Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
30

Video Description

Capturing methods. This lesson discusses capturing methods. Capturing methods are ways of detecting and analyzing suspicious activity. Two capturing methods are honey pots and honey nets. A honey pot is an intentionally vulnerable machine set up to lure an attacker and goad them into attacking that machine. A honey pot is only useful if the prospective attacker does not figure out that it is a honey pot. A honey net is an entire network of honey pots. Honey nets are more intricate and more convincing, since they look like the beginning of a large enterprise network to a would-be attacker.

Video Transcription

00:04
Our last two network security appliances that we're gonna talk about are capturing methods. And what we mean by that is these are going to be different appliances that we can use to detect and help us analyze malicious activity. These are gonna be our honey pots and our honey nets. Now, honey pots are going to be
00:24
intentionally vulnerable machines that are used in order to
00:28
lure an attacker and try to goad them into connecting to that machine. Maybe it's a machine with a weak password, or we have an intentionally outdated or unpatched service running on that machine, so that it is
00:42
not extremely obviously vulnerable, but it's just vulnerable enough that it could lure someone who's trying to maliciously attack our network into jumping the gun and going right at it, because it's maybe something that's very easy to find and something that is obvious if they know what they're doing and they know how to look.
01:00
So
01:02
they find this honey pot. They find this intentionally vulnerable machine that we would want to be on its own segmented area of the network, on a virtual machine or on an actual physical machine, and we need this machine to essentially act as a canary,
01:19
a canary being something that
01:23
we set up that should never be touched. No one should be logging into this honey pot. No one should be logging in and doing work on this virtual machine. But if someone is, we get an alarm that's sent to us. And if we talk to our security team and say, Hey, is anyone logged into the honey pot doing some changes? and they say no, then
01:42
we know we've got someone. We've got someone on the line.
01:45
So
01:47
what we're going to do now is, our honeypot is rigged with all sorts of hidden cameras and microphones and logs. We're very, very consciously tracking what's going on with that honey pot, and we're trying to see what the attacker is going to do next.
02:05
What this does is it gives us insight into the attacker's methodologies,
02:08
and it gives us insight as to where else they might have tried to hit our network. If we know what they do, and we know how they work, then we can better protect ourselves against them. Think of a professional sports team watching video of the upcoming opposing team's film.
02:25
They watch that film. They see how they work, they see how they tick,
02:29
and they're able to block against it a bit better because they know their weaknesses and they know their strengths. So that's what our honeypot is there for.
02:39
Now this honey pot is gonna be useful if it's not detected as a honey pot. If we just set up a completely blank machine, a completely blank Windows XP Service Pack 1 machine with absolutely nothing on it, with a background of a honey pot, then this is going to be a very obvious honey pot to an attacker, and
02:59
an experienced attacker or someone who
03:01
knows what they're doing is going to immediately notice that, or they'll very quickly notice that, and they're not gonna do anything. They'll jump out, or they'll do something to throw us off, or do something to make us think, or get into our heads, essentially, because that
03:19
that honey pot, they're not gonna show us what they've got if they know that we're watching.
03:23
So we need to make sure that that honey pot is not extremely easily detected as a honey pot. We maybe want to throw a couple fake user accounts on there. Maybe we wanna have a security team log in and create some fake files. Make it look like an office manager's computer, where it has
03:43
a couple of orders for some office supplies, or
03:46
it has a couple memos to the office for the Christmas holiday party or the spring holiday party.
03:52
So we make it look like it's a real machine. If it's a virtual machine, we need to be careful, because virtual machines have a lot of very clear, telltale signs that can very quickly be detected, and if it is detected then the person might jump out, because they realize that it's a honey pot.
04:11
So we want to set up our honey pot. We wanna
04:13
set up our trap and very cleverly disguise it, so it looks like an actual machine without actually having data on it that is confidential or data that could be compromising to our company. And then we can use that as a machine to track the malicious user.
04:30
Now, this isn't for everyone. If we have a small business with
04:33
maybe 10 or 15 people that we're administrating in our network, we don't just set up a honey pot just for the heck of it.
04:41
Honeypot administration is very serious technical security work that allows us to track malicious activity in the network, allows us to do some security research on the network in general, or just do security research. Some large security companies will set up honeypot servers and honey net servers across the Internet
05:00
and wait for bots, or wait for
05:02
malicious attackers to come in so they can collect malware samples and create those signatures for the antiviruses that we were talking about earlier. So they're very serious security appliances, and there is a lot of management, and they require a bit of security knowledge as to how to prep and set these up and what to even do with them once they're triggered.
05:20
And then, past our honey pots, we have something called the honey net, and a honey net is actually an entire network or cluster of honey pots. And the reason we do this is to make things more convincing. If an attacker finds a vulnerable machine on our perimeter network and jumps into it, they're looking around and they say,
05:41
Okay, this machine, that's really convincing. But
05:44
this machine is not connected to anything else except the router. That's all it's connected to. Then that's gonna look a bit suspicious,
05:51
especially if they know that they're trying to attack a company that is a very large enterprise company, and they find one machine on the public network that's a little bit off. So a honey net is going to be an entire network and cluster of machines and servers and different aspects of our network
06:12
that make it actually look like the beginning of a very complicated, intricate network
06:15
that our attacker wants to get into further. Maybe we set it up and we make it look like we have 10 machines. And then there is another switch, and that's performing 802.1X, and that's going to connect to a AAA server. And right now, they're just stuck on one of those five machines.
06:32
They're able to scan and they're able to ping those other machines, and they say, Okay, there's more out there that we can explore,
06:39
and then we're watching as they're trying to get there. It doesn't mean we have to set up an entire enterprise that acts as a honey net, unless we're a large security company and that's what we're trying to do. That doesn't mean we need to set up an entire enterprise and dedicate a full staff of people to manage a honey net. But what we can do is we can just set up just enough virtual appliances
06:59
and set up and use just enough tools to simulate a virtual network
07:03
so that it looks like it's the beginning of a large enterprise. It's sort of like set building. It's sort of like the little fake towns that you see in Hollywood. You walk into an old Hollywood western town and you look around, and you're like, Oh, look, there's a bank and there's the jailhouse and there's three houses here and look at all this stuff,
07:21
and then, you know, you try to open one of the doors and there's nothing behind them. They didn't actually build a bank and a jailhouse and
07:29
a pub and everything else in the middle of a Western. They didn't build everything. They just built the facades, they just built the front of them. And that's sort of what we're going to do with our honey net. So again, remember, these are our honey pots and honey nets. They're going to be fake,
07:44
intentionally vulnerable mini networks that we use in order to try to capture malicious activity, so we can analyze it and we can better protect our networks.
07:53
So thank you for joining us here today on Cybrary. Today we talked about categorizing a couple of different types of network security appliances. We talked about our IDSes and our IPSes, we talked about our honey pots and our honey nets, and we talked about how we're able to use these network security appliances in our network and use them to better protect our network.
08:13
So hopefully you'll be able to take this knowledge and you'll be able to use it to
08:18
apply to your own network or use it in your studies for your Network+, and hopefully we'll be able to see you here next time on Cybrary.
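The canary idea from the lesson, written out as an added example that is not part of the original lesson or course: a small Python routine that treats any login attempt against the honeypot host as an alert and then checks which production hosts the same source addresses touched. The host name hp-office-mgr, the maintenance account sec-maint and the sshd log lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample sshd log lines (not from the lesson). "hp-office-mgr" is the
# hypothetical honeypot dressed up to look like the office manager's machine.
SAMPLE_LOGS = """\
Mar  3 09:12:01 fileserver01 sshd[2201]: Accepted password for alice from 10.0.5.14 port 51022 ssh2
Mar  3 09:13:44 hp-office-mgr sshd[4410]: Failed password for invalid user admin from 203.0.113.77 port 40122 ssh2
Mar  3 09:13:47 hp-office-mgr sshd[4410]: Failed password for root from 203.0.113.77 port 40122 ssh2
Mar  3 09:13:52 hp-office-mgr sshd[4412]: Accepted password for jsmith from 203.0.113.77 port 40130 ssh2
Mar  3 09:15:00 hp-office-mgr sshd[4420]: Accepted password for sec-maint from 10.0.9.2 port 50001 ssh2
Mar  3 09:20:10 fileserver01 sshd[2230]: Failed password for bob from 10.0.5.22 port 51100 ssh2
Mar  3 09:21:33 fileserver01 sshd[2231]: Failed password for root from 203.0.113.77 port 40200 ssh2
"""

HONEYPOT_HOSTS = {"hp-office-mgr"}      # hypothetical canary host name(s)
MAINTENANCE_ACCOUNTS = {"sec-maint"}    # hypothetical account the security team uses to plant decoy files

# Matches the standard sshd "Accepted/Failed password for [invalid user] <user> from <src>" line.
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)

@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    src: str
    result: str

def parse(log_text):
    """Yield the parsed fields of every sshd auth line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def canary_alerts(log_text, honeypots=HONEYPOT_HOSTS, maintenance=MAINTENANCE_ACCOUNTS):
    """Nobody should log into the honeypot, so every attempt (failed or not) is an alert,
    except sessions from the maintenance account that dresses the decoy."""
    return [Alert(f["host"], f["user"], f["src"], f["result"])
            for f in parse(log_text)
            if f["host"] in honeypots and f["user"] not in maintenance]

def related_activity(log_text, alerts, honeypots=HONEYPOT_HOSTS):
    """Production hosts the same source addresses also touched: the lesson's
    'where else might they have tried to hit our network' question."""
    sources = {a.src for a in alerts}
    return sorted({f["host"] for f in parse(log_text)
                   if f["host"] not in honeypots and f["src"] in sources})
```

On the constructed log, the three attempts from 203.0.113.77 against the honeypot are reported, the sec-maint session is not, and the same address shows up failing a root login on fileserver01.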

CompTIA Network+

This CompTIA Network+ certification training provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor