Honeypots for Cloud Providers - SDN World Congress
1. Honeypots for Cloud Providers
Matthew A Johnson
Professional Lecturer of Computing Technology
Matthew.Johnson1@marist.edu
Daniel Jast
Vallie Joseph
Piradon Liengtiraphan
2. Challenges for providers/carriers
Networks are moving toward SDN and NFV
Adoption/migration presents new challenges
Virtualized appliances are software
Typically VMs running familiar OS (Linux, BSD, Windows)
May be accessed remotely (e.g., via SSH)
As such they have traditional IT vulnerabilities
Remote intrusion
Denial of service
Imagine losing a vrouter, firewall, controller, load balancer!
3. Security policy implications
Awareness of threats to network resources is critical
Actively monitor access attempts
Record attack data for future audit or analysis
Defensive measures must be appropriately deployed
Block/divert unauthorized access
Hide virtual network resources to mitigate DDoS
Analytics can transform attack data into threat intelligence
Orchestrate/deploy both proactive + reactive measures
4. Traditional defense strategies
Corporations often use Patch-and-Pray [1]
Patching security software after harmful attacks
Keeping security software up to date
Find tools to deal specifically with attack types suffered previously
These strategies assume that the attacks have already happened
By the time a company discovers an attack, it’s usually too late
Damage is already done
Business now spends additional funds to remedy the situation
Examples: Yahoo, Sony, AT&T
1. http://blog.eiqnetworks.com/blog/don-t-rely-on-patch-and-pray-use-vulnerability-management-to-secure-your-network
5. Evolving threat landscape
Threat landscape is constantly changing
Attack technologies evolve alongside new security measures
Various types of threats
Brute force attackers
Botnets
Advanced persistent threats
Attackers have the advantage
Only one vector needs to work
Defenders must account for all attack vectors
Cannot stay ahead of attackers using only traditional defense strategies
6. “Smart” Defense
Using analytics to adjust security protocols as needed
Generated from detailed attacker information collected from honeypots
Constantly updated with new attacker data
Predict attack patterns
Patterns drawn from similarities in data
Allow firewalls and other cybersecurity protocols to learn from attacks
Data collection and analytics are required for adaptive security protocols
Honeypots can collect this data
7. Cowrie
What is a honeypot?
A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked. [1]
More generally… “a security resource whose value lies in being probed, attacked, or compromised.” [2]
1. https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9
2. http://www.honeypots.net/
8. Why do we need honeypots?
Honeypots keep systems and information safer by attracting attacks
Breaches result from gaps in - or lack of - security
Easily accessible resources that appear valuable will divert attackers
Protected resources with real value might be overlooked
Why not simply block all attacks?
A wealth of valuable information is gained from the attacks on the system
Information can be used for auditing as well as analytics
Analytics enable predictive security protocols
Additional capabilities
Learn not only how attackers get in… but what they do once they get in
9. Honeypot data collection
Honeypots typically provide analytics software with basic information
IP address
Username/password credentials
Time stamps
Analytics can be improved through providing additional details
Client information (operating system, web browser, etc.)
GeoLocation
ISP data
10. What can we do with the data?
Learn more about attackers
Classifying attack patterns
Detecting trends
Use what is learned to perform predictive analytics
Use dynamically provisioned firewalls to prevent future attacks
Blacklist IP addresses
Identify harmful geographical groups and areas
How do we do this?
Longtail
Syslog Analyzers (IP Counting functions, Country Counting functions, etc.)
11. Longtail Analytics
Open source analytics software
Developed at Marist College
Crawls through information provided by honeypots
Analyzes different types of attacks to sort them into attack patterns
Attack Patterns
Example: determine if the attack is a botnet attack
Identifies and classifies botnets
Information has use for the future
Could be used to create dynamic firewalls
Proactively deploy security protocols to help defend against attacks
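The analytics described on the last three slides (IP and country counting, classifying attack patterns, identifying botnets, feeding a blocklist to a dynamic firewall, and seeing what attackers do once they are in) as one worked example. This is an added illustration, not Longtail's code or anything from the original deck. The log lines are constructed in the style of Cowrie's JSON event log, and the prefix-to-country table and the detection thresholds are assumptions chosen for the example.

```python
"""Turn honeypot events into threat intelligence: per-IP and per-country counts,
brute-force and botnet-style pattern detection, and a firewall blocklist.

Added example for this deck, not Longtail's code. Log lines are constructed in
the style of Cowrie's JSON event log; the geo table and thresholds are assumed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events (Cowrie-style JSON, one event per line).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","timestamp":"2016-10-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"password","timestamp":"2016-10-01T10:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","timestamp":"2016-10-01T10:00:03Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"toor","timestamp":"2016-10-01T10:00:04Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"root","timestamp":"2016-10-01T10:00:05Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"1234","timestamp":"2016-10-01T10:00:06Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"pi","password":"raspberry","timestamp":"2016-10-01T10:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"letmein","timestamp":"2016-10-01T10:05:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.8","username":"pi","password":"raspberry","timestamp":"2016-10-01T11:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.8","username":"root","password":"letmein","timestamp":"2016-10-01T11:05:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","username":"pi","password":"raspberry","timestamp":"2016-10-01T12:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","username":"root","password":"letmein","timestamp":"2016-10-01T12:05:01Z"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.9","username":"root","password":"root","timestamp":"2016-10-01T12:30:00Z"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.9","input":"uname -a","timestamp":"2016-10-01T12:30:02Z"}
"""

# Constructed /24-prefix-to-country table standing in for a real GeoIP lookup.
GEO_BY_PREFIX = {"203.0.113": "US", "198.51.100": "DE", "192.0.2": "CN"}
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_events(text):
    """One JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: e["timestamp"])


def country_of(ip):
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")


def count_by_ip(events):
    """IP counting: login attempts (failed or successful) per source address."""
    return Counter(e["src_ip"] for e in events if e["eventid"] in LOGIN_EVENTS)


def count_by_country(events):
    """Country counting: the same attempts aggregated by geolocation."""
    counts = Counter()
    for ip, n in count_by_ip(events).items():
        counts[country_of(ip)] += n
    return counts


def find_brute_force(events, threshold=5):
    """Sources with at least `threshold` failed logins (threshold is assumed)."""
    failed = Counter(e["src_ip"] for e in events if e["eventid"] == "cowrie.login.failed")
    return {ip for ip, n in failed.items() if n >= threshold}


def find_botnet_candidates(events, min_sources=3):
    """Group sources by the ordered credential list they tried. The same
    dictionary replayed from several unrelated addresses is the signature of
    a coordinated botnet rather than one opportunistic scanner."""
    per_ip = defaultdict(list)
    for e in events:  # events are already time-ordered
        if e["eventid"] == "cowrie.login.failed":
            per_ip[e["src_ip"]].append((e["username"], e["password"]))
    by_signature = defaultdict(set)
    for ip, creds in per_ip.items():
        by_signature[tuple(creds)].add(ip)
    return {sig: sorted(ips) for sig, ips in by_signature.items() if len(ips) >= min_sources}


def commands_after_login(events):
    """What attackers did once they got in, keyed by source address."""
    cmds = defaultdict(list)
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            cmds[e["src_ip"]].append(e["input"])
    return dict(cmds)


def build_blocklist(events):
    """Addresses to push to a dynamically provisioned firewall: brute-forcers,
    botnet members and anyone who actually logged in."""
    block = set(find_brute_force(events))
    for ips in find_botnet_candidates(events).values():
        block.update(ips)
    block.update(e["src_ip"] for e in events if e["eventid"] == "cowrie.login.success")
    return sorted(block)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("attempts by IP:", count_by_ip(ev).most_common())
    print("attempts by country:", count_by_country(ev).most_common())
    print("brute force:", sorted(find_brute_force(ev)))
    for sig, ips in find_botnet_candidates(ev).items():
        print("botnet signature", sig, "seen from", ips)
    print("post-login commands:", commands_after_login(ev))
    print("blocklist:", build_blocklist(ev))
```

The botnet heuristic is the interesting part: a single noisy address is easy to count, but the same two-credential sequence arriving from three addresses in three different prefixes is the pattern that suggests one controller behind many bots, which is the kind of classification the Longtail slide describes. Real feeds would replace the prefix table with a GeoIP database and tune the thresholds to the observed baseline.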
13. Issues with honeypots
Vulnerable to fingerprinting
Scanning a network will reveal identifying characteristics
Attackers can find weaknesses specific to the network they fingerprint
If a honeypot can be fingerprinted then attackers can avoid it
Need to make honeypots hard to fingerprint
Original resources are still vulnerable
Prone to reconnaissance scans
Honeypots effectively fail if attacker finds the real resource
Need to also hide the real resources
15. Preventing Fingerprinting
A convincing honeypot must mimic fingerprint of the real resource
Approach depends on the type of honeypot (SSH, client, application, etc.)
SSH honeypot
same open ports as the real portal
same responses to login attempts
same libraries installed
Client honeypot
same server type and version
same look and feel
Nearly impossible to mimic real resource exactly
Honeypot must always reside on different server or port
16. First-Packet Authentication™
(Figure: timeline of session setup followed by data packet flows. Current security products start after network sessions are established; First Packet Authentication stops unauthorized access at the earliest possible time. Analogy: before caller-ID, one must answer to determine identity; after caller-ID, only answer known and trusted callers.)
Problem with traditional protocols
Identity of user/device determined only AFTER establishing session
Leaves networks vulnerable to several kinds of attacks
BlackRidge Transport Access Control (TAC) solves the problem
Authenticate identity & enforce policy on first packet before session
17. Cloaking with BlackRidge
Hiding critical resources
First-packet authentication™ blocks without revealing info to an attacker
With BlackRidge we can completely cloak desired devices
These devices include but are not limited to:
SDN Controllers, ESXI Servers, Virtual Machines, etc.
Defense in Depth
Combine with honeypots to more effectively divert traffic
Optimal data collection requires catching more attacks on the honeypot
19. Firewall/IPS Protection vs. BlackRidge Protection
Firewall/IPS: allows a large number of TCP connection attempts through, and information to leak.
BlackRidge: does not allow any unauthorized connection attempts or scans (information leakage) to occur.
BlackRidge in testbed
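The contrast drawn on slides 16, 17 and 19 (identity decided only after the session is up, versus identity and policy enforced on the first packet so that probes learn nothing) as a runnable simulation. This is an added illustration of the general first-packet authentication idea, not BlackRidge's TAC protocol or code; the packet fields, the HMAC-based identity token, the replay window and the policy table are all assumptions made for the example.

```python
"""Simulation of first-packet authentication next to a conventional port filter.

Added example, not BlackRidge's TAC protocol or implementation: it illustrates
the idea on the slides with an assumed packet format, an assumed HMAC-based
identity token, an assumed replay window and an assumed policy table.
"""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class Syn:
    """First packet of a TCP session. `token` is an assumed identity field."""
    src: str
    dport: int
    token: bytes = b""


def port_firewall(pkt, open_ports):
    """Conventional filter: decides on the port alone, before identity is known.
    A permitted port gets SYN-ACK, anything else RST, so even a refused probe
    tells the sender which ports exist."""
    return "SYN-ACK" if pkt.dport in open_ports else "RST"


class FirstPacketGate:
    """Verifies an identity token on the first packet; nothing is answered until
    the identity checks out, so an unauthenticated probe sees no difference
    between open and closed ports."""

    def __init__(self, keys, policy, window=30, on_unauth="DROP"):
        self.keys = keys            # identity -> shared secret (assumed provisioning)
        self.policy = policy        # identity -> ports that identity may reach
        self.window = window        # seconds a token stays valid
        self.on_unauth = on_unauth  # "DROP" silently, or e.g. "DIVERT" to a honeypot
        self.seen = set()           # (identity, ts) already accepted: replay check
        self.log = []               # audit trail of every decision

    @staticmethod
    def _mac(key, identity, ts, dport):
        msg = f"{identity}:{ts}:{dport}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def make_token(self, identity, dport, ts):
        """Client side: token bound to identity, time and destination port."""
        mac = self._mac(self.keys[identity], identity, ts, dport)
        return f"{identity}:{ts}:{mac}".encode()

    def handle(self, pkt, now):
        verdict = self._decide(pkt, now)
        self.log.append((now, pkt.src, pkt.dport, verdict))  # record every attempt
        return verdict

    def _decide(self, pkt, now):
        try:
            identity, ts, mac = pkt.token.decode().split(":", 2)
            ts = int(ts)
        except (UnicodeDecodeError, ValueError):
            return self.on_unauth  # no token, or a malformed one
        key = self.keys.get(identity)
        if key is None:
            return self.on_unauth  # unknown identity
        expected = self._mac(key, identity, ts, pkt.dport)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return self.on_unauth  # forged, or a token issued for another port
        if abs(now - ts) > self.window or (identity, ts) in self.seen:
            return self.on_unauth  # stale or replayed
        if pkt.dport not in self.policy.get(identity, set()):
            return self.on_unauth  # authenticated but not authorized for this port
        self.seen.add((identity, ts))
        return "SYN-ACK"


def scan(gate, ports, now, src="203.0.113.9"):
    """What an unauthenticated probe of each port gets back (constructed source)."""
    return {p: gate.handle(Syn(src, p), now) for p in ports}


if __name__ == "__main__":
    gate = FirstPacketGate({"ops-admin": b"shared-secret"}, {"ops-admin": {22}})
    tok = gate.make_token("ops-admin", 22, ts=1000)
    print("authorized:", gate.handle(Syn("10.0.0.5", 22, tok), now=1005))
    print("replayed:  ", gate.handle(Syn("10.0.0.5", 22, tok), now=1006))
    print("port filter sees:", {p: port_firewall(Syn("x", p), {22}) for p in (22, 80, 443)})
    print("gate sees:       ", scan(gate, (22, 80, 443), now=1005))
```

Two design points carry the slide's argument: the gate never emits a packet until the token verifies, so the scan dictionary is uniform and leaks nothing, and every decision is still logged, which is the "record access attempts" requirement from the security-policy slide. Setting `on_unauth="DIVERT"` is where the Defense in Depth combination with honeypots would plug in: unauthenticated first packets go to the honeypot instead of being dropped.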
BlackRidge in testbed
20. (Testbed diagram; recovered labels) NYS CCAC Ecosystem: WDM Node B, WDM Node C, Ciena Metro Ethernet; SDN Controller and Network Hypervisor with cloud orchestrator API; Orchestrator with Application Security Policy; Brocade/Vyatta 5600 V-Router/Firewall; Marist API code; Marist LongTail Honeypots & Analytics; Marist Remote Management App (NetConf)
21. Honeypot popularity
Companies are increasingly interested in this space [1,2,3]
Seeking more data to support security analytics
Setting up honeypots in their networks
Tenants might be deploying these technologies in the cloud
Providers have an opportunity to enhance their cloud offerings
SECurity as a Service
“a business model in which a large service provider integrates their security services into a corporate infrastructure on a subscription basis more cost effectively than most individuals or corporations can provide on their own, when total cost of ownership is considered” [4]
1. A. Jain, B. Buksh, Advance Trends in Network Security with Honeypot and its Comparative Study with other Techniques, IJETT 29/6 Nov 2015
2. http://www.infoworld.com/article/3128818/security/10-decisions-youll-face-when-deploying-a-honeypot.html
3. https://www.honeynet.org/blog
4. http://searchsecurity.techtarget.com/definition/Security-as-a-Service
22. What can providers do?
Deploy their own honeypots
Collect data for historical and predictive analytics
Honeypots as a service
Offer templates to customers who wish to use honeypots
Simplify setup and deployment
Security analytics as a service
Up-to-date threat intelligence can enable dynamic security policies
Offer tenants access to valuable information from honeypot analytics
Opportunities for SECaaS
23. Conclusion
SDN+NFV poses new cybersecurity challenges for providers
Adaptive intelligence-driven security measures are needed
Honeypots not only add a layer of security… they can also capture vital data
Analytics (e.g. “Longtail”) leverages data for prediction and real-time response
Pair honeypots with cloaking technologies for Defense in Depth
Honeypots and threat analytics also present SECaaS opportunities
24. Acknowledgements
This work is supported in part by the National Science Foundation grant 1541384 Campus Cyberinfrastructure - Data, Networking and Innovation Program (CC-DNI), per NSF solicitation 15-534, for the project entitled CC-DNI (Integration (Area 4): Application Aware Software-Defined Networks for Secure Cloud Services (SecureCloud))
Questions?