Mind Map: Honeypots

1. Client Honeypot

1.1. allows detection of malware in client applications

1.1.1. end user is becoming weakest link in security architecture

1.2. simulates human behaviour instead of passively waiting

1.3. other possible client applications to build a client honeypot upon besides web browser

1.3.1. IRC client

1.3.2. e-mail

1.3.3. peer-to-peer

1.3.4. instant messaging

1.4. 2 kinds

1.4.1. passive

1.4.1.1. waiting for an event to happen

1.4.1.1.1. e.g. e-mail clients

1.4.2. active

1.4.2.1. connect to server, send commands, get back results

1.4.2.1.1. e.g. web browser

2. High Interaction

2.1. conventional computer systems

2.1.1. equipped with additional software to constantly monitor system and collect information about system activity

2.2. Attacker gains full Control over System

2.2.1. Security Measures

2.2.1.1. Honeywall

2.2.1.1.1. Principles

2.2.1.1.2. Acts as Transparent Bridge

2.2.1.1.3. Separate Management NIC

2.3. Complete Analysis of Attack possible

2.4. dynamic taint analysis

2.4.1. implemented in Argos

2.4.2. all data received via network is marked

2.4.3. detects if marked data is used to influence execution flow

2.4.3.1. e.g. via a JMP instruction

2.4.3.2. execution is stopped

2.4.3.3. memory footprint is generated

2.4.3.4. detection happens on execution, not on overwrite of memory

2.4.4. advantages

2.4.4.1. automated detection and possible analysis of exploit

2.4.4.2. attacker never gets control of the system

2.4.4.3. can be utilized to automatically create attack signatures

2.4.5. disadvantages

2.4.5.1. doesn't execute anything from the attacker

2.4.5.1.1. no malware samples are caught

2.4.5.1.2. no analysis of attacker behaviour possible

2.4.5.2. only effective against buffer overflow attacks

3. Physical Honeypot

4. Virtual Honeypot

4.1. advisable to run the honeypot (HP) on Linux

4.1.1. most exploits and malware target Windows

4.2. can be restored to previous state fast and easily

4.2.1. to disinfect the system, restore the base image

4.3. attacker may detect being in a virtual machine

5. Low Interaction

5.1. emulates services

5.1.1. reacts to input with defined output, usually without implementing large parts of the protocol logic

5.2. Evaluation

5.2.1. Advantages

5.2.1.1. Easy to Set Up

5.2.1.2. Easy to Maintain

5.2.1.3. Low Computing Resources needed

5.2.1.4. Provides only limited Access to the Operating System for Adversary

5.2.1.4.1. Attacker shouldn't be able to compromise the LI HP itself

5.2.1.5. Measure Attack Frequency

5.2.1.6. Collecting Malware for Analysis

5.2.2. Disadvantages

5.2.2.1. Detectable

5.2.2.2. Not designed for 0-days

5.2.2.3. Not designed for unknown/unimplemented

5.3. Tarpit

5.3.1. LaBrea

5.3.2. Slow Down Spammers (and Sequential Worms)

5.3.3. Two Ways

5.3.3.1. Throttling

5.3.3.1.1. Very Small Window Size

5.3.3.1.2. Connection still progresses, but slows down Attacker

5.3.3.2. Persistent Capture

5.3.3.2.1. Advertise Receiver Window Size 0

5.3.3.2.2. Attacker keeps Connection Alive and periodically sends "Window Probe" Packets

5.3.3.2.3. Can Persist Indefinitely

6. Hybrid approach

6.1. Use low interaction HP for known attacks

6.1.1. if unknown attack, forward traffic to high interaction HP

6.1.1.1. replay against high interaction HP what happened so far

6.1.1.2. bring high interaction HP into state reached so far

6.2. Shadow Honeypots

6.2.1. Hybrid System

6.2.1.1. Honeypot

6.2.1.2. Anomaly Detection

6.2.2. Request is handled by either a normal production host or, if an anomaly is detected, a high interaction honeypot

6.2.2.1. Both systems share the state, so that if the honeypot doesn't find anything, the changes go live, otherwise changes are discarded
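
Added example (not part of the original mind map): a minimal model of the shadow honeypot flow in 6.2.2 and 6.2.2.1, showing the routing decision and the commit/discard of shared state. The names `ShadowFrontend`, `is_anomalous`, `handle`, `BUF_SIZE` and the length-based anomaly heuristic are hypothetical stand-ins, and the requests are constructed sample input.

```python
import copy

BUF_SIZE = 16  # assumed size of the buffer the shadow's instrumentation guards

class AttackDetected(Exception):
    """Raised only by the instrumented (shadow) code path."""

def is_anomalous(request):
    # Stand-in anomaly detector: flags long or non-printable input.
    name = request["name"]
    return len(name) > BUF_SIZE // 2 or not name.isprintable()

def handle(state, request, instrumented=False):
    # Same application logic on both hosts; only the shadow adds checks.
    name = request["name"]
    if instrumented and len(name) > BUF_SIZE:
        raise AttackDetected(f"{len(name)} bytes written to {BUF_SIZE}-byte buffer")
    state["visitors"].append(name)
    state["count"] += 1
    return f"hello {name}"

class ShadowFrontend:
    def __init__(self):
        self.live = {"visitors": [], "count": 0}  # state shared by both hosts
        self.alerts = []

    def serve(self, request):
        if not is_anomalous(request):
            return "production", handle(self.live, request)
        # Anomalous: the shadow works on a private copy of the shared state.
        scratch = copy.deepcopy(self.live)
        try:
            reply = handle(scratch, request, instrumented=True)
        except AttackDetected as exc:
            self.alerts.append((request, str(exc)))  # keep evidence, drop changes
            return "shadow-discarded", None
        self.live = scratch  # detector false positive: changes go live
        return "shadow-committed", reply

def demo():
    fe = ShadowFrontend()
    # Constructed requests: benign, false positive, oversized input.
    requests = [{"name": "alice"}, {"name": "bartholomew"}, {"name": "A" * 64}]
    routes = [fe.serve(r)[0] for r in requests]
    return routes, fe.live, len(fe.alerts)

if __name__ == "__main__":
    print(demo())
```

The second request is a false positive of the anomaly detector: the shadow finds nothing, so its state changes are committed and the client sees a normal reply.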