1. Introduction
Honeypots are information system resources which are deployed in order to be attacked and compromised. A Honeypot captures information about attacks, the motives of the attackers and the techniques used by the attackers (Sehgal et al., 2012; Vrable et al., 2005; Leita et al., 2008; Anagnostakis et al., 2005). This information is useful to defenders in developing robust mechanisms for the detection and mitigation of such internet attacks. When collected on a large scale by strategically deploying Honeypot sensors, this attack information can be converted into threat intelligence (IOCs, indicators of compromise), which is required by LEAs (Law enforcement agencies) for understanding the overall threat landscape and for early warning of any major attack incident. Organizations such as CERTs, security companies and academic research labs regularly need this threat intelligence as a feed for incident response, research and development purposes. To cater to the needs of these user communities, organizations such as (Team-Cymru, n. d.; Shadowserver, n. d.; abuse-ch, n. d.; SpamHaus, n. d.; NorseIPVIiking, n. d.; ATLAS, n. d.) are actively engaged in the large scale collection and processing of threat intelligence. These organizations offer threat feeds as a service to multiple user agencies. Standards such as (MAEC, n. d.; STIX, n. d.; TAXII, n. d.; OpenIOC, n. d.; CYBOX, n. d.) have emerged for the effective sharing and efficient usage of threat intelligence feeds. The organizations in the business of offering threat feeds as a service use Honeypots as the prime tool for capturing and collecting attack data. Worldwide, many projects such as (hoeynet.org, n. d.; GenIII Honeynets, n. d.; Honeynet.org, n. d.; UKHoneynet, n. d.; NOHA, n. d.; Vanderavero et al., 2004; honeytarg, n. d.) are actively engaged in capturing and collecting attack data using Honeypots.
Honeypots attract attackers by exposing network service vulnerabilities. Attackers targeting users connected to the internet are drawn to these vulnerabilities and attack the Honeypots. At the Honeypot, all communication with the attacker, along with the system level activities, is monitored, captured and logged. The exploitability of a Honeypot can be measured in terms of the Honeypot attack surface. The notion of system attack surface was first introduced by Howard (Howard, 2003), who proposed a method for measuring the attack surface of the Windows operating system. In the case of Honeypots, the attack surface can be defined as the complete set of vulnerabilities exposed by the Honeypot. These vulnerabilities are present in the network services running on the Honeypot and in their dependencies, which are indirectly accessible to the attackers. The Honeypot attack surface is a key factor affecting both the value and the volume of attack data captured by Honeypots.
To date, no standards have been available for the quantification of the Honeypot attack surface. In the work presented in this paper we have tried to quantify the Honeypot attack surface by modeling it. We have proposed a framework for baselining any high interaction Honeypot. The Honeypot baselining framework enables users to 1) enumerate the Honeypot system software, 2) model the attack surface and 3) identify and whitelist legitimate system activities. The outcome of the Honeypot baselining process is used as input for the attack to vulnerability mapping module. This module maps the successful attacks captured by the Honeypot to the vulnerabilities exposed by the Honeypot. This attack to vulnerability mapping leads to the detection of zero-day vulnerability exploitation attempts. In the work presented in this paper we explain the various phases of the Honeypot baselining process and demonstrate it with a sample case study for the Windows 8 operating system.
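As an added illustration, not code from the paper or its authors, the following Python sketch models the two ideas of the preceding paragraphs together: the attack surface as the set of vulnerabilities exposed directly by the network services and indirectly through their dependencies, and the attack to vulnerability mapping that uses the three baselining outputs (enumerated services, modeled attack surface, whitelist of legitimate activities) to decide whether a captured successful attack matches a known exposed vulnerability or should be reported as a zero-day exploitation candidate. All service names, vulnerability identifiers, component names and process names are constructed placeholders, and the matching rule (service selected by destination port, vulnerability selected by protocol-level attack vector, non-whitelisted activity taken as evidence of success) is an assumption of this example rather than the paper's own criteria.

```python
from dataclasses import dataclass

# Everything below is a constructed example: the vulnerability IDs, service
# names, component names and activity names are placeholders, not data
# from the paper and not real CVE identifiers.


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # constructed label, not a real CVE
    vector: str         # protocol-level attack vector an exploit must use


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    vulns: frozenset          # vulnerabilities in the service itself
    dependencies: tuple = ()  # components reachable only through this service


@dataclass(frozen=True)
class Baseline:
    services: tuple           # phase 1: enumerated network-facing software
    component_vulns: dict     # phase 1: vulnerabilities in shared components
    whitelist: frozenset      # phase 3: legitimate system activities


@dataclass(frozen=True)
class CapturedAttack:
    attack_id: str
    dst_port: int
    vector: str
    activities: tuple         # system-level activities logged during the attack


def service_for_port(baseline, port):
    """Find the enumerated service listening on the attacked port, if any."""
    return next((s for s in baseline.services if s.port == port), None)


def exposed_by(baseline, service):
    """Vulnerabilities reachable through one service: its own plus those of
    the components it depends on (indirectly accessible to the attacker)."""
    exposed = set(service.vulns)
    for dep in service.dependencies:
        exposed |= baseline.component_vulns.get(dep, set())
    return exposed


def attack_surface(baseline):
    """Phase 2: the complete set of vulnerabilities the honeypot exposes."""
    surface = set()
    for svc in baseline.services:
        surface |= exposed_by(baseline, svc)
    return surface


def map_attack(baseline, attack):
    """Attack to vulnerability mapping. Non-whitelisted activity is taken as
    evidence that the attack succeeded; if that evidence matches no exposed
    vulnerability, the attack is reported as a zero-day exploitation candidate."""
    evidence = [a for a in attack.activities if a not in baseline.whitelist]
    if not evidence:
        return {"attack_id": attack.attack_id, "verdict": "not successful",
                "matched": [], "evidence": []}
    svc = service_for_port(baseline, attack.dst_port)
    candidates = exposed_by(baseline, svc) if svc else set()
    matched = sorted(v.vuln_id for v in candidates if v.vector == attack.vector)
    verdict = "known vulnerability" if matched else "zero-day candidate"
    return {"attack_id": attack.attack_id, "verdict": verdict,
            "matched": matched, "evidence": evidence}


# --- constructed sample baseline and captured attacks (not real data) ---
SMB_V1 = Vulnerability("VULN-SMB-001", "smb_named_pipe")
HTTP_V1 = Vulnerability("VULN-HTTP-001", "http_path_traversal")
LIB_V1 = Vulnerability("VULN-PARSERLIB-001", "http_malformed_header")

BASELINE = Baseline(
    services=(
        Service("smb", 445, frozenset({SMB_V1})),
        Service("http", 80, frozenset({HTTP_V1}), dependencies=("parserlib",)),
        Service("rdp", 3389, frozenset()),          # no known exposed vulnerability
    ),
    component_vulns={"parserlib": {LIB_V1}},
    whitelist=frozenset({"svchost.exe", "lsass.exe", "explorer.exe"}),
)

ATTACKS = (
    CapturedAttack("A1", 445, "smb_named_pipe", ("svchost.exe", "cmd.exe")),
    CapturedAttack("A2", 80, "http_malformed_header", ("dropper.exe",)),
    CapturedAttack("A3", 3389, "rdp_channel", ("explorer.exe", "loader.exe")),
    CapturedAttack("A4", 80, "http_path_traversal", ("explorer.exe",)),
)


def run_mapping(baseline=BASELINE, attacks=ATTACKS):
    """Verdict per captured attack, for the constructed sample above."""
    return {a.attack_id: map_attack(baseline, a)["verdict"] for a in attacks}


if __name__ == "__main__":
    print(sorted(v.vuln_id for v in attack_surface(BASELINE)))
    for a in ATTACKS:
        print(map_attack(BASELINE, a))
```

In the sample, attack A2 is resolved to a vulnerability in the HTTP service's dependency rather than in the service itself, which is the "indirectly accessible" part of the attack surface; A3 produces non-whitelisted activity on a service with no known exposed vulnerability and is therefore the zero-day candidate; A4 leaves only whitelisted activity behind and is not counted as a successful attack at all.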