
Risk Management The Big Picture – Part V

17 pages, PDF, 316.51 KB
Thu Hiền


Document information:

Welcome, let's take a minute and revisit what we have learned so far. We started out with an example attack and then focused on one tool that would have given a lot of bang for the buck, a firewall. If you reflect carefully on firewalls and ways to avoid firewalls, you realize we introduced the concepts of threats and countermeasures. We covered the history of the threat as far back as 1995 up to the most recent types of attack.
Content extracted from the document:
Risk Management: The Big Picture – Part V
Honeynets and Honeypots
Information Risk Management - SANS ©2001

Welcome, let's take a minute and revisit what we have learned so far. We started out with an example attack and then focused on one tool that would have given a lot of bang for the buck, a firewall. If you reflect carefully on firewalls and ways to avoid firewalls, you realize we introduced the concepts of threats and countermeasures. We covered the history of the threat as far back as 1995 up to the most recent types of attack. Then we began to explore detection, covering sensors and logging for both host- and network-based platforms. Along the way you were introduced to a number of commands and tools. Have you started working with those? Do you now have tcpdump, WinDump, or Ethereal (now Wireshark) running on your system? SANS Security Essentials teaches a lot of theory and teaches you about a lot of things, but that is not the focus of the course. The course is designed to equip you to face the threat, and we cannot achieve that if you do not put the lessons into practice. You are going to need these tools as we progress to networking, so if you have not set them up, perhaps it would be better to go do that and begin this lesson later.

This segment of Risk Management: The Big Picture deals with honeypots. They are critical to finding and analyzing new attacks.

5-1 Honeypots
• What are they?
• Why you might need a honeypot
• Example honeypots:
  – DTK (Fred Cohen's Deception Toolkit)
  – Honeynet

There are a number of technologies that can be used for a honeypot, and everyone has a strong opinion about their approach. Obviously the more sophisticated attackers are only going to be fooled by an operating system that exactly mirrors what they expect, and this includes the moment they "compromise" it: the system must fail correctly.

The only honeypot that will work at that level of fidelity is an operating system itself; this is the approach Lance (Lance Spitzner of the Honeynet Project) uses. It is a very advanced and dangerous technique, since the system can easily be used to attack others. To make his system work, he relies on multiple layers of monitoring and has modified the syslog facility to do a lot of logging, but not in a way attackers will notice. He has also modified the operating system shell to log commands to the syslog facility, and then monitors everything with a Snort IDS. Still, when he published his work, the attackers figured out they had been had and laid waste to the system. This is evidence that a few more safety measures would be a good thing!

5-2 Honeypots (2)
• What are they?
  – A host trap: it runs real services on a sacrificial computer, or simulated, instrumented services (or fakes a core dump)
  – A network trap: the intruder thinks they have found a vulnerable organization

Are there safer alternatives? We will talk about DTK in some depth.

5-3 What are They?
• A decoy: if a machine becomes "hot", change its IP address and name and put a honeypot in its place
• DNS, mail and web servers make great honeypots on their unused ports

Attackers will not succeed in cracking it to attack other systems. Of course, smap is not sendmail, and just changing the banner from "smap" to "sendmail" will not fool the wise attacker. The higher the fidelity of the honeypot, the greater the risk.

Where do you put a honeypot? How do you make it effective? To be sure, every IP address gets attacked; ask any cable modem user. However, there are things you can do to optimize its effectiveness. Perhaps the most effective honeypots are machines that have become "hot". In such a case, it is a good idea to move that machine to a new name and IP address (think "witness protection program") and deploy a honeypot on that system's old address.

The non-service ports of domain name servers, mail servers and web servers make a great place to put honeypot code.

5-4 Why you Need a Honeypot
Firewall 14 ...
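The "simulated, instrumented service" of slide 5-2, placed on an otherwise unused port of a real server as slide 5-3 suggests, as an added example in Python. This is not code from the SANS course, from DTK, or from the Honeynet Project. The port (2525), the `mail.example.test` banner, the `example.test` "local" domain, the reply texts and the event-record layout are all constructed for illustration. The decoy answers with SMTP-style reply codes so that a probe gets further than a bare banner would (the notes' point that a renamed banner alone fools nobody), logs every line it receives to the `logging` facility (route that to syslog with `logging.handlers.SysLogHandler` to get the trail the notes describe), counts relay probes as a detection signal, and never executes, stores or relays anything, which is what keeps it on the safe side of the fidelity/risk trade-off.

```python
"""Low-interaction SMTP decoy: plausible replies, full logging, no real mail.
All names, ports and reply strings are constructed for this example."""
import logging
import socketserver
import threading
import time
from collections import deque

# Constructed banner. A banner alone does not fool a careful attacker, so the
# state machine below also follows SMTP reply-code conventions.
BANNER = "220 mail.example.test ESMTP Sendmail ready"
LOCAL_DOMAINS = {"example.test"}   # constructed: the domains we would accept mail for

EVENTS = deque(maxlen=10000)       # in-memory mirror of everything sent to logging
log = logging.getLogger("honeypot")


def record(peer, event, detail=""):
    """Append one timestamped event and mirror it to the logging facility."""
    entry = {"ts": time.time(), "peer": peer, "event": event, "detail": detail[:512]}
    EVENTS.append(entry)
    log.info("peer=%s event=%s detail=%r", peer, event, entry["detail"])
    return entry


def events_for(peer):
    """All recorded events for one peer address, in order."""
    return [e for e in EVENTS if e["peer"] == peer]


class SmtpDecoy:
    """Per-connection state machine. It talks like an MTA but never relays,
    stores or executes anything, so it cannot be turned against other hosts."""

    def __init__(self, peer):
        self.peer = peer
        self.state = "init"        # init -> helo -> mail -> data -> helo ... -> closed
        self.relay_attempts = 0    # RCPT TO a non-local domain: classic open-relay probe

    def greeting(self):
        record(self.peer, "connect")
        return BANNER

    def handle_line(self, raw):
        line = raw.rstrip("\r\n")
        record(self.peer, "line" if self.state == "data" else "cmd", line)
        if self.state == "data":                 # message body: swallow until "."
            if line == ".":
                self.state = "helo"
                return "250 2.0.0 Message accepted for delivery"   # nothing is delivered
            return None                          # no reply while in DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "helo"
            return "250 mail.example.test Hello " + (arg or "unknown")
        if verb == "MAIL":
            if self.state == "init":
                return "503 5.0.0 Polite people say HELO first"
            self.state = "mail"
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            if self.state != "mail":
                return "503 5.0.0 Need MAIL before RCPT"
            if not self._is_local(arg):
                self.relay_attempts += 1
                record(self.peer, "relay-probe", arg)
            return "250 2.1.5 Recipient ok"      # accept so the probe keeps talking
        if verb == "DATA":
            if self.state != "mail":
                return "503 5.0.0 Need MAIL command"
            self.state = "data"
            return '354 Enter mail, end with "." on a line by itself'
        if verb in ("VRFY", "EXPN"):
            return "252 2.5.2 Cannot VRFY user"  # leak nothing about real accounts
        if verb == "NOOP":
            return "250 2.0.0 OK"
        if verb == "QUIT":
            self.state = "closed"
            return "221 2.0.0 mail.example.test closing connection"
        return '500 5.5.1 Command unrecognized: "%s"' % line   # input is never executed

    @staticmethod
    def _is_local(arg):
        addr = arg.split(":", 1)[-1].strip().strip("<>")     # "TO:<user@domain>"
        return addr.rpartition("@")[2].lower() in LOCAL_DOMAINS


class DecoyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        peer = "%s:%d" % self.client_address[:2]
        decoy = SmtpDecoy(peer)
        self.wfile.write((decoy.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = decoy.handle_line(raw.decode("latin-1", "replace"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
            if decoy.state == "closed":
                break
        record(peer, "disconnect")


def serve(port, host="127.0.0.1"):
    """Start the decoy in a daemon thread; bind to the server's real address to deploy it."""
    srv = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    srv = serve(2525)   # constructed: an unused port on an existing mail/web host
    print("decoy listening on", srv.server_address)
    threading.Event().wait()
```

Run it and `telnet 127.0.0.1 2525` to drive a session by hand; every line typed shows up in the log, and a `RCPT TO` outside `example.test` is flagged as a relay probe. Because `handle_line` is a pure function of the session state, the same logic can be replayed over captured traffic without a socket.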
