Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Deceive to Detect: 
Using Canary Honeypots for 
Network Security Monitoring 
Chris Sanders 
Charleston ISSA 
November 2014
Chris Sanders 
• Christian & Husband 
• Kentuckian and South 
Carolinian 
• MS, GSE, et al. 
• Non-Profit Director 
• BBQ ...
Chris Sanders 
“[Practical Packet Analysis] gives you everything you need, step by step, to become 
proficient in packet a...
Outline 
Objectives: 
 Traditional Honeypots 
 Canary Honeypot Architecture 
 Honeypot Platforms 
• Honeyd 
• Kippo 
• ...
***Disclaimer*** 
• Tactics in this presentation may be 
controversial, depending on your viewpoint. 
• Only orgs with mat...
Traditional Honeypot Design 
• Intentionally Vulnerable System 
• Designed to Mimic Real Services 
• Easily Compromised
Traditional Honeypot Uses 
• Specific Research Purposes 
• Tracking Unstructured Threats 
– Commodity Malware 
– Opportuni...
How can honeypots be useful for 
operational purposes?
US Information Ops Doctrine 
• US DoD JP 3-13 IO Capabilities* 
– Detect 
– Deny 
– Disrupt 
– Degrade 
– Destroy 
– Decei...
Let’s Take Honeypots Farther…
Kentucky is Coal Country
Coal Mining is Hard
Coal Mining is Dangerous
Canaries for Methane Detection
Enter Canary Honeypots 
• Deceive to Detect 
• Honeypots for 
Detection 
1. Placed Inside the 
Network 
2. Mimic Existing ...
Making the Case 
• How do you detect a malicious user logging in 
to a Windows system? 
– Multiple Failed Logins 
– Weird ...
Honeypots in the Attack Life Cycle
Attackers Get Sloppy
High vs. Low Interaction 
• High Interaction... 
– Real Operating 
System 
– Real Services 
– Locked Down 
– Detailed Logg...
Exploitable vs. Non-Exploitable 
• Exploitable... 
– Mimic Services 
– Contain 
Vulnerabilities 
– Designed to be 
Comprom...
Canary Honeypot Architecture 
1. Identify the Devices or Services to be 
Mimicked 
2. Determine Honeypot Placement 
3. Dev...
Identify Devices/Services to Mimic 
• All About Risk - What is your biggest fear? 
• How would attackers exploit that? 
• ...
Determine Honeypot Placement 
• Close to the Asset Being Mimicked 
• Ability to Transmit Logs 
• Limit Communication of Hi...
Determine Honeypot Placement (cont.)
Develop Alerting and Logging 
• Logging 
– High Interaction – OS Logs, HIDS 
– Low Interaction – Software Logs 
– Network ...
Honeypot Software
Honeyd 
• The father of honeypots 
• Developed by Neil Provos 10+ years ago 
• Low Interaction 
• Can mimic operating syst...
Honeyd Config 
create default 
set default default tcp action block 
set default default udp action block 
set default def...
Honeyd Config (cont.) 
add ansm_winserver_1 tcp port 135 open 
add ansm_winserver_1 tcp port 139 open 
add ansm_winserver_...
Running Honeyd 
• Running Honeyd 
sudo honeyd –d –f /etc/honeypot/ansm.conf 
• Scan Results
Honeyd Logging
Honeyd Alerting 
alert ip !$TRUSTED_MS_HOSTS any 
->$MS_HONEYPOT_SERVERS [135,139,445] 
(msg:“Attempted Communication with...
Extended Service Emulation 
• Emulate an ISS Web Server 
add ansm_winserver_1 tcp port 80 “sh 
/usr/share/honeyd/scripts/w...
Kippo SSH Honeypot 
• Low Interaction SSH Honeypot 
• Provides a Fake File System 
• Detailed Logging and Replay 
• Writte...
Kippo Demo
Kippo Alerting 
alert tcp $HONEYPOT_SERVERS $SSH_PORTS ->any any 
(msg:“ET POLICY SSH Server Banner Detected on 
Expected ...
Tom’s Honeypot 
• Developed by Tom Liston of InGuardians 
• Low Interaction Multi-Protocol Honeypot 
• Emulates RDP, VNC, ...
Tom’s Honeypot – RDP
Tom’s Honeypot – More
Honeydocs 
• Documents designed to “phone home” when 
opened. 
• Placed with/near other critical documents 
• Honeydocs sh...
Honeydoc Manual Example
Honeydoc Manual Example
Honeydoc Automated Example
MHN: Modern Honey Network 
• Centralized Management 
• Web Interface w/ RESTful API 
• http://threatstream.github.io/mhn/
Conclusion 
• Honeypots aren’t just for research! 
• They can be useful for intrusion detection. 
• Great care should be t...
Thank You! 
E-Mail: chris@chrissanders.org 
Twitter: @chrissanders88 
Blog: http://www.chrissanders.org 
Book Blog: http:/...
Using Canary Honeypots for Network Security Monitoring
Upcoming SlideShare
Loading in …5
×

Using Canary Honeypots for Network Security Monitoring

20,884 views

Published on

In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.

Published in: Technology
  • Be the first to comment

Using Canary Honeypots for Network Security Monitoring

  1. 1. Deceive to Detect: Using Canary Honeypots for Network Security Monitoring Chris Sanders Charleston ISSA November 2014
  2. 2. Chris Sanders • Christian & Husband • Kentuckian and South Carolinian • MS, GSE, et al. • Non-Profit Director • BBQ Pit Master
  3. 3. Chris Sanders “[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.” “[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” – Amazon Reviewers
  4. 4. Outline Objectives:  Traditional Honeypots  Canary Honeypot Architecture  Honeypot Platforms • Honeyd • Kippo • Tom’s Honeypot • Honeydocs “How can I use honeypots as an effective part of my detection strategy?”
  5. 5. ***Disclaimer*** • Tactics in this presentation may be controversial, depending on your viewpoint. • Only orgs with mature security programs should attempt the use of canary honeypots. • Any time you invite an attacker to dance, you might get your feet stepped on.
  6. 6. Traditional Honeypot Design • Intentionally Vulnerable System • Designed to Mimic Real Services • Easily Compromised
  7. 7. Traditional Honeypot Uses • Specific Research Purposes • Tracking Unstructured Threats – Commodity Malware – Opportunistic Attackers • Vaguely Useful for Building Basic Threat Intel No Current Significant Production Value
  8. 8. How can honeypots be useful for operational purposes?
  9. 9. US Information Ops Doctrine • US DoD JP 3-13 IO Capabilities* – Detect – Deny – Disrupt – Degrade – Destroy – Deceive * More commonly applied as the Cyber Kill Chain
  10. 10. Let’s Take Honeypots Farther…
  11. 11. Kentucky is Coal Country
  12. 12. Coal Mining is Hard
  13. 13. Coal Mining is Dangerous
  14. 14. Canaries for Methane Detection
  15. 15. Enter Canary Honeypots • Deceive to Detect • Honeypots for Detection 1. Placed Inside the Network 2. Mimic Existing Systems 3. Detailed Alerting & Logging Nobody Should Ever Talk to a Honeypot
  16. 16. Making the Case • How do you detect a malicious user logging in to a Windows system? – Multiple Failed Logins – Weird External IP Address – IP Heuristics and Trending • What if the malicious user logs in from another compromised system using legitimate credentials?
  17. 17. Honeypots in the Attack Life Cycle
  18. 18. Attackers Get Sloppy
  19. 19. High vs. Low Interaction • High Interaction... – Real Operating System – Real Services – Locked Down – Detailed Logging • Low Interaction… – Software-Based – Mimics Real Services – Fake Environments – Limited Logging * Some honeypots call themselves “medium” interaction, but these are still basically low interaction.
  20. 20. Exploitable vs. Non-Exploitable • Exploitable... – Mimic Services – Contain Vulnerabilities – Designed to be Compromised – Compromises are Monitored • Non-Exploitable... – Mimic Services – No Vulnerabilities – Any Interaction is Monitored
  21. 21. Canary Honeypot Architecture 1. Identify the Devices or Services to be Mimicked 2. Determine Honeypot Placement 3. Develop Alerting and Logging Capabilities
  22. 22. Identify Devices/Services to Mimic • All About Risk - What is your biggest fear? • How would attackers exploit that? • Mimic critical services and components. – Confidentiality – File Server (SSH?) – Integrity – Database Server (SQL?) – Availability – Web Server (HTTP?)
  23. 23. Determine Honeypot Placement • Close to the Asset Being Mimicked • Ability to Transmit Logs • Limit Communication of High Interaction Honeypots (***IMPORTANT***)
  24. 24. Determine Honeypot Placement (cont.)
  25. 25. Develop Alerting and Logging • Logging – High Interaction – OS Logs, HIDS – Low Interaction – Software Logs – Network – PCAP, Flow, etc • Alerting – IDS Signatures – alert tcp any any -> $HONEYPOT 22 (msg:”Communication with SSH Honeypot”; sid:12345; rev:1;)
  26. 26. Honeypot Software
  27. 27. Honeyd • The father of honeypots • Developed by Neil Provos 10+ years ago • Low Interaction • Can mimic operating systems and services • Capable of spinning up thousands of honeypot instances
  28. 28. Honeyd Config create default set default default tcp action block set default default udp action block set default default icmp action block create ansm_winserver_1 set ansm_winserver_1 personality “Microsoft Windows Server 2003 Standard Edition”
  29. 29. Honeyd Config (cont.) add ansm_winserver_1 tcp port 135 open add ansm_winserver_1 tcp port 139 open add ansm_winserver_1 tcp port 445 open set ansm_winserver_1 ethernet “d3:ad:b3:3f:11:11” bind 172.16.16.202 ansm_winserver_1
  30. 30. Running Honeyd • Running Honeyd sudo honeyd –d –f /etc/honeypot/ansm.conf • Scan Results
  31. 31. Honeyd Logging
  32. 32. Honeyd Alerting alert ip !$TRUSTED_MS_HOSTS any ->$MS_HONEYPOT_SERVERS [135,139,445] (msg:“Attempted Communication with Windows Honeypot on MS Ports”; sid:5000000; rev:1;)
  33. 33. Extended Service Emulation • Emulate an ISS Web Server add ansm_winserver_1 tcp port 80 “sh /usr/share/honeyd/scripts/win32/ web.sh”
  34. 34. Kippo SSH Honeypot • Low Interaction SSH Honeypot • Provides a Fake File System • Detailed Logging and Replay • Written in Python
  35. 35. Kippo Demo
  36. 36. Kippo Alerting alert tcp $HONEYPOT_SERVERS $SSH_PORTS ->any any (msg:“ET POLICY SSH Server Banner Detected on Expected Port – Honeypot System”; flow: from_ server,established; content:“SSH-”; offset: 0; depth: 4; byte_test: 1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,1⁄ 4,46,1, relative; reference:url,doc.emergingthreats.net/2001973; classtype: misc-activity; sid:2001973; rev:8;) alert tcp any any <> $HONEYPOT_SERVERS $SSH_PORTS (msg:“ET POLICY SSH session in progress on Expected Port – Honeypot System”; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emerging- threats.net/2001978; classtype:misc-activity; sid:2001978; rev:7;)
  37. 37. Tom’s Honeypot • Developed by Tom Liston of InGuardians • Low Interaction Multi-Protocol Honeypot • Emulates RDP, VNC, Radmin, MSSQL, SIP • Written in Python • http://labs.inguardians.com/tomshoneypot
  38. 38. Tom’s Honeypot – RDP
  39. 39. Tom’s Honeypot – More
  40. 40. Honeydocs • Documents designed to “phone home” when opened. • Placed with/near other critical documents • Honeydocs should never be opened • Provides alerting when documents are exfiltrated
  41. 41. Honeydoc Manual Example
  42. 42. Honeydoc Manual Example
  43. 43. Honeydoc Automated Example
  44. 44. MHN: Modern Honey Network • Centralized Management • Web Interface w/ RESTful API • http://threatstream.github.io/mhn/
  45. 45. Conclusion • Honeypots aren’t just for research! • They can be useful for intrusion detection. • Great care should be taken when deploying honeypots inside the network perimeter. • Multiple useful tools already exist.
  46. 46. Thank You! E-Mail: chris@chrissanders.org Twitter: @chrissanders88 Blog: http://www.chrissanders.org Book Blog: http://www.appliednsm.com Testimony: http://www.chrissanders.org/mytestimony

×