
2018 - Using Honeypots for Network Security Monitoring
A strong detection and response capability is required for the success of a security program, because prevention eventually fails and a motivated attacker can always find a way in. However, economics are not in favor of network security monitoring (NSM). Due to the hardware, software, and labor required, it's expensive to deploy an NSM capability and to hire qualified analysts to maintain it and investigate the high volume of alerts, especially at scale.

In this presentation I'll discuss how honeypots are re-emerging as a practical solution for driving down the cost of network security monitoring. These aren't your traditional honeypots meant to sit outside the firewall to research automated malware. These are focused, use-case-specific honeypots that are designed to provide detection with a favorable signal-to-noise ratio. By integrating honeypots into your NSM strategy and taking a targeted approach, a grid of honeypots can realistically become your most cost-effective detection tool. I'll make the case for honeypots like these and discuss implementation strategies that I've seen work. You should come away from this presentation with a unique perspective on honeypots and an actionable plan you can use to start evaluating and deploying tactical honeypots in your network.

Published in: Technology

  1. CHRIS SANDERS. Twitter: @chrissanders88 | Mail: | Researcher | Author | SANS GSE #64 | BBQ Pitmaster
  2. Agenda
     • What is the history of honeypots?
     • Why aren’t honeypots used more?
     • How can I use honeypots for detection?
     • What are common misconceptions about honeypots?
     • What honeypots can I deploy?
  3. Meet Cliff Stoll!
  4. Monitoring the Attack
  5. The Honeypot (1986)
  6. The Cuckoo’s Egg
  7. Meet Bill Cheswick!
  8. The Honeypot (1991)
  9. An Evening with Berferd (1991)
  10. The Honeynet Project (1999)
  11. Honeypot Timeline: Formative Years
     • 1986: Cliff Stoll creates the SDINET honeypot
     • 1989: The Cuckoo's Egg published
     • 1992: An Evening with Berferd
     • 1997: Deception Toolkit released
     • 1998: CyberCop Sting released
     • 1999: Honeynet Project begins
     • 2003: Honeyd released
     • 2003: Honeypots (Spitzner) published
     • 2008: Honeynet Project monitors MS08-067
  12. Disappearance of Production Honeypots
     • Reasons:
       • Most publications focused on research
       • Lack of great tooling
       • A lot of baggage with the term
     • Slow re-emergence:
       • 2013: Applied NSM, Chris Sanders
       • 2015: Bring Back the Honeypots, Haroon Meer
       • 2016+: Multiple deception vendors enter the space
     (chart: production vs. research honeypots)
  13. What is a honeypot? A honeypot is a security resource whose only value lies in being probed or attacked. Four properties: Deceptive, Discoverable, Interactive, Monitored.
  14. Research Honeypots
     • Deceptive: Designed to appear vulnerable to exploitation
     • Discoverable: Placed outside the firewall on the public internet
     • Interactive: Provide high interaction
     • Monitored: Logged for later review
  15. Detection Honeypots. Nobody should ever talk to a honeypot.
     • Deceptive: Appear valuable by representing org resources
     • Discoverable: Placed inside the network
     • Interactive: Provide minimal interaction
     • Monitored: Configured to log/alert when touched
  16. Home Field Advantage. You want the attacker to SEE systems, services, or data that are actually honeypots. You want the attacker to THINK the honeypots are valuable. You want the attacker to DO something that causes an interaction with the honeypot. What is valuable on your network? (diagram: attacker foothold, compromise path, valuable data)
  17. SoupCorp Distribution Data
     • Windows Workstations
     • Database Server: contains customer information; managed via SSH
     • Web App Server: queries data from the DB server; managed via SSH
  18. SSH Honeypot: The Attacker
     • See: A system advertising open port 22.
     • Think: It’s valuable because it is surrounded by other valuable servers.
     • Do: Scan, connect to, or authenticate to the SSH service.
  19. SSH Honeypot: The Honeypot
     • Deceptive: A service mimicking SSH access to a production system
     • Discoverable: Responds to network requests
     • Interactive: Responds to authentication requests
     • Monitored: Generates alerts on
  20. SoupCorp Recipe Data
     • File Server: employee data; secret soup recipes
     • Workstations: mount network drives to the file server
  21. File Server Honeytoken: The Attacker
     • See: An Excel file.
     • Think: It’s valuable because it has an enticing name and is surrounded by other valuable files.
     • Do: Open, copy, or move the file.
  22. File Server Honeytoken: The Honeypot
     • Deceptive: An Excel document containing no production data.
     • Discoverable: Placed among other files on a real network share.
     • Interactive: Can be opened like a normal Excel doc.
     • Monitored: Generates logs/alerts on access, open, or modification.
  23. See-Think-Do
     • See: At what points on the network will the attacker have visibility to sensitive assets?
     • Think: What kind of honeypot can I deploy that will appear valuable to the attacker?
     • Do: How can the attacker interact with the honeypot in a way that is enticing to them, and meaningful to me?
  24. AWS Credential Honeypot
     1. Create AWS IAM credentials with no permissions.
     2. Set up CloudTrail/CloudWatch to notify on key usage.
     3. Spread references to the credentials in meaningful locations: developer laptops, configuration files, ~/.aws/credentials.
  25. Tracking E-Mail Usage
     1. Create a unique e-mail account to register for a service.
     2. Monitor the inbound e-mail to that account.
     3. Set up a rule that forwards the e-mail to a centralized location if it is not from an expected sender.
  26. DHCP Rogue Device Honeypot
     1. Assign static IP addresses in sensitive ranges.
     2. Enable DHCP for the range, but segment network access for dynamic assignments.
     3. Log DHCP assignments and alert on assignments in this range.
  27. Honey Tables / Records
     • Access-Based Strategy:
       1. Create an appealing database table with no production value.
       2. Log database queries.
       3. Monitor queries containing references to the honeytable and alert on access.
     • Token-Based Strategy:
       1. Create a user/password database table.
       2. Populate the table with fake credentials.
       3. Monitor authentication logs for attempts to use the fake credentials.
  28. Your First Honeypot
     1. Browse to https://canarytokens.org
     2. Create a Word document honeytoken.
     3. Scatter it amongst locations containing valuable documents.
     4. Wait.
  29. Recommended Honeypot Software
     • Honeypots: OpenCanary, Tom’s Honeypot, Cowrie (SSH), RDPY (RDP)
     • Management: Ansible, Docker, Chef
     • Alerting: Windows Logs, Suricata, Bro, SIEM, ELK
  30. References
  31. Thank You! Mail: | Twitter: @chrissanders88 | Blog: | Training: | Slides:
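The alerting half of the AWS Credential Honeypot procedure (slide 24), as an added example that is not part of the deck: a CloudTrail record scan that fires on any appearance of the permissionless honey key. The key ID, user names, IP addresses and the two records are constructed; only the CloudTrail field names (userIdentity.accessKeyId, eventName, errorCode, and so on) are real.

```python
"""Alert on any use of a permissionless honey IAM key in CloudTrail records.
Added example for slide 24; not the talk's code. Assumes the standard
CloudTrail file layout (a JSON object whose "Records" list holds events)."""
import json
from typing import Iterable

HONEY_KEY_IDS = {"AKIAHONEYTOKEN0000001"}  # constructed placeholder key ID

# Constructed CloudTrail-style records: one real-key event, one honey-key event.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2018-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAREALKEY0000000001"}},
    {"eventTime": "2018-05-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": "AKIAHONEYTOKEN0000001"},
     "errorCode": "AccessDenied"},  # key has no permissions, so the call fails
]})

def honey_key_alerts(cloudtrail_json: str, honey_keys: Iterable[str]) -> list:
    """Return one alert per record whose accessKeyId is a honey key.
    Nothing legitimate ever holds this key, so its mere appearance is the
    signal; errorCode is reported for context but never used to filter."""
    honey = set(honey_keys)
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        ident = rec.get("userIdentity", {})
        if ident.get("accessKeyId") in honey:
            alerts.append({"time": rec.get("eventTime"),
                           "key": ident["accessKeyId"],
                           "user": ident.get("userName"),
                           "action": f"{rec.get('eventSource')}:{rec.get('eventName')}",
                           "src_ip": rec.get("sourceIPAddress"),
                           "outcome": rec.get("errorCode", "Success")})
    return alerts

if __name__ == "__main__":
    for a in honey_key_alerts(SAMPLE_CLOUDTRAIL, HONEY_KEY_IDS):
        print("HONEY KEY USED:", a)
```

Because the key carries no permissions, the event will almost always be an AccessDenied, which is exactly why the filter keys on the access key ID rather than on success.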
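Both monitoring steps of the Honey Tables / Records slide (27), as an added example that is not part of the deck: the access-based strategy matches query-log lines that name the honeytable, and the token-based strategy matches authentication attempts with usernames that exist only in the fake credential table. The log formats, table name, usernames and all sample lines are constructed for the demonstration.

```python
"""Honey table (access-based) and honey record (token-based) detection.
Added example for slide 27; not the talk's code. Assumes MySQL general-log
style query lines and a simple key=value auth log; all samples are constructed."""
import re

HONEY_TABLES = {"customer_cc_backup"}        # constructed honey table name
HONEY_USERS = {"svc_backup_ro", "jdoe_old"}  # constructed fake credentials
# Constructed query log: "<time> <connection id> Query <sql>"
QUERY_LOG = """\
2018-05-01T12:00:01 42 Query SELECT id, name FROM customers WHERE id = 7
2018-05-01T12:00:09 42 Query SELECT * FROM customer_cc_backup LIMIT 100
2018-05-01T12:00:20 44 Query select count(*) from CUSTOMER_CC_BACKUP
""".splitlines()
# Constructed auth log: "<time> auth user=<name> result=<ok|fail> src=<ip>"
AUTH_LOG = """\
2018-05-01T12:01:00 auth user=alice result=ok src=10.0.0.5
2018-05-01T12:01:30 auth user=svc_backup_ro result=fail src=10.0.0.99
2018-05-01T12:01:31 auth user=bob result=fail src=10.0.0.6
""".splitlines()
_QUERY_RE = re.compile(r"^(\S+) (\d+) Query (.*)$")
_AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) result=(\S+) src=(\S+)$")

def honey_table_hits(lines, tables=HONEY_TABLES):
    """Access-based: any query naming a honey table is an alert. Whole-word and
    case-insensitive, so customer_cc_backup_v2 stays quiet but CUSTOMER_CC_BACKUP fires."""
    pat = re.compile(r"\b(" + "|".join(map(re.escape, tables)) + r")\b", re.I)
    hits = []
    for line in lines:
        m = _QUERY_RE.match(line)
        if m and pat.search(m.group(3)):
            hits.append({"time": m.group(1), "conn": m.group(2), "sql": m.group(3)})
    return hits

def honey_user_hits(lines, users=HONEY_USERS):
    """Token-based: the fake usernames exist only inside the honey table, so a
    login attempt with one means the table was read; failures count as much as successes."""
    hits = []
    for line in lines:
        m = _AUTH_RE.match(line)
        if m and m.group(2) in users:
            hits.append({"time": m.group(1), "user": m.group(2),
                         "result": m.group(3), "src": m.group(4)})
    return hits

if __name__ == "__main__":
    for h in honey_table_hits(QUERY_LOG) + honey_user_hits(AUTH_LOG):
        print("HONEY HIT:", h)
```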