Use of Honey-pots to Detect Exploited Systems Across Large
Enterprise Networks
Ashish Gupta
Network Security
May 2004
http://project.honeynet.org/misc/project.html
Overview
• Motivation
• What are Honeypots?
– Gen I and Gen II
• The GeorgiaTech Honeynet System
– Hardware/Software
– IDS
– Logging and review
• Some detected Exploitations
– Worm exploits
– Saga of the Warez Exploit
• Words of Wisdom
• Conclusions
Security: A Serious Problem
Firewall: a traffic cop
Problems:
– Internal threats
– Virus-laden programs
IDS: detection and alert
Problems:
– False positives
– False negatives
What are Honeypots?
• Captures all inbound/outbound data
• Standard production systems
• Intended to be compromised
• Data Capture
– Stealth capturing
– Storage location: away from the honeynet
• Data Control
– Protect the network from honeynets
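The data-control idea above (let everything in, but stop a compromised honeypot from being used as a launch point) can be shown as a small policy simulation. This is an added example, not code from the slides or from the Honeynet Project; the honeypot addresses, the per-window outbound limit and the connection records are all constructed.

```python
"""Outbound connection limiting as honeynet data control.

Added example, not from the slides. A Gen I honeynet protects the rest of
the network with a simple firewall rule: honeypots may accept anything
inbound, but may open only a small number of outbound connections per
window, after which new outbound connections are dropped. Any outbound
connection from a honeypot is also worth an alert, because an idle honeypot
has no reason to initiate one. Addresses, limit and records are constructed.
"""
from collections import defaultdict

HONEYNET = {"192.0.2.10", "192.0.2.11"}   # assumed honeypot addresses (RFC 5737 range)
OUTBOUND_LIMIT = 5                        # assumed new outbound connections per window
WINDOW_SECONDS = 3600                     # assumed window (one hour)

# Constructed connection attempts: (epoch_seconds, src, dst, dst port)
SAMPLE_CONNECTIONS = (
    [(1000, "198.51.100.5", "192.0.2.10", 80)]                            # inbound probe
    + [(1100 + i, "192.0.2.10", "203.0.113.9", 6667) for i in range(7)]  # compromised host -> IRC
    + [(1300, "192.0.2.11", "203.0.113.20", 80)]                          # outbound from 2nd honeypot
    + [(1000 + WINDOW_SECONDS + 10, "192.0.2.10", "203.0.113.9", 6667)]  # next window: counter resets
)


def apply_data_control(conns, honeynet=HONEYNET, limit=OUTBOUND_LIMIT,
                       window=WINDOW_SECONDS):
    """Return a list of (conn, verdict) with verdict "ACCEPT" or "DROP".

    Inbound traffic to the honeynet is always accepted (it is what we want to
    capture). Outbound connections from a honeypot are counted per window and
    dropped once the limit is reached.
    """
    outbound_count = defaultdict(int)   # (honeypot, window index) -> allowed so far
    decisions = []
    for conn in conns:
        ts, src, _dst, _dport = conn
        if src not in honeynet:
            decisions.append((conn, "ACCEPT"))
            continue
        key = (src, ts // window)
        if outbound_count[key] < limit:
            outbound_count[key] += 1
            decisions.append((conn, "ACCEPT"))
        else:
            decisions.append((conn, "DROP"))
    return decisions


def suspected_compromises(conns, honeynet=HONEYNET):
    """Honeypots that initiated any outbound connection at all."""
    return sorted({src for _ts, src, _dst, _dport in conns if src in honeynet})


if __name__ == "__main__":
    for (ts, src, dst, dport), verdict in apply_data_control(SAMPLE_CONNECTIONS):
        print(f"t={ts:5d} {src} -> {dst}:{dport} {verdict}")
    print("honeypots that called out:", suspected_compromises(SAMPLE_CONNECTIONS))
```

The limit is deliberately low: the point is to let an attacker do enough to be observed while keeping the honeynet from becoming a scanning or DoS source, which is exactly the trade-off a real firewall-based data control has to make.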
Two types: Gen I and Gen II
Gen I:
– Good for simpler attacks
– Unsophisticated targets
– Limited data control
Gen II:
– Sophisticated data control: stealth firewalling
Gen I chosen
GATech Honeynet System
• Huge network: 4 TB data processing/day
• Config: sub-standard systems, open source software
• Simple firewall data control
• IDS: invisible SNORT monitor in promiscuous mode
• Two SNORT sessions:
– Session 1: signature analysis (monitoring)
– Session 2: packet capture (data capture)
Data Analysis
• One hour daily!
• Requires human resources
• Forensic analysis
– SNORT data capture: all packet logs stored
– Ethereal used
Detecting Worm Exploits
• Honeynet traffic is suspicious
• Heuristic for worm detection: frequent port scans
• Specific OS-vulnerability monitoring possible
• Captured traffic helps signature development
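The port-scan heuristic above can be run over the stored packet logs offline. The following is an added example, not code from the slides or the GATech system; it applies the heuristic to constructed connection records, and the record format, thresholds and addresses are all assumptions. It goes slightly beyond the slide by separating a horizontal sweep (many hosts, one port, the typical worm pattern) from a vertical scan (one host, many ports).

```python
"""Port-scan heuristic for spotting worm propagation in honeynet captures.

Added example, not part of the original slides. Everything that reaches a
honeynet is suspicious by definition, so a source that touches many honeypots
on one port in a short window is a strong worm indicator. Record format,
thresholds and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 60     # assumed analysis window
HOST_THRESHOLD = 8      # distinct victims on one port -> horizontal sweep (assumed)
PORT_THRESHOLD = 10     # distinct ports on one victim -> vertical scan (assumed)

# Constructed records: "<ISO timestamp> <src> <dst> <dst port>", one per TCP SYN.
SAMPLE_LOG = (
    # a worm-like source sweeping port 445 across ten honeypot addresses
    [f"2004-05-01T10:00:{i:02d} 198.51.100.5 192.0.2.{i} 445" for i in range(1, 11)]
    # a scanner walking twelve ports on a single honeypot
    + [f"2004-05-01T10:05:{i:02d} 203.0.113.7 192.0.2.10 {20 + i}" for i in range(12)]
    # a source touching two honeypots on one port: below threshold, not reported
    + ["2004-05-01T10:07:00 198.51.100.9 192.0.2.10 80",
       "2004-05-01T10:07:01 198.51.100.9 192.0.2.11 80"]
)


def parse_records(lines):
    """Yield (epoch_seconds, src, dst, dport) from record lines; skip malformed ones."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            epoch = datetime.fromisoformat(ts).timestamp()
            yield int(epoch), src, dst, int(dport)
        except ValueError:
            continue


def detect_scans(records, window=WINDOW_SECONDS,
                 host_threshold=HOST_THRESHOLD, port_threshold=PORT_THRESHOLD):
    """Return a list of findings (src, kind, key, count).

    kind == "horizontal": src hit `count` distinct hosts on port `key` in one window
    kind == "vertical":   src hit `count` distinct ports on host `key` in one window
    """
    hosts_per_port = defaultdict(set)   # (src, window index, dport) -> {dst}
    ports_per_host = defaultdict(set)   # (src, window index, dst) -> {dport}
    for epoch, src, dst, dport in records:
        w = epoch // window
        hosts_per_port[(src, w, dport)].add(dst)
        ports_per_host[(src, w, dst)].add(dport)
    findings = []
    for (src, _w, dport), dsts in hosts_per_port.items():
        if len(dsts) >= host_threshold:
            findings.append((src, "horizontal", dport, len(dsts)))
    for (src, _w, dst), dports in ports_per_host.items():
        if len(dports) >= port_threshold:
            findings.append((src, "vertical", dst, len(dports)))
    return findings


def scan_report(lines=SAMPLE_LOG):
    """Convenience wrapper: parse then detect."""
    return detect_scans(parse_records(lines))


if __name__ == "__main__":
    for src, kind, key, count in scan_report():
        print(f"{src}: {kind} scan, {key}, {count} distinct targets")
```

Fixed time buckets are used for simplicity; a scan straddling a bucket boundary can be split and fall under threshold, so a production version would use a sliding window. Captured flows that trigger a finding are also the natural raw material for the signature development the slide mentions.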
Saga of the Warez Hacker
• Helped locate a compromised host
• Honeynet observed: IIS exploit -> Warez server + backdoor
• Very difficult to detect otherwise!
Words of Wisdom
• Start small
• Good relationships help
• Focus on Internal attacks
• Don’t advertise
• Be prepared to spend time
Conclusion
• Helped locate compromised systems
• Can boost IDS research
– Data capture
• Distributed Honey nets ?