Client Honeypots - It’S Not Only The Network presented at HITBSecConf Malaysia 2006

by Michael L. Davis,

Tags: Security Web Monitoring Community Analysis Malware

Summary : Presentation Title:Presentation Details:The Client Honeypot is a new implementation of the classic honeypot concept. Honeypots create an environment that is unknown and monitored, therefore, all data entering the environment is suspect as the environment should not receive any data. Honeypots have generally been targeted at researching and analyzing network and operating system level attacks, however, New attacks, such as phishing, have exploited vulnerabilities within client applications such as web browsers in order to increase propagation, perform identity theft, fraud, or general mayhem.Client honeypot are being developed to solve the need of the research community. The community needs a set of tools to help analyze what sources of information are disseminating these threats, what the threats do, and ultimately devise ways to protect users from these threats. The initial implementation of the client honeypot focuses on providing data for use within analysis not automated analysis of the data.A Client Honeypot is a collection of applications that collectively help researchers and end users determine where threats are coming from, by actively searching or scraping the Internet, what those threats exploit to install themselves on the target system, and what information the malware collects. Information such as what files, registry keys, or sockets are accessed or created, in addition to lower level information such as what sites the malware communicates with and how the malware functions can also be obtained.About Michael DavisHe is an active developer and deployer of intrusion detection systems, with contributions to the Snort Intrusion Detection System. Michael is also a member of the Honeynet project where he is working to develop data and network control mechanisms for windows based honeynets.Michael also works with McAfee, Inc. a leader in anti-virus protection and vulnerability management, as a Special Projects Research Scientist where he performs confidential and cutting edge security research. Michael has also worked for companies such as 3com and managed two Internet Service Providers.Lastly, Michael is an active developer in the Open Source community and has ported many popular network security applications to the Windows platform including snort and honeyd. Currently, Michael is a contributing author to Hacking Exposed, the number one book on hacker methodology.Accomplishments:. Author of “Hacking Exposed”, the definitive Computer Security book. Speaker and trainer at security conferences including: Defcon, NSA/NIC Honeynet Security Conference, and FINSEC. Taught a Secure Programming course at Moraine Valley Community College. Porting Sebek, the HoneyNet kernel monitoring tool, to Windows NT/2000/XP. Ported the Snort Intrusion Detection System to Windows NT/2000/XP. Architected, Developed and deployed a secure 801.11 Wireless network covering Northern Illinois and parts of Texas