
Honeypots and Honeynets A New Response to Cybercrime Analysis NAAG Seattle 04


Presentation Transcript


    1. Honeypots and Honeynets A New Response to Cybercrime Analysis NAAG Seattle 04/14/03 Know Your Enemy is the purpose of the Honeynet Project. The book you see listed above was written by the Project based on their two years of research. You can find out more about the book online at http://www.honeynet.org/book/

    2. Agenda The Honeynet Project The Enemy Honeypot Basics Honeypots In Use Legal Implications

    3. Honeynet Project Goals Awareness: To raise awareness of the different types of honeypots that exist Information: To teach and inform about the application of honeypots Research: To spur thought provoking discussion and help drive innovation and research in this emerging space

    4. The Threat is Real The blackhat community is extremely active 20+ unique scans a day (20/hour on UW network) Fastest time honeypot manually compromised, 15 minutes: worm, 92 seconds Default RH 6.2 life expectancy is 72 hours (fresh Windows 2000 install on UW network: 2 hours) 100% - 900% increase of activity from 2000 to 2001 It's only getting worse http://www.honeynet.org/papers/stats/ Keep in mind this statistical information was gathered during 2000-2001. We fully believe that the threats on the Internet are exponentially more active due to the release of highly automated tools, such as worms and auto-rooters.

    5. Know Your Enemy

    6. Rising Attack Sophistication Black hats have the initiative; attack whatever they want, whenever they want Public knows very little about the black hats (Who are they? How do they attack? Why?) Arms races, and the bad guys are always ahead

    7. Methodology One of the most common tactics seen is attacking targets of opportunity Drive-by shootings on the information superhighway Scanning as many systems as possible and going for the easy kill If only 1% of systems are vulnerable, and you scan over 1 million hosts, you can potentially hack into 10,000 systems

    8. What are they looking for? Keep in mind this statistical information was gathered during 2000-2001. We fully believe that the threats on the Internet are exponentially more active due to the release of highly automated tools, such as worms and auto-rooters.

    9. Evolution Firewalls Early 90s Must have deployed before anything else Intrusion Detection System (IDS) Mid to late 90s We can't guard everything, so let's watch the network for suspicious traffic Honeypots Early 2000 Not only do we want to know when the black hats are attacking, but also answer the question, "Why?" Let's learn rather than just react

    10. Concept of Honeypots A security resource whose value lies in being probed, attacked or compromised Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise Used for monitoring, detecting and analyzing attacks

    11. The Role Of Honeypots In The Enterprise Augments Firewalls and IDS Research Incident Response / Forensics Deception / Deterrence

    12. Advantages Fidelity Information of high value Reduced false positives Reduced false negatives Simple concept Not resource intensive Return on Investment

    13. Disadvantages Labor/skill intensive Risk Limited field of view Does not protect vulnerable systems

    14. Today's honeypots Military, government organizations, security companies applying the technologies Primarily to identify threats and learn more about them Commercial application increasing every day

    15. Utility Identifying new exploits

    16. Future Honeypots are now where firewalls were eight years ago Beginning of the hype curve Predict you will see five more commercial honeypots by the end of 2003 Enhanced policy enforcement capabilities Advance development in Open Source solutions Integrated firewall/IDS/honeypot appliances

    17. Gen II Honeynet

    18. Virtual Honeynet

    19. Live Demo

    20. Top 10 attacked ports

    21. Attacks logged

    22. IRC traffic plugin output

    23. Legal Issues Entrapment Liability Privacy

    24. Entrapment Applies only to law enforcement Useful only as defense in criminal prosecution Still, most legal authorities consider honeypots non-entrapment

    25. Liability Any organization may be liable if their honeypot is used to attack or damage third parties. Civil issue, not criminal Example: T.J. Hooper v. Northern Barge Corp. (No weather radios) Decided at state level, not federal This is why the Honeynet Project focuses so much attention on Data Control.
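The "no production value" rule from slide 10, the "top attacked ports" and "attacks logged" views from slides 20-21, and the Data Control concern from this slide can be demonstrated on a honeynet gateway's connection log. The following is an added example, not code from the talk or the Honeynet Project: it assumes an iptables-style LOG format, a honeypot range of 192.0.2.0/24, constructed sample lines, and an arbitrary outbound-connection threshold.

```python
import ipaddress
import re
from collections import Counter

# Honeypot address range for this example (assumed; RFC 5737 documentation space).
HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed iptables-style LOG lines, as a honeynet gateway might record them.
SAMPLE_LOG = """\
Apr 14 02:11:05 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=80 SYN
Apr 14 02:12:40 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.11 PROTO=TCP SPT=51003 DPT=80 SYN
Apr 14 02:13:02 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.11 PROTO=TCP SPT=51004 DPT=22 SYN
Apr 14 02:15:17 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=137
Apr 14 02:31:55 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.50 PROTO=TCP SPT=1029 DPT=6667 SYN
Apr 14 02:32:01 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.51 PROTO=TCP SPT=1030 DPT=6667 SYN
Apr 14 02:32:08 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.52 PROTO=TCP SPT=1031 DPT=6667 SYN
"""

FIELD_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line has no such fields."""
    m = FIELD_RE.search(line)
    return (m["src"], m["dst"], m["proto"], int(m["dpt"])) if m else None

def classify(rec):
    """A honeypot has no production value, so every flow touching it matters:
    traffic TO it is a probe or attack; traffic FROM it means the box was
    compromised and is being turned against third parties (a liability risk)."""
    src, dst, _, _ = rec
    if ipaddress.ip_address(src) in HONEYPOT_NET:
        return "outbound"
    return "inbound" if ipaddress.ip_address(dst) in HONEYPOT_NET else "other"

def top_attacked_ports(log_text, n=10):
    """List of ((proto, dport), count) for inbound flows, most common first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == "inbound":
            counts[(rec[2], rec[3])] += 1
    return counts.most_common(n)

def outbound_alerts(log_text, limit=2):
    """Data Control check: honeypots whose outbound connection count exceeds
    `limit` (an assumed threshold for this example, not the Project's)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == "outbound":
            counts[rec[0]] += 1
    return {ip: n for ip, n in counts.items() if n > limit}
```

On the sample data, `top_attacked_ports(SAMPLE_LOG)` ranks TCP/80 first and `outbound_alerts(SAMPLE_LOG)` flags 192.0.2.10, whose three outbound IRC connections would be the point at which a Gen II gateway should start blocking.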

    26. Privacy No single federal statute (USA) concerning privacy Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968) Title I: Wiretap Act (18 USC 2510-22) Title II: Stored Communications Act (18 USC 2701-11) Title III: Pen/Trap Act (18 USC 3121-27)

    27. Questions? Email dittrich@u.washington.edu Slides available at: http://staff.washington.edu/dittrich/talks/NAAG.ppt
