2015 is turning out to be the most spectacular year of high profile compromises across almost every vertical and many companies are starting to consider new options to raise the bar for intrusion detection and incident response, including deploying honeypots.
In this workshop we will present an overview of the current state of the art of leveraging open source tools to build a novel intrusion detection system inside the enterprise. We will discuss the pros/cons and ins/outs of several major open source honeypots as well as how to manage and deploy these sensors using the Modern Honey Network, Splunk, as well as integration into other systems such as ArcSight. We will discuss real world deployments of honeypots, what worked and what didn't as well as recommendations for getting the most out of these non-convention network sensors.
2. BSidesLV 2015
whois jason.trost
⢠Director of ThreatStream Labs
⢠Working in Security for >10 years now
⢠Previously at Sandia, DoD, Booz Allen, Endgame Inc.
⢠Big advocate of open source and open source contributor
⢠Binary Pig â large-scale static analysis using Hadoop
⢠Apache Accumulo â Pig integration, pyaccumulo, Analytics
⢠Apache Storm
⢠Elasticsearch plugins
⢠Honeynet Project
⢠Modern Honey Network
2
3. BSidesLV 2015
whois nicholas.albright
⢠Principle Threat Researcher, ThreatStream Labs
⢠Previous: VMware, Department Of Interior, Consultant for
Fed/Financial
⢠Old School Hacker, Penetration Tester, Tactician and Puzzletier.
⢠Currently focused on Sinkholes, Darknets and Malware
3
4. BSidesLV 2015
ThreatStream
⢠Cyber Security company founded in 2013 and venture backed by Google
Ventures, Paladin Capital Group, Institutional Venture Partners, and General
Catalyst Partners.
⢠SaaS based enterprise security software that provides actionable threat
intelligence to large enterprises and government agencies.
⢠Our customers hail from the financial services, retail, energy, technology and
government sectors.
4
5. BSidesLV 2015
Agenda
⢠Intro to Honeypots
⢠Enterprise Integration of Honeypot Sensors
⢠Concerns with Enterprise Use
⢠Useful Honeypots for Enterprise Use
⢠Lab Exercises
⢠Deploy MHN
⢠Deploy Dionaea + Kippo + Snort + p0f
⢠Splunk Integration
⢠ELK Integration
5
7. BSidesLV 2015
Intro to Honeypots
⢠Software systems designed to mimic vulnerable
servers and desktops
⢠Used as bait to deceive, slow down, or detect
hackers, malware, or misbehaving users
⢠Designed to capture data for research, forensics,
and threat intelligence
7
8. BSidesLV 2015
Why Honeypots?
⢠Cheapest way to generate threat intelligence feeds around malicious IP addresses at
scale
⢠Lots of places you can use them and get value
⢠Internal deployment
⢠Behind the firewall
⢠Low noise IDS sensors
⢠Local External deployment
⢠Who is attacking me?
⢠Outside the firewall and on your IP space
⢠Global External deployment
⢠Rented Servers, Cloud Servers, etc
⢠Who is attacking everyone?
⢠Global Trends
8
10. BSidesLV 2015
Low Interaction vs. High Interaction
10
Low Interaction
Initial Goal is usually Malware Collection
Contextual Awareness and IDS
Assisting with Incident Response
Low maintenance, easy to finger print
Great for detecting Rogue Employees
Not much âactorâ level intelligence
Many to choose from
High Interaction
Initial Goal is usually Actor AoO
May start as a compromised workstation
High maintenance, requires monitoring
Difficult to fingerprint if seeded properly
Many call this Incubator Lab or Office in a Box
11. BSidesLV 2015
Security Intuition, Intelligence Ignorance
To understand our future risks, we must understand our current security
posture, gaps and the security strategies that we have had success with.
Intelligence Ignorance
⢠Personal/Corporate Bias
⢠Personal Experience and Corporate Policy
⢠Outdated Controls and Information
⢠Weak/Outdated Security Controls, Misconfigurations and lack of context
⢠News Bias
⢠APT Actors are launching Cyber Terrorism Attacks
Honeypots help remove bias by providing factual data that can help us retrain
our security and analyst intuition.
11
14. BSidesLV 2015
Leveraging Honeypot Data
Use cases
⢠Metrics
⢠Clear statistics on events, who, from where, using what?
⢠Intrusion Detection
⢠detect compromised devices
⢠detect lateral movement attempts
⢠Threat Intelligence
⢠Retrain Analysts
⢠Hunting Exercises
⢠Incident Response
⢠Use logs as a âstarting pointâ for an incident
⢠Most attackers will compromise and advance to the next system, leaving valuable data on the honeypot.
14
15. BSidesLV 2015
Deployment Decisions
⢠Sensor Placement
⢠Local Internal
⢠Local External
⢠Global External
⢠Deploy Strategically to blend in
⢠Widespread or limited deployment
⢠Deployment how
⢠Modern Honey Network
⢠VMware
⢠Cloud hosted Images (Amazon AMI, Digital Ocean Image, etc.)
⢠Sensor combinations
⢠Snort/Suricata + p0f on each honeypot
⢠Dionaea + kippo + (Glastopf|Shockpot|Wordpot)
15
16. BSidesLV 2015
Honeypot Profile Tuning
⢠Tune the sensors to match your environment
⢠Windows shop?
⢠Use Dionaea or Amun configured with Windows services
⢠Tune open ports and services to blend in
⢠Linux shop?
⢠Use Dionaea configured for select Linux services
⢠Use Kippo and Shockpot
⢠Run webapps?
⢠Use (and customize) Glastopf and/or Wordpot and/or Shockpot
⢠Deploy Elastichoney
⢠Run Industrial Control Systems?
⢠Use Conpot
16
17. BSidesLV 2015
Honeypot Maintenance and Management
⢠Run under supervision, i.e. should restart upon failure or alert
⢠supervisord
⢠upstart
⢠Log Rolling and data age off
⢠Monitoring health and status
⢠Software updates
17
21. BSidesLV 2015
Hpfeeds
⢠An authenticated publish/subscribe based data feed system
⢠Designed for exchanging honeypot events/data between clients and an
Hpfeeds broker
⢠Used by most honeypots, esp. the ones from the Honey Net Project
⢠Simple access control and authentication for publishers and subscribers
⢠identity (username)
⢠secret (api key)
⢠allowed publish channel list
⢠allowed subscribe channel list
⢠Messages from honeypots are published to channels on the hpfeeds broker
21
22. BSidesLV 2015
hpfeeds-logger
⢠An open source library that reads from hpfeeds and writes to files
⢠Designed to transform all the major honeypotsâ custom JSON format
into a normalized format
⢠Initially built for the MHN Splunk App
⢠Supports ArcSightâs CEF format
⢠Supports JSON format suitable for ELK
⢠Really useful for creating dashboards that span different types of
honeypots
https://github.com/threatstream/hpfeeds-logger
22
23. BSidesLV 2015
Logstash
⢠Modular Log processing engine optimized for use with Elasticsearch
⢠This is the ingest portion of the ELK Stack
⢠Logstash is incredibly flexible and powerful for receiving, transforming, and
outputting to various data stores
⢠Simple DSL
⢠Plugin based, examples:
⢠input: rabbitmq, kafka, zeromq, redis, twitter, xmpp, imap
⢠filter: geoip, dns, useragent, cidr, aggregate
⢠output: elasticsearch, hipchat, kafka, rabbitmq, syslog, csv
⢠There is a plugin for hpfeeds!
⢠https://github.com/aabed/logstash-input-hpfeeds
23
24. BSidesLV 2015
logstash-input-hpfeeds
⢠Logstash module for reading events from hpfeeds
⢠Great for integrating honeypot feeds directly into the ELK stack
⢠MHN has a deploy script for this too
https://github.com/aabed/logstash-input-hpfeeds
24
25. BSidesLV 2015
Splunk Universal Log Forwarder
⢠Not open source, but free
⢠Powerful tool for shipping almost any log data to splunk
⢠Not nearly as flexible as logstash
⢠Provides lots of useful features
⢠compression
⢠tagging with metadata
⢠SSL
⢠throttling and buffering
25
26. BSidesLV 2015
Dashboard and Reporting
⢠Elasticsearch, Logstash, and Kibana (ELK)
⢠Modern Honey Network (MHN)
⢠Splunk
26
27. BSidesLV 2015
Elasticsearch, Logstash, and Kibana (ELK)
⢠A complete open source stack for data ETL, Search, and visualization
⢠Elasticsearch
⢠Search engine database with REST APIs exposing all aspects of the system
⢠Designed to scale linearly
⢠Kibana
⢠Angularjs web application that is a pretty and intuitive frontend over
Elasticsearch
⢠Power data visualization and exploration framework
⢠We are going to use this to build some dashboards later
27
28. BSidesLV 2015
Splunk
⢠Power enterprise software for managing and search log data
⢠Lots of our customers use Splunk and I is becoming more and more
common for SIEM like use cases
⢠Not open source, but has a very capable free version
⢠The free version is sufficient for many honeypot use cases
⢠We built an open source MHN splunk app to integrate
28
30. BSidesLV 2015
Data Exploration and Analysis
⢠Elasticsearch and Kibana
⢠Modern Honey Network (MHN)
⢠MHN REST APIs
⢠Mongo DB Queries or mongoexport to CVS
⢠hpfeeds-logger
⢠output as CEF, JSON, or Splunk KV
⢠analyze raw data with whatever tool
⢠Splunk
30
31. BSidesLV 2015
What is Modern Honey Network
⢠Open source platform for managing honeypots, collecting and analyzing
their data
⢠Makes it very easy to deploy new honeypots and get data flowing
⢠Leverages some existing open source tools
⢠hpfeeds
⢠nmemosyne
⢠honeymap
⢠MongoDB
⢠Dionaea, Conpot, Snort, Kippo, p0f, Suricata
⢠Glastopf, Amun, Wordpot, Shockpot, Elastichoney
31
32. BSidesLV 2015
Honeypot Management with MHN
⢠MHN Automates management tasks
⢠Deploying new honeypots
⢠Setting up data flows using hpfeeds
⢠Store and index the resulting data
⢠Expose REST APIs for application building and integration
⢠Correlate with IP Geo data
⢠Real-time visualization
⢠Log/normalization tools for Integration with other security tools
32
34. BSidesLV 2015
SIEM Integration Scenarios
⢠Intrusion Detection System (Generates events into the SIEM)
⢠âFact ofâ an event occurring could be worth investigating depending on the
network and deployment
⢠e.g. Detection of port scan inside high value network
⢠e.g. Detection of exploitation attempt against honeypot
⢠e.g. Password brute force behind the firewall
⢠Threat Intelligence (event enrichment)
⢠Gathers data useful for making decisions
⢠Individual events are not as important as the aggregation of these events
⢠Attacker Summary (other ports scanned, first seen/last seen, number of
sensors probed, etc)
⢠Attacker Metadata (OS, Uptime, Connection Type, Application Type)
34
37. BSidesLV 2015
Dionaea and Amun
37
Dionaea
⢠Started out as âNepenthes,â a windows service emulating honeypot
⢠Uses LibEMU to parse shellcode, hands even uncategorized threats
⢠Captures binaries, auto uploading to VirusTotal and Sandbox
services
⢠Implemented in C and Python
⢠Can mimic a number of different Linux and Windows based services
Amun
⢠Modular Honeypot written in Python
⢠Stock vulnerable services will capture many commodity worms
⢠Easy to extend, new vulnerability modules are loaded without restart
⢠Awesome mimicking of success exploit responses (bindshell, connect
back shell, fetch URL, etc.)
38. BSidesLV 2015
Dionaea and Amun: features
⢠Dionaea
⢠Provides emulation of the following services: FTP, HTTP, MySQL, MSSQL, SMB,
SIP, TFTP
⢠Amun
⢠Incredibly meticulous implementation of SMB (3,330 lines of python)
⢠Mimics vulnerabilities in SMB
⢠Detects shellcode capabilities and mimics the proper response
⢠connect back shell
⢠bindshell
⢠http download
⢠Push a mimicked CMD.EXE terminal
38
40. BSidesLV 2015
Dionaea and Amun: Configuration
⢠Dionaea
⢠So many options with Dionaea (default config file is 680+ lines)
⢠Depending on your deployment scenario, probably want to disable
http/https ports
⢠Chose combinations of services that match your real environment
(i.e. likely donât want mysql and mssql running together)
⢠Amun
⢠Highly configurable as to which ports and which vulnerabilities it
mimics
⢠Chose the ports and services that best represent you network
40
Amun Vulnerability Modules
vuln-smb: 445,139
vuln-dcom: 135
vuln-ca: 10203
vuln-ftpd: 21
vuln-sasserftpd: 1023,5554
vuln-wins: 42
vuln-arc: 6070,41523,1900
vuln-symantec: 2967,2968,38292
vuln-msdtc: 3372,1025
vuln-axigen: 110
vuln-slmail: 110
vuln-mdaemon: 110
vuln-upnp: 5000,2555
vuln-iis: 443
vuln-maxdb: 9999
vuln-tivoli: 8080,1111,1581
vuln-msmq: 2101,2103,2105,2107
vuln-sub7: 27347
vuln-imail: 25,587
vuln-mercury: 105
vuln-lotusdomino: 143
vuln-arkeia: 617
vuln-dameware: 6129
vuln-veritas: 6101
vuln-trend: 5168,3268,3628
vuln-bagle: 2745
vuln-goodtech: 2380
vuln-helix: 554
vuln-hpopenview: 2954
vuln-http: 80
vuln-peercast: 7144
41. BSidesLV 2015
Kippo
⢠âKippo is used to log brute force attacks and the entire shell
interaction performed by an attacker.â
⢠SSH Emulating Honeypot, written in Python.
⢠Easy to customize
⢠Set multiple passwords for the same account
⢠unlimited accounts and passwords.
41
42. BSidesLV 2015
Kippo: Features
⢠Fast, Multi Threaded support can handle unthrottled brute force
attempts.
⢠Fake file system can Mimic any other Linux file system, including ARM
architectures!
⢠Prevents actors from disconnecting from the honeypot
⢠Sometimes actors donât realize this and reveal important details about
themselves
⢠Full Session data is saved, including keylog events
⢠Useful for determining if an attack is automated or a human
42
43. BSidesLV 2015
Kippo: Configuration
⢠Kippoâs default File System is archaic and should be updated using
utils/createfs.py >fs.pickle from the main Kippo directory.
⢠This will clone your local file system and help give credibility to your honeypot.
⢠Update common commands such as âfreeâ, with free >
txtcmds/bin/free
⢠Modify Kippoâs config file, kippo.cfg, changing the hostname and
default root password. Keep the password easy to guess, but not
12345.
43
45. BSidesLV 2015
Conpot
⢠Industrial Control Systems (ICS) honeypot
⢠Goal: to collect intelligence about the motives and methods of
adversaries targeting industrial control systems
⢠Default config provides basic emulation of a Siemens S7-200 CPU with
a few expansion modules installed.
⢠The attack surface of the default emulation includes the protocols
MODBUS, HTTP, SNMP and s7comm.
45
47. BSidesLV 2015
Web App Honeypots
⢠Glastopf
⢠Very extensible web application honeypot
⢠Vulnerability type emulation instead of vulnerability emulation.
⢠Once a vulnerability type is emulated, Glastopf can handle unknown attacks of the
same type
⢠Wordpot
⢠Wordpress honeypot
⢠Appears vulnerable to Wordpress scanners
⢠Identifies the specific type of scan or attack
⢠Shockpot
⢠Mimics a web server that is vulnerable to the ShellShock Vulnerability (CVE-2014-
6271).
⢠Captures commands executed and fetches payloads for analysis
⢠Weâve observed traditional x86(-64) and ARM architectures (Routers/etc)
47
48. BSidesLV 2015
NoSQL Honeypots
⢠Elastichoney
⢠Mimics elasticsearch instances vulnerable to CVE-2015-1427
⢠Logs the remote code execution attempts
⢠Attempts to fetch HTTP Payloads
⢠delilah (from Novetta)
⢠Similar to Elastichoney, but implemented in Python and uses tornado
⢠Comes with a dashboard for viewing the data collect
⢠nosqlpot
⢠Mimics a Redis instance with fake data loaded into it
⢠Logs all interactions
48
49. BSidesLV 2015
p0f/Snort/Suricata
⢠Not honeypots, but really useful network sensors
when deployed with honeypots
⢠p0f â Passive OS fingerprinting
⢠Estimates the Operating system and other details about a
host
⢠Provides more context about attacking hosts
⢠Linux Server vs. Windows XP vs. Windows 7/8
⢠DSL vs. Ethernet/Modem vs. VPN/Tunnel
⢠Application profiling by User-Agent
⢠Uptime
⢠Snort/Suricata â Intrusion detection systems and
traffic analyzers
⢠Identify specific attack patterns and exploits
⢠Provides more context about the attack traffic
49
http://null-byte.wonderhowto.com/
51. BSidesLV 2015
Lab Exercises
1. Get your login info from the instructors
⢠MHN Server
⢠Honeypot Server
2. Login to your MHN Server in in one terminal and your Honeypot
server in the other.
3. Download the lab exercises (PDF) here:
http://bit.ly/honey-labs
51
52. BSidesLV 2015
Exercise 1: Deploy & Configure MHN
⢠Download, deploy and configure Modern Honey Network (MHN)
⢠Set it up to use HTTPS
⢠Login and explore the interface
⢠Map
⢠Deploy
⢠Attacks
⢠Payloads
⢠Rules
⢠Sensors
⢠Charts
⢠Settings
52
53. BSidesLV 2015
Exercise 2: Deploy Honeypots
⢠Deploy Honeypots (Dionaea + Kippo + p0f + Snort) using MHN
⢠Login to your Honeypot using SSH
⢠Deploy Dionaea
⢠Deploy Snort
⢠Deploy p0f
⢠Deploy Kippo
⢠Port scan your honeypot
⢠Try some ssh attempts
53
54. BSidesLV 2015
Exercise 3: Integrate with Splunk
⢠Integrate MHN with Splunk
⢠Install the MHN Splunk app
⢠Explore the interface and your data
54
55. BSidesLV 2015
Exercise 4: Integrate with ELK
⢠Integrate MHN with Elasticsearch, Logstash, Kibana (ELK)
⢠Explore the data
⢠Create an interactive Kibana Dashboard
55
56. BSidesLV 2015
Modern Honey Network
⢠mailing list: modern-honey-network@google groups
⢠website: http://threatstream.github.io/mhn/
⢠Source code: https://github.com/threatstream/mhn
56
57. BSidesLV 2015
Contact Info
⢠Jason Trost
⢠@jason_trost
⢠jason.trost [AT] threatstream [DOT] com
⢠https://github.com/jt6211
⢠Nicholas Albright
⢠@nma_io
⢠nalbright [AT] threatstream [DOT] com
57
Editor's Notes
Nicholas
In this talk, when I say honeypot, I am referring to low interaction honeypots.
Nicholas - Local vs. Global Deployment: is this IP scanning/attacking everyone or just my network?
Anyone go to Derby Con? did you see Katherine Trame and David Sharpeâs talk? They are from GE-CIRT team. This is a slide they presented that showed the types of attacks that their team responded to over the past 3 years. Internet facing assets represented the vast majority of incidents they responded to. IMO, this makes a strong case for honeypots.
We will focus entirely on low interaction honeypots in this class
Nicholas
Getting the data back from each honeypot sensor to a single agregation point is crucial to being able to take action or leverage this data for analytics.
cidr filter â checks an IP value against a list of CIDRs
aggregate â performs aggregation across events from a log (i.e. multiple lines get summaried into one line of output)
automates the install process for each honeypot: install dependencies, install honeypot, run under supervisord, get data flow going to MHN server using HPFeeds. Makes them manageable.
GNU Lesser General Public License (LGPL)
Start with sensors
hpfeeds -> honeymap
hpfeeds to mnemosyne
hpfeeds to hpfeeds-logger for integrations
web app for uses to manage, deploy and explore the data
REST APIs for building apps and automation around MHN
IDS integration can be done using hpfeeds logger and watchin for events of interest in Splunk, ArcSight, or ELK
Threat intel integration can be done in MHN using these APIs:
attacker_stats
metadata
There are a ton of honeypots and netork sensors out there. Here are a few that we have found useful or interesting
We donât recommend shiva or honeyd for enterprise use, but they are very awesome tools.
Lots of risks unless you really know what youâre doing.
Risks are mainly around causing outages (email or network)
* shiva â can get your IP space added to email spam lists which can in essense cause email sending outages
* honeyd â if misconfigured can cause network outages due to ARP