SESSION ID: FLE1-F04
#RSAC
Cloud Servers, Honeypots & ELK - The Path To Attaining Cyber-Hunting Nirvana!
Abhinav Singh
Security Researcher
@abhinavbom #malwaremustdie!
Disclaimer
The views expressed in this presentation are my personal views and do not necessarily reflect views of my employer. They do not represent (nor are they intended to represent) the positions, opinions or policies of my employer or any other company or person. This presentation is not intended to make product or deployment recommendations.
About Me
Security researcher. Speaker at Blackhat, Null, GroundZero etc.
Author: Metasploit Penetration Testing Cookbook (1st & 2nd Ed.)
Udemy Course On Metasploit.
Linkedin.com/in/abhinavbom
@abhinavbom
@MalwareMustDie!
AGENDA
Choosing and deploying your honeypots.
Cloud server instance (IaaS).
ELK stack (Elasticsearch, Logstash, Kibana).
Building intelligence.
Process, Patch and Hunt.
Conclusion.
Honeypots
A server or setup configured to detect an intruder by mirroring a real production system.
Isolated from the main network.
The intruder's activities are monitored, captured and stored.
Two classes: low-interaction and high-interaction.
Brief History Of Honeypots
1990-1991: First studies released by Clifford Stoll (The Cuckoo's Egg) & Bill Cheswick (An Evening with Berferd).
1996-1997: Deception Toolkit introduced by Fred Cohen.
1998: First commercial honeypot CyberCop Sting released.
1999-2000: Honeynet project came into existence.
2001-2005: Honeypot research becomes mainstream.
Focus shifts from honeypots to mainstream threat detection technologies.
Picking Your Honey!!
SSH: Kippo, Cowrie, Hornet.
Web Apps: Glastopf, Wordpot, ShockPot, Thug.
ICS/SCADA: Conpot, Gridpot.
Emails: Spambot, Spamhole.
Github.com/abhinavbom/awesome-honeypots
Multi-pots Setup
T-pot (by T-Mobile) - http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html
MHN (By ThreatStream) - https://github.com/threatstream/mhn
Cloud Servers (IaaS)
Virtual cloud servers, similar to virtualization.
On demand computing resources.
Scalability, reliability, high up-time.
Pay for what you use.
Amazon Web Services, Google Cloud, DigitalOcean, etc.
Basic Requirements and Cost Estimation
50 GB storage.
2 GB RAM.
Preferably Linux environment.
Approximate cost of $10/month.
ELK Stack
Logstash: Collect, Enrich & Transport.
Elasticsearch: Store, Search & Analyze.
Kibana: Explore, Visualize and Share.
Log Processing
Centralize data processing of all types.
Normalize varying schemas and formats.
A fast and convenient way to parse logs in a standardized manner.
https://www.elastic.co/products/logstash
Search & Indexing - Elasticsearch
Search server based on Lucene.
Distributed, scalable, and highly available.
Schema-free JSON documents, RESTful API.
Cross platform, open source.
https://www.elastic.co/products/elasticsearch
Elasticsearch Architecture
(Screenshots: Logstash.conf, Elasticsearch default web access, Elasticsearch.yaml)
Log Visualization with Kibana
Flexible analytics and visualization platform.
Real-time summary, charting and dashboard generation for streaming data.
Architected to work with Elasticsearch.
https://www.elastic.co/products/kibana
(Diagram: Log Source 1 to Log Source 4 feeding the ELK pipeline)
Discovering attack patterns
Brute-force attempts.
Successful authentication.
Command executions.
Attacker GeoIP location.
File uploads.
Malicious web requests.
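As an added illustration that is not part of the slides, the Python script below runs these detections (brute force by source IP, successful logins, most-tried credentials, most-run commands, file downloads) over a few constructed Cowrie-style JSON events; the eventid and field names follow Cowrie's JSON log format, while the IPs, credentials and the failure threshold are made-up assumptions. In the deck's setup the same aggregation is done by Logstash and Kibana rather than a script.

```python
import json
from collections import Counter

# Constructed sample in the shape of Cowrie's JSON log (eventid/src_ip/username/
# password/input/url are Cowrie's field names; IPs and values are made up).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"pi","password":"raspberry"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.9","username":"ubnt","password":"ubnt"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.9","input":"cd /tmp/.xs/"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.9","url":"http://example.invalid/x"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.33","username":"ubnt","password":"ubnt"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.33","input":"cd /tmp/.xs/"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.33","input":"uname -a"}
"""

BRUTE_FORCE_THRESHOLD = 3  # failed logins from one IP before flagging (assumed policy)


def analyze(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    """Summarize brute force, successful logins, credentials, commands and downloads."""
    failed, creds, commands = Counter(), Counter(), Counter()
    successes, downloads = [], []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip blank or corrupt lines rather than aborting the batch
        eid, ip = ev.get("eventid", ""), ev.get("src_ip", "?")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
            if eid == "cowrie.login.failed":
                failed[ip] += 1
            else:
                successes.append(ip)
        elif eid == "cowrie.command.input":
            commands[ev.get("input", "")] += 1
        elif eid == "cowrie.session.file_download":
            downloads.append((ip, ev.get("url")))
    return {
        "brute_force_ips": sorted(ip for ip, n in failed.items() if n >= threshold),
        "successful_logins": successes,
        "top_credentials": creds.most_common(3),
        "top_commands": commands.most_common(3),
        "file_downloads": downloads,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```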
Analytics dashboard
Displays saved visualizations and queries in groups and charts.
Each visualization consists of resizable containers.
Interactive and detailed.
Manual Insight based on Visual Data
Observing peaks and lows.
Location patterns.
Correlating Events from multiple sources.
OSINT.
Ubnt:Ubnt
Default factory set password for Ubiquiti Networks appliances.
The product range spans CCTV, VoIP, routing, etc.
http://www.extremetech.com/computing/205525-anonymous-may-have-hijacked-thousands-of-routers-for-zombie-botnet
Top Command Executions
Something special about /tmp/.xs/…
http://blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/
Web Attacks
Trying Blind SQLi.
Unconditional redirects.
Malicious Command injections through web requests.
CMS plugin exploits (WordPress, Joomla, etc.).
Attacking Your Own Honeypots
Mimic the frequent activities captured in your logs: fingerprinting the fingerprints.
Scan (attack) your honeypot.
Detect leakage (based on your attacks).
Patch the code.
Attack your honeypots and detect Leakage
Patch The Code
Fork the project and add your modifications.
Open an issue with the developers for a fix (less reliable).
Randomize as much as possible.
See you at “The HoneyNet Project” - www.honeynet.org/project