Deceive to Detect: Using Canary Honeypots for Network Security Monitoring Chris Sanders Charleston ISSA November 2014


DESCRIPTION

In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.

Page 1

Deceive to Detect: Using Canary Honeypots for Network Security Monitoring

Chris Sanders, Charleston ISSA, November 2014

Page 2

Chris Sanders

• Christian & Husband
• Kentuckian and South Carolinian
• MS, GSE, et al.
• Non-Profit Director
• BBQ Pit Master

Page 3

Chris Sanders

“[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.”

“[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.”

– Amazon Reviewers

Page 4

Outline

Objectives:
• Traditional Honeypots
• Canary Honeypot Architecture
• Honeypot Platforms
– Honeyd
– Kippo
– Tom’s Honeypot
– Honeydocs

“How can I use honeypots as an effective part of my detection strategy?”

Page 5

***Disclaimer***

• Tactics in this presentation may be controversial, depending on your viewpoint.

• Only orgs with mature security programs should attempt the use of canary honeypots.

• Any time you invite an attacker to dance, you might get your feet stepped on.

Page 6

Traditional Honeypot Design

• Intentionally Vulnerable System
• Designed to Mimic Real Services
• Easily Compromised

Page 7

Page 8

Traditional Honeypot Uses

• Specific Research Purposes
• Tracking Unstructured Threats
– Commodity Malware
– Opportunistic Attackers

• Vaguely Useful for Building Basic Threat Intel

No Current Significant Production Value

Page 9

How can honeypots be useful for operational purposes?

Page 10

US Information Ops Doctrine

• US DoD JP 3-13 IO Capabilities*
– Detect
– Deny
– Disrupt
– Degrade
– Destroy
– Deceive

* More commonly applied as the Cyber Kill Chain

Page 11

Let’s Take Honeypots Farther…

Page 12

Kentucky is Coal Country

Page 13

Coal Mining is Hard

Page 14

Coal Mining is Dangerous

Page 15

Canaries for Methane Detection

Page 16

Enter Canary Honeypots

• Deceive to Detect
• Honeypots for Detection
1. Placed Inside the Network
2. Mimic Existing Systems
3. Detailed Alerting & Logging

Nobody Should Ever Talk to a Honeypot

Page 17

Making the Case

• How do you detect a malicious user logging in to a Windows system?
– Multiple Failed Logins
– Weird External IP Address
– IP Heuristics and Trending

• What if the malicious user logs in from another compromised system using legitimate credentials?

Page 18

Honeypots in the Attack Life Cycle

Page 19

Attackers Get Sloppy

Page 20

High vs. Low Interaction

• High Interaction...
– Real Operating System
– Real Services
– Locked Down
– Detailed Logging

• Low Interaction...
– Software-Based
– Mimics Real Services
– Fake Environments
– Limited Logging

* Some honeypots call themselves “medium” interaction, but these are still basically low interaction.

Page 21

Exploitable vs. Non-Exploitable

• Exploitable...
– Mimic Services
– Contain Vulnerabilities
– Designed to be Compromised
– Compromises are Monitored

• Non-Exploitable...
– Mimic Services
– No Vulnerabilities
– Any Interaction is Monitored

Page 22

Canary Honeypot Architecture

1. Identify the Devices or Services to be Mimicked

2. Determine Honeypot Placement

3. Develop Alerting and Logging Capabilities

Page 23

Identify Devices/Services to Mimic

• All About Risk - What is your biggest fear?
• How would attackers exploit that?
• Mimic critical services and components.
– Confidentiality – File Server (SSH?)
– Integrity – Database Server (SQL?)
– Availability – Web Server (HTTP?)

Page 24

Determine Honeypot Placement

• Close to the Asset Being Mimicked
• Ability to Transmit Logs
• Limit Communication of High Interaction Honeypots (***IMPORTANT***)

Page 25

Determine Honeypot Placement (cont.)

Page 26

Develop Alerting and Logging

• Logging
– High Interaction – OS Logs, HIDS
– Low Interaction – Software Logs
– Network – PCAP, Flow, etc.

• Alerting
– IDS Signatures
– alert tcp any any -> $HONEYPOT 22 (msg:"Communication with SSH Honeypot"; sid:12345; rev:1;)

Page 27

Honeypot Software

Page 28

Honeyd

• The father of honeypots
• Developed by Niels Provos 10+ years ago
• Low Interaction
• Can mimic operating systems and services
• Capable of spinning up thousands of honeypot instances

Page 29

Honeyd Config

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create ansm_winserver_1
set ansm_winserver_1 personality "Microsoft Windows Server 2003 Standard Edition"

Page 30

Honeyd Config (cont.)

add ansm_winserver_1 tcp port 135 open
add ansm_winserver_1 tcp port 139 open
add ansm_winserver_1 tcp port 445 open
set ansm_winserver_1 ethernet "d3:ad:b3:3f:11:11"
bind 172.16.16.202 ansm_winserver_1

Page 31

Running Honeyd

• Running Honeyd: sudo honeyd -d -f /etc/honeypot/ansm.conf

• Scan Results

Page 32

Honeyd Logging

Page 33

Honeyd Alerting

alert ip !$TRUSTED_MS_HOSTS any -> $MS_HONEYPOT_SERVERS [135,139,445] (msg:"Attempted Communication with Windows Honeypot on MS Ports"; sid:5000000; rev:1;)
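The rule above fires on any packet to the Windows honeypot on the MS ports from a host outside the trusted set. The same check can be run after the fact over flow records; the following is an added example, not code from the deck, assuming a constructed honeypot inventory and constructed flow lines, with the honeypot address and ports taken from the Honeyd config shown earlier.

```python
"""Canary honeypot contact detection over flow records (added example, not
from the deck): nobody should talk to a honeypot, except the trusted hosts the
deck's Snort rule excludes via !$TRUSTED_MS_HOSTS. Inventory and flow lines are
constructed; the address and ports follow the deck's Honeyd config."""
from collections import defaultdict

# Constructed inventory: honeypot -> mimicked ports and sources allowed to
# talk to it (e.g. a domain controller that a Windows mimic has to answer).
HONEYPOTS = {
    "172.16.16.202": {"ports": {135, 139, 445}, "trusted": {"172.16.16.1"}},
}

# Constructed flow records, one per line: "ts src dst dport proto".
SAMPLE_FLOWS = """\
1415000000 172.16.16.1 172.16.16.202 445 tcp
1415000010 172.16.16.50 172.16.16.202 445 tcp
1415000020 172.16.16.50 172.16.16.202 139 tcp
1415000025 172.16.16.50 172.16.16.202 135 tcp
1415000030 10.0.0.9 172.16.16.202 80 tcp
1415000040 172.16.16.50 172.16.16.100 445 tcp
"""

def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def detect(flow_text, honeypots=HONEYPOTS):
    """One alert per (source, honeypot) pair, trusted sources excluded. Contact on
    a port the honeypot does not mimic is still reported: honeyd blocks it, but
    the attempt itself is the signal."""
    hits = defaultdict(list)
    for line in flow_text.strip().splitlines():
        f = parse_flow(line)
        hp = honeypots.get(f["dst"])
        if hp is None or f["src"] in hp["trusted"]:
            continue  # not a honeypot, or a host that is supposed to talk to it
        hits[(f["src"], f["dst"])].append(f)
    alerts = []
    for (src, dst), flows in sorted(hits.items()):
        ports = sorted({f["dport"] for f in flows})
        alerts.append({"src": src, "honeypot": dst, "count": len(flows),
                       "first_seen": min(f["ts"] for f in flows), "ports": ports,
                       "mimicked_ports": [p for p in ports if p in honeypots[dst]["ports"]]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed flows it reports the two untrusted sources only; the trusted host and the flow to a real server produce nothing.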

Page 34

Extended Service Emulation

• Emulate an IIS Web Server: add ansm_winserver_1 tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"

Page 35

Kippo SSH Honeypot

• Low Interaction SSH Honeypot
• Provides a Fake File System
• Detailed Logging and Replay
• Written in Python

Page 36

Kippo Demo

Page 37

Kippo Alerting

alert tcp $HONEYPOT_SERVERS $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port - Honeypot System"; flow:from_server,established; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8;)

alert tcp any any <> $HONEYPOT_SERVERS $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port - Honeypot System"; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001978; classtype:misc-activity; sid:2001978; rev:7;)

Page 38

Tom’s Honeypot

• Developed by Tom Liston of InGuardians
• Low Interaction Multi-Protocol Honeypot
• Emulates RDP, VNC, Radmin, MSSQL, SIP
• Written in Python
• http://labs.inguardians.com/tomshoneypot

Page 39

Tom’s Honeypot – RDP

Page 40

Tom’s Honeypot – More

Page 41

Honeydocs

• Documents designed to “phone home” when opened.
• Placed with/near other critical documents
• Honeydocs should never be opened
• Provides alerting when documents are exfiltrated
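One way to build the "phone home" side, as an added example that is not from the deck: each honeydoc gets its own unguessable beacon URL, and a small listener maps any fetched URL back to the document it was planted in. The host name, URL layout and registry entries are assumptions made for the example.

```python
"""Honeydoc beacon listener (added example, not from the deck). Each honeydoc
embeds a unique URL that is fetched when the file is opened; the listener maps
that URL back to the document and alerts, because a honeydoc should never be
opened. Host name, paths and registry entries below are constructed."""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

BEACON_HOST = "http://canary.example.invalid"  # constructed placeholder host
REGISTRY = {}  # token -> {"name": document, "planted_at": where it was left}

# 1x1 transparent GIF, so the fetch looks like an ordinary embedded image.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

def register_honeydoc(name, planted_at):
    """Mint an unguessable token for a honeydoc and return the URL to embed in it."""
    token = secrets.token_urlsafe(16)
    REGISTRY[token] = {"name": name, "planted_at": planted_at}
    return f"{BEACON_HOST}/img/{token}.gif"

def handle_beacon(path, src_ip, user_agent):
    """Map a request path to an alert dict, or None if it is not a known beacon."""
    prefix, sep, rest = path.lstrip("/").partition("/")
    token = rest.split("?", 1)[0].rsplit(".", 1)[0]  # drop query string and extension
    doc = REGISTRY.get(token) if prefix == "img" and sep else None
    if doc is None:
        return None
    return {"alert": "honeydoc opened", "document": doc["name"],
            "planted_at": doc["planted_at"], "src_ip": src_ip, "user_agent": user_agent}

class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = handle_beacon(self.path, self.client_address[0],
                              self.headers.get("User-Agent", ""))
        if alert:
            print("ALERT", alert)  # forward to syslog / SIEM in a real deployment
        # Answer every request identically so the response reveals nothing.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(PIXEL)

if __name__ == "__main__":
    print("embed:", register_honeydoc("Q4_Merger_Plan.docx", r"\\fileserver\finance"))
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

Because the registry ties a token to where the file was planted, a single hit tells you which share was read and from where, which is the alert the slide describes.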

Page 42

Honeydoc Manual Example

Page 43

Honeydoc Manual Example

Page 44

Honeydoc Automated Example

Page 45

MHN: Modern Honey Network

• Centralized Management
• Web Interface w/ RESTful API
• http://threatstream.github.io/mhn/

Page 46

Conclusion

• Honeypots aren’t just for research!
• They can be useful for intrusion detection.
• Great care should be taken when deploying honeypots inside the network perimeter.
• Multiple useful tools already exist.

Page 47

Thank You!

E-Mail: [email protected]
Twitter: @chrissanders88

Blog: http://www.chrissanders.org
Book Blog: http://www.appliednsm.com

Testimony: http://www.chrissanders.org/mytestimony