SlideShare ist ein Scribd-Unternehmen logo

Having Honeypot for Better Network Security Analysis

Bangladesh Network Operators Group
Bangladesh Network Operators Group

The document discusses using honeypots for network security analysis. It begins with background on honeypots, explaining that they are decoy systems meant to attract cyber attacks. The document then discusses threat intelligence gathered from a honeypot including unique source IPs, attacked ports, downloaded scripts and their origins, and affected internal IPs. It notes the top devices targeted were outdated routers and IP cameras. The document concludes with discussing internal analysis and challenges convincing a client they have an issue after honeypot alerts.

Internet
1 von 32
Downloaden Sie, um offline zu lesen
Having Honeypot for Better Network Security Analysis A journey with APNIC honeypot A. S. M. Shamim Reza Link3 Technologies Limited shamimreza@link3.net
Today's talk Background history and challenges What is this honey things ? Threat Intel?? Use-cases !!!
Honeypot – what is it? “a honeypot It's a sacrificial computer system that's intended to attract cyber- attack, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cyber-criminals and the way they are operating or to distract them from other targets. “ – Kaspersky LAB
Honeypot – what is it? “a honeypot It's a sacrificial computer system that's intended to attract cyber- attack, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cyber-criminals and the way they are operating or to distract them from other targets. “ – Kaspersky LAB Honeypots are classified as: – Low level interaction – Mid interaction honeypot – High interaction honeypot “Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.” – Michel Oosterhof.
Background history – The idea of honeypots began in 1989 with a Publication “The Cuckoo’s Egg” by Clifford Stoll. – First ever Honeypot was released in 1997, called the Deceptive Toolkit. – In 1998 the first commercial honeypot came out, called Cybercop Sting.
Background history – The idea of honeypots began in 1989 with a Publication “The Cuckoo’s Egg” by Clifford Stoll. – First ever Honeypot was released in 1997, called the Deceptive Toolkit. – In 1998 the first commercial honeypot came out, called Cybercop Sting. – For me it started, interest, at bdNOG1, 2014 – Planned to host it at Link3 in APRICOT 25, 2020. – Influenced by Adli Wahid, Senior Internet Security Specialist, APNIC Link3 has hosted APNIC Honeypot, as a part of on going project “SOC”.
Honeypot – Question to ASK !!! Motivations • What is the primary purpose of the honeypot? • What are you trying to protect? • Are you interested in any attacks, or just ones that could be successful? • Are you interested in learning how the hacker or malware was initially successful? • Are you interested in identifying the hacker or origination point of the malware? • Are you interested in what the hacker or malware did (or wanted to do) after the initial exploit gained entrance to the honeypot? • Are you interested in what tools, techniques, or tactics were used? Based on this brainstorming, you can decide which sort of honeypot you are gonna work with. *** Honeypot Data Analysis. In: Honeypots for Windows. - Roger A. Grimes
Honeypot – how is it being useful By Analyzing the traffic towards the Honeypot will help to get – where the cyber-criminals are coming from – the level of threat – what are the methods they are using – what data or applications they are interested in – how well your security measures are working to stop cyber-attack Who Host Honeypot ? – large organization – Security researcher
16,312 4 57 Unique Source IP Adversary script Unique Internal IPs
Threat Intel ? SSH – 22 Telnet – 23 98.12% 1.88%
Threat Intel ? Those URLs ?? hxxp://1.2.3.4/bot.x86_64 – Reported as C2C server. – Since June 2020
Threat Intel ? Those URLs ?? hxxp://1.2.3.4/bot.x86_64 – I need to know the detail of these files, so I have taken it to hybrid analysis. And The Kaspersky LAB says - “Usually malware of this family is used to perform DDoS attacks.”
Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171 Open Ports – 22 80 443
Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171 First Report – 18 August 2020 Last report – 25 August 2020 – Mostly Scan for SSH port – patterns show they are looking for Honeypots.
Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171
Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh
Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh
Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh This IP from USA serves the scripts, and the script download another 10 scripts from Canada.
Threat Intel ? Few things to remember while working with Honeypot or similar. 1. All those script check was performed in a strict LAB environment. 2. NMAP scan and web-URL check was followed the same procedure (as 1). 3. If you do not take proper precautions, things might get worse and make you the victim accidentally
What about the internals !!! What I do, when I got any notifications at slack – Run nmap scan to get the port/service info of the device, associated with the IP. – Search for the DNS query history for the respective IPs. – Search for the type of the client in to our Client-Database. – Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly. – Analyze the data, and try to find out the story behind it. – Recommend some best practices to the respective clients accordingly.
What about the internals !!! What I do, when I got any notifications at slack – Run nmap scan to get the port/service info of the device, associated with the IP. – Search for the DNS query history for the respective IPs. – Search for the type of the client in to our Client-Database. – Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly. – Analyze the data, and try to find out the story behind it. – Recommend some best practices to the respective clients accordingly. Devices that are related to those 57 IPs So let us watch a story on the next few slides Device Name Version % Mikrotik Router < 6.46.6 92% Zyxel Router Backdated firmware 2.1% DVR System Backdated firmware 4.2% Netgear Router Backdated firmware 1.78%
What about the internals !!! one CCIE got it covered? – Slack gives me an alert, and I let my CS team knew to work on that particular client. – 2 days later I got alert for the same IP, me again knock my CS team to work on it. – 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ? – they replied, on second day client IT concern replied
What about the internals !!! one CCIE got it covered? – Slack gives me an alert, and I let my CS team knew to work on that particular client. – 2 days later I got alert for the same IP, me again knock my CS team to work on it. – 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ? – they replied, on second day client IT concern replied “i am a CCIE, I know what is happening in my network, you guys dont have to bother me again & again” So the challenge begins for me → → → [192.168.0.133 ← Faked the User’s IP for demonstration purpose]
What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→
What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→ – At the same time, I have set a logic at my NetFlow server to give me associated info. Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1 2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1 2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1 2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1 2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1 2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1 2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1 2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1 2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1 2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1 2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1 2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s
What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→ – At the same time, I have set a logic at my NetFlow server to give me associated info. Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1 2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1 2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1 2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1 2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1 2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1 2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1 2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1 2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1 2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1 2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1 2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s Noticed something
What about the internals !!! what I was doing ? – Searched the IP at AbuseDB and Other Places. – and the reputation was not good; actually it was worse
What about the internals !!! what I was doing ? So I have got what I need, to talk to him. – the conversation was like … …. … … … … … … … … … .. .. .. .. .. .. .. – I finally managed to convince him that, he is not responsible for anything, rather there is something bad is happening and I am here to help only. – but I didnt get any Netflow or Packet-Capture data from him. SO me only have options to monitor the activities of that IP.
What about the internals !!! what I was doing ? So I have got what I need, to talk to him. – the conversation was like … …. … … … … … … … … … .. .. .. .. .. .. .. – I finally managed to convince him that, he is not responsible for anything, rather there is something bad is happening and I am here to help only. – but I didnt get any Netflow or Packet-Capture data from him. SO me only have options to monitor the activities of that IP. Update: since September 2020 I dont get any hit from that IP.
SO the benefits of having APNIC Honeypot in place – Before having APNIC honepot in place, we didn't have any direct info of which IP or its internal LAN is compromised. – Though Cowrie is for only ssh & telnet service, but still the logs gives some meaning full info to study on. And we are planning to host some other honeypot aswell. – Since 2013/2014 we have been maintaining security policy strictly, which are fine tuned on a regular basis. – Hosting APNIC honeypot is a low cost solution. – Info-graphic dashboard gives a greater view, like - which region is performing most of the attack.
“There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.” Donald Rumsfeld, Known and Unknown: A Memoir ‘‘ ‘‘
Thank You for your attention shamimrezasohag Contact with Me | asmshamimreza sohag.shamim

Empfohlen

BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
Bangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
Bangladesh Network Operators Group
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
Bangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
Bangladesh Network Operators Group
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
Bangladesh Network Operators Group
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Bangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 

Empfohlen

BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
Bangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
Bangladesh Network Operators Group
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
Bangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
Bangladesh Network Operators Group
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
Bangladesh Network Operators Group
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Bangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
APNIC
 
pps Matters
pps Matterspps Matters
pps Matters
Bangladesh Network Operators Group
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
EC-Council
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
APNIC
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
APNIC
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
IKT-Norge
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering Automation
Tom Paseka
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
ShortestPathFirst
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in general
IKT-Norge
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
Babak Farrokhi
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
MyNOG
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking
Siena Perry
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
Juniper Networks
 
Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : Ansible
Bangladesh Network Operators Group
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
APNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8
newbie2019
 
Adversary Pattern Analysis - A Journey with APNIC Honeypot
Adversary Pattern Analysis - A Journey with APNIC HoneypotAdversary Pattern Analysis - A Journey with APNIC Honeypot
Adversary Pattern Analysis - A Journey with APNIC Honeypot
A. S. M. Shamim Reza
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
ratnalajaggu
 

Weitere ähnliche Inhalte

Was ist angesagt?

TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
EC-Council
 

Was ist angesagt? (20)

Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 
pps Matters
pps Matterspps Matters
pps Matters
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering Automation
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in general
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
 
Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : Ansible
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8
 

Ähnlich wie Having Honeypot for Better Network Security Analysis

Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
Amanpreet Singh
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
Takashi Yamanoue
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 

Ähnlich wie Having Honeypot for Better Network Security Analysis (20)

Adversary Pattern Analysis - A Journey with APNIC Honeypot
Adversary Pattern Analysis - A Journey with APNIC HoneypotAdversary Pattern Analysis - A Journey with APNIC Honeypot
Adversary Pattern Analysis - A Journey with APNIC Honeypot
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Community
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Internet census 2012
Internet census 2012Internet census 2012
Internet census 2012
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
 
04-post-connection-attacks.pdf
04-post-connection-attacks.pdf04-post-connection-attacks.pdf
04-post-connection-attacks.pdf
 
Honeypots.ppt1800363876
Honeypots.ppt1800363876Honeypots.ppt1800363876
Honeypots.ppt1800363876
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
 
Computer security
Computer securityComputer security
Computer security
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber Security
 

Mehr von Bangladesh Network Operators Group

Mehr von Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Kürzlich hochgeladen

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 

Kürzlich hochgeladen (20)

Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 

Having Honeypot for Better Network Security Analysis

  • 1. Having Honeypot for Better Network Security Analysis A journey with APNIC honeypot A. S. M. Shamim Reza Link3 Technologies Limited shamimreza@link3.net
  • 2. Today's talk Background history and challenges What is this honey things ? Threat Intel?? Use-cases !!!
  • 3. Honeypot – what is it? “a honeypot It's a sacrificial computer system that's intended to attract cyber- attack, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cyber-criminals and the way they are operating or to distract them from other targets. “ – Kaspersky LAB
  • 4. Honeypot – what is it? “a honeypot It's a sacrificial computer system that's intended to attract cyber- attack, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cyber-criminals and the way they are operating or to distract them from other targets. “ – Kaspersky LAB Honeypots are classified as: – Low level interaction – Mid interaction honeypot – High interaction honeypot “Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.” – Michel Oosterhof.
  • 5. Background history – The idea of honeypots began in 1989 with a Publication “The Cuckoo’s Egg” by Clifford Stoll. – First ever Honeypot was released in 1997, called the Deceptive Toolkit. – In 1998 the first commercial honeypot came out, called Cybercop Sting.
  • 6. Background history – The idea of honeypots began in 1989 with a Publication “The Cuckoo’s Egg” by Clifford Stoll. – First ever Honeypot was released in 1997, called the Deceptive Toolkit. – In 1998 the first commercial honeypot came out, called Cybercop Sting. – For me it started, interest, at bdNOG1, 2014 – Planned to host it at Link3 in APRICOT 25, 2020. – Influenced by Adli Wahid, Senior Internet Security Specialist, APNIC Link3 has hosted APNIC Honeypot, as a part of on going project “SOC”.
  • 7. Honeypot – Question to ASK !!! Motivations • What is the primary purpose of the honeypot? • What are you trying to protect? • Are you interested in any attacks, or just ones that could be successful? • Are you interested in learning how the hacker or malware was initially successful? • Are you interested in identifying the hacker or origination point of the malware? • Are you interested in what the hacker or malware did (or wanted to do) after the initial exploit gained entrance to the honeypot? • Are you interested in what tools, techniques, or tactics were used? Based on this brainstorming, you can decide which sort of honeypot you are gonna work with. *** Honeypot Data Analysis. In: Honeypots for Windows. - Roger A. Grimes
  • 8. Honeypot – how is it being useful By Analyzing the traffic towards the Honeypot will help to get – where the cyber-criminals are coming from – the level of threat – what are the methods they are using – what data or applications they are interested in – how well your security measures are working to stop cyber-attack Who Host Honeypot ? – large organization – Security researcher
  • 9. 16,312 4 57 Unique Source IP Adversary script Unique Internal IPs
  • 10. Threat Intel ? SSH – 22 Telnet – 23 98.12% 1.88%
  • 11. Threat Intel ? Those URLs ?? hxxp://1.2.3.4/bot.x86_64 – Reported as C2C server. – Since June 2020
  • 12. Threat Intel ? Those URLs ?? hxxp://1.2.3.4/bot.x86_64 – I need to know the detail of these files, so I have taken it to hybrid analysis. And The Kaspersky LAB says - “Usually malware of this family is used to perform DDoS attacks.”
  • 13. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171 Open Ports – 22 80 443
  • 14. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171 First Report – 18 August 2020 Last report – 25 August 2020 – Mostly Scan for SSH port – patterns show they are looking for Honeypots.
  • 15. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh These TWO script was downloaded by an outsider IP – 213.202.233.171
  • 16. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh
  • 17. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh
  • 18. Threat Intel ? Those URLs ?? hxxp://2.3.4.5/div Hxxp://2.3.4.5/miner.sh This IP from USA serves the scripts, and the script download another 10 scripts from Canada.
  • 19. Threat Intel ? Few things to remember while working with Honeypot or similar. 1. All those script check was performed in a strict LAB environment. 2. NMAP scan and web-URL check was followed the same procedure (as 1). 3. If you do not take proper precautions, things might get worse and make you the victim accidentally
  • 20. What about the internals !!! What I do, when I got any notifications at slack – Run nmap scan to get the port/service info of the device, associated with the IP. – Search for the DNS query history for the respective IPs. – Search for the type of the client in to our Client-Database. – Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly. – Analyze the data, and try to find out the story behind it. – Recommend some best practices to the respective clients accordingly.
  • 21. What about the internals !!! What I do, when I got any notifications at slack – Run nmap scan to get the port/service info of the device, associated with the IP. – Search for the DNS query history for the respective IPs. – Search for the type of the client in to our Client-Database. – Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly. – Analyze the data, and try to find out the story behind it. – Recommend some best practices to the respective clients accordingly. Devices that are related to those 57 IPs So let us watch a story on the next few slides Device Name Version % Mikrotik Router < 6.46.6 92% Zyxel Router Backdated firmware 2.1% DVR System Backdated firmware 4.2% Netgear Router Backdated firmware 1.78%
  • 22. What about the internals !!! one CCIE got it covered? – Slack gives me an alert, and I let my CS team knew to work on that particular client. – 2 days later I got alert for the same IP, me again knock my CS team to work on it. – 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ? – they replied, on second day client IT concern replied
  • 23. What about the internals !!! one CCIE got it covered? – Slack gives me an alert, and I let my CS team knew to work on that particular client. – 2 days later I got alert for the same IP, me again knock my CS team to work on it. – 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ? – they replied, on second day client IT concern replied “i am a CCIE, I know what is happening in my network, you guys dont have to bother me again & again” So the challenge begins for me → → → [192.168.0.133 ← Faked the User’s IP for demonstration purpose]
  • 24. What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→
  • 25. What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→ – At the same time, I have set a logic at my NetFlow server to give me associated info. Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1 2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1 2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1 2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1 2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1 2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1 2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1 2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1 2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1 2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1 2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1 2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s
  • 26. What about the internals !!! what I was doing ? So before going to him. – Run nmap scan, and got this info →→→→→→→→ – At the same time, I have set a logic at my NetFlow server to give me associated info. Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1 2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1 2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1 2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1 2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1 2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1 2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1 2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1 2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1 2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1 2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1 2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s Noticed something
  • 27. What about the internals !!! what I was doing ? – Searched the IP at AbuseDB and Other Places. – and the reputation was not good; actually it was worse
  • 28. What about the internals !!! what I was doing ? So I have got what I need, to talk to him. – the conversation was like … …. … … … … … … … … … .. .. .. .. .. .. .. – I finally managed to convince him that, he is not responsible for anything, rather there is something bad is happening and I am here to help only. – but I didnt get any Netflow or Packet-Capture data from him. SO me only have options to monitor the activities of that IP.
  • 29. What about the internals !!! what I was doing ? So I have got what I need, to talk to him. – the conversation was like … …. … … … … … … … … … .. .. .. .. .. .. .. – I finally managed to convince him that, he is not responsible for anything, rather there is something bad is happening and I am here to help only. – but I didnt get any Netflow or Packet-Capture data from him. SO me only have options to monitor the activities of that IP. Update: since September 2020 I dont get any hit from that IP.
  • 30. SO the benefits of having APNIC Honeypot in place – Before having APNIC honepot in place, we didn't have any direct info of which IP or its internal LAN is compromised. – Though Cowrie is for only ssh & telnet service, but still the logs gives some meaning full info to study on. And we are planning to host some other honeypot aswell. – Since 2013/2014 we have been maintaining security policy strictly, which are fine tuned on a regular basis. – Hosting APNIC honeypot is a low cost solution. – Info-graphic dashboard gives a greater view, like - which region is performing most of the attack.
  • 31. “There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.” Donald Rumsfeld, Known and Unknown: A Memoir ‘‘ ‘‘
  • 32. Thank You for your attention shamimrezasohag Contact with Me | asmshamimreza sohag.shamim