• Home

  • Documents

  • Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network...
18
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004 http://project.honeynet.org/misc/p roject.html

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

  • View
    224

  • Download
    0

Tags:

Embed Size (px)

Citation preview

Page 1: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Use of Honey-pots to Detect Exploited Systems Across Large

Enterprise Networks

Ashish Gupta

Network Security

May 2004

http://project.honeynet.org/misc/project.html

http://project.honeynet.org/misc/project.html
Page 2: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Overview

• Motivation• What are Honeypots?

– Gen I and Gen II

• The GeorgiaTech Honeynet System– Hardware/Software– IDS– Logging and review

• Some detected Exploitations– Worm exploits– Sage of the Warez Exploit

• Words of Wisdom• Conclusions

Page 3: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Why Honeynets ?

An additional layer of security

Page 4: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Security: A serious Problem

Firewall IDS

A Traffic Cop

Problems:

Internal Threats

Virus Laden Programs

Detection and Alert

Problems:

False Positives

False Negatives

Page 5: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

The Security Problem

Firewall IDS

HoneyNets

An additional layer of security

Page 6: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

• Captures all inbound/outbound data

• Standard production systems

• Intended to be compromised

• Data Capture– Stealth capturing– Storage location – away from the honeynet

• Data control– Protect the network from honeynets

Page 7: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Two types

Gen I Gen II

Good for simpler attacks

Unsophisticated targets

Limited Data Control

Sophisticated Data Control : Stealth Fire-walling

Gen I chosen

Page 8: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
Page 9: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

GATech Honeynet System

Huge network

4 TB data processing/day

CONFIG Sub-standard systems

Open Source Software

Simple Firewall Data Control

Page 10: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

IDSInvisible SNORT Monitor

Promiscuous mode

Two SNORT Sessions

Session 1 Signature Analysis Monitoring

Session 2 Packet Capture DATA CAPTURE

Page 11: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
Page 12: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Data Analysis

One hour daily !

Requires human resources

Forensic Analysis

SNORT DATA CAPTURE

All packet logs stored

Ethereal used

Page 13: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Detected Exploitations

16 compromises detected

Worm attacks Hacker Attacks

Page 14: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Honey Net traffic is Suspicious

Heuristic for worm detection:Frequent port scans

Specific OS-vulnerability monitoring possible

Captured traffic helps signature development

DETECTING WORM EXPLOITS

Page 15: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

SAGA of the WAREZ Hacker

Helped locate a compromised host

Honeynet

IIS Exploit Warez Server

+ Backdoor

Very difficult to detect otherwise !

Page 16: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Words of Wisdom

• Start small

• Good relationships help

• Focus on Internal attacks

• Don’t advertise

• Be prepared to spend time

Page 17: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Conclusion

• Helped locate compromised systems

• Can boost IDS research– Data capture

• Distributed Honey nets ?

Page 18: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Discussion

• The usefulness of the extra layer ?

• Dynamic HoneyNets

• Comparison with IDS: are these a replacement or complementary ?

HONEYNET

IDS


SUBSTRATE POTS - SUBSTRATE TROUGHS ......3 A complete range of substrate pots with various content volumes for any crop. Mul-ti-use pots, light-weight one-off pots, large volume pots,

SUBSTRATE POTS - SUBSTRATE TROUGHS ......3 A complete range of substrate pots with various content volumes for any crop. Mul-ti-use pots, light-weight one-off pots, large volume pots,

Documents
EXPLOITED DREAMS:

EXPLOITED DREAMS:

Documents
Pots Awareness

Pots Awareness

Health & Medicine
POTS & PABX

POTS & PABX

Documents
MAKING POTS

MAKING POTS

Documents
08 ZIGBEE EXPLOITED

08 ZIGBEE EXPLOITED

Documents
POTS ATALOGUE

POTS ATALOGUE

Documents
Pots & Plants

Pots & Plants

Documents
Standard Pots

Standard Pots

Documents
Ashish Kamra, Elisa Bertino Purdue University Presenter: Ashish Kundu 1

Ashish Kamra, Elisa Bertino Purdue University Presenter: Ashish Kundu 1

Documents
Chimeny Pots

Chimeny Pots

Technology
ASHISH

ASHISH

Documents
pots carton

pots carton

Documents
ashish malhotra

ashish malhotra

News & Politics
Segregated & Exploited

Segregated & Exploited

Documents
Ashish Karamchandani

Ashish Karamchandani

Documents
Ashish Ppt

Ashish Ppt

Documents
Ashish amritsar

Ashish amritsar

Spiritual
Honey pots

Honey pots

Technology
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks

Documents
Fifty Pots

Fifty Pots

Entertainment & Humor
Coil Pots!

Coil Pots!

Documents
Pinch Pots

Pinch Pots

Documents
Melting pots

Melting pots

Education
ExploitEd labour

ExploitEd labour

Documents
LITTLE POTS

LITTLE POTS

Documents
POTS - pbx

POTS - pbx

Documents
186 ashish

186 ashish

Technology
Pots Management

Pots Management

Technology
Macetas / Pots

Macetas / Pots

Documents