Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Honeypots for Active Defense

4,711 views

Published on

InfoSec analysts are all somewhat familiar with Honeypots. When they are given the proper attention, care and feeding, they produce invaluable information and can be a critical asset when it comes to defending the network. This intel has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor, right? Not exactly; when deployed and monitored properly, Honeypots and Honey Tokens are a simple way to alert on anomalous activity inside the network. But how can an organization that is not focused on research gain valuable threat intelligence using Honeypots and actively defend their network using indicators generated from an internal Honeynet?

The answer is Honeypots for Active Defense. There are currently many open source security tool distributions that come pre-loaded with Honeypots among other useful tools, however the Honeypot software is often not deployed in an effective manner. This session will discuss techniques to leverage Honeypots in ways that will not overburden the security team with massive logs to sift through and focuses efforts on correlating active threat data observed in the Honeypots with the production environment. When deploying Honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network before they become the next headline.

Published in: Technology

Honeypots for Active Defense

  1. 1. Honeypots for Active Defense A Practical Guide to Honeynets within the Enterprise Greg Foss SecOps Lead / Senior Researcher @heinzarelli
  2. 2. # whoami Greg Foss SecOps Team Lead Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
  3. 3. Traditional Defensive Concepts • Maintain a tough perimeter • Implement layered security controls • Block known attacks and ban malicious IP’s • Create and enforce policy to discourage misuse
  4. 4. …cross our fingers
  5. 5. InfoSec Realities • There is no magic security product that will protect you or your company. Period. • It’s when, not if — there’s always a way in…
  6. 6. Not Just ‘APTs’
  7. 7. Active Defense
  8. 8. What is ‘Active Defense’ • All comes down to tipping the odds in our favor as defenders… • Annoying the attacker • Trapping them and wasting time • Gather data + attempt attribution • ‘Attacking Back’ • Reduce the MTTD and MTTR • MTTD => Mean-Time-to-Detect • MTTR => Mean-Time-to-Respond
  9. 9. Why Internal Honeypots? • Easy to configure, deploy, and maintain • Fly traps for anomalous activity • They don’t even need to look legit once breached… Just enough to raise a flag. • You will learn a ton about your adversaries. Information that will help in the future… • *Honeypots are something to focus on after the basics have been taken care of.
  10. 10. Honeypot Use Cases • Research • Understand how attackers think, what works, what doesn’t, and what they are after. • Defense • Learn from the adversary and adapt… Lay traps to catch subtle yet abnormal activities.
  11. 11. Defense
  12. 12. VM’s ADHD http://sourceforge.net/projects/adhd/ Honey Drive 3 http://sourceforge.net/projects/honeydrive/
  13. 13. First things first… • Honeypots and Active Defense come after baseline security controls are in place. • Warning banners are critical and assist in the event prosecution is necessary / desired.
  14. 14. Types of Honeypots No Interaction Low Interaction Medium Interaction High Interaction Honey Tokens / Drives / Strings / Etc. *note - this is my interpretation, not necessarily ‘industry standard’
  15. 15. No Interaction Honeypots Primarily referred to as Honeyports, or services that simply log and/or ban on full TCP connect.
  16. 16. ‘No Interaction’ Honeypots • Basic Honeyports • Linux - NetCat and IPTables • Windows - NetCat and Netsh • Python and PowerShell options as well…
  17. 17. Windows PowerShell Honeyports
  18. 18. Windows PowerShell Honeyports
  19. 19. Linux Honeyports • Artillery — supports Windows too! • https://www.trustedsec.com/downloads/artillery/
  20. 20. Artillery Logging • Port Scanning and/or Illegitimate Service Access • Local Syslog, Flat File, or Remote Syslog options • IP’s are added to the banlist and blocked locally via IPTables
  21. 21. Artillery Logging Bonus! • File Integrity Monitoring
  22. 22. Low Interaction Honeypots Honeypots that serve up basic content and are not interactive once breached.
  23. 23. WordPot • https://github.com/gbrindisi/wordpot • Fake WordPress app, written in Python…
  24. 24. Fake PhpMyAdmin • https://github.com/gfoss/phpmyadmin_honeypot • Simple fake phpmyadmin ‘app’ that logs to flat files. This same approach can be applied to anything…
  25. 25. $any fake login panel • Custom - but believable and hidden from normal users • Can be used in ‘reverse phishing’ — discussing later…
  26. 26. $any fake login panel • Logging attacker data is standard, what if you need evidence that is a bit more tangible…
  27. 27. Honeybadger • https://bitbucket.org/LaNMaSteR53/honeybadger/ • Gain *true attribution on your adversaries…
  28. 28. Medium Interaction Honeypots Interactive honeypots that resemble real services and provide limited functionality once breached.
  29. 29. Medium Interaction Honeypots • TONS! But one of my favorites: • https://github.com/desaster/kippo • https://github.com/gfoss/kippo • Simulate SSH Service…
  30. 30. Kippo • Python script which simulates an SSH service that is highly customizable, portable, and adaptable. • Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real-time. • One of the more popular honeypots out there, as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious… • When deploying externally, there is a risk of CnC’s maintaining persistent connections. • Can be used as a pentest tool as well :-)
  31. 31. Kippo Alert Automation https://github.com/gfoss/kippo/blob/master/replay-alert.sh
  32. 32. High Interaction Honeypots Imitate real systems or modify real hosts to act as honeypots in order to verbosely log attacker activity and capture all network and related flow data.
  33. 33. Analysis Tools • LogRhythm Network Monitor and SIEM • Suricata IDS • http://suricata-ids.org/download/ • BRO IDS • https://www.bro.org/ • Cuckoo Sandbox • http://www.cuckoosandbox.org/
  34. 34. Routers and Switches • ROMAN Hunter - Router Man Hunter • http://sourceforge.net/projects/romanhunter/ • Configure real AP as a honeypot • Capture MAC of 
 attacker that 
 bypasses 
 security • Correlate the MAC and
 add it to an
 organizational blacklist…
  35. 35. High Interaction Warning! • Deploying real systems / devices / services is dangerous and requires dedicated monitoring. • Whenever hosts can actually be compromised there is huge risk if not monitored appropriately. • Never use the organization’s gold-standard image for the honeypot. • Segment these hosts from the production network!
  36. 36. Honey Tokens and Document Bugging Tracking file access, modification, exfiltration, etc…
  37. 37. File Integrity Monitoring
  38. 38. Honey Tokens • Use file integrity monitoring to track all interactions with files/folders/etc of interest. Great for network shares. • Not just files, this can be strings, drives, directories, etc. • Any predefined item that
 will generate a log when 
 accessed/modified/etc. • Trivial to configure…
  39. 39. Document Bugging • WebBug How To: • http://ha.ckers.org/webbug.html
 • WebBug Server: • https://bitbucket.org/ethanr/webbugserver
 • Bugged Files - Is your Document Telling on You? • Daniel Crowley + Damon Smith • https://www.youtube.com/watch?v=co1gFikKLpA
  40. 40. Document Tracking • Same tricks used by Marketing for years, normally for tracking emails. • Why loading external
 images within email
 is risky…
  41. 41. Document Tracking • Documents can be tracked in the same way as email / web. • Automating the process… • https://github.com/gfoss/misc/tree/master/Bash/webbug
  42. 42. Document Tracking Issues • If the document is opened up offline it will divulge information about the tracking service. • *There is no telling how someone will react once it is discovered that they were being tracked…
  43. 43. Screwing with Attackers • Reverse Phishing and ‘Attacking Back’ • A
 case
 study…
  44. 44. • Zip Bombs • http://unforgettable.dk - 42.zip • BeEF - Browser Exploitation Framework • http://beefproject.com/ • USB Killer • http://kukuruku.co/hub/diy/usb-killer • Clippy! • http://www.irongeek.com/i.php?page=security/ phpids-install-notes More Tricks
  45. 45. cat /dev/random | nc -nl 22
  46. 46. https://github.com/nitram509/ascii-telnet-server ASCII Art Distraction
  47. 47. Monitoring • Dedicated SOC - Security Operations Center • SIEM - Security Information Event Management • Correlate and Track Events • Evaluate Impact on the Real Environment • Measure Risk and Actively Respond to Threats • IDS, Network Flow Analysis, Firewalls, etc. • Configure once and it’s smooth sailing from there…
  48. 48. Enterprise Threat Intelligence • Develop Context-Aware Threat Intelligence • Leverage knowledge gained from attackers to create IOC’s and custom IDS and SIEM rules…
  49. 49. Event Correlation
  50. 50. Automating Response • Dynamic Honeypotting • Deploy PowerShell and Command Line Logging • http://www.slideshare.net/Hackerhurricane/ask- aalware-archaeologist/25
  51. 51. Automating Response • Google Rapid Response - GRR • https://github.com/google/grr • Netflix FIDO • https://github.com/Netflix/Fido • Kansa • https://github.com/davehull/Kansa • Power Forensics • https://github.com/Invoke-IR/PowerForensics
  52. 52. 1 PowerShell Script Live Data Acquisition and Incident Response Integrates into Existing Security Processes Remote Forensic Acquisition Host and User Lockdown https://github.com/gfoss/PSRecon/
  53. 53. Bringing it all together…
  54. 54. Honeypot Dashboards • HoneyDrive3 comes complete with dashboards and enhancement scripts to display interesting data. • Kippo Graph • http://bruteforce.gr/kippo-graph • The Modern Honey Network - can also deploy! • https://threatstream.com/blog/mhn-modern- honey-network • LogRhythm SIEM - Honeypot Analytics Suite
  55. 55. Works Cited & Recommended Reading • Strand, John, and Asadoorian, Paul. Offensive Countermeasures: The Art of Active Defense. 2013. • Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014. • Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'noise' Rockland, MA: Syngress, 2012. • Bodmer, Sean. Reverse Deception: Organized Cyber Threat Counter-exploitation. N.p.: n.p., n.d. Print.
  56. 56. Thank You! Questions? https://github.com/gfoss/ Greg Foss
 OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
 SecOps Lead / Sr. Researcher
 greg.foss[at]LogRhythm.com
 @heinzarelli

×