introduction 1. introduction goal of this presentation: to give a better understanding of the...


Upload: magdalene-norman

Post on 16-Jan-2016


1. Introduction

Goal of this Presentation:

To give a better understanding of the overview of our project, such as:

- Research
- Project Plans
- Customer Expectations
- Business Case
- Cost Budget
- Unsolved Issues, etc.


2.0 Project Assumptions and Objectives

Project Explanation
- Track attacks and log their paths
- Create a complete package

Background
- 1990, first concepts of Honeypot by Clifford Stoll
- 1997, first toolkit released: Fred Cohen's Deception Toolkit
- Other releases: CyberCop, Back Officer Friendly and Honeynet Project
- "Know Your Enemy", publications


Scope
- Raytheon allows a great deal of freedom
- Add, modify and combine individual components
  - Wireless Linksys router
  - Honeypot software
  - Logging station
- Create automatic script for setup


Major Objectives
- Modify wireless Linksys router
  - Add authentication capability to router
- Modify honeypot open source
  - Add unique element to open source
- Add logging station
  - Separate logging from the honeypot to eliminate the chance of logging being compromised
- Hack our system
  - Try to hack our system and then fix and upgrade features throughout the process


Expectations
- Unique modification to honeypot open source code
- Slow down attacks in real-time to limit their bandwidth
- Provide a quick and easy setup

Annual Quantity
- Raytheon may possibly continue this project in house and sell it as a package to customers


3.0 Customer Expectations

Wants and Needs of the customer:
- The wants and needs of the customer are exactly the results of the effort that our team puts in.
  - Not usually the norm, but it's Raytheon's only expectation that we create a working honeypot that shows off our team's imagination and innovation.

Relative importance:
- Strong research and development into creating a unique honeypot (priority 1)
- Creating a bundled software and hardware product that reflects our R & D. (priority 2)


Product Specifications
- Technical
  - Creating a functioning honeypot that can be used on an infrastructure network and can effectively log and divert intruders from the production network.
- Performance
  - Emulation of all the traffic directed through the router as though it was traveling through the actual production network.
- Quality
  - An effective logging system to monitor which parts of the production network are being attacked.
- Overall Goal
  - Provide a product that slows down an attacker by creating a simulated network environment, applicable in real world scenarios, which can log an attacker's intentions and paths, with the potential for collecting materials able to be admissible in a court of law.


Measurable Engineering Characteristics based on customer expectations
- Accuracy of logging software
- Speed of packet-sniffing algorithm
- Size of logged information storage
- Speed & Accuracy of IDS (Intrusion Detection System)
- Reliability of logged information (Spoofing detection)


Relationship of product specifications to customer's wants and needs:
- Difficult to define since the customer in this case is allowing the product specifications to be their "wants and needs".

Specifics:
- Technical aspect of our product specification is the creation of a functioning honeypot. (high priority)
- The performance of our system should be similar to existing honeypot and honeynet systems, but different in that ours adds some innovative and unique designs (which our ad-hoc application should provide). (medium priority)
- The product being created, although not explicitly manufactured for future retail value, should be a finished product complete with bundled hardware and software. While this is not a "need" of the customer, it could potentially be a "want". (low priority)


4.0 Analysis of Competitive Products

To our knowledge, there are no products that are similar enough to ours to be considered competitors. Our system is in its own class because of the features that will be implemented with it.


However, we have looked at other products that have some of our product's functionalities, such as:

- Symantec Mantrap
  - monitor intrusions instantly
  - look and act exactly like full-function servers
- Snort
  - traffic analysis and packet logging on IP networks


5.0 Concept Selection and Description

- Slow down an attack
  - the honeypot will act as a diversion to provide time to take the appropriate measures and keep harmful traffic away from the production network
- Simulate a real network environment
  - create the illusion of a real network so outsiders are none the wiser
- Log incoming and outgoing data
  - determine vulnerabilities in our own network and prevent future attacks
- Do not interfere with production network
  - keep honeypot separate to avoid complications with production network in case the honeypot is compromised


Setup Of A Honeypot:


6.0 Project Plan, Resources, Schedules

Major Check Points and Deliverables
- Setup Network (10/4 - 10/11)
- Comprehensive Plan (10/22 - 11/2)
- Prototypes Plan (10/12 - 10/27)
- Modify Linksys BIOS (10/22 - 11/30)
- Configure dedicated machines for specific use (11/15 - 12/09)
- Project Plan Review (01/3 - 01/10)
- Prototype Results (01/3 - 01/10)


Major Check Points and Deliverables (cont.)
- Simulate Real World Attacks (01/5 - 02/16)
- Code integration and test/build (02/07 - 02/14)
- Modification to system (02/07 - 02/14)
- Final Packaging and Documentation (02/23 - 03/29)


Responsibilities for each member
- We are at the point that we feel it's better to work as a team
- More specific tasks will be assigned later in the project to pairs of members as needed.


7.0 Business Case

With industrial espionage, and particularly computer-based industrial espionage, on the rise, companies are all going many steps further to protect their information. The most commonly seen threat to a company's computer network is something as simple as a virus or worm. While these scripts do cause slowdowns in production and monetary loss, another threat that is not as often thought about is theft of intellectual property. The wireless honeypot appliance is part of a solution to curb the efforts of outsiders wanting to gain access to our corporate network, be it for malicious or theft reasons.


Assumptions:
- Internal use only - Not for sale
- Still has (positive) financial impact by preventing unauthorized information from being "stolen" from Raytheon.


Estimated Product Cost:
- $20,000.00 in R&D
- Approximately $100.00 to replicate
- All software either developed in-house or under the GPL license


Support Costs:
- Low support costs
- "Setup and Go"
- Costs may increase if threat is found as a matter of protection


Return on Investment

As stated before, no actual dollar amount can be assigned to the value of this project; however, the liability that Raytheon employees assume will be greatly decreased.


8. Issues

- list of areas in the design that are not too well understood
- parts, components, subsystem sourcing for prototypes
- prototype testing


List of areas in the design that are not too well understood

- Flashing the BIOS of the Linksys router.
- General knowledge of hacking to simulate an attack on the honeypot
- Adding to the kernel of a Linux operating system
- Using IDS and logging tools to record information from attacks
- An understanding of networking in general (packets, ports, protocols, etc.)
- Legal issues regarding honeypots


Parts, Components, Subsystem sourcing for prototypes

- Linksys Wireless Router with Speedbooster WRT54GS (Speedbooster model provides double flash memory)
- 3 Computers
  1. Running Honeypot "Usermode Linux, Honeyd"
  2. Running Snort "Logs Activity from Router"
  3. Running System logger "Logs activity in honeypot"
- A wireless network to implement our honeypot system
- Other computers to simulate attacks on the honeypot


Prototype testing

Evolutionary Prototyping
- Build a bicycle first, then build a car
- Start with barebone honeypot system
- Test
- Implement additions one by one from a list of prioritized features
- Repeat until features or time run out