Discover LinuxSecurity Features
Know The Enemy: Upgrade Your Threat Detection Strategy with Honeynets - Data Capture
Data Capture encompasses the capturing of all malicious activities that occur within a honeynet. It is these activities that are then analyzed to learn about the blackhat community. The challenge is to capture as much data as possible, without blackhats figuring out what is going on. This is done with as few modifications as possible, if any, to a honeypot. Also, data captured must be stored remotely - it cannot be stored locally on the honeypot. Information stored locally could potentially be detected by the blackhat, alerting them that the system is a Honeynet. Data stored locally is at risk of being lost or destroyed.
Successful Data Capture is done in layers - no single layer will capture adequate information. Rather - data must be gathered from a variety of resources. Only a multi-layered approach reveals “the big picture”.
The first layer of logging activity is the firewall. The firewall logs all connections initiated to and from the Honeynet. This information is critical, as all connections are suspicious. Firewalls should be designed not only to log all connections, but to also alert the administrator whenever a connection is attempted. This is extremely useful for tracking scanning patterns. Additionally, a firewall can detect backdoors or proprietary ports. Most exploits create a shell or backdoor on a system. These backdoors are easy to detect when the firewall alerts of a connection on a system on a random high port. The firewall should also send an alert when a honeypot on the Honeynet initiates an outbound connection. The firewall once again logs this activity - indicating that a system was compromised.
Another critical layer is the IDS system, which has two purposes. The first, and by far most important, is to capture all network activity. The primary job of the IDS is to capture and record every packet that hits the wire. The IDS system resides on a 'port monitoring' port, so it can record all network activity. These records are then used to analyze blackhats’ activities. The second function of the IDS system is to alert an administrator of any suspicious activity within the honeynet. Most IDS systems have a database of signatures. When a packet on the network matches a signature, an alert is generated. This function is not as critical for a Honeynet, as any activity is considered suspicious by nature. However, IDS systems can provide detailed information about a specific connection.