Jednym z najistotniejszych czynników wspierających ochronę krytycznej infrastruktury sieciowej jest czas reakcji zespołu reagowania na incydenty bezpieczeństwa (Incident Response Team).
Im szybciej, tym lepiej. Rozwiązania wspomagające wczesne wykrywanie ataków oparte o pasywną analizę zapytań DNS, zbiorów danych Netflow czy PCAP warto wesprzeć coraz częściej docenianą i wykorzystywaną produkcyjnie infrastrukturą typu honeynet. Rozsądne osadzenie sond honeypotowych w różnych segmentach sieci pozwoli na wykrycie ataku już w początkowych fazach rekonesansu i enumeracji. Dzięki honeypotom niejednokrotnie uzyskamy także szczegółowe informacje na temat nowej techniki ataku, próby wykorzystania błędu typu 0-day czy bardzo specyficznego użycia znanych od lat narzędzi.
"Know your enemy" - to dewiza, którą powinniśmy się kierować w trosce o rozwój defensywnych umiejętności zespołów bezpieczeństwa i honeypotowa sieć zdecydowanie posiada tu dużą wartość.
Podczas prelekcji postaram się przedstawić sposoby wykorzystania jak i możliwości oferowane przez open source'owe rozwiązania typu honeypot. Będziemy mówić o pojedynczych projektach imitujących rzeczywiste usługi (DNS, SMB, SSH, SCP/SFTP, FTP, telnet, HTTP, TFTP, MySQL/MSSQL, RDP i wiele innych), wstrzykiwaniu poprzez reverse proxy honeypotowych zawartości do aplikacji webowych, atakowaniu atakujących;) , kończąc na dedykowanych platformach z wbudowanych stackiem ELK.
4. # Needs
●
Active defense
●
Early infrastructure enumeration phase detection
●
Active/passive detection of vulnerable systems/services/apps
●
Creating baseline profiles:
– High level network traffic profiling
– Systems and network devices behavioral profiling
●
Security incident response evaluation
●
Forensics data analysis
5. # Needs
●
Correlation and active event analysis of multiple layers:
– Netflow + Passive DNS:
• Network billing
• Who?, what?, when?, where?
+ whois, nmap, etc.
6. # Needs
●
Correlation and active event analysis of multiple layers:
– Netflow / Passive DNS
– Deep Packet Inspection / Full Packet Capture:
• Glibc DNS resolver bug
• Heartbleed / Shellshock / Poodle
• SSL Self-signed / MiTM
• Metasploit detection
• Tunneling / pivoting, sending files through ICMP/DNS packets
• Powershell attacks
• Pass-The-Hash attack
• Port scanning
• IP reputation
• TOR detection
• Brute force attacks
• DHCP Rouge Server
• Fake WLAN AP
7. # Needs
●
Correlation and active event analysis of multiple layers:
– Netflow / Passive DNS
– Deep Packet Inspection / Full Packet Capture
– Logs/events mgmt:
• OS: auditd, SELinux/Apparmor, systemtap, sysdig
• Services: crashes
• Web application
• Switches and routers
+ OSSEC, Splunk, AlienVault, ELK.
8. # Needs
●
Correlation and active event analysis of multiple layers:
– Netflow / Passive DNS
– Deep Packet Inspection / Full Packet Capture
– Logs/events mgmt
– Memory forensics:
• Volatility Framework, GRR
– critical systems?
– daily ? weekly? monthly? quarterly?
"To hack companies, persistence isn't needed since
companies never sleep. I always use Duqu 2 style
"persistence", executing in RAM on a couple high-uptime
servers." - how Hacking Team was compromised.
10. # Honeypots
●
Supporters and opponents;)
●
Supplementing the prior techniques
●
To see what they do when they get in and how they get in
●
Do it right:
●
Multiple honey-hosts somehow connected together
●
Isolated, hardened & firewalled (Apate LKM/sysdig/systemtap)
●
Low hanging fruits, but not too low:>
●
Active observation:
●
Network pivoting between subnets
●
Commands, tricks, C&C IP, vulns, exploits
●
Internally sending malicious payload, injecting code
15. # Low interaction honeypots
●
Cowrie:
●
Based on Kippo
●
SFTP and SCP support for file upload
●
Supports for SSH exec commands
●
Saves downloaded files for inspection
●
Amun:
●
Emulates SMB vulns
●
Mimics response and detects shellcode:
●
Bindshell
●
Reverse shell
●
+ cmd.exe
16. # Low interaction honeypots
●
Honeydrive – honeypot Linux distro:
– Dionaea → SMB, FTP, TFTP, MySQL, SIP, SDP
– InetSim → HTTP, SMTP, POP3, DNS, NTP, IRC...
– Amun → SMB (SQL Slammer, Conficker)
– Honeyd → virtual hosts, up 65535 on LAN
– Glastopf, Wordpot, Shockpot – webapp honeypots
– Espot/ElasticHoney – elasticsearch (CVE-2014-3120/CVE-2015-
1427)
– Conpot - SCADA/ICS
– Thug – honeyclient, mimicing the behavior of a web browser
– PhoneyC
+ Kippo-Graph, Honeyd-Viz, DionaeaFR
17. # Low interaction honeypots
●
Portspoof by Piotr Duszyński:
●
SYN+ACK for every port connection attempt
●
Userspace, no root
●
Signature database (>9000)
●
Binds to only one port + iptables
●
Attack the attackers:
●
ex. exploits nmap http-domino-enum-pass NSE script
Please, do not use it when you are using standard ports for your real services:>
18. # High interaction honeypots
●
Intentionally left almost-vulnerable toys:>
●
For observing real attacks, require monitoring
●
Able to detect 0-days
●
Part of production, real VM/PHY:
●
OS:
●
some suid files, some CAP_* files, some hidden credentials
●
Database:
●
fake table in real DB instance, fake user
●
Active Directory:
●
fake Domain admin account for PTH detection
●
Web application:
●
fake, hidden admin=”false” form value, fake login panels, fake java applet
●
Service proxy
19. # High interaction honeypots
●
Web application honeypot using modsecurity:
20. # High interaction honeypots
●
Web application honeypot using modsecurity:
SecRule STREAM_OUTPUT_BODY "@rsub s/</form>/<input type="hidden"
name="debug" value="false"></form>/"
"id:'999009',phase:4,t:none,nolog,pass"
SecRule ARGS:debug "!@streq false"
"id:'999010',phase:2,t:none,log,block,msg:'HoneyTrap Alert: Fake HIDDEN
Form Data Manipulated.',setvar:ip.malicious_client=1"
------
SecRule ARGS_POST:password "@pmFromFile honey-passwords.txt"
"setenv:tag=suspicious,phase:2,id:'7',msg:'Honey-password value: %
{matched_var}',log,auditlog,deny"
– action: proxy:honeypot, redirect
21. # High interaction honeypots
●
Web application honeypot using modsecurity:
●
We all do like beef, don’t we?
●
Let’s inject some hook.js to the attackers!
22. # High interaction honeypots
●
HonSSH:
●
Some kind of MiTM/Proxy server
●
Two separate SSH connections between attacker and honeypot
27. # Honeypots
●
Some other interesting sweet honeytools:
●
Qebek – QEMU based
●
Argos – emulator for capturing 0-day
●
mitmproxy
●
Ghost USB honeypot
●
GasPOT - simulate a Veeder Root Gaurdian AST
●
GridPOT – electric grid honeynets
●
Karma / Fake AP / Real AP as honeyAP
https://github.com/paralax/awesome-honeypots
28. # When we got files, malware samples, then
●
Peepdf:
●
PDF file analysis
●
Cuckoo Sandbox:
●
Virus Total integration
●
Yara: meta + string + condition
●
Limon Sandbox:
●
Linux malware analysis sandbox:
●
Before, during and after execution
●
Memrory, static, dynamic analysis
29. # Summary
●
Fun;-)
●
Understand the intruder’s intentions
●
Increased visibility
●
Capture malware samples for analysis
●
The correlation of different data sources is the key
●
Slow down an attacker’s progress