Data Capture - Page 6 - Results from #5 |


Feature Articles

Need an in-depth introduction to a new security topic? Our features articles will bring up up-to-date on everything from buffer overflows to SE Linux policy development.

Discover LinuxSecurity Features

Know The Enemy: Upgrade Your Threat Detection Strategy with Honeynets - Data Capture

Article Index

Know The Enemy: Upgrade Your Threat Detection Strategy with Honeynets - Data Capture

Data Capture 

Data Capture encompasses the capturing of all malicious activities that occur within a honeynet. It is these activities that are then analyzed to learn about the blackhat community. The challenge is to capture as much data as possible, without blackhats figuring out what is going on. This is done with as few modifications as possible, if any, to a honeypot. Also, data captured must be stored remotely - it cannot be stored locally on the honeypot. Information stored locally could potentially be detected by the blackhat, alerting them that the system is a Honeynet. Data stored locally is at risk of being lost or destroyed. 

Successful Data Capture is done in layers - no single layer will capture adequate information. Rather - data must be gathered from a variety of resources. Only a multi-layered approach reveals “the big picture”.

The first layer of logging activity is the firewall. The firewall logs all connections initiated to and from the Honeynet. This information is critical, as all connections are suspicious. Firewalls should be designed not only to log all connections, but to also alert the administrator  whenever a connection is attempted. This is extremely useful for tracking scanning patterns. Additionally, a firewall can detect backdoors or proprietary ports. Most exploits create a shell or backdoor on a system. These backdoors are easy to detect when the firewall alerts of a connection on a system on a random high port. The firewall should also send an alert when a honeypot on the Honeynet initiates an outbound connection. The firewall once again logs this activity - indicating that a system was compromised. 

Another critical layer is the IDS system, which has two purposes. The first, and by far most important, is to capture all network activity. The primary job of the IDS  is to capture and record every packet that hits the wire. The IDS system resides on a 'port monitoring' port, so it can record all network activity. These records are then used to analyze blackhats’ activities. The second function of the IDS system is to alert an administrator of any suspicious activity within the honeynet. Most IDS systems have a database of signatures. When a packet on the network matches a signature, an alert is generated. This function is not as critical for a Honeynet, as any activity is considered suspicious by nature. However, IDS systems can provide detailed information about a specific connection. 

Comments (0)

There are no comments posted here yet

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.