Having Honeypot for Better Network Security Analysis

1. Having Honeypot for Better Network Security Analysis A journey with APNIC honeypot A. S. M. Shamim Reza Link3 Technologies Limited shamimreza@link3.net

2. Today's talk Background history and challenges What is this honey things ? Threat Intel?? Use-cases !!!

3. Honeypot – what is it? “a honeypot It's a sacrificial computer system that's intended to attract cyber- attack, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cyber-criminals and the way they are operating or to distract them from other targets. “ – Kaspersky LAB

4. Honeypot – what is it? “a honeypot It's a sacrificial computer system that's intended to attract cyber- attack, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cyber-criminals and the way they are operating or to distract them from other targets. “ – Kaspersky LAB Honeypots are classified as: – Low level interaction – Mid interaction honeypot – High interaction honeypot “Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.” – Michel Oosterhof.

5. Background history – The idea of honeypots began in 1989 with a Publication “The Cuckoo’s Egg” by Clifford Stoll. – First ever Honeypot was released in 1997, called the Deceptive Toolkit. – In 1998 the first commercial honeypot came out, called Cybercop Sting.

6. Background history – The idea of honeypots began in 1989 with a Publication “The Cuckoo’s Egg” by Clifford Stoll. – First ever Honeypot was released in 1997, called the Deceptive Toolkit. – In 1998 the first commercial honeypot came out, called Cybercop Sting. – For me it started, interest, at bdNOG1, 2014 – Planned to host it at Link3 in APRICOT 25, 2020. – Influenced by Adli Wahid, Senior Internet Security Specialist, APNIC Link3 has hosted APNIC Honeypot, as a part of on going project “SOC”.

7. Honeypot – Question to ASK !!! Motivations • What is the primary purpose of the honeypot? • What are you trying to protect? • Are you interested in any attacks, or just ones that could be successful? • Are you interested in learning how the hacker or malware was initially successful? • Are you interested in identifying the hacker or origination point of the malware? • Are you interested in what the hacker or malware did (or wanted to do) after the initial exploit gained entrance to the honeypot? • Are you interested in what tools, techniques, or tactics were used? Based on this brainstorming, you can decide which sort of honeypot you are gonna work with. *** Honeypot Data Analysis. In: Honeypots for Windows. - Roger A. Grimes

8. Honeypot – how is it being useful By Analyzing the traffic towards the Honeypot will help to get – where the cyber-criminals are coming from – the level of threat – what are the methods they are using – what data or applications they are interested in – how well your security measures are working to stop cyber-attack Who Host Honeypot ? – large organization – Security researcher

9. 16,312 4 57 Unique Source IP Adversary script Unique Internal IPs

10. Threat Intel ? SSH – 22 Telnet – 23 98.12% 1.88%

11. Threat Intel ? Those URLs ?? hxxp://1.2.3.4/bot.x86_64 – Reported as C2C server. – Since June 2020

12. Threat Intel ? Those URLs ?? hxxp://1.2.3.4/bot.x86_64 – I need to know the detail of these files, so I have taken it to hybrid analysis. And The Kaspersky LAB says - “Usually malware of this family is used to perform DDoS attacks.”

13. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171 Open Ports – 22 80 443

14. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171 First Report – 18 August 2020 Last report – 25 August 2020 – Mostly Scan for SSH port – patterns show they are looking for Honeypots.

15. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171

16. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh

17. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh

18. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh This IP from USA serves the scripts, and the script download another 10 scripts from Canada.

19. Threat Intel ? Few things to remember while working with Honeypot or similar. 1. All those script check was performed in a strict LAB environment. 2. NMAP scan and web-URL check was followed the same procedure (as 1). 3. If you do not take proper precautions, things might get worse and make you the victim accidentally

20. What about the internals !!! What I do, when I got any notifications at slack – Run nmap scan to get the port/service info of the device, associated with the IP. – Search for the DNS query history for the respective IPs. – Search for the type of the client in to our Client-Database. – Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly. – Analyze the data, and try to find out the story behind it. – Recommend some best practices to the respective clients accordingly.

21. What about the internals !!! What I do, when I got any notifications at slack – Run nmap scan to get the port/service info of the device, associated with the IP. – Search for the DNS query history for the respective IPs. – Search for the type of the client in to our Client-Database. – Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly. – Analyze the data, and try to find out the story behind it. – Recommend some best practices to the respective clients accordingly. Devices that are related to those 57 IPs So let us watch a story on the next few slides Device Name Version % Mikrotik Router < 6.46.6 92% Zyxel Router Backdated firmware 2.1% DVR System Backdated firmware 4.2% Netgear Router Backdated firmware 1.78%

22. What about the internals !!! one CCIE got it covered? – Slack gives me an alert, and I let my CS team knew to work on that particular client. – 2 days later I got alert for the same IP, me again knock my CS team to work on it. – 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ? – they replied, on second day client IT concern replied

23. What about the internals !!! one CCIE got it covered? – Slack gives me an alert, and I let my CS team knew to work on that particular client. – 2 days later I got alert for the same IP, me again knock my CS team to work on it. – 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ? – they replied, on second day client IT concern replied “i am a CCIE, I know what is happening in my network, you guys dont have to bother me again & again” So the challenge begins for me → → → [192.168.0.133 ← Faked the User’s IP for demonstration purpose]

24. What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→

25. What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→ – At the same time, I have set a logic at my NetFlow server to give me associated info. Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1 2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1 2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1 2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1 2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1 2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1 2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1 2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1 2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1 2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1 2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1 2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s

26. What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→ – At the same time, I have set a logic at my NetFlow server to give me associated info. Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1 2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1 2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1 2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1 2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1 2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1 2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1 2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1 2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1 2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1 2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1 2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s Noticed something

27. What about the internals !!! what I was doing ? – Searched the IP at AbuseDB and Other Places. – and the reputation was not good; actually it was worse

28. What about the internals !!! what I was doing ? So I have got what I need, to talk to him. – the conversation was like … …. … … … … … … … … … .. .. .. .. .. .. .. – I finally managed to convince him that, he is not responsible for anything, rather there is something bad is happening and I am here to help only. – but I didnt get any Netflow or Packet-Capture data from him. SO me only have options to monitor the activities of that IP.

29. What about the internals !!! what I was doing ? So I have got what I need, to talk to him. – the conversation was like … …. … … … … … … … … … .. .. .. .. .. .. .. – I finally managed to convince him that, he is not responsible for anything, rather there is something bad is happening and I am here to help only. – but I didnt get any Netflow or Packet-Capture data from him. SO me only have options to monitor the activities of that IP. Update: since September 2020 I dont get any hit from that IP.

30. SO the benefits of having APNIC Honeypot in place – Before having APNIC honepot in place, we didn't have any direct info of which IP or its internal LAN is compromised. – Though Cowrie is for only ssh & telnet service, but still the logs gives some meaning full info to study on. And we are planning to host some other honeypot aswell. – Since 2013/2014 we have been maintaining security policy strictly, which are fine tuned on a regular basis. – Hosting APNIC honeypot is a low cost solution. – Info-graphic dashboard gives a greater view, like - which region is performing most of the attack.

31. “There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.” Donald Rumsfeld, Known and Unknown: A Memoir ‘‘ ‘‘

32. Thank You for your attention shamimrezasohag Contact with Me | asmshamimreza sohag.shamim

Having Honeypot for Better Network Security Analysis

Having Honeypot for Better Network Security Analysis

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Having Honeypot for Better Network Security Analysis

Similar to Having Honeypot for Better Network Security Analysis(20)

More from Bangladesh Network Operators Group

More from Bangladesh Network Operators Group(20)

Recently uploaded

Recently uploaded(20)

Having Honeypot for Better Network Security Analysis