We have expanded our operations and are currently running three honeynets (each with different technologies) and experimenting with a fourth technology. We are still running our wonderful GEN II Honeynet with high-interaction honeypots and nepenthes sensors. We've also started a Global Distributed Honeynet: through relationships with the distributed honeynet guys, William McCammon and Albert Gonzalez, I've started a node on their network. Lastly, we are trying to start a dynamic honeyfarm using a "live" version of the honeymole technology. Our honeyfarm resembles Xuxian Jiang's Collapsar project.
We still haven't figured out how to use sebek correctly, so we use trojaned binaries, which seems to work pretty well. We still use our own custom-made reporting program similar to honeysnap that we call honey reports. We still use the Flow Analysis Database for trend analysis and informational queries.
Our main goal this year was to ease the maintenance of the honeynet (so I can do my thesis work) and to expand our IP visibility through the use of distributed honeynet technologies. Sometime during the winter we had to move our honeynet, and it was down for over a month, our longest outage (by many orders of magnitude) since our honeynet started 5 years ago.
The records for reconstructing the timeline are offline at the time of this report. Please tune in later.
Nothing terribly exciting that we can recall.
We are using our own custom tools for data analysis: HoneyReport, TrojanSSH, Flowtag. Please see Section 4 for more details on our custom tools.
We are continuing our work on visualization techniques to aid in honeynet maintenance, attack response, and data trend analysis. To this work we have added an emphasis on post-attack forensics and are developing tools that extend the functionality of existing forensic toolkits by providing more information about the events that have transpired on a honeypot.
More HoneyClient technologies and data analysis techniques.
Honeymole allows a computer to act as a front that does nothing but forward traffic back and forth between the honeynet and the attacker. This is done by using an encrypted tunnel to encapsulate Ethernet, much like the distributed-honeynets project. Chris Lee, of the Georgia Tech Honeynet, originated the idea of placing honeymole onto a live CD, such that participants would only need to insert the CD during off-usage hours and traffic would be forwarded to the honeynet. Specifically, for each mole, a virtual machine (honeypot) would be allocated at the honeynet honeymole server to actually participate in any inbound connections to the mole (because the mole forwards the traffic over the VPN to the honeypot). This system allows rapid deployment into many IP spaces, highly flexible allocation of vulnerable virtual machines, and centralized data collection and control.
The second project builds upon a previously proposed project, Live Honeymole, to capture attacks happening on and within the Georgia Tech LAWN IP space. The monitors will receive a LAWN IP and will use a special login provided by OIT (so they can track the nodes and they won't expire once I graduate or change my password), and redirect any traffic directed toward their IP to the honeynet using the Honeymole client. Note that they will not be in promiscuous mode and will not see other people's traffic. Since they are forwarding all traffic to the honeynet, the sensors cannot be accessed or remotely compromised. Since the LAWN is already considered outside the departmental IP space, we believe that no special mitigation mechanisms, outside our normal rate limiting, are required to reduce the risk to the network.
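To make the honeymole server's role concrete, here is a small added model (not the Georgia Tech Honeynet's honeymole code, and the server structure, function names and frame checks are our own assumptions). It allocates one honeypot VM per mole tunnel, relays inbound Ethernet frames only to that mole's VM, and drops frames not addressed to the mole itself, mirroring the non-promiscuous sensor described above:

```python
import struct

ETH = struct.Struct("!6s6sH")   # Ethernet header: dst MAC, src MAC, ethertype
BROADCAST = b"\xff" * 6


class HoneymoleServer:
    """Hypothetical honeynet-side honeymole server: one honeypot VM per mole."""

    def __init__(self, vm_pool):
        self.free_vms = list(vm_pool)   # honeypot VMs not yet assigned to a mole
        self.vm_of_mole = {}            # mole id -> VM id
        self.mole_of_vm = {}            # VM id -> mole id
        self.mac_of_mole = {}           # mole id -> the mole's own MAC address

    def register(self, mole_id, mole_mac):
        """A mole's tunnel came up: assign it a VM (None if the farm is exhausted)."""
        if mole_id in self.vm_of_mole:
            return self.vm_of_mole[mole_id]
        if not self.free_vms:
            return None                 # failure mode: no vulnerable VM left
        vm = self.free_vms.pop(0)
        self.vm_of_mole[mole_id] = vm
        self.mole_of_vm[vm] = mole_id
        self.mac_of_mole[mole_id] = mole_mac
        return vm

    def to_honeynet(self, mole_id, raw):
        """Frame from a mole's tunnel -> (vm, frame), or None if it must be dropped."""
        if mole_id not in self.vm_of_mole or len(raw) < ETH.size:
            return None
        dst, _src, _etype = ETH.unpack_from(raw)
        if dst not in (self.mac_of_mole[mole_id], BROADCAST):
            return None                 # not addressed to the mole: never forwarded
        return (self.vm_of_mole[mole_id], raw)

    def from_honeynet(self, vm, raw):
        """Reply frame from a VM -> (mole, frame); only its own mole's tunnel."""
        mole_id = self.mole_of_vm.get(vm)
        if mole_id is None or len(raw) < ETH.size:
            return None
        return (mole_id, raw)


def make_frame(dst, src, etype=0x0800, payload=b""):
    """Build a constructed Ethernet frame for exercising the server offline."""
    return ETH.pack(dst, src, etype) + payload
```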
None that we can talk about right now.
We would be happy to discuss ideas for possible publications.
Christopher P. Lee presented "HoneyNet Technologies" at NoVA Sec in March.
Published Paper:
C. P. Lee and J. A. Copeland. Flowtag: a collaborative attack-analysis, reporting, and sharing tool for security researchers. In Proceedings of the 3rd International Workshop on Visualization for Computer Security (Alexandria, Virginia, USA, November 03, 2006). VizSEC '06. ACM Press, New York, NY, 103-108. DOI: http://doi.acm.org/10.1145/1179576.1179597
Accepted Paper:
K. Fairbanks, C. P. Lee, Y. Xia, H. Owen III. TimeKeeper: A Metadata Archiving Method for Honeypot Forensics. Proceedings of the 2007 IEEE Workshop on Information Assurance. United States Military Academy, West Point, NY, 20-22 June 2007.
Kevin Fairbanks will be transitioning to act as the lead of the Georgia Tech HoneyNet, while Christopher Lee will be transitioning to a lesser role. Currently Christopher Lee is the primary honeynet administrator and Kevin Fairbanks is the assistant honeynet administrator; both are responsible for daily maintenance, status reports (including this one), communicating with other alliance members, recruiting researchers, and sharing results. Julian Grizzard has graduated.