Posted by : Unknown
Friday, July 26, 2013
HONEYPOT AND INTRUSION DETECTION
Abstract
The Internet has undoubtedly become the largest public data network in the world, enabling and facilitating both personal and business communications worldwide. Widespread use of the Internet has opened the door to an increasing number of security threats. Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity. Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense that monitors network traffic for predefined suspicious activity or patterns and alerts system administrators when potentially hostile traffic is detected. This paper deals with one such system, which uses 'honeypots' for intrusion detection.
The paper explains what a honeypot is and how it can help safeguard your network from internal intruders. A honeypot is a tool that can help protect a network from unauthorized access. It is a system designed specifically to look vulnerable so that an attacker thinks it is easy prey. Attackers who probe the machine find a system that is easy to attack and that they believe might contain sensitive information. On the back end, the system logs all the intruders' probes and attacks. A honeypot can lure attackers so that the administrator can study their methods of operation, and resource integrity tools can tell whether a user, or possibly an intruder, has altered files or other system resources.
Honeypots do not replace other traditional Internet security systems; they are an additional level or system. The goals behind setting up a honeypot, and the advantages and disadvantages of honeypot solutions, are also discussed.
Honeypots can be set up inside, outside, or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside a firewall for control purposes. In a sense, they are variants of standard intrusion detection systems (IDS) but with more of a focus on information gathering and deception. The paper also discusses the different levels or layers of tracking.
The honeypot solutions discussed in the paper explain how to build a honeypot and what features a honeypot should have. Some commercial honeypot systems are also discussed.
Introduction
With the current growth of the Internet and e-commerce, networks are becoming increasingly vulnerable to damaging attacks. At the same time, downtime of networks that carry critical business applications can result in production losses and directly affect a company's bottom line. The volume of traffic moving over the Internet and corporate networks is expanding exponentially every day as mobile workers, telecommuters, and branch offices use e-mail and the Internet to connect remotely to corporate networks. No individual, whether a non-computer user, a casual Internet surfer, or even a large enterprise, is immune to network security breaches. With proper planning, however, network security breaches can often be prevented. General fear and suspicion of computers still exists, and with that comes a distrust of the Internet. This distrust can limit the business opportunities for companies, especially those that are completely Web-based.
Simply put, an intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. An intrusion detection system, or IDS for short, attempts to detect an intruder breaking into the system or a legitimate user misusing system resources. The IDS runs constantly on the system, working away in the background, and only notifies the administrator when it detects something it considers suspicious or illegal.
There are two types of potential intruders: outside intruders and inside intruders. Despite the fact that most security measures are put in place to protect the inside from a malevolent outside world, most intrusion attempts actually occur from within an organization. A mechanism is needed to detect both types of intrusion: a break-in attempt from the outside, or a knowledgeable insider attack. An effective intrusion detection system detects both types of attack.
Several species of butterfly have developed "eyes" on their wings. These fool predators into thinking the butterfly is looking in a direction it isn't, and give them a "target" that isn't really there. (Big eyes suggest a big body behind them.)
Some forms of protection for computers follow the same principle: giving the illusion of common vulnerabilities, appearing to have a port active when it isn't, or even pretending to be an entire network just waiting to be port-scanned, none of it real. Since any activity on these "non-existent" ports or networks has to be from an intruder, it becomes trivial to identify when an attack is taking place, and much easier to identify which packets are from the intruder and which are innocent.
The world of computer hackers is a constant cat-and-mouse game between "white hats" and "black hats." Some white hats use "honeypots" to learn about their enemy. Honeypots look like normal Web servers to a black hat, but they are really traps with special software that allows white hats to track every step a computer vandal takes.
Topic Details
What is a honeypot?
Honeypot systems are decoy servers or systems set up to gather information about an attacker or intruder into your system. These are programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. A honeypot can be used to log access attempts to those ports, including the attacker's keystrokes.
A honeypot is a network server designed to trap would-be attackers before they invade the real servers and services. The honeypot contains no data or applications critical to the company but has enough interesting data to lure a hacker. It is a system designed to teach how black hats probe for and exploit a system.
The idea behind a honeypot is to set up a "decoy" system that has a non-hardened operating system, or one that appears to have several vulnerabilities, for easy access to its resources. The decoy system should be loaded with numerous fake files, directories, and other information that may look real. By making the honeypot appear to be a legitimate machine with legitimate files, it leads the hacker to believe that they have gained access to important information. With a little luck the intruder will stay around in an attempt to collect data while the honeypot collects information about the intruder and the source of his or her attack.
Ideally, honeypots provide an environment where intruders can be trapped, or vulnerabilities discovered, before an attack is made on real assets. Decoys are set up not to capture the bad guy but to monitor and learn from their moves: how they probe and exploit the system, and how those exploits can be prevented in production systems, all without the hacker detecting it.
How do honey pots work?
Honeypots work on the idea that all traffic to a honeypot should be deemed suspicious. As stated before, honeypots are generally based on a real server and a real operating system, with data that appears to be real. One of the main differences is the location of the machine in relation to the actual servers. The decoy machine is usually placed somewhere in the DMZ. This ensures that the internal network is not exposed to the hacker. Honeypots work by monitoring the intruder during their use of the honeypot. This can be done whether the attack came from the outside or the inside of the network, depending on the location of the decoy system. Honeypots are generally designed to audit the activity of an intruder, save log files, and record such events as processes started, compiles, file additions, deletions and changes, and even keystrokes. By collecting such data the honeypot works to improve a corporation's overall security system. If enough data is collected, it may be used to prosecute in serious situations. In cases where you do not wish to prosecute, the data collected can be used to measure the skill level of hackers, their intent, and in some cases even their identity. All in all, the honeypot helps a company prepare for attacks and respond to them by learning from the information gathered.
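The two passages above describe a honeypot as a program that simulates a service on a designated port and logs every access attempt, including the attacker's keystrokes. The listener below is an added example (not code from the paper or from any product it names) of that low-interaction design: it serves a fake SMTP-style banner, never interprets what the client sends, and writes one log line per session. The banner text, bind port and log file name are assumed values.

```python
import socket
import threading
from datetime import datetime, timezone

# Assumed values (not from the paper): the decoy banner and the bind address.
FAKE_BANNER = b"220 mail.example-corp.internal ESMTP ready\r\n"
BIND_HOST, BIND_PORT = "0.0.0.0", 2525


def build_record(peer, received, when):
    """Turn one session into a structured record.

    Every connection is an event, even one that sends nothing: all traffic to
    a honeypot is suspect by definition.  Control characters are escaped so the
    captured "keystrokes" fit on a single log line.
    """
    text = received.decode("utf-8", errors="replace")
    text = text.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")
    return {
        "time": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(received),
        "keystrokes": text,
    }


def format_record(rec):
    """One syslog-style line per session: easy to grep, archive or forward."""
    return (f"{rec['time']} honeypot session src={rec['src_ip']}:{rec['src_port']} "
            f"bytes={rec['bytes']} data=\"{rec['keystrokes']}\"")


def handle_client(conn, peer, log_path):
    """Serve the banner, capture what the client sends, and log it.

    Nothing the client sends is interpreted or executed; the decoy only
    replies with the banner and a canned goodbye, then records the session.
    """
    received = b""
    conn.settimeout(10.0)
    try:
        conn.sendall(FAKE_BANNER)
        while len(received) < 4096:          # cap the capture per session
            chunk = conn.recv(1024)
            if not chunk:
                break
            received += chunk
            if b"QUIT" in received.upper():  # close the way a real server would
                conn.sendall(b"221 Bye\r\n")
                break
    except (socket.timeout, OSError):
        pass                                 # a dropped connection is still logged
    finally:
        conn.close()
    rec = build_record(peer, received, datetime.now(timezone.utc))
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(format_record(rec) + "\n")
    return rec


def serve(host=BIND_HOST, port=BIND_PORT, log_path="honeypot_sessions.log"):
    """Accept connections forever; one thread per session so a scan cannot block it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        print(f"decoy listening on {host}:{port}, logging to {log_path}")
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_client, args=(conn, peer, log_path),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the decoy holds no real service, every line the log file accumulates is by construction a probe of a port nobody legitimate should be touching.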
Classification of Honeypots
Honeypots can be broken up into two broad categories: "production" and "research". The purpose of a production honeypot is to help mitigate risk in an organization; it adds value to the organization's security measures. The second category, research, consists of honeypots designed to gain information on the blackhat community. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face and how to better protect against them; this information is then used to protect against those threats.
Honeypots can also be categorized as hardware-based and software-based honeypots. Hardware-based honeypots are servers, switches or routers that have been partially disabled and made attractive with commonly known misconfigurations. They sit on the internal network, serving no purpose but to look real to outsiders. The operating system of each box, however, has been subtly disabled with tweaks that prevent hackers from really taking it over or using it to launch new attacks on other servers.
Software emulation honeypots, on the other hand, are elaborate deception programs that mimic real Linux or other servers and can run on machines as low-powered as a 233-MHz PC. Since an intruder is just dancing with a software decoy, at no time does he come close to actually seizing control of the hardware, no matter what the fake prompts seem to indicate. Even if the hacker figures out that it's a software honeypot, the box on which it's running should be so secure or isolated that he couldn't do anything but leave anyway.
Levels or Layers of tracking
Honeypots can be set up inside, outside, or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside a firewall for control purposes. In a sense, they are variants of standard intrusion detection systems (IDS) but with more of a focus on information gathering and deception.
Many firewalls allow you to place a network in the demilitarized zone (DMZ). This is a network added between an internal network and an external network in order to provide an additional layer of security. Sometimes it is also called a perimeter network. The other option is to place the honeypot on a separate, dedicated Internet connection. Ideally, all traffic to and from the honeypot should also be routed through its own dedicated firewall.
The information provided on an intruder depends on the levels of tracking that you’ve enabled on your Honey Pot. Common tracking levels include the firewall, system logs on the Honey Pot and sniffer-based tools.
Firewall Logs
Firewalls offer the outermost layer of protection for a network, providing a basic barrier and restricting points of access. Firewalls are useful as part of the overall honeypot design for many reasons. Most firewalls provide activity-logging capabilities, which can be used to identify how an intruder is attempting to get into a honeypot. Reviewing the order, sequence, time stamps and type of packets used by an intruder to gain access to your honeypot will help you identify the tools and methodology being used by the intruder and their intentions. Most firewalls can be configured to send alerts by email or pager to notify you of traffic going to or from your honeypot. This can be extremely useful in letting you review intruder activity while it's happening.
System Logs
Unix and Microsoft NT seem to have the lion's share of the Internet server market, and both have logging capabilities built into the operating system that help identify what changes or attempts have been made. There are also several tools available that greatly increase the information that can be gathered. Many of the Unix tools are public domain, while many of the Microsoft NT tools are not.
Sniffer Tools
Sniffer tools provide the capability of seeing all of the information or packets going between the firewall and the honeypot system. Using a sniffer tool allows you to interrogate packets in much more detail than firewall or system logging alone, to determine which methods the intruder is trying to use. An additional benefit of sniffer tools is that they can also create and store log files. The log files can then be kept and used for forensic purposes.
Setting Up a Honeypot
Implementation of a honeypot solution as part of a security system first involves the decision of whether to purchase a commercial solution or to develop your own. A honeypot system is set up to be easier prey for intruders than true production systems, but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered, and additional attempts at file, security and system access on the honeypot can be monitored and saved.
Building a Honey Pot
There is a variety of public domain tools and software available that can be useful to help you set up a honeypot. 'Set up a server and fill it with tempting files. Make it hard but not impossible to break into. Then sit back and wait for the crackers to show up. Observe them as they cavort around in the server. Log their conversations with each other. Study them like you'd watch insects under a magnifying glass.' That's the basic concept behind honeypots, systems that are set up specifically so that security experts can secretly observe crackers in their natural habitats.
When setting up a honeypot, certain goals have to be considered. Those goals are:
1. The honeypot system should appear as generic as possible.
2. You need to be careful in what traffic you allow the intruder to send back out to the Internet, for you don't want to become a launch point for attacks against other entities on the Internet. (One of the reasons for installing a honeypot inside of the firewall!)
You will want to make your honeypot an interesting site by placing "dummy" information on it, or make it appear as though the intruder has found an "Intranet" server, etc. Expect to spend some time making your honeypot appear legitimate, so that intruders will spend enough time investigating and perusing the system that you are able to gather as much forensic information as possible.
Any enterprise firewall package will be sufficient for building a honeypot system. However, when setting up this firewall, you'll want to reverse your normal rules. The goal is to allow all inbound traffic and restrict outbound traffic to the bare minimum, that is, outbound ICMP, DNS, and Telnet/FTP to a non-compromised IP address. If all outbound services are closed, intruders will lose interest and attack elsewhere.
Commercial Honey Pot Systems
There are a variety of commercial honeypot systems available. The operating systems most widely supported are Microsoft NT and Unix. Some of the commercial honeypot systems available are:
Deception ToolKit (DTK)
It is a toolkit designed to give defenders a couple of orders of magnitude advantage over attackers.
The basic idea is not new. We use deception to counter attacks. In the case of DTK, the deception is intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities. DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system that is vulnerable to the attacker's method. This has a few interesting side effects:
· It increases the attacker's workload because they can't easily tell which of their attack attempts work and which fail.
· It allows us to track attacker attempts at entry and respond before they come across a vulnerability we are susceptible to.
· It sours the milk, so to speak. If one person uses DTK, they can see attacks coming well ahead of time. If a few others start using it, we will probably exhaust the attackers and they will go somewhere else to run their attacks. If a lot of people use DTK, the attackers will find that they need to spend 100 times the effort to break into systems and that they have a high risk of detection well before their attempts succeed.
· If enough people adopt DTK and work together to keep its deceptions up to date, we will eliminate all but the most sophisticated attackers, and all the copy-cat attacks will be detected soon after they are released to the wider hacking community. This will not only sour the milk, it will also up the ante for would-be copy-cat attackers and, as a side effect, reduce the "noise" level of attacks to allow us to more clearly see the more serious attackers and track them down.
· If DTK becomes very widespread, one of DTK's key deceptions will become very effective. This deception is port 365, which we have staked a claim for as the deception port. Port 365 indicates whether the machine you are attempting to connect to is running a deception defense. Naturally, attackers who wish to avoid deceptive defenses will check there first, and eventually, simply running the deceptive defense notifier will be adequate to eliminate many of the attackers. Of course some of us defenders will not turn on the deception announcement message, so we can track new attack attempts by those who avoid deceptive defenses, so... the attacker's level of uncertainty rises, and the information world becomes a safer place to work.
FakeBO
This program fakes trojan servers and logs every attempt from a client. It is possible to log attempts to a file, stdout, stderr or syslog. It can send fake pings and replies back to the trojan client. The trojans supported are Back Orifice (BO) and NetBus.
CyberCop Sting by Network Associates
This product is designed to run on Windows NT and is able to emulate several different systems, including Linux, Solaris, Cisco IOS, and NT. It is made to appeal to hackers by looking as if it has several well-known vulnerabilities.
BackOfficer Friendly by NFR
This product is designed to emulate a Back Orifice server.
Tripwire
This product is for use on NT and Unix machines and is designed to compare binaries and inform the server operator which have been altered. This helps protect machines from would-be hackers and is an excellent way to determine if a system has been compromised.
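The Tripwire description above (and the abstract's mention of resource integrity tools) comes down to one mechanism: record a digest of every file while the system is known-good, then later re-hash and report what changed. The script below is an added example of that baseline-and-compare check, not Tripwire's own code; the sample tree it builds in `demo()` is constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root.

    Paths are stored relative to root so the same baseline can be checked
    against a mounted copy; keep the baseline file itself off the monitored
    host, otherwise an intruder can simply regenerate it.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # hash targets, not links
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": hash_file(full), "size": st.st_size,
                             "mode": oct(st.st_mode & 0o7777)}
    return baseline


def compare(baseline, current):
    """Report files added, removed or altered (content or mode) since the baseline."""
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "modified": sorted(p for p in known & now if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"original login binary")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)
        # Simulated tampering after the baseline: one binary altered,
        # one new file dropped, one file deleted.
        with open(os.path.join(root, "bin", "login"), "ab") as fh:
            fh.write(b"\x00extra bytes")
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"new file")
        os.remove(os.path.join(root, "passwd"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run against a real tree, `build_baseline` is taken once from a trusted state and `compare` is run on a schedule, with any non-empty report treated as a sign the machine may have been compromised.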
Value of Honeypots
Honeypots have certain advantages (and disadvantages) as security tools. It is the advantages that help define the value of a honeypot. The beauty of a honeypot lies in its simplicity. It is a device intended to be compromised, not to provide production services. This means there is little or no production traffic going to or from the device. Any time a connection is sent to the honeypot, this is most likely a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As there is little production traffic going to or from the honeypot, all honeypot traffic is suspect by nature. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity.
Because of this simplistic model, honeypots have certain inherent advantages and disadvantages. Some of them are:
1. Advantage - Data Collection
Honeypots collect very little data, and what they do collect is normally of high value. This cuts the noise level down, making it much easier to collect and archive data. One of the greatest problems in security is wading through gigabytes of data to find the data you need. Honeypots can give you exactly the information you need in a quick and easy-to-understand format.
2. Advantage - Resources
Many security tools can be overwhelmed by bandwidth or activity. Network intrusion detection devices may not be able to keep up with network activity, dropping packets and potentially missing attacks. Centralized log servers may not be able to collect all the system events, potentially dropping some. Honeypots do not have this problem; they only capture that which comes to them.
1. Disadvantage - Single Data Point
Honeypots all share one huge drawback: they are worthless if no one attacks them. Yes, they can accomplish wonderful things, but if the attacker does not send any packets to the honeypot, the honeypot will be blissfully unaware of any unauthorized activity.
2. Disadvantage - Risk
Honeypots can introduce risk to your environment. As we discuss later, different honeypots have different levels of risk. Some introduce very little risk, while others give the attacker entire platforms from which to launch new attacks. Risk is variable, depending on how one builds and deploys the honeypot.
Honeynet Project
A honeypot is easy enough to build, but if an experienced cracker succeeds in compromising it, he could use it to launch other attacks. A safer option might be to create an entire network of honeypots, such as the Honeynet. We call it a 'honeynet' because it's not a single system; it's actually a network of honeypots, full of real hardware, including Cisco switches and Windows NT, Linux and Solaris boxes, all partially disabled.
The Honeynet Project, a group of 30 researchers from academia and the commercial sector, is trying to change that. The group obtains information through the use of a Honeynet, a computer network on the Internet that's designed to be compromised. The network is made up of various production systems complete with sensors, as well as a suitably enticing name and content. (The actual IP address changes regularly and isn't published.) Hackers' actions are recorded as they happen: how the culprits try to break in, when they're successful and what they do when they succeed.
A Honeynet is a type of honeypot designed specifically for research. A Honeynet is different from traditional honeypots; it is what we would categorize as a research honeypot. This does not make it a better solution than traditional honeypots; it merely has a different purpose. Instead of its value being detecting or deceiving attackers, its value is gaining information on threats. The two biggest design differences from a classic honeypot are:
· It is not a single system but a network of multiple systems. This network sits behind an access control device where all inbound and outbound data is controlled and captured. This captured information is then analyzed to learn the tools, tactics, and motives of the blackhat community. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, Cisco router, Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server, a Windows IIS webserver, and a Solaris database server, we can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications, or vulnerabilities. By having a variety of operating systems and applications, we are able to accurately profile specific blackhat trends and signatures.
· All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated, nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet.
Conceptually, Honeynets are a simple mechanism. We create a network similar to a fishbowl, where we can see everything that happens inside it. Similar to fish in a fishbowl, we can watch and monitor attackers in our network. Also, just like a fishbowl, we can put almost anything in there we want. This controlled network becomes our Honeynet. The captured activity teaches us the tools, tactics, and motives of the blackhat community.
Like all honeypots, the Honeynet solves the problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to be used for production traffic. Any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack, or other malicious activity. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised: an attacker has initiated a connection from his newly hacked computer and is now going out to the Internet. This concept of no production traffic greatly simplifies the data capture and analysis.
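The "Value of Honeypots" section, the firewall-rule advice under "Building a Honey Pot" (allow inbound, permit only ICMP, DNS and Telnet/FTP out to one non-compromised address) and the paragraph above all reduce to one detection rule: a connection to the honeypot is a probe, and a connection from it is a sign of compromise unless it is one of the few deliberately permitted outbound flows. The classifier below is an added example of that logic run over constructed firewall log lines; it is not from the paper or any product it names, and the log format, honeypot address (192.0.2.10) and permitted-destination address (192.0.2.1) are assumptions.

```python
import re
from collections import Counter

# Assumed (constructed) addresses: the decoy and the one host it may reach out to.
HONEYPOT_IP = "192.0.2.10"
SAFE_IP = "192.0.2.1"
# The paper's reversed firewall policy: outbound ICMP, DNS, Telnet and FTP to
# the safe host only.  dport None means "no port" (ICMP).
ALLOWED_OUTBOUND = {("icmp", None, SAFE_IP), ("udp", 53, SAFE_IP),
                    ("tcp", 23, SAFE_IP), ("tcp", 21, SAFE_IP)}

# Assumed firewall log format, one event per line.
LINE_RE = re.compile(
    r"(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))? action=(?P<action>\w+)$")


def parse_line(line):
    """Return the event fields as a dict, or None for a line we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"]) if ev["sport"] else None
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def classify(ev, honeypot_ip=HONEYPOT_IP, allowed=ALLOWED_OUTBOUND):
    """Apply the honeypot rule to one event.

    Inbound to the decoy: a probe, whatever the firewall did with it.
    Outbound from the decoy: compromise, unless it is a permitted housekeeping
    flow (still worth recording, since the attacker may be using it).
    Anything else is production traffic and not the honeypot's concern.
    """
    if ev["dst"] == honeypot_ip:
        return "probe"
    if ev["src"] == honeypot_ip:
        if (ev["proto"], ev["dport"], ev["dst"]) in allowed:
            return "allowed-outbound"
        return "compromise"
    return None


def analyze(lines, honeypot_ip=HONEYPOT_IP, allowed=ALLOWED_OUTBOUND):
    """Run the classifier over raw log lines; returns (verdict, ts, src, dst, proto, dport)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev, honeypot_ip, allowed)
        if verdict:
            alerts.append((verdict, ev["ts"], ev["src"], ev["dst"], ev["proto"], ev["dport"]))
    return alerts


def summarize(alerts):
    """Count verdicts; a single 'compromise' is the line that should page someone."""
    return Counter(verdict for verdict, *_ in alerts)


# Constructed sample: two inbound probes, a permitted DNS lookup and ICMP echo,
# one unexpected outbound connection, one unrelated production flow, one bad line.
SAMPLE_LOG = [
    "2013-07-26T10:02:11Z proto=tcp src=198.51.100.7:51234 dst=192.0.2.10:22 action=ACCEPT",
    "2013-07-26T10:02:12Z proto=tcp src=198.51.100.7:51235 dst=192.0.2.10:80 action=ACCEPT",
    "2013-07-26T10:05:40Z proto=udp src=192.0.2.10:40122 dst=192.0.2.1:53 action=ACCEPT",
    "2013-07-26T10:06:02Z proto=tcp src=192.0.2.10:40123 dst=203.0.113.9:443 action=DROP",
    "2013-07-26T10:06:30Z proto=icmp src=192.0.2.10 dst=192.0.2.1 action=ACCEPT",
    "2013-07-26T10:07:00Z proto=tcp src=10.0.0.5:50000 dst=192.0.2.20:443 action=ACCEPT",
    "malformed line the parser should skip",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(dict(summarize(found)))
```

Note that the outbound 443 attempt is flagged even though the firewall dropped it: the paper's point is that the decoy initiating any unpermitted connection is itself the evidence, not whether the connection got through.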
Over the past several years the Honeynet Project has been dedicated to learning the tools, tactics, and motives of the blackhat community and sharing the lessons learned. The primary tool used to gather this information is the Honeynet.
Honeynets (also called honeypots) are a new tool in computer security for luring and containing a hacker. Like a surveillance camera, the honeypot allows you to observe hacker behaviour and captures every action a hacker takes. Using real examples of compromised systems, this volume shows how the bad guys accomplish what they do, teaches the technical skills to properly study an attack, and shows how to learn from it. It explains how to build and maintain a honeynet.
Conclusion
A honeypot is just a tool. How you use that tool is up to you. There are a variety of honeypot options, each having different value to organizations. We have categorized two types of honeypots: production and research. Production honeypots help reduce risk in an organization. While they do little for prevention, they can greatly contribute to detection or reaction. Research honeypots are different in that they are not used to protect a specific organization. Instead they are used as a research tool to study and identify the threats in the Internet community. Regardless of what type of honeypot you use, keep in mind the 'level of interaction'. This means that the more your honeypot can do and the more you can learn from it, the more risk potentially exists. You will have to determine the best relationship of risk to capabilities for you. Honeypots will not solve an organization's security problems. Only best practices can do that. However, honeypots may be a tool that helps contribute to those best practices. Honeypots can act as decoys and can keep intruders away from your other systems.
While not a network security panacea, deception is another option for the security-conscious organization, especially for monitoring insider threats. Honeynets and honeypots are best used to track, trap and trace crackers who have already entered a particular system.