Download - Honeypots for Active Defense
Honeypots for Active DefenseA Practical Guide to Honeynets within the Enterprise
Greg Foss SecOps Lead / Senior Researcher @heinzarelli
# whoami
Greg Foss
SecOps Team Lead
Sr. Security Research Engineer
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
Traditional Defensive Concepts
• Maintain a tough perimeter
• Implement layered security controls
• Block known attacks and ban malicious IP’s
• Create and enforce policy to discourage misuse
InfoSec Realities• There is no magic security product that
will protect you or your company. Period.
• It’s when, not if — there’s always a way in…
What is ‘Active Defense’• All comes down to tipping the odds in our
favor as defenders…
• Annoying the attacker
• Trapping them and wasting time
• Gather data + attempt attribution
• ‘Attacking Back’
• Reduce the MTTD and MTTR
• MTTD => Mean-Time-to-Detect
• MTTR => Mean-Time-to-Respond
Why Internal Honeypots?
• Easy to configure, deploy, and maintain
• Fly traps for anomalous activity
• They don’t even need to look legit once breached… Just enough to raise a flag.
• You will learn a ton about your adversaries. Information that will help in the future…
• *Honeypots are something to focus on after the basics have been taken care of.
Honeypot Use Cases
• Research
• Understand how attackers think, what works, what doesn’t, and what they are after.
• Defense
• Learn from the adversary and adapt… Lay traps to catch subtle yet abnormal activities.
VM’s
ADHD
http://sourceforge.net/projects/adhd/
Honey Drive 3
http://sourceforge.net/projects/honeydrive/
First things first…• Honeypots and Active Defense come after
baseline security controls are in place.
• Warning banners are critical and assist in the event prosecution is necessary / desired.
Types of Honeypots
No Interaction
Low Interaction
Medium Interaction
High Interaction
Honey Tokens / Drives / Strings / Etc.
*note - this is my interpretation, not necessarily ‘industry standard’
No Interaction Honeypots
Primarily referred to as Honeyports, or services that simply log and/or ban on full TCP connect.
‘No Interaction’ Honeypots• Basic Honeyports
• Linux - NetCat and IPTables
• Windows - NetCat and Netsh
• Python and PowerShell options as well…
Linux Honeyports• Artillery — supports Windows too!
• https://www.trustedsec.com/downloads/artillery/
Artillery Logging• Port Scanning and/or Illegitimate Service Access
• Local Syslog, Flat File, or Remote Syslog options
• IP’s are added to the banlist and blocked locally via IPTables
Low Interaction Honeypots
Honeypots that serve up basic content and are not interactive once breached.
WordPot• https://github.com/gbrindisi/wordpot
• Fake WordPress app, written in Python…
Fake PhpMyAdmin• https://github.com/gfoss/phpmyadmin_honeypot
• Simple fake phpmyadmin ‘app’ that logs to flat files. This same approach can be applied to anything…
$any fake login panel• Custom - but believable and hidden from normal
users
• Can be used in ‘reverse phishing’ — discussing later…
$any fake login panel• Logging attacker data is standard, what if you
need evidence that is a bit more tangible…
Honeybadger• https://bitbucket.org/LaNMaSteR53/honeybadger/
• Gain *true attribution on your adversaries…
Medium Interaction Honeypots
Interactive honeypots that resemble real services and provide limited functionality once breached.
Medium Interaction Honeypots
• TONS! But one of my favorites:
• https://github.com/desaster/kippo
• https://github.com/gfoss/kippo
• Simulate SSH Service…
Kippo• Python script which simulates an SSH service that is
highly customizable, portable, and adaptable.
• Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real-time.
• One of the more popular honeypots out there, as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious…
• When deploying externally, there is a risk of CnC’s maintaining persistent connections.
• Can be used as a pentest tool as well :-)
Kippo Alert Automation
https://github.com/gfoss/kippo/blob/master/replay-alert.sh
High Interaction Honeypots
Imitate real systems or modify real hosts to act as honeypots in order to verbosely log attacker activity and capture all network and related flow data.
Analysis Tools• LogRhythm Network Monitor and SIEM
• Suricata IDS
• http://suricata-ids.org/download/
• BRO IDS
• https://www.bro.org/
• Cuckoo Sandbox
• http://www.cuckoosandbox.org/
Routers and Switches• ROMAN Hunter - Router Man Hunter
• http://sourceforge.net/projects/romanhunter/
• Configure real AP as a honeypot
• Capture MAC of attacker that bypasses security
• Correlate the MAC and add it to anorganizational blacklist…
High Interaction Warning!
• Deploying real systems / devices / services is dangerous and requires dedicated monitoring.
• Whenever hosts can actually be compromised there is huge risk if not monitored appropriately.
• Never use the organization’s gold-standard image for the honeypot.
• Segment these hosts from the production network!
Honey Tokens• Use file integrity monitoring to track all
interactions with files/folders/etc of interest. Great for network shares.
• Not just files, this can be strings, drives, directories, etc.
• Any predefined item that will generate a log when accessed/modified/etc.
• Trivial to configure…
Document Bugging• WebBug How To:
• http://ha.ckers.org/webbug.html
• WebBug Server:
• https://bitbucket.org/ethanr/webbugserver
• Bugged Files - Is your Document Telling on You?
• Daniel Crowley + Damon Smith
• https://www.youtube.com/watch?v=co1gFikKLpA
Document Tracking• Same tricks used by Marketing for years,
normally for tracking emails.
• Why loading externalimages within email is risky…
Document Tracking• Documents can be tracked in the same way as email /
web.
• Automating the process…
• https://github.com/gfoss/misc/tree/master/Bash/webbug
Document Tracking Issues• If the document is opened up offline it will
divulge information about the tracking service.
• *There is no telling how someone will react once it is discovered that they were being tracked…
• Zip Bombs
• http://unforgettable.dk - 42.zip
• BeEF - Browser Exploitation Framework
• http://beefproject.com/
• USB Killer
• http://kukuruku.co/hub/diy/usb-killer
• Clippy!
• http://www.irongeek.com/i.php?page=security/phpids-install-notes
More Tricks
https://github.com/nitram509/ascii-telnet-server
ASCII Art Distraction
Monitoring• Dedicated SOC - Security Operations Center
• SIEM - Security Information Event Management
• Correlate and Track Events
• Evaluate Impact on the Real Environment
• Measure Risk and Actively Respond to Threats
• IDS, Network Flow Analysis, Firewalls, etc.
• Configure once and it’s smooth sailing from there…
Enterprise Threat Intelligence• Develop Context-Aware Threat Intelligence
• Leverage knowledge gained from attackers to create IOC’s and custom IDS and SIEM rules…
Automating Response• Dynamic Honeypotting
• Deploy PowerShell and Command Line Logging
• http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist/25
Automating Response• Google Rapid Response - GRR
• https://github.com/google/grr
• Netflix FIDO
• https://github.com/Netflix/Fido
• Kansa
• https://github.com/davehull/Kansa
• Power Forensics
• https://github.com/Invoke-IR/PowerForensics
1 PowerShell Script
Live Data Acquisition and Incident Response
Integrates into Existing Security Processes
Remote Forensic Acquisition
Host and User Lockdown
https://github.com/gfoss/PSRecon/
Honeypot Dashboards• HoneyDrive3 comes complete with
dashboards and enhancement scripts to display interesting data.
• Kippo Graph
• http://bruteforce.gr/kippo-graph
• The Modern Honey Network - can also deploy!
• https://threatstream.com/blog/mhn-modern-honey-network
• LogRhythm SIEM - Honeypot Analytics Suite
Works Cited & Recommended Reading
• Strand, John, and Asadoorian, Paul. Offensive Countermeasures: The Art of Active Defense. 2013.
• Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014.
• Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'noise' Rockland, MA: Syngress, 2012.
• Bodmer, Sean. Reverse Deception: Organized Cyber Threat Counter-exploitation. N.p.: n.p., n.d. Print.
Thank You!
Questions?
https://github.com/gfoss/
Greg Foss OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
SecOps Lead / Sr. Researchergreg.foss[at]LogRhythm.com
@heinzarelli