Honeypots & Honeynets Overview
Adli Wahid Security Specialist, APNIC.net [email protected]
1 Contents
1. Objec�ves 2. Defini�on of Honeypot & Honeynets 3. Benefits & Risk considera�on 4. Example of Honeypot tools 5. The Honeynet Project
Credits: David Watson (Honeynet Project) for the some of the contents of this slide [email protected]
2 Objec�ves
1. Understand the the concept of honeypots / honeynets and how they are deployed 2. Understand the value of honeypots and honeynets to security teams 3. Familiarize with different types of honeypots
3 Know Your Enemy
How can we defend against an enemy, when we don’t even know who the enemy is?
(Lance Spitzner 1999)
4 Know Your Enemy (2)
To learn the tools, tac�cs and mo�ves involved in computer and network a�acks, and share the lessons learned
(Mission Statement, The Honeynet Project)
These days you may be familiar with the term ‘Threat Intelligence’
5 Honeypots and Honeynets
• A honeypot is an informa�on system resource whose value lies in the unauthorized or illicit use of that resource • Honeypot systems have no produc�on value, so any ac�vity going to or from a honeypot is likely a probe, a�ack or compromise • A honeynet is simply a network of honeypots • Informa�on gathering and early warning are the primary benefits to most organisa�ons
6 Honeypot and Honeynet Types
• Low-Interac�on (LI) – Emulates services, applica�ons and OS’s – Easier to deploy/maintain, low risk, but only limited informa�on • High-Interac�on (HI) – Real services, applica�os and OS’s – Capture extensive informa�on, but higher risk and �me intensive to maintain
7 Honeypot and Honeynet Types
• Server Honeypots – Listen for incoming network connec�ons – Analyse a�acks targe�ng host’s users, services and opera�ng systems
• Client Honeypots – Reach out and interact with remote poten�ally malicious resources – Have to be instructed where to go to find evil – Analyse a�acks targe�ng clients and users
8 Honeypot and Honeynet Pros / Cons
Pros Cons • Simple Concept • Poten�ally complex • Collect small data sets of • Need data analysis high value • Only a microscope • Few False Posi�ves • Detec�on by a�ackers • Catch new a�acks • Risk from compromises • • Low False Nega�ves Legal concerns • False nega�ves • Can beat encryp�on • Poten�ally live 24/7 • Minimal hardware • Opera�onally intensive • Real �me aler�ng
9 Implemen�ng Honeypot
10 Recap
Badness Evilness
Noise Malware
Honeypots: Computer resource(s) to be probed and/or attacked
11 Why would you want to do this?
• By right, you should not expect any real ac�vity or traffic to/from/in your honeypot • Detect anomalous ac�vi�es in your network or system? – Infected / Compromised computers – Misconfigura�on • Learn about a�acks in the wild (research) – A�ackers and a�acker techniques – Informa�on Sharing opportuni�es – Improve overall Security
12 Example ‘Network-based A�ack’ Pa�ern
Source/ Host Host (Reposi (Attacker tory) ) 2
1. Connec�on (Or) 2 ini�ated to 1 Honeypot Honeypot
13 What can you learn?
• Hosts that are trying to connect / scan you – Poten�ally already compromised or infected • The payload used a�er successfully gaining access to the honeypot system • Scripts, binaries/executables etc
14 Example of Client-based Honeypot
Honeypot 1. Honeypot ini�ate connec�on Target (Client- Side)
2. Analyse response
15 What you can learn?
• (0-days) or a�acks on the Client Applica�on (i.e. Web Browser) • Learn about hosts / computers that are hos�ng malicious websites –
16 Exercise 1
Let us discuss • What is the difference between IDS and Honeypot? • What are some of the Use Cases for deploying a honeypot or honeynet? • What is the mininum that is required for se�ng up a honeypot? • Look at the previous 2 scenarios, what are the intelligence that we can obtain from implemen�ng 2 types of honeypots?
17
Deploying Honeypots with Publically Available Tools
21 High Interac�on Honeypot
• Think about your goals and objec�ves first • Possible scenario – Setup a real system and make give it an IP address (so it is reachable to something) – i.e. Install a Windows, Linux, Unix server) • Challenging to control & manage – What if a�acker use system to launch a�ack to other systems – Keeping the computer in a usable state
22 Some Examples
• Dionaea (Malware) • Kippo - SSH honeypot • Glastopf – Web Honeypot • Ghost – USB Honeypot • Thug – Client Honeypot
23 Dionaea
• 2nd Genera�on low interac�on honeypot – Python, runs on *NIX – IPv6 Support • Goals – Detect both known and unknown a�acks – Be�er protocol awareness – Vulnerability modules in scrip�ng language – Shell code detec�on using LibEmu • Check out h�p://dionaea.carnivore.it • Learn about a�acks, malware and many more
24 Kippo
• Emulate SSH server – Allow ‘a�acker’ to log-in using creden�als (username and password) – Environment allow limited commands – i.e. ping, who, and wget – Record ac�vi�es (keylog) of a�ackers and their ac�vi�es
25 Glastopf Web Honeypot
• Minimalis�c web server wri�en in Python • Scans incoming HTTP requests strings • Checks for remote file inclusion (RFI), local file inclusion (LFI) and SQL injec�on • Signatures and dynamic a�ack detec�on • A�empt to download a�ack payloads • Search keyword indexing to draw a�ackers • MySQL DB plus web console • Integra�on with botnet monitoring & sandbox • Check out Glastopf.org
26 Ghost
• USB Honeypot • Runs on Windows • Many malware spread across systems using thumbrive (and bypass network containment stragegies) – i.e. Stuxnet, Conficker • Trick malware into thinking that a USB Thumbrive has been inserted • Captures malware wri�en on USB • More: h�ps://code.google.com/p/ghost-usb-honeypot
27 Thug
• Low Interac�on Client-based honeypot to emulate web browser – Browser Personali�es (i.e. IE) – Discovering Exploit Kits, Malicious Websites • Python vulnerability modules: ac�veX controls, core browser func�ons, browser plugins • Logging: flat file, MITRE MAEC format, mongoDB, HPFeeds events + files • Tes�ng: successfully iden�fies, emulates and logs IE WinXP infec�ons and downloads served PDFs, jars, etc from Blackhole & other a�ack kits • More informa�on – h�p://www.honeynet.org/node/827
28 Tools and Projects
• Cuckoo Sandbox • Visualiza�on • The Honeynet Project – HPFeed
29 Cuckoo Sandbox
• Automated Malware Analysis System – Why not just use An�-Virus? • Analyze Windows executables, DLL files, PDF documetns, Office documents, PHP Scripts, Python Scripts and Internet URLs • Windows guest VMs in Virtual Box Linux • Windows hooking / driver plus python modules for extrac�ng and analysing sample execu�ons
30 Cuckoo Sandbox (2)
• Trace of relevant win32 API calls performed • Dump network traffic generated (pcap) • Crea�on of screenshots taken during analysis • Dump of files created, deleted and downloaded by the malware during analysis • Extract trace of assembly instruc�ons executed by malware process • h�p://cuckoobox.org • h�p://www.malwr.com
31 Visualiza�on
• Many of the tools do not really have a GUI • Repor�ng / Presenta�on is key • Many visualiza�on tools – PicViz – A�erglow – Gnuplot – Splunk – Plug-ins or front-end for many of the exis�ng tools
32 The Honeynet Project
• The pla�orm for those interested in running, building and learning from honeypots – h�p://www.honeynet.org • Many Chapters from around the world • Ini�a�ve for informa�on sharing – HP Feeds – h�p://hpfeeds.honeycloud.net
33 Consider!
• Installing and playing with Honeypots to learn about security • Joining the Honeynet Project as a chapter • Sharing your experience and knowledge • Happy Honeypo�ng!
34
• Kippo • Dionaea
35 Ques�ons?
• Thank You! • Email [email protected]
36