The Honeynet Project
Presented by Kirby Kuehl
• Background
• Feel free to ask questions
• Email: firstname.lastname@example.org
Overview
• Introduction to the Honeynet Project
• Honeypots and Honeynets
• Generation 1 Honeynet Design
• Honeynet Research Alliance
• Generation 2 Honeynet Design
• Conclusion
Introduction
Security has traditionally focused on defensive measures such as firewalls, Intrusion Detection Systems, and encryption. The bad guys have had the initiative: organizations could only sit and wait for a failure in their defenses. The Honeynet Project attempts to proactively gather information on hacker activity.
The Honeynet Project
The group informally began in April 1999 as the Wargames mailing list. The Honeynet Project officially formed in June 2000 and became a non-profit corporation in September 2001. The Honeynet Project is made up of thirty security professionals who volunteer our own time and resources to research the hacker community.
Honeynet Project Goals
• Learn the tools, tactics, and motives of the hacker community.
• Raise security awareness through the release of information gathered from our research.
• Provide information to better secure and defend your resources.
• Share intelligence-gathering methods.
“Know Your Enemy” Whitepapers
The Honeynet Project has released several “Know Your Enemy” security whitepapers which share technical, statistical, and forensic information gathered from our research.
http://project.honeynet.org/papers/
Scan of the Month
This monthly project challenges the security community to analyze and identify hacker attack signatures. The Scan of the Month challenge will resume in the spring of 2002.
http://project.honeynet.org/scans/
Forensic Challenge
Challenged the security community to conduct a COMPLETE forensic analysis of an actual compromised system. Published our own detailed analysis as well as those of each contestant. The Honeynet Project will be conducting another forensic challenge in the near future.
http://project.honeynet.org/challenge/
“Know Your Enemy” Book
http://project.honeynet.org/book/
What is a honeypot?
A honeypot is an application designed to lure in a hacker, allow the hacker to attack and compromise the system, and learn the hacker’s motive without harm to any real systems or real data.
How do honeypots work?
Commercial products such as ManTrap from Recourse Technologies and Specter are applications that run on a single host and emulate multiple operating systems running various vulnerable services. Attackers are contained in a controlled environment within the honeypot software and their actions are logged.
Commercial Honeypots
• ManTrap from Recourse Technologies (requires Solaris): able to emulate up to 4 hosts (each running Solaris) running various services. You can run virtually any application in a chrooted cage.
• Specter (requires Windows NT): can emulate 11 operating systems. Limited to emulating 13 different vulnerable services.
• NetFacade (requires Solaris): can simulate up to a class C. Able to simulate 8 different OSes and 13 different services.
• Deception Toolkit: set of Perl scripts that can emulate various vulnerable services.
What is a Honeynet?
A Honeynet is an actual network of computers left in their default (and insecure) configuration. This network sits behind a firewall where all inbound and outbound data is contained, captured and controlled. The captured information is then analyzed to learn the tools, tactics, and motives of the hacker community.
Worth the Risk and Effort?
• Honeynets introduce additional risk to an environment by attracting attention to their seemingly insecure configuration.
• They require constant maintenance and administration.
• Data analysis is very time consuming: a single compromise on average requires 30-40 hours of analysis.
How the Honeynet works
• A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
• All traffic entering or leaving the Honeynet is suspect by nature.
Data Control: Firewall
The Check Point FW-1 firewall is our primary tool for controlling inbound and outbound connections. Our firewall is designed to allow any inbound connection and limit the number of outbound connections to five.
(Slide links: FW-1 Script, FW-1 Alert)
Data Control: Router
The Cisco router supplements the firewall and is used to protect against spoofed or ICMP-based attacks. The router allows only packets with a source IP address belonging to the Honeynet to leave the router (ingress filtering).
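The two data-control rules above (accept any inbound connection, block a honeypot after five outbound connections, and let only honeynet-sourced packets leave) as an added example that is not the project's FW-1 script or router configuration: it replays constructed connection records in a simplified format of our own, and the honeynet address range is an assumed placeholder.

```python
import ipaddress
from collections import defaultdict

# Assumed honeynet address range (RFC 5737 documentation space, a placeholder).
HONEYNET = ipaddress.ip_network("192.0.2.0/24")
OUTBOUND_LIMIT = 5  # outbound connections allowed per honeypot (from the slide)

# Constructed connection records as "direction src dst dport"; this is our own
# simplified form, not Check Point FW-1's native log format.
SAMPLE_LOG = """\
in 203.0.113.9 192.0.2.10 21
out 192.0.2.10 198.51.100.5 6667
out 192.0.2.10 198.51.100.6 6667
out 192.0.2.10 198.51.100.7 80
out 192.0.2.10 198.51.100.8 80
out 192.0.2.10 198.51.100.9 22
out 192.0.2.10 198.51.100.10 22
out 10.9.9.9 198.51.100.11 53
in 203.0.113.9 192.0.2.11 80
"""

def router_egress_ok(src):
    """Router rule: only packets sourced from the honeynet may leave."""
    return ipaddress.ip_address(src) in HONEYNET

class DataControl:
    """Firewall policy: accept all inbound; count outbound connections per
    honeypot and block (plus alert) once a host exceeds OUTBOUND_LIMIT."""
    def __init__(self):
        self.outbound = defaultdict(int)
        self.alerts = []

    def process(self, line):
        direction, src, dst, dport = line.split()
        if direction == "in":
            return "accept"        # inbound is always allowed (that is the bait)
        if not router_egress_ok(src):
            return "drop-spoofed"  # spoofed source: the router's filter drops it
        self.outbound[src] += 1
        if self.outbound[src] > OUTBOUND_LIMIT:
            self.alerts.append(f"{src} exceeded {OUTBOUND_LIMIT} outbound connections")
            return "block"         # compromised honeypot trying to attack outward
        return "accept"

def run(log=SAMPLE_LOG):
    """Return the action taken for each record plus any alerts raised."""
    dc = DataControl()
    actions = [dc.process(l) for l in log.splitlines() if l.strip()]
    return actions, dc.alerts
```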
Data Capture: IDS
The firewall logs all connections initiated to and from the Honeynet. The Snort IDS logs ALL data in tcpdump format, using UTC timestamps. Snort is also configured to send an alert when certain attack signatures are seen.
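A minimal reader for the tcpdump (libpcap) capture format Snort writes, added here as an example and not part of the project's tooling: the record timestamps are seconds since the Unix epoch, so the reader renders them explicitly as UTC, which is why the slide's UTC convention matters when sensors in different time zones are correlated. The capture it parses is constructed in memory.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # native-order magic of the libpcap global header

def build_pcap(records):
    """Construct a little-endian tcpdump-format capture in memory from
    (ts_sec, ts_usec, payload) tuples. Sample data, not a real capture."""
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p
                    for s, u, p in records)
    return header + body

def read_pcap(data):
    """Parse the global header and every packet record, returning the
    snaplen, link type and a list of (utc_iso_timestamp, orig_len, bytes)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:      # same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a tcpdump-format capture")
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack_from(
        end + "IHHiIII", data, 0)
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        payload = data[off:off + incl]
        off += incl
        # Epoch seconds carry no zone; render as UTC so sensors agree.
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
        when = when.replace(microsecond=ts_usec)
        packets.append((when.isoformat(), orig, payload))
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}
```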
Data Capture: Syslog
The central syslog server is a hardened host within the Honeynet. Its role is to attract more sophisticated attacks once a blackhat has compromised one of the default-configuration Honeynet systems.
The Threat is Increasing
The hacker community is extremely aggressive.
• 17+ unique scans a day.
• Fastest honeypot compromise was 15 minutes.
• Default RedHat 6.2 life expectancy is 72 hours.
• 100% - 900% increase of activity in the past year.
http://project.honeynet.org/papers/stats/
Hacker Goals and Motives
The motives of hackers vary as much as their tools. However, they often share the same goal: to compromise as many systems as possible.
• Elevate gang status.
• Launch Denial of Service.
• Web server defacement.
• Hopping point for IRC or other attacks.
A more realistic Honeynet
A variety of measures can be taken to make the Honeynets more realistic:
• Place production systems in the Honeynet.
• Subscribe user accounts to mailing lists.
• Add cron jobs to generate system activity.
• Place offline systems (previous production hosts) on the Honeynet.
* Not necessary for automated attacks such as auto-rooters and worms.
Beyond the Generation 1 Honeynet
Bulk scanners are often written by less sophisticated hackers and are used to aggressively probe the Internet searching for a specific vulnerability. The Generation 1 Honeynet did not host any production machines and unfortunately only saw this type of randomly targeted traffic.
Honeynet Research Alliance
• Honeynet Research Forum: a forum for organizations that are developing Honeynets to share ideas and experiences. This will also help ensure everyone is using the same definitions and requirements.
• Distributed Honeynets: one of the long-term goals of the Project is distributed Honeynets. This alliance has the potential for creating the infrastructure for distributed Honeynets.
Definitions, Standards, and Requirements
• Allows various organizations to independently research, develop, and deploy their own Honeynets using the same guidelines.
• Promotes sharing of ideas, experiences and findings using a closed mailing list.
http://project.honeynet.org/alliance/requirements.html
Generation 2 Design
Hogwash runs on top of Snort and acts like an inline Layer 2 firewall (no IP stack). Hogwash drops or modifies specific packets based on signature matches. In Generation 2 Honeynets, Hogwash will combine the Data Capture functionality of the Snort IDS and the Data Control functionality of the Check Point FW-1 used in Generation 1 onto one machine.
Generation 2 Data Collection
• Transmitting the captured data from sensors to the collector in a secure fashion, ensuring the confidentiality, integrity, and authenticity of the data.
• Organizations have the option of anonymizing the data.
• Distributed Honeynets are expected to standardize on NTP.
• The central collection point will have an active MySQL database for alert collection and archiving, which can then be queried.
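One way a sensor could prepare an alert record for the collector, written here as an added example rather than the alliance's actual protocol: the organization's own honeynet addresses are replaced with keyed pseudonyms (so records stay correlatable without disclosing the real hosts), and an HMAC-SHA256 tag gives the collector integrity and origin authenticity; confidentiality is left to the transport, and the MySQL archiving step is not shown. The keys, the honeynet range and the alert record are all assumed placeholders.

```python
import hmac, hashlib, json, ipaddress

# Assumed keys (placeholders); in practice per-sensor keys are distributed out of band.
AUTH_KEY = b"sensor-42-auth-key"
ANON_KEY = b"org-private-anonymization-key"
# Assumed address range of the organization's own honeynet (documentation space).
OWN_NET = ipaddress.ip_network("192.0.2.0/24")

def anonymize_ip(ip):
    """Replace an address inside OWN_NET with a stable keyed pseudonym; addresses
    outside it (the attackers) are passed through unchanged."""
    if ipaddress.ip_address(ip) in OWN_NET:
        tag = hmac.new(ANON_KEY, ip.encode(), hashlib.sha256).hexdigest()[:12]
        return f"anon-{tag}"
    return ip

def _canonical(body):
    # Deterministic serialization so sensor and collector MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(alert, sensor_id):
    """Sensor side: anonymize the local endpoints, stamp the sensor id and
    attach an HMAC-SHA256 tag over the canonical record."""
    body = {k: (anonymize_ip(v) if k in ("src", "dst") else v)
            for k, v in alert.items()}
    body["sensor"] = sensor_id
    mac = hmac.new(AUTH_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"alert": body, "mac": mac}

def verify(message):
    """Collector side: recompute the tag and accept the record only on a match
    (constant-time comparison), rejecting anything altered in transit."""
    expected = hmac.new(AUTH_KEY, _canonical(message["alert"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["mac"])

# Constructed Snort-style alert record (sample data, not a real capture).
SAMPLE_ALERT = {"ts": "2002-01-01T00:00:00Z", "sig": "WEB-MISC test probe",
                "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 80}
```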
The Honeynet Project
Website: http://project.honeynet.org
Email: email@example.com