This report explains the use of honeypots and is aimed at students studying MSc Computer Forensics or Computer Security; it should help fellow students gain an understanding of honeypots. Capturing spam email is also an aim of the report. Spam has increased over the last few years, affecting many organisations and individuals, and the money lost to spammers through fraud has forced them to implement tighter security. The report begins with the three security concerns, prevention, detection and reaction, and links them to honeypots throughout. It explains what honeypots are, how they function, what they do, what types exist, and how they capture unusual activity while seeing none of the normal activity. Project Honeypot will also be described; briefly, it aims to capture spam emails and analyse them. An email trap, also known as a spam trap, is an effective mechanism for capturing spam. Organisations and individuals should be aware of the exploits that can harm their systems, and deploying honeypots may help them follow the footsteps of attackers.
Security of computer systems and networks is becoming more important as more business is conducted over them. The Internet has grown rapidly over the last few years, bringing success to organisations and economies but at the same time bringing many problems to our society. (Cisco) "December 15, 2008 - Cisco today released a security report that warns that Internet-based attacks are becoming increasingly sophisticated and specialized as profit-driven criminals continue to hone their approach to stealing data from businesses, employees and consumers". These problems include attacks made for financial gain, attacks made as a hobby, and spam email sent to many recipients for commercial reasons. There are many ways to reduce spam (discussed later). The main subject of this report is honeypots and the email traps used to gather details of spammers. Despite years of research and experience, the IT community is still unable to fully secure computer systems. Honeypots may help to change this by gathering useful information from attacks for research purposes, which may change views towards security in the future.
Before discussing what honeypots are and how they add value to security, it is worth explaining what is meant by security. The author breaks security down into three areas:
2.0.1. Prevention of exploits
Prevention means stopping the bad guys from attacking the system. If you were asked to secure your network, you would implement network intrusion prevention systems, configure firewalls and set up alerting, doing everything possible to keep the threat out. The author believes that honeypots will not keep hackers out, because encouraging attackers to enter the system can be dangerous if the honeypot is implemented incorrectly. Patching systems and using strong authentication mechanisms are what keep attackers out. The author believes honeypots contribute little to prevention.
2.0.2. Detection of exploits
Detection, as the name suggests, means detecting the bad guys once they get past the security measures, and the sooner the better. Prevention will fail at some point, and it is wise to be notified when that happens. Using the network example, if the network intrusion prevention system and firewalls did not stop the attacker, an alarm system alerts the administrator when the attacker attacks the network.
We have intrusion detection systems, but even with them administrators are faced with false positives. False positives are dangerous because administrators start ignoring alerts, including those for real attacks. For example, an administrator is alerted to an attack three times, but each time there is no attack and the alert is false. When an attacker then really attacks the network the administrator is alerted again, but ignores the alert assuming it is another false alarm, and the attacker succeeds.
2.0.3. Reaction to exploits
Reaction means responding to the bad guys once they have been identified. Detection has no value if you do not respond to the failure, so when an attack has been detected you should have the ability to respond to it.
The author believes that honeypots are important for incident response teams. When a production system is compromised, users tend to carry on using it and the evidence becomes polluted. With a honeypot, if the system is compromised the data is not polluted. For example, an organisation has three servers and all three are compromised; if one of them is a honeypot, the incident response team can take it offline and begin examining it, gaining valuable information such as how the attacker got in, what they did, and how they did it.
2.0.4. Explanation of Honeypots
A honeypot is a trap set to detect, deflect, and counteract attempts at unauthorised use of an information system. A honeypot is a resource whose value lies in being probed, attacked or compromised. It can be deployed on an organisation's network so that it appears to be part of the network, but it is isolated, deliberately left weakly protected, and closely monitored. It has no production value, so no valuable information is kept on it, although fake files may be placed on it to make the system look real to hackers. Aside from gathering information while waiting to be probed, a honeypot can distract attackers from valuable systems on the network and provide information on new attacks.
Honeypots are usually computers, but they can take other forms, such as fake data records, unused IP addresses, or an open proxy. A honeypot should see no legitimate traffic, so whatever the honeypot captures is by definition unauthorised and probably malicious.
Any interaction with the honeypot is treated as malicious activity, and information about the attack is captured. For example, if an attacker scans your internal honeypot, the honeypot logs this unauthorised activity. The honeypot should be on a separate network segment behind a firewall. This stops the attacker using the honeypot to reach other systems, and the firewall logs all traffic passing through it, so every move of the attacker can be examined. Some firewalls have alerting capabilities, so administrators can build alerts that fire when the honeypot is attacked. There should be no legitimate communication with the honeypot, so any communication with it may be an attack.
Honeypots are a flexible tool: they can observe encrypted attacks (because they see activity on the host itself, not only on the wire), capture online fraud, and, most importantly for this report, examine attackers and capture spam email. Some honeypots prevent attacks, some detect attacks, and others are used for information gathering and research. Honeypots can act as an early-warning tool, which gives administrators the advantage of watching the hacker exploit vulnerabilities and learning where the weaknesses in the system are. The hacker can be stopped before obtaining root access, and by studying an attacker's activity designers can build more secure systems. In March 2003, Azusa Pacific University deployed a honeypot to capture exploits, and the research was effective: many exploits (including DDoS tools and the Slammer worm) were captured. (McCarty, B.) "During the first week of observation, 171 distinct IP addresses accessed the server. Ports targeted by attacks included those shown in Table 1, but several attackers performed complete port scans of the honeypot. In particular, the Slammer worm quickly probed and attacked the honeypot". Organisations can benefit from honeypots by capturing information that is useful for protecting their systems.
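The rule in the paragraphs above, that any interaction with a honeypot is suspect and that distinct sources and targeted ports are the first figures to report, can be shown in a few lines. The following is an added example written for this report, not KfSensor's code or the Azusa Pacific honeypot: a small low-interaction TCP decoy that answers on two fake service ports, logs every connection, treats anything not from a (hypothetical) trusted monitoring host as an alert, and flags a source that touches five or more ports within a minute as a port scan. The decoy ports, the trusted address and the scan threshold are assumptions made for the example.

```python
"""Minimal low-interaction TCP honeypot with interaction logging.

Added example for this report; it is not KfSensor's code or the Azusa
Pacific honeypot. Assumptions (all hypothetical): the decoy ports below,
the single trusted monitoring host in TRUSTED_SOURCES, and the rule that
five or more distinct ports from one source within 60 seconds is a scan.
"""
import socket
import threading
import time
from collections import defaultdict

TRUSTED_SOURCES = {"10.0.0.5"}          # hypothetical monitoring station
SCAN_PORTS = 5                          # distinct ports that count as a scan
SCAN_WINDOW = 60.0                      # seconds
DECOY_BANNERS = {                       # what each decoy says on connect
    2222: b"SSH-2.0-OpenSSH_5.1\r\n",
    2525: b"220 mail.example.com ESMTP\r\n",
}


def new_history():
    """Per-source list of (timestamp, port) seen so far."""
    return defaultdict(list)


def classify(src_ip, dst_port, payload, ts, history):
    """Turn one connection into a log record.

    A honeypot has no production role, so anything not on the allow-list
    is unauthorised by definition. `history` is updated in place so that a
    port scan can be recognised while it is still in progress.
    """
    if src_ip in TRUSTED_SOURCES:
        return {"ts": ts, "src": src_ip, "port": dst_port, "verdict": "trusted"}
    history[src_ip].append((ts, dst_port))
    recent = {p for t, p in history[src_ip] if ts - t <= SCAN_WINDOW}
    verdict = "port-scan" if len(recent) >= SCAN_PORTS else "probe"
    return {"ts": ts, "src": src_ip, "port": dst_port, "verdict": verdict,
            # keep the first bytes: a worm or scanner often identifies itself
            "first_bytes": payload[:64].decode("latin-1", "replace")}


def summarise(records):
    """Distinct attacking sources and targeted ports, the kind of figures
    the Azusa Pacific observation reported."""
    hits = [r for r in records if r["verdict"] != "trusted"]
    return {
        "distinct_sources": len({r["src"] for r in hits}),
        "ports": sorted({r["port"] for r in hits}),
        "scanners": sorted({r["src"] for r in hits if r["verdict"] == "port-scan"}),
    }


def serve(port, history, records, stop, host="127.0.0.1"):
    """Listen on one decoy port; every accepted connection becomes a record."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.5)                 # wake up regularly to check `stop`
    while not stop.is_set():
        try:
            conn, (src_ip, _) = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(DECOY_BANNERS.get(port, b""))
                payload = conn.recv(1024)
            except OSError:
                payload = b""
            rec = classify(src_ip, port, payload, time.time(), history)
            records.append(rec)
            if rec["verdict"] != "trusted":
                print("ALERT", rec)     # in practice: remote syslog / pager
    srv.close()


if __name__ == "__main__":
    history, records, stop = new_history(), [], threading.Event()
    threads = [threading.Thread(target=serve, args=(p, history, records, stop),
                                daemon=True) for p in DECOY_BANNERS]
    for t in threads:
        t.start()
    try:
        time.sleep(60)                  # run for a minute, then summarise
    finally:
        stop.set()
        print(summarise(records))
```

Run it and connect with `nc 127.0.0.1 2525` from another terminal to see an alert. In a real deployment the decoy sits on its own segment behind a logging firewall, as described above, and the records go to a remote log server rather than to standard output, since an attacker who compromises the host can otherwise erase them.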
Some people consider honeypots a tool for deception, whereas others consider them an intrusion detection system or a weapon to trap hackers. The author's definition of a honeypot is: a security resource whose value lies in being probed, attacked, or compromised. This means that a deployed honeypot is meant to be attacked and compromised so that the attack can be examined. However, the author also notes that allowing attackers to attack the decoy system can lead to problems if the honeypot is implemented incorrectly. Below are two diagrams that illustrate honeypots.
This diagram illustrates an attacker attacking a system and being redirected to a honeypot farm, where the attacker's activity is examined. This technique is effective because the honeypot farm is on a separate network from the internal networks.
This second diagram illustrates the honeypot on a separate network; users should not communicate with these honeypots, as the log server records every such communication.
2.1.0. Production and Research Honeypots
Honeypots can be classified by their purpose or by their level of interaction. By purpose, honeypots are classified as:
2.1.1. Production Honeypots
A production honeypot is used to help an organisation protect its internal IT infrastructure and mitigate risk. It collects information about attacks, but less than a research honeypot would, which is why it is easy to use and captures only a small amount of information. Production honeypots are typically low-interaction honeypots and are easy to deploy. The next section explains how production honeypots apply to the three areas of security mentioned above.
The author personally believes honeypots will not keep the bad guys out. Honeypots invite hackers to attack the decoy system; what keeps the bad guys out is effective security practice such as good passwords, patched systems, and strong authentication mechanisms. If the honeypot is implemented incorrectly, it can make it easier for a hacker to enter the network.
While honeypots do not prevent hackers attacking the system, they do deceive hackers into attacking the honeypot, drawing their attention away from production systems. The author believes organisations spend their money more effectively on the resources and time needed to secure their systems than on waiting for an attacker to probe a decoy.
Honeypots are effective at detection: the main purpose of a honeypot is to trap hackers and record their every move. Some organisations find it extremely hard to detect attacks amid their production activity and network traffic.
Intrusion detection systems can detect attacks, but they can overwhelm administrators because they produce false positives. False positives are dangerous because administrators start to ignore IDS alerts, including those that are genuine intrusions. Honeypots are effective here; this does not mean a honeypot's alerts will always be accurate, but the number of false positives is far lower than with an IDS, because the honeypot carries no legitimate traffic that could be mistaken for an attack.
An IDS also suffers from false negatives, failing to detect real attacks whose signatures it does not know. Honeypots largely avoid false negatives because they do not depend on signatures: a new exploit or zero-day attack used against the honeypot is still captured.
Once an attack has occurred on a normal system, the administrator cannot take the system offline without affecting production. With a honeypot, the incident response team can take the system offline to conduct a forensic analysis without affecting production systems, because it is on a separate network and there should be no communication from users.
To summarise, production honeypots are effective in all three security areas mentioned above. They have advantages an organisation can adopt, and they are far more effective for analysing attacks. An example of an intrusion detection honeypot is KfSensor.
2.2.0. Experiment (KfSensor)
The author decided to download a Windows-based intrusion detection honeypot (KfSensor) and examine how effective the tool is. KfSensor is a Windows-based intrusion detection system: "It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans. By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information that can be achieved by using firewalls and NIDS alone". (KfSensor)
Appendix A shows screen shots taken by the author of the tool in action.
2.2.1. System Requirements for KfSensor
This is suitable for a system exposed on the Internet:
Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server
Processor 1.5 GHz or greater
500 MB hard disk space
SQL database, e.g. MS SQL Server or MySQL
1 LAN card and/or direct Internet connection
Western European language keyboard
This is suitable for an internal network:
Windows XP, Windows 2003 Server
80 MB hard disk space
1 LAN card
Western European language keyboard
2.3.0. Research Honeypots
As mentioned earlier there are two categories of honeypot: the production honeypot, discussed above, and the research honeypot.
Research honeypots are used to gather information on the threats organisations face and to learn how to protect against them. They are complex to implement and maintain, and they capture extensive information.
The security community faces the challenge of knowing little about the enemy: who the threat is, how they attack, and what they attack. Often these questions cannot be answered. (Lance Spitzner) "One of the greatest challenges the security community faces is lack of information on the enemy. Questions like who is the threat, why do they attack, how do they attack, what are their tools, and when will they strike again often cannot be answered". Project Honeypot (discussed later) lets the community gather useful information to answer such questions.
Organisations such as the military, the FBI, and government agencies use research honeypots to explore zero-day attacks and other attacks, analysing the hackers' moves.
To prevent an attack we first have to know about it, and the author believes we have too little information in this area. (Symantec) "To defeat a threat, you have to first know about it. However, in the information security world we have little such information". The more information gathered on threats, the easier it becomes for organisations to face them.
To summarise, research honeypots do not directly reduce risk. Organisations learn from a research honeypot how to improve the three security areas: prevention, detection, and reaction. Research honeypots contribute little to the direct security of an organisation, whereas production honeypots contribute directly to the security of the production environment. Project Honeypot (described later in this report) is an example of using research honeypots to capture information on the bad guys.
2.4.0. Capturing Information
Capturing data on a system that is designed to be compromised can be tricky. Data can be captured in two ways, but both have drawbacks:
Capture on the host. Logging on the honeypot itself can capture incoming and outgoing traffic, but this method has a problem: an attacker who gains control of the host can disable logs and security tools, hiding their presence. Tools such as Snort and Ethereal (now Wireshark) can be used to capture and analyse packets.
Capture off the host. This is safer but more complex: the honeypot logs activity and sends it to a remote server. The collection server must itself be secured, and the export must be covert, because an attacker may notice traffic leaving the system. Sebek is a tool that hides the data being captured on a honeypot and exports it covertly. Below is a diagram showing how a honeypot exports activity to the Sebek server without an intruder knowing.
This diagram shows the intruder using SSH to protect their communications, while honeypot A exports the intruder's activity to the Sebek server without the intruder knowing. Because Sebek captures activity on the host, it records the intruder's keystrokes after the SSH session has decrypted them.
2.5.0. Advantages and Disadvantages of Honeypots
Although honeypots are valuable for detecting attacks, they can also cause problems, which an administrator or individual must manage carefully. The advantages and disadvantages of honeypots are:
Advantages
Collect small data sets
Honeypots collect small amounts of data, which makes analysis by the incident response team easier.
Gather important information
Honeypots gather important information on attacks that may be used by institutions such as governments, universities, or the FBI.
Reduce false positives
Any activity captured by the honeypot is assumed to be unauthorised and therefore malicious, so false positives should rarely occur.
Capture zero-day attacks
New attacks are captured by honeypots, whereas a signature-based intrusion detection system will not pick up new attacks.
Disadvantages
Limited field of view
Honeypots only see what interacts with them; they do not see interactions with other systems.
Could make it easier for hackers to attack production systems
If the honeypot is not implemented correctly, a hacker who takes over the honeypot may use it to reach and attack the production systems.
Worthless if not attacked
Honeypots are worthless if they are not attacked, so the time and money spent setting one up is wasted if nobody attacks it.
One further problem is that if an attacker realises the system is a honeypot, it is no longer useful and the organisation fails to collect vital information on the attacker. (Jungsuk Song, Takakura, H., Okabe) "Although many honeypots have been proposed, there is a common problem that they can be detected by someone (mainly malicious attackers) easily. This is very important in the success or the failure of honeypots because if once an attacker notices that he/she is working on a honeypot, we can no longer observe his/her malicious activities". Honeypots need to be implemented carefully so that attackers believe the system is not a decoy.
To summarise, honeypots bring many advantages and useful data for administrators to analyse in protecting their resources and systems, but care should be taken because the disadvantages mentioned above can cause problems.
3.0.0. Email Trap (Spam Trap)
Email traps complement honeypots: an email trap is an email address used only for receiving spam. Why would anyone want to receive spam? The answer is simple: the address is backed by honeypot mechanisms that capture spam and examine spammers. The spam arrives at the trap through the normal delivery path, like any other email. The term spam trap has the same meaning as email trap; both collect spam and examine spammers. When spammers send messages to these traps, important information is gathered, such as the sending IP address, the response mechanism (the web addresses or reply addresses the message wants the victim to use), and the email addresses spammers use as targets.
3.0.1. Spam Trap Function
Spammers often send through open mail relays. An open mail relay is a Simple Mail Transfer Protocol (SMTP) server that allows anyone on the Internet to send email through it to any recipient. Over the past few years open relays have become rare, because spammers and worms abused them to affect many organisations. Spam also spreads over channels other than email: (Sophos) "IT security and control firm Sophos has warned members of Twitter to be on their guard against an evolving attack which threatens to steal personal information from them. Thousands of Twitter users are reporting having received direct messages from friends inviting them to visit a website". These messages lead to websites that steal information, which can then be used to make money from stolen credit card details.
Another method is email harvesting, the process of collecting email addresses for use in spam. The simplest and best-known method is for spammers to obtain email addresses from other spammers. There are also harvester bots that collect email addresses from public data online, such as web pages and forums.
3.1.0. Capturing Spam
3.1.1. Project honeypot
Project Honeypot is a research honeypot, as the information it collects is used by government, military and educational institutions. It uses software embedded in websites to collect information such as the IP addresses of bots harvesting email addresses for spam. (Wikipedia 2009)
Project Honeypot involves members of the community around the world who agree to stop the most dangerous spammers and attackers using tools and resources they pool together. Since their introduction these honeypots have been a success. (The Tech Herald Security) "Since the project started in 2004, Project Honeypot has seen 1 billion Spam messages in their traps. When the milestone email arrived on December 9, the project compiled some interesting data based on what they have seen over the years". The author finds this quote astonishing: in about five years one billion spam messages were captured and examined, which is great news and hard to believe but true.
Consider an organisation that relies on Microsoft Exchange for handling and receiving email. The old system is being replaced, but rather than being decommissioned it can be left as it is in the DMZ and used as a honeypot. No legitimate user or system should communicate with it, so anything that does arrive is spam or an attack. The old email system becomes a honeypot because it receives no production traffic, and its only task is to capture spam. It must still be patched and monitored like any other host in the DMZ: an abandoned, unpatched mail server is a liability for the production network, not a decoy.
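As an added example (not Project Honeypot's own code), the following shows the mechanism described in sections 3.0.1 and 3.1.1 end to end: a unique trap address is generated for each page served, carrying an HMAC tag so that a forged or mangled address is rejected; when spam later arrives at that address, the Received header written by our own mail exchanger gives the spammer's IP, and the address itself says which page was harvested and when. The trap domain, MX host name, secret and sample message are all constructed for the example.

```python
"""Spam-trap addresses that trace which harvester collected them.

Added example for this report; it is not Project Honeypot's code. It
assumes a hypothetical trap domain, MX host and server-side secret (the
three constants below); page identifiers must not contain '-'.
"""
import email
import email.utils
import hashlib
import hmac
import re

SECRET = b"hypothetical-server-side-secret"   # keep secret, rotate rarely
TRAP_DOMAIN = "trap.example"                   # hypothetical trap domain
OUR_MX = "mx.trap.example"                     # hypothetical, our own MX
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _tag(page_id, ts, secret):
    # Short HMAC over (time, page): a forged or altered address will not verify
    return hmac.new(secret, f"{ts}-{page_id}".encode(), hashlib.sha256).hexdigest()[:16]


def make_trap_address(page_id, ts, secret=SECRET, domain=TRAP_DOMAIN):
    """Unique address to embed (hidden from humans) in one page served at
    time `ts`; only a harvester reading the HTML will ever see it."""
    return f"t-{ts}-{page_id}-{_tag(page_id, ts, secret)}@{domain}"


def decode_trap_address(addr, secret=SECRET):
    """Return (page_id, ts) if `addr` is a genuine trap address, else None."""
    local, _, domain = addr.partition("@")
    parts = local.split("-")
    if domain != TRAP_DOMAIN or len(parts) != 4 or parts[0] != "t":
        return None
    _, ts, page_id, tag = parts
    if not ts.isdigit() or not hmac.compare_digest(tag, _tag(page_id, int(ts), secret)):
        return None
    return page_id, int(ts)


def sender_ip(raw_message):
    """IP of the host that handed the message to our MX.

    Received headers are prepended hop by hop, so the first one written by
    our own MX is the outermost trustworthy hop; anything below it was
    written by the spammer's relay and may be forged."""
    msg = email.message_from_string(raw_message)
    for rcvd in msg.get_all("Received", []):
        if f"by {OUR_MX}" in rcvd:
            m = _IP_RE.search(rcvd)
            return m.group(1) if m else None
    return None


def analyse(raw_message, secret=SECRET):
    """Tie a received spam back to the harvest event that leaked the address."""
    msg = email.message_from_string(raw_message)
    _, to_addr = email.utils.parseaddr(msg.get("To", ""))
    info = decode_trap_address(to_addr, secret)
    if info is None:
        return None                     # not one of ours: ignore, do not trust
    page_id, ts = info
    return {"sender_ip": sender_ip(raw_message),
            "harvested_page": page_id, "harvested_at": ts}


# Constructed sample: a trap address served on the "about" page, later hit by
# a spammer whose relay added a forged inner Received line (not real traffic).
HARVESTED = make_trap_address("about", 1260352800)
SAMPLE_SPAM = (
    "Received: from spamhost.invalid (unknown [203.0.113.45])\n"
    "\tby mx.trap.example (Postfix) with ESMTP id 4F2A1;\n"
    "\tWed, 09 Dec 2009 10:00:00 +0000\n"
    "Received: from [192.0.2.10] (forged.invalid)\n"
    "\tby spamhost.invalid with SMTP; Wed, 09 Dec 2009 09:59:00 +0000\n"
    'From: "Lottery Board" <win@example.invalid>\n'
    f"To: <{HARVESTED}>\n"
    "Subject: You have won\n"
    "\n"
    "Send your bank details to claim your prize.\n"
)

if __name__ == "__main__":
    print(analyse(SAMPLE_SPAM))
```

The trap address is never published anywhere a human would read it, so the first message to reach it proves the page was scraped by a harvester; the timestamp in the address, combined with the web server's access log for that page, identifies the harvester's IP as well as the spammer's. Only the Received line written by our own MX is trusted, because every line beneath it was produced by machines the spammer controls.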
To summarise, spam is on the increase, but mechanisms such as Project Honeypot are doing well at capturing spam emails and examining them to drive future improvements.
3.2.0. Security Issues with Spam
Spam has been on the increase over the past few years and is used for many purposes. Script kiddies treat it as a hobby, whereas black-hat attackers take it to the next level. What was once a relatively safe environment now has many problems. Spam email can be used to advertise, to fool a user into purchasing certain items, or to trick them into "confirming" their details. Phishing is a technique in which an attacker lures the victim into entering their details on a fake website; once entered, the details are used or sold.
Another issue with spam is lottery and prize scams, which trick victims into thinking they have won large sums of money or other prizes. Once the victim is persuaded that they have won something, they are asked for personal and bank details so that the "winnings" can be transferred to their account. What really happens is that the victim's account is emptied or their details are sold.
To summarise, email fraud and spam are always serious, and victims should be careful of any suspicious activity. Do not open an email attachment if it looks suspicious, and never give bank or personal details by email or on any suspicious website.
4.0.0. Conclusion
From the research above, we can conclude that attackers are very dangerous and that honeypots are a useful technique for gathering vital information on them. Spam email is just as dangerous as attacks from hackers; it is one of the many problems our society faces, and it has increased, causing damage and bringing a huge amount of money to spammers, so it should be taken very seriously, as fraud is damaging our society. Honeypots are very useful and, despite the drawbacks mentioned, should be used by many organisations and individuals to trap attackers. Project Honeypot is a useful project that is gathering many spam messages. Every approach has advantages and disadvantages; what matters is to implement the honeypot suitably, according to your goals and what you aim to achieve.
5.0.0. Further Work
If this work had not collided with other commitments (the project), more could have been added to this research. The tools used to detect attackers could have been tested by the author in a suitable environment, and the results tabulated so that the tools could be compared. Most importantly, with more time the author could have set up a honeypot and experimented with it.