Intrusion Detection and Prevention
Related Chapters
• Chapter 3, Detecting System Intrusions
• Chapter 4, Preventing System Intrusions
• Chapter 5, Guarding Against Network Intrusions
• Chapter 26, Intrusion Prevention and Detection Systems
• Chapter 27, TCP/IP Packet Analysis
• Chapter 28, The Enemy (The Intruder's Genesis)

Defense in Depth
• Prevent
• Detect
• React/Survive

Defense in Depth in Practice
• Firewall
• Intrusion Detection
• Logging/Auditing

Intrusion Detection Systems vs. Firewalls
• Intrusion detection systems (IDSs)
  – Detect unauthorized intrusions
    • Anomaly-based: learn "normal"
    • Signature-based: look for slight variations
    • Hybrid: combines the best characteristics of both
• Firewalls offer the first line of defense
  – Secure Firewall combines the five most necessary security systems (firewall, antivirus/spyware/spam, VPN, application filtering, and intrusion prevention/detection systems) into a single appliance.

RECAP: BASICS OF NETWORK TECHNOLOGY

TCP/IP
• Transmission Control Protocol/Internet Protocol
  – Ubiquitous networking protocol
  – Uses freely available open protocol standards
  – Independent of device and transmission media
  – Consistent addressing scheme
    • Globally scalable
• The vast majority of attacks utilize TCP/IP

TCP/IP Data Architecture
• Layered stack of functions
• Each layer provides services and capabilities to the layers above and below
  – Modular functionality
  – Details within a function are hidden from other functions
• Application layer
  – Concerned with applications and processes

Figure 26.1 TCP/IP layers. Each layer communicates with the layer above and below it.

TCP/IP Data Architecture (cont.)
• Transport layer
  – Handles data flow between applications on different network hosts
  – There are two transport protocols: TCP and UDP
• Network layer
  – Responsible for packet addressing and routing
• Physical layer
  – Responsible for interaction with the physical network medium

Data Encapsulation
• As data is handed down the stack, each layer adds its own header
  – IP header
  – TCP header
  – UDP header
• Network attacks can occur at every layer of the TCP/IP stack
• An effective intrusion prevention and detection system must inspect each layer

Figure 26.2 IP, TCP, and UDP headers. Each layer adds its own header, and the formats are different.

Figure 26.3 TCP/IP encapsulation (outgoing and incoming). Headers are added as data packets move through the layers.

Figure 26.4 Application and network interaction example. The example uses email messages to illustrate header information.

Definitions
• Intrusion
  – A set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
• Intrusion detection
  – The process of identifying and responding to intrusion activities

Intrusions
• An intrusion is any action taken by an adversary that negatively impacts information:
  – Confidentiality
  – Integrity
  – Availability
• Commonly occurring types of intrusions
  – Physical theft
  – Abuse of privileges (insider threat)
  – Unauthorized access by an outsider

Intrusion Monitoring and Detection
• Must detect and diagnose malicious activities
• Monitoring and analysis: passive techniques
• Typical IDS response: alert administrators
  – Presumes incidents need human expertise and judgment for follow-up
• Detection accuracy: a critical problem
  – Minimize false positives and false negatives
• Two analysis approaches
  – Misuse detection and anomaly detection

ATTACKS

Attackers and Motives
• Script kiddy
  – Attacker with little or no skill using another's published "script" to perform an attack
• Joy rider
  – Attack motive: exploring, usually not malicious
• Mercenary
  – Selling skills to compromise computer systems
  – Organized crime
• Nation-state backed
  – Espionage against other nations

Malicious Software
• Virus
• Worm
• Backdoor
• Trojan horse
• User-level rootkit
• Kernel-level rootkit
• Blended malware
(Refer to pages 486-487)

Malicious Software
• Infectious: viruses and worms
  – Carry a payload (malicious code)
• Concealed: Trojan horses and rootkits
  – Stealth: an important feature for malware
• Remote control: remote access Trojans (RATs) and bots
  – Enable covert communications
• Data theft: keyloggers and spyware
  – Record keystrokes or monitor and report user activity

Stack-Based Overflow Attacks
• Take advantage of poorly written applications
• When a called function is executing, it stores data on the stack (memory buffer)
  – If this memory region is overwritten, the program will crash
• The instruction pointer (IP) is loaded from the return address saved on the stack when the function returns
  – An attacker who overwrites that saved address can direct the program to execute malware

Password Attacks and DDoS Attack
• Attacker attempts to locate the file with encrypted passwords
• Password cracking tools
  – Example: "John the Ripper"
• Distributed denial of service (DDoS) attack
  – Generating multiple requests to flood a server
  – Multiple systems make half-open connections to the target server
  – Usually carried out via botnets of compromised systems

Sniffing
• Packet sniffing tool
  – Examples: Wireshark, tcpdump
  – Placed on a network node
  – Captures every packet sent to or from that node
• Once the data traffic is captured, the hacker can analyze the contents of the packets
  – Hackers can draw inferences about what is being captured
  – Hackers thus have access to port numbers, IP addresses, and application details
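The Data Encapsulation and Sniffing slides above say that each layer adds its own header and that an IDS must inspect every layer. The following added example (not code from the lecture or its textbook) builds a packet byte string with an IPv4 header wrapped around a TCP or UDP segment, then peels the headers back off the way a sensor does, verifying the IPv4 header checksum on the way. Addresses, ports and the packet contents are constructed for the example; the TCP/UDP checksums are left at zero to keep the sample short.

```python
import socket
import struct

# Added example (not from the lecture slides): build and parse IPv4 + TCP/UDP headers
# to show the per-layer encapsulation an IDS must unwrap. Packet bytes are constructed here.

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
TCP_FMT = "!HHIIHHHH"        # sport, dport, seq, ack, data offset/flags, window, checksum, urgent
UDP_FMT = "!HHHH"            # sport, dport, length, checksum
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for a header whose stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    # Data offset 5 (20-byte header, no options); TCP checksum left as 0 in this constructed sample
    return struct.pack(TCP_FMT, sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, l4: bytes, ttl: int = 64) -> bytes:
    """Wrap a transport segment in a 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + len(l4), 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + l4


def parse_packet(pkt: bytes) -> dict:
    """Peel the headers layer by layer, the way a network IDS inspects each layer."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"ip": {"version": ver_ihl >> 4, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                   "ttl": ttl, "proto": proto,
                   # a valid header sums to zero; a tampered or corrupted header does not
                   "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}}
    l4 = pkt[ihl:total_len]
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack(TCP_FMT, l4[:20])
        doff = (off_flags >> 12) * 4
        info["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                       "flags": {name for bit, name in TCP_FLAG_BITS if off_flags & bit}}
        info["payload"] = l4[doff:]
    elif proto == 17:  # UDP
        sport, dport, length, _ucsum = struct.unpack(UDP_FMT, l4[:8])
        info["udp"] = {"sport": sport, "dport": dport, "length": length}
        info["payload"] = l4[8:length]
    else:
        info["payload"] = l4
    return info


if __name__ == "__main__":
    syn = build_ipv4("192.0.2.10", "192.0.2.20", 6, build_tcp(40000, 80, 1, 0, 0x02))
    print(parse_packet(syn))
```

Because the parser returns the decoded fields of each layer as a dictionary, the later detection examples (land-attack matching, connection-record building) can be driven from its output; flipping any byte of the IP header makes `checksum_ok` false, which is the simplest "packet inconsistency" a sensor can flag.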
IP Address Spoofing
• Fools a perimeter router into accepting a packet with a spoofed IP address
• Difficult to trace back to the attacker's node
• Done by IP packet crafting
• The Ethernet address can also be spoofed
• DNS spoofing
  – Sends Web traffic to the attacker's site instead of the legitimate IP address

Session Hijacking
• Taking over an ongoing active connection between two nodes on a network
• Two types
  – TCP session hijacking
  – UDP session hijacking
• Route table modification
  – Attacker blocks packets by modifying routing tables

Lures and "Pull" Attacks
• Network attacks are trending towards stealthier attacks
  – Wait for victims to visit malicious Web sites
• Advantages for attackers
  – Not as "noisy" as active attacks
  – Web servers have stealthy intelligence
  – A Web server can serve up different attacks
• Web-based attack types
  – Phishing, drive-by download
• Challenge: attracting the visitor to the malicious site

Lures and "Pull" Attacks
Figure 5.2 Stealthy attacks lure victims to malicious servers. The Web has become the primary vector for infecting computers, in large part because email has become better secured.

Reconnaissance
• Traditional attacks use sequential steps
  – Reconnaissance tools
    • Ping, traceroute, port scan, OS discovery, vulnerability scanner
  – Compromise tools
    • Password attacks, exploit attack code, buffer overflows, Structured Query Language (SQL) injection, automated customized attack toolkits, social engineering
  – Cover-up methods
    • Change system logs, rootkits, tunneling, encryption, fragment IP packets

Reconnaissance
Figure 5.1 Steps in directed attacks. Undirected attacks attempt to hit as many targets as quickly as possible without caring about who or what the targets are.
Active Reconnaissance
• The steps of a hacker
  – Search domain names for those that would contain valuable information
  – Map domain names to network addresses
  – Map out the detailed network infrastructure
  – Discover IP addresses of the network nodes
  – Attempt to identify different server types
    • DNS, email, database, Web
  – Use network tools to gather information about the servers
  – Design a scheme to attack the network

Reconnaissance: Network Mapping
• Network mapping is the process of discovering information about the topology of the target network
  – Finding the IP addresses of gateways, routers, email, Web, FTP servers, and database servers
• Sweep the network to find live nodes (pinging target nodes)
• Can use traceroute to find paths to each host
  – Provides information about routers and gateways
• Find more information with Nmap
  – Nmap: security/network exploration tool and port scanner

Figure 28.2 Switched Ethernet network. Nanjun is a Linux server, kalidas is an XP workstation, and kailash is a Windows 2000 server.

Figure 28.3 Network mapping of the computers in Figure 28.2. Screenshot from the GFI LANguard network security scanner.

Covering Tracks
• The attacker must disguise the fact that there has been an attack
• Trojan horse
  – Disguised as a benign program
  – Usually has malicious intent
• Backdoor
  – Method to allow the attacker to return and continue the attack
• Rootkit
  – Runs with system privileges

INTRUSION DETECTION

Intrusion Detection Approaches
• Modeling
  – Features: evidence extracted from audit data
  – Analysis approach: piecing the evidence together
    • Misuse detection (a.k.a. signature-based)
    • Anomaly detection (a.k.a. statistical-based)
• Deployment: network-based or host-based
• Development and maintenance
  – Hand-coding of "expert knowledge"
  – Learning based on audit data

Host-Based and Network-Based
• Host-based IDS
  – System objects, processes, memory
  – Concern for possible tampering by an attacker
  – Drawbacks
    • Visibility limited to a single host; the IDS process consumes resources; attacks are not seen until they reach the host
• Network-based
  – Use network packets for reconnaissance, exploit, DoS attack, and malware checks
  – Complements host-based IDSs

Monitoring Hosts vs. Network Traffic
• Network packets: tcpdump
• Operating system events: BSM

Elements of Intrusion Detection
• Primary assumptions:
  – System activities are observable
  – Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
  – From an algorithmic perspective:
    • Features: capture intrusion evidence
    • Models: piece the evidence together
  – From a system architecture perspective:
    • Audit data processor, knowledge base, decision engine, alarm generation and responses

Components of an Intrusion Detection System
(Diagram) Audit Records → Audit Data Preprocessor → Activity Data → Detection Engine (driven by Detection Models) → Alarms → Decision Engine (driven by a Decision Table) → Action/Report. The pipeline rests on the two assumptions above: system activities are observable, and normal and intrusive activities have distinct evidence.

Misuse vs. Anomaly Detection
Figure 5.5 Misuse detection and anomaly detection. These two views are complementary and are often used in combination.
Misuse Detection
(Diagram) Known intrusion patterns are pattern-matched against observed activities to flag an intrusion.
Example: if (src_ip == dst_ip && src_port == dst_port) then "land attack"
Cannot detect new attacks.

Misuse Detection: Signature Based
• Look for an incident that matches a known signature
  – A signature identifies a specific attack
• Central issue
  – How to define signatures or model attacks
• Three inherent drawbacks
  – Attacks are missed if the matching signature is not known
  – New signatures require time to develop
  – New signatures must be distributed continually
• Signature-based IDS example
  – Snort program

Figure 26.5 Anti-malware file scanning. Signature-based analysis is only as effective as its signature information.

Anomaly Detection
(Diagram) Activity measures such as CPU usage and process size are compared against a normal profile; measurements outside the profile are flagged as anomalies and a probable intrusion.
Relatively high false positive rate: anomalies can just be new normal activities.

Anomaly Detection: Behavior Based
• Potential to recognize new attacks without a known signature
• Define normal behavior in statistical terms
  – Anything outside the definition: suspicious
• Challenges
  – Normal behavior is based on past behavior
  – Behavior can and does change over time
  – Anomalies are just unusual events
  – Not good at discerning the exact nature of attacks

INTRUSION DETECTION @ HOST LEVEL

Host-based IDSs
• Using OS auditing mechanisms
  – E.g., BSM on Solaris: logs all direct or indirect events generated by a user
  – strace for system calls made by a program
• Monitoring user activities
  – E.g., analyze shell commands
• Monitoring executions of system programs
  – E.g., analyze system calls made by sendmail

Monitoring Key Files in the System
• Monitor any changes to the key files (system files)
  – E.g., /etc/passwd and /etc/shadow in Linux systems
• One way is to log everything happening inside the file system (example product: LoggedFS).
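The Misuse Detection and Anomaly Detection slides above describe the two analysis approaches in words and a diagram. The following added example (not code from the lecture) implements both on constructed data: the slide's land-attack rule and a stateful half-open-connection rule as signatures over connection records, and a mean/standard-deviation profile of past CPU readings as the "normal profile" whose outliers are flagged. The record fields, the sample connections (documentation address ranges) and the CPU history are all constructed for the example; the 3-sigma threshold is an assumed setting, not one from the slides.

```python
import statistics
from collections import Counter
from dataclasses import dataclass

# Added example (not from the lecture): the two analysis approaches on the slides above,
# run over constructed connection records and CPU measurements.


@dataclass
class ConnRecord:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flag: str  # connection status as on the slides: "SF" normal, "REJ" rejected, "S0" SYN with no reply


# --- Misuse detection: signatures are predicates over a record -----------------
def land_attack(r: ConnRecord) -> bool:
    """The slide's rule: source and destination address and port are identical."""
    return r.src_ip == r.dst_ip and r.src_port == r.dst_port


PER_RECORD_SIGNATURES = {"land attack": land_attack}


def detect_misuse(records, half_open_threshold: int = 5):
    """Return (signature, detail) hits. A stateful rule counts half-open (S0)
    connections per source, a crude SYN-flood signature (threshold is an assumption)."""
    hits = []
    for r in records:
        for name, rule in PER_RECORD_SIGNATURES.items():
            if rule(r):
                hits.append((name, f"{r.src_ip}:{r.src_port} -> {r.dst_ip}:{r.dst_port}"))
    half_open = Counter(r.src_ip for r in records if r.flag == "S0")
    for src, n in sorted(half_open.items()):
        if n >= half_open_threshold:
            hits.append(("SYN flood suspected", f"{n} half-open connections from {src}"))
    return hits


# --- Anomaly detection: a statistical profile of "normal" ----------------------
class NormalProfile:
    """Mean and standard deviation of a past activity measure (e.g. CPU %)."""

    def __init__(self, samples):
        self.mean = statistics.fmean(samples)
        self.stdev = statistics.stdev(samples)

    def zscore(self, x: float) -> float:
        return (x - self.mean) / self.stdev

    def is_anomalous(self, x: float, threshold: float = 3.0) -> bool:
        # Anything more than `threshold` standard deviations from the profile is suspicious
        return abs(self.zscore(x)) > threshold


# Constructed sample data (documentation address ranges, not real hosts)
SAMPLE_RECORDS = [
    ConnRecord("198.51.100.4", 40001, "192.0.2.10", 80, "SF"),
    ConnRecord("192.0.2.10", 139, "192.0.2.10", 139, "SF"),      # land attack
] + [ConnRecord("203.0.113.5", 50000 + i, "192.0.2.10", 20 + i, "S0") for i in range(6)]

CPU_HISTORY = [22, 25, 30, 28, 35, 31, 27, 24, 33, 29]  # past CPU % readings forming the "normal" profile


if __name__ == "__main__":
    for sig, detail in detect_misuse(SAMPLE_RECORDS):
        print(f"MISUSE  {sig}: {detail}")
    profile = NormalProfile(CPU_HISTORY)
    for reading in (31, 60, 95):  # 60 % could be a legitimate new backup job: the false-positive trap
        print(f"ANOMALY cpu={reading} z={profile.zscore(reading):.1f} flagged={profile.is_anomalous(reading)}")
```

The two halves show the trade-off the slides make: the signature rules fire only on what they were written for (a land packet, a burst of S0 connections) and stay silent on anything new, while the statistical profile flags the 95 % reading it has never seen but also flags a 60 % reading that may simply be a new nightly job, which is the "new normal activities" false positive the Anomaly Detection slide warns about.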
• File integrity monitoring (FIM):
  – An internal control or process
  – Validates operating system and application software integrity
  – Verifies the current state versus a baseline
  – Calculates a known cryptographic checksum
  – The process is generally automated

Security Objectives
• Watch for changes impacting file or configuration integrity
  – Credentials, privileges and security settings, content, core attributes and size, hash values, configuration values
  – Legitimate or somewhat legitimate file names
  – Additional accounts that do not belong
  – Events with out-of-order timestamps
• Hide system files and directories
  – Reduces accidental damage or deletion
  – Prevents casual snooping

Figure 3.1 Screenshot of the nCircle file integrity monitor panel. One of many open-source and commercial software products available to perform file integrity monitoring.

Figure 3.2 The wrong symbol. The hacker has a directory on the system named '. '. Note that one bit or one symbol in the output may make the difference between a compromised and a clean system.

Figure 3.3 Additional account DBNET. After a compromise, hackers may create a new account on the server and try to mimic some legitimate accounts that should exist.

Figure 3.4 Folder modification. Windows malware just loves this folder! Look for any folders or files with a different date-modified timestamp.

Zero-Day Attacks
• A zero-day attack is an attack that exploits a previously unknown vulnerability
  – Meaning that the attack occurs on "day zero" of awareness of the vulnerability
  – The developers have had zero days to address and patch the vulnerability
• Attack vectors (directions):
  – Web browsers, e-mail attachments, common file types

Zero-Day Attacks (cont.)
• The vulnerability window is the time between the first exploit and the published fix.
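The FIM bullets and the Security Objectives slide above list what a file integrity monitor compares: content hashes, size, permissions, and the appearance of files or accounts that do not belong. The following added example (not code from the lecture or from any of the products it names) is a small monitor in that style: it baselines a directory tree with SHA-256 checksums plus size and mode, then reports added, removed and modified files. The `demo()` function builds a constructed /etc-like tree in a temporary directory, simulates the kinds of change shown in Figures 3.2 to 3.4 (an extra account line, a loosened permission, a replaced binary, a file in a hidden directory) and diffs against the baseline.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example (not from the lecture): a minimal file integrity monitor of the kind the FIM
# slide describes. It baselines a directory tree, then reports added, removed and modified
# files against that baseline. The sample tree is constructed in a temporary directory.


def file_fingerprint(path: Path) -> dict:
    """Cryptographic checksum plus the attributes worth comparing against a baseline."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its fingerprint."""
    return {p.relative_to(root).as_posix(): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. mtime is recorded but not compared: a touched file with the same
    hash, size and mode is not an integrity change, and timestamps are easy to forge."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[name][k] != current[name][k]]
        if changed:
            modified[name] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed /etc-like tree, baseline it, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in (("etc/passwd", "root:x:0:0::/root:/bin/sh\n"),
                             ("etc/shadow", "root:!:19000::::::\n"),
                             ("bin/ls", "#!/bin/sh\nexit 0\n")):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        os.chmod(root / "etc/shadow", 0o600)
        baseline = build_baseline(root)

        # Simulated post-compromise changes (constructed): an extra account that mimics root,
        # a loosened permission, a removed system binary and a file in a hidden directory
        with open(root / "etc/passwd", "a") as f:
            f.write("dbnet:x:0:0::/root:/bin/sh\n")
        os.chmod(root / "etc/shadow", 0o644)
        (root / "bin/ls").unlink()
        (root / "tmp/.hidden").mkdir(parents=True)
        (root / "tmp/.hidden/x").write_text("dropped\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off-host or signed, since an attacker with root can rewrite a baseline kept beside the files it describes (this is why the Tripwire slide later in the deck talks about keeping its snapshot encrypted and in an obscure place).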
• Vulnerability management life cycle phases
  – Analyze, test, report, and mitigate
• Many OSs provide protection mechanisms against 0-day memory corruption vulnerabilities, such as buffer overflows.
• Multiple layers, port knocking, whitelisting, and keeping the OS updated are some mechanisms for 0-day protection.

Good Known State
• Watch for backdoors installed by hackers
  – Removing backdoors is not enough
• Restore a hacked system to a good, clean system
  – Typically done via OS reinstallation
• Monitor running processes for hacker software
  – May look legitimate
• Watch for weird-looking file names

Rootkits
• Stealthy type of malicious software
• Automated or installed with root access
• Kernel-mode rootkits
  – Highest operating system privileges (ring 0)
  – Add code or replace portions of the OS core
  – Difficult to detect
• User-mode rootkits
  – Run with other applications as a user (ring 3)
• Rootkit search software for live systems (rootkit detection)
  – Example: "rootkit hunter"

Low Hanging Fruit
• Deter intrusions
  – Protect your system better than your neighbor
• The hacker will select the easier target
  – Use "snowflaking" (differentiate your system from the norm)
    • Takes more time to analyze a particular system to gain access
    • Example: move the SSH port from the default TCP/22 to TCP/31234
  – Ignore pings to the host
    • Hosts that answer pings take less time to detect as live IPs and scan for vulnerabilities

Homegrown Intrusion Protection
• To defeat a hacker, think like a hacker
  – Examine common files a hacker may look at
  – Deter a hacker from using information in the file
    • Subtly hide important directories or file names
    • Set up dummy directories
  – If the hacker persists
    • Examine access logs to dummy files to identify the enemy

Out-of-band Attack Vectors
• People: the weak link in corporate security plans
  – Fall for social engineering attacks
  – Connecting personal devices to the corporate network is a huge risk
  – Demyo plug
    • Full-blown Linux-based OS with many penetration testing tools preinstalled
• Prevention method
  – Strong policy disallowing connection of non-approved devices
  – Must be enforceable and be understood by all

Figure 3.8 The Demyo plug. Once connected, penetration testers can use it as a jump box to do further penetration testing inside the local area network (LAN) of the corporation.

Security Event Management
• Real-time analysis of security alerts generated by network hardware and applications
• Security Event Management (SEM)
  – Real-time monitoring, correlation of events, notifications, and console views
• Security Information Management (SIM)
  – Long-term storage, analysis, and reporting
• Security Information and Event Management (SIEM)
  – Data aggregation, correlation, alerting, dashboards, compliance, retention

Other Weird Stuff on the System
• Possible signs of system compromise
  – Missing log files
  – Network interface in promiscuous mode
    • The controller passes all traffic to the central processing unit (CPU)
    • Normally used for packet sniffing
    • The computer may read frames intended for other machines or network devices
    • Usually requires superuser privileges
    • Often used to diagnose network problems
  – Stay away from insecure protocols

INTRUSION DETECTION @ NETWORK LEVEL

Network IDS
• Deploying sensors at strategic locations
  – E.g., packet sniffing via tcpdump at routers
• Inspecting network traffic
  – Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
  – Look into the data portions of the packets for malicious command sequences
• May be easily defeated by encryption
  – Data portions and some header information can be encrypted
• Other problems ...

Network IDS
• Sensors
  – Monitor and analyze network activity on one or more network segments
  – Appliance-based and software-only sensors
• Provide a variety of security capabilities
• Collect information on hosts
  – Operating systems and application versions
• Perform extensive logging of data related to detected events

Figure 5.6 IDSs monitoring various network zones (network-based IDSs). Place outside a firewall for learning about malicious activities on the Internet. Place in the DMZ to see attacks originating from the Internet that are able to get through the outer firewall to public servers. Place in the private network to detect any attacks that are able to successfully penetrate perimeter security.

Figure 26.6 Network-based IDS device scanning packets flowing past the sensor interface. Anomaly detection is accomplished by comparing with a stored baseline.

Packet Data Pre-processing
tcpdump packet data:
  10:35:41.5 A > B : . 512:1024(512) ack 1 win 9216
  10:35:42.2 C > D : . ack 1073 win 16384
  10:35:45.6 E > F : . ack 2650 win 16225
  ...
connection records:
  time        dur   src  dst  bytes  srv   flag  ...
  10:35:39.1  5.2   A    B    42     http  SF    ...
  10:35:40.4  20.5  C    D    22     user  REJ   ...
  10:35:41.2  10.2  E    F    1036   ftp   SF    ...
  ...

Firewall Versus Network IDS
• Firewall
  – Active filtering
  – Fail-close
• Network IDS
  – Passive monitoring
  – Fail-open

INTRUSION PREVENTION

Preventive Measures
• Access control
• Vulnerability testing and patching
• Closing unnecessary ports
• Firewalls
• Antivirus and antispyware tools
• Spam filtering
• Honeypots
• Network access control

Defense in Depth
• Hinder the attacker as much as possible
  – Use multiple defense layers
• Each layer might be surmountable
  – More valuable assets should be protected behind more layers of defense
• Combination of multiple layers
  – Increased cost for attacker success (time, effort, or equipment)
    • Cost must be proportional to asset value
  – Effective against unpredictable attacks
• Involves people, technology, operations
• Risk assessment determines:
  – Asset value, possible threats, threat likelihood and impact

Know Your Enemy
• Unauthorized network penetration
• Types: active and passive
• Intrusions come from outside and from within the network
• Intruder's purposes
  – Make their presence known
  – Extract critical information
• One-time or ongoing parasitic relationship
• Access is gained physically, externally or internally

Know Your Enemy (Hacker vs. Cracker)
• The traditional hacker performed good deeds
  – Built and made the Internet run, created Unix
• Crackers' intentions are normally malicious/criminal in nature
• Crackers steal data or create havoc
  – Lone wolves, disgruntled employees, hostile governments
  – Seek out and exploit vulnerabilities
    • Underground organizations and code available
• Cyber ninjas sneak around
  – Create chains of exploits
  – Use multiple layers to hide

Understand Motives
• Goal differs from motive
  – Goal: penetrate network defenses
  – Motive: hurt the organization or steal information
• Grab and dash
  – Steal credit-card information and resell it
  – Breach the network and siphon off data

Our "Unsecured" Wireless World
• Public wireless activity can affect corporate network security by stealing information from users
  – Firesheep: a tool used to steal browser cookie information
• What tools can crackers use to test for network weak spots?
  – Wireless sniffers, packet sniffers, port scanners, port knocking, keystroke loggers, remote administration tools, network scanners, password crackers

Symptoms of Intrusions
• Large numbers of unsuccessful login attempts
• Packet inconsistencies
• Packets coming from the outside that have local network addresses (IP spoofing)
• Odd or unexpected system behavior can be a sign
  – Changes to system clocks, servers going down, unusually high CPU activity, overflows in file systems

What Can You Do?
• Balance network security and user needs
• Use a strong multilayer perimeter defense
  – Implement a dynamic and effective response policy
• Educate users: Why is this crucial?
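The Packet Data Pre-processing slide earlier in this section shows raw tcpdump lines on one side and per-connection records (time, duration, src, dst, bytes, service, flag) on the other, which is the shape of input a network IDS analyzes. The following added example (not code from the lecture) performs that step: it parses a constructed capture in an abbreviated tcpdump-like format assumed for the example, groups packets into connections regardless of direction, and derives the duration, byte count, service and a status flag (SF, REJ, S0) for each. The port-to-service table is a small assumed map, not one from the slides.

```python
import re
from dataclasses import dataclass

# Added example (not from the lecture): turning tcpdump-style packet lines into the
# per-connection records shown on the "Packet Data Pre-processing" slide (time, duration,
# src, dst, bytes, service, flag). The capture below is constructed, in an abbreviated
# tcpdump format assumed for this example; the service table is a small assumed port map.

SAMPLE_CAPTURE = """\
10:35:39.1 A.1040 > B.80: S 1:1(0) win 8192
10:35:39.3 B.80 > A.1040: S 900:900(0) ack 2 win 9216
10:35:39.4 A.1040 > B.80: . 2:44(42) ack 901 win 8192
10:35:44.3 A.1040 > B.80: F 44:44(0) ack 901 win 8192
10:35:40.4 C.2000 > D.22: S 1:1(0) win 8192
10:36:00.9 D.22 > C.2000: R 0:0(0) ack 2 win 0
10:35:41.2 E.3000 > F.21: S 1:1(0) win 8192
10:35:41.5 E.3000 > F.21: . 512:1024(512) ack 1 win 9216
"""

LINE_RE = re.compile(
    r"^(?P<time>\d+:\d+:\d+\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)(?:\s+\d+:\d+\((?P<len>\d+)\))?"
)
SERVICES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}


@dataclass
class Connection:
    start: float
    last: float
    src: str
    dst: str
    srv: str
    bytes: int = 0
    syn: bool = False
    fin: bool = False
    rst: bool = False

    @property
    def flag(self) -> str:
        """Status code in the style of the slide: SF normal, REJ rejected, S0 no reply, OTH other."""
        if self.syn and self.fin:
            return "SF"
        if self.syn and self.rst:
            return "REJ"
        if self.syn:
            return "S0"
        return "OTH"

    @property
    def dur(self) -> float:
        return round(self.last - self.start, 1)


def to_seconds(hms: str) -> float:
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def connection_records(capture: str):
    """Group packets into connections keyed by endpoint pair (either direction)."""
    conns = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the assumed format
        t = to_seconds(m["time"])
        a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        key = (a, b) if (a, b) in conns else (b, a) if (b, a) in conns else None
        if key is None:
            # The first packet seen decides who is src (initiator) and which service is involved
            key = (a, b)
            conns[key] = Connection(t, t, a[0], b[0], SERVICES.get(b[1], "other"))
        c = conns[key]
        c.start, c.last = min(c.start, t), max(c.last, t)
        c.bytes += int(m["len"] or 0)
        c.syn |= "S" in m["flags"]
        c.fin |= "F" in m["flags"]
        c.rst |= "R" in m["flags"]
    return sorted(conns.values(), key=lambda c: c.start)


def format_records(conns) -> str:
    rows = ["time      dur   src  dst  bytes  srv    flag"]
    for c in conns:
        rows.append(f"{c.start:9.1f} {c.dur:5.1f} {c.src:4} {c.dst:4} {c.bytes:6} {c.srv:6} {c.flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_records(connection_records(SAMPLE_CAPTURE)))
```

The records this produces are the input both detection styles consume: a signature such as the land-attack rule tests one record, while a burst of S0 or REJ records from one source is the connection-pattern anomaly the Network IDS slide calls "unusual connection patterns".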
• Implement an intrusion detection system (IDS)
  – Must detect and stop intrusions
  – Can be inline or based on a firewall scheme

Know Today's Network Needs
• Traditional networks use preventative measures (firewalls) to protect the infrastructure from intrusion.
• Mobile computing has expanded the boundaries
• Unified threat management (UTM) system
  – "Blacklist" approach: a game of catch-up
  – "Whitelist" approach: specifies what gets in
  – Specifically allow applications and devices
  – Offer a policy-based approach
• Recognize remote technologies and the risks
• Best practice: educate users on the security policy

Figure 4.1 Network diagram. The key to managing several hundred (or several thousand) users is a good security policy.

Security Policies
• A security policy is designed to get everyone involved with your network; it is always a work in progress
  – Must evolve with technology
• A conglomeration of policies
  – Computer and network use, forms of authentication, email policies, remote/mobile technology use, and Web surfing policies

Security Policies (cont.)
• Simplicity works best
  – Draft policies defining the network architecture
  – Spell out responsibilities, communicate your expectations to users, and lay out the role(s) for your network administrator
  – Establish a security team
• Provide a clear policy for handling changes to overall network security

Risk Analysis and Vulnerability Testing
• Risk analysis determines the risk faced based on operations. It may influence network design.
• The security policy should include regular vulnerability testing.
• Some very good vulnerability testing tools allow you to conduct your own security testing
  – E.g., WebInspect, Acunetix, GFI LANguard, Nessus, HFNetChk, and Tripwire
• Third-party companies can be contracted to scan your network for open and/or accessible ports, weaknesses in firewalls, and Web site vulnerabilities.
Digital Forensics
• Digital forensics is the "application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence"
• Can be divided into two subfields
  – Network forensics
    • Captured network traffic and session information
  – Host-based forensics
    • Collection and analysis of digital evidence collected from individual computer systems

Intrusion Prevention Systems (IPSs)
• Configurable for autonomous decisions
  – Application-level threats, IP address or port-level attacks
• Threat response mechanisms
  – Automatically drop suspicious packets
  – Place the intruder into a "quarantine" file
• Access control pass/fail decisions
• Several IPS types
  – Network-based, host-based, content-based, rate-based
• What are the characteristics of a good IPS?

Intrusion Prevention Capabilities
• Agenda for Action for Intrusion Prevention Activities checklist
  – Code analysis
  – Network traffic analysis
  – Network traffic filtering
  – Filesystem monitoring
  – Removable media restriction
  – Audiovisual device monitoring
  – Host hardening
  – Process status monitoring
  – Network traffic sanitization

Reactive Measures
• When an attack is detected and analyzed, a system administrator must exercise an appropriate response.
  – Responses depend on the circumstances
  – Block, slow, modify, or redirect any malicious traffic
• It is not possible to delineate every possible response.

Reactive Measures: Quarantine and Traceback
• Quarantine in the context of malware
  – Prevents an infected host from contaminating other hosts
  – Block traffic using firewalls or routers with access control lists (ACLs)
• Almost impossible to discover the attacker (Why?)
  – May trace a packet's route back to an intermediary
    • Store a hash of each packet for some amount of time
    • Stamp packets with a unique router identifier

Figure 5.7 Tracking information stored at routers or carried in packets to enable packet traceback. To trace a packet's route, some tracking information must be either stored at routers when the packet is forwarded or carried in the packet.

Reactive Measures: Audits and Recovery
• Regular and detailed audits are needed, with emphasis on activities near or outside the established norm
• Ensure clearly established rules
  – Security, use, and/or policy violations
  – Attempted or actual intrusions
• Recovery of the network after an attack
  – Reconfigure to close off the exploited opening
  – Estimate damage
• Ensure a preemptive disaster recovery plan is available

IDS IN PRACTICE

Tools of the Trade
• Host-based IDS
  – TCPWrappers (http://coast.cs.purdue.edu/pub/tools/unix)
  – NukeNabber (http://www.amitar.com.au/DOWNLOADS/INTERNET/PROTECTION/NukeNabber_2_9b.html)
  – WRQ's AtGuard (http://www.atguard.com)
  – AXENT (www.axent.com)
  – CyberSafe (www.cybersafe.com)
  – ISS (www.iss.net)
  – Tripwire (www.tripwiresecurity.com)
• Network-based IDS
  – AXENT (www.axent.com)
  – Cisco (www.cisco.com)
  – CyberSafe (www.cybersafe.com)
  – ISS (www.iss.net)
  – Shadow (www.nswc.navy.mil/ISSEC/CID)

Snort
• Try Snort, a nice tool
  – Packet sniffer: outputs all viewed network data to a console device
  – Packet logger: logs all network packets to disk
  – Network IDS: performs a variety of functions, from analyzing traffic to filtering and performing actions based on packet analysis

Defend Your Hosts with Freeware
• Install the most current release of Red Hat Linux, Debian Linux, FreeBSD, etc.
• OS hardening
  – To protect against misconfiguration-based attacks, install the very good hardening utility Bastille (http://sourceforge.net). Bastille essentially closes all the doors left open in a default installation.
• Network services access control
  – Install Wietse Venema's TCP Wrapper (ftp://ftp.porcupine.org/pub/security/index.html). This is a simple tool: simple to install, simple to configure, and simple in operation. It is an access control list for services run under the control of the Internet daemon.

Defend Your Hosts with Freeware
• Snort: intrusion detection tool (http://www.snort.org/)
  – There are both Linux and Windows versions. It will let you see what kinds of messages are observed by your network card and let you write your own rules for the IDS. It is almost infinitely configurable.
• Shorewall (http://shorewall.net/)
  – A freeware firewall/gateway based on Linux iptables/ipchains. You may also try Astaro's Security Linux (http://astaro.com/), which is a freeware stateful inspection gateway that provides proxy and VPN services.

Defend Your Hosts with Freeware
• Secure remote access
  – Never use telnet or ftp. Install OpenSSH (http://www.openssh.com/) for remote access (there are both Linux and Windows versions).

Defend Your Hosts with Freeware
• Penetration testing
  – After your system is set up, now try to break it.
    • Install OpenVAS
    • Test each port to determine what sort of listener is active
• Finally, once your security suite is complete, install the freeware version of Tripwire
  – Tripwire takes a "snapshot" of a large number of critical binaries on your system, and
  – stores that information encrypted and in an obscure place.

Defend Your Hosts with Freeware
• NMAP = Network Mapper (www.nmap.org)
  – Open source security scanner
  – Identify
    • Which hosts are up
    • What services are open
      • Potentially vulnerable to attacks
  – Example of usage: OS fingerprinting
    • sudo nmap -O -v xyz.com
• Wireshark (www.wireshark.org)
  – Freeware for network protocol analysis
  – Analyze packets and protocols
  – Used
    • Primarily for troubleshooting
    • To a lesser extent for detecting certain (low-grade) malware

Honeypots/Honeynets
• Divert an attacker from accessing critical systems
  – Collect information about the attackers' activity
  – Learn about attacker techniques by attracting attacks to a seemingly vulnerable host
• Encourage the attacker to stay on the system long enough for administrators to respond
• Can be passive or active (honey-monkey)
• Not used for legitimate services
• A honeypot should have comprehensive and reliable capabilities for monitoring and logging all activities
• Usually monitor unused address space (isolated)
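The Quarantine and Traceback slide and Figure 5.7 above describe two ways to trace a packet past a spoofed source address: routers store a hash of each forwarded packet for a while, or stamp packets with a router identifier. The following added example (not code from the lecture) simulates the first approach on a constructed topology: each router records a digest of every packet it forwards, and the victim walks upstream through routers that still hold the digest of the packet it received. The design assumption, stated in the code, is that the digest covers only the fields that stay constant hop by hop (TTL and checksum change at every router and are excluded), so that the victim's recomputed digest matches what the routers stored; the retention window and topology are constructed values.

```python
import hashlib

# Added example (not from the lecture): the "store a hash of each packet at routers"
# traceback idea from the Quarantine and Traceback slide, simulated on a constructed
# topology. Design assumption: the digest covers only the fields that stay constant hop
# by hop (TTL and checksum change at every router and are left out), so the victim can
# recompute the same digest the routers stored.


def packet_digest(pkt: dict) -> str:
    invariant = "|".join(str(pkt[k]) for k in ("src", "dst", "id", "payload"))
    return hashlib.sha256(invariant.encode()).hexdigest()


class Router:
    def __init__(self, name: str, retain_seconds: float = 60.0):
        self.name = name
        self.retain = retain_seconds
        self.store = {}  # digest -> time last forwarded (a real router would bound this store)

    def forward(self, pkt: dict, now: float) -> dict:
        """Record the digest, then hand on a copy with the TTL decremented."""
        self.store[packet_digest(pkt)] = now
        return dict(pkt, ttl=pkt["ttl"] - 1)

    def has_seen(self, digest: str, now: float) -> bool:
        t = self.store.get(digest)
        return t is not None and now - t <= self.retain


# Constructed topology: adjacency between the victim and routers R1..R4 (ingress links omitted)
TOPOLOGY = {
    "victim": ["R3"],
    "R3": ["R2", "R4", "victim"],
    "R2": ["R1", "R3"],
    "R1": ["R2"],
    "R4": ["R3"],
}


def trace_back(digest: str, routers: dict, now: float, start: str = "victim"):
    """Walk upstream from the victim through routers that still hold the digest.
    Returns the path of routers, nearest first; the last one is the ingress point."""
    path, visited, current = [], {start}, start
    while True:
        candidates = [n for n in TOPOLOGY.get(current, []) if n in routers and n not in visited
                      and routers[n].has_seen(digest, now)]
        if not candidates:
            return path
        current = candidates[0]
        visited.add(current)
        path.append(current)


def simulate_attack(routers: dict, send_time: float) -> dict:
    """A packet with a spoofed source enters at R1 and crosses R2 and R3 to the victim."""
    pkt = {"src": "198.51.100.9", "dst": "192.0.2.10", "id": 4711, "ttl": 64, "payload": "flood"}
    for hop in ("R1", "R2", "R3"):
        pkt = routers[hop].forward(pkt, send_time + 0.01)
    return pkt  # what the victim receives (TTL now 61, digest unchanged)


def build_routers() -> dict:
    return {name: Router(name) for name in ("R1", "R2", "R3", "R4")}


if __name__ == "__main__":
    routers = build_routers()
    received = simulate_attack(routers, send_time=1000.0)
    print(trace_back(packet_digest(received), routers, now=1005.0))   # ['R3', 'R2', 'R1']
    print(trace_back(packet_digest(received), routers, now=2000.0))   # [] (hashes expired)
```

The second call shows the limit the slide alludes to with "for some amount of time": once the routers' retention window has passed, the trail is gone, which is why traceback has to be started quickly after the quarantine decision rather than during a later audit.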