Threat Intelligence from Honeypots for Active Defense


DESCRIPTION

As cyber adversaries increase the sophistication and persistence of their attacks, old methods that treat all threats the same become increasingly inadequate. One method for gaining better context around these threats is the use of “honeypots.” A honeypot is a security resource deliberately designed to be probed, attacked and compromised, for the purpose of gathering intelligence about an attacker. By tricking our adversaries into believing that they have gained access to our systems, we can watch their activities, where they connect from, what malware they upload to systems and other crucial information. Furthermore, when integrated with other threat intelligence and automation tools, we can leverage this data not only to provide context around the threat but also to initiate an immediate response to block the attacker and share the data across our organizations or with others. In this webcast, security engineer Ioannis Koniaris, developer of HoneyDrive, a popular Linux distribution that comes with several honeypot applications pre-installed, discusses how various open source honeypot tools work and how they can be used to gather threat intelligence data. Tripwire security researcher Ken Westin presents how to make use of the collected honeypot data to provide richer analytics and enhance your defenses.


Page 1: Threat Intelligence from Honeypots for Active Defense

Threat Intelligence from Honeypots for Active Defense

Page 2

Today’s Presenters

Ioannis Koniaris, Information Security Engineer and Researcher

Ken Westin, Security Researcher, Tripwire

Page 3

If you know your enemies and know yourself, you will not be imperiled in a hundred battles.

— Sun Tzu, The Art of War

Page 4

Know Yourself: Vulnerability Centered

• Strong focus on prevention

• Signature based detection

• Business context of assets

• Threats are viewed equally without context

• Minimal ability to detect unknown threats

Page 5

Know Your Enemies: Threat Centered

• Understands that prevention fails (eventually)

• Focus on collection and observation

• Every attack makes you stronger

• Understands that threats use different TTPs (Tools, Tactics & Procedures)

• Leverages a wide range of data sources

• Detection based on more than signatures

APT

Script Kiddie

Hacktivist

Criminal Syndicate

Bots

Page 6

APT

Script Kiddie

Hacktivist

Criminal Syndicate

Bots

Page 7

Space I can recover. Time, never.

— Napoleon Bonaparte

Page 8

Hacking is a Business Too: Reduce Their ROI

Page 9

Hacking Back: Proactive Intelligence with Honeypots for Active Defense

Ioannis Koniaris, GCIH, GSNA, eCPPT, eMAPT

Page 10

About me

● Started studying honeypots for academic purposes (thesis, IEEE papers)

● Member of the Honeynet Project (non-profit)

● Maintainer of BruteForce Lab (http://bruteforce.gr) → open source honeypot projects for ~3 years

● Tools: HoneyDrive, Kippo-Graph, Honeyd-Viz, various other tools and contributions

● Always interested in collaboration for new tools and research!

Page 11

Introduction to honeypots

● Definition: “An information system resource whose value lies in unauthorized or illicit use of that resource” (Lance Spitzner)

● It’s a system with no production value

● There is no reason for a legitimate user to use it or interact with it

Page 12

Introduction to honeypots

● Any communication attempt is automatically considered malicious

● A honeypot that tries to connect to another system is probably compromised

● They are both deceit tools and traps

● Attackers waste time while their actions are monitored closely

Page 13

Introduction to honeypots

● They cannot prevent attacks against the network by themselves

● But they can help in the detection phase of an attack and identify the exploitation methods used

● They can be used in conjunction with firewalls and IDSes, and in fact support them really nicely as they “patch” their weaknesses

Page 14

Emulation of OSes and Services

● OS emulation is done using “fingerprints”

● 8 parameters of the TCP/IP stack are not fixed – 67 bit signature

● The same way that various tools identify the remote OS, e.g. nmap, p0f, etc.

● Service emulation is done using scripts with identical behavior and output as the real services

Page 15

Honeypot classifications

● Honeypots can be divided into categories based on two criteria:
  o The purpose of honeypot deployment
  o The level of allowed interaction with the honeypot

● Honeypot categories based on purpose:
  o Production honeypots
  o Research honeypots

Page 16

Honeypot classifications

● Production honeypots are placed alongside the real systems of a business, acting as decoys

● Ideally they are mirrors of real servers where attackers will waste their time while we are gathering intelligence

● Research honeypots monitor attack activities and capture malicious traffic and files to enhance our knowledge of attack vectors

Page 17

Honeypot classifications

● Honeypot categories based on the level of allowed interaction:
  o Low-interaction honeypots
  o Medium-interaction honeypots
  o High-interaction honeypots

● Low-interaction honeypots offer little to no interaction between the server and the attacker

● It’s only software emulating one or more services – low added risk but limited data

Page 18

Honeypot classifications

● Medium-interaction honeypots offer greater interaction between the system and the attacker

● The emulated network services respond to the attacker and allow access to fake resources (e.g. a fake FTP server)

● Can be used to catch malware as well by emulating specific vulnerabilities in a service

● Medium added risk but generally good results and data!

Page 19

Honeypot classifications

● High-interaction honeypots are real vulnerable OSes given to attackers as sacrificial lambs

● Intruders will have real access and control of the system

● Usually used to capture attacks against specific services or targets fitting a specific profile

● High risk and high reward!

● Greatest level of data capture, BUT they must be isolated and monitored at all times! (pivoting)

Page 20

Honeypot placement & operation

● Mainly 3 common honeypot placement spots:
  o Externally, in front of the firewall, facing the Internet
  o Internally, behind the firewall
  o Demilitarized Zone (DMZ)

● External placement is used to immediately make them available to attackers for intrusion and takeover (most suitable for research honeypots)

Page 21

Honeypot placement & operation

● Internal placement is most suitable to detect attackers (human or software) that have breached the perimeter

● Effective early warning system

● High added risk to the network if using a high-interaction honeypot and it gets taken over – egress firewall needed

Page 22

Honeypot placement & operation

● DMZ placement is the best choice for a business/organization

● Honeypots and other DMZ hosts share the same subnet

● Can be set up as mirrors of real systems in order to catch early attacks against the DMZ

Page 23

Other honeypot technologies

● Honeytokens are objects with no production value placed in a system as an intrusion detection mechanism

● Various small electronic baits that no legitimate user should access – e.g. fake admin account user/pass combination

● If a honeytoken is found in the application’s logs, the system has been compromised
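The honeytoken check this slide describes, as an added example that is not part of the deck: it scans OpenSSH auth-log lines for any use of planted fake admin accounts and reports every source that touched one, ranking a successful login above failed attempts. The account names, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Honeytoken accounts: fake admin logins no legitimate user knows about.
# Names constructed for this example; in practice they are planted where an
# intruder would look (config files, password stores, wiki pages).
HONEYTOKEN_USERS = {"backup-admin", "svc_oracle_dba"}

# OpenSSH authentication lines in syslog form, including the "invalid user"
# variant sshd emits for account names that do not exist on the host.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)

# Constructed sample log, not output from a real host.
SAMPLE_LOG = """\
Jan 12 03:14:07 web01 sshd[2311]: Accepted publickey for deploy from 10.0.5.20 port 51022 ssh2
Jan 12 03:16:41 web01 sshd[2402]: Failed password for backup-admin from 203.0.113.45 port 40122 ssh2
Jan 12 03:16:44 web01 sshd[2402]: Failed password for backup-admin from 203.0.113.45 port 40122 ssh2
Jan 12 03:17:02 web01 sshd[2405]: Accepted password for backup-admin from 203.0.113.45 port 40180 ssh2
Jan 12 03:20:19 web01 sshd[2450]: Failed password for invalid user admin from 198.51.100.9 port 33410 ssh2
"""


def find_honeytoken_hits(log_text, honeytoken_users=HONEYTOKEN_USERS):
    """Return {source_ip: {"attempts": n, "success": bool, "users": set}} for
    every source that touched a honeytoken account. The account has no
    legitimate use, so there is no baseline of normal activity to filter
    against: a single attempt is already an incident."""
    hits = defaultdict(lambda: {"attempts": 0, "success": False, "users": set()})
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m.group("user") not in honeytoken_users:
            continue
        entry = hits[m.group("src")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        if m.group("result") == "Accepted":
            # The credential was not just seen but used: wherever the token
            # was planted has already been read by the intruder.
            entry["success"] = True
    return dict(hits)


def severity(hit):
    """A successful honeytoken login outranks repeated failures, but even a
    failure proves the planted credential leaked."""
    return "critical" if hit["success"] else "high"


if __name__ == "__main__":
    for src, hit in find_honeytoken_hits(SAMPLE_LOG).items():
        print(f"{severity(hit):8} {src} used {sorted(hit['users'])} "
              f"({hit['attempts']} attempts, success={hit['success']})")
```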

Page 24

Other honeypot technologies

● Honeypages are fake web pages inside a real web app, with no production value

● There is no direct link to them, so every request is considered malicious

● A request can come from automated scanning, robots.txt analysis, etc. – honeypages log all the information they can get
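An added example, not part of the deck, of a honeypage inside a small WSGI application: the page has no inbound link, robots.txt lists it as disallowed (the bait for scanners that mine robots.txt for hidden paths), and every request to it is logged with source, query parameters and headers. The path `/admin-backup/`, the in-memory `HITS` sink and the `call` helper are assumptions made for this example.

```python
import time
from urllib.parse import parse_qs

# Hypothetical honeypage path. Nothing on the real site links to it, so it is
# only reachable via robots.txt mining or directory brute-forcing.
HONEYPAGE_PATH = "/admin-backup/"

# Constructed sink for hits; a deployment would write to a log file or SIEM.
HITS = []


def record_hit(environ):
    """Keep everything the request carries: source, method, path, query
    parameters and all client-supplied headers (HTTP_* keys in WSGI)."""
    hit = {
        "ts": time.time(),
        "src": environ.get("REMOTE_ADDR"),
        "method": environ.get("REQUEST_METHOD"),
        "path": environ.get("PATH_INFO"),
        "query": parse_qs(environ.get("QUERY_STRING", "")),
        "headers": {k[5:].replace("_", "-").lower(): v
                    for k, v in environ.items() if k.startswith("HTTP_")},
    }
    HITS.append(hit)
    return hit


def app(environ, start_response):
    """WSGI app with a real page, a robots.txt that 'hides' the honeypage,
    and the honeypage itself, which logs the request and serves a decoy."""
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        # The Disallow entry is the bait: well-behaved crawlers stay away,
        # scanners that mine robots.txt for hidden paths walk straight in.
        body = f"User-agent: *\nDisallow: {HONEYPAGE_PATH}\n"
        start_response("200 OK", [("Content-Type", "text/plain")])
    elif path.startswith(HONEYPAGE_PATH):
        record_hit(environ)
        body = "<html><body><h1>Backup console</h1><p>Please log in.</p></body></html>"
        start_response("200 OK", [("Content-Type", "text/html")])
    else:
        body = "<html><body><p>Welcome</p></body></html>"
        start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def call(path, query="", src="198.51.100.7", headers=None):
    """Drive the app offline with a constructed WSGI environ (no socket);
    returns (status, body) so behaviour can be checked without a server."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "REMOTE_ADDR": src}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []
    body = app(environ, lambda s, h: status.append(s))
    return status[0], b"".join(body).decode()
```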

Page 25

Other honeypot technologies

● Attackers nowadays target client programs (browsers, media players, file viewers, etc.)

● A client honeypot actively tries to find malicious websites serving exploits targeting client applications

● They usually use HTTP and emulate various web technologies like JavaScript, ActiveX, etc., acting like a browser

● Thug: modern Python honeyclient (Thug-Vagrant)

Page 26

The value of honeypots

● They give almost no false positives
  o Honeypots have no production value and any interaction can be automatically considered malicious and a candidate for further analysis

● They help us detect malicious actions early on
  o Sysadmins can use them to quickly classify the nature and severity of attacks

Page 27

The value of honeypots

● New and unknown attacks can be logged and identified as malicious as fast as common attacks
  o Tools like Honeycomb can create IDS rules
  o Files or content generated by attackers (e.g. IRC logs) are saved for further analysis

● Add an extra layer of protection, for example when they are placed internally in order to catch insider threats or warn sysadmins of malware

Page 28

Honeypot advantages

● Simplicity of their idea

● They provide a small amount of captured data of high value

● Low requirements in terms of hardware

● Can be effective in crypto environments (where IDSes might have problems) or IPv6 networks

Page 29

Honeypot disadvantages

● No real value if nobody attacks them!

● Limited attack detection radius/scope

● Compromised HI honeypots can be used as platforms to launch further attacks (pivots)

● Honeypots can sometimes taunt attackers

● Bugs or vulnerabilities can exist in the honeypots themselves

● Placing honeypots increases the overall complexity of a network – not good from a security standpoint

Page 30

Legal issues

● Disclaimer: IANAL

● Different legislations across the world, different laws concerning the acquisition and storage of data

● No definite answer can be given, even though all top honeypot researchers agree that we are on the safe side!

Page 31

Legal issues

● Privacy:
  o Essentially the question: “how much data can an admin gather and store before a privacy problem arises?”
  o Is it legal for an admin to capture data from other company employees? What about external threats in general?

Page 32

Legal issues

● Privacy (cont.):
  o According to Lance Spitzner: the people breaking into these systems are NOT AUTHORIZED to use them, and if they place any files on them, they have given up their privacy rights to that data

Page 33

Legal issues

● Privacy (cont.):
  o By using honeypots for communication, malicious actors have given up their right to privacy, as honeypots are not service providers and are not bound by privacy requirements designed for service providers

Page 34

Legal issues

● Entrapment: a person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit
  o Setting up honeypots cannot be considered an entrapment activity because honeypots do not induce or persuade anyone, nor promote malicious activity by themselves; attackers find and attack them on their own

Page 35

Legal issues

● Liability:
  o Hypothetical scenario: a honeypot of company X is compromised by an attacker and is used as the source of attacks against the network of company Y. Who’s to blame???
  o No definite answer in this case, BUT we should also have mitigated this risk in the first place! (firewalls, egress filtering, etc.)

Page 36

Threat Intelligence gathering

● The Honeynet Project (in cooperation with the University of Aachen) published the first “public” live map of attacks: http://map.honeynet.org

Page 37

Page 38

Threat Intelligence gathering

● HoneyDrive: a self-contained Honeypot Linux distribution: http://bruteforce.gr/honeydrive

● It contains more than 10 honeypot systems preinstalled and preconfigured to work out of the box, plus ~90 other tools

● Some honeypots can be cumbersome to install and configure properly

● Created mainly to be a straightforward medium to quickly test and deploy different honeypots

Page 39

Threat Intelligence: SSH attacks

● Kippo SSH honeypot: https://github.com/desaster/kippo

● Medium interaction, written in Python (Twisted)

● Logs entire shell sessions (UML compatible)

● Stores all files downloaded by attackers

● Emulates a Debian OS

● You can add fake files and content

● You can add fake command output

Page 40

Threat Intelligence: SSH attacks

● Kippo-Graph is a visualization tool for Kippo: http://bruteforce.gr/kippo-graph
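An added example, not code from Kippo or Kippo-Graph, covering the two SSH slides above: it aggregates Kippo-style log lines the way Kippo-Graph charts them (sessions per source, most-tried usernames and passwords, successful logins, and the commands typed afterwards). The log format is assumed from the project and the lines, addresses and credentials are constructed.

```python
import re
from collections import Counter

# Constructed lines in the style of Kippo's kippo.log (format assumed from the
# project; addresses, credentials and timestamps are made up for this example).
KIPPO_LOG = """\
2014-05-01 10:02:11+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.45:51022 (10.0.0.5:2222) [session: 1]
2014-05-01 10:02:13+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.45] login attempt [root/123456] failed
2014-05-01 10:02:15+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.45] login attempt [root/password] failed
2014-05-01 10:02:18+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.45] login attempt [root/toor] succeeded
2014-05-01 10:02:40+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.45] CMD: uname -a
2014-05-01 10:02:52+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.45] CMD: cat /proc/cpuinfo
2014-05-01 10:05:02+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 198.51.100.9:40010 (10.0.0.5:2222) [session: 2]
2014-05-01 10:05:04+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/admin] failed
2014-05-01 10:05:06+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [root/123456] failed
"""

# The transport id and peer address sit inside the bracketed logger name.
LOGIN_RE = re.compile(
    r"HoneyPotTransport,(?P<sid>\d+),(?P<src>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)"
)
CMD_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<src>[\d.]+)\] CMD: (?P<cmd>.*)$")
CONN_RE = re.compile(r"New connection: (?P<src>[\d.]+):\d+ .*\[session: (?P<sid>\d+)\]")


def summarize(log_text):
    """Aggregate a Kippo log the way Kippo-Graph charts it: sessions and
    attempts per source, top usernames and passwords, successful logins, and
    the commands typed in sessions that got in. Returns plain dicts/Counters
    that can be fed to a dashboard, a SIEM or a blocklist."""
    sessions, users, passwords, sources = Counter(), Counter(), Counter(), Counter()
    successes, commands = [], {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            sessions[m["src"]] += 1
            continue
        m = LOGIN_RE.search(line)
        if m:
            users[m["user"]] += 1
            passwords[m["pw"]] += 1
            sources[m["src"]] += 1
            if m["result"] == "succeeded":
                successes.append((m["src"], m["user"], m["pw"]))
            continue
        m = CMD_RE.search(line)
        if m:
            # Only authenticated sessions reach the shell, so commands are the
            # highest-value part of the log: what the intruder did next.
            commands.setdefault(m["src"], []).append(m["cmd"])
    return {"sessions": sessions, "users": users, "passwords": passwords,
            "sources": sources, "successes": successes, "commands": commands}
```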

Page 41

Threat Intelligence: SSH attacks

● Kippo fork with ElasticSearch support: https://github.com/ikoniaris/kippo

Page 42

Threat Intelligence: malware attacks

● Dionaea is a malware honeypot: http://dionaea.carnivore.it/

● The successor of Nepenthes

● Written in C/Python, emulates protocols: SMB, HTTP(S), (T)FTP, MSSQL, MySQL, SIP

● Uses libemu to detect and analyze shellcodes

● Shellcode runs inside a libemu VM and API calls get recorded

Page 43

Threat Intelligence: malware attacks

● DionaeaFR is a front end for Dionaea: http://rubenespadas.github.io/DionaeaFR/

Page 44

Threat Intelligence: web attacks

● Glastopf is a web honeypot that emulates thousands of vulnerability “types” to catch web attacks (vulnerability-type emulation rather than emulation of individual vulnerabilities): http://glastopf.org/

● Wordpot is a WordPress honeypot: http://brindi.si/g/projects/wordpot.html

Page 45

Threat Intelligence: SCADA attacks

● Conpot is an ICS honeypot to collect intelligence about motives and methods of adversaries targeting industrial control systems: http://conpot.org/

● Modbus emulation and emulation of specific widely used SCADA devices

● HMIs and new devices can be added by interested parties

Page 46

Threat Intelligence: network sim

● Honeyd creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and have a “personality”: http://www.honeyd.org/

● Can emulate entire network/system topologies

● Honeyd2MySQL transfers honeyd logs to a MySQL DB: http://bruteforce.gr/honeyd2mysql

● Honeyd-Viz is a visualization tool for Honeyd: http://bruteforce.gr/honeyd-viz

Page 47

Threat Intelligence: active defence

● ADHD is a distro containing various active defense tools: http://sourceforge.net/projects/adhd/

● It contains tools like:
  o Artillery and Bear Trap for blacklisting attackers
  o Decloak and Honey Badger to unmask attackers
  o Spidertrap and Weblabyrinth to trap malicious web scanners in endless loops
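An added example, not part of the deck or of ADHD, of the two automated responses these slides motivate: blocklisting sources that probe the honeypot (the job Artillery and Bear Trap do) and alerting when the honeypot itself initiates a connection, which the deck treats as a sign of compromise and the reason for an egress firewall. The addresses, exempt ranges, threshold and flow records are assumptions constructed for the example.

```python
import ipaddress

# Constructed topology for this example (hypothetical addresses).
HONEYPOT = ipaddress.ip_address("192.0.2.10")
# Hosts the honeypot may legitimately talk to on its own: the log collector
# and the management jump host. Anything else it initiates means it is
# probably compromised and must be isolated.
EGRESS_ALLOW = {ipaddress.ip_address("192.0.2.2"), ipaddress.ip_address("192.0.2.3")}
# Sources never auto-blocked: the DMZ management subnet and our own
# vulnerability-scanner range. Blocking those breaks operations, not attackers.
BLOCK_EXEMPT = [ipaddress.ip_network("192.0.2.0/29"), ipaddress.ip_network("10.20.0.0/16")]
# Any contact with a honeypot is suspect, but automated blocking should wait
# for more than one stray or spoofed packet: distinct ports probed per source.
THRESHOLD = 3

# Constructed flow records (src, dst, dst_port) as a flow collector might export.
FLOWS = [
    ("203.0.113.45", "192.0.2.10", 22),
    ("203.0.113.45", "192.0.2.10", 23),
    ("203.0.113.45", "192.0.2.10", 3389),
    ("10.20.4.8", "192.0.2.10", 22),
    ("10.20.4.8", "192.0.2.10", 80),
    ("10.20.4.8", "192.0.2.10", 443),
    ("198.51.100.9", "192.0.2.10", 22),
    ("192.0.2.10", "192.0.2.2", 514),
    ("192.0.2.10", "198.51.100.77", 6667),
]


def is_exempt(ip):
    """True if the source lies in a range we must never auto-block."""
    ip = ipaddress.ip_address(str(ip))
    return any(ip in net for net in BLOCK_EXEMPT)


def evaluate(flows):
    """Return (block_rules, egress_alerts). Inbound flows to the honeypot feed
    a per-source port count that becomes a DROP rule at THRESHOLD; outbound
    flows from the honeypot to anything outside EGRESS_ALLOW raise an
    isolation alert, since a honeypot has no reason to connect out on its own."""
    touched, alerts = {}, []
    for src, dst, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip == HONEYPOT:
            touched.setdefault(src_ip, set()).add(port)
        elif src_ip == HONEYPOT and dst_ip not in EGRESS_ALLOW:
            alerts.append(f"honeypot {src} opened {dst}:{port}; assume compromised, isolate it")
    rules = [f"iptables -I INPUT -s {src} -j DROP"
             for src in sorted(touched)
             if len(touched[src]) >= THRESHOLD and not is_exempt(src)]
    return rules, alerts
```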

Page 48

Threat Intelligence: active IDS

● Beeswarm is an active IDS project: https://github.com/honeynet/beeswarm

● It provides easy configuration, deployment and management of honeypots and clients

● The system lures attackers into the honeypots by setting up drones that communicate with the honeypots and intentionally leak credentials (honeytokens)

Page 49

Threat Intelligence: active IDS

Page 50

Threat Intelligence: other tools

● Modern Honey Network is a solution for managing and deploying common honeypot sensors: http://threatstream.github.io/mhn/

● Combine gathers threat intel from public feeds: https://github.com/mlsecproject/combine

● ArcReactor monitors public sources for OSINT data and sends them to a SIEM: http://deadbits.org/projects/arcreactor/

Page 51

Conclusions

● Honeypots still present a unique concept

● They are more useful than ever in the current landscape of global attacks

● Tools and utilities exist to easily deploy sensors and gather intelligence that matters to *you*

● Much activity in the field by organizations (e.g. Honeynet Project) and individual researchers

● Give them a try!

Page 52

Contact me

● BruteForce Lab: http://bruteforce.gr

● Email: [email protected]

● Twitter: @ikoniaris

Page 53

Page 54

Thank you