Honeypots for Active Defense
A Practical Guide to Honeynets within the Enterprise
Greg Foss
SecOps Lead / Senior Researcher
@heinzarelli
# whoami
Greg Foss
SecOps Team Lead
Sr. Security Research Engineer
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
Traditional Defensive
Concepts
• Maintain a tough perimeter
• Implement layered security controls
• Block known attacks and ban malicious IP’s
• Create and enforce policy to discourage misuse
…cross our fingers
InfoSec Realities
• There is no magic security product that
will protect you or your company. Period.
• It’s when, not if — there’s always a way in…
Not Just ‘APTs’
Active Defense
What is ‘Active Defense’
• All comes down to tipping the odds in our
favor as defenders…
• Annoying the attacker
• Trapping them and wasting time
• Gather data + attempt attribution
• ‘Attacking Back’
• Reduce the MTTD and MTTR
• MTTD => Mean-Time-to-Detect
• MTTR => Mean-Time-to-Respond
Why Internal Honeypots?
• Easy to configure, deploy, and maintain
• Fly traps for anomalous activity
• They don’t even need to look legit once
breached… Just enough to raise a flag.
• You will learn a ton about your adversaries.
Information that will help in the future…
• *Honeypots are something to focus on after
the basics have been taken care of.
Honeypot Use Cases
• Research
• Understand how attackers think, what
works, what doesn’t, and what they are
after.
• Defense
• Learn from the adversary and adapt…
Lay traps to catch subtle yet abnormal
activities.
Defense
VM’s
ADHD
http://sourceforge.net/projects/adhd/
Honey Drive 3
http://sourceforge.net/projects/honeydrive/
First things first…
• Honeypots and Active Defense come after
baseline security controls are in place.
• Warning banners are critical and assist in the
event prosecution is necessary / desired.
Types of Honeypots
No Interaction
Low Interaction
Medium Interaction
High Interaction
Honey Tokens / Drives / Strings / Etc.
*note - this is my interpretation, not necessarily ‘industry standard’
No Interaction
Honeypots
Primarily referred to as Honeyports, or services
that simply log and/or ban on full TCP connect.
‘No Interaction’ Honeypots
• Basic Honeyports
• Linux - NetCat and IPTables
• Windows - NetCat and Netsh
• Python and PowerShell options as well…
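The honeyport idea from the slides, as an added example in Python: it is not code from the deck, from Artillery, or from the author's netcat/PowerShell honeyports. It logs every completed TCP handshake on a port that no real service uses, adds the source to a ban list, and emits the matching iptables or netsh command. The allowlist (a vulnerability scanner and a SIEM collector address) is a constructed assumption; leaving it out is the classic way to ban your own scanner.

```python
"""Minimal TCP honeyport: log every completed handshake, build a ban list.

Added example, not code from the slides, from Artillery or from the author's
PowerShell/netcat honeyports. Assumptions: the chosen port is unused by any real
service, and ALLOWLIST holds the hosts that legitimately touch every port
(vulnerability scanner, SIEM collector) and must never be banned.
"""
import json
import socket
import time

# Constructed sample values: replace with your scanner / collector addresses.
ALLOWLIST = {"127.0.0.1", "10.0.0.5"}


class Honeyport:
    """Listens on one TCP port; any full connect from a non-allowlisted host is hostile."""

    def __init__(self, port=0, bind_ip="127.0.0.1", allowlist=ALLOWLIST):
        self.allowlist = set(allowlist)
        self.events = []      # structured log records, one per connect
        self.banlist = set()  # source IPs to hand to iptables / netsh
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_ip, port))   # port=0 lets the OS pick (useful for tests)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def record(self, src_ip):
        """Log one completed TCP handshake; return True if the source gets banned."""
        ban = src_ip not in self.allowlist
        self.events.append({
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "src_ip": src_ip,
            "dst_port": self.port,
            "action": "ban" if ban else "allowlisted",
        })
        if ban:
            self.banlist.add(src_ip)
        return ban

    def serve_once(self):
        """Accept one connection, close it at once (no banner to fingerprint), log it."""
        conn, (src_ip, _src_port) = self.sock.accept()
        conn.close()
        return self.record(src_ip)

    def ban_commands(self, platform="linux"):
        """Firewall commands for the current ban list (Linux iptables or Windows netsh)."""
        cmds = []
        for ip in sorted(self.banlist):
            if platform == "windows":
                cmds.append(f'netsh advfirewall firewall add rule name="honeyport-{ip}" '
                            f"dir=in action=block remoteip={ip}")
            else:
                cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
        return cmds

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    # Stand-alone use: listen on a fixed port, print one JSON record per connect,
    # and dump the firewall commands on Ctrl-C.
    hp = Honeyport(port=2222, bind_ip="0.0.0.0", allowlist=ALLOWLIST)
    print(f"honeyport listening on tcp/{hp.port}")
    try:
        while True:
            hp.serve_once()
            print(json.dumps(hp.events[-1]))
    except KeyboardInterrupt:
        print("\n".join(hp.ban_commands()))
    finally:
        hp.close()
```

The connection is closed before any byte is sent, so the listener gives a port scanner nothing to fingerprint; the JSON records are what you forward to syslog or the SIEM, and the ban commands are printed rather than executed so that the allowlist can be reviewed before anything is blocked.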
Windows PowerShell
Honeyports
Linux Honeyports
• Artillery — supports Windows too!
• https://www.trustedsec.com/downloads/artillery/
Artillery Logging
• Port Scanning and/or Illegitimate Service Access
• Local Syslog, Flat File, or Remote Syslog options
• IP’s are added to the banlist and blocked locally
via IPTables
Artillery Logging Bonus!
• File Integrity Monitoring
Low Interaction
Honeypots
Honeypots that serve up basic content
and are not interactive once breached.
WordPot
• https://github.com/gbrindisi/wordpot
• Fake WordPress app, written in Python…
Fake PhpMyAdmin
• https://github.com/gfoss/phpmyadmin_honeypot
• Simple fake phpmyadmin ‘app’ that logs to flat files.
This same approach can be applied to anything…
$any fake login panel
• Custom - but believable and hidden from normal
users
• Can be used in ‘reverse phishing’ — discussing
later…
$any fake login panel
• Logging attacker data is standard, what if you
need evidence that is a bit more tangible…
Honeybadger
• https://bitbucket.org/LaNMaSteR53/honeybadger/
• Gain *true attribution on your adversaries…
Medium Interaction
Honeypots
Interactive honeypots that resemble real services
and provide limited functionality once breached.
Medium Interaction Honeypots
• TONS! But one of my favorites:
• https://github.com/desaster/kippo
• https://github.com/gfoss/kippo
• Simulate SSH Service…
Kippo
• Python script which simulates an SSH service that is
highly customizable, portable, and adaptable.
• Logs to flat files and stores the full TTY session
for each connection, so that attacks can be replayed
in real-time.
• One of the more popular honeypots out there, as a
result, attackers know how to differentiate between
this and a real Linux host very quickly. Be cautious…
• When deploying externally, there is a risk of CnC’s
maintaining persistent connections.
• Can be used as a pentest tool as well :-)
Kippo Alert Automation
https://github.com/gfoss/kippo/blob/master/replay-alert.sh
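Alerting on Kippo's flat-file log, as an added example that is not code from the slides, from the Kippo project or from the author's replay-alert.sh. The sample lines are constructed in the style of Kippo's kippo.log (transport id and source IP inside the bracketed prefix, `login attempt [user/pass] succeeded|failed`, and `CMD:` lines); the exact layout and the addresses are assumptions, so adjust the regexes to the version you run. A successful login is the high-severity event, since nothing legitimate ever logs in to a honeypot; a burst of failures from one source is the lower-severity guessing signal.

```python
"""Turn Kippo's flat-file log into alerts: successful logins and guessing bursts.

Added example, not code from the slides or from the Kippo project / replay-alert.sh.
The sample lines are constructed in the style of Kippo's kippo.log; field layout
and the session/IP values are assumptions, so adjust the regexes to your version.
"""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<sid>\d+),(?P<src>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHChannel session \(\d+\) on SSHService ssh-connection on "
    r"HoneyPotTransport,(?P<sid>\d+),(?P<src>[\d.]+)\] CMD: (?P<cmd>.*)$"
)

# Constructed sample: one source guesses twice, gets in and runs two commands;
# a second source fails six times over two transports and never gets in.
SAMPLE_LOG = """\
2015-03-10 14:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [root/toor] failed
2015-03-10 14:02:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [root/123456] succeeded
2015-03-10 14:02:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.9] CMD: uname -a
2015-03-10 14:02:25+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.9] CMD: w
2015-03-10 14:05:01+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [admin/admin] failed
2015-03-10 14:05:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [admin/password] failed
2015-03-10 14:05:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [admin/admin123] failed
2015-03-10 14:05:10+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.7] login attempt [root/root] failed
2015-03-10 14:05:11+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.7] login attempt [root/password] failed
2015-03-10 14:05:12+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.7] login attempt [root/qwerty] failed
"""


def _new_session(src):
    return {"src": src, "attempts": 0, "logged_in": False, "creds": None, "commands": []}


def parse_kippo(lines):
    """Group log lines into per-session records keyed by Kippo's transport id."""
    sessions = {}
    for line in lines:
        line = line.rstrip("\n")
        m = LOGIN_RE.match(line)
        if m:
            s = sessions.setdefault(m["sid"], _new_session(m["src"]))
            s["attempts"] += 1
            if m["result"] == "succeeded":
                s["logged_in"] = True
                s["creds"] = (m["user"], m["pw"])
            continue
        m = CMD_RE.match(line)
        if m:
            sessions.setdefault(m["sid"], _new_session(m["src"]))["commands"].append(m["cmd"])
    return sessions


def build_alerts(sessions, guess_threshold=5):
    """High: any successful login. Medium: >= threshold guesses from one source, no login."""
    alerts = []
    attempts_by_src = defaultdict(int)
    logged_in_srcs = set()
    for sid, s in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        attempts_by_src[s["src"]] += s["attempts"]
        if s["logged_in"]:
            logged_in_srcs.add(s["src"])
            alerts.append({"severity": "high", "src": s["src"], "session": sid,
                           "reason": "interactive login on honeypot",
                           "creds": s["creds"], "commands": s["commands"]})
    for src, n in sorted(attempts_by_src.items()):
        if n >= guess_threshold and src not in logged_in_srcs:
            alerts.append({"severity": "medium", "src": src, "reason": f"{n} password guesses"})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_kippo(SAMPLE_LOG.splitlines())):
        print(alert)
```

Guessing is counted per source address rather than per transport because a brute-forcer opens a fresh TCP connection, and therefore a fresh Kippo transport id, for every few attempts; the commands captured in the session record are what you would hand to the SIEM as IOCs.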
High Interaction
Honeypots
Imitate real systems or modify real hosts to act as
honeypots in order to verbosely log attacker activity
and capture all network and related flow data.
Analysis Tools
• LogRhythm Network Monitor and SIEM
• Suricata IDS
• http://suricata-ids.org/download/
• BRO IDS
• https://www.bro.org/
• Cuckoo Sandbox
• http://www.cuckoosandbox.org/
Routers and Switches
• ROMAN Hunter - Router Man Hunter
• http://sourceforge.net/projects/romanhunter/
• Configure real AP as a honeypot
• Capture MAC of attacker that bypasses security
• Correlate the MAC and add it to an organizational blacklist…
High Interaction
Warning!
• Deploying real systems / devices / services is
dangerous and requires dedicated monitoring.
• Whenever hosts can actually be compromised
there is huge risk if not monitored
appropriately.
• Never use the organization’s gold-standard
image for the honeypot.
• Segment these hosts from the production
network!
Honey Tokens and
Document Bugging
Tracking file access, modification, exfiltration, etc…
File Integrity Monitoring
Honey Tokens
• Use file integrity monitoring to track all
interactions with files/folders/etc of interest.
Great for network shares.
• Not just files, this can be strings, drives,
directories, etc.
• Any predefined item that will generate a log when accessed/modified/etc.
• Trivial to configure…
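A honey-token file monitor, as an added example that is not code from the slides or from Artillery's file-integrity module. It baselines each decoy file (hash, size, mtime, atime), re-scans, and reports modified, deleted, created and (best effort) accessed tokens. The decoy file names are constructed; the filesystem caveat matters: relatime on Linux updates atime at most once a day and noatime never does, and Windows disables last-access updates by default, so an "accessed" hit is a bonus and auditd or a SACL is the reliable source where you need it.

```python
"""Honey-token file monitor: baseline, re-scan, report access / change / removal.

Added example, not from the slides or from Artillery's file-integrity module.
Assumes the token files already exist (e.g. a decoy spreadsheet on a share).
The 'accessed' event depends on the filesystem recording access times
(relatime / noatime on Linux, disabled last-access updates on Windows), so
treat it as best effort and back it with auditd or a SACL for certainty.
"""
import hashlib
import os
import tempfile


def snapshot(paths):
    """SHA-256 plus size/mtime/atime for each token file that still exists."""
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            continue  # a vanished token shows up as 'deleted' in diff()
        snap[p] = {"sha256": digest, "size": st.st_size,
                   "mtime": st.st_mtime, "atime": st.st_atime}
    return snap


def diff(baseline, current):
    """Compare two snapshots; returns a sorted list of (path, event) tuples."""
    events = []
    for p, b in baseline.items():
        c = current.get(p)
        if c is None:
            events.append((p, "deleted"))
        elif c["sha256"] != b["sha256"] or c["size"] != b["size"]:
            events.append((p, "modified"))
        elif c["atime"] > b["atime"]:
            events.append((p, "accessed"))  # read but unchanged: the classic honey-token hit
    for p in current:
        if p not in baseline:
            events.append((p, "created"))
    return sorted(events)


def demo():
    """Self-contained run in a temp directory; returns the detected events."""
    d = tempfile.mkdtemp()
    # Constructed decoy names: files nobody has a business reason to touch.
    tokens = [os.path.join(d, "passwords.xlsx"), os.path.join(d, "vpn_keys.txt")]
    for p in tokens:
        with open(p, "w") as f:
            f.write("decoy content, constructed for the example\n")
    base = snapshot(tokens)
    with open(tokens[0], "a") as f:  # simulate tampering with the first token
        f.write("x")
    os.remove(tokens[1])             # simulate copy-and-wipe of the second
    return diff(base, snapshot(tokens))


if __name__ == "__main__":
    for path, event in demo():
        print(f"{event:9s} {path}")
```

Run `snapshot()` once at deployment, store the result, and compare on a schedule; any event on a decoy path is a hit worth an alert on its own, because nothing legitimate should ever touch it.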
Document Bugging
• WebBug How To:
• http://ha.ckers.org/webbug.html

• WebBug Server:
• https://bitbucket.org/ethanr/webbugserver

• Bugged Files - Is your Document Telling on You?
• Daniel Crowley + Damon Smith
• https://www.youtube.com/watch?v=co1gFikKLpA
Document Tracking
• Same tricks used by Marketing for years,
normally for tracking emails.
• Why loading external images within email is risky…
Document Tracking
• Documents can be tracked in the same way as email /
web.
• Automating the process…
• https://github.com/gfoss/misc/tree/master/Bash/webbug
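The receiving end of a document web bug, as an added example that is not code from the slides, from the ha.ckers.org WebBug write-up, or from the webbugserver / misc/Bash/webbug repositories. The bugged document is assumed to embed a remote image at `/pixel.gif?t=<token>` pointing at this host; `TOKENS` maps each token to the document it was planted in (constructed values). The server answers with a 1x1 GIF, refuses caching so every open reaches it, and records who fetched which token.

```python
"""Web-bug (tracking pixel) receiver for bugged documents.

Added example, not from the slides, from ha.ckers.org's WebBug write-up or from
the webbugserver / misc/Bash/webbug repos. Assumes the bugged document loads an
image at /pixel.gif?t=<token> from this host; TOKENS maps each token to the
document it was planted in (constructed values).
"""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Smallest valid GIF: 1x1, transparent, 43 bytes.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

TOKENS = {  # constructed: token -> where the bugged copy was planted
    "7f3c9a": "finance-share/Q3_salaries.xlsx",
    "b21e04": "hr-share/offer_letters.docx",
}
EVENTS = []  # append-only hit log; ship to syslog / the SIEM in production


def parse_beacon(path, src_ip, headers):
    """Turn one pixel request into an event; unknown tokens are kept (probing or replay)."""
    token = parse_qs(urlparse(path).query).get("t", [None])[0]
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "token": token,
        "document": TOKENS.get(token),
        "known": token in TOKENS,
        "src_ip": src_ip,
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),
    }


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        EVENTS.append(parse_beacon(self.path, self.client_address[0], self.headers))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")  # every open must reach the server
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, fmt, *args):
        # Replace the default access log with one structured JSON line per hit.
        print(json.dumps(EVENTS[-1]))


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

The user agent and source address are the evidence: an office-suite user agent from an address outside the organization means the document left the share. The offline case from the slides still applies: a viewer that blocks remote content never fetches the pixel, and a curious reader can see the beacon URL in the document, so plant tokens with that in mind.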
Document Tracking Issues
• If the document is opened up offline it will
divulge information about the tracking service.
• *There is no telling how someone will react
once it is discovered that they were being
tracked…
Screwing with Attackers
• Reverse Phishing and ‘Attacking Back’
• A case study…
• Zip Bombs
• http://unforgettable.dk - 42.zip
• BeEF - Browser Exploitation Framework
• http://beefproject.com/
• USB Killer
• http://kukuruku.co/hub/diy/usb-killer
• Clippy!
• http://www.irongeek.com/i.php?page=security/phpids-install-notes
More Tricks
cat /dev/random | nc -nl 22
https://github.com/nitram509/ascii-telnet-server
ASCII Art Distraction
Monitoring
• Dedicated SOC - Security Operations Center
• SIEM - Security Information Event Management
• Correlate and Track Events
• Evaluate Impact on the Real Environment
• Measure Risk and Actively Respond to
Threats
• IDS, Network Flow Analysis, Firewalls, etc.
• Configure once and it’s smooth sailing from there…
Enterprise Threat Intelligence
• Develop Context-Aware Threat Intelligence
• Leverage knowledge gained from attackers to
create IOC’s and custom IDS and SIEM rules…
Event Correlation
Automating Response
• Dynamic Honeypotting
• Deploy PowerShell and Command Line Logging
• http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist/25
Automating Response
• Google Rapid Response - GRR
• https://github.com/google/grr
• Netflix FIDO
• https://github.com/Netflix/Fido
• Kansa
• https://github.com/davehull/Kansa
• Power Forensics
• https://github.com/Invoke-IR/PowerForensics
1 PowerShell Script
Live Data Acquisition and Incident Response
Integrates into Existing Security Processes
Remote Forensic Acquisition
Host and User Lockdown
https://github.com/gfoss/PSRecon/
Bringing it all
together…
Honeypot Dashboards
• HoneyDrive3 comes complete with
dashboards and enhancement scripts to
display interesting data.
• Kippo Graph
• http://bruteforce.gr/kippo-graph
• The Modern Honey Network - can also
deploy!
• https://threatstream.com/blog/mhn-modern-honey-network
• LogRhythm SIEM - Honeypot Analytics Suite
Works Cited & Recommended Reading
• Strand, John, and Asadoorian, Paul. Offensive
Countermeasures: The Art of Active Defense. 2013.
• Murdoch, D. W. Blue Team Handbook: Incident
Response Edition: A Condensed Field Guide for
the Cyber Security Incident Responder. United
States: CreateSpace Independent, 2014.
• Chuvakin, Anton, and Kevin Schmidt. Logging and
Log Management: The Authoritative Guide to
Dealing with Syslog, Audit Logs, Events, Alerts and
Other IT 'Noise'. Rockland, MA: Syngress, 2012.
• Bodmer, Sean. Reverse Deception: Organized Cyber
Threat Counter-exploitation. N.p.: n.p., n.d. Print.
Thank You!
Questions?
https://github.com/gfoss/
Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
SecOps Lead / Sr. Researcher
greg.foss[at]LogRhythm.com
@heinzarelli
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Honeypots for Active Defense

  • 15. Types of Honeypots
    No Interaction
    Low Interaction
    Medium Interaction
    High Interaction
    Honey Tokens / Drives / Strings / Etc.
    *note - this is my interpretation, not necessarily ‘industry standard’
  • 16. No Interaction Honeypots
    Primarily referred to as Honeyports, or services that simply log and/or ban on full TCP connect.
  • 17. ‘No Interaction’ Honeypots
    • Basic Honeyports
      • Linux - NetCat and IPTables
      • Windows - NetCat and Netsh
      • Python and PowerShell options as well…
  • 20. Linux Honeyports
    • Artillery — supports Windows too!
      • https://www.trustedsec.com/downloads/artillery/
  • 21. Artillery Logging
    • Port Scanning and/or Illegitimate Service Access
    • Local Syslog, Flat File, or Remote Syslog options
    • IPs are added to the banlist and blocked locally via IPTables
  • 22. Artillery Logging Bonus!
    • File Integrity Monitoring
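As an added example (not from the deck and not Artillery's code), a minimal Python honeyport of the kind slides 16 and 17 describe: it listens on an otherwise unused port, treats every completed TCP connect as an alert, and optionally drops the source address with an iptables rule. The allowlist, port 2222 and the iptables argv wrapper are assumptions made for this illustration.

```python
import socket
import subprocess
from datetime import datetime, timezone

# Constructed allowlist: vulnerability scanners / monitors that must never be banned.
ALLOWLIST = {"10.0.0.5"}


def iptables_ban_rule(ip):
    """Argv for inserting a DROP rule for `ip` (assumed wrapper; needs root to apply)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def record_connect(peer_ip, port, banlist, now=None):
    """Log one full TCP connect to the honeyport and decide whether to ban the source.

    Nothing legitimate ever talks to this port, so any completed connect from a
    host outside the allowlist is anomalous. Returns (event, should_ban) and
    adds newly banned sources to `banlist` so repeat hits are not re-banned.
    """
    now = now or datetime.now(timezone.utc)
    if peer_ip in ALLOWLIST:
        action = "allowlisted"
    elif peer_ip in banlist:
        action = "already_banned"
    else:
        action = "ban"
        banlist.add(peer_ip)
    event = {"ts": now.isoformat(), "src": peer_ip, "honeyport": port, "action": action}
    return event, action == "ban"


def serve(port=2222, bind="0.0.0.0", apply_ban=False, log=print):
    """Accept connections forever; no banner, no interaction, just log (and optionally ban)."""
    banlist = set()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(5)
        while True:
            conn, (peer_ip, _) = srv.accept()
            conn.close()  # the full TCP connect is the only signal we want
            event, ban = record_connect(peer_ip, port, banlist)
            log(event)  # in practice: syslog / SIEM, as Artillery does
            if ban and apply_ban:
                subprocess.run(iptables_ban_rule(peer_ip), check=False)


if __name__ == "__main__":
    serve()
```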
  • 24. Low Interaction Honeypots
    Honeypots that serve up basic content and are not interactive once breached.
  • 25. WordPot
    • https://github.com/gbrindisi/wordpot
    • Fake WordPress app, written in Python…
  • 26. Fake PhpMyAdmin
    • https://github.com/gfoss/phpmyadmin_honeypot
    • Simple fake phpmyadmin ‘app’ that logs to flat files. This same approach can be applied to anything…
  • 27. $any fake login panel
    • Custom - but believable and hidden from normal users
    • Can be used in ‘reverse phishing’ — discussed later…
  • 28. $any fake login panel
    • Logging attacker data is standard, but what if you need evidence that is a bit more tangible…
  • 31. Medium Interaction Honeypots
    Interactive honeypots that resemble real services and provide limited functionality once breached.
  • 32. Medium Interaction Honeypots
    • TONS! But one of my favorites:
      • https://github.com/desaster/kippo
      • https://github.com/gfoss/kippo
    • Simulate SSH Service…
  • 33. Kippo
    • Python script which simulates an SSH service that is highly customizable, portable, and adaptable.
    • Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real-time.
    • One of the more popular honeypots out there; as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious…
    • When deploying externally, there is a risk of CnCs maintaining persistent connections.
    • Can be used as a pentest tool as well :-)
  • 36. High Interaction Honeypots
    Imitate real systems or modify real hosts to act as honeypots in order to verbosely log attacker activity and capture all network and related flow data.
  • 38. Analysis Tools
    • LogRhythm Network Monitor and SIEM
    • Suricata IDS
      • http://suricata-ids.org/download/
    • BRO IDS
      • https://www.bro.org/
    • Cuckoo Sandbox
      • http://www.cuckoosandbox.org/
  • 39. Routers and Switches
    • ROMAN Hunter - Router Man Hunter
      • http://sourceforge.net/projects/romanhunter/
    • Configure real AP as a honeypot
    • Capture MAC of attacker that bypasses security
    • Correlate the MAC and add it to an organizational blacklist…
  • 40. High Interaction Warning!
    • Deploying real systems / devices / services is dangerous and requires dedicated monitoring.
    • Whenever hosts can actually be compromised there is huge risk if not monitored appropriately.
    • Never use the organization’s gold-standard image for the honeypot.
    • Segment these hosts from the production network!
  • 41. Honey Tokens and Document Bugging
    Tracking file access, modification, exfiltration, etc…
  • 43. Honey Tokens
    • Use file integrity monitoring to track all interactions with files/folders/etc of interest. Great for network shares.
    • Not just files, this can be strings, drives, directories, etc.
    • Any predefined item that will generate a log when accessed/modified/etc.
    • Trivial to configure…
  • 44. Document Bugging
    • WebBug How To:
      • http://ha.ckers.org/webbug.html
    • WebBug Server:
      • https://bitbucket.org/ethanr/webbugserver
    • Bugged Files - Is your Document Telling on You?
      • Daniel Crowley + Damon Smith
      • https://www.youtube.com/watch?v=co1gFikKLpA
  • 45. Document Tracking
    • Same tricks used by Marketing for years, normally for tracking emails.
    • Why loading external images within email is risky…
  • 46. Document Tracking
    • Documents can be tracked in the same way as email / web.
    • Automating the process…
      • https://github.com/gfoss/misc/tree/master/Bash/webbug
  • 47. Document Tracking Issues
    • If the document is opened up offline it will divulge information about the tracking service.
    • *There is no telling how someone will react once it is discovered that they were being tracked…
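An added example, not the author's webbug scripts: a minimal Python beacon server for the document-bugging approach in slides 44 to 47. Each planted document references an image URL carrying a token; when the document is opened online, the server maps the token back to the file it was planted in and emits an alert record with the requester's address and User-Agent. The token registry, document names and the `/bug.gif?t=` URL shape are constructed for this illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# 1x1 transparent GIF returned to whatever opened the bugged document.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

# Constructed registry: token embedded in a document -> where that decoy file was planted.
TOKENS = {"9f3a7c": "finance-share/Q3-forecast.xlsx",
          "b21e08": "hr-share/salaries.docx"}


def parse_beacon(path, headers, peer_ip):
    """Turn one GET for the tracking image into an alert record.

    Returns None for unknown tokens so that random scanners hitting the
    endpoint are not mistaken for someone opening a planted document.
    """
    token = parse_qs(urlparse(path).query).get("t", [None])[0]
    if token not in TOKENS:
        return None
    return {"token": token, "document": TOKENS[token], "src": peer_ip,
            "user_agent": headers.get("User-Agent", ""),
            "x_forwarded_for": headers.get("X-Forwarded-For", "")}


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        event = parse_beacon(self.path, self.headers, self.client_address[0])
        if event:
            print(json.dumps(event))  # in practice: forward to syslog / SIEM
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")  # every open fetches again
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # alerts go through print above, keep stderr quiet
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

A hit from an address outside the network the decoy share lives on is the signal that the file has left the building; an offline open produces no hit at all, which is the blind spot slide 47 describes.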
  • 48. Screwing with Attackers
    • Reverse Phishing and ‘Attacking Back’
    • A case study…
  • 57. More Tricks
    • Zip Bombs
      • http://unforgettable.dk - 42.zip
    • BeEF - Browser Exploitation Framework
      • http://beefproject.com/
    • USB Killer
      • http://kukuruku.co/hub/diy/usb-killer
    • Clippy!
      • http://www.irongeek.com/i.php?page=security/phpids-install-notes
  • 58. cat /dev/random | nc -nl 22
  • 60. Monitoring
    • Dedicated SOC - Security Operations Center
    • SIEM - Security Information Event Management
    • Correlate and Track Events
    • Evaluate Impact on the Real Environment
    • Measure Risk and Actively Respond to Threats
    • IDS, Network Flow Analysis, Firewalls, etc.
    • Configure once and it’s smooth sailing from there…
  • 61. Enterprise Threat Intelligence
    • Develop Context-Aware Threat Intelligence
    • Leverage knowledge gained from attackers to create IOCs and custom IDS and SIEM rules…
  • 63. Automating Response
    • Dynamic Honeypotting
    • Deploy PowerShell and Command Line Logging
      • http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist/25
  • 64. Automating Response
    • Google Rapid Response - GRR
      • https://github.com/google/grr
    • Netflix FIDO
      • https://github.com/Netflix/Fido
    • Kansa
      • https://github.com/davehull/Kansa
    • Power Forensics
      • https://github.com/Invoke-IR/PowerForensics
  • 65. PSRecon
    1 PowerShell Script
    Live Data Acquisition and Incident Response
    Integrates into Existing Security Processes
    Remote Forensic Acquisition
    Host and User Lockdown
    https://github.com/gfoss/PSRecon/
  • 68. Honeypot Dashboards
    • HoneyDrive3 comes complete with dashboards and enhancement scripts to display interesting data.
    • Kippo Graph
      • http://bruteforce.gr/kippo-graph
    • The Modern Honey Network - can also deploy!
      • https://threatstream.com/blog/mhn-modern-honey-network
    • LogRhythm SIEM - Honeypot Analytics Suite
  • 70. Works Cited & Recommended Reading
    • Strand, John, and Paul Asadoorian. Offensive Countermeasures: The Art of Active Defense. 2013.
    • Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014.
    • Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT ‘Noise’. Rockland, MA: Syngress, 2012.
    • Bodmer, Sean, et al. Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill, 2012.
  • 71. Thank You! Questions?
    https://github.com/gfoss/
    Greg Foss
    OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
    SecOps Lead / Sr. Researcher
    greg.foss[at]LogRhythm.com
    @heinzarelli