Honeypot Workshop

Transcript

1. [Honeypot Workshop] Johnny Vestergaard [email protected] PROSA, September 2014

2. [agenda] • Introduction. • Workshop checklist. • A bit of

   theory. • Workshop time • Kippo. • Conpot. • Beeswarm.

3. [the speaker] ! • Software engineer - daytime job. •

   Independent consultant - Crow Solutions. • Former military intelligence analyst within Electronic Warfare. • The Honeynet Project. • linkedin.com/in/johnnykv • github.com/johnnykv

4. [disclaimer] The views and opinions expressed in this presentation are

   the personal views of the speaker and do not necessarily reflect the views, policies or procedures of present or past employers. ! All information, tactics, techniques and procedures used or mentioned during this presentation are based solely on open and public accessible sources.

5. [the honeynet project] The Honeynet Project is a leading international

   501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

6. [workshop checklist] How may participated in the previous talk? Virtualbox

   installed Honeydrive up and running Virtual machine has connectivity - network bridged! http://ge.tt/api/1/files/2U5Rfzz1/0/blob?download conpot upgrade: git pull; sudo python setup.py install sudo pip install --upgrade cybox Write IP info on pad (WARNING): https://etherpad.mozilla.org/xxxx

7. [a bit of theory]

8. [case network] O

9. Defenders dilemma

10. Defenders dilemma vs. Intruders dilemma

11. Detect Respond

12. Deceive Detect Respond

13. [OODA] Observe Orient Decide Act

14. [OODA] Observe Orient Decide Act

15. [OODA] Observe Orient Decide Act Banner grabbing Study result -

    COA Choose COA Exploitation

16. [honeypots]

17. [definition] A honeypot is an information system resource whose value

    lies in unauthorized or illicit use of that resource. Lance Spitzner

18. [honeypot?] O Observe Orient Decide Act

19. Observe Orient Decide Act [honeypot?] SSH VPN

20. [kippo]

21. [kippo] • Secure Shell (SSH). • Offers fake Debian 5.0

    filesystem. • Playback of sessions. • Nice starter honeypot! • Developed by Upi Tamminen.

22. [session overview] 1. Setup and test core capabilities 2. Add

    more users and passwords 3. Add simple text command 4. Session playback 5. Kippo-graph 6. Utils ’n’ stuff

23. [kippo analysis] • Analysis by Jose Nazario • http://monkey.org/~jose/ honeynet/kippo/

    • Analysis by Andrea De Pasquale • http://bl.ocks.org/adepasquale/ raw/6571226/

24. [kippo analysis]

25. None

26. [ICS & Smartgrid]

27. [conpot] • ICS/Smartmeter honeypot. • Kamstrup, Modbus, HTTP, SNMP, S7Comm.

    • Easily modifiable, mixing protocols to adapt to reality. • How not do deploy: https://www.shodan.io/search?query=Mouser +Factory

28. [conpot] DHCP SSH ICS SMTP

29. [session overview] 1. Setup and test core capabilities. 2. Modify

    Siemens S7 template. 3. Using the Kamstrup template. 4. Modifying the Kamstrup template.

30. [beeswarm] • Simplifies honeypot deployment. • Management through web ui.

    • Active honeypots with bait traffic. • Detection over analytical details! • Currently in beta-stage.

31. [see a problem here?] DHCP SSH ICS SMTP

32. [beeswarm overview]

33. [session overview] 1. Setup and connect to management interface. 2.

    Adding and configuring Honeypot drones. 3. Adding and configuring Client drones. 4. Investigating the network.

34. [work work work] • Continue setup of honeypot of own

    choice. • Fix bugs, code away! • Potential discussion points: • Deployment strategies and risks. • Active vs. Passive security measures. • Involvement in The Honeynet Project
35. None