Honeypots for Active Defense



InfoSec analysts are all somewhat familiar with Honeypots. When they are given the proper attention, care and feeding, they produce invaluable information and can be a critical asset when it comes to defending the network. This intel has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor, right? Not exactly; when deployed and monitored properly, Honeypots and Honey Tokens are a simple way to alert on anomalous activity inside the network. But how can an organization that is not focused on research gain valuable threat intelligence using Honeypots and actively defend their network using indicators generated from an internal Honeynet?

The answer is Honeypots for Active Defense. There are currently many open source security tool distributions that come pre-loaded with Honeypots among other useful tools, however the Honeypot software is often not deployed in an effective manner. This session discusses techniques to leverage Honeypots in ways that will not overburden the security team with massive logs to sift through, and focuses effort on correlating active threat data observed in the Honeypots with the production environment. Deployed effectively, Honeypots give security analysts one additional mechanism to tip them off to nefarious activity within their network before they become the next headline.

Published in: Technology


1. Honeypots for Active Defense
A Practical Guide to Honeynets within the Enterprise
Greg Foss, SecOps Lead / Senior Researcher, @heinzarelli
2. # whoami
Greg Foss
SecOps Team Lead
Sr. Security Research Engineer
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
3. Traditional Defensive Concepts
• Maintain a tough perimeter
• Implement layered security controls
• Block known attacks and ban malicious IPs
• Create and enforce policy to discourage misuse
4. …cross our fingers
5. InfoSec Realities
• There is no magic security product that will protect you or your company. Period.
• It’s when, not if — there’s always a way in…
6. Not Just ‘APTs’
7. Active Defense
8. What is ‘Active Defense’?
• It all comes down to tipping the odds in our favor as defenders…
• Annoying the attacker
• Trapping them and wasting their time
• Gathering data and attempting attribution
• ‘Attacking back’
• Reducing MTTD and MTTR
• MTTD => Mean Time to Detect
• MTTR => Mean Time to Respond
9. Why Internal Honeypots?
• Easy to configure, deploy, and maintain
• Fly traps for anomalous activity
• They don’t even need to look legit once breached… just enough to raise a flag.
• You will learn a ton about your adversaries, information that will help in the future…
• *Honeypots are something to focus on after the basics have been taken care of.
10. Honeypot Use Cases
• Research: understand how attackers think, what works, what doesn’t, and what they are after.
• Defense: learn from the adversary and adapt… lay traps to catch subtle yet abnormal activities.
11. Defense
12. VMs
• ADHD (Active Defense Harbinger Distribution): http://sourceforge.net/projects/adhd/
• HoneyDrive 3: http://sourceforge.net/projects/honeydrive/
13. First things first…
• Honeypots and Active Defense come after baseline security controls are in place.
• Warning banners are critical and assist in the event prosecution is necessary / desired.
14. Types of Honeypots
• No Interaction
• Low Interaction
• Medium Interaction
• High Interaction
• Honey Tokens / Drives / Strings / Etc.
*Note: this is my interpretation, not necessarily ‘industry standard’.
15. No Interaction Honeypots
Primarily referred to as Honeyports: services that simply log and/or ban on a full TCP connect.
16. ‘No Interaction’ Honeyports
• Basic Honeyports
• Linux: netcat and iptables
• Windows: netcat and netsh
• Python and PowerShell options as well…
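The simplest honeyport, as an added example in Python; it is not the PowerShell or Artillery code the slides refer to. It accepts the connection, closes it without sending a byte, records a JSON line, and builds the iptables ban for the source. The allow-listed addresses, the log file name and the use of iptables as the banning mechanism are assumptions.

```python
"""'No interaction' honeyport: log every completed TCP connect, ban new sources once.

Added example for this page, not code from the talk. Assumptions: the ban is an iptables
DROP rule (Linux), the allow-list names hosts that may legitimately touch the port, and
the JSON-lines log is a local file.
"""
import ipaddress
import json
import socket
import subprocess
from datetime import datetime, timezone

# Sources never to ban: the vulnerability scanner and the SIEM collector (assumed addresses).
DEFAULT_ALLOW = [ipaddress.ip_network("10.10.10.5/32"), ipaddress.ip_network("10.10.10.6/32")]


def is_allowed(src, allow):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allow)


def ban_command(src):
    """iptables rule that drops every further packet from the source address."""
    return ["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"]


def decide(src, port, seen, allow=DEFAULT_ALLOW, dry_run=True):
    """Policy for one completed handshake: allow-listed, already seen, or ban now."""
    if is_allowed(src, allow):
        action = "allowlisted"
    elif src in seen:
        action = "repeat"  # seen before; outside a dry run this means the ban did not hold
    else:
        seen.add(src)
        action = "ban"
        if not dry_run:
            subprocess.run(ban_command(src), check=False)
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "honeyport": port,
        "src": src,
        "action": action,
    }


def open_listener(host, port):
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((host, port))
    lst.listen(16)
    return lst


def watch(listener, seen, allow=DEFAULT_ALLOW, dry_run=True):
    """Yield one record per accepted connection. Nothing is ever sent back: the port
    only witnesses the connect, so no legitimate client has a reason to reach it."""
    port = listener.getsockname()[1]
    while True:
        conn, (src, _) = listener.accept()
        conn.close()
        yield decide(src, port, seen, allow, dry_run)


if __name__ == "__main__":
    # Dry run on 2222; set dry_run=False (and run as root) to really insert the DROP rule.
    with open("honeyport.jsonl", "a") as log:
        for rec in watch(open_listener("0.0.0.0", 2222), set()):
            log.write(json.dumps(rec) + "\n")
            log.flush()
            print(json.dumps(rec))
```

accept() only returns after the three-way handshake completes, so a full-connect scan (nmap -sT) or any real client is logged, while a SYN scan (-sS) that resets after the SYN/ACK never reaches the honeyport; that is what "on full TCP connect" on slide 15 means in practice. Keep the allow-list short and explicit: the one address you do not want to ban is the vulnerability scanner, which will faithfully find every honeyport you deploy.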
17. Windows PowerShell Honeyports
18. Windows PowerShell Honeyports
19. Linux Honeyports
• Artillery — supports Windows too!
• https://www.trustedsec.com/downloads/artillery/
20. Artillery Logging
• Port scanning and/or illegitimate service access
• Local syslog, flat file, or remote syslog options
• IPs are added to the banlist and blocked locally via iptables
21. Artillery Logging Bonus!
• File Integrity Monitoring
22. Low Interaction Honeypots
Honeypots that serve up basic content and are not interactive once breached.
23. WordPot
• https://github.com/gbrindisi/wordpot
• Fake WordPress app, written in Python…
24. Fake phpMyAdmin
• https://github.com/gfoss/phpmyadmin_honeypot
• Simple fake phpMyAdmin ‘app’ that logs to flat files. This same approach can be applied to anything…
25. $any fake login panel
• Custom, but believable and hidden from normal users
• Can be used in ‘reverse phishing’ — discussed later…
26. $any fake login panel
• Logging attacker data is standard; what if you need evidence that is a bit more tangible…
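A fake login panel of the kind slides 24-26 describe, as an added WSGI example in Python; it is not the author's phpmyadmin_honeypot. The page markup is a constructed look-alike, the log path is assumed, and the X-Forwarded-For handling assumes the panel sits behind your own reverse proxy.

```python
"""Low-interaction fake login panel as a WSGI app: looks like a phpMyAdmin sign-in page,
logs every credential submitted with the source and User-Agent, and always answers with
phpMyAdmin's own failure text, so it never 'works' whatever is entered.

Added example; not the author's phpmyadmin_honeypot. Log path and mount path are assumed.
"""
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

LOG_PATH = "fake_login_attempts.jsonl"  # assumed location; point it where the SIEM collects

# Constructed look-alike page; copy markup from the real product for believability.
LOGIN_PAGE = """<!doctype html><html><head><title>phpMyAdmin</title></head><body>
<h1>Welcome to phpMyAdmin</h1>
<form method="post" action="index.php">
<label>Username: <input name="pma_username" type="text"></label><br>
<label>Password: <input name="pma_password" type="password"></label><br>
<input type="hidden" name="server" value="1"><input type="submit" value="Go">
</form></body></html>"""
ERROR_PAGE = LOGIN_PAGE.replace(
    "<form", '<p class="error">#1045 Cannot log in to the MySQL server</p><form')


def client_ip(environ):
    """Source address. X-Forwarded-For is trusted only because the panel is assumed to sit
    behind our own reverse proxy; drop that branch when it is exposed directly."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    return xff.split(",")[0].strip() if xff else environ.get("REMOTE_ADDR", "?")


def parse_form(environ):
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def attempt_record(environ, fields):
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": client_ip(environ),
        "ua": environ.get("HTTP_USER_AGENT", ""),
        "path": environ.get("PATH_INFO", ""),
        "user": fields.get("pma_username", ""),
        "password": fields.get("pma_password", ""),
    }


def append_jsonl(record, path=LOG_PATH):
    with open(path, "a") as fh:
        fh.write(json.dumps(record) + "\n")


def make_app(sink=append_jsonl):
    """sink(record) is called for every POST; the default appends to the JSON-lines file."""
    def app(environ, start_response):
        if environ.get("REQUEST_METHOD") == "POST":
            sink(attempt_record(environ, parse_form(environ)))
            page = ERROR_PAGE  # every attempt fails, exactly like a wrong password would
        else:
            page = LOGIN_PAGE
        body = page.encode("utf-8")
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return app


if __name__ == "__main__":
    # Serve on a path that is linked from nowhere; only scanners and crawlers will find it.
    make_server("0.0.0.0", 8080, make_app()).serve_forever()
```

Nothing links to the panel, so a hit is either a scanner or someone who found it by enumerating paths; the submitted credentials are the interesting part, because an attacker who has already harvested a real password tends to try it here. Write the log somewhere the SIEM collects from, and never make the page authenticate against anything real.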
27. Honeybadger
• https://bitbucket.org/LaNMaSteR53/honeybadger/
• Gain *true attribution on your adversaries…
28. Medium Interaction Honeypots
Interactive honeypots that resemble real services and provide limited functionality once breached.
29. Medium Interaction Honeypots
• TONS! But one of my favorites:
• https://github.com/desaster/kippo
• https://github.com/gfoss/kippo
• Simulates an SSH service…
30. Kippo
• Python SSH honeypot that is highly customizable, portable, and adaptable.
• Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real time.
• One of the more popular honeypots out there; as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious…
• When deploying externally, there is a risk of C2 servers maintaining persistent connections.
• Can be used as a pentest tool as well :-)
31. Kippo Alert Automation
https://github.com/gfoss/kippo/blob/master/replay-alert.sh
32. High Interaction Honeypots
Imitate real systems, or modify real hosts to act as honeypots, in order to verbosely log attacker activity and capture all network and related flow data.
33. Analysis Tools
• LogRhythm Network Monitor and SIEM
• Suricata IDS: http://suricata-ids.org/download/
• Bro IDS (now Zeek): https://www.bro.org/
• Cuckoo Sandbox: http://www.cuckoosandbox.org/
34. Routers and Switches
• ROMAN Hunter - Router Man Hunter
• http://sourceforge.net/projects/romanhunter/
• Configure a real AP as a honeypot
• Capture the MAC of an attacker that bypasses security
• Correlate the MAC and add it to an organizational blacklist…
35. High Interaction Warning!
• Deploying real systems / devices / services is dangerous and requires dedicated monitoring.
• Whenever hosts can actually be compromised there is huge risk if they are not monitored appropriately.
• Never use the organization’s gold-standard image for the honeypot.
• Segment these hosts from the production network!
36. Honey Tokens and Document Bugging
Tracking file access, modification, exfiltration, etc…
37. File Integrity Monitoring
38. Honey Tokens
• Use file integrity monitoring to track all interactions with files/folders/etc. of interest. Great for network shares.
• Not just files: this can be strings, drives, directories, etc.
• Any predefined item that will generate a log when accessed/modified/etc.
• Trivial to configure…
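Honey-token files with a baseline-and-diff integrity check, as an added example; the slides do not name the FIM product in use, and this is not it. The decoy file names and contents are constructed, and the share path and baseline location in the main block are assumptions.

```python
"""Plant decoy files on a share and detect any change to them with a hash baseline.

Added example, not the author's FIM setup. Decoy names/contents are constructed; the share
path and baseline file in the main block are assumed.
"""
import hashlib
import json
import os
from pathlib import Path

# Names nobody legitimate should ever touch. Contents are filler, not real secrets.
DECOYS = {
    "passwords.xlsx": b"placeholder - not a real spreadsheet\n",
    "vpn-accounts.txt": b"svc_backup:CHANGEME\n",
    "2015-bonus-plan.docx": b"placeholder\n",
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_decoys(root, decoys=DECOYS):
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name, data in decoys.items():
        (root / name).write_bytes(data)
    return sorted(decoys)


def snapshot(root):
    """Relative path -> {sha256, size, mtime} for every regular file under root."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            state[str(p.relative_to(root))] = {
                "sha256": sha256_of(p), "size": st.st_size, "mtime": st.st_mtime}
    return state


def compare(baseline, current):
    """Content decides 'modified'; an mtime change with identical content is reported
    separately as 'touched' (what a `touch`, or a copy back after reading, looks like)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, touched = [], []
    for name in sorted(set(baseline) & set(current)):
        if baseline[name]["sha256"] != current[name]["sha256"]:
            modified.append(name)
        elif baseline[name]["mtime"] != current[name]["mtime"]:
            touched.append(name)
    return {"added": added, "removed": removed, "modified": modified, "touched": touched}


def save_baseline(state, path):
    Path(path).write_text(json.dumps(state, indent=1))


def load_baseline(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    share = "/srv/share/Finance"              # assumed decoy location on the file share
    baseline_file = "/var/lib/fim/finance.json"  # assumed; keep it off the share itself
    if os.path.exists(baseline_file):
        print(json.dumps(compare(load_baseline(baseline_file), snapshot(share))))
    else:
        plant_decoys(share)
        save_baseline(snapshot(share), baseline_file)
```

Hashing catches edits, replacements and deletions; a file that was merely opened and copied off the share looks untouched, so for the "accessed" case on slide 38 you need the OS's own audit trail (auditd or an inotify IN_ACCESS watch on Linux, an object-access SACL on Windows) rather than a hash baseline. Run the comparison on a schedule and feed the diff to the SIEM as-is: a non-empty modified or removed list on a decoy is an alert, not a statistic.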
39. Document Bugging
• WebBug How To: http://ha.ckers.org/webbug.html
• WebBug Server: https://bitbucket.org/ethanr/webbugserver
• Bugged Files - Is your Document Telling on You? Daniel Crowley + Damon Smith: https://www.youtube.com/watch?v=co1gFikKLpA
40. Document Tracking
• Same tricks used by Marketing for years, normally for tracking emails.
• Why loading external images within email is risky…
41. Document Tracking
• Documents can be tracked in the same way as email / web.
• Automating the process… https://github.com/gfoss/misc/tree/master/Bash/webbug
42. Document Tracking Issues
• If the document is opened offline it will divulge information about the tracking service.
• *There is no telling how someone will react once it is discovered that they were being tracked…
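Per-recipient tracking tokens and a parser for the bug server's access log, covering the document bugging of slides 39-42, as an added example; it is not the author's webbug script nor the WebBug Server linked above. The tracker hostname, the HMAC key and the access-log lines are constructed.

```python
"""Document bugging: one tracking URL per (document, recipient), plus a parser that turns
the bug server's access log into 'who opened what, from where'.

Added example; not the author's webbug script or ethanr's WebBug Server. Tracker host,
HMAC key and log lines are constructed.
"""
import hashlib
import hmac
import re
from datetime import datetime
from urllib.parse import urlsplit

TRACKER = "https://cdn-assets.example.net"  # assumed bug server; a dull name draws less attention
KEY = b"rotate-this-key"                    # assumed; keeps tokens unguessable and unforgeable

# Apache/nginx 'combined' access log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def make_token(doc_id, recipient):
    """Deterministic per-document, per-recipient token. HMAC, so a token can neither be
    guessed nor altered to point the blame at someone else."""
    msg = f"{doc_id}|{recipient}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:20]


def bug_url(token):
    return f"{TRACKER}/static/{token}.png"


def html_bug(token):
    """1x1 image tag for an HTML mail or a document that allows remote image references."""
    return f'<img src="{bug_url(token)}" width="1" height="1" alt="">'


def register(docs):
    """docs: iterable of (doc_id, recipient) -> {token: (doc_id, recipient)}."""
    return {make_token(d, r): (d, r) for d, r in docs}


def parse_hits(lines, registry):
    """One dict per request to the bug server. Unknown tokens are kept and flagged: either a
    scanner, or a bugged file was opened offline and the URL fetched by hand."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = urlsplit(m["path"]).path.rsplit("/", 1)[-1]
        token = name[:-4] if name.endswith(".png") else name
        doc, who = registry.get(token, (None, None))
        hits.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "src": m["src"], "ua": m["ua"], "status": int(m["status"]),
            "doc": doc, "recipient": who, "known": token in registry,
        })
    return hits


if __name__ == "__main__":
    reg = register([("Q1-payroll.docx", "alice@corp.example")])
    for tok in reg:
        print(html_bug(tok))
```

One token per recipient is what makes the log attributable: two people received the same file, and the log says which copy was opened, when, and from where. An unknown token deserves a look on its own; besides scanners, it is what you see when someone found the URL inside a file opened offline (slide 42) and requested it by hand.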
43. Screwing with Attackers
• Reverse Phishing and ‘Attacking Back’
• A case study…
44. More Tricks
• Zip Bombs: http://unforgettable.dk - 42.zip
• BeEF - Browser Exploitation Framework: http://beefproject.com/
• USB Killer: http://kukuruku.co/hub/diy/usb-killer
• Clippy! http://www.irongeek.com/i.php?page=security/phpids-install-notes
45. cat /dev/random | nc -nl 22
46. ASCII Art Distraction
https://github.com/nitram509/ascii-telnet-server
47. Monitoring
• Dedicated SOC - Security Operations Center
• SIEM - Security Information and Event Management
• Correlate and track events
• Evaluate impact on the real environment
• Measure risk and actively respond to threats
• IDS, network flow analysis, firewalls, etc.
• Configure once and it’s smooth sailing from there…
48. Enterprise Threat Intelligence
• Develop context-aware threat intelligence
• Leverage knowledge gained from attackers to create IOCs and custom IDS and SIEM rules…
49. Event Correlation
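Correlating honeypot data with the production environment, the step slides 30-31 and 47-49 describe, as an added example in Python; it is not the author's replay-alert.sh or any LogRhythm content. The Kippo lines follow Kippo's text log format and the sshd lines follow a Linux auth.log; all of them are constructed, and the local Suricata SID range is an assumption.

```python
"""Honeypot observations -> production alerts and IDS rules.

Added example; not the author's replay-alert.sh or SIEM content. Kippo lines follow Kippo's
text log format, sshd lines follow a Linux auth.log, and every sample line is constructed.
The local SID range used for the Suricata rules is an assumption.
"""
import re

# Kippo: '<ts> [SSHService ssh-userauth on HoneyPotTransport,<n>,<src>] login attempt [user/pass] failed|succeeded'
# (a password containing ']' truncates the match; Kippo's own log line has the same ambiguity)
KIPPO_LOGIN = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)"
)
# Kippo: '... on HoneyPotTransport,<n>,<src>] CMD: <command typed in the fake shell>'
KIPPO_CMD = re.compile(r"HoneyPotTransport,\d+,(?P<src>[\d.]+)\] CMD: (?P<cmd>.*)$")
# sshd: 'Mar 10 12:01:09 web01 sshd[4321]: Accepted password for deploy from 203.0.113.9 port 51240 ssh2'
SSHD = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed honeypot log (Kippo format) and production auth log.
KIPPO_SAMPLE = [
    "2015-03-10 11:58:41+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.9:51201 (10.20.0.7:2222) [session: 3]",
    "2015-03-10 11:58:44+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [root/123456] failed",
    "2015-03-10 11:58:47+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [root/toor] succeeded",
    "2015-03-10 11:58:52+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.9] CMD: uname -a",
    "2015-03-10 12:03:10+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [admin/admin] failed",
]
SSHD_SAMPLE = [
    "Mar 10 12:01:02 web01 sshd[4321]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "Mar 10 12:01:09 web01 sshd[4321]: Accepted password for deploy from 203.0.113.9 port 51240 ssh2",
    "Mar 10 12:05:33 db01 sshd[7788]: Accepted publickey for backup from 10.20.0.12 port 40010 ssh2",
    "Mar 10 12:06:01 db01 sshd[7790]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2",
]


def honeypot_indicators(lines):
    """Source addresses, credential pairs and shell commands seen on the honeypot."""
    ind = {"ips": set(), "creds": set(), "commands": []}
    for line in lines:
        m = KIPPO_LOGIN.search(line)
        if m:
            ind["ips"].add(m["src"])
            ind["creds"].add((m["user"], m["pw"]))
            continue
        m = KIPPO_CMD.search(line)
        if m:
            ind["ips"].add(m["src"])
            ind["commands"].append((m["src"], m["cmd"]))
    return ind


def correlate(prod_lines, ind):
    """Every production sshd event from a honeypot-seen source becomes an alert; an accepted
    login outranks a failure because the attacker then holds working credentials."""
    alerts = []
    for line in prod_lines:
        m = SSHD.search(line)
        if m and m["src"] in ind["ips"]:
            alerts.append({
                "severity": "high" if m["result"] == "Accepted" else "medium",
                "ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"],
                "event": f"{m['result']} {m['method']}",
            })
    return alerts


def suricata_rules(ips, sid_base=9000001):
    """One 'alert ip' rule per source so the IDS flags any further traffic from it."""
    return [
        f'alert ip {ip} any -> $HOME_NET any (msg:"Honeypot-sourced address {ip}"; '
        f"classtype:bad-unknown; sid:{sid_base + i}; rev:1;)"
        for i, ip in enumerate(sorted(ips))
    ]


if __name__ == "__main__":
    ind = honeypot_indicators(KIPPO_SAMPLE)
    for a in correlate(SSHD_SAMPLE, ind):
        print(a)
    print("\n".join(suricata_rules(ind["ips"])))
```

Feed the honeypot log in first, then the production sshd logs. A Failed from a honeypot-seen address is reconnaissance reaching real hosts; an Accepted means the attacker has working credentials, which is exactly the MTTD the talk wants to cut. The generated rules hand the IDS the same list, so the next connection from that source alerts even if it never touches SSH.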
50. Automating Response
• Dynamic Honeypotting
• Deploy PowerShell and command line logging
• http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist/25
51. Automating Response
• GRR Rapid Response (Google): https://github.com/google/grr
• Netflix FIDO: https://github.com/Netflix/Fido
• Kansa: https://github.com/davehull/Kansa
• PowerForensics: https://github.com/Invoke-IR/PowerForensics
52. 1 PowerShell Script
• Live data acquisition and incident response
• Integrates into existing security processes
• Remote forensic acquisition
• Host and user lockdown
• https://github.com/gfoss/PSRecon/
53. Bringing it all together…
54. Honeypot Dashboards
• HoneyDrive 3 comes complete with dashboards and enhancement scripts to display interesting data.
• Kippo-Graph: http://bruteforce.gr/kippo-graph
• The Modern Honey Network (MHN) - can also deploy honeypots! https://threatstream.com/blog/mhn-modern-honey-network
• LogRhythm SIEM - Honeypot Analytics Suite
55. Works Cited & Recommended Reading
• Strand, John, and Paul Asadoorian. Offensive Countermeasures: The Art of Active Defense. 2013.
• Murdoch, Don W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. CreateSpace Independent Publishing, 2014.
• Chuvakin, Anton, Kevin Schmidt, and Christopher Phillips. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT ‘Noise’. Rockland, MA: Syngress, 2012.
• Bodmer, Sean, et al. Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill, 2012.
56. Thank You! Questions?
https://github.com/gfoss/
Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
SecOps Lead / Sr. Researcher
greg.foss[at]LogRhythm.com
@heinzarelli
