CHAPTER ONE
1.1. INTRODUCTION
In the era of information and technology, computer security is a topic that advances swiftly. Over the past few years, as the number of interconnected systems has rapidly increased, the threat landscape has evolved just as fast. As complex attacks on computer networks have become more frequent, demand has grown for improved early-warning detection solutions and better countermeasures that prevent adversaries from gaining access to computer systems. The traditional approach to information security has been defensive throughout the years, but new, more aggressive strategies are appearing to supplement the existing methods. The current state-of-the-art solution involves the use of various honeypots, typically grouped into honeynets or honeyfarms, which aim to help security experts learn from attacks and improve the security of their systems.
The aim of this thesis is to introduce the reader to the world of honeypots, present an overview of the functionalities such systems provide and explain the concepts behind them. Furthermore, this paper will describe the implementation process of a standalone honeypot software solution created in the scope of this work. The honeypot framework will supplement the current solutions and add new features to the existing Honeyd design. The improvements aim to modernize Honeyd's model by providing new logging capabilities, easier deployment methods and enhancing its proxy functionality.
1.2. BACKGROUND OF THE STUDY
Today's world
increasingly relies on computer networks. The use of network resources is
growing and network infrastructures are gaining in size and complexity. This
increase is followed by a rising volume of security problems. New threats and
vulnerabilities are found every day, and computers are far from being secure.
In the first half of 2008, 3,534 vulnerabilities were disclosed by vendors,
researchers and independents [42]. Between 8 and 16% of these vulnerabilities
were exploited the day they were released by malicious programs [42]. The
consequences affect users and companies at critical levels, from privacy issues
to financial losses [68].
To address this
concern, network operators and security researchers have developed and deployed
a variety of solutions. The goal of these solutions is two-fold: first to
monitor, and second to protect network assets. Monitoring allows researchers to
understand the different threats. Data are being collected to better
characterize and quantify malicious activity. The goal of this dissertation is
to introduce an innovative framework to better measure malicious threats in the
organization network. The framework is based on a flexible hybrid honeypot
architecture that we integrate with the organization network using network
flows.
Honeyd was a widely
used honeypot, but since its maintenance has been neglected, its popularity has
decreased. Honeyd is capable of simulating an arbitrary network topology and
deceiving attackers by emulating services that appear legitimate to popular
scanning and fingerprinting tools such as Nmap. Honeyd can also play the role
of a proxy, which allows the honeypot to forward network connections to a
different machine.
Honeyd achieves this by acting as a man-in-the-middle, but as a result attacker-related information is lost in transit and, from the target machine's point of view, the attack originates from the Honeyd server. The primary goal of this thesis is to develop a honeypot that provides the core functionalities of Honeyd tailored to current security trends. Another intention of the thesis is to improve the proxy functionality and logging capabilities of Honeyd.
In our honeypot solution, we address the issue of losing attack-related information and propose a method to ensure that information about the source of the attacks is properly transferred to the target host. Honeyd logs attempted and completed connections for all protocols, and additional information can be gathered from the emulated services. The obtained information is stored on the system using Syslog. Our implementation extends the basic logging capabilities by adding support for local and remote database logging and for logging through the HPfeeds protocol, a lightweight publish-subscribe protocol for data exchange.
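The information loss described above, and one way a relay can carry the origin through to the target, as an added illustration (not code from the thesis or from Honeyd): it assumes the honeypot relay prepends a HAProxy PROXY protocol v1 line to the forwarded stream (the thesis does not name its method), and the target-side parser validates every field before trusting it in a log entry.

```python
import ipaddress

MAX_V1_LINE = 107  # longest legal PROXY v1 line, CRLF included

def proxy_v1_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Relay side: describe the attacker's real endpoint in a PROXY protocol v1 line
    that is sent ahead of the forwarded bytes, so the origin survives the relay."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    if not (0 < src_port < 65536 and 0 < dst_port < 65536):
        raise ValueError("bad port")
    fam = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")

def parse_proxy_v1(data: bytes):
    """Target side: return (origin dict, remaining payload). Every field is validated
    so a garbled or forged line cannot plant a bogus origin in the target's logs."""
    end = data.find(b"\r\n")
    if not data.startswith(b"PROXY ") or end < 0 or end + 2 > MAX_V1_LINE:
        raise ValueError("missing or malformed PROXY header")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY header")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 < sport < 65536 and 0 < dport < 65536):
        raise ValueError("bad port")
    origin = {"src_ip": str(src), "src_port": sport, "dst_ip": str(dst), "dst_port": dport}
    return origin, data[end + 2:]

def target_log_entry(peer: tuple, data: bytes) -> dict:
    """What the target host can record. `peer` is the TCP peer address it sees, which
    after a plain Honeyd-style relay is the honeypot, not the attacker."""
    if not data.startswith(b"PROXY "):
        # Plain relay: the attacker's address is gone, only the relay's is loggable.
        return {"logged_src": peer[0], "relay": None, "payload": data}
    origin, payload = parse_proxy_v1(data)  # malformed header raises: drop the connection
    return {"logged_src": origin["src_ip"], "src_port": origin["src_port"],
            "relay": peer[0], "payload": payload}
```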
Nowadays HPfeeds is one of the most common methods of gathering logs from honeypots. To address the problem of difficult and time-consuming deployment and management procedures for honeypots, our solution leverages the Modern Honey Network utility, which allows automated deployment, configuration, and management of honeypots. The Modern Honey Network also supports storage, HPfeeds logging and real-time visualization of attack-related data.
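The HPfeeds transport referred to in the two paragraphs above, as an added example that is not code from the thesis, Honeyd or the Modern Honey Network project: a minimal encoder/decoder for the HPfeeds v1 framing (4-byte big-endian length that includes the header, 1-byte opcode, 1-byte-length-prefixed ident and channel strings, and an OP_AUTH reply of sha1(nonce + secret) to the broker's OP_INFO nonce). The MAX_FRAME bound, the ident, channel and event fields are constructed values.

```python
import hashlib
import hmac
import json
import struct

OP_INFO, OP_AUTH, OP_PUBLISH = 1, 2, 3   # HPfeeds opcodes (OP_ERROR = 0, OP_SUBSCRIBE = 4)
MAX_FRAME = 1 << 20                       # assumed bound: a reader refuses absurd length fields

def _str8(s: bytes) -> bytes:
    """HPfeeds string: 1-byte length prefix, so ident/channel names are under 256 bytes."""
    if len(s) > 255:
        raise ValueError("field too long for 1-byte length prefix")
    return struct.pack("!B", len(s)) + s

def frame(op: int, body: bytes) -> bytes:
    """4-byte big-endian total length (header included) + 1-byte opcode + body."""
    return struct.pack("!IB", 5 + len(body), op) + body

def msg_auth(ident: bytes, secret: bytes, nonce: bytes) -> bytes:
    """Client reply to the broker's OP_INFO nonce: sha1(nonce + secret) proves the secret."""
    return frame(OP_AUTH, _str8(ident) + hashlib.sha1(nonce + secret).digest())

def msg_publish(ident: bytes, channel: bytes, event: dict) -> bytes:
    return frame(OP_PUBLISH, _str8(ident) + _str8(channel) + json.dumps(event).encode())

def parse_frame(buf: bytes):
    """Decode one frame from a stream buffer: (op, fields, unconsumed) or None if incomplete."""
    if len(buf) < 5:
        return None
    length, op = struct.unpack("!IB", buf[:5])
    if length < 5 or length > MAX_FRAME:
        raise ValueError("bad frame length %d" % length)
    if len(buf) < length:
        return None                        # wait for more bytes
    body, rest = buf[5:length], buf[length:]
    if op == OP_PUBLISH:
        n = body[0]; ident, body = body[1:1 + n], body[1 + n:]
        n = body[0]; chan, payload = body[1:1 + n], body[1 + n:]
        return op, (ident, chan, json.loads(payload)), rest
    return op, (body,), rest

def broker_check_auth(auth_body: bytes, nonce: bytes, secrets: dict) -> bool:
    """Broker side: look up the ident, recompute the digest, compare in constant time."""
    n = auth_body[0]
    ident, digest = auth_body[1:1 + n], auth_body[1 + n:]
    secret = secrets.get(ident)
    if secret is None:
        return False
    return hmac.compare_digest(hashlib.sha1(nonce + secret).digest(), digest)
```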
Our honeypot also implements
a web server that provides statistical information about the attacks on the
network. The thesis aims to familiarize the reader with the basic theory of
honeypots and document the development process of the solution. An additional
aspect of this work is to discuss the expediency of the realized improvements
with members of the National Cyber Security Centre (NCSC).
1.3. AIMS AND OBJECTIVES
The aim of this thesis is to introduce the reader to the world of honeypots, present an overview of the functionalities such systems provide and explain the concepts behind them. Furthermore, this paper will describe the implementation process of a standalone honeypot software solution created in the scope of this work. The honeypot framework will supplement the current solutions and add new features to the existing Honeyd design. The improvements aim to modernize Honeyd's model by providing new logging capabilities, easier deployment methods and enhancing its proxy functionality.
Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets are usually implemented as parts of larger network intrusion-detection systems. A honeynet is a network of production systems. Honeynets represent the extreme of research honeypots. Their primary value lies in research, gaining information on threats that exist in the Internet community today.
The two main reasons why honeypots
are deployed are:
1. To learn how intruders probe and
attempt to gain access to your systems and gain insight into attack
methodologies to better protect real production systems.
2. To gather forensic information
required to aid in the apprehension or prosecution of intruders.
1.4. STATEMENT OF THE PROBLEMS
Honeypots can be involved in different aspects of information security, such as detection, prevention, and information gathering. Essentially, a honeypot is a security resource whose value lies in unauthorized or illicit use of that resource [19]. Honeypots have no production value, so anything going to or from a honeypot is likely a probe, attack or compromise; this follows from the concept itself: nobody should use a honeypot, therefore any transaction or interaction with a honeypot is unauthorized and possibly malicious. This approach excludes the possibility of false alerts, whether positive or negative, which gives honeypots an advantage over other network monitoring techniques such as intrusion detection systems.
Honeypots have tremendous potential for the security community, and these systems can accomplish goals few other technologies can. However, like any other technology, they have some challenges to overcome. Deploying honeypots in a way that they cannot be identified by attackers is a difficult problem, as the effectiveness of these systems heavily depends on the assumption that the attacker is not aware that he is interacting with a decoy rather than a real production system. In an ideal situation, the differences between a honeypot and a real system should be negligible.
Honeypots are either deployed as virtual machines or installed on a real system encapsulated by application virtualization or sandboxing. The issue with virtual honeypots is that the virtualization software may leak information about the emulated hardware, which can lead to the detection of the honeypot. Honeypots deployed on real systems face different problems: operating-system-level virtualization software is typically not designed for security use, therefore the identification and circumvention of these protective barriers is an issue that can lead to system compromise. Security events have to be exported from the honeypot and stored on a different host, because logged data cannot be trusted in case of a system compromise.
The significance of this thesis is to help address some of these issues in the research field of honeypot systems and contribute the created honeypot solution to the security community.
1.5. SIGNIFICANCE OF THE STUDY
The significance of this work is to understand
how honeypot-based security systems help to provide protection against
different kinds of attacks and learn the terms, concepts, and architectures
used in the realm of these systems. The main initiative behind this thesis is
to design and implement a standalone honeypot solution that is practical to use
in real-life scenarios and can serve as a base point for further development.
Gathering more data about malicious attacks can contribute to the advancement
of future protective measures and can improve sensitive information protection
policies.
1.8. LIMITATION
The project covers the implementation of a new honeypot design. More precisely, this design is a modernization of an existing honeypot extended with new functionalities. The scope of the project was limited to defined areas of design in accordance with the assignment. Since the focus of the design is narrowed to the given task, the created software has limitations in other areas that can be further developed. The given time frame and the available equipment do not allow the full potential of the implemented design to be addressed.
1.9. SCOPE OF THE STUDY
The main advantage of a honeypot is that it provides security to the actual server: if an attacker exploits a weakness, only the decoy system (the honeypot) is affected, not the real server. The honeypot creates log files, and from these files information is collected about the tools and software used by attackers to harm the system. With this information the system administrator can provide additional security to the system and be confident that no sensitive data is leaked to an attacker.
1.10. PURPOSE OF THE STUDY
The purpose of our study is to develop efficient solutions to overcome current honeypot limitations. We addressed the issue of the size and the location of honeynets by correlating network flows with darknet data. We solved the problem of scalability of high-interaction honeypots by implementing an advanced hybrid honeypot architecture called Honeybrid. We solved the problem of configuring honeynets in large organization networks by using a server and scanner discovery program based on network flows.
1.11. SIGNIFICANCE OF THE STUDY
A honeypot's primary purpose is not to be an ambush for the black hat community, to catch them in action and press charges against them. The focus lies on silently collecting as much information as possible about their attack patterns, the programs they use, and the black hat community itself. All this information is used to learn more about black hat proceedings and motives, as well as their technical knowledge and abilities. This is just the primary purpose of a honeypot. There are many other possibilities for a honeypot; diverting hackers from productive systems or seizing a hacker while conducting an attack are just two possible examples.
1.12. DEFINITION OF TERMS
Network sensor: is defined as an unused IP address instrumented to collect information about suspicious traffic. We separate sensors into two categories: passive sensors, which simply collect data without any interaction with the source of traffic; and active sensors, which can interact with the source of traffic to collect additional information.
Honeypot: is defined as a network device that provides a mechanism for completing network connections not normally provided on a system and logging those connection attempts. We note that honeypot and active network sensor are synonyms.
Darknet: is defined as a network of passive sensors.
Honeynet: is defined as a network of honeypots.
Honeypot architecture: by this we mean a specific combination of software solutions to administrate a honeynet.
Honeypot framework: by this we mean the combination of a honeypot architecture and a data processing solution to analyze malicious network activity.