Honeypots & Honeynets
Adli Wahid
Contents
1. Objectives
2. Definition of Honeypot & Honeynets
3. Benefits & Risk consideration
4. Example of Honeypot tools
5. The Honeynet Project
Credits: David Watson (Honeynet Project) [email protected]
Objectives
1. Understand the concept of honeypots/honeynets and how they are deployed
2. Understand the value of honeypots and honeynets to security researchers and security response teams
3. Familiarize with different types of honeypots
4. Share experience deploying honeynets
Know Your Enemy
How can we defend against an enemy, when we don't even know who the enemy is?
(Lance Spitzner, 1999)
Know Your Enemy (2)
To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
(Mission Statement, The Honeynet Project)
Threat Intelligence, Indicators of Compromise
How do we detect attacks or vulnerabilities in our networks?
• Hint
• How do attackers do it?
• Name the controls that we have in place
• What are the limitations of the controls that we have in place?
• What are the targets & why?
Honeypots and Honeynets
• A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource
• Honeypot systems have no production value, so any activity going to or from a honeypot is likely a probe, attack or compromise
• A honeynet is simply a network of honeypots
• Information gathering and early warning are the primary benefits to most organisations
Honeypot and Honeynet Types
• Low-Medium Interaction (LI)
  • Emulates services, applications and OSs
  • Easier to deploy/maintain, low risk, but only limited information
• High-Interaction (HI)
  • Real services, applications and OSs
  • Capture extensive information, but higher risk and time intensive to maintain
Honeypot and Honeynet Types
• Server Honeypots
  • Listen for incoming network connections
  • Analyse attacks targeting the hosts, services and operating systems
• Client Honeypots
  • Reach out and interact with remote, potentially malicious resources
  • Have to be instructed where to go to find something malicious
  • Analyse attacks targeting client applications
Honeypot and Honeynet Pros/Cons
Pros
• Simple Concept
• Collect small data sets of high value
• Few False Positives
• Catch new attacks
• Low False Negatives
• Can beat encryption
• Minimal hardware
• Real-time alerting
Cons
• Potentially complex
• Need data analysis
• Only a microscope
• Detection by attackers
• Risk from compromises
• Legal concerns
• False negatives
• Potentially live 24/7
• Operationally intensive
Implementing Honeypot
Recap
Honeypots: Computer resource(s) to be probed and/or attacked
(Diagram labels: Evilness, Malware, Badness, Noise)
Why would you want to do this?
• By right, you should not expect any real activity or traffic to/from/in your honeypot
• Detect anomalous activities in your network or system?
  • Infected/Compromised computers
  • Misconfiguration
• Learn about attacks on the Internet (in the wild)
  • Context
  • Attack source and techniques
  • Vulnerabilities exploited
  • Information Sharing opportunities
• Improve overall security
Scenario 1: Generic 'Network-based Attack'
(Diagram: Host 1 and Host 2 connecting to the Honeypot (Target))
1. Connection initiated to Honeypot
2. Connect Back/Call-Home
What can you learn?
• Hosts that are trying to connect/scan you
  • Potentially already compromised or infected
• Scripts, binaries, files, tools fetched or dropped
• Requests being made, login attempts
• Packets, netflows
• Source of attack
• Relationships with other systems
• Commands potentially executed
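The two steps of Scenario 1 are easy to turn into a detection rule, because a honeypot has no production value: any flow toward it is a probe or attack, and any flow the honeypot itself opens is a connect-back/call-home that suggests it was compromised. Added example, not from the slides; the honeypot address and the sample flows are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed honeypot address (assumption for the example)
HONEYPOTS = {"10.0.0.50"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

def classify(flow: Flow) -> Optional[str]:
    """Honeypots have no production value, so any flow touching one is suspect.
    Direction says which slide step it is: inbound = probe/attack (step 1),
    outbound from the honeypot = connect-back / call-home (step 2)."""
    if flow.dst in HONEYPOTS:
        return "probe"
    if flow.src in HONEYPOTS:
        return "call-home"
    return None

def summarise(flows):
    """Who probed the honeypot, which ports they hit, and where it called out to.
    A non-empty call_home list means the honeypot itself needs attention."""
    probers, ports, call_home = Counter(), Counter(), set()
    for f in flows:
        kind = classify(f)
        if kind == "probe":
            probers[f.src] += 1
            ports[f.dport] += 1
        elif kind == "call-home":
            call_home.add((f.dst, f.dport))
    return {"probers": dict(probers), "ports": dict(ports),
            "call_home": sorted(call_home)}

# Constructed sample flows (documentation-range addresses, not real traffic)
SAMPLE = [
    Flow("192.0.2.10", "10.0.0.50", 22),
    Flow("192.0.2.10", "10.0.0.50", 23),
    Flow("198.51.100.7", "10.0.0.50", 445),
    Flow("10.0.0.50", "203.0.113.9", 6667),  # honeypot connecting out
    Flow("10.0.0.3", "10.0.0.4", 80),        # ordinary traffic, ignored
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```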
Scenario 2: Client-based Honeypot
(Diagram: Honeypot (Client-Side) connecting to Target)
1. Honeypot initiates connection
2. Analyse response
What can you learn?
• (0-days) or attacks on the Client Application (i.e. Web Browser)
• Learn about hosts/computers that are hosting malicious websites
  • <Iframes>
  • Javascript
  • Flash
  • PDF etc
Logs
• 2010:09:14:07:13:10 < honeypot> 2010-09-14 07:19:27 GMT 184.y.z.144 a05dfd7cca7771a7565a154d65f05ea2 http://domain.lv/inx/fx29id1.txt????
• 2010:09:14:07:13:11 < honeypot> 2010-09-14 07:19:30 GMT 184.y.z.144 8dcad47f3e32e7dc1aee59167e67c601 http://domain.lv/inx/fx29id2.txt?????
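Log lines like the two above (local timestamp, "< honeypot>" tag, GMT timestamp, host IP, MD5 of the fetched content, URL) are only useful once parsed and correlated: one host serving several samples, or one sample served under several URLs. Added example, not from the slides; the IPs, hashes and URLs in it are constructed, and the regex also accepts lines where the hash and URL are run together as in the extract.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One line = local timestamp, "< honeypot>" tag, GMT timestamp, host IP, MD5 of the
# fetched content, then the URL. The optional space copes with lines where the
# hash and URL are run together, as in the slide's extract.
LINE_RE = re.compile(
    r"^(?P<local>\S+) < honeypot> (?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) GMT "
    r"(?P<ip>\S+) (?P<md5>[0-9a-fA-F]{32}) ?(?P<url>\S+)$"
)

@dataclass(frozen=True)
class Fetch:
    utc: str
    ip: str
    md5: str
    url: str

def parse_line(line: str) -> Optional[Fetch]:
    """Parse one log line; malformed lines return None so a feed can be streamed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Fetch(m["utc"], m["ip"], m["md5"].lower(), m["url"].rstrip("?"))

def correlate(lines):
    """Index fetches by host and by payload hash: one host serving several samples,
    or one sample served under several URLs, both stand out in the result."""
    by_host, by_hash = defaultdict(set), defaultdict(set)
    for f in filter(None, map(parse_line, lines)):
        by_host[f.ip].add(f.md5)
        by_hash[f.md5].add(f.url)
    return {"hosts": {k: sorted(v) for k, v in by_host.items()},
            "payloads": {k: sorted(v) for k, v in by_hash.items()}}

# Constructed sample in the slide's format: IPs, hashes and URLs are made up
H1, H2 = "0" * 31 + "1", "0" * 31 + "2"
SAMPLE_LOG = [
    f"2010:09:14:07:13:10 < honeypot> 2010-09-14 07:19:27 GMT 192.0.2.144 {H1}http://example.invalid/inx/id1.txt????",
    f"2010:09:14:07:13:11 < honeypot> 2010-09-14 07:19:30 GMT 192.0.2.144 {H2} http://example.invalid/inx/id2.txt",
    f"2010:09:14:07:14:02 < honeypot> 2010-09-14 07:20:01 GMT 198.51.100.9 {H1} http://example.invalid/other/a.txt",
    "this line is malformed and must be skipped",
]
```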
Honeypot Systems
High Interaction Honeypot
• Think about your goals and objectives first
• Possible scenario
  • Set up a real system and give it an IP address (so it is reachable to something)
  • i.e. Install a Windows, Linux, Unix server
• Challenging to control & manage
  • What if attacker uses system to launch attack to other systems
  • Keeping the computer in a usable state
Open Source Systems
• Honeyd, Amun – (open multiple ports)
• Dionaea, Nepenthes (Malware)
• Kippo, Cowrie – SSH honeypot
• Glastopf – Web Honeypot
• Ghost – USB Honeypot
• Thug – Client Honeypot
• Conpot – Industrial System
Dionaea
• 2nd Generation low interaction honeypot
• Python, runs on *NIX
• IPv6 Support
• Goals
  • Detect both known and unknown attacks
  • Better protocol awareness
  • Vulnerability modules in scripting language
  • Shellcode detection using LibEmu
• Check out http://dionaea.carnivore.it
• Learn about attacks, malware and many more
Kippo
• Emulate SSH server
• Allow 'attacker' to log in using credentials (username and password)
• Environment allows limited commands – i.e. ping, who, and wget
• Record activities (keylog) of attackers and their activities
• Cowrie
  • Fork of Kippo
  • Also does Telnet honeypot
Glastopf Web Honeypot
• Minimalistic web server written in Python
• Scans incoming HTTP request strings
• Checks for remote file inclusion (RFI), local file inclusion (LFI) and SQL injection
• Signatures and dynamic attack detection
• Attempt to download attack payloads
• Search keyword indexing to draw attackers
• MySQL DB plus web console
• Integration with botnet monitoring & sandbox
• Visit www.glastopf.org
Ghost
• USB Honeypot
• Runs on Windows
• Many malware spread across systems using thumb drives (and bypass network containment strategies)
  • i.e. Stuxnet, Conficker
• Trick malware into thinking that a USB thumb drive has been inserted
• Captures malware written on USB
• More: https://code.google.com/p/ghost-usb-honeypot
Thug
• Low Interaction Client-based honeypot to emulate web browser
• Browser Personalities (i.e. IE)
• Discovering Exploit Kits, Malicious Websites
• Scenario – your website has been compromised and attacker placed a malicious script on your website
• Python vulnerability modules: ActiveX controls, core browser functions, browser plugins
• Logging: flat file, MITRE MAEC format, mongoDB, HPFeeds events + files
• Testing: successfully identifies, emulates and logs IE WinXP infections and downloads served PDFs, jars, etc from Blackhole & other attack kits
• More information
  • http://www.honeynet.org/node/827
VOIP Honeypots
• PBX deployment lacks security / exposed to the Internet
• Tools like SIPvicious are used to scan the Internet for PBX
• Miscreants exploit weak authentication & access control to make long distance calls
• Organisations lose $
• Honeypots can be used to identify source of attacks:
  o Artemisa
Canary - HoneyTokens
• Discover that you've been breached
• Tokens = a digital object - file(s), emails, webpage, image
• Deployed in certain location to detect (attract) malicious activities
• Example:
  • mail in inbox or mail server,
  • Files (PDF, HTML, Doc, XLS, etc) in file server, usb stick, webserver, cloud
  • Confidential.pdf, analysis.xls, networkdiagram.ppt
• Canary Tokens by Thinkst
  • https://www.canarytokens.org
  • http://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html
• Further reading
  o http://www.slideshare.net/chrissanders88/using-canary-honeypots-for-network-security-monitoring?from_action=save
Security Education
• USB Sticks
  • Associated with malware
  • Social Engineering or Targeted Attack
  • Create Awareness, test
• Canary Tokens
  • https://www.canarytokens.org
• Triggered! One of your canary drops was triggered.
  Channel: HTTP
  Time: 2016-05-26 05:47:49.009176
  Memo: usbstix-03
  Source IP: 203.119.X.Y
  User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.61.0
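The mechanics behind the "Triggered!" message above are small: mint a unique URL per decoy, record a memo saying where the decoy was planted, and alert on the first fetch of that URL, since nothing legitimate should ever request it. Added example, not Thinkst's code or the slides'; the beacon hostname, token format and sample hit are constructed.

```python
import secrets
from datetime import datetime, timezone

# token id -> memo saying where the decoy carrying it was planted (in-memory registry)
_TOKENS = {}

def issue_token(memo, base_url="https://canary.example.invalid"):
    """Mint a unique beacon URL to embed in a decoy, e.g. as a remote image in a
    document named confidential.docx left on a USB stick. Nothing legitimate
    should ever fetch it, so a single hit is a high-confidence alert."""
    token = secrets.token_hex(8)
    _TOKENS[token] = memo
    return f"{base_url}/{token}/pixel.gif"

def handle_request(path, source_ip, user_agent, when=None):
    """Beacon web server hook. Returns an alert in the shape of the slide's
    'Triggered!' message, or None when the path is not a token we issued
    (random scanner traffic should not page anyone)."""
    token = path.strip("/").split("/")[0]
    if token not in _TOKENS:
        return None
    when = when or datetime.now(timezone.utc)
    return {
        "channel": "HTTP",
        "time": when.strftime("%Y-%m-%d %H:%M:%S.%f"),
        "memo": _TOKENS[token],
        "source_ip": source_ip,
        # the User-agent tells you what opened the decoy (e.g. Word vs a crawler)
        "user_agent": user_agent,
    }

def format_alert(alert):
    """Render the alert as the one-line-per-field text the slide shows."""
    return "\n".join(
        ["Triggered! One of your canary drops was triggered.",
         f"Channel: {alert['channel']}", f"Time: {alert['time']}",
         f"Memo: {alert['memo']}", f"Source IP: {alert['source_ip']}",
         f"User-agent: {alert['user_agent']}"])

if __name__ == "__main__":
    url = issue_token("usbstix-03")
    hit = handle_request(url.split("/", 3)[3], "203.0.113.5",
                         "Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.61.0")
    print(format_alert(hit))
```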
Supporting Tools and Projects
• Cuckoo Sandbox
• Visualization
• The Honeynet Project
• HPFeed
• Information Sharing
• Log Analysis
Cuckoo Sandbox
• Automated Malware Analysis System
• Why not just use Anti-Virus?
• Analyze Windows executables, DLL files, PDF documents, Office documents, PHP Scripts, Python Scripts and Internet URLs
• Windows guest VMs in VirtualBox Linux
• Windows hooking/driver plus python modules for extracting and analysing sample executions
Cuckoo Sandbox (2)
• Analyze Binaries, Files captured in a honeypot
• Trace of relevant win32 API calls performed
• Dump network traffic generated (pcap)
• Creation of screenshots taken during analysis
• Dump of files created, deleted and downloaded by the malware during analysis
• Extract trace of assembly instructions executed by malware process
• http://cuckoobox.org
• http://www.malwr.com
Virustotal.com
• Site for analyzing malware samples (or unknown files)
• Let's scan some file
Traffic Analysis
• Full Packet Capture (PCAP)
  • Supporting tools (Wireshark, TCPDUMP, Moloch)
  • Consider size of file
• Netflow
  • Argus
  • SurfNet IDS
• Malicious Traffic or Not?
  • Snort
  • Bro IDS
Visualization
• Many of the tools do not really have a GUI
• Reporting / Presentation is key
• Many visualization tools
  • HPFeeds
  • PicViz
  • Afterglow
  • Gnuplot
  • Splunk
  • Plug-ins or front-end for many of the existing tools
Hardware
• Any (old) hardware with network interface
• Single board computers (i.e. Raspberry Pi)
• Virtualization is another option
Community - The Honeynet Project
• The platform for those interested in running, building and learning from honeypots
• http://www.honeynet.org
• Many Chapters from around the world
• Initiative for information sharing
  • HPFeeds
  • http://hpfeeds.honeycloud.net
• Google Summer of Code (GSOC)
Commercial Solutions?
• Canary Tools
  • https://canary.tools
  • http://arstechnica.com/security/2015/05/canary-box-aims-to-lure-hackers-into-honeypots-before-they-make-headlines/
• (older?)
  • Spector (Symantec)
  • Mantrap
Consider!
• Installing and playing with Honeypots to learn about security
• Deploying it internally to catch malicious activities
• Joining the Honeynet Project
• Sharing your experience and knowledge
• Happy Honeypotting!
Demo
1. Kippo, SSH Honeypot
  • Brute force
  • Compromise Linux/Unix servers, routers
2. Deployment Experience
  • The Modern Honeypot Network (MHN)
  • Framework for managing and deploying honeypots
Kippo Demo
MHN Installation
• Running multiple honeypots
  • http://threatstream.github.io/mhn/
• Setup Experience
  • Using LXC
  • Debian/Ubuntu Systems
  • Easy to add & Remove Honeypots
  • Data aggregated
• Supporting System
  • Moloch (http://molo.ch)
  • Maltrail (https://github.com/stamparm/MalTrail)
  • BRO IDS
• Other Free Tools
  • Let's Encrypt (TLS/SSL Certificates)
• Demo! (no picture please)
Moloch https://molo.ch
• Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system.
• A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly.
• Moloch is not meant to replace IDS engines but instead work alongside them to store and index all the network traffic in standard PCAP format, providing fast access.
• Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic.
Maltrail
• Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails
• Static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name to IP addresses
• Trails are pulled from
  • https://github.com/stamparm/MalTrail
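The core of a trail-based detector like the one described above is matching observed destinations and DNS names against a list in which a "trail" may be a domain (including its subdomains), a single IP or a CIDR range. Added example, not Maltrail's code; the trail list and the sample events are constructed.

```python
import ipaddress

# Constructed trail list in the spirit of Maltrail's static trails: a trail is a
# domain, a single IP or a CIDR range, mapped to where it was reported
TRAILS = {
    "bad.example.invalid": "constructed AV report",
    "203.0.113.0/24": "constructed blocklist",
    "198.51.100.77": "constructed user-defined list",
}

def load_trails(trails):
    """Split trails into domain entries and IP networks (single IPs become /32)."""
    domains, nets = {}, []
    for trail, source in trails.items():
        try:
            nets.append((ipaddress.ip_network(trail, strict=False), source))
        except ValueError:
            domains[trail.lower().rstrip(".")] = source
    return domains, nets

DOMAINS, NETS = load_trails(TRAILS)

def match(value):
    """Return (trail, source) when value is an IP inside a listed network, or a
    domain equal to or beneath a listed domain; otherwise None."""
    v = value.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(v)
    except ValueError:
        labels = v.split(".")
        for i in range(len(labels)):          # value itself, then each parent
            cand = ".".join(labels[i:])
            if cand in DOMAINS:
                return cand, DOMAINS[cand]
        return None
    return next(((str(n), s) for n, s in NETS if addr in n), None)

def scan(events):
    """events: (src_ip, dst_ip, queried_name_or_None) tuples, e.g. from netflow
    plus DNS logs. Each hit names the internal host and the trail it touched."""
    hits = []
    for src, dst, name in events:
        for field in (dst, name):
            hit = match(field) if field else None
            if hit:
                hits.append({"src": src, "indicator": field,
                             "trail": hit[0], "source": hit[1]})
    return hits

# Constructed events: the first two should match, the third is clean
SAMPLE_EVENTS = [("10.0.0.5", "203.0.113.42", None),
                 ("10.0.0.5", "192.0.2.1", "www.bad.example.invalid"),
                 ("10.0.0.8", "192.0.2.2", "good.example.invalid")]
```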
Recap
• How can we use Honeypots/Honeynet in our environment?
• How can it complement existing security countermeasures
  o Detection
  o Education
  o Response
• What if the honeypot does not receive anything – hits/traffic/etc?
Learn More!
• Play with one
  • Honeydrive Virtual Machine
  • https://bruteforce.gr/honeydrive
  • Linux based honeypot distro
  • Many tools & honeypot systems
• Deploy one yourself
  • Inside the organization
  • On the Internet/DMZ
• Participate in a project
  • Write Code
  • Help/Document
• Honeynet Project
  • http://www.honeynet.org
More Honeypots
• https://github.com/paralax/awesome-honeypots
• Joint Honeypot/Honeynet projects
  o Distributed Sensors?
  o Share data and observation?
  o Automated alerts
Questions?
Email: [email protected]:adliwahid
LinkedIn: Adli Wahid
Blog: https://blog.apnic.net