Transcript Group 1C
Comp 4027 Forensic and Analytical Computing
Honeypot Research
Hung Nguyen
Brendan Roberts
Overview
• Scope
• What is Needed
– How will Honeypot Software help?
– What will the intended result be?
• Risks and Mitigation Strategies
• Pros/Cons of Honeypot Software
• Recommendations
Scope
• Supervisor has assigned us the task of gathering
evidence of illicit activity on a host machine.
• Supervisor expresses concerns that a particular
server has been infiltrated in the past. And So...
– We need to be able to detect any intrusions
– We need to be able to gather enough information
about the intrusion so as to prosecute the
perpetrators(s).
What is needed?
• Deployment of Honeypot Software suggested…
– Need to maintain the integrity of the system
– Need to be able to detect that an intrusion has occurred
– Need to be able to log illicit activity that occurs.
How Will Honeypot Software Help?
• Allows us to set up a decoy system
– A system that is designed to be attacked
– Imitates the original server, without exposing the server
to further illicit activity when intrusion occurs
– Gives us the tools to monitor this activity to be used as
evidence.
Intended Results…
• Work out if intrusions are occurring
– Workout how these intrusions are occurring and what
the target of the intrusion is
– Preventing intrusions in this way in the future, if
possible
• Catching the perpetrator
– Having enough evidence that they are doing something
wrong by accessing the network
– Prosecution
Risks and Mitigation Strategies
• Allowing the Network to be further exposed by the
Decoy system (preventing jump-off attacks)
– Need to consider where in the system architecture the
decoy system is placed
• We are assuming that intruders are ‘hacking in’, rather than
the perpetrator being inside the organisation.
• Can Either place the Honeypot external to the network, or if a
Demilitarised Zone exists, place it there.
Risks and Mitigation Strategies
• Honeypot Discovery
– If the Honeypot is discovered, the intruder may be
deterred from doing something wrong.
• Can by mitigated by making sure the victim/decoy system is
as clean as possible of any evidence of anything about
Honeypots or Intrusion Detection Systems.
Risks and Mitigation Strategies
• Honeypot is too enticing, inviting and entrapping
perpetrators
• Don’t Advertise/invite the perpetrators in
• Keep everything on the decoy system as it was on the real
system, rather than being more enticing.
Risks and Mitigation Strategies
• Sensitivity of content on the real system
– If the content on the real system is
• Sensitive
• Imperative to the smooth running of workflow in the
institution
• Private or Confidential
– .. Is it possible to make false data to go on to the decoy
system so as to avoid exposing the real data
Pros/Cons
• Pros:
– Allows detection and dealing with intrusions without compromising the
original system, by setting up a decoy / victim system.
• Cons:
– If the Honeypot system is broken out of, then what? Is the system
compromised again?
– Incorrect server architecture may not correctly identify the intruder (for
example if an insider can intrude from inside the network, then having a
Honeypot on the external or DMZ won’t matter much)
Recommendations
• Implement a Honeypot
– Interest has been sparked over HoneyD Software
• Open Source software developed by Niels Provos
• Offers tools for detection of intrusion, as well as the ability to
set up virtual (Decoy) hosts on a system as various services,
such as ftp or mail servers etc.
• Allows the virtual host to take up some or all of the unused IP
addresses on the network to detect other malicious potential
issues, such as worms and IP sniffing.
• Has the ability to assign multiple IP Addresses to the one
virtual host.
References
•
http://www.honeyd.org/general.php HoneyD.org
•
http://www.securityfocus.com/infocus/1659 Spitzner, L, 2003
http://www.philippinehoneynet.org/index2.php?option=com_docman&task=doc_view&gid=4&Itemid
=29
http://www.certconf.org/presentations/2002/Tracks2002Expert_files/HE-1&2.pdf
http://www.honeypots.net
•
http://en.wikipedia.org/wiki/Honeypot_(computing)