Upload File

20160628-liengtiraphan-cannistra-lightning talk …...2016/09/28  · a honeypot consists of data...

  • Home
  • Documents
  • 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site
12
HOW TO MAKE A HONEYPOT Piradon (Tien) Liengtiraphan Vallie M. Joseph Prof. Robert Cannistra Marist College © 2016 Internet2

Upload: others

Post on 08-Jul-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

HOW TO MAKE A HONEYPOT

Piradon (Tien) LiengtiraphanVallie M. Joseph

Prof. Robert CannistraMarist College

© 2016 Internet2

Page 2: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

ThreatstoInternetSecurityCybersecuritythreatsareconstantlyincreasingTechnologyusedbyattackerssteadilyadvancingalongsidesecuritymeasures

Attackersalwayshavetheadvantage.(Onevectorneeded)Defenders(Allvectorsmustbeaccountedfor)

TypesofThreatsBotnetsDOS/DDOSBulkLoginAttemptsManyothers

Nearlyimpossibletostayaheadofattackersusingonlydefensestrategies

Page 3: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

DefensivevsProactiveStrategiesBusinessesmustnowemploytheuseofnotonlydefensivebutproactivestrategiesaswell.Defensive

PatchingsecuritysoftwareafterharmfulattacksKeepingsecuritysoftwareuptodateSearchfortoolsthatdealspecificallywiththetypeofattackthebusinessissufferingfrom

Example:Patch-and-PrayProactive

UsinganalyticstoadjustsecurityprotocolsasneededPredict/IdentifyattackpatternsAllowfirewallsandothercybersecurityprotocolstolearnfromattacks

Example:Honeypots

Page 4: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

Whatisahoneypot?“Ahoneypot isacomputersecuritymechanismsettodetect,deflect,or,insomemanner,counteractattemptsatunauthorizeduseofinformationsystems.Generally,ahoneypotconsistsofdata(forexample,inanetworksite)thatappearstobealegitimatepartofthesitebutisactuallyisolatedandmonitored,andthatseemstocontaininformationoraresourceofvaluetoattackers,whicharethenblocked.”

-Loras R.Even(SANS)

Cowrie

Page 5: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

Whydoweneedhoneypots?DivertingAttackers

Adatabreachistheunfortunateresultofalackofsecurity.Howeverhavingawallthatabsorbsamajorityofattackscankeepyoursystemandinformationsafe.Havingaresourcethatlookvaluableandiseasilyaccessedhelpsshiftfocusfromotherbetterprotectedresources.

Whynotsimplyblockallattacks?PlethoraofvaluableinformationgainedfromtheattackstothesysteminformationcanbeusedforlateranalyticsAnalyticscanthenbeusedtocreatepredictivesecurityprotocolsItisjustasimportanttoknowwhatpeopledooncetheyareinaswellashowtheygetin.

Page 6: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

Whydoweneedhoneypots?DataCollection

Whattocollect?IP,Username\PasswordCombination,Geolocation,ISP,etc..

IsrelativetowhatpurposethehoneypotservesWhatdowedowiththedata?

LearnmoreaboutattackersUsewhatislearnedtoperformpredictiveanalytics

Howdowedothis?LongtailSyslogAnalyzers

IPCountingfunctions,CountryCountingfunctions,etc.

Page 7: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

LongtailAnalyticsOpensourceanalyticssoftware

CreatedatMaristCollegeCrawlsthroughinformationprovidedbySSHhoneypotsAnalyzesdifferenttypesofattackstosortthemintoattackpatterns

AttackPatternsCandetermineiftheattackisabotnetattack

AlsoidentifiesandclassifiesbotnetsInformationhasuseforthefuture

CouldbeusedtocreatedynamicfirewallsProactivelydeploysecurityprotocolstohelpdefendagainstattacks

Page 8: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

IssuewithHoneypots:Fingerprinting/FingerprintScanning

Fingerprinting“Theactofperformingadeep,intensivescanonanetworkorprogramtoenumerateitssourcesanddependencies”

-TechTarget

AttackercanthenfindtheweaknessspecifictothenetworktheyfingerprintIfaresourcecanbefingerprinted,theinformationgainedcouldbeusedtocompromisethesystem.

Ahoneypotmustbeconvincing,ergoitmustmimiceverything,downtotheresource’sfingerprintAchievingafullmimiccanbedifficult,especiallyifthehoneypotliesonadifferentserverorport

Page 9: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

FingerprintingThroughourvendorpartnerswehavebeenabletopreventfingerprintingofaprotectedresource.

HoweverforahoneypottoworkitmuststillmimictheresourcetothebestofitsabilityBesttospoofthefingerprint

Dependingonthetypeofhoneypotcreated(client,ssh,applicationspecific,etc),differentitemsmayneedtobespoofed

ForExampleSSHHoneypot:

NeedstohaveanequalamountofopenportsastherealSSHportalShouldhavesimilarlibrariesinstalledonit

ClientHoneypotShouldrunonthesamekindofserverastherealclientMustmimicthelookandfeeloftheclient

Page 10: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

ExamplesofFingerprinting

12 Open Ports Found

Page 11: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

FingerprintingwithBlackRidge

Page 12: 20160628-liengtiraphan-cannistra-Lightning Talk …...2016/09/28  · a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site

ConclusionAneffectivesecurityplanmustincludebothoffensiveanddefensivestrategiesThebestwaytohaveadequatesecurity,thereneedstobedefenseindepth

Useofamultitudeoftechnologiessuchasfirewalls,specificsecurityprotocolsandadaptivesecurity

Honeypotsaddanadditionallayerofsecurity,butcanalsobeusedtogeneratedataforpredictivesecurityThehoneypotshouldfingerprintasthedetectedresourceDataiscollectedfromthehoneypotsenttobeanalyzedbyanopensourceanalyticssoftwarecodenamed“Longtail”TheoutputofLongtail isthenusedtogenerateinformationthatservetorepresentthegeneraltrendofattackstowardthesecuredresource


Triptico GREST 20160628 2 smm - European Solar Telescope · Triptico GREST 20160628_2_smm Author: Gabriel Pérez Díaz Created Date: 20160926161117Z

First Name MI Last Name Member ID Pins Games Average · 2017-02-02 · Tina Marie Cannistra 11-50387 2,673 45 59 Leonard Cannistra 11-50385 3,747 42 89 Matt M Capone 11-106872 9,289

My Portal/ Workspace/ Workfiles Course Site Course Site Course Site Research Site Research Site Research Site Peer Review Peer Review Advising Portfolio

IMG 20160628 121348 - National Pharmaceutical Pricing ...nppaindia.nic.in/minutes/minutes-2016-17/minutes-162mt-9-5-16.pdfSchedule-I of DPCO, 2013 (NLEM, 2015). 31 The Authority discussed

Tax Compliance Status Verification - Treasury Documentation/20160628 Tax Com… · CDS Reports v20160628 . Supplier Summary Report v20160628 . Thank you SARS Contact Centre 0800 00

mm2 20160628 mb - unrated, the upstart

CVV” ASX For personal use only › asxpdf › 20160628 › pdf › 4385g7q5f2j0t0.pdf · “CVV” ASX Shares Outstanding: 50m Calingiri Scoping Study confirms outstanding WA Copper

Nsw 20160628

Site-to-Site VPN · Site-to-Site VPN Avirtualprivatenetwork(VPN)isanetworkconnectionthatestablishesasecuretunnelbetweenremote peersusingapublicsource,suchastheInternetorothernetwork

MONITORING SITE INFORMATION Site ID#: TUO208 Site Name

People’s Post Mitchell’s Plain 20160628

The revision of EURAMET guide cg-12projects.npl.co.uk/hf-circuits/docs/presentations/20160628-zeier.pdf · Introduction 1/3 Background • Rewrite of VNA guide EURAMET cg-12 (formerly

IMG 20160628 120953€¦ · (vi) Shri Suneel Chopra, Pr. Legal Consultant 1.2 Chairman, NPPA welcomed all the members present in the meeting. ll. Aqenda Items 1. Agenda Item no. 1:

8329-602 Natular DT 20160628 26 8329cru66.cahe.wsu.edu/~picol/pdf/WA/64281.pdf · EPAEst No. 8329-IL--03 EPA Reg. No.: 8329-602 PF-41334-1 117456 Natular DT AL0451 BL.indd 1 Pmducedby:

Casa mailbox split-rock-jetfighter-main001-20160628

NHT Fire Site NAFI SITE NAFI SITE NAFI SITE NAFI SITE Fire Pro Site Fire Pro Site Fire Pro Site Fire Pro Site Public Info on Fire Public Info on Fire Public

European Research Project ‘HF Circuits ... - Events - NPLprojects.npl.co.uk/hf-circuits/docs/presentations/20160628-ridler.pdf · Work Package 1 Traceable Reflection and Transmission

Targeted agents in Gynecologic Cancer Slides/930 Oza... · 2009. 5. 25. · in Ovarian Cancer GOG 170D (Burger ASCO 2005) Cannistra et al (ASCO 2006) Bevacizumab 15mg/kg q 3/52 Bevacizumab

IMG 20160628 121508nppaindia.nic.in/wp-content/uploads/2018/08/Minutes-of-the-163rd-a… · Company name/Product name M/S Pharma Force Lab. (Manufacturer) and M/S Mankind Pharma Ltd

CEREMONY SITE Site

AMETHYST ALBANY COMMUNITY SECTORS › sites › default › files … · AMETHYST ALBANY KILLARNEY CAPITAL LOYALIST SEVERN LAKES BRUCE GOLDEN HORSESHOE ST. CLAIR v4.3 20160628. Title:

Site selection, site planning, site divelepment

A1272 SM-A374-V02 manual 20160628 52X74mm … A1272_SM-A374-V02_manual_20160628_52X74mm_Outline Created Date 6/28/2016 3:52:27 PM

Basics: Use Macros - OCLC - OCLC: Worldwide, … Use Macros 8 20160628 1. Introduction to OCLC Macro Language for Connexion client Macros are short programs you write to automate routine

Www.ciscopress.com Copyright 2002Cisco Press: CCNA Instructor’s Manual Year 1 - Chapter 1/Cisco 1 - Module 1 Computer Basics By Robert M. Cannistra

Intro Aim Content Audience Elements Site - summary Site - content Site - game Site - info

ANNUAL REPORT - Thundermist Health Center...David Valois Chairperson Frank Ferri Vice Chairperson M. Douglas Fay Treasurer Linda Cannistra Secretary Eric Beane Mary Ellen Caniglia

geography fieldwork...5 10 15 20 25 30 35 40 Total points scored site 1 site 2 site 3 site 4 site 5 site 6 site 7 site 8 site 9 site 10 Sites Graph to show the residential quality

Xxx Site Name Xxx Site Name Xxx Site Name Xxx Site Name

Rollover v2 Conformance Testing Guide v1.0 FINAL 20160628 (PDF

People’s Post Retreat 20160628

PERSONALISATION AND THE UK TRAVELLERepidm.edgesuite.net/TravelWeekly/TWTVN/20160628/Sabre.pdf£ 101+ £0 33% are not willing to spend anything on air travel extras 66% are willing

TUgis...SESSION I - TRACK 2 - CARTOGRAPHY & VISUALIZATION (LA 3310) Chair: James Cannistra, GISP, CP, Maryland Department of Planning Using the weTable for Geospatial Participatory

ZONLON Catalogue English 20160628

SITE NARRATIVE SITE CALLOUTS SITE IMAGERY