Intrusion Detection Systems
Lecture #4: Honeypots

Matthijs Koot ([email protected])
Faculteit van Natuurwetenschappen, Wiskunde en Informatica
Universiteit van Amsterdam

2008-04-10 / SNE-IDS college ’07-’08

Outline (also shown as the sidebar on every slide)
- Definitions, purpose
- History
- How honeypots work
  - HoneyD
  - Honeynet, Honeywall
  - MWCollect: Nepenthes, HoneyTrap and HoneyBow
- Outlook
  - Limitations
  - Recent topics
  - Honeynet Research Alliance
- Summary



Definitions: ‘honeypot’.

Definition: A honeypot is a [sacrificial] security resource whose value lies in being probed, attacked or compromised.
Source: “Honeypots: Tracking Hackers", Lance Spitzner, 2002 (book)


Purpose of a honeypot.

The two main purposes of a honeypot:
- Research
  - Attract blackhats
  - Reveal blackhat tactics, techniques, tools (KYE)
  - Reveal motives/intentions (?)
  - Mostly universities, governments, ISPs
- Protection
  - Deter blackhats from real assets
  - Provide early warning
  - Mostly governments, large enterprises
- Purpose may determine honeypot functionality and architecture


Definitions: ‘honeynet’ and ‘honeywall’.

Definition: A honeynet is a network of [high-interaction] honeypots.

Definition: A honeywall is a layer-2 bridge that is placed in-line between a network and a honeynet, or between a network and a honeypot, to uni- or bidirectionally capture, control and analyze attacks.

Definition: A honeytoken is a honeypot which is not a computer.


Warning.

WARNING: In real life, “Honeynet"/“honeynet" and “Honeywall"/“honeywall" are sometimes used ambiguously, referring both to the concepts and to their prevalent implementation (think ‘DNS’ versus ‘bind’). This also explains any inconsistencies in (my) use of CaPiTaLiZaTiOn.


Psychology behind a honeypot.

In its protective form, a honeypot is designed on deception and intimidation (Fred Cohen, 2001):
- Concealment
- Camouflage
- False/planted information (honeytokens)
- Feints, lies, et cetera
  - E.g. false claims that a facility is being watched by law enforcement authorities


Functional requirements of a honeypot.

Functional requirements of a honeypot include:
- Data control (important!)
- Data capture
- Data collection (for large-scale honeynets)
- Data analysis


Taxonomy of honeypots.

Honeypots may be distinguished by their properties:
- Level of interactivity
- Data capture
- Containment (= ‘data control’)
- Distribution appearance
- Role in N-tier architecture
- Communication interface (API, NIC, ...)

Source: “Taxonomy of Honeypots", Seifert, Welch & Komisarczuk, 2006


Taxonomy of honeypots.

[Figure: classification tree from the taxonomy paper. Root node "Honeypot", branching on:
- Interaction level: High | Low
- Data capture: Intrusions | Events | Attacks | None
- Containment: Defuse | Block | Slowdown | None
- Distribution appearance: Distributed | Stand-alone
- Communication interface: Software API | Non-Network Hardware IF | Network IF
- Role in an N-tier architecture: Client | Server]


Level of interactivity: low.

[Figure: layer diagram of a low-interaction honeypot; labels shown: fake daemon, operating system, other local resources, harddisk.]

Reconstructed from source: “Honeypots", R. Baumann, C. Plattner (diploma thesis), 2002


Level of interactivity: mid.

[Figure: layer diagram of a mid-interaction honeypot; labels shown: fake daemon, operating system, other local resources, harddisk.]

Reconstructed from source: “Honeypots", R. Baumann, C. Plattner (diploma thesis), 2002


Level of interactivity: high.

[Figure: layer diagram of a high-interaction honeypot; labels shown: fake daemon, operating system, other local resources, harddisk.]

Reconstructed from source: “Honeypots", R. Baumann, C. Plattner (diploma thesis), 2002


History of honeypots.

- 1990: real systems
  - Deploy unpatched systems in default config on unprotected network (‘low-hanging fruit’)
  - Easy to deploy
  - High-interaction, high-risk
  - Nice reading: “Cuckoo’s Egg” by Clifford Stoll
- 1998: service/OS emulation
  - Deception Toolkit, CyberCop Sting, KFSensor, Specter
  - Easy to deploy
  - Low-interaction, low-risk
- 1999-current: virtual systems
  - HoneyD, Honeywall, Qdetect, Symantec Decoy Server (≈’03/’04)
  - Less easy to deploy
  - Mid/high-interaction, mid/high-risk


History of the Honeynet Project.

- 1999: Lance Spitzner (Sun) founds Honeynet project
- 1999-2001, GenI: PoC, L3+ (modified IP-headers)
- 2001-2003, GenII: GenI + bridging (no TTL, harder to detect)
  - 2003: Release of Eeyore Honeywall CD-ROM
- 2003-current, GenIII: GenII + blocking (Honeywall)
  - 2005: Release of Roo Honeywall CD-ROM
- future: ‘GenIV’ refers to next-gen analysis capabilities

Honeynet.org is home to the ‘KYE papers’ and has many refs to academic work! They are also known for the Scan of the Month (SotM) challenges, which alas appear to have stopped in 2005.


HoneyD.

- Run multiple virtual IP-stacks in parallel (+ routing)
- Mid-interaction OS/service emulator
  - Emulates SMTP, FTP, HTTP, ...
  - Easily extendible through customizable scripts
- TCP/IP fingerprint spoofing through ‘personalities’
  - Impersonate Win32 on your favorite UNIX flavor (which should be MINIX), fooling nmap and xprobe
  - Fake WinSize, DF, ToS, ISN, ...
  - Fake packet loss, TTL, latency
- First released in 2002 by Niels Provos (the guy from outguess/stegdetect)


HoneyD.

[Figure: HoneyD architecture. Components shown: libpcap (packets in) and libnet (packets out), a personality engine in front of a userland IP-stack handling ICMP, UDP and TCP, and services realized by an external program or a proxy.]

Reconstructed from source: http://md.hudora.de/presentations/2005-bh-honeypots-03-honeyd.pdf


HoneyD.

Applying the mid-interaction model to HoneyD: HoneyD servicing incoming requests on port TCP/21 by executing fake-ftpd.sh.

[Figure: same layer diagram as before; labels shown: HoneyD listening on tcp/21, operating system, other local resources, fake-ftpd.sh.]
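What such a service script does in practice: HoneyD hands the accepted connection to the script over stdin/stdout, and the script talks FTP back without any real filesystem behind it. The Python below is an added example written for this page (a stand-in for the slide's fake-ftpd.sh, not HoneyD's own script): `ftp_reply`, `run_session` and `capture_lines` are my names, the banner is constructed, and `HONEYD_IP_SRC` is assumed to be the environment variable HoneyD sets to the peer address (the script falls back to "unknown" when run by hand).

```python
"""Added example: a fake FTP daemon in the HoneyD service-script model.

HoneyD hands an accepted TCP/21 connection to a script over stdin/stdout; the
script answers like a daemon but exposes no real resource (the mid-interaction
model). Illustrative stand-in for the slide's fake-ftpd.sh, not HoneyD's own
script. HONEYD_IP_SRC is assumed to be the variable HoneyD sets for the peer
address; it is absent when the script is run by hand.
"""
import os
import sys
import time

# Constructed banner: what the fake daemon claims to be.
BANNER = "220 FTP server ready."


def ftp_reply(command, state):
    """Answer one FTP command line; returns (reply, keep_session_open).

    `state` accumulates what we want captured: the claimed user name, every
    USER/PASS pair, and verbs tried before login. Logins always fail, so the
    attacker never gets past the login dialogue."""
    parts = command.strip().split(" ", 1)
    verb = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else ""
    if verb == "USER":
        state["user"] = arg
        return "331 Password required for %s." % arg, True
    if verb == "PASS":
        state.setdefault("attempts", []).append((state.get("user", ""), arg))
        return "530 Login incorrect.", True
    if verb == "SYST":
        return "215 UNIX Type: L8", True
    if verb == "NOOP":
        return "200 NOOP ok.", True
    if verb == "QUIT":
        return "221 Goodbye.", False
    if verb == "":
        return "500 Invalid command.", True
    # Anything else (LIST, RETR, STOR, SITE, ...) is refused until login,
    # which never succeeds; the verb itself is still recorded.
    state.setdefault("commands", []).append(verb)
    return "530 Please login with USER and PASS.", True


def run_session(lines, state=None, send=None):
    """Drive a whole session over an iterable of command lines.

    Returns the replies produced (banner first). `send`, when given, is called
    with each reply as it is produced so main() can stream it to stdout."""
    state = {} if state is None else state
    sent = []

    def emit(reply):
        sent.append(reply)
        if send is not None:
            send(reply)

    emit(BANNER)
    for line in lines:
        reply, keep_open = ftp_reply(line, state)
        emit(reply)
        if not keep_open:
            break
    return sent


def capture_lines(state, peer, now=None):
    """Data capture: one log line per credential attempt, destined for the
    central log (here written to stderr; a real deployment would append to a
    log file the honeywall collects)."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(now))
    return ["%s ftp-login-attempt src=%s user=%r pass=%r" % (stamp, peer, u, p)
            for u, p in state.get("attempts", [])]


def main():
    state = {}
    peer = os.environ.get("HONEYD_IP_SRC", "unknown")  # assumed HoneyD variable

    def send(reply):
        sys.stdout.write(reply + "\r\n")
        sys.stdout.flush()

    run_session(sys.stdin, state, send)
    for line in capture_lines(state, peer):
        sys.stderr.write(line + "\n")


if __name__ == "__main__":
    main()
```

In HoneyD's configuration syntax the script is attached to a template with a line of the form `add default tcp port 21 "python3 fake-ftpd.py"` (the file name is hypothetical). The point of the mid-interaction model is visible in `ftp_reply`: the daemon is convincing enough to collect credentials and command attempts, yet no code path ever touches the host's files or spawns a shell.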


Honeynet, Honeywall.

The basic idea of a Honeynet/Honeywall:

[Figure (titled “Theory” in the source deck): the Internet connects through a Honeywall to the honeypots. Inbound: No Restrictions. Outbound: Connections Limited, Packets Scrubbed.]

Source: http://assert.uaf.edu/workshop06/slides/rdodge.pdf
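The two outbound rules in the figure are the honeywall's data control, the requirement the earlier slide marks as "important!". The Python below is an added example written for this page, not the Honeynet Project's rc.firewall or snort_inline: `Honeywall`, `replay` and `demo` are my names, and the connection ceilings, window length, signature bytes and event list are all constructed for the demonstration.

```python
"""Added example: the honeywall's data-control decisions in miniature.

Not the Honeynet Project's rc.firewall or snort_inline; an illustration of the
two rules the figure states. Inbound traffic is unrestricted; outbound
connections from a honeypot are counted per protocol in a sliding window and
blocked past a ceiling; outbound payloads matching a known pattern are
scrubbed. Limits, window, signatures and events below are constructed.
"""
from collections import defaultdict, deque


class Honeywall:
    def __init__(self, honeypots, limits, window_seconds=3600, signatures=()):
        self.honeypots = set(honeypots)      # addresses behind the bridge
        self.limits = dict(limits)           # proto -> max outbound starts per window
        self.window = window_seconds
        self.signatures = list(signatures)
        self.started = defaultdict(deque)    # (honeypot, proto) -> start times
        self.log = []                        # what the data-capture side records

    def connection(self, ts, src, proto):
        """Decide 'allow' or 'block' for a new connection starting at ts."""
        if src not in self.honeypots:
            return "allow"                   # inbound: let the attacker in
        q = self.started[(src, proto)]
        while q and ts - q[0] >= self.window:
            q.popleft()                      # forget starts outside the window
        limit = self.limits.get(proto, self.limits.get("other", 0))
        if len(q) >= limit:
            self.log.append((ts, src, proto, "block"))
            return "block"
        q.append(ts)
        self.log.append((ts, src, proto, "allow"))
        return "allow"

    def scrub(self, src, payload):
        """Outbound payloads only: replace each signature with same-length
        filler so the connection stays up (the intruder sees no reset) while
        the matching bytes never leave the honeynet. Returns (payload, changed)."""
        if src not in self.honeypots:
            return payload, False
        changed = False
        for sig in self.signatures:
            if sig in payload:
                payload = payload.replace(sig, b"X" * len(sig))
                changed = True
        return payload, changed


def replay(events, wall):
    """Feed (ts, src, proto) tuples through the wall; return the decisions."""
    return [wall.connection(ts, src, proto) for ts, src, proto in events]


# Constructed demo: one honeypot, a tight TCP ceiling of 3 per hour.
DEMO_EVENTS = [
    (0, "203.0.113.7", "tcp"),       # inbound scan: never limited
    (10, "10.0.0.5", "tcp"),         # honeypot calls out (1/3)
    (20, "10.0.0.5", "tcp"),         # (2/3)
    (30, "10.0.0.5", "tcp"),         # (3/3)
    (40, "10.0.0.5", "tcp"),         # ceiling reached: blocked
    (50, "10.0.0.5", "udp"),         # separate counter per protocol
    (3700, "10.0.0.5", "tcp"),       # window slid past the first three: allowed
]


def demo():
    wall = Honeywall({"10.0.0.5"}, {"tcp": 3, "udp": 5, "other": 1},
                     signatures=[b"CONSTRUCTED-ATTACK-MARKER"])
    decisions = replay(DEMO_EVENTS, wall)
    scrubbed, changed = wall.scrub("10.0.0.5", b"GET / CONSTRUCTED-ATTACK-MARKER HTTP/1.0")
    return decisions, scrubbed, changed


if __name__ == "__main__":
    print(demo())
```

The per-protocol ceiling is the trade-off at the heart of data control: set it to zero and the intruder notices immediately that nothing works; set it high and the honeypot becomes a launch pad. The `log` list is what makes the limiter also a detector: every blocked outbound start from a honeypot is, by definition, a compromise indicator.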


Sebek.

Sebek: spying on your intruder
- Honeynet.org: “Sebek is a tool designed for data capture, it attempts to capture most of the attackers activity on the honeypot, without the attacker knowing it (hopefully), then sends the recovered data to a central logging system."
- Linux kernel module that hooks sys_read()
- Covertly sends captured data to honeywall (UDP)
- Recovers keystrokes, uploaded files, passwords, IRC chats, even if they’re encrypted by SSH, IPSec or SSL.


Sebek.

[Figure: Sebek data capture architecture.]

Source: “Know Your Enemy: Sebek - A kernel based data capture tool", Honeynet Project, 2003


Sebek in GenII honeynet.

[Embedded: first page of the paper cited below.]

Proceedings of the 2005 IEEE Workshop on Information Assurance and Security
T1B2 1555 United States Military Academy, West Point, NY, 15 – 17 June 2004

Towards a Third Generation Data Capture Architecture for Honeynets

Edward Balas and Camilo Viecco
Advanced Network Management Lab
Indiana University

Abstract— Honeynets have become an important tool for researchers and network operators. However, their effectiveness has been impeded by a lack of a standard unified honeynet data model which results from having multiple unrelated data sources, each with its own access method and format.

In this paper we propose a new data collection architecture that addresses the need for both rapid comprehension and detailed analysis by providing two data access methods: a relational model based fast path, and a canonical slow path. We also present a set of tools based on this architecture.

I. Introduction

A Honeynet is a network of high interaction honeypots[1]. High interaction honeypots are quite different from low interaction honeypots such as Honeyd [2] for they provide a full operating system and set of software for an intruder to interact with. This high level of interactivity is desired because it allows researchers the ability to observe the behavior of an intruder in a live system, and not a simulation. As a result, high interaction honeypots are well suited to capture new or unanticipated activity. However, high interaction honeypots collect a larger volume of detailed data from multiple data sources making it difficult to manage honeynets and make sense of the collected data.

To help facilitate honeynet deployments and the sharing of information between researchers, The Honeynet Project standardized the GenII honeynet architecture[3]. This architecture includes a specification of Data Capture procedures whose purpose is to “log all of the attacker’s activity”. The GenII Data Capture procedures specify the collection of three types of data: firewall logs, network traffic and system activity. Figure 2 provides a schematic representation of a typical Gen II deployment. This architecture does not provide any guidance on how to store or access the captured data.

In the standardized architecture, firewall logs are used to provide a summary of the network activity. The “rc.firewall” script provided by the honeynet project allows this by using the Linux IPTables[4] connection tracking capabilities. We feel this logging is counter-intuitive because firewall logs are typically used for policy auditing and in this case they are being used to provide summary accounts of network activity. In addition, these summaries lack needed detail such as the duration and quantity of network activity.

Fig. 1. GenII Honeynet Data Capture.

Network traffic and Intrusion Detection System (IDS) events are captured using the Snort IDS system[5]. For Data Capture, two instances of are executed, one to merely record the raw traffic, and the other to examine the network traffic looking for events that are indicative of misuse or intrusion.

System activity refers to monitoring activity from the perspective of each high interaction honeypot. This type of monitoring includes two types of data: Syslog and Sebek. Syslog data is provided by each honeypot’s operating system. Sebek is a tool developed by the Honeynet Project to monitor the behavior of intruder even when the intruder uses session encryption[6]. Sebek operates as hidden kernel module which covertly exports log data to the logging system.

The GenII honeynet architecture gathers very detailed

Source: “Towards a Third Generation Data Capture Architecture for Honeynets", Balas & Viecco, 2005


Hflowd data fusion (Perl script).

[Embedded: page 4 of the paper cited on the previous slide (Balas & Viecco, 2005).]

To augment our understanding of the network activity and the hosts at either side of a communication, we added passive operating system fingerprinting capability, provided by the p0f[13] tool. P0f is also a pcap based monitor that provides an estimate of the operating system (OS) used by host that initiates a TCP connection. This data is useful for two reasons. First, across flows it allows one to see if the apparent host OS is changing for a given IP source providing an indication that the host might be behind a NAT. Second, OS identification can improve the accuracy of IDS events through the process of passive alert verification[14][15]. For instance in a situation where an apache mod_ssl exploit[16] is launched against a non-linux host, the system could detect this discrepancy and treat the alert with a lower priority similar to the approach taken by RNA[14] (footnote 2).

The addition of the Argus and p0f data to the Snort and packet capture data provides a more comprehensive representation of events than provided in the GenII design. Further this new data can be organized around the concept of a network flow. However additional data sources are needed to bridge the relational gap between the network flows and processes on a host.

To bridge this gap we enhanced Sebek [6] to monitor network activity from the host’s perspective. Sebek is a kernel based data capture tool designed to be installed on high interaction honeypots [1]. Balas modified Sebek to monitor socket, process and file activity [17]. These modifications provided three necessary capabilities.

First, Sebek was enhanced to monitor socket activity. Whenever a honeypot accepts or creates a network connection, Sebek records the IP level attributes as well as the corresponding host, process and inode. This allows us to relate a network flow to the specific open inode and file descriptor used by a process to service the connection. This data is integral to providing a composite view of the incident that transcends flow and host data. Once a network connection associated with an intrusion attempt is observed, we immediately know which inode and process the intrusion was tied to. Using this data we can quickly identify related information such as the keystrokes captured by Sebek.

Second, Sebek was enhanced to monitor process creation. This monitoring allows us to relate one process to another, rebuilding the process tree. This is important in intrusion analysis for it allows us to track the intrusion forward from the point of intrusion identifying all processes created, and any other causally related system activity, such as outbound network connections[8]. The same capability can be used in reverse, if we see an outbound connection on a honeypot, we can back track to identify the point of intrusion.

Lastly, the ability to monitor the opening of files was added. Coupled with the process tree this allows us to identify all files accessed as part of an intrusion. This knowledge can in turn be used to prioritize data analysis efforts. As an example, presume that a specific intruder likes to place his/her files in a unique location in the file system. Once this location is identified, we can quickly search preexisting data for any prior indications of the same intruder’s presence. This capability can also be used to create a crude form of Honeytoken[18] where the act of accessing a certain file might be deemed an interesting event requiring further investigation.

Footnote 2: p0f can only estimate the OS of the TCP initiator, in this example the OS of the host under attack is known by either manual introduction of the OS by part of the administrator as with a honeypot or through previous TCP connections initiated by the particular host.

[Fig. 3. Data collection and fusion diagram. Components shown: Honeynet Ethernet feeding a raw socket / libpcap, read by the daemons P0f (Passive OS detector), Snort (Intrusion Detection System), Argus (Flow Monitor) and a Traffic Recorder; a Sebek Data Collector receiving kernel data; all feeding Hflowd: Data Fusion, which writes to the Hflow DB (Relational Data Access) alongside the Pcap store (Raw Data Access).]

B. Data Fusion

Hflow was developed to combine each of these data sources into a composite relational model. It continually consumes data from each source, fusing it based on identifiable relationships and it then loads this data into a database.

Hflow receives Argus flow, Snort IDS, p0f OS fingerprints and Sebek data. This data once combined is then inserted into a database.

Flow related data, such as Argus and Snort, are correlated based on corresponding tuples consisting of the IP protocol number, the source and destination IP addresses and if applicable port numbers which fall within the same
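The relationships this page describes (flow-to-alert correlation on the tuple, p0f guesses as NAT and alert-verification evidence, Sebek socket records tying a flow to a process and inode, and the process tree for forward and backward tracing) fit in a short fusion routine. The Python below is an added example written for this page, not Hflowd's Perl code: `tkey`, `Flow`, `fuse`, `verify_alert`, `ancestry` and `origin_flow` are my names, the `target_os` tag on alerts is a constructed stand-in for whatever a real signature database would carry, and every record, address and process id is constructed.

```python
"""Added example: Hflow-style fusion of Argus, Snort, p0f and Sebek records.

Not Hflowd's own (Perl) code: a Python sketch of the relationships the paper
describes, over constructed records. Flows and alerts join on a 5-tuple that
ignores direction, plus time overlap; the latest p0f guess for the initiator
is attached and a changing guess for one IP flags a possible NAT; an alert
whose target OS contradicts the honeypot's known OS gets a lower priority;
Sebek socket records tie a flow to a pid/inode, and Sebek process records let
an outbound connection be traced back to the inbound flow that spawned it.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


def tkey(proto, a, ap, b, bp):
    """5-tuple that ignores direction, so both endpoints' views join."""
    return (proto, tuple(sorted([(a, ap), (b, bp)])))


@dataclass
class Flow:  # one Argus flow record plus the fields fusion fills in
    start: float
    end: float
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    alerts: list = field(default_factory=list)
    initiator_os: Optional[str] = None
    process: Optional[dict] = None  # Sebek socket record, if any
    nat_suspect: bool = False

    @property
    def key(self):
        return tkey(self.proto, self.saddr, self.sport, self.daddr, self.dport)


HONEYPOT_OS = {"10.0.0.5": "linux"}  # known from configuration (paper footnote 2)
FLOWS = [
    Flow(100, 130, "tcp", "203.0.113.7", 40000, "10.0.0.5", 80),     # inbound web
    Flow(200, 210, "tcp", "203.0.113.7", 40001, "10.0.0.5", 22),     # inbound ssh
    Flow(300, 400, "tcp", "10.0.0.5", 51000, "198.51.100.9", 6667),  # outbound irc
]
ALERTS = [  # Snort events; target_os is a constructed per-signature tag
    dict(ts=105, proto="tcp", saddr="203.0.113.7", sport=40000, daddr="10.0.0.5",
         dport=80, sig="constructed web exploit attempt (linux target)", target_os="linux"),
    dict(ts=106, proto="tcp", saddr="203.0.113.7", sport=40000, daddr="10.0.0.5",
         dport=80, sig="constructed web exploit attempt (windows target)", target_os="windows"),
    dict(ts=205, proto="tcp", saddr="203.0.113.7", sport=40001, daddr="10.0.0.5",
         dport=22, sig="constructed ssh login storm", target_os=None),
]
P0F = [(90, "203.0.113.7", "Linux 2.4"), (195, "203.0.113.7", "Windows XP"),
       (295, "10.0.0.5", "Linux 2.4")]  # (ts, TCP initiator, OS guess)
SEBEK_SOCKETS = [  # host-side view: which process/inode handled a connection
    dict(ts=101, proto="tcp", laddr="10.0.0.5", lport=80, raddr="203.0.113.7",
         rport=40000, pid=1234, inode=5678),
    dict(ts=301, proto="tcp", laddr="10.0.0.5", lport=51000, raddr="198.51.100.9",
         rport=6667, pid=1999, inode=7777),
]
SEBEK_PROCS = {1: dict(ppid=0, comm="init"), 1234: dict(ppid=1, comm="httpd"),
               1999: dict(ppid=1234, comm="sh")}


def verify_alert(alert, honeypot_os):
    """Passive alert verification: lower priority when the signature's
    target OS contradicts what is known about the victim."""
    victim, want = honeypot_os.get(alert["daddr"]), alert.get("target_os")
    return "high" if want is None or victim is None or want == victim else "low"


def fuse(flows, alerts, p0f, sockets, honeypot_os):
    guesses = defaultdict(list)
    for ts, ip, os_name in sorted(p0f):
        guesses[ip].append((ts, os_name))
    for f in flows:
        f.alerts = [dict(a, priority=verify_alert(a, honeypot_os)) for a in alerts
                    if tkey(a["proto"], a["saddr"], a["sport"], a["daddr"], a["dport"]) == f.key
                    and f.start <= a["ts"] <= f.end]
        seen = [g for t, g in guesses[f.saddr] if t <= f.start]
        f.initiator_os = seen[-1] if seen else None
        f.nat_suspect = len({g for _, g in guesses[f.saddr]}) > 1  # OS changed: NAT?
        f.process = next((s for s in sockets
                          if tkey(s["proto"], s["laddr"], s["lport"], s["raddr"], s["rport"]) == f.key
                          and f.start <= s["ts"] <= f.end), None)
    return flows


def ancestry(pid, procs):
    """Process names from pid up to the root, from Sebek process records."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["comm"])
        pid = procs[pid]["ppid"]
    return chain


def origin_flow(pid, flows, procs, honeypot_os):
    """Back-track: the inbound flow served by pid or one of its ancestors."""
    while pid in procs:
        for f in flows:
            if f.process and f.process["pid"] == pid and f.daddr in honeypot_os:
                return f
        pid = procs[pid]["ppid"]
    return None
```

Run over the constructed records, the outbound IRC connection (pid 1999, `sh`) traces back through its parent `httpd` (pid 1234) to the inbound web flow that carried the alerts, which is exactly the reverse walk the paper describes; the two p0f guesses for 203.0.113.7 mark both of its flows as NAT suspects, and the windows-targeted signature against a known-linux honeypot is demoted.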


MWCollect: Nepenthes, HoneyTrap and HoneyBow.

MWCollect
- MWCollect (sort of) is an alliance of malware researchers and software engineers
- ...and less pretty, it is the dead parent process from which Nepenthes was forked
- Home to Nepenthes, HoneyTrap and HoneyBow
- State-of-art (scientific) research on malware
  - Reverse engineering polymorphic shellcodes
  - Call-flow graph (binary) analysis
  - Et cetera


Nepenthes.

- Malware-collecting mid-interaction honeypot
- Emulates known vulnerabilities and captures the malware trying to exploit them
  - E.g. NetDDE, LSASS, DCOM, ASN1, MSSQL, UPNP, IIS vulns
- Modular arch: vuln-*, shellcode-*, download-*, submit-*
- Extensions are being developed for call-flow graphs and binary shellcode analysis
- First released in 2006 by Paul Baecher et al.


Nepenthes.

[Figure: Nepenthes module pipeline. Listening ports (tcp/445, tcp/135, tcp/80, tcp/...) feed the Nepenthes core; vulnerability modules (vuln-lsass, vuln-dcom, vuln-asn1, vuln-wins, ...) handle the EXPLOIT; shellcode-generic and shellemu-winnt handle the PAYLOAD and yield the MALWARE URL; download modules (download-tftp, download-ftp, download-http, download-link, ...) fetch the MALWARE; submit modules (submit-file, submit-xmlrpc, submit-norman) store or forward it. Support modules shown: geolocation-hostip, geolocation-geoip, module-portwatch, log-download, log-irc, dnsresolve-adns.]

Source: “The Nepenthes Platform: An Efficient Approach to Collect Malware", Baecher et al., 2006
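The module chain on the two Nepenthes slides (vuln-* recognises the exploit, shellcode-* extracts the download URL, download-* fetches by scheme, submit-* stores the sample) is easiest to understand as a pipeline with four interchangeable stages. The Python below is an added example written for this page, not Nepenthes' own code: `VulnModule`, `FileStore`, `Collector`, `extract_urls` and `demo` are my names; the vulnerability modules match a constructed trigger string rather than speaking a real protocol, and the in-memory `SAMPLES` table stands in for the network fetch that download-tftp/ftp/http would perform.

```python
"""Added example: the Nepenthes module chain as a small collector.

Not Nepenthes' own code: an illustration of the stages the figure shows
(vuln-* -> shellcode-* -> download-* -> submit-*) over constructed inputs.
The vulnerability modules here recognise a constructed trigger instead of a
real protocol dialogue, the fetcher is an in-memory table standing in for
download-tftp/ftp/http, and submit-file is a content-addressed store that
deduplicates by SHA-256.
"""
import hashlib
import re
from urllib.parse import urlsplit

# shellcode-generic's job in miniature: find download URLs in a captured payload.
URL_RE = re.compile(rb"(?:tftp|ftp|http)://[\x21-\x7e]+")


class VulnModule:
    """vuln-*: claims traffic on one port when its trigger pattern is seen."""
    def __init__(self, name, port, trigger):
        self.name, self.port, self.trigger = name, port, trigger

    def matches(self, port, data):
        return port == self.port and self.trigger in data


class FileStore:
    """submit-file: keep one copy per SHA-256, remember every source URL."""
    def __init__(self):
        self.samples = {}   # sha256 -> bytes
        self.sources = {}   # sha256 -> list of URLs it was fetched from

    def submit(self, blob, url):
        digest = hashlib.sha256(blob).hexdigest()
        is_new = digest not in self.samples
        self.samples.setdefault(digest, blob)
        self.sources.setdefault(digest, []).append(url)
        return digest, is_new


def extract_urls(data):
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


class Collector:
    def __init__(self, vulns, fetch, store):
        self.vulns, self.fetch, self.store = list(vulns), fetch, store

    def handle(self, port, data):
        """Run one captured connection through the chain; returns a record of
        how far it got, so unmatched traffic is still visible to the analyst."""
        vuln = next((v for v in self.vulns if v.matches(port, data)), None)
        if vuln is None:
            return {"stage": "ignored", "port": port}        # module-portwatch territory
        urls = extract_urls(data)                              # shellcode-*
        if not urls:
            return {"stage": "no-url", "vuln": vuln.name}
        results = []
        for url in urls:
            scheme = urlsplit(url).scheme                      # selects download-<scheme>
            blob = self.fetch(url)                             # download-*
            if blob is None:
                results.append((url, scheme, "download-failed", None))
                continue
            digest, is_new = self.store.submit(blob, url)      # submit-*
            results.append((url, scheme, "new" if is_new else "duplicate", digest))
        return {"stage": "submitted", "vuln": vuln.name, "results": results}


# Constructed demo: the "network" is a dict, the triggers are plain markers.
SAMPLES = {  # URL -> bytes the download module would receive
    "tftp://198.51.100.9/sample1.bin": b"MZ constructed sample one",
    "http://198.51.100.9/sample1.bin": b"MZ constructed sample one",   # same content
}
VULNS = [VulnModule("vuln-demo-445", 445, b"DEMO-TRIGGER-445"),
         VulnModule("vuln-demo-80", 80, b"DEMO-TRIGGER-80")]


def demo():
    c = Collector(VULNS, SAMPLES.get, FileStore())
    r1 = c.handle(445, b"DEMO-TRIGGER-445 ... tftp://198.51.100.9/sample1.bin ...")
    r2 = c.handle(80, b"DEMO-TRIGGER-80 http://198.51.100.9/sample1.bin")
    r3 = c.handle(80, b"DEMO-TRIGGER-80 http://198.51.100.9/missing.bin")
    r4 = c.handle(22, b"DEMO-TRIGGER-445 tftp://198.51.100.9/sample1.bin")
    return c.store, [r1, r2, r3, r4]


if __name__ == "__main__":
    store, records = demo()
    for r in records:
        print(r)
    print(len(store.samples), "unique sample(s)")
```

Two properties of the real platform show up even in this sketch: the same binary served over two different URLs is stored once and both origins are kept (the basis for the submit-* modules that forward to external sandboxes), and a trigger seen on a port no module claims is reported rather than silently dropped, which is the gap HoneyTrap's bind-everything approach on the next slide is meant to close.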


HoneyTrap and HoneyBow.

HoneyTrap
- Low-interaction malware collection honeypot
- HoneyTrap binds to (all!) unbound TCP ports, and listens
- Does not emulate vulns or services, although the latter is possible through plug-ins
- Aimed at catching 0-days (unlike Nepenthes)

HoneyBow
- High-interaction malware collection honeypot
- Announced in Dec/2006 by China Honeynet Project
- Modular arch: MwWatcher, MwFetcher, MwSubmitter
- Claimed it will interoperate with Nepenthes


Limitations.

Limitations/caveats in honeypot technology
- Complexity is the enemy of security, and honeynets are complex.
  - Bugs in emulators
  - Bugs in data capture/analysis/control tools
  - Privilege escalation / jailbreak
- Known attacks: NoSEBrEaK, (unofficial) Phrack #62/0x07 (Local Honeypot Identification).
- Decoy/false attacks (counter-counter, etc.).
- Blackhats exchange and evade IP-ranges of known honeynets
  - Auto(re)configuration, higher volatility might help


Recent topics.

- Honeysnap
  - CLI tool for high-level analysis of captured data
  - honeysnap -c honeynet.cfg myfile.pcap
- Unified Data Analysis Framework (UDAF)
  - Library for data acquisition, filtering, fusion, reporting, et cetera (towards visual programming)
  - Let’s hope it’ll be interoperable with IDMEF / GOTEK
- Sandboxes: CWSandbox, Norman, Sandboxie
- SCADA honeynets
  - Cisco CIAG: scadahoneynet.sf.net
  - PLC emulation; MODBUS, DNP
- Client honeypots: honeyclient, Capture-HPC, HoneyC, SpyBye
- Honeystick, Google Hack Honeypot


Honeypot classification.

[Figure: honeypot classification table from the taxonomy paper.]

Source: “Taxonomy of Honeypots", Seifert, Welch & Komisarczuk, 2006


Honeynet Research Alliance.

- “The Honeynet Research Alliance is a trusted forum of other honeypot research organizations. [...] These organizations subscribe to the Alliance for the purpose of researching, developing and deploying honeypot related technologies and sharing the lessons learned."


Honeynet Research Alliance (map).

[Figure: world map of Honeynet Research Alliance members.]

NL is still not represented. Why?


Summary

Topics that have been discussed
- Definition, purpose, taxonomy
- Tools: HoneyD, Honeywall, Sebek, Nepenthes
- Limitations, recent topics


Feedback!

Questions regarding this lecture?

Lab assignments (deadline = April 14th): http://os3.nl/2007-2008/courses/ids/practica_bij_10_april

These slides will be uploaded here: http://os3.nl/2007-2008/courses/ids/