
LT02 IDNOG04 - Charles Lim (Indonesia Honeynet Project) - Using Honeypot to detect WannaCry Worm



Published in: Internet


  1. ID NOG – Charles Lim, Mario Marcello – Next Gen Dionaea Honeypot
  2. Honeypot
     • A Honeypot is:
       – a system that is designed to be exploited, whether through emulated vulnerabilities, real vulnerabilities, or weaknesses.
     • “Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.” Source: Malware Analyst Cookbook
  3. Honeypot
     • Two types of Honeypot:
       – Low Interaction
         • Simulates the services most frequently requested by attackers
         • E.g. Dionaea, Kippo, Honeytrap
       – High Interaction
         • Imitates the activities of real systems that host a variety of services
         • E.g. HiHAT
         • A virtual machine is commonly used for ease of maintenance
  4. Honeypot – Why?
     • We have used IDS in the past – what we have learned:
       • Only known attacks are detected
       • Unknown attacks are not detected
       • Many false positives (if not properly tuned)
     • We use a honeypot to:
       – Understand what the attacker is doing, i.e. the behavior of the attack
       – Both low interaction and high interaction have their own advantages and disadvantages
  5. Services (Old Dionaea Honeypot)
     • SMB • HTTP/HTTPS • FTP • TFTP • MSSQL • MySQL • SIP
  6. New services available in the next gen Dionaea Honeypot
     • EPMAP • FTP • HTTP • MongoDB • MQTT • MSSQL • MySQL • PPTP • SIP (VoIP) • SMB • TFTP • UPnP
  7. Cyber Attack Statistics by KOMINFO, supported by HONEYNET
  8. Deploy Honeypot
  9. Detecting WannaCry
     • Dionaea opens an SMB service and allows the vulnerability to be exploited (the remote side may run exec and ping commands via DoublePulsar)
  10. References
     • http://www.honeynet.org/node/1353
     • https://dionaea.readthedocs.io
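Slide 9 describes detecting WannaCry by letting the honeypot's SMB service be hit; the worm's most visible trait at a sensor is a single source sweeping port 445 across many hosts in a short time. The script below is an added example, not code from the presentation or from the Dionaea project: it parses connection records in a simple made-up text layout (not Dionaea's own log format), groups them by source, and flags any source that reached the SMB port on several sensor addresses within a short window. The sample log lines, sensor addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a made-up layout (NOT Dionaea's log format):
# <ISO timestamp> <source ip>:<port> -> <sensor ip>:<port> <service>
# 10.0.5.23 hits four sensors on 445 within seconds (worm-like sweep);
# 10.0.9.4 touches two sensors half an hour apart (not flagged);
# 203.0.113.7 is an unrelated HTTP probe.
SAMPLE_LOG = """\
2017-05-13T10:00:01Z 10.0.5.23:49211 -> 192.0.2.10:445 smbd
2017-05-13T10:00:02Z 10.0.5.23:49212 -> 192.0.2.11:445 smbd
2017-05-13T10:00:02Z 10.0.5.23:49213 -> 192.0.2.12:445 smbd
2017-05-13T10:00:03Z 10.0.5.23:49214 -> 192.0.2.13:445 smbd
2017-05-13T10:00:09Z 203.0.113.7:51000 -> 192.0.2.10:80 httpd
2017-05-13T10:00:40Z 10.0.9.4:40001 -> 192.0.2.10:445 smbd
2017-05-13T10:30:00Z 10.0.9.4:40002 -> 192.0.2.11:445 smbd
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$"
)


def parse_log(text):
    """Parse the constructed record layout into a list of event dicts; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sensor, port, service = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "sensor": sensor,
            "port": int(port),
            "service": service,
        })
    return events


def find_smb_sweeps(events, window=timedelta(seconds=60), min_sensors=3, port=445):
    """Return {source_ip: distinct_sensors} for sources that reached `port` on at
    least `min_sensors` different sensor addresses inside any `window`-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e["port"] == port:
            by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        # Slide a window that starts at each event and count distinct sensors inside it.
        for i, first in enumerate(evs):
            sensors = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                sensors.add(e["sensor"])
            best = max(best, len(sensors))
        if best >= min_sensors:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_smb_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"possible SMB worm sweep from {src}: {n} sensors within 60s")
```

A real deployment would feed this from the honeypot's own connection records and tune `window` and `min_sensors` to the number of sensor addresses available; the point of the example is that a honeypot with several listening addresses makes a worm's lateral scanning stand out without needing a signature for the exploit itself.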
