8/3/2019 himani gaur honeypot
Agenda
Introduction to HoneyPot
Classification of HoneyPot
Working of HoneyPot
Value Of HoneyPot
Conclusion
Q&A
Introduction
They are a trap set to detect, deflect & counteract attempts at unauthorized use of information systems.
Flexible security tool.
They prevent multiple problems.
They detect a problem.
They gather information.
It is an information system resource whose value lies in unauthorized or illicit use of that resource.
What is HoneyPot?
A HoneyPot is an intrusion detection tool used to study hackers' movements.
Virtual machine that sits after a private network.
Goals of HoneyPot
Should look as real as possible!
Should include files that are of interest to the hacker
Should be able to do logging and auditing of all the activities of hacker
Why HoneyPot?
Security: A serious Problem
Firewall: A Traffic Cop
Problems:
Internal Threats
Virus Laden Programs
IDS: Detection and Alert
Problems:
False Positives
False Negatives
Standards:
Security: A serious Problem
Firewall
IDS
HoneyNets
An additional layer of security
Classification of HoneyPot
By Level Of Interaction
High
Low
By Implementation
Virtual
Physical
By Purpose
Production
Research
Low Interaction HoneyPot
Limited interaction.
Work by emulating services and operating systems.
Simulate only services that cannot be exploited to get complete access to the Honeypot.
Attacker activity is limited to the level of emulation.
Examples: Specter, Honeyd, and KFSensor.
High Interaction HoneyPot
They involve real operating systems and applications.
Nothing is emulated; the attackers are given the real thing.
A high-interaction Honeypot can be compromised completely, allowing an adversary to gain full access to the system.
Examples: Symantec Decoy Server and Honeynets.
Physical Vs Virtual HoneyPot
Physical:
Real machines
Own IP Addresses
Often high-interactive
Virtual:
Simulated by other machines that:
Respond to the traffic sent to the Honeypot
May simulate a lot of (different) virtual Honeypots at the same time
Production Vs Research HoneyPot
Production HoneyPot:
They capture only limited information
Are used by limited organizations
Easy to use
They help to keep bad elements out
Research HoneyPot:
These are complex to deploy but capture extensive information, which is primarily used by research, military or government organizations.
Working of Honeynet (High interaction HoneyPot)
Honeynet has 3 components:
1. Data control
2. Data capture
3. Data analysis
Working of Honeyd (Low interaction HoneyPot)
Open Source and designed to run on Unix systems
Concept - Monitoring unused IP space
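The Honeyd concept above, monitoring unused IP space, rests on the fact that no legitimate host lives at an unused address, so any traffic sent there is worth logging. The following added example (not from the original slides and not Honeyd's own code) applies that idea to constructed flow records; the address ranges, record format and function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (constructed): one monitored /24 in which only three addresses
# belong to real hosts; every other address is unused space watched by the honeypot.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.20", "192.0.2.53")}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2019-03-08T10:00:01 198.51.100.7 192.0.2.10 443
2019-03-08T10:00:02 203.0.113.9 192.0.2.77 22
2019-03-08T10:00:03 203.0.113.9 192.0.2.78 22
2019-03-08T10:00:04 203.0.113.9 192.0.2.79 23
2019-03-08T10:00:05 198.51.100.7 192.0.2.20 25
2019-03-08T10:00:06 198.51.100.44 192.0.2.200 445
malformed line here
2019-03-08T10:00:07 198.51.100.7 10.1.1.1 80
"""

def is_unused(dst):
    """True when dst lies in the monitored range but belongs to no real host."""
    return dst in MONITORED_NET and dst not in ASSIGNED_HOSTS

def honeypot_hits(flow_text):
    """Group traffic aimed at unused addresses by source IP."""
    hits = defaultdict(lambda: {"targets": set(), "ports": set()})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _, src, dst, port = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            src_key, dport = str(ipaddress.ip_address(src)), int(port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if is_unused(dst_ip):
            hits[src_key]["targets"].add(str(dst_ip))
            hits[src_key]["ports"].add(dport)
    return dict(hits)

def sweep_sources(hits, min_targets=3):
    """Sources that touched several distinct unused addresses (likely scanning)."""
    return sorted(s for s, h in hits.items() if len(h["targets"]) >= min_targets)

if __name__ == "__main__":
    found = honeypot_hits(SAMPLE_FLOWS)
    print(found, "sweeping:", sweep_sources(found))
```

Traffic to the three assigned hosts is ignored, which is why the resulting data set stays small: every record that remains was sent to an address nobody should be talking to.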
Advantages:
Small data sets of high value.
Easier and cheaper to analyze the data
Designed to capture anything thrown at them, including tools or tactics never used before
Require minimal resources
Work fine in encrypted or IPv6 environments
Can collect in-depth information
Conceptually very simple
Disadvantages
All security technologies have risk
Building, configuring, deploying and maintaining a high-interaction HoneyPot is time consuming
High interaction HoneyPot introduces a high level of risk
Low interaction Honeypots are easily detectable by skilled attackers
Conclusion
Not a solution!
Can collect in-depth data which no other technology can
Different from others: its value lies in being attacked, probed or compromised
Extremely useful in observing hacker movements and preparing the systems for future attacks