Nowadays networks which are connected to the Internet are under permanent attack by intruders and automated attacks of worms. A variety of detection tools exist such as Intrusion Detection Systems (IDS) and firewalls, but the main problem is that they only react on preconfigured and known attacks. Although there exist a number of security tools that are available today, none of these tools can easily address all of the security goals of an organization. As computer attacks evolve, new responses are essential. Thus organisations look for more advanced tools which are effective in detecting security attacks and recovering from them.
In order to monitor the activities of hackers, the methodology adopted is to deceive, by giving them some emulated set of services on a system which appears to be legitimate. The hackers’ activities are then logged and monitored to gain insight into their employed tactics. This idea is adopted in Honeypots, a system whose value lies in being probed, attacked and compromised. 1. 1 What are honeypots Honeypots are an upcoming technology that can be used to detect and analyze network attacks. A honeypot is an apparently vulnerable system deployed to be hacked.
Some tests have shown that honeypots are exposed to lots of known attacks and noise that hide the valuable information about new attacks and vulnerabilities. Nowadays, they are also being extensively used by the research community to study issues in network security. Using honeypots provides a cost-effective solution to increase the security posture of an organization. Through our paper we found that the use of honeypots is an effective educational tool to study issues in network security. Honeypots. don’t catch only the lame hackers.
Sometimes they catch the new tools and are able to reduce their effectiveness by letting security practitioners quickly react before they become widespread. They don’t catch just the attackers outside our firewall but the hackers who work for our own company. They don’t catch just unimportant stuff; sometimes they catch industrial spies. They can be time- and effort-consuming to set up and operate, but they’re, instructive, and a terrific way for a good guy to gain an education on computer forensics in a real-world environment. Honeypots keeps the hackers on their toes and do a lot to shatter their ense of invulnerability. Honeypots come in a variety of shapes and sizes—everything from a simple Windows system emulating a few services to an entire network of productions systems waiting to be hacked. 1. 2 ROLES OF HONEYPOTS Honeypots are unique in that they are not a single tool that solves a specific problem. Instead, they are a highly flexible technology that can fulfill a variety of different roles. It is up to us how we want to use and deploy these technologies. A honeypot is very different from most traditional security mechanisms.
It’s a security resource whose value lies in being probed, attacked, or compromised. The idea of building and deploying a computer meant to be hacked seems to be mysterious. The world of hacking, of taking over a computer, has been an area of interest. As in case of other forms of crime, little has been known about how the attackers operate, what tools they use, how they learn to hack, and what motivates them to attack. Honeypots give us an opportunity to peer into this world. By watching attackers when they break into and control our honeypot, we learn how these individuals operate and why.
Honeypots give us the ability to take the offensive. Traditionally, the attacker has always had the initiative. They control whom they attack, when, and how. All we can do in the security community is defend; build security measures, prevent the bad guy from getting in, and then detect whenever those preventive measures fail. As any good military strategist says,” the secret to a good defense is a good offense. ” But organizations have always been limited on how they can take the battle to the attacker. But Honeypots give us the advantage by giving us control: we allow the bad guys to attack them.
They are an incredible tool that can teach us not only about security technologies but also about the enemy. It’s a great idea of turning the tables on the bad guys and building a system to invite them to attack. 1. 3 ATTACKERS Before we start talking about how honeypots work and the problems they solve, we first examine the problem: THE ATTACKER. By understanding who our threat is and how he operates, we will better understand the value and function of honeypots. The type of attacker we are attempting to identify, detect, or capture will also dictate the type of honeypot we build and how we deploy it. . 3. 1 Types of Attackers In general, there are two types of attackers: 1. The kind who want to compromise as many systems as possible. 2. The kind who want to compromise a specific system or systems of high value. It does not matter if these threats are coming from the outside, such as the Internet, or from the inside, such as a disgruntled employee. Most threats tend to fall into one of these two categories. The first type doesn’t care if the computer belongs to a major organization or the average homeowner. His goal is to hack as many systems as possible with as little effort as possible.
These attackers focus on targets of opportunity—the easy kill. Often they are called SCRIPT KIDDIES. Sometimes these attackers have certain requirements, such as hacking systems with a fast connection to the Internet or a large hard drive for storing files. They tend to be less sophisticated, but they are far more numerous, representing the vast majority of probes, scans, and attacks we see today. The second type of attacker focuses on a few systems of high value. These individuals are most likely highly experienced and knowledgeable attackers—the advanced BLACKHATS.
Their attack is usually financially or nationally motivated, such as state-sponsored terrorism. They have a specific target they want to compromise, and they focus only on that one. Though less common and fewer in number, these attackers are far more dangerous due to their advanced skill level. Not only can they penetrate highly secured systems, their actions are difficult to detect and trace. Advanced blackhats make little noise when attacking systems, and they excel at covering their tracks. Even if we have been successfully attacked by such a skilled blackhat, we may never even be aware of it. . 4 MOTIVES OF ATTACKERS 1. Credit Cards Hacked computers have become a form of currency. Blackhats will trade their hacked accounts for stolen credit cards. The more computers one hacks into, the more money-making potential. 2. Political Motives Attacks can be politically motivated. One such example was GFORCE following the terrorist attacks of September 11, 2001. This Pakistani-based hacker group targeted the United States and Great Britain by hacking intoGovernment computers and posting messages threatening to hit major U.
S Military and major British Web sites and very high confidential U. S. data that will be given to the right authorities of Al-Qaeda. 3. Corporate Espionage Organizations may attempt to breach the security of their competitors to gain a competitive advantage. This is a common motive of the more advanced blackhats because it involves financial gain. 1. 5 Methods of Attackers Each group of attackers, has their own method: The first type focuses on targets of opportunity, and the second focuses on targets of choice. Both threats are extremely dangerous.
Highly skilled blackhats focus on high-value targets. Because of their high skill level, they often are successful in compromising their targets. Whereas, the first type of individuals lack in skill or finesse, and are more in numbers. 1. 5. 1 Targets of Opportunity Much of the blackhat community is lazy. Their goal is to hack into as many computers as possible, with the least effort on their part. Their motives may vary, but the goal is the same: to own as many systems as possible. As we mentioned earlier, these tend to be the less sophisticated attackers, often called script kiddies.
Their method is simple: focus on a single vulnerability, then scan as many systems as possible for that vulnerability. Persistence, not advanced technical skills, is how these attackers successfully break into a system. With almost no technical skills or knowledge, anyone can simply download tools from the Internet that do all the work for them. Sometimes these tools combine all of the activity just described into a fully automated weapon that only needs to be pointed at certain systems, or even entire networks, and then launched with the click of a button.
An attacker simply downloads these tools, follows the instructions, launches the attacks, and happily hacks her way into hundreds or even thousands of systems. These tools are rapidly spreading across the Internet, giving access to thousands of attackers. What used to be a highly complex development process is now extremely simple. 1. 5. 2 Targets of Choice While script kiddies and automated attacks represent the largest percentage of attackers, the smaller, more dangerous percentage of attackers are the skilled ones that don’t want anyone to know about their existence.
These advanced blackhats do not release their tools. They only attack and compromise systems of high value, systems of choice. When these attackers are successful, they do not tell the world about it. Instead, they silently infiltrate organizations, collecting information, users accounts, and access to critical resources. Targets of Choice While script kiddies and automated attacks represent the largest percentage of attackers, the smaller, more dangerous percentage of attackers are the skilled ones that don’t want anyone to know about their existence.
These advanced blackhats do not release their tools. They only attack and compromise systems of high value, systems of choice. When these attackers are successful, they do not tell the world about it. Instead, they silently infiltrate organizations, collecting information, users accounts, and access to critical resources. Often organizations have no idea that they have been compromised. Advanced attackers can spend months, even years, no idea that they have been compromised. Advanced attackers can spend months,even years,within a compromised organization without anyone finding out.
These attackers are interested in a variety of targets. It could be an online banking system, where the attacker isafter the database containing millions of credit cards. It could be a case of corporate espionage, where the attacker is attempting to infiltrate a car manufacturer and obtain research designs of future cars. Or it can be as sinister as a foreign government attempting to access highly confidential government secrets, potentially compromising the security of a country. These individuals are highly trained and experienced and they are far more difficult to detect than script kiddies.
Even after they have successfully penetrated an organization, they will take advanced steps to ensure that their presence or activity cannot be detected. Very little is known about these attackers. Unlike unskilled attackers, advanced blackhats do not share the same tools or techniques. Each one tends to develop his own skills, methods, and tool sets specialized for specific activities. As such, when the tools and methods of one advanced attacker are discovered, the information gained may not apply to other advanced blackhats.
