Using a Honeypot to Determine if Dictionary, Brute force and Hybrid Attacks are Still Threats to IT Security Today
The purpose of the proposed study is to use a honeypot, as described further below, to determine whether dictionary, brute force and hybrid attacks are still in use today or have fallen out of use. The proposed study is important for a number of reasons. According to Wible (2003), "While the Internet has revolutionized communication and commerce, it has also created the conditions for a type of crime that can be committed anonymously, from anywhere in the world, and with consequences that are unprecedented in scope" (p. 1577). While many of the attacks on legitimate computer systems are not malicious in nature, the literature will show that computer crimes are on the increase and that the techniques used by computer criminals are likewise becoming increasingly sophisticated. In this regard, Wible emphasizes that, "Many of the policies used to deter computer crime have proved ineffective. Despite criminal penalties and regulation through code itself, hackers continue to intrude into private networks with impunity. At the same time, the social response to computer crime remains embryonic" (p. 1577).
Based on the inability of traditional law enforcement methods to resolve such criminal activities, computer crime therefore demands a new approach to deterrence. For instance, in their recent essay, "The Law and Economics of Software Security," Hahn and Layne-Farrar (2006) report, "As the costs of software security breaches become more apparent, there has been a greater interest in developing and implementing solutions for different aspects of the problem. For example, the information technology community is prodigiously developing new fixes, ranging from gate-keeper protections to procedures for constructing more secure software" (p. 283). Among these approaches are so-called "traps and deceptive measures" that are designed to monitor and collect valuable information concerning how unscrupulous and potentially criminal elements are invading legitimate computer systems. These techniques have been shown to be highly effective in collecting relevant data concerning the methods typically used by hackers to accomplish these attacks, thereby providing systems analysts with the information they need to develop appropriate countermeasures in a timely fashion. These issues are discussed further below.
In this regard, Wible reports that, "Computer crime comes in many varieties, including online theft and fraud, vandalism, and politically motivated activities. Other hackers simply try to break code, seeking challenge, competition, and bragging rights. Whatever the motivation, intrusions have serious costs" (p. 1577). At a minimum, such attacks on proprietary and legitimate computer systems will require a patch for the security hole, and the costs spiral upwards from there. As Wible points out, "Even a nonmalicious trespass disrupts the victim's online services while the breach is fixed. Not knowing whether or not a breach was malicious, companies generally expend resources investigating the matter, often hiring private investigators so that they do not suffer reputational loss. If other hackers become aware of the site's vulnerability, a nonmalicious hack may be the precursor to more malicious attacks" (emphasis added) (p. 1578).
One of the most common computer crimes is the distributed denial of service attack. According to Brenner, "A distributed denial of service attack overloads computer servers and make[s] a computer resource [such as a website] unavailable to its intended users. Distributed denial of service attacks are increasingly used for extortion" (p. 380). Moreover, the mere potential of such threats may cause some Web site managers to reevaluate what content they publish, and some may elect to refrain from placing valuable information online at all, to the detriment of their business and their Web site users (Wible).
Such responses are likely to become even more common given that it is difficult or even impossible to distinguish the source of such computer system attacks. As Brenner (2007) emphasizes, "The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult. Given the opportunities cyberspace creates for the remote commission of attacks and attacker anonymity, it is more common than not for cybercriminals to go unidentified and unapprehended" (p. 379). In this environment, identifying improved countermeasure approaches to provide better computer system security has assumed new importance and relevance for many companies and individuals alike.
Countermeasures are developed to detect or prevent attacks, and most of them are based on known facts and known attack patterns. As in the military, it is important to know who the enemy is, what strategy and tools he uses, and what he is aiming for; by knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. To do that, an initiative is needed that can provide information and insights concerning hackers' activities.
One of these methods is traps and deceptive measures. Traps and deceptive measures are measures that appear to be real systems, services, environments, and so forth, but they are not. In this regard, a honeypot is a good example of traps and deceptive measures that can be used to gather information concerning hackers' methods and timing, and these issues are the focus of the study envisioned herein. According to Doring and Erbs (2007), "Several Honeypot solutions have been developed since Clifford Stoll described the first use of a computer to trace an intruder. But there is no common framework of deploying Honeypots and especially no common analysis method exists. This causes Honeypot-unfamiliar operators to spend a great amount of time with learning concepts of Honeypots and even more time with interpreting results" (p. 1). Properly implemented and administered, though, honeypots are capable of improving the analysis time and value of countermeasure results, as well as providing benchmarks needed for comparing results of various security initiatives (Doring & Erbs).
Basically, a honeypot is simply a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network but which is actually isolated, unprotected, and monitored, and which seems to contain information or a resource that would be of value to attackers. According to Andress (2003), "Honeypots are an attacker's dream, or at least attackers think they are. A honeypot is a server designed to lure attackers into a secure, controlled environment. You can observe the trapped attacks as they cavort around in the server, log their conversations with one another, and study them as you'd watch insects under a magnifying glass" (p. 475).
There are two types of honeypot-systems that can be used as countermeasures, as follows:
Hardware-based honeypots. Andress describes these as computer systems that have been configured with well-known holes; however, these are disabled in some fashion in order to prevent them from being exploited and used to launch further attacks into the network. As this author advises, "Most honeypots reside on the corporate demilitarized zone (DMZ); they look like normal systems and lure attackers who may otherwise focus on your Web servers. Honeypots are easy to build, but they are difficult to build securely. One wrong move and your honeypot provides easy entry into your entire network" (Andress, p. 475).
Software honeypots. This version of the honeypot countermeasure approach consists of a virtual system that acts like another server (e.g., Linux or Windows). To capture the data needed for timely analysis and avoid additional intrusive measures on the part of the hacker, Andress recommends that software honeypots should be designed to contain all activity to the honeypot only: "Because attackers are working in a purely virtual environment, there is no chance that the attacker can break out of the secure area and move about your network. Even if attackers figure out they are working in a honeypot, the program should be designed where they cannot break out of it" (Andress, p. 476).
Generally speaking, computer hackers tend to use a standard approach to their activities. The majority of computer system attacks, for example, are initiated through the use of automated scripts and they are therefore characterized by the same techniques and individual signature of the hacker (Andress). According to this author, "The script compromises a system, installs a rootkit, downloads some software, such as an Internet Relay Chat (IRC) server, and starts launching attacks on other systems. The rootkit is a suite of tools that give attackers full access to the system" (Andress, p. 476). Therefore, hardware honeypots should be configured on stand-alone, isolated systems; they should not be performing any other function on the network. In an ideal approach, a honeypot should be configured to prevent communication with other systems on a corporate network. As Andress points out, "This arrangement adds just one more layer of protection in case your honeypot system is completely compromised" (p. 476). Just as there are layers of protection involved in computer systems, there are layers of involvement with the various types of honeypot solutions developed in recent years (Spitzner, 2001). An overview of several honeypots and their respective applications, their level of involvement, and demonstrated value to date are provided in Table 1 below.
Table 1. Types of honeypots by level of involvement (honeypot name/type, followed by its description).
BackOfficer Friendly
BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum et al. at NFR. It is an excellent example of a low involvement honeypot. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as http, ftp, telnet, mail, or Back Orifice. Whenever someone attempts to connect to one of these ports, BOF is listening and will then log the attempt. BOF also has the option of "faking replies," which gives the attacker something to connect to.
Specter
Specter is a commercial product and what I would call another 'low involvement' production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, not only can it emulate services, but emulate a variety of operating systems. Similar to BOF, it is easy to implement and is low risk. Specter works by installing on a Windows system. The risk is reduced, as there is no real operating system for the attacker to interact with. For example, Specter can emulate a Web server or telnet server of the operating system of your choice. When an attacker connects, he or she is then prompted with an http header or log-in banner. The attacker can then attempt to gather Web pages or log in to the system. This activity is captured and recorded by Specter; however, there is little else the attacker can do. There is no real application for the attacker to interact with, instead just some limited, emulated functionality. Specter's value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also supports a variety of alerting and logging mechanisms.
Homemade Honeypots
These honeypots tend to be low involvement, as their purpose is usually to capture specific activity, such as Worms or scanning activity. These can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with; however, the risk is reduced because the attacker can inflict less damage. One common example of a homemade honeypot is to create a service that listens on port 80 (http), capturing all traffic to and from the port. This is commonly done to capture Worm attacks. One such implementation would be using netcat, as follows: netcat -l -p 80 > c:\honeypot\worm
In the above command, a Worm could connect to netcat listening on port 80. The attacking Worm would make a successful TCP connection and potentially transfer its payload. This payload would then be saved locally on the honeypot, which can be further analyzed by the administrator, who can assess the threat of the Worm. Organizations such as SANS and SecurityFocus.com have had success using homemade honeypots to capture and analyze Worms and automated activity.
Deception Toolkit (DTK)
This is one of the original honeypots and was created by Fred Cohen. Spitzner characterizes the DTK as a low-to-mid involvement honeypot. It can do more than Specter and give us more information, but takes more work to install and has additional risk; however, this is still not a high involvement honeypot, as there is no true OS for the attacker to interact with. DTK is a collection of Perl scripts designed for Unix systems that emulate a variety of known vulnerabilities. The big advantage of DTK is that the toolkit is free and the user has the source. The disadvantage is that these scripts can potentially be exploited to give an attacker access to the system.
Mantrap
Produced by Recourse, Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called "jails." These jails are logically separated operating systems that are separated from a master operating system. Security administrators can modify these jails just as they normally would any operating system, to include installing applications of their choice, such as an Oracle database or Apache Web server. This makes the honeypot far more flexible, as the attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, we can also capture rootkits, application level attacks, IRC chat sessions, and a variety of other threats.
Source: Spitzner at p. 2.
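As an added example (not from Spitzner's paper or from this proposal), tying the homemade-honeypot idea above to the study's purpose: a classifier that takes login attempts captured by an emulated telnet or ftp service (the kind BOF and Specter provide) and labels each source's guessing pattern as dictionary, brute force or hybrid. The log format, wordlist, addresses and thresholds are all constructed assumptions.

```python
# Classify login guesses captured by an emulated telnet/ftp honeypot, per source.
import re
from collections import defaultdict
# Constructed sample log (hypothetical key=value format, not BOF's or Specter's), oldest first.
SAMPLE_LOG = """\
2007-03-01T10:00:01 src=203.0.113.5 svc=telnet user=root pass=password
2007-03-01T10:00:02 src=203.0.113.5 svc=telnet user=root pass=123456
2007-03-01T10:00:03 src=203.0.113.5 svc=telnet user=root pass=letmein
2007-03-01T10:00:04 src=198.51.100.7 svc=ftp user=admin pass=aa
2007-03-01T10:00:05 src=198.51.100.7 svc=ftp user=admin pass=ab
2007-03-01T10:00:06 src=198.51.100.7 svc=ftp user=admin pass=ac
2007-03-01T10:00:07 src=192.0.2.9 svc=telnet user=root pass=password1
2007-03-01T10:00:08 src=192.0.2.9 svc=telnet user=root pass=Password!
2007-03-01T10:00:09 src=192.0.2.9 svc=telnet user=root pass=letmein99
2007-03-01T10:00:10 src=192.0.2.44 svc=telnet user=guest pass=guest
"""
WORDLIST = {"password", "123456", "letmein", "qwerty", "admin", "guest", "root"}  # constructed
LINE_RE = re.compile(r"^\S+ src=(?P<src>\S+) svc=\S+ user=\S+ pass=(?P<pw>\S*)$")

def parse_log(text):
    """Group guessed passwords by source address, preserving log order."""
    by_src = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        by_src[m["src"]].append(m["pw"])
    return by_src

def is_hybrid_mutation(pw):
    """Dictionary word altered by case or by added leading/trailing digits or symbols."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    return core != pw and core in WORDLIST

def successor(s, alphabet):
    """Next same-length string in odometer order over alphabet; None when it would wrap."""
    chars, i = list(s), len(s) - 1
    while i >= 0 and chars[i] == alphabet[-1]:
        chars[i], i = alphabet[0], i - 1
    if i < 0:
        return None
    chars[i] = alphabet[alphabet.index(chars[i]) + 1]
    return "".join(chars)

def enumeration_fraction(pws):
    """Share of consecutive guesses that step exhaustively through a keyspace."""
    if len(pws) < 2:
        return 0.0
    alphabet = sorted(set("".join(pws)))
    steps = sum(1 for a, b in zip(pws, pws[1:]) if successor(a, alphabet) == b)
    return steps / (len(pws) - 1)

def classify(pws, min_attempts=3):
    """Label one source's guess sequence; the thresholds are assumptions."""
    n = len(pws)
    if n < min_attempts:
        return "other"
    if enumeration_fraction(pws) >= 0.8:
        return "brute-force"
    if sum(map(is_hybrid_mutation, pws)) >= n / 2:
        return "hybrid"
    if sum(pw.lower() in WORDLIST for pw in pws) >= n / 2:
        return "dictionary"
    return "other"

def summarize(text):  # source address -> (attack label, number of attempts)
    return {src: (classify(pws), len(pws)) for src, pws in parse_log(text).items()}
```

Running `summarize(SAMPLE_LOG)` labels the three multi-attempt sources as dictionary, brute-force and hybrid respectively, and the single guest login as other.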
One of the constraints to using a virtual honeypot is the complexity of the application required to implement and support it. In this regard, Andress advises that software-emulation honeypots represent a fundamental challenge for many smaller enterprises because they may lack the in-house expertise needed to operate them effectively. In this regard, Andress emphasizes that the above-described Mantrap is especially useful: "Creating a virtual system that can fool an attacker is beyond the skills of most enterprise security administrators. Mantrap, from Recourse Technologies (now part of Symantec), provides all the software necessary to build your own device. It runs on real hardware, looks real to attackers, and is subsequently very attractive to them" (p. 477). On a final note, Andress recommends that companies avoid using honeypots as bait in place of viable protections against attacks on their legitimate corporate services: "As fun as it sounds to watch the attackers, you should consider using honeypots only after you have all the basic security measures implemented. A honeypot does not provide any advantages if hackers are attacking your Web server at the same time. Even if you install honeypots, hackers can still attack a real server instead of this fake one, so relying on the honeypot bait too much might be just asking for trouble" (emphasis added) (Andress, p. 477).
Based on his empirical observations and review of the Honeynet Project (http://project.honeynet.org) over the course of a year, Andress confirmed an increase in attacks as well as the use of honeynets as countermeasures in response. The Honeynet Project employs so-called "honeynets" which are networks comprised of fully operational production systems, to likewise monitor, analyze, and better understand emerging threats on the Internet. Traditionally, honeypots have been used in a single-system approach that was designed to entice attackers from their valuable production systems into these clearly vulnerable targets for their attacks. The logic - and efficacy - of these countermeasures is clear: "Why spend hours on one system when you can basically walk through the front door of the next? Honeynets take a different approach. They are not designed to lure attackers from production systems. Honeynets themselves are production networks designed for research to help security experts better understand the Black Hat community" (Andress, p. 477).
Indeed, learning more about the unseen enemy is a common theme that runs throughout the recent literature concerning computer security and better ways to protect computer systems. In this regard, Krasser, Grizzard, Owen and Levine (2005) report, "An important element of security is understanding the attackers. To learn more about their techniques, tactics, intentions, and motivations, researchers have deployed honeynets. The basic idea is to give attackers vulnerable systems to attack. These systems are monitored closely, and the behavior of the attackers is studied" (p. 3).
One of the more valuable aspects of honeynets is their flexibility and ability to present information in any configuration desired to facilitate analysis and improve the enticement qualities of the Web sites being presented. For instance, Krasser and his associates emphasize that, "Any type of system can be placed within the honeynet. Standard production systems can be used on the honeynet, in order to give the hacker the look and feel of a real system. Moreover, virtual systems can be used to emulate or simulate a number of computer systems inside one physical system, e.g. utilizing software like VMware or honeyd" (p. 3). A typical honeynet configuration is illustrated in Figure 1 below.
Figure 1. Typical honeynet configuration.
Source: Krasser et al. at p. 5.
According to Krasser and his colleagues, "As the most important part, a computer, known as the honeywall, is placed in front of the vulnerable honeypots and is used to limit outgoing attack traffic from the honeypots. The honeywall acts as a gateway to the Internet for the honeypots and has the ability to limit malicious traffic" (pp. 5-6). While these techniques continue to be refined and improved in response to recent and current trends in computer attacks, their applications to date have provided a significant return on the investment of IT resources in terms of learning more about what types of attacks are typically employed and what security measures are needed to foil them.
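As an added illustration of the honeywall's data-control role described above (example code, not the Honeynet Project's honeywall): a per-honeypot limiter that allows a bounded number of new outbound connections per time window and drops the rest, so a compromised honeypot cannot be used freely against third parties. The limit, the window and the event list are assumptions.

```python
# Honeywall-style outbound data control for honeypots (added illustration).
from collections import defaultdict, deque

class EgressLimiter:
    """Allow at most `limit` new outbound connections per honeypot within any
    `window`-second span; later ones are dropped. Inbound traffic is never limited."""

    def __init__(self, limit=3, window=3600):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)  # honeypot -> timestamps of allowed connections
        self.log = []                     # (ts, honeypot, destination, verdict)

    def decide(self, ts, honeypot, dst):
        q = self.recent[honeypot]
        while q and ts - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        verdict = "allow" if len(q) < self.limit else "drop"
        if verdict == "allow":
            q.append(ts)
        self.log.append((ts, honeypot, dst, verdict))
        return verdict

# Constructed outbound-connection events seen at the honeywall:
# (seconds since start, honeypot, destination host:port).
EVENTS = [
    (0, "hp1", "203.0.113.10:80"),
    (5, "hp1", "203.0.113.11:80"),
    (9, "hp1", "203.0.113.12:80"),
    (12, "hp1", "203.0.113.13:80"),     # 4th within the hour: dropped
    (20, "hp1", "203.0.113.14:80"),     # dropped
    (30, "hp2", "198.51.100.5:6667"),   # a second honeypot has its own budget
    (3700, "hp1", "203.0.113.15:80"),   # window has slid past the first three: allowed
]

def run(events, limit=3, window=3600):
    """Apply the policy to events in order; return per-honeypot verdict counts and the log."""
    limiter = EgressLimiter(limit, window)
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for ts, hp, dst in events:
        counts[hp][limiter.decide(ts, hp, dst)] += 1
    return dict(counts), limiter.log
```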
To date, honeypots and honeynets have been shown to be highly effective at gathering the types of information system administrators need to formulate effective security measures (Andress). Based on 11 months of data developed by the Honeynet Project, Andress reports that a default Red Hat 6.2 installation can be compromised within 72 hours of being placed online, and that the research to date indicates the time actually required is generally far less than that (Andress).
The Honeynet Project continues to analyze data to provide improved predictions concerning attack trends and to identify new attack tools. When the Honeynet Project does identify such new attack methods or tools, they notify security alert organizations, such as SANS or the Computer Emergency Response Team (CERT) (Andress). According to this author, "The Honeynet Project started with what they call Generation I Honeynets, which included different systems for data control, capture, and collection. Generation II honeynets, which they are currently developing, will combine these activities into one system, which should make them easier to deploy and maintain. Developers are also working on virtual honeynets" (Andress, p. 477). The Honeynet Project defines virtual systems as those that "combine all elements of a Honeynet into one physical system," which includes the data control, capture, and collection mechanisms as well as the honeypot systems themselves (Andress, p. 477). For this purpose, VMware has become a useful tool for virtual honeynets (Andress). Not surprisingly, then, honeypots and honeynets have become increasingly popular countermeasures in recent years, and organizations are implementing their own versions in response (Andress).