"Network Security" Honeypot to Honeynet Getting Started Guide (2) Origin, Function and Classification of Honeypot


Preface

Hello everyone, the "Network Security" Honeypot to Honeynet Getting Started Guide enters its second chapter.

In the first article we started from network security in general and worked from the shallow to the deep, ending with the concept of the honeypot.
From this article onward, the follow-up content will revolve mainly around honeypots (honeypot) and honeynets (honeynet).

The development of any technology is a long process! After enough sifting over time, what remains is the content that satisfies us.

Previous articles in this series
  1. "Network Security" Honeypot to Honeynet Getting Started Guide (1) First Understanding of Honeypot
  2. "Network Security" Honeypot to Honeynet Getting Started Guide (3) Analysis of the internal composition of the honeypot

Contents of this article

  • 1. The origin of honeypots
  • 2. The role of honeypots
  • 3. The classification of honeypots

1. The origin of honeypots

The concept of the honeypot did not appear out of thin air. It first appeared in a book: "The Cuckoo's Egg".
Its author, Cliff Stoll, was originally an astronomer who, after being reassigned, ended up as a system administrator at his laboratory. Based on his own experience, the book tells how, after becoming a system administrator, he tracked down and unmasked an intruder who turned out to be a spy selling what he stole to a foreign intelligence service.

Cliff Stoll is a genuine computer security expert. As early as 1988 he argued, in effect, that "a honeypot is an effective means of understanding hackers".

tip: For friends who want to read this book, I have the English version and the Chinese translation as PDFs; send me a private message on the public account and I will send them to you. WeChat public account name: Programmer's Day.

After the honeypot concept was put forward, it did not receive attention immediately.
That changed when Bill Cheswick published the paper "An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied" (presented at USENIX in 1992, describing an intrusion he observed at AT&T Bell Labs in January 1991).

In this paper the author discusses honeypots from a more technical perspective.
He built a real honeypot (a restricted "jail" environment the intruder was allowed to explore) and discussed how security staff should study hackers while they are attacking and damaging large systems, so as to learn how attackers actually behave.

The paper is quite exciting, but the catch is that it still does not precisely define what a honeypot is, nor does it discuss the value of honeypots for the security field as a whole.

After Bill Cheswick's paper was published, honeypot technology gradually began to attract the attention of the security community. Since then, security researchers have designed and built many different types of honeypot products, and they are now widely used in different settings.

The development process of honeypot technology can be roughly divided into three stages. Let's take a brief look.

1.1 The first stage of honeypot development

From the introduction of the honeypot concept in the early 1990s until 1998, honeypot technology was in its first stage.
At this time the honeypot was little more than an idea. Usually only experienced network administrators used one, tracking attacks by deceiving the hacker.

The honeypots of this stage were often real hosts and systems that were genuinely compromised.

1.2 The second stage of honeypot development

From 1998 onward, honeypot technology attracted the attention of a group of security researchers.
Industry researchers developed a number of tools designed to deceive hackers, such as the Deception Toolkit (DTK) developed by Fred Cohen and Honeyd developed by Niels Provos, along with other open-source products. At the same time, commercial honeypot products such as KFSensor and Specter also appeared.

The honeypots of this stage use honeypot tools to simulate a virtual operating system or network service. We can call them virtual honeypots.

Virtual honeypots can respond to hackers' attacks, thereby deceiving hackers.

In addition, the emergence of virtual honeypot tools makes honeypot deployment easier.

tip: Virtual honeypots have been in use for a long time and their fingerprints have become easy for hackers to recognise. If you deploy the tools above as-is, be cautious.

1.3 The third stage of honeypot development

Because the virtual honeypots of the second stage offer only a low degree of interaction, they are easily identified by hackers. So since about 2000, security researchers have preferred to build honeypots from real hosts, operating systems and applications.

Unlike before, third-stage honeypots incorporate powerful data capture, data analysis and data control components, and integrate the honeypot into a complete honeypot network system, making it easier for researchers to track attacks and analyse attacker behaviour.

At this stage it is no longer a single honeypot deployment: honeypots are combined with log auditing, a management system, an alerting system and a web front end into one unified network, which we call a honeynet (honeynet).

tip: A honeypot is a honeypot, and a honeynet is a honeynet. The honeypot is the core module of the honeynet.

The emergence of honeynets lets us deploy and manage honeypots centrally, including in the cloud. In addition, through a user-friendly web page, data such as attack logs, attack counts and attack sources are clear at a glance.
The honeynet effectively lowers the threshold for users: even if you are not a professional network administrator, you can quickly discover attacks through it.

Honeynet technology is a newer technology that grew out of honeypot technology, and within it the honeypot is the core! So we will continue to study and discuss honeypots in the articles that follow, and cover honeynet technology separately once the honeypot content is done. Welcome to keep following.

2. The role of honeypots

In the previous article we said: a honeypot is a kind of security resource whose value lies in being scanned, attacked and compromised.
Considering how honeypots developed, we can conclude that the main functions of a honeypot are: deceive hackers, induce attacks, capture attacks.

In addition, honeypots also protect the real business systems and delay attacks to a certain extent.

Imagine two databases deployed on a server, one the real business database and the other a honeypot database. If the attacker cannot tell them apart, the probability that they hit the real database first drops to one-half, and the honeypot raises an alert the moment they choose wrongly.
With today's honeynet technology, honeypots are mostly deployed through traffic-diversion nodes (lightweight forwarders that redirect connections arriving on decoy ports or addresses to a central honeypot), which is very convenient. Deploying 100 honeypot nodes on one server is not impossible... an exaggeration, but only slightly.

Hacker: "What a good harvest today. There are 100 assets exposed on this server. Which one should I attack first...?"

Finally, because no legitimate user has any reason to touch a honeypot, every interaction with it is suspicious by definition. Behavioural analysis of what attackers do inside the honeypot can therefore reveal unknown (0day) attacks that signature-based detection would miss.

tip: Nobody knows the damage a 0day vulnerability can do until it has been used in an attack!

3. The classification of honeypots

From different perspectives, honeypots can be classified in different ways.
However, most classifications are not strict and have little practical significance for us. Below are several common classification methods; just get a feel for them.

3.1 According to purpose

According to purpose, honeypots can be divided into production honeypots and research honeypots.

  • Production honeypot

Used to capture attacks in, and protect, the production environment; mainly used by companies. Production honeypots are placed in the production network alongside the other production servers to improve its overall security posture. Production honeypots are usually low- or medium-interaction honeypots, which are easy to deploy.

  • Research honeypot

Mainly used for research activities such as how to attract attacks, collect information and detect new types of attack, as well as to understand the background, goals and activity patterns of hackers and hacker groups. Research honeypots are therefore very valuable for writing new intrusion detection rules and discovering system vulnerabilities.

3.2 According to the degree of interaction

The key to successful deception and disguise is how authentic the honeypot appears. The higher the degree of interaction, the more real the honeypot looks and the greater its effect.

According to different levels of interaction, honeypots can be divided into low-interaction honeypots, medium-interaction honeypots, and high-interaction honeypots.

  • Low interaction honeypot

Generally, by simulating the main features of a service, the hacker is confined to a specified range and only a small amount of interaction is allowed. For example, the honeypot listens on specific ports and records all incoming and outgoing traffic, which can be used to detect unauthorised scans and connection attempts.

Many such tools also emulate the behaviour of the TCP/IP stack (for example the responses an OS fingerprinting scan would expect), so that the attacker believes they are connecting to a real system rather than a honeypot environment.

A low-interaction honeypot may not be convincing enough and can be spotted easily by attackers, and it is not sufficient to capture complex threats such as 0day attacks. However, low-interaction honeypots are easy to deploy, cheap to maintain and relatively safe: they do not give the attacker access to any real system service.

  • Medium-interaction honeypot

A medium-interaction honeypot provides richer interaction, but still does not provide a real operating system or service. Through this higher degree of interaction, more sophisticated attack methods can be recorded and analysed. A medium-interaction honeypot simulates various behaviours of a real operating system or service; in this simulated environment the operator can configure many details, so that the honeypot looks hardly different from a real operating system.

Considering development cost, maintenance cost and safety together, the medium-interaction honeypot is the one most commonly used in real projects.

  • High interaction honeypot

A high-interaction honeypot is not a simple simulation; it usually provides a real operating system or service. High-interaction honeypots greatly reduce the probability of the honeypot being detected and greatly increase its attractiveness to attackers. But at the same time the danger increases too. One of the attacker's goals after entering a system is to obtain root privileges, and a high-interaction honeypot provides exactly such an environment.

High-interaction honeypots bring great benefits and high risk. Network isolation and outbound data control are mandatory, to prevent the honeypot from becoming a springboard for the hacker to attack other hosts on the same network.
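To make the low-interaction description above concrete, and to show the per-source counting that the honeynet front end described in section 1.3 would display, here is an added example. It is not code from the original article, nor from Honeyd, DTK or any product named above. It emulates one service per listener: it sends a banner, keeps only the first bytes the client sends, logs the connection, and hangs up. The banner strings are assumed values chosen for the example, and summarize() flags a source that touches three or more decoy ports, a threshold that is also an assumption.

```python
"""Added example: a minimal low-interaction TCP honeypot plus the
per-source summary a honeynet console would show. Not code from the
original article or from Honeyd/DTK; banners are assumed values."""
import socket
import socketserver
import threading
import time
from collections import Counter, defaultdict

# Assumed banners for the emulated services (hypothetical, chosen for this example).
BANNERS = {
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    21: b"220 FTP server ready\r\n",
}

EVENTS = []            # in-memory event log; a real deployment would append JSON lines to disk
_LOCK = threading.Lock()


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Send the banner, keep the first bytes the client sends, log, and hang up."""

    def handle(self):
        data = b""
        try:
            self.request.sendall(self.server.banner)
            self.request.settimeout(2.0)       # port scanners often never send anything
            data = self.request.recv(1024)
        except OSError:
            pass                               # timeout or reset: the hit is still logged
        event = {
            "ts": time.time(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "dst_port": self.server.server_address[1],
            "service": self.server.service,
            "first_bytes": data[:64].hex(),    # attacker input is stored, never parsed or executed
        }
        with _LOCK:
            EVENTS.append(event)


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, service, banner):
        super().__init__(address, HoneypotHandler)
        self.service = service
        self.banner = banner


def start_honeypot(host="127.0.0.1", port=0, service="ssh", banner=BANNERS[22]):
    """Start one emulated service in a background thread; port=0 picks a free port."""
    server = HoneypotServer((host, port), service, banner)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, payload=b""):
    """Attacker-side helper for self-testing: connect, read the banner, send a payload."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        if payload:
            s.sendall(payload)
    return banner


def wait_for_events(count, timeout=3.0):
    """Block until at least `count` events are logged (or timeout); return a copy of the log."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with _LOCK:
            if len(EVENTS) >= count:
                return list(EVENTS)
        time.sleep(0.05)
    with _LOCK:
        return list(EVENTS)


def summarize(events, scan_threshold=3):
    """Hits per source, plus sources that touched >= scan_threshold distinct decoy ports.
    Every hit is suspicious by definition: nothing legitimate should talk to a honeypot."""
    hits = Counter(e["src_ip"] for e in events)
    ports = defaultdict(set)
    for e in events:
        ports[e["src_ip"]].add(e["dst_port"])
    scanners = sorted(ip for ip, p in ports.items() if len(p) >= scan_threshold)
    return {"total": len(events), "by_source": dict(hits), "scanners": scanners}


if __name__ == "__main__":
    srv = start_honeypot()
    port = srv.server_address[1]
    print("banner:", probe("127.0.0.1", port, b"SSH-2.0-attacker\r\n"))
    print(summarize(wait_for_events(1)))
    srv.shutdown()
```

Two things to notice. A real SSH client would expect a key exchange after the banner, so this decoy is identified within one round trip, which is exactly the weakness of low-interaction honeypots the text describes; raising the interaction level means emulating more of the protocol, at more cost and more risk. And because the handler stores attacker input as hex and never interprets it, a malformed payload cannot do anything to the host, which is the "relatively safe" property that makes such decoys acceptable inside a production network.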

3.3 According to implementation

According to implementation method, honeypots can be divided into real service honeypots and simulated service honeypots.

  • Real service honeypot

Similar to a high-interaction honeypot, it is usually a real physical host or virtual machine: an independent real system with its own IP address. A honeypot built on such a real service is called a real service honeypot.

  • Simulated service honeypot

Low- and medium-interaction honeypots are implemented in code and simulate only part of a real service's functionality. We call them simulated service honeypots.

A question from the soul: what type is a real service that has been modified during secondary development to remove part of its functionality? Don't pay too much attention to honeypot classification...

3.4 According to whether it is paid

According to whether a fee is charged, honeypots can be divided into open-source honeypots and commercial honeypots.

  • Open-source honeypot

A honeypot developed by kind and talented industry experts, shared freely as open source for everyone to use and learn from, is called an open-source honeypot.
Open-source honeypots usually lack complete software life-cycle management: the functions work, but the development cycle is relatively slow and cannot compare with commercial honeypot products.

  • Commercial honeypot

A fee-based honeypot developed by a professional team and operated by a company whose main purpose is to make money is called a commercial honeypot.

Because commercial honeypots keep their internals confidential while the code and fingerprints of open-source honeypots are public, open-source honeypots are easier to identify. With a large budget use commercial honeypots; with a small budget use open-source ones... no problem.

Digression

After the first part of the "Network Security" Honeypot to Honeynet Getting Started Guide was published, almost nobody paid attention. That cost me the motivation to update: who would be willing to write articles that nobody cares about?

Until a reader asked me in a private message how far the series would go. I realised I was wrong and regained my creative motivation. As long as there is one reader, I will continue!

END.

An ordinary programmer, forging ahead on the road of struggle. I like to write about things outside of work, covering programming, life, current events and more. Interested WeChat friends can search for [Programmer's Day]; your attention and support are welcome, thank you!


Source: blog.csdn.net/pythontide/article/details/109050530