
TERM PAPER, SUBJECT: Cyber Incident Handling and Reporting

Cap-!"# $

TOPIC: Focus on Honeypots


Submitted to Lovely Professional University, Phagwara, for the partial fulfillment of the degree of MCA, 4th Semester

Submitted To:

Parvesh Mor (Lecturer)

Submitted By:

Name: Ajay Kumar, Roll No: D1E05, Reg. No: 11203102

ACKNOWLEDGEMENT

It is not until you undertake a project like this one that you realize how massive the effort really is, or how much you must rely upon the selfless efforts and goodwill of others. There are many who helped us with this project, and we want to thank them all from the core of our hearts. We owe special words of thanks to our teacher Parvesh Mor for their vision, thoughtful counselling and encouragement at every step of the project. We are also thankful to the teachers of the Department for giving us the best of knowledge and guidance throughout the project. And last but not least, we find no words to acknowledge the Analog clock application & moral support rendered by our parents in making the effort a success. All this has become reality because of their blessings and, above all, by the grace of God.

Ajay Kumar

Table of contents

Acknowledgement
Introduction
Honeypot Basics
Types of Honeypots
Different Honeypots
Value of Honeypots
Merits and Demerits
Future of Honeypots
Conclusion
References

INTRODUCTION

The Internet is growing fast, reportedly doubling its number of websites every 53 days, and the number of people using the Internet is growing too. Hence global communication is getting more important every day. At the same time, computer crime is also increasing. Countermeasures are developed to detect or prevent attacks, but most of these measures are based on known facts and known attack patterns. Countermeasures such as firewalls and network intrusion detection systems are built on prevention, detection and reaction mechanisms; but is there enough information about the enemy? As in the military, it is important to know who the enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy, but it is important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. Gathering as much information as possible is one main goal of a honeypot. Generally, such information gathering should be done silently, without alarming the attacker. All the gathered information gives the defending side an advantage and can therefore be applied to production systems to prevent attacks.

A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community, catching them in the act in order to press charges. The focus lies on the silent collection of as much information as possible about their attack patterns, the programs they use, the purpose of the attack and the blackhat community itself. All this information is used to learn more about blackhat proceedings and motives, as well as their technical knowledge and abilities. That is only the primary purpose of a honeypot; there are many other possibilities. Diverting hackers from production systems, or catching a hacker while an attack is in progress, are just two examples. Honeypots are not a perfect solution for solving or preventing computer crime.

HONEYPOT BASICS

Honeypots are an exciting technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg" and Bill Cheswick in his paper "An Evening with Berferd". Since then, honeypots have continued to evolve, developing into the powerful security tools they are today. The main aim of a honeypot is to lure hackers or attackers so as to capture their activities. This information proves very useful, since it can be used to study the vulnerabilities of the system or the latest techniques used by attackers. For this, the honeypot will contain enough information (not necessarily real) to tempt the attackers (hence the name honeypot: a sweet temptation for attackers). Their value lies in the bad guys interacting with them. Conceptually, almost all honeypots work the same way. They are a resource that has no authorized activity; they do not have any production value. Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity, and any connection attempt to a honeypot is most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that gives honeypots their tremendous advantages (and disadvantages).

TYPES OF HONEYPOTS

Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To better understand honeypots and all their different types, they are broken down into two general categories: low interaction and high interaction honeypots. These categories help to understand what type of honeypot one is dealing with, its strengths, and its weaknesses. Interaction defines the level of activity a honeypot allows an attacker.

Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation provided by the honeypot. For example, an emulated FTP service listening on port 21 may just emulate an FTP login, or it may support a variety of additional FTP commands. The advantage of a low interaction honeypot is its simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug-and-play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity: the attacker never has access to an operating system from which to attack or harm others. The main disadvantage of low interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, it is easier for an attacker to detect a low interaction honeypot: no matter how good the emulation is, a skilled attacker can eventually detect its presence. Examples of low interaction honeypots include Specter, Honeyd, and KFSensor.

High-interaction honeypots are different. They are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; the attackers are given the real thing. If one wants a Linux honeypot running an FTP server, one builds a real Linux system running a real FTP server. The advantages of such a solution are twofold. First, extensive amounts of information are captured. By giving attackers real systems to interact with, one can learn the full extent of the attacker's behavior, everything from new rootkits to international IRC sessions. Second, high interaction honeypots make no assumptions about how an attacker will behave. Instead, they provide an open environment that captures all activity, which allows high interaction solutions to reveal behavior one would not otherwise expect. An excellent example is how a Honeynet captured encoded backdoor commands on a non-standard IP protocol. However, this also increases the risk of the honeypot, as attackers can use these real operating systems to attack non-honeypot systems. As a result, additional technologies have to be implemented to prevent the attacker from harming other systems. In general, high interaction honeypots can do everything low interaction honeypots can do and much more, but they can be more complex to deploy and maintain. Examples of high interaction honeypots include Symantec Decoy Server and Honeynets.

Low-interaction: the solution emulates operating systems and services.
1. Easy to install and deploy.
2. Captures limited amounts of information.
3. Minimal risk, as the emulated services control what the attacker can do.

High-interaction: no emulation; a real OS and real services are provided.
1. Can capture far more information.
2. Can be complex to install or deploy.
3. Increased risk, as attackers are given a real OS to interact with.

Some people also classify honeypots as low, mid and high interaction honeypots, where mid interaction honeypots are those whose interaction level lies between that of low and high interaction honeypots.

DIFFERENT HONEYPOTS

BackOfficer Friendly
BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum and crew at NFR. It is an excellent example of a low interaction honeypot and a great way to introduce a beginner to the concepts and value of honeypots. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as HTTP, FTP, telnet, mail, or Back Orifice. Whenever someone attempts to connect to one of the ports BOF is listening on, it logs the attempt. BOF also has the option of "faking replies", which gives the attacker something to connect to. This way one can log HTTP attacks, telnet brute force logins, or a variety of other activity (see screenshot). The value of BOF is in detection, similar to a burglar alarm. It can monitor only a limited number of ports, but these ports often represent the most commonly scanned and targeted services.

Specter
Specter is a commercial product and another "low interaction" production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, it can emulate not only services but a variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. For example, Specter can emulate a web server or telnet server of any operating system. When an attacker connects, he is presented with an HTTP header or login banner. The attacker can then attempt to retrieve web pages or log in to the system. This activity is captured and recorded by Specter; however, there is little else the attacker can do. There is no real application for the attacker to interact with, just some limited, emulated functionality. Specter's value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also supports a variety of alerting and logging mechanisms (an example of this functionality can be seen in a screenshot of Specter). One of the unique features of Specter is that it also allows for information gathering, or the automated ability to gather more information about the attacker. Some of this information gathering is relatively passive, such as Whois or DNS lookups. However, some of this research is active, such as port scanning the attacker. Active probing of the attacker is a practical caveat: it reveals the honeypot's interest to the attacker and may itself be unlawful in some jurisdictions, so it is usually left disabled.

Homemade Honeypots
Another common honeypot is the homemade one. These honeypots tend to be low interaction. Their purpose is usually to capture specific activity, such as worms or scanning activity. They can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with; the risk is reduced because there is less damage the attacker can do. One common example is creating a service that listens on port 80 (HTTP) and captures all traffic to and from the port. This is commonly done to capture worm attacks. Homemade honeypots can be modified to do (and emulate) much more, requiring a higher level of involvement and incurring a higher level of risk. For example, FreeBSD has jail functionality, allowing an administrator to create a controlled environment within the operating system with which the attacker can then interact. The value here is that the more the attacker can do, the more can potentially be learned. However, care must be taken: the more functionality the attacker can interact with, the more can go wrong, with the honeypot potentially compromised.

Honeyd
Created by Niels Provos, Honeyd is an extremely powerful, open source honeypot. Designed to run on Unix systems, it can emulate over 400 different operating systems and thousands of different computers, all at the same time. Honeyd introduced some exciting new features. First, not only does it emulate operating systems at the application level, like Specter, but it also emulates them at the IP stack level. This means that when someone runs Nmap against the honeypot, both the services and the IP stack behave as the emulated operating system would. At the time of writing no other honeypot had this capability. Second, Honeyd can emulate hundreds if not thousands of different computers at the same time. While most honeypots can only emulate one computer at any point in time, Honeyd can assume the identity of thousands of different IP addresses. Third, as an open source solution, not only is it free to use, but it grows as members of the security community develop code for it.

Honeyd is primarily used for detecting attacks. It works by monitoring IP addresses that are unused, that have no system assigned to them. Whenever an attacker attempts to probe or attack a non-existent system, Honeyd, through ARP spoofing, assumes the IP address of the victim and then interacts with the attacker through emulated services. These emulated services are nothing more than scripts that react to predetermined actions. For example, a script can be developed to behave like the telnet service of a Cisco router, with the Cisco IOS login interface. Honeyd's emulated services are also open source, so anyone can develop and use their own. The scripts can be written in almost any language, such as shell or Perl. Once connected, the attacker believes they are interacting with a real system. Not only can Honeyd dynamically interact with attackers, but it can detect activity on any port. Most low interaction honeypots are limited to detecting attacks only on the ports on which emulated services are listening. Honeyd is different: it detects and logs connections made to any port, regardless of whether there is a service listening. The combined capabilities of assuming the identity of non-existent systems and detecting activity on any port give Honeyd incredible value as a tool to detect unauthorized activity. I highly encourage people to check it out, and if possible to contribute new emulated services.
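A Honeyd-style service script of the kind described above, added here as an example (it is not one of Honeyd's own scripts and is not from the paper). Honeyd hands the connection to the script over stdin/stdout; this one imitates the Cisco IOS telnet login, records every password tried and closes after three failures, as a real router does. The honeyd.conf lines in the docstring, the personality name and the HONEYD_IP_SRC environment variable are assumptions about how it would be wired in, shown for illustration only.

```python
"""Honeyd-style emulated service: a Cisco IOS telnet login prompt.

Added example, not a script shipped with Honeyd and not from the paper.
Honeyd runs the script with the TCP connection on stdin/stdout. The lines
below show how it would be wired in (assumed syntax and personality name):

    # honeyd.conf (assumed)
    # create router
    # set router personality "Cisco IOS 11.3 - 12.0(11)"
    # set router default tcp action reset
    # add router tcp port 23 "python3 cisco_telnet.py"
    # bind 192.0.2.50 router
"""
import json
import os
import sys
import time


def strip_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation (IAC <cmd> <opt>) so only the
    characters the attacker typed remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0xFF and i + 1 < len(data):
            nxt = data[i + 1]
            if nxt == 0xFF:                        # escaped literal 0xFF
                out.append(0xFF)
                i += 2
            elif nxt in (0xFB, 0xFC, 0xFD, 0xFE):  # WILL/WONT/DO/DONT <opt>
                i += 3
            else:                                  # other two-byte command
                i += 2
            continue
        out.append(b)
        i += 1
    return bytes(out)


class CiscoTelnetEmulator:
    """State machine for the login dialogue. No password is ever accepted:
    the value of the honeypot is the credentials the attacker tries."""
    BANNER = "\r\nUser Access Verification\r\n\r\nPassword: "
    MAX_TRIES = 3

    def __init__(self, src_ip: str = "unknown"):
        self.src_ip = src_ip
        self.attempts = []      # every password seen, in order
        self.closed = False

    def start(self) -> str:
        return self.BANNER

    def feed(self, line: str) -> str:
        """Consume one line typed at the prompt and return what to send back."""
        if self.closed:
            return ""
        password = line.rstrip("\r\n")
        self.attempts.append(password)
        self.log({"event": "password_attempt", "password": password,
                  "attempt": len(self.attempts)})
        if len(self.attempts) >= self.MAX_TRIES:
            self.closed = True
            return "\r\n% Bad passwords\r\n"
        return "\r\nPassword: "

    def log(self, fields: dict) -> None:
        """One JSON line per event on stderr, where Honeyd leaves it for collection."""
        fields.update({"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                       "src_ip": self.src_ip, "service": "cisco-telnet"})
        sys.stderr.write(json.dumps(fields) + "\n")
        sys.stderr.flush()


def main() -> None:
    # HONEYD_IP_SRC: assumed name of the variable carrying the attacker's address.
    emu = CiscoTelnetEmulator(os.environ.get("HONEYD_IP_SRC", "unknown"))
    out = sys.stdout.buffer
    out.write(emu.start().encode())
    out.flush()
    while not emu.closed:
        chunk = sys.stdin.buffer.readline()
        if not chunk:           # attacker disconnected
            break
        out.write(emu.feed(strip_iac(chunk).decode("latin-1")).encode())
        out.flush()


if __name__ == "__main__":
    main()
```

The dialogue is deliberately dumb: it never reaches an enable prompt, so the attacker cannot get further than guessing, and the three-strike close matches what a real IOS box does, which is what keeps the emulation believable long enough to harvest the password list.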


Mantrap
Produced by Recourse, Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four subsystems, often called "jails". These jails are logically discrete operating systems separated from a master operating system (see diagram). Security administrators can modify these jails just as they would any operating system, including installing applications of their choice, such as an Oracle database or an Apache web server. This makes the honeypot far more flexible, as it can do much more. The attacker has a full operating system to interact with and a variety of applications to attack. All of this activity is captured and recorded. Not only can we detect port scans and telnet logins, but we can capture rootkits, application level attacks, IRC chat sessions, and a variety of other threats. However, just as far more can be learned, so more can go wrong. Once compromised, the attacker can use that fully functional operating system to attack others, and care must be taken to mitigate this risk. As such, it can be categorized as a mid to high level of interaction. These honeypots can be used either as production honeypots (for both detection and reaction) or as research honeypots to learn more about threats. There are limitations to this solution. The biggest is that we are limited to what the vendor supplies. Currently, Mantrap exists only on the Solaris operating system.

Honeynets
Honeynets represent the extreme of research honeypots. They are high interaction honeypots from which one can learn a great deal; however, they also carry the highest level of risk. Their primary value lies in research, gaining information on the threats that exist in the Internet community today. A Honeynet is a network of production systems. Unlike many of the honeypots discussed so far, nothing is emulated, and little or no modification is made to the honeypots. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. This gives the attackers a full range of systems, applications, and functionality to attack. All of their activity, from encrypted SSH sessions to emails and file uploads, is captured without their knowledge. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. From this we can learn a great deal: not only their tools and tactics, but their methods of communication, group organization, and motives. However, with this capability comes a great deal of risk. A variety of measures must be taken to ensure that, once compromised, a Honeynet cannot be used to attack others. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems but prevents the attacker from harming other, non-Honeynet computers. Honeynets are primarily research honeypots. They could be used as production honeypots, specifically for detection or reaction, but it is most likely not worth the time and effort.

We have reviewed six different types of honeypots. No one honeypot is better than another; each has its advantages and disadvantages, and it all depends on what is to be achieved. To more easily define the capabilities of honeypots, we have categorized them based on their level of interaction. The greater the interaction an attacker has, the more we can learn, but the greater the risk. For example, BOF and Specter represent low interaction honeypots. They are easy to deploy and have minimal risk; however, they are limited to emulating specific services and operating systems and are used primarily for detection. Mantrap and Honeynets represent mid-to-high interaction honeypots. They can give far greater depth of information, but more work and greater risk are involved.

Sometimes honeypots are also classified as hardware based and software based. Hardware-based honeypots are servers, switches or routers that have been partially disabled and made attractive with commonly known misconfigurations. They sit on the internal network, serving no purpose but to look real to outsiders. The operating system of each box, however, has been subtly disabled with tweaks that prevent hackers from really taking it over or using it to launch new attacks on other servers. Software emulation honeypots, on the other hand, are elaborate deception programs that mimic real Linux or other servers and can run on machines as low-powered as a 233 MHz PC. Since an intruder is just dancing with a software decoy, at no time does he come close to actually seizing control of the hardware, no matter what the fake prompts seem to indicate. Even if the hacker figures out that it is a software honeypot, the box on which it is running should be so secure or isolated that he could do nothing but leave anyway. Software emulation might be more useful for corporate environments where business secrets are being safeguarded.

VALUE OF HONEYPOTS

Now that we have an understanding of the two general categories of honeypots, we can focus on their value; specifically, how we can use them. Once again there are two general categories: honeypots can be used for production purposes or for research. When used for production purposes, honeypots protect an organization. This includes preventing, detecting, or helping the organization respond to an attack. When used for research purposes, honeypots collect information. This information has different value to different organizations. Some may want to study trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low interaction honeypots are often used for production purposes, while high interaction honeypots are used for research. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways: prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.

1. Prevention: Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools attack and take over the system (worms self-replicate, copying themselves to the victim). One way honeypots can help defend against such attacks is by slowing their scanning down, potentially even stopping it. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, they interact with the attacker and slow it down. They do this using a variety of TCP tricks, such as advertising a TCP window size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated the internal organization. One example of a sticky honeypot is the LaBrea tarpit. Sticky honeypots are most often low interaction solutions (one can almost call them "no interaction" solutions, as they slow the attacker down to a crawl). Honeypots can also be used to protect the organization from human attackers. The concept is deception or deterrence. The idea is to confuse an attacker, to make him waste his time and resources interacting with honeypots. Meanwhile, the organization being attacked detects the attacker's activity and has the time to respond and stop the attacker. This can be taken one step further. If an attacker knows an organization is using honeypots, but does not know which systems are honeypots and which are legitimate computers, they may be concerned about being caught by honeypots and decide not to attack the organization. Thus the honeypot deters the attacker. An example of a honeypot designed to do this is the Deception Toolkit, a low interaction honeypot.

2. Detection: The second way honeypots can help protect an organization is through detection. Detection is critical; its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than that humans are involved in the process. By detecting an attacker, you can quickly react, stopping or mitigating the damage they do. Traditionally, detection has proven extremely difficult. Technologies such as IDS sensors and system logs have proved ineffective for several reasons: they generate far too much data, a large percentage of it false positives (alerts generated when the sensor recognized the configured signature of an "attack" that was in reality just valid traffic), they cannot detect new attacks, and they cannot work in encrypted or IPv6 environments (at least the IDS products of the time). Honeypots excel at detection, addressing many of these problems. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature. By definition, any time a connection is made to the honeypot, it is most likely an unauthorized probe, scan, or attack; any time the honeypot initiates a connection, the system was most likely compromised. This reduces both false positives and false negatives, greatly simplifying detection by capturing small data sets of high value; it also captures unknown attacks such as new exploits or polymorphic shellcode, and works in encrypted and IPv6 environments. In general, low interaction honeypots make the best solutions for detection. They are easier to deploy and maintain than high interaction honeypots and carry reduced risk.

3. Response: The third and final way a honeypot can help protect an organization is in response. Once an organization has detected a failure, how does it respond? This can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations, detailed information on the attacker's activity is critical. Two problems compound incident response. First, often the very systems compromised cannot be taken offline for analysis. Production systems, such as an organization's mail server, are so critical that even though the server has been hacked, security professionals may not be able to take it down and do a proper forensic analysis. Instead, they are limited to analyzing the live system while it is still providing production services. This cripples the ability to analyze what happened, how much damage the attacker has done, and whether the attacker has broken into other systems. The other problem is that even if the system is pulled offline, there is so much data pollution that it can be very difficult to determine what the bad guy did. By data pollution I mean that there has been so much activity (users logging in, mail accounts read, files written to databases, etc.) that it can be difficult to separate normal day-to-day activity from the attacker's. Honeypots help address both problems. They make an excellent incident response tool, as they can quickly and easily be taken offline for a full forensic analysis without impacting day-to-day business operations. Also, the only activity a honeypot captures is unauthorized or malicious, which makes hacked honeypots much easier to analyze than hacked production systems, since any data retrieved from a honeypot is most likely related to the attacker. The value honeypots provide here is quickly giving organizations the in-depth information they need to respond rapidly and effectively to an incident. In general, high interaction honeypots make the best solution for response. To respond to an intruder you need in-depth knowledge of what they did, how they broke in, and the tools they used, and for that type of data you most likely need the capabilities of a high interaction honeypot.

Up to this point we have been talking about how honeypots can be used to protect an organization. We will now talk about a different use for honeypots: research. Honeypots are extremely powerful; not only can they protect your organization, they can be used to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is a lack of information or intelligence on cyber threats. How can we defend against an enemy when we do not even know who that enemy is? For centuries military organizations have depended on information to better understand who their enemy is and how to defend against them. Why should information security be any different? Research honeypots address this by collecting information on threats. This information can then be used for a variety of purposes, including trend analysis, identifying new tools or methods, identifying attackers and their communities, early warning and prediction, or understanding motivations. One of the best known examples of using honeypots for research is the work done by the Honeynet Project, an all-volunteer, non-profit security research organization. All of the data it collects comes from Honeynets distributed around the world. As threats are constantly changing, this information is proving more and more critical.
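The two detection rules stated above (any connection to a honeypot is a probe; any connection from a honeypot means it was compromised) and the Honeywall's outbound data control described in the Honeynets section, applied to flow records in one added example. This is not the Honeywall's code nor code from the paper; the flow line format, the honeypot addresses and the limit of 20 outbound connections per hour are constructed for the example.

```python
"""Honeypot flow monitor: detection rule plus outbound data control.

Added example, not the Honeywall's code and not from the paper. Rules applied:
  * flow TO a honeypot      -> probe (alert): no production activity exists there
  * flow FROM a honeypot    -> compromise (alert), allowed up to a per-hour limit
                               so the attacker keeps interacting, dropped beyond it
                               so other systems are not harmed
  * anything else           -> ignored (production traffic is not our concern)
Honeypot addresses, log line format and the limit are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

HONEYPOTS = {"192.0.2.10", "192.0.2.11"}   # assumed honeypot addresses
OUTBOUND_LIMIT_PER_HOUR = 20                # assumed data-control limit

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>\w+)$")


def parse_flow(line: str) -> dict:
    """Parse one constructed flow line such as
    '2003-06-30T10:15:01Z 203.0.113.7:51234 -> 192.0.2.10:23 tcp'."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable flow line: %r" % line)
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


class HoneypotMonitor:
    def __init__(self, honeypots=HONEYPOTS, limit=OUTBOUND_LIMIT_PER_HOUR):
        self.honeypots = set(honeypots)
        self.limit = limit
        self._outbound = defaultdict(list)   # honeypot -> timestamps of outbound flows

    def classify(self, flow: dict) -> tuple:
        """Return (verdict, action): verdict is probe | compromise | ignore,
        action is alert | drop | none. Flows are assumed to arrive in time order."""
        src, dst, ts = flow["src"], flow["dst"], flow["ts"]
        if dst in self.honeypots:
            return "probe", "alert"
        if src in self.honeypots:
            # Sliding one-hour window; dropped connections still count toward it.
            window = [t for t in self._outbound[src] if (ts - t).total_seconds() < 3600]
            window.append(ts)
            self._outbound[src] = window
            if len(window) > self.limit:
                return "compromise", "drop"
            return "compromise", "alert"
        return "ignore", "none"

    def run(self, lines):
        """Classify every non-empty line; return a list of (verdict, action, flow)."""
        results = []
        for line in lines:
            if not line.strip():
                continue
            flow = parse_flow(line)
            verdict, action = self.classify(flow)
            results.append((verdict, action, flow))
        return results


def summarize(results) -> Counter:
    """Count (verdict, action) pairs: the 'small data set of high value'."""
    return Counter((v, a) for v, a, _ in results)


# Constructed sample: two inbound probes, one unrelated production flow, and
# one outbound IRC connection initiated by a honeypot.
SAMPLE_LOG = """\
2003-06-30T10:15:01Z 203.0.113.7:51234 -> 192.0.2.10:23 tcp
2003-06-30T10:15:02Z 198.51.100.20:40001 -> 198.51.100.30:80 tcp
2003-06-30T10:16:00Z 203.0.113.7:51240 -> 192.0.2.10:80 tcp
2003-06-30T10:20:00Z 192.0.2.10:1025 -> 203.0.113.99:6667 tcp
"""

if __name__ == "__main__":
    for verdict, action, flow in HoneypotMonitor().run(SAMPLE_LOG.splitlines()):
        print(verdict, action, flow["src"], "->", flow["dst"], flow["dport"])
```

The outbound branch is the one that matters operationally: the first outbound connection from a honeypot is the compromise signal, and the limit is what lets the attacker download tools and chat on IRC (which is the research value) without the honeypot becoming a launch point for the next victim.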

MERITS AND DEMERITS

Merits: Honeypots have a large number of merits in their favour. They are:
• Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they may log only one MB; instead of generating 10,000 alerts a day, they may generate only 10. Remember, honeypots capture only bad activity: any interaction with a honeypot is most likely unauthorized or malicious. As such, honeypots reduce "noise" by collecting only small data sets, but of high value, as they contain only the bad guys. This means it is much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.
• New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
• Minimal resources: Honeypots require minimal resources, as they capture only bad activity. This means an old Pentium computer with 128 MB of RAM can easily handle an entire class B network sitting off an OC-12 link.
• Encryption or IPv6: Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.
• Information: Honeypots can collect in-depth information that few, if any, other technologies can match.
• Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

Demerits: Like any technology, honeypots also have their weaknesses. It is because of this that they do not replace any current technology but work alongside existing technologies.
• Limited view: Honeypots can only track and capture activity that directly interacts with them. They will not capture attacks against other systems unless the attacker or threat also interacts with the honeypot.
• Risk: All security technologies have risk. Firewalls risk being penetrated, encryption risks being broken, IDS sensors risk failing to detect attacks. Honeypots are no different. Specifically, honeypots risk being taken over by the bad guy and used to harm other systems. This risk varies between honeypots: depending on the type, a honeypot can have no more risk than an IDS sensor, while some honeypots carry a great deal of risk.


FUTURE OF HONEYPOTS

Mr. Lance Spitzner, who has played a major role in the development of honeypots, has made certain predictions about the future of honeypots. They are as follows:
• Government projects: Currently honeypots are mainly used by organizations to detect intruders within the organization, to defend against external threats and to protect the organization. In future, honeypots will play a major role in government projects, especially by the military, to gain information about the enemy and about those trying to get at government secrets.
• Ease of use: In future honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home without difficulty.
• Closer integration: Currently honeypots are used along with other technologies such as firewalls, Tripwire, IDS etc. As technologies develop, honeypots will be used in closer integration with them. For example, honeypots are being developed for Wi-Fi or wireless computers; however, this development is still under research.
• Specific purpose: Certain features such as honeytokens are already under development to target honeypots at a specific purpose only, e.g. catching only those attempting credit card fraud.
• Honeypots will be used widely for expanding research applications in future.
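A honeytoken of the kind mentioned under "specific purpose", as an added example (not from the paper): a honeytoken is a honeypot that is data rather than a machine. A card number that belongs to nobody, generated so that it passes the Luhn check a thief's validator applies, is planted in the customer records and never legitimately used; any later appearance of it in a transaction log, outbound mail or a paste site means the record store was read by someone who should not have. The seed, the sample log lines and the field names are constructed for this example.

```python
"""Credit-card honeytoken: plant a Luhn-valid number nobody owns, alert on use.

Added example, not from the paper. Names, seed and log lines are constructed.
"""
import random
import re


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid. Walking from the
    right, the digit immediately left of the check digit is doubled."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the digits of number (separators ignored) satisfy Luhn."""
    digits = re.sub(r"\D", "", number)
    return len(digits) >= 2 and luhn_check_digit(digits[:-1]) == digits[-1]


def make_card_honeytoken(prefix: str = "4", length: int = 16, seed: int = 7) -> str:
    """Deterministic (seeded) Luhn-valid number with the given prefix, so the
    same token can be regenerated for the detector without storing it twice."""
    rng = random.Random(seed)
    body = prefix + "".join(rng.choice("0123456789")
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def normalize(text: str) -> str:
    """Drop spaces and dashes so '4111-1111-...' and '4111 1111 ...' both match."""
    return re.sub(r"[\s-]", "", text)


def scan_for_tokens(lines, tokens) -> list:
    """Return (line_number, token) for every planted token seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        flat = normalize(line)
        for tok in tokens:
            if tok in flat:
                hits.append((n, tok))
    return hits


# The planted record (constructed): this number exists only in the honeytoken row.
CARD_TOKEN = make_card_honeytoken()
HONEYTOKENS = {CARD_TOKEN}

# Constructed log: one legitimate-looking transaction, then a use of the planted
# number with dashes, the way a downstream system might print it.
SAMPLE_LOG = [
    "2003-06-30 10:01:22 AUTH ok card=4111111111111111 amount=19.99",
    "2003-06-30 10:05:41 AUTH ok card=%s amount=499.00"
    % "-".join(CARD_TOKEN[i:i + 4] for i in range(0, 16, 4)),
]

if __name__ == "__main__":
    print("planted token:", CARD_TOKEN, "luhn_valid:", luhn_valid(CARD_TOKEN))
    for n, tok in scan_for_tokens(SAMPLE_LOG, HONEYTOKENS):
        print("ALERT: honeytoken used on line", n, tok)
```

The token only works if it is unique and unused: seed it from a secret, give it a realistic owner record, and make sure no test or batch job ever legitimately touches it, otherwise the alert is just another false positive.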


CONCLUSION

This paper has given an in-depth account of honeypots and their contributions to the security community. A honeypot is just a tool; how one uses this tool is up to them. Honeypots are in their infancy, and new ideas and technologies will surface in the coming years. At the same time, as honeypots get more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good guys and the black hat community. Let us hope that such a technology will be used to restore the peace and prosperity of the world and not to give the world a devastating end.

REFERENCES

1. Spitzner, Lance. "Honeypots: Tracking Hackers". Addison-Wesley: Boston, 2002.
2. Spitzner, Lance. "The Value of Honeypots, Part Two: Honeypot Solutions and Legal Issues". 10 Nov. 2002. <http://online.securityfocus.com/infocus/1498>
3. Spitzner, Lance. "Know Your Enemy: Honeynets". 18 Sep. 2002. <http://project.honeynet.org/papers/honeynet/>
4. "Honeypots Turn the Table on Hackers". 30 June 2003. <www.itmanagement.earthweb.com/secu/article.php/1436291>
5. <www.tracking-hackers.com>
6. Hatch, Brian. "Honeypots - What the Hell are They?". New Order, 11/6/2003 11:36. <www.linuxsecurity.com>
