1 / 22

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks

http://project.honeynet.org/misc/project.html. Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks. Ashish Gupta Network Security May 2004. Overview. Motivation What are Honeypots? Gen I and Gen II The GeorgiaTech Honeynet System Hardware/Software IDS

porchej
Download Presentation

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. http://project.honeynet.org/misc/project.html Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

  2. Overview • Motivation • What are Honeypots? • Gen I and Gen II • The GeorgiaTech Honeynet System • Hardware/Software • IDS • Logging and review • Some detected Exploitations • Worm exploits • Sage of the Warez Exploit • Words of Wisdom • Conclusions

  3. Why Honeynets ? An additional layer of security

  4. Security: A serious Problem Firewall IDS A Traffic Cop Problems: Internal Threats Virus Laden Programs Detection and Alert Problems: False Positives False Negatives

  5. The Security Problem Firewall IDS HoneyNets An additional layer of security

  6. Properties • Captures all inbound/outbound data • Standard production systems • Intended to be compromised • Data Capture • Stealth capturing • Storage location – away from the honeynet • Data control • Protect the network from honeynets

  7. Two types Gen I Gen II Good for simpler attacks Unsophisticated targets Limited Data Control Sophisticated Data Control : Stealth Fire-walling Gen I chosen

  8. GATech Honeynet System Huge network 4 TB data processing/day CONFIG Sub-standard systems Open Source Software Simple Firewall Data Control

  9. IDS Invisible SNORT Monitor Promiscuous mode Two SNORT Sessions Signature Analysis Monitoring Session 1 Packet Capture DATA CAPTURE Session 2

  10. Data Analysis SNORT DATA CAPTURE Requires human resources All packet logs stored One hour daily ! Ethereal used Forensic Analysis

  11. Detected Exploitations 16 compromises detected Worm attacks Hacker Attacks

  12. DETECTING WORM EXPLOITS Honey Net traffic is Suspicious Heuristic for worm detection:Frequent port scans Specific OS-vulnerability monitoring possible Captured traffic helps signature development

  13. SAGA of the WAREZ Hacker Helped locate a compromised host Honeynet Very difficult to detect otherwise ! IIS Exploit  Warez Server + Backdoor

  14. Words of Wisdom • Start small • Good relationships help • Focus on Internal attacks • Don’t advertise • Be prepared to spend time

  15. Conclusion • Helped locate compromised systems • Can boost IDS research • Data capture • Distributed Honey nets ? • Hunting down Honeypots • http://www.send-safe.com/honeypot-hunter.php

  16. Discussion • The usefulness of the extra layer ? • Dynamic HoneyNets • Comparison with IDS: are these a replacement or complementary ? IDS HONEY NET

  17. IDS vs HoneyNet • IDS – primary function is detection and alerting • Honeynets – use IDS to detect and alert – but nothing is done to control the threat • Primary intent is to log and capture effects and activities of the threat Honeynets do not protect the network – they have protection as a benefit, not intent

More Related