
© 2007 The MITRE Corporation. All rights reserved

OWASP Conference, 06 Sep 2007

Information Assurance

Using Honeyclients for Detection and Response Against New Attacks

Kathy Wang

MITRE Corporation

[email protected]


Problem

• Client-side exploits are a growing threat
  – Lots of client-side vulnerabilities: Microsoft Internet Explorer has had more than 50 serious vulnerabilities in the last 6 months (SecurityFocus database)
  – Lots of client-side exploits: 90% of all PCs harbor spyware (Webroot, 2006)

• We need to be able to proactively detect and characterize client-side attacks before we get hit

• We lack a proactive detection technology for client-side attacks


Example of an Emerging Threat

• Contagion worm-like attacks
  – Paxson, et al., How to 0wn the Internet in Your Spare Time
  – Wheel-and-spoke client-server infection model
  – Requires two exploits, one for the client, one for the server

[Diagram: a Vulnerable Client visits a Contagion Worm Loaded Server and becomes Infected; the infected client then visits Vulnerable Servers, which in turn become Infected]


Contagion Worm Model Assumptions

Assume:
– 1M vulnerable clients in the world
– 1M vulnerable web servers in the world (out of 10M web servers)
– 1K popular servers
– Clients surf one server per minute
– Clients have a 90% chance of visiting a popular server, 10% chance of visiting an unpopular server
– Contagion worm begins on one unpopular server


Possible Contagion Worm Propagation

[Chart: Contagion Worm Propagation. X axis: Time Elapsed (mins), 1 to 51. Y axis: % Infected, 0 to 100. Series: Vulnerable Web Clients, Popular Web Servers, Unpopular Web Servers]
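A worked version of the model on this slide and the previous one, written as an added Python example (not code or data from the talk): a deterministic expected-value simulation of the slide's assumptions, one visit per client per minute. It adds one assumption the slide does not state, that all 1K popular servers are vulnerable, and models the number of infected-client visits a server receives per minute as Poisson.

```python
import math

# Parameters taken from the slide's assumptions (constructed model, not MITRE code).
CLIENTS = 1_000_000          # vulnerable clients in the world
SERVERS = 10_000_000         # all web servers
VULN_SERVERS = 1_000_000     # vulnerable web servers
POPULAR = 1_000              # popular servers
P_POPULAR = 0.9              # chance a client's one visit per minute goes to a popular server
# Assumption not stated on the slide: every popular server is vulnerable.
VULN_UNPOPULAR = VULN_SERVERS - POPULAR
UNPOPULAR = SERVERS - POPULAR


def step(ic, ip, iu):
    """One minute of expected-value (mean-field) propagation.
    ic, ip, iu = infected clients, infected popular servers, infected unpopular servers."""
    # A client is infected if the one server it visits this minute is already infected.
    p_client = P_POPULAR * ip / POPULAR + (1 - P_POPULAR) * iu / UNPOPULAR
    new_ic = ic + (CLIENTS - ic) * p_client
    # A vulnerable server is infected if at least one infected client visits it.
    # Visits per server are modelled as Poisson, so P(at least one) = 1 - exp(-expected visits).
    new_ip = ip + (POPULAR - ip) * (1 - math.exp(-P_POPULAR * ic / POPULAR))
    new_iu = iu + (VULN_UNPOPULAR - iu) * (1 - math.exp(-(1 - P_POPULAR) * ic / UNPOPULAR))
    return new_ic, new_ip, new_iu


def simulate(minutes=60):
    """Return per-minute infected fractions (clients, popular servers, unpopular servers)."""
    ic, ip, iu = 0.0, 0.0, 1.0  # seed: the worm starts on one unpopular server
    history = []
    for _ in range(minutes):
        ic, ip, iu = step(ic, ip, iu)
        history.append((ic / CLIENTS, ip / POPULAR, iu / VULN_UNPOPULAR))
    return history


def minutes_to_reach(history, series, threshold):
    """First minute (1-based) at which `series` (0=clients, 1=popular, 2=unpopular)
    reaches `threshold`, or None if it never does within the run."""
    for minute, row in enumerate(history, start=1):
        if row[series] >= threshold:
            return minute
    return None


if __name__ == "__main__":
    hist = simulate()
    for m in (1, 5, 7, 10, 30, 60):
        c, p, u = hist[m - 1]
        print(f"minute {m:2d}: clients {c:7.2%}  popular {p:7.2%}  unpopular {u:7.2%}")
    print("clients reach 50% at minute", minutes_to_reach(hist, 0, 0.5))
```

The run reproduces the shape the chart shows: once the popular servers are seeded, clients and popular servers saturate within minutes, while the long tail of unpopular servers, each visited rarely, fills in slowly.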


A New ‘Business’ Model


Another Business Model


Current Situation

• Current coverage of client-side exploits is inadequate
  – Over 50% of recent vulnerabilities are client-based (SecurityFocus)
  – Only 1.5% of Snort Intrusion Detection System signatures are based on client-side attacks (www.snort.org)

• Honeypots
  – Detect server-side attacks
  – Passive devices

• Current methods of client-side exploit detection are reactive
  – Anti-virus
  – Anti-spyware
  – Clueful users


Background - Honeyclients

• Honeyclients provide the capability to proactively detect client-side exploits
  – A honeyclient is a system that drives a client application to potentially malicious servers
  – Any changes made on the honeyclient system are unauthorized: no false positives!
  – We detect exploits even without prior signatures


Basic Honeyclient Package

[Diagram: a Honeyclient running in a Windows VM on a Linux Host sends a Request to, and receives a Response from, a Malicious Server across the Internet over a Dedicated DSL line; the Linux Host keeps Traffic logs and a Client-side Exploit Database]

Prototype Capabilities
• Baseline integrity
• Drive IE
• Extract URLs
• Recurse (Internal)
• Integrity checks
• Recurse (External)
• Virtual host
• Protective firewall
• Exploit DB
• Image rotation
• Modular clients
• Traffic history
• Secure logging
• Memory checks
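The baseline-and-compare check behind "Baseline integrity" and "Integrity checks" on this slide and the no-false-positives argument on the previous one, as an added Python illustration (not code from the MITRE honeyclient package): hash every file before the browser is driven, hash again afterwards, and report each added, deleted or modified file, since nothing is authorized to change on a honeyclient while it browses. The toy directory layout and file names are constructed; the hosts-file removal and dropped binary mirror the kinds of findings shown on the case slides later in the deck.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline integrity: map every file under root (POSIX-style relative path)
    to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def integrity_check(baseline, current):
    """Compare the post-browsing snapshot with the baseline. Nothing is supposed to
    change on a honeyclient while it browses, so every entry returned is a finding."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed run: baseline a toy file tree, apply the kinds of changes the
    case slides show (hosts file gone, settings altered, unknown binary dropped), re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "browser").mkdir()
        (root / "browser" / "prefs.ini").write_text("homepage=about:blank\n")
        before = snapshot(root)          # taken before the browser is driven anywhere
        # Constructed post-visit state standing in for what a drive-by might leave behind.
        (root / "etc" / "hosts").unlink()
        (root / "browser" / "prefs.ini").write_text("homepage=http://example.invalid/\n")
        (root / "browser" / "update.exe").write_bytes(b"MZ" + bytes(16))
        after = snapshot(root)           # taken after the visit
        return integrity_check(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

On a real honeyclient the same diff is taken over the guest's file system and registry, and the VM is then rolled back to the baseline image before the next site is visited.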


Current Situation

• Attackers are starting to include honeyclient avoidance technologies on malicious servers
  – Repeated visits from identical IPs result in blocked access to some malicious sites (SANS Internet Storm Center)
  – Detection of spidering from honeyclients led to redirection to benign sites (Robert Danford)


Technical Approach: Add Advanced Capabilities to Counter Attackers

• Honeyclients should be able to:
  – Detect kernel-modifying rootkits
    · Improve our integrity checks further
    · Analyze virtual hard drives outside of the VM environment
  – Thwart exploits that detect virtual machine environments
    · Add honeyclient capability for a physical sandbox environment
    · A PXE boot image may allow us to network boot images quickly on real hardware
  – Handle active content sites
    · Be able to access and download content from these sites
    · Automated mouse clicking technology is available
  – Be difficult to distinguish from human activity
    · Attackers now recognize, and will actively counter, honeyclients
    · Develop human-like web crawling algorithms


Human-like Honeyclient Prototype

• Link scoring (good vs. bad words, link location)
• Browsing order for links (breadth vs. depth)
• Bandwidth footprint (humans do not access links at the same speeds)


Current Situation

• Each honeyclient can only cover so many sites
  – Need to coordinate efforts to improve coverage
  – No capability exists for distributed scanning
    · Individual honeyclients can scan redundant servers
    · There is no central reporting mechanism
  – The above restrictions limit the depth and breadth with which we can effectively cover the Internet


Technical Approach: Increase Our Coverage of Servers

• Design and deploy distributed honeyclients
  – Sponsors are asking for this in order to coordinate efforts
  – The Berkeley Open Infrastructure for Network Computing (BOINC) project has a framework for distributed computing
  – This will result in much better coverage of the servers on the Internet


Distributed Honeyclient Prototype

[Diagram: several Virtual Hosts, each running a Honeyclient, browse servers on the Internet (legend: Bad server, Good server) and each sends a Report to a Central Repository]


Technical Approach: Gather and Correlate Honeyclient Data

• Trend spotting of collected data and statistical correlation
  – What percentage of all servers are malicious?
  – How do exploits spread from one server to another?
  – Are there clusters of servers that become malicious around the same time? (i.e., can we infer the control structure of the malicious server community?)

• Expand existing exploit database

• Share results of correlation with community


Future Application for Honeyclients

Using Honeyclients to Detect Malicious Emails

[Diagram: an Email Server and a Virtual Host running a Honeyclient; legend: Non-malicious email, Malicious email]

1. Email server sends email URLs and attachments to the honeyclient for processing
2. Honeyclient runs checks and notifies the email server of bad URLs and/or attachments
3. Only emails that pass the checks are forwarded to the recipient


Impact and Technology Transition

• We plan to pilot honeyclient technology for several sponsors

• Industry plans to run honeyclients
  – Verizon
  – Google
  – Symantec

• Products and standards
  – Contact vendors about new vulnerabilities in client applications


Why Should You Run Honeyclients?

Operational benefits

– Increase your visibility of emerging client-side threats

– Malware collection and analysis

– Share your results, and obtain other organizations’ results

Networking benefits

– Group forum meetings

– Government, industry, academic participation

– Discussion on latest trends in client-side exploits


Why Should You Run Honeyclients?

Cost benefits

– HoneyClient package and Linux OSes are open-sourced

– VMWare Server is free

– Your costs: hardware, Internet connection, Windows license, analysts

Other factors to consider

– Your private data will not be leaked

– Opportunity to provide public service through data sharing


Demonstration


Some Honeyclient Case Examples

<Disclaimer>
Please DO NOT go to any of the sites on the following slides unless you REALLY know what you’re doing!!!
</Disclaimer>


www.world0fwarcraft.net (Changes)

Suspicious file


www.world0fwarcraft.net (Changes)

Where’s the /etc/hosts file??? Definitely suspicious


www.world0fwarcraft.net (Scans)


www.sharky.in (Changes)

Suspicious behavior, let’s check it out further!


www.sharky.in (Changes)

This definitely doesn’t look good…


www.sharky.in (Scan)

Poor results on scans…


www.exploitoff.net (Changes)

OK. Let’s check this out.


www.exploitoff.net (Changes)

Definitely not normal…


www.exploitoff.net (Changes)

More badness…


www.exploitoff.net (Scans)

Note that this binary is very poorly identified…


www.haaretz.com (Changes)

So many bad sites, so little time…


www.haaretz.com (Changes)

What is this ’46W9GLCI.htm’ file anyway???

Trying to add a printer???


www.haaretz.com (Changes)

Here it is again…


www.haaretz.com

Clearly, a hacker with a political agenda!


ns1.hosting101.biz

Yikes! Very, very bad sign…


Additional Project Information

Our project website: http://honeyclient.mitre.org

Send us email, and we will add you to the mailing list: [email protected]

We need beta testers! http://www.honeyclient.org/trac/wiki/download

Developers are welcome too! An SVN repository is available; let us know if you’d like access