Honeypot 101
Emil Tan, Security+, GLEG, RHCSA/RHCT
Team Lead, Edgis
Research Guide, The Honeynet Project (Singapore Chapter)
The Honeynet Project
The Honeynet Project is a leading international 501(c)(3) non-profit security
research organisation, dedicated to investigating the latest attacks and
developing open source security tools to improve Internet security.
Founded in 1999, The Honeynet Project has contributed to the fight against
malware and malicious hacking attacks, and counts leading security
professionals among its members and alumni.
What’s a Honeypot?
An information system resource which has no production value.
Its value lies in unauthorised or illicit use of that resource.
Its value lies in being probed, attacked, or compromised.
Lance Spitzner (@lspitzner)
What can be used as a honeypot? Resources
Hardware (End-points, Servers, Standalone PCs, USB Sticks, etc.)
Software (Services, Files, etc.)
It’s all about the purpose of the honeypot
Purposes? Aims? Objectives?
Intelligence Gathering
Trend / Behaviour Analysis
Know Your Enemy (KYE)
Bait / Decoy
Narrow down further depending on who you are
Similar to Incident Response – SMEs v. MNCs v. Financial Institutions v. Military
High v. Low Interaction
High Interaction Honeypots
It is what it is (The actual thing)
Content Rich; The Actual Shell, Services, etc.
Low Interaction Honeypots
A program
Emulated services; limited interactivity
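To make the low-interaction idea concrete, here is an added example (not code from the slides, from Kippo/Kojoney or from The Honeynet Project) of a service that emulates nothing more than a telnet-style login prompt. There is no shell behind it: every connection gets a banner, up to three login attempts, and a "Login incorrect"; the only thing that is real is the data collection, one JSON line per attempt. The banner, listening port and log path are assumptions; the session logic is written over plain file objects so it can be exercised without a network.

```python
"""Minimal low-interaction honeypot: a fake telnet-style login prompt.

Added example. Emulates a login dialogue, never authenticates anything,
and records every credential pair it is offered. Limited interactivity is
the point: the attacker gets three prompts and a closed socket, not a shell.
"""
import json
import socket
import socketserver
import time

BANNER = b"\r\nUbuntu 14.04 LTS\r\n\r\n"     # assumed; match whatever you want to look like
MAX_ATTEMPTS = 3
MAX_LINE = 256                               # cap input so a client cannot make us buffer unboundedly
LOG_PATH = "fake_login_attempts.jsonl"       # assumed log location


def read_line(rfile, limit=MAX_LINE):
    """Read one line, stripping CR/LF. Returns None on EOF or if the line exceeds `limit`."""
    raw = rfile.readline(limit + 1)
    if not raw:
        return None
    if len(raw) > limit:
        return None          # oversize line: treat as abuse and end the session
    return raw.rstrip(b"\r\n").decode("utf-8", "replace")


def fake_login_session(rfile, wfile, peer, now=time.time):
    """Drive the fake login dialogue over a (reader, writer) pair.

    Returns the list of attempt records; the caller decides where they go.
    `peer` is the (ip, port) of the client, `now` is injectable for testing.
    """
    attempts = []
    wfile.write(BANNER)
    for _ in range(MAX_ATTEMPTS):
        wfile.write(b"login: ")
        wfile.flush()
        user = read_line(rfile)
        if user is None:
            break
        wfile.write(b"Password: ")
        wfile.flush()
        password = read_line(rfile)
        if password is None:
            break
        attempts.append({
            "ts": now(),
            "src": peer[0],
            "sport": peer[1],
            "user": user,
            "password": password,
        })
        wfile.write(b"\r\nLogin incorrect\r\n")   # always; there is nothing to log in to
    wfile.write(b"\r\n")
    wfile.flush()
    return attempts


def write_log(attempts, path=LOG_PATH):
    """Append one JSON object per attempt; JSON lines are easy to grep and aggregate later."""
    with open(path, "a", encoding="utf-8") as fh:
        for rec in attempts:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")


class FakeLoginHandler(socketserver.StreamRequestHandler):
    timeout = 30     # idle clients are dropped so one scanner cannot pin a thread forever

    def handle(self):
        try:
            attempts = fake_login_session(self.rfile, self.wfile, self.client_address)
        except (socket.timeout, ConnectionError):
            attempts = []
        write_log(attempts)


class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    # Unprivileged port; redirect 23 -> 2323 with a NAT rule if you want it to look like telnet (assumed).
    with ThreadedServer(("0.0.0.0", 2323), FakeLoginHandler) as srv:
        srv.serve_forever()
```

Two details worth keeping when you grow this into something like Kippo: the input cap and the idle timeout. A honeypot is a box you expect to be abused, so the emulated service itself must not become the resource-exhaustion target.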
What’s a Honeynet!?
A network of honeypots
What’s Considered a Good Honeypot?
Purposes / Aims / Objectives
Attractiveness
Stickiness
Data Collection
Where Do I Start?
High Interactions
Throw all the security tools in there! – NIDS, HIDS, keyloggers.
Who cares about false positives? (Nothing that reaches a honeypot is legitimate traffic.)
In-depth data capture tools – Sebek, Qebek, Capture-HPC, DPI
Egress Traffic Control – Snort Inline, iptables
Perimeter Control – Honeywall (Roo)
SSL Proxy & Traffic Analyser – HoneyProxy
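The egress control bullet above is the one that keeps a high-interaction honeypot from becoming an attack platform: a compromised box must be allowed a little outbound traffic (or the intruder notices and leaves) but never enough to scan or flood third parties. The following is an added example, not code from Honeywall, Roo or Snort Inline, that models the policy those tools enforce in the kernel: a per-protocol sliding-window budget of new outbound connections, with everything unbudgeted dropped. The limits and the sample event stream are assumptions constructed for the example.

```python
"""Outbound-connection limiter modelling honeywall-style egress control.

Added example (not Honeywall/Roo code). Each protocol gets a budget of new
outbound connections per window; once spent, further connections are
dropped until old ones age out. Protocols without a budget are dropped
outright, the safe default for a host you expect to be compromised.
"""
from collections import deque

# Assumed budgets (not Honeywall's real defaults): (max connections, window seconds).
LIMITS = {"tcp": (20, 3600), "udp": (20, 3600), "icmp": (50, 3600)}


class EgressLimiter:
    """Sliding-window budget for outbound connections from a honeypot."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.windows = {proto: deque() for proto in limits}   # timestamps of allowed connections
        self.dropped = []                                      # (ts, proto, dst) for each refusal

    def allow(self, proto, dst, ts):
        """Return True if a new outbound `proto` connection to `dst` at time `ts` may leave."""
        if proto not in self.limits:
            self.dropped.append((ts, proto, dst))
            return False
        limit, window = self.limits[proto]
        q = self.windows[proto]
        while q and ts - q[0] >= window:      # expire connections older than the window
            q.popleft()
        if len(q) >= limit:
            self.dropped.append((ts, proto, dst))
            return False
        q.append(ts)
        return True


def replay(events, limits=LIMITS):
    """Feed (ts, proto, dst) events through a fresh limiter in time order.

    Returns (allowed events, dropped events) so a policy can be checked
    against a recorded connection log before it is turned into firewall rules.
    """
    lim = EgressLimiter(limits)
    allowed = [ev for ev in sorted(events) if lim.allow(ev[1], ev[2], ev[0])]
    return allowed, lim.dropped


# Constructed sample: the compromised honeypot starts scanning a /24 one SYN per
# second, tries again an hour later, and at some point attempts a GRE tunnel.
SAMPLE = (
    [(t, "tcp", f"198.51.100.{t}") for t in range(1, 31)]
    + [(3600 + t, "tcp", f"203.0.113.{t}") for t in range(1, 6)]
    + [(10, "gre", "192.0.2.1")]
)

if __name__ == "__main__":
    ok, bad = replay(SAMPLE)
    print(f"allowed {len(ok)} connections, dropped {len(bad)}")
    for ts, proto, dst in bad[:3]:
        print(f"  t={ts:>5} {proto} -> {dst} dropped")
```

With the assumed limits the first 20 scan packets leave, the remaining 10 in that hour are dropped, the GRE attempt is dropped because nothing budgets it, and the retry an hour later is allowed again as the earliest connections age out. That last behaviour is the trade-off to be aware of: a patient attacker gets a slow trickle, which is exactly what makes the honeypot look real while capping the damage.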
Where Do I Start? (cont’d)
Low Interactions
The one that emulates everything (or the common services)! – Honeyd / Tiny Honeypot
Malware – Nepenthes, Dionaea, Honeytrap
Web Application – Glastopf
SSH – Kojoney, Kippo, Secure Honey
Client – Thug
ICS/SCADA – Conpot
USB Malware – Ghost USB
ENISA’s
Proactive Detection of Security Incidents
https://www.enisa.europa.eu/activities/cert/support/proactive-detection
My Beautiful Machines
Roo
Roo (cont’d)
Beeswarm
Kojoney (Low Interaction – SSH)
Kojoney (Low Interaction – SSH) (cont’d)
Kippo (Low Interaction – SSH)
Recorded TTYs by Leon van der Eijk (Chief Public Relations Officer)
Honeytrap (Low Interaction – Malware)
Dynamic reactions to incoming traffic
PCAP-based sniffer
ip_queue interface
Tarpit / sinkholes
Considerations
High or low interaction?
Which honeypot tools to use? Or should I create my own?
Physical or Virtual Environment?
Placed inside or outside my production environment?
Level of vulnerability?
Legal Considerations
Where To Go From Here?
Google Summer of Code (GSoC) – http://www.honeynet.org/gsoc
YouTube Channel – https://www.youtube.com/user/TheHoneynetProject
The Honeynet Project Workshop!
18 – 20 May 2015
Stavanger, Norway
Tutorials – http://edgis-security.org/lab-tutorials
Who’s Going to BSides London?
3rd June 2015
ILEC Conference Centre
CFP – http://bit.ly/BSidesLDN2015CFP
Call for Workshops – http://bit.ly/BSidesLDN2015CFW
Rookies Track – http://bit.ly/BSidesLDN2015Mentors