actual mechanics of how honeypots work and who uses them; the methods by which they can help prevent attacks; and, of course, their value as a technology, from the home user's use to corporate value.

The word "honeypot" comes from an espionage technique used during the Cold War, and its origins lie in sexual entrapment. The term described a female agent seducing a male official of the other side for the purpose of gaining information: "for his eyes only" secrets about troop movements by land, air, and sea, supply lines, and future plans for the invasion or evacuation of troops, handed over by a man who never suspected her true intentions as an informant (the film Hostel plays on the same idea). In computing, a honeypot is a decoy resource that pretends to be a real target: a trap set up in the expectation that it will be attacked or compromised. Its main goals are to distract an attacker and to gather information about the attacker, his methods of attack, and his tools. A honeypot attracts attacks by presenting itself as a weakened system and as an entrance to a more valuable target, like a flame drawing a moth.

I feel honeypots are an effective countermeasure in the attempt to prevent unauthorized use of critical information systems on a network. Their basic characteristics are these: first, they are highly flexible systems; second, they are able to detect an attacker's movements and behavior; and third, they capture the latest vulnerabilities being spread and exploited on the network, so the administration team can analyze and fix them for a stronger network. Where are honeypots used, and by whom? Honeypots are used by government agencies, big businesses, non-profit organizations, and schools such as ECU. As will be explained below, government, big business, and non-profit organizations use honeypot technology for production purposes, as support against attempts to invade secure systems and bring them down: instead of the real system, the attacker hits the decoy honeypot, which has then served its purpose. Schools, on the other hand, use honeypot technology for research purposes: studying the attacks captured by the honeypots to teach future security majors the weaknesses being exploited, and developing new tools for future defense to add to the network.



Honeypots come in all shapes and sizes, and there is a design for every network topology. They are broken down into two general categories: low-interaction and high-interaction. Knowing the category tells us what type of honeypot we are dealing with, its strengths, and of course its weaknesses. Let's start with the word "interaction," which is defined as the level of activity allowed between the honeypot and its attacker. Low-interaction honeypots allow limited interaction and work by emulating operating systems and services; attacker activity is limited to the level of emulation the honeypot provides. The chief advantage of a low-interaction honeypot is simplicity. They are easy to install, deploy, and maintain: usually all that is required is installing and configuring software on a computer, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot run from there, a plug-and-play approach. A second advantage is minimal risk, because the emulated services control what an attacker can and cannot do; there is no real operating system for the attacker to take over. There are disadvantages as well. The first is that they only log and capture limited amounts of information, mainly transactional data (who connected, when, and to which service) and some limited interaction. The second is that an attacker has a real chance of detecting a low-interaction honeypot: no matter how good the emulation is, there will be people who have seen, experienced, or designed these tools, and the emulation will eventually answer some request in a way the real service would not. Sometimes a skilled attacker simply gets lucky and notices the honeypot's presence.
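To make "emulating a service" concrete, here is a minimal low-interaction honeypot written for this page; it is an added example, not code from the original paper or from any honeypot product. It emulates just enough of FTP to greet a client, record every USER/PASS pair, and refuse everything else, which is exactly the "transactional data plus limited interaction" a low-interaction honeypot captures. The banner text and the port 2121 are assumptions chosen for the example.

```python
"""Minimal low-interaction FTP honeypot (added example, not from the article).

It emulates just enough of FTP (greeting, USER/PASS, QUIT) to record login
attempts and refuses everything else. The banner text and port 2121 are
assumptions chosen for this example.
"""
import socketserver
from datetime import datetime, timezone

BANNER = "220 ProFTPD 1.3.3 Server ready."  # assumed; imitates a common FTP daemon


class FtpEmulator:
    """State machine for one session; feed() returns the reply to send back.

    A honeypot has no legitimate users, so every login attempt and every
    unexpected command is recorded in self.events.
    """

    def __init__(self):
        self.events = []
        self.user = None
        self.closed = False

    def greeting(self):
        return BANNER

    def feed(self, line):
        line = line.rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required for %s" % arg
        if verb == "PASS":
            # Capture the credential pair, then always refuse the login:
            # a low-interaction honeypot never hands out a real session.
            self.events.append({"kind": "login", "user": self.user, "password": arg})
            self.user = None
            return "530 Login incorrect."
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye."
        # Anything outside the emulated surface is logged and refused. This is
        # also where the emulation can be fingerprinted: a real server would
        # answer SYST, FEAT or HELP differently.
        self.events.append({"kind": "command", "line": line})
        return "530 Please login with USER and PASS."


def run_script(commands):
    """Drive one session with a list of client commands; returns (replies, events)."""
    emu = FtpEmulator()
    replies = [emu.greeting()]
    for cmd in commands:
        replies.append(emu.feed(cmd))
        if emu.closed:
            break
    return replies, emu.events


class FtpHandler(socketserver.StreamRequestHandler):
    """Serve one TCP client through the emulator and print what it did."""

    def handle(self):
        emu = FtpEmulator()
        self.wfile.write((emu.greeting() + "\r\n").encode("latin-1", "replace"))
        while not emu.closed:
            raw = self.rfile.readline()
            if not raw:  # client hung up
                break
            reply = emu.feed(raw.decode("latin-1", "replace"))
            self.wfile.write((reply + "\r\n").encode("latin-1", "replace"))
        ts = datetime.now(timezone.utc).isoformat()
        src = "%s:%d" % self.client_address
        for ev in emu.events:  # transactional data only: who, when, what
            print(ts, src, ev)


def serve(host="127.0.0.1", port=2121):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    return socketserver.ThreadingTCPServer((host, port), FtpHandler)


if __name__ == "__main__":
    with serve() as server:  # try: nc 127.0.0.1 2121
        print("honeypot listening on %s:%d" % server.server_address)
        server.serve_forever()
```

Run it and connect with `nc 127.0.0.1 2121`: the banner, the `331` and `530` replies, and the logged credential pairs are the whole extent of the interaction. The last branch of `feed` is also the weakness the paragraph describes: an attacker who sends `SYST` or `FEAT` and gets a login error instead of a real answer has just fingerprinted the emulation.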

The second category is high-interaction honeypots. High-interaction honeypots do everything low-interaction ones can do and a great deal more: there is no emulation. Attackers are given openings into real systems, built on real operating systems providing real services. They have many characteristics and advantages, but I will only cover the key ones. The first advantage is that by giving attackers a real system to play with and interact with, your honeypot can capture extensive amounts of log information, so you learn the full extent of the attacker's behavior and characteristics, the damage done, the keystrokes typed, and the tools used, from new rootkits to conversations on international IRC sessions. The second advantage is that capturing all activity in an open environment makes no assumptions about how an attacker will behave, which allows high-interaction solutions to reveal behavior we would not have expected or thought to look for. The disadvantages are, first, that they are more complex solutions to deploy and maintain, since they involve real operating systems and applications, and second, increased risk: the administrator has deliberately placed a real, vulnerable system on the network, and an attacker who takes it over can use it to cause havoc elsewhere unless outbound traffic from the honeypot is tightly controlled.

Next you need to know the pros and cons of honeypots: what gives them their strengths, and where their weaknesses lie.

Pros, or advantages, of honeypots:

1. Small data sets of high value: Honeypots collect small amounts of information, and only when an attacker interacts with them. Remember that honeypots capture only bad activity: any interaction with a honeypot is most likely unauthorized or malicious. By collecting only small data sets, honeypots reduce "noise," yet the information is of high value, since it comes only from the bad guys. This makes it much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.

2. Deterrence: Honeypots can discourage intruders from invading a network. An attacker who knows an organization runs honeypots cannot tell which systems are honeypots and which are real, so every target becomes a potential trap; rather than risk detection and capture, the attacker may take a walk and pass the network by.

3. Encryption: Unlike most security technologies (such as network IDS), honeypots work fine with encrypted traffic. A network IDS watching an SSL or SSH session sees only ciphertext, but the honeypot is the endpoint of that session, so it sees the decrypted commands. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it. Every minute an attacker spends working through an encrypted session with the honeypot is time spent educating the honeypot's owners on how to strengthen their systems, and the end result is the attacker's capture.

4. Information: Honeypots collect in-depth information that serves both research and production purposes, providing up-to-date knowledge of the methods used to attack systems and new tools and tactics to implement in the security of the network.

5. Simplicity: Honeypots are conceptually simple, which makes them hard to misconfigure. There are no fancy algorithms to develop, no state tables to maintain, and no signatures to update.

Cons, or disadvantages: Because of the weaknesses below, honeypots are not a stand-alone security measure. They do not replace any current technology; they work alongside existing technologies.

1. Limited view: Honeypots can only track and capture activity that directly interacts with them. They will not capture attacks against other systems unless the attacker or threat interacts with the honeypot as well.

2. Risk: Every security technology on the market has its problems and its own risks. No one has made a product that is 100%, or even 95%, accurate and protects the user and the network all the time. Honeypots are no different; they carry risk too. Specifically, a honeypot risks being taken over by the attacker and then used to harm other systems. This risk varies between honeypot types and with the security settings applied to the honeypot. A low-interaction honeypot, which only emulates services, carries little more risk than an IDS sensor; a high-interaction honeypot, which hands the attacker a real operating system, carries a great deal of risk unless its environment and settings confine what the attacker can do.

So how does a honeypot work? Typically a honeypot consists of a computer, data, or a network site that appears to be part of a larger existing network but is actually isolated and protected, and which seems to contain information of value, or a resource that would be of value and interest to attackers. It is a secondary network set up to look exactly like the real network, one that is or could become part of the existing network; think of a honeypot as an ambush waiting for prey or a victim to enter. Once again, its value lies in the bad guys interacting with it. A honeypot is a resource with no authorized activity and no production value. Because it has no legitimate users, it should see no traffic at all, so any interaction with a honeypot is most likely unauthorized or malicious, and any connection attempt is most likely a probe, attack, or compromise. As you can see from the picture below, in most deployments the honeypot and the actual network share similar security measures. Both sit behind the ADSL router's basic built-in low-level packet-filtering firewall, a simple pass-or-deny system, and then behind the Check Point firewall, where the malware, viruses, Trojans, and worms sent by the attacker try to get in. As I said, no security is 100%, or even close, so if the firewall fails there is a choice of paths at the Bay Networks hub: the easy route, where a hidden honeypot sits in a decoy look-alike network offering an easy access point and apparently valuable information, or the hard route, where access is not granted without meeting the criteria. Sometimes the honeypot looks so much like the real thing that even the people who run it cannot tell the difference.

So what is the value of this technology? There are two further categories describing how honeypots are used, which I will touch on briefly: production purposes and research purposes. When used for production, honeypots protect the business operations of an organization; this includes preventing and detecting attacks on the network and helping the organization respond to them. When used for research, honeypots are used to gather information, and that information has different value to different researchers: some study trends in attacker activity, while others are interested in surveillance, early-warning systems, and prediction tools. Low-interaction honeypots are often used for production and high-interaction honeypots for research, but either type can be used for either purpose; with honeypots there is no firm rule that one type is only for one job. For production purposes, honeypots can protect organizations in three ways: prevention, detection, and response.

How can honeypots, used for production purposes, help prevent attacks on a network? There are several ways in which honeypots can help prevent and minimize attacks:

1. Prevention. Honeypots can monitor unused IP address space and slow an attacker's scanning down, even to a halt. They do this with a variety of TCP tricks, such as advertising a TCP window size of zero, which puts the attacker's connection into a holding pattern (a "tarpit"). The idea is to confuse the attacker and make him waste time and resources interacting with a decoy, while your organization detects his activity and gains the time to respond and stop him.

2. Detection. The purpose of detection is to identify a failure or breakdown in prevention, and this is critical: by detecting an attacker you can react quickly and stop or mitigate the damage. Technologies such as IDS sensors and system logs have well-known weaknesses: they generate a large percentage of false positives, and they struggle to detect new attacks or attacks carried in encrypted or IPv6 traffic. Honeypots reduce false positives by capturing small data sets of high value, capture unknown attacks such as new exploits or polymorphic shellcode (they record what happened rather than matching a signature), and work in encrypted and IPv6 environments.

3. Response. Incident responders need to know who the attacker is, how he got in, and how much damage he has done, and in such situations detailed information on the attacker's activity is critical. Honeypots help address this problem and make an excellent incident response tool, since they can be quickly and easily taken offline for a full forensic analysis without impacting day-to-day business operations. Because the only activity a honeypot captures is unauthorized or malicious, its records give the in-depth information an organization needs to respond rapidly and effectively to an incident: what the attacker did, how he broke in, and the tools he used.
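The detection argument above, and the earlier point that a honeypot should see no legitimate traffic at all, come down to one rule: every connection to the honeypot is reportable, and the analyst's job is only to group and rank them. The following script is an added example written for this page, not the paper's own tool or any product's output. It parses connection records in a log format invented for the example, with source addresses drawn from the documentation (TEST-NET) ranges, and classifies each source as a port scan, a repeated attack on one service, or a single probe; the thresholds are assumptions.

```python
"""Detection over honeypot connection logs (added example, not from the article).

Because a honeypot has no legitimate users, every connection is reportable;
the only question is how to rank and group them. The log format, thresholds
and addresses below are constructed for this example (TEST-NET ranges), not a
real honeypot's output.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one line per connection attempt to the honeypot.
SAMPLE_LOG = """\
2024-03-01T10:00:01+0000 src=203.0.113.5 dport=21 proto=tcp
2024-03-01T10:00:01+0000 src=203.0.113.5 dport=22 proto=tcp
2024-03-01T10:00:02+0000 src=203.0.113.5 dport=23 proto=tcp
2024-03-01T10:00:02+0000 src=203.0.113.5 dport=80 proto=tcp
2024-03-01T10:00:03+0000 src=203.0.113.5 dport=443 proto=tcp
2024-03-01T10:00:03+0000 src=203.0.113.5 dport=3389 proto=tcp
2024-03-01T10:05:10+0000 src=198.51.100.7 dport=22 proto=tcp
2024-03-01T10:05:14+0000 src=198.51.100.7 dport=22 proto=tcp
2024-03-01T10:05:19+0000 src=198.51.100.7 dport=22 proto=tcp
2024-03-01T10:05:23+0000 src=198.51.100.7 dport=22 proto=tcp
2024-03-01T11:42:00+0000 src=192.0.2.9 dport=445 proto=tcp
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None (malformed lines are skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z"),
        "src": m.group("src"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def summarize(lines, scan_ports=5, repeat_hits=3):
    """Group honeypot hits by source address and classify each source.

    scan_ports: distinct ports from one source that count as a port scan.
    repeat_hits: hits on a single service that count as a repeated attack
    (password guessing, for example) rather than a one-off probe.
    """
    by_src = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = by_src[ev["src"]]
        s["hits"] += 1
        s["ports"].add(ev["dport"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])

    alerts = []
    for src, s in by_src.items():
        if len(s["ports"]) >= scan_ports:
            kind = "scan"
        elif s["hits"] >= repeat_hits:
            kind = "repeated"
        else:
            kind = "probe"  # still an alert: nothing legitimate talks to a honeypot
        alerts.append({
            "src": src,
            "kind": kind,
            "hits": s["hits"],
            "ports": sorted(s["ports"]),
            "first": s["first"].isoformat(),
            "duration_s": int((s["last"] - s["first"]).total_seconds()),
        })
    return sorted(alerts, key=lambda a: a["first"])


def alerts_for(text=SAMPLE_LOG):
    """Convenience wrapper: alerts for a whole log text."""
    return summarize(text.splitlines())


if __name__ == "__main__":
    for a in alerts_for():
        print("%-8s %-14s hits=%-2d ports=%s over %ds"
              % (a["kind"], a["src"], a["hits"], a["ports"], a["duration_s"]))
```

On the constructed log this yields three alerts from twelve lines: a six-port scan completed in two seconds, four hits on port 22 over thirteen seconds, and a single probe of port 445. The single probe is still reported, which is the point of the "small data sets of high value" argument: on a production IDS a lone SMB connection is noise, on a honeypot it is evidence. The alert records (source, first-seen time, ports, duration) are also the starting facts an incident responder needs before taking the honeypot offline for forensics.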

In the end, I hope that after reading this paper you understand what I set out to provide: a detailed analysis of what honeypots are, their characteristics, the different types of honeypots and their purposes, the pros and cons of honeypots and why we use them, the actual mechanics of how honeypots work, the methods by which they help prevent attacks, and of course their value as a technology for security professionals. Honeypots educate us, advancing computer security knowledge of how to strengthen the systems we design, and let us acquire knowledge from the enemies who wish to do our networks harm, without their knowledge. I leave you with this thought: a honeypot is only a tool, and how you use that tool is up to you.


Article Source: http://EzineArticles.com/?expert=Victor_Garcia