Emmanouil Vasilomanolakis
PhD Candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED); Collaborator, Networks Lab ISLAB, Institute of Informatics and Telecommunications (IIT), Demokritos. manolis@cased.de
Outline
• Introduction
• Classifications
• Deployment Architectures
• Open source vs. nothing
• Honeypots: SURFcert IDS & experiences from Demokritos
• Future work - ideas
4/21/2013 Telecooperation Group | CASED
Introduction
Definition: “A security resource whose value lies in being probed, attacked or compromised”
Doesn’t have to be a system: Honeytokens
We want to get compromised!
Certainly not a standalone security mechanism.
Why?
• FUN!
• No false-positives!
• Research: Malware analysis/reverse engineering
• Reducing available attack surface/early warning system
Honeypot Classifications
Low interaction: simulate network operations (usually at the TCP/IP stack)
[Medium interaction: simulate network operations (with more “sophisticated” ways)]
High interaction: real systems (e.g., VMs)
Other classifications:
• Purpose: Generic, Malware collectors, SSH, etc.
• Production – Research (not really useful)
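As an added illustration of the low-interaction class (example code written for this page, not code from the slides or from any honeypot listed later), a minimal Python listener that simulates a service only at the TCP layer: it answers with a decoy banner, records who connected and what they sent, and executes nothing. The banner string and the loopback self-test client in demo() are constructed for the example; the "no false positives" property follows from the fact that no legitimate client has a reason to talk to the decoy port.

```python
import socket
import threading
from datetime import datetime, timezone

BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"  # constructed decoy banner (hypothetical version)

def handle_client(conn, addr, events, max_bytes=256):
    """Answer with the decoy banner, record the first bytes sent, run nothing."""
    conn.settimeout(2.0)
    data = b""
    try:
        conn.sendall(BANNER)
        data = conn.recv(max_bytes)
    except (socket.timeout, OSError):
        pass  # a bare port scan may send nothing; the hit is still logged
    finally:
        conn.close()
    event = {"ts": datetime.now(timezone.utc).isoformat(),
             "src": "%s:%d" % addr, "payload": data.decode("latin-1")}
    events.append(event)  # nothing legitimate connects here: no false positives
    return event

def start_listener(host="127.0.0.1", port=0):
    """Bind the decoy port (0 = ephemeral, convenient for self-tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def accept_n(srv, n, events):
    """Handle n connections one after another, then close the listener."""
    try:
        for _ in range(n):
            handle_client(*srv.accept(), events)
    finally:
        srv.close()
    return events

def demo(payload=b"root:toor\r\n"):
    """Loopback self-test: a constructed client plays the scanner. Returns (banner, events)."""
    srv, events = start_listener(), []
    worker = threading.Thread(target=accept_n, args=(srv, 1, events), daemon=True)
    worker.start()
    with socket.create_connection(srv.getsockname(), timeout=2) as client:
        banner = client.recv(len(BANNER))
        client.sendall(payload)
    worker.join(timeout=5)
    return banner, events
```

Calling demo() returns the banner the client saw and a one-entry events list carrying the timestamp, the source address and the bytes the probe sent; a real deployment would run accept_n in a loop and ship the events to the collector.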
Honeypot Deployment Architectures
Open Source vs. nothing (really!)
Honeypot        Type     Language         GUI
Honeyd          Generic  C                N
Nepenthes       Malware  C                N
Dionaea         Malware  PYTHON           N
Honeytrap       Generic  C                N
LaBrea          Generic  C                N
Tiny HP         Generic  PERL             N
HoneyBot        Malware                   Y
Google Hack HP  WEB      PHP              Y
Multipot        Malware  VB 6             Y
Glastopf        WEB      PYTHON           Y
Kojoney         SSH      PYTHON           N
Kippo           SSH      PYTHON           N
Amun            Malware  PYTHON           N
Omnirova        Malware  Borland Delphi   Y
BillyGoat       Malware  ?                ?
Artemisa        VOIP     PYTHON           N
GHOST           USB      C                Y

OS: LINUX, LINUX, LINUX, LINUX, LINUX, LINUX, WINDOWS, WINDOWS, LINUX, LINUX, LINUX, WINDOWS, WINDOWS
License: GNU, GNU, GNU, GNU, GNU, GNU, CLOSED, GNU, GNU, GNU, GNU, BSD, GNU