Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).

1. Finding the Sweet Spot
Counter Honeypot Operations (CHOps)

2. Intro
Jon Creekmore
Independent Security Researcher
www.LinkedIn.com/in/MrCreekmore
Executive Director – Cyber Discovery Group
www.DiscoverCyber.org
Vice President – Augusta Locksports
www.AugustaLocksports.org

3. def Jon()
• Recent vet from the DOD and CYBERCOM…
• Bunch o’ certs…
• CSRA Chapter President - ISC2
• Loves to help people, a lot…
• Lifelong learner and PhD candidate from a Cyber
Center of Excellence…
• Still no idea of what to do with NOPS...

4. Agenda
• CHOps Overview
• Why CHOps?
• Honeypots
• The Defenders
• Detection
• Collection
• Active Defense
• Counter-Intel
• Deception Methodology
• ROE
• Init RedTeam()
• Evaluating Success
• Owning the Chain
• Counter-Deception
• Import CHOps.win
• Summary
• Questions

5. CHOps Overview
• Counter Honeypot Operations (CHOps) Framework
• Designed to be a community driven open source
methodology framework to establish the best
techniques for engaging and defeating honeypots
• Also backing the push for a common methodology
in deception as a domain of security

6. Why CHOps
• As deterrence strategies evolve, so will the need to
overcome the deception controls
• CHOps is focused to be useful for red team
personnel, penetration testers, auditing teams,
and other lawful parties
• Counter-Deception skills are being greatly
developed by the real bad guys and white hats
need to come together and share info on these
skills to out-pace the threat

7. Why CHOps
• As deterrence strategies evolve, so will the need to
overcome the deception controls
• CHOps is focused to be useful for red team
personnel, penetration testers, auditing teams,
and other lawful parties
• Counter-Deception skills are being greatly
developed by the real bad guys and white hats
need to come together and share info on these
skills to out-pace the threat

8. Honeypots
• Deception devices used to help prevent, deter,
detect, or mitigate the adverse effects to a system
or environment
• Commonly designed to look like real systems and
services to fool attackers
• Great source of both technical protection and also
intelligence for security personnel

9. Honeypots
• Commonly come in four categories:
• No Interaction:
-Simulates an open port, but not much more
• Low Interaction:
Port with some level of working service
• Mid Interaction:
Port, service, and at least a reasonable level of function
• High Interaction:
Fully working platform which can be compromised and
operate with complex actions

10. The Defenders
• Security personnel who deploy and use honeypots
• They have the “high ground”
• Well versed in the environment and their intent is
pre-identified
• Anticipating attacks

11. The Defenders
• Assume they control you
• Deployment flaws
• Downstream Liability
• Likelihood of Harm x Gravity of Result
/ Burden to Avoid

12. The Defenders
• Some common pots:
• Honeyd
• Kippo
• Cybercop Sting
• ManTrap
• Deception Toolkit
• Tripwire
• BearTrap
• Nova
• Artillery
• Conpot
• Dionea
• Glastoph
• KFSensor

13. The Defenders
• What a good pot must have…
• Emulated Service
• Full Service
• Logical Service Patterns
• Working Known Exploits
• Zero-Day Exploitable

14. Detection
• Some honeypots are deployed for detection
purposes to simply know when harm is near
• Most commonly no, low, and mid interaction
• Setup with common services in order to look real
• Connected to back-end SIEM, NetMon, and more
to be able to alert or at least record when
interaction has occurred

15. Collection
• These honeypots are often mid and high level
• Can collect behaviors, inputs, activities, intent, and
much more on an attacker
• Used to support intelligence operations
• Can lend aid to developing advanced protection
controls and aid in attribution

16. Active Defense
• The practice of developing response actions to an
attacker in order to protect the assets and to acquire
evidence
• Very ethically concerning at times due to rights
• Can also lead to excessive compromise and collateral
damage
• Requires a great amount of skill/resources to effectively
deploy

17. Counter-Intel
• The art of controlling, manipulating, and
presenting information to mislead or falsify
information to an adversary
• Used in an advanced strategy to provide an
additional layer of protection to the mission
• Requires constant evolution and refinement to
work best and with confidence

18. Deception Methodology
First, the kill chain…
• Recon
• Weaponization
• Delivery
• Exploitation
• Infiltration
• Command and Control (C2)
• Actions and Objectives

19. Deception Methodology
First, the kill chain…
• Delivery and Exploitation are where honeypots are
most utilized
• Knowing this framework can give an advantage to
the defense in anticipating the actions of attackers

20. Deception Methodology
What they believe:
• Attacker has the advantage
• Attacker has flexibility, is agile
• Need to focus on the attacker, not the attack
• We know where the attacker can be
• Honeypots are not just tech, but a methodology
• Dynamic Defense is maneuverable
• Deception Oriented Architecture is Key

21. Deception Methodology
How they perceive attacker methods:
OODA

22. Deception Methodology
Some of what they will be doing:
• Attractive Naming
• Inaccessibility on the LAN
• Stealthy Layered Logging
• Cryptic Logging
• Network Sniffing
• Baselining
• It is economic!

23. Rules of Engagement
• DEFENDERS NORMALLY HAVE SOME KIND OF ROE
• Knowing this can greatly aid in counter-deception
efforts and CHOps
• Many organizations follow ROE guidance from
laws/regs/policies/etc.

24. Init RedTeam()
• The Red Team is an authorized, ethical, and legal
party provided offensive security services to help
improve security operations
• There are a great deal of healthy offsec skills, tools,
services, and more out there today
• Access to effective counter-deception solutions are
limited and often expensive to develop

25. Evaluating Success
• As a framework, there needs to be clear
milestones for success and evaluation
• It is okay to assume that some degree of
compromise for a red team will occur
• The end goals of a counter-deception campaign is
to prove that there is room to more effectively
conduct deception efforts, in this case…...
Honeypot Operations ;-)

26. Owning the Chain
• Breaking it down a bit more, CHOps can also use
the kill chain to also develop, supervise, and
evaluate, which is pretty neat!
• Developing great honeypots is an art, so is
overcoming them, it is not all technical flaws in the
solutions, think about the behavior of the people
• Defense knows the prevention is ideal, but
detection is a must today, get in and leave with
more than they realize you came for…

27. Owning the Chain
• Understanding the deception chain is key to
developing effective counter-deception strategies
and building out the CHOps Framework
• Gadi Evron demonstrated this at Honeynet2014
very well and framed what the metrics and factors
are surrounding attacks in an environment
• Similar to the OSI, but focused more on the next
layer of security; deception

28. Owning the Chain
• Deception Chain OSI (Evron, 2014)
OSI
Model/
Attack
Stages
Penetration
Lateral
Movement
Command
and
Control
Actions
on
Objective
Data
Exfiltration
Covering
Tracks
Intelligence
Data
Application
Host
Domain
Network
Physical

29. Brute Force on FTP
• Deception Chain OSI (Evron, 2014)
OSI
Model/
Attack
Stages
Penetration
Lateral
Movement
Command
and
Control
Actions
on
Objective
Data
Exfiltration
Covering
Tracks
Intelligence
Data
Application x x x
Host x x x
Domain ? ?
Network x x
Physical

30. Owning the Chain
• Scenario Example:
• A pen tester has discovered an FTP server in the
environment.
• He has decided to attempt to run a brute-force tool to
attempt to penetrate into the service and host.
• After success, he enumerates a list of files, retrieves two
of them, and uploads one file named evil.php for later
testing through the web app service on the box

31. Counter-Deception
• Defense assumes that attackers will have modeled
behavior patterns which provide precursors to their
intention and courses of action in the network, let them
think they are right
• Like attackers, defenders also have a great deal of
known common modeled behaviors, we know they are
logging, watching, manipulating, but the key is simply
cost/effectiveness
• Target their Total Cost of Ownership (TCO) and work
just over it, or look at where the “tipping point” in their
procedures might be…

32. Counter-Deception
• Now let’s look at the scenario from the CHOps
point-of-view…
• The attacker did brute force the FTP service
• He knew this was going to be logged, and there are often
log file based local attacks, he crafted a word list for his
tool which will also create suspicious payload-like entries
for deception to the defenders to redirect attention away
from the evil.php
• Or, he knew defenders often use the words used for
passwords in brute-force attempts to develop word lists
for defense, the attacker used specially encoded
passwords which some tools will have issues parsing

33. Import CHOps.WIN
• At the core, CHOps is (as of the current version), a
framework which will guide offsec professionals
with a guide on the best way to go step-by-step,
piece-by-piece, into getting a better ROI for
engaging with honeypots
• It is essentially designed to be a decision model,
but will also extend to be a multi-faceted tool to
help build intel on defensive deception capabilities

34. Import CHOps.WIN
We have some things we know:
Detect – Deny – Disrupt – Degrade – Destroy
(JP 3-13, Joint Doctrine for Information Ops)
These are the objectives of the defense.
By using our own intel and recon we can predict and
possibly even defeat the defense.

35. Import CHOps.WIN
Start here…
• Detect:
• Single to Few Ports, Connection Based, Easy Access
• Deny:
• Excessive Ports, No Banners, RST Packets
• Disrupt:
• Broken File Transfers, Locked Down Files, Restricted
Commands
• Degrade:
• False Banners, Erroneous Error Codes, Broken Configs
• Destroy:
• IP Bans, File Encryptions, Account Revocation

36. Import CHOps.WIN
Once the deception objectives are determined, we can
know develop an effective counter-deception…
Scenario:
A pen tester has been contracted for a company to black
box test its main office. After a little OSINT, the attacker
knows the company has some DNS records to some web
servers. She sees that there are two web servers for the
company and scans both. After several route scans, she
notices that one web server has not returned the same
routing scheme once and the last few hops seem to keep
rotating similar IP addresses, but the last address is the
same…

37. Import CHOps.WIN
Some possible options…
1. The defense has setup a honeypot that switches up
routing schemes based on certain scan attempts and
the defense is attempting to degrade the reliability of
the intel gathered from the honeypot web server
2. The defense has setup a honeypot routing device which
load balances certain traffic based on indicators which
send possibly malicious traffic through an appliance
3. 3.14159265359… possibilities, but that’s the point ;-)

38. Import CHOps.WIN
Some CHOps Techniques
• Default Response Identification
• Application Error Handling
• OS Fingerprinting
• TCP Sequence Analysis (see also Red Pill)
• ARP Addresses
• Much more…

39. Import CHOps.WIN
• CHOps is still in early development
• There is a need to come together and share not only
the data on honeypot engagements, but also to
develop metrics to help effectively identify, detect,
assess, and overcome honeypot technologies to
accomplish better offsec services
• Many professionals keep their effective counter-
deception techniques and strategies to themselves, but
by information sharing, the good guys can make leaps
ahead of the bad guys and grow the field

40. Summary
• CHOps is still in early development
• There is a need to come together and share not only
the data on honeypot engagements, but also to
develop metrics to help effectively identify, detect,
assess, and overcome honeypot technologies to
accomplish better offsec services
• Many professionals keep their effective counter-
deception techniques and strategies to themselves, but
by information sharing, the good guys can make leaps
ahead of the bad guys and grow the field

41. References
• Evron, G. (2014). #Honeynet2014 - Gadi Evron - Cyber
Counter Intelligence: An attacker-based approach.
• Martin, W. (2001, May 25). Honey Pots and Honey Nets -
Security Through Deception. Meer, H., & Slaviero, M. (2015).
Bring Back the Honeypots. Retrieved from
https://www.youtube.com/watch?v=W7U2u-qLAB8
• Rowe, N. C., Custy, E. J., & Duong, B. T. (2007). Defending
Cyberspace with Fake Honeypots.JCP, 2(2).
doi:10.4304/jcp.2.2.25-36
• Sochor, T. (2016). Low-Interaction Honeypots and High-
Interaction Honeypots. Internet Threat Detection Using
Honeypots, 1172-2183. doi:10.4018/978-1-4666-9597-9.les2
• Spitzner, L. (2003, December). Honeypots: Catching the
Insider Threat. Sysman, D., Evron, G., & Sher, I. (2015).
Breaking Honeypots For Fun And Profit.

42. Additional Resources
• The Honeynet Project: www.honeynet.org

43. Additional Resources
• Honeypot Hunter:
• http://www.send-safe.com/honeypot-hunter.html

44. Additional Resources
And of course, the Honeyhuman…
• Brian Krebs:

45. Questions?