Characterization of Attackers* Activities in Honeypot Traffic Using


Using Honeypots to Improve Network
Security
Dr. Saleh Ibrahim Almotairi
Research and Development Centre
National Information Centre - Ministry of Interior
Dec 21, 2009
Content
- Introduction
- Defence-in-Depth Protection Strategy
- Network Monitoring Methods
- Honeypots
- Honeypot Technologies
- Existing Honeypot Solutions
- Honeypot Deployment Challenges
- Conclusion
2
Introduction
- The number of attacks and the number of new vulnerabilities are on the rise, driven by:
  - increased financial and other incentives
  - the high prevalence of exploitable vulnerabilities
  - the availability of vulnerability information and attack tools
  - lack of, or long delays in, patches from vendors
3
Introduction
- The sources of vulnerabilities can be attributed to many factors:
  - the design of the protocols and services themselves
  - the flawed implementation of these protocols and services
- To counter this advance in threats, security managers need to implement multiple layers of security defence
4
Defence-in-Depth Protection Strategy
- Awareness
- Policy
- Patching
- Firewalls
- Anti-virus
- Encryption
- Intrusion Detection Systems
- Monitoring
5
Network Monitoring Methods
- Two methods of monitoring network traffic for malicious activity are commonly used:
  - live network monitoring, such as firewalls, network intrusion detection systems, and NetFlow
  - unsolicited traffic monitoring, such as darknets and honeypots
6
Firewalls
- Comprise software and hardware that protect one network from another network
- Make decisions at layer 3 (IP address) and layer 4 (port), and might incorporate IPS functionality at layer 7
- Cannot see local traffic and are vulnerable to misconfiguration
7
Intrusion Detection System (IDS)
- An IDS is a security system that monitors computer systems and network traffic for attacks and anomalous activity
- An intrusion prevention system (IPS) is an access control device, like a firewall
- IDSs are classified by their information source into:
  - network-based
  - host-based
8
Intrusion Detection System (IDS)
- IDSs can be classified further by their detection methodology into:
  - anomaly-based IDSs, which measure any deviation from normality and raise alarms whenever the predefined threshold level is exceeded
  - signature-based IDSs, which rely on a knowledge base of predefined attack patterns, or signatures
9
Anomaly detection
- Mainly based on statistical techniques
- The basic concept of the statistical technique for detecting anomalies is:
  - build a profile of normal behaviour
  - measure large deviations from the profile
  - test them against a predefined threshold value
  - anomalous behaviours are flagged when these deviations exceed the threshold
10
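The four-step statistical procedure above, worked through on constructed honeypot connection counts (an added example, not from the presentation): `build_profile` fits the profile of normal behaviour, `deviation` measures the distance from it in standard deviations, and `flag_anomalies` applies the predefined threshold. The baseline values, the 3-sigma threshold and the observed burst are all constructed.

```python
"""Statistical anomaly detection as described on the slide: build a profile
of normal behaviour, measure deviations from it, and flag observations
whose deviation exceeds a predefined threshold. Added example; the
baseline counts, threshold and new observations are constructed."""
from statistics import mean, pstdev

# Constructed baseline: connections per hour to a honeypot's TCP/445
# during a quiet training window.
BASELINE_TCP445 = [12, 9, 14, 11, 10, 13, 8, 12, 11, 10, 9, 13]

THRESHOLD = 3.0  # predefined threshold, in standard deviations (z-score)


def build_profile(samples):
    """Profile of normal behaviour: mean and population standard deviation."""
    return mean(samples), pstdev(samples)


def deviation(profile, value):
    """Deviation of one observation from the profile, in standard deviations.
    A profile with zero spread treats any change as an infinite deviation."""
    mu, sigma = profile
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def flag_anomalies(profile, observations, threshold=THRESHOLD):
    """Return (index, value, z) for each observation whose deviation exceeds
    the threshold. Only upward deviations are flagged, since a burst of
    probes to one port is the case of interest on a honeypot."""
    return [(i, v, round(deviation(profile, v), 2))
            for i, v in enumerate(observations)
            if deviation(profile, v) > threshold]


if __name__ == "__main__":
    profile = build_profile(BASELINE_TCP445)
    # Constructed new observations: hour 3 carries a burst of connections.
    print(profile)
    print(flag_anomalies(profile, [11, 10, 13, 60, 12]))
```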
Network-based IDSs (NIDS)
- Detect attacks by analysing network packets
- Do not interfere with the normal operation of a network
- Easy to deploy and manage
- Operating system independent
- Not able to analyse encrypted traffic
- Not able to cope with high traffic volumes in large or busy networks
11
Host-based IDSs (HIDS)
- Are installed locally on host machines
- Operate on information collected from within the host system being protected
- Are more accurate
- Generate fewer false positive alarms
- Handle encryption
- Are harder to manage
- Are operating system dependent
- Affect the performance of the host system
12
Honeypots
- First uses of the honeypot concept:
  - Cliff Stoll in his book “The Cuckoo's Egg” in 1986
  - Bill Cheswick in his paper “An Evening with Berferd: In Which a Cracker is Lured” in 1990
- The term honeypot was first introduced by Lance Spitzner in 1999
- Honeypot definitions:
  - a security resource whose value lies in being probed, attacked, or compromised (Spitzner)
  - a closely monitored computing resource that we want to be probed, attacked, or compromised (Provos)
13
Honeypot..
- These definitions of a honeypot imply that:
  - it can be any type of computer resource, such as a firewall, a web server, or even an entire site
  - it runs no real production services, so any contact with it is considered potentially malicious
  - traffic sent to or from a honeypot is considered either an attack or a result of the honeypot being compromised
14
Honeypots….
- An example of a virtual honeypot setup that emulates two operating systems:
  - a Windows server with open ports TCP 80, 445 and UDP 137
  - a Unix server with open ports TCP 21, 25, 80
[Diagram: the Internet, a honeypot router with a traffic logger, and a host machine running the two virtual honeypots (Windows: TCP 80, TCP 445, UDP 137; Linux: TCP 21, TCP 25, TCP 80); addresses shown as xx.xx.xx.01, xx.xx.xx.02 and xx.xx.xx.03]
15
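The rule stated in the definition slides (no production services, so every contact is suspect, and traffic the honeypot itself originates points to compromise) applied to the two-guest virtual honeypot setup above, as an added example that is not from the presentation: the addresses, the open-port inventory, the labels and the flow records are all constructed.

```python
"""Classify flow records that touch a honeypot: inbound contact is a probe or
attack, and traffic the honeypot originates indicates compromise.
Added example; addresses, ports, labels and flows are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed inventory of the two virtual honeypots from the diagram:
# address -> set of (protocol, port) that the guest emulates as open.
HONEYPOTS = {
    "192.0.2.2": {("tcp", 80), ("tcp", 445), ("udp", 137)},  # Windows guest
    "192.0.2.3": {("tcp", 21), ("tcp", 25), ("tcp", 80)},    # Linux guest
}


def classify(flow, honeypots=HONEYPOTS):
    """Label one flow, or return None when no honeypot address is involved."""
    if flow.src in honeypots:
        # A honeypot never initiates legitimate traffic: a sign of compromise.
        return "OUTBOUND_FROM_HONEYPOT"
    if flow.dst in honeypots:
        if (flow.proto, flow.dport) in honeypots[flow.dst]:
            return "ATTACK_ON_EMULATED_SERVICE"  # reached an emulated service
        return "SCAN_OF_CLOSED_PORT"             # touched a port not offered
    return None


def summarize(flows, honeypots=HONEYPOTS):
    """Count labels and collect the external sources that contacted a honeypot."""
    counts, sources = {}, set()
    for f in flows:
        label = classify(f, honeypots)
        if label is None:
            continue
        counts[label] = counts.get(label, 0) + 1
        if label != "OUTBOUND_FROM_HONEYPOT":
            sources.add(f.src)
    return counts, sorted(sources)


# Constructed sample flows (documentation address ranges, no real hosts).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.2", "tcp", 445),    # SMB emulation on Windows
    Flow("203.0.113.5", "192.0.2.2", "tcp", 3389),   # port the guest does not offer
    Flow("203.0.113.9", "192.0.2.3", "tcp", 21),     # FTP emulation on Linux
    Flow("192.0.2.3", "198.51.100.7", "tcp", 6667),  # Linux guest calling out
    Flow("203.0.113.5", "192.0.2.50", "tcp", 80),    # not a honeypot address
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```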
Honeypots….
- Notable features of honeypots include:
  - they collect small volumes of higher-value traffic
  - they are capable of observing previously unknown attacks
  - they detect and capture all attackers' activities, including encrypted traffic and commands
  - they require minimal resources
16
Honeypots Technologies
- Divided by their level of interaction into:
  - low: respond only to connections
  - medium: connected to scripts that emulate basic protocol behaviours
  - high: run real operating systems with real services
- Divided by their intended use into:
  - production honeypots (Honeynets)
  - research honeypots (Leurre.com)
17
Honeypots Technologies..
- Divided by their hardware deployment into:
  - physical honeypots (Honeynets)
  - virtual honeypots (Argos)
- Divided by their attack role into:
  - server-side honeypots (Honeyd)
  - client-side honeypots (HoneyMonkey)
18
Some of the Existing Honeypot Solutions
- Automatic generation of IDS signatures:
  - Honeycomb
- Worm detection systems:
  - Honeystat
  - SweetBait
- Malware collection:
  - Nepenthes
  - Honeytrap
  - IBM Billy Goat
19
Honeypot Deployment Challenges
- Approaches for analysing data collected from honeypots are presently immature
- Current analysis techniques are manual and focus mainly on identifying existing attacks
- Honeypots introduce medium to high risk to networks
- Honeypots require continuous monitoring
20
Conclusion
- Honeypots are essential tools for gathering useful information on a variety of malicious activities
- Analysis of anomalous activities in honeypot traffic presents a good research area
- Deploying honeypots would improve the security of networks through:
  - providing smaller, cleaner traffic data that are not mixed with real production traffic
21
Conclusion...
  - providing early alerts of new and previously unseen attacks
  - enabling organizations to conduct forensic investigations of incidents without the need to stop production networks
- Our ongoing research focuses on utilizing honeypots to improve the security of web servers, which are the most attacked targets
22
Thank You
Questions?
23