Introduction to deception technology

Transcript

1. Introduction to deception technology deceptions, honeypots and honeytokens Johnny Vestergaard

   April 2017

2. Agenda • Introduction • The state of affairs • Decision

   loop (OODA) • Honeypots • Honeytokens • What’s on the commercial side?

3. The speaker • Current ◦ Consultant, Danish National Police ◦

   Member, The Honeynet Project • Former ◦ Software engineer ◦ Military intelligence analyst • Online references ◦ linkedin.com/in/johnnykv ◦ github.com/johnnykv

4. Disclaimer (woho!) The views and opinions expressed in this presentation

   are the personal views of the speaker and do not necessarily reflect the views, policies or procedures of present or past employers. All information, tactics, techniques and procedures used or mentioned during this presentation are based solely on either open and publicly accessible sources and/or generated with the help of publicly available tools.

5. The Honeynet Project The Honeynet Project is a leading international

   501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

6. The Honeynet Project

7. No silver bullet

8. No silver bullet • Expanding the toolbox • Expanding our

   mindset • Upping the game

9. No silver bullet • Expanding the toolbox • Expanding our

   mindset • Upping the game

10. The state of affairs The threat from cyber espionage is

    VERY HIGH. The threat from cybercrime is VERY HIGH. Median time to discovery of an attack was 469 days after the initial compromise.

11. Attacker vs. Defender Attacker • Picks when and where. •

    Knows the target. • Adapts rapidly. • Not limited by law. • Fail? No problem, try again! Defender • Limited funds. • Static infrastructure ( ). • Adapts slowly ◦ tech, policy, staffing • Wide attack surface. • Limited knowledge about the opponent. • Fail? Start counting days...

12. Quote time! Success in war is obtained by anticipating the

    plans of the enemy, and by diverting his attention from our own designs. Francesco Guicciardini Never attempt to win by force what can be won by deception. Niccolo Machiavelli

13. Task Force Troy 460 becomes 10.000

14. Pearl Harbour, 1941

15. A few houses on the outskirts of town

16. Lockheed Martin factory, 1942

17. Lockheed Martin factory, 1942

18. Deception in sports

19. Deception in IT security? Traditionally not so much...

20. The OODA loop Observe Act Orient Decide

21. The OODA loop Observe Act Orient Decide Proactive Reactive

22. The OODA loop Observe Act Orient Decide Cases • Initial

    Compromise ◦ Perimeter boxes ◦ Triggers • Internal recon ◦ Fake infrastructure documents ◦ Soft boxes, easy targets • Data exfiltration ◦ “Call backs” (link, token, etc) ◦ Misinformation

23. Honeypots

24. Honeypots, basics An information system resource whose value lies in

    unauthorised or illicit use of that resource Lance Spitzner

25. Honeypots, basics

26. Honeypots, basics SERVICE User Attackers Probing

27. Honeypots, basics Real Service ?

28. Honeypots, basics Real Service Honeypot Nov 23 20:31:12 server sshd[15798]:

    Connection from 188.124.3.41 port 32889 Nov 23 20:31:14 server sshd[15798]: Failed password for Joe from 188.124.3.41 port 32889 ssh2 Nov 23 20:31:14 server sshd[29323]: Received disconnect from 188.124.3.41: 11: Bye Bye Nov 23 22:04:56 server sshd[25438]: Connection from 21.54.81.233 port 45196 Nov 23 22:04:58 server sshd[25438]: Failed password for Joe from 200.54.84.233 port 45196 ssh2 Nov 23 22:04:58 server sshd[30487]: Received disconnect from 200.54.84.233: 11: Bye Bye Nov 23 22:04:59 server sshd[21358]: Connection from 123.54.84.233 port 45528 Nov 23 22:05:01 server sshd[21358]: Failed password for root from 200.54.84.233 port 45528 ssh2 Nov 23 22:05:01 server sshd[2624]: Received disconnect from 200.54.84.233: 11: Bye Bye Nov 23 23:31:12 server sshd[15798]: Connection from 199.124.3.41 port 32889 Nov 23 23:31:14 server sshd[15798]: Failed password for root from 188.124.3.41 port 32889 ssh2 Nov 23 23:31:11 server sshd[29323]: Received disconnect from 188.124.3.41: 11: Bye Bye Nov 23 23:04:56 server sshd[25438]: Connection from 100.54.84.223 port 45111 ... 2016-03-12 20:35:02.258198,192.168.2.129,51551,23,telnet,Joe,Joe123 2016-03-12 20:35:09.658593,192.168.2.129,51551,23,telnet,root,P@SSw0rd123 2016-03-18 19:31:38.064700,192.168.2.129,53416,22,ssh,dhcp,M@MS3 Users Attackers Legit probing

29. Honeypots, deployment Real Service Perimeter

30. Honeypots, external deployment Real Service Honeypot Perimeter

31. Honeypots, internal deployment Real Service Honeypot Perimeter

32. High interaction vs Low interaction honeypots High Interaction • Real

    system • Applied monitoring • High maintenance • High risk Low Interaction • Scripted or emulated • Low maintenance • Low risk

33. Cowrie (formerly known as Kippo) • Secure Shell (SSH) •

    Low interaction • Python based • Maintained by Michel Oosterhof ◦ Original work by Upi Tamminen

34. Cowrie Replay of three attacks, recorded by a member from

    The Honeynet Project.

35. Cowrie, results and logs

36. Lyrebird • High-interaction honeypot framework • MiTM between attacker and

    honeypot • Decrypts and decodes SSH traffic • Utilizes docker for ease of deployment • Based on mitmproxy • Developed by Maximilian Hils

37. Lyrebird Linux (Docker container) Attacker Shared docker network interface Transparent

    proxy (SSH decoding) Secret SSH key

38. Heralding A honeypot developed to answer the following questions: •

    Which protocols does my adversary try to brute-force? • Which username and password did he use? • At which speed did he brute-force? • From where did he proxy from? • What time of day did he brute-force?

39. Heralding, preliminary results from deployment • 4 Heralding instances deployed

    ◦ Amazon, Digital Ocean, Meebox, End-user box • Setup deployed for 118 days

40. Heralding, preliminary results from deployment • 4 Heralding instances deployed

    ◦ Amazon, Digital Ocean, Meebox, End-user box • Setup deployed for 118 days • 5.355.702 login attempts • 37501 unique IP addresses • 18176 unique usernames • 153747 unique passwords

41. Heralding, demo Demo time!

42. Conpot

43. Conpot $ conpot -t kamstrup_382 _ ___ ___ ___ ___

    ___| |_ | _| . | | . | . | _| |___|___|_|_| _|___|_| |_| Version 0.5.1 MushMush Foundation

44. Conpot $ python kamstrup.py 10.4.1.18 Energy in 7183.3 kWh Energy

    in hi-res 7183.3212 kWh Voltage p1 228.0 V Voltage p2 229.0 V Current p1 5.11 A Current p2 4.22 A Power p1 1.0 kW Power p2 5.499 kW

45. Conpot, demo Demo of kamstrup management interface

46. $ telnet 10.4.1.18 50100 Connected to 10.4.1.254. Escape character is

    '^]'. Welcome... Connected to [00:13:EA:00:00:00] ============================ Service Menu ============================ H: Help [cmd]. !AC: Access control. !GC: Get Config. !GV: Software version. !SA: Set KAP Server IP and port (*1). !RC: Request connect !SC: Set Config (*1). < - CUT -> ============================ Kamstrup (R)

47. Honeytokens

48. None

49. Honeytokens, example Real Service ? admin jamie john

50. Honeytokens, example Username Hash Plaintext admin 47e18907ce4b86e7e7089a155d64478d ????????????? jamie b3f30120cfad444632a39ab69f0019eb

    ????????????? john e10adc3949ba59abbe56e057f20f883e ?????????????

51. Honeytokens, example Username Hash Plaintext admin 47e18907ce4b86e7e7089a155d64478d ????????????? jamie b3f30120cfad444632a39ab69f0019eb

    ????????????? john e10adc3949ba59abbe56e057f20f883e 123456

52. Honeytokens, example 1 Real Service ? System log • 21:00

    admin login (OK) • 21:10 jamie login (OK) • 21:12 ollie login (OK) • 21:50 john login (ALERT!)

53. Honeytokens, endpoint placement • Browser cache • SAM database •

    /etc/passwd • Hidden user • Cached credentials (third party) • Callbacks

54. Honeytokens, placement • Unpublished shares (detect pickup) • Normal shares

    • Documents with service bait

55. Honeytokens, in transit

56. Honeybits • Cool feature: Cloud traps. • Note: Not tried

    it for myself yet! • Developed by Adel Karimi • https://github.com/0x4D31/honeybits

57. Commercial Side • DeceptionGrid (TrapX) • Deceptions Everywhere (Illusive Networks)

    • MazeRunner (Cymmetria) • ThinkstCanary (Thinkst)

58. A closer look at MazeRunner from Cymmetria Note: Since I

    don’t have much operational experience using MazeRunner, I can’t make any recommendations in regards to the product. But what makes MazeRunner stand out, is that Cymmetria offers a free community edition! That enables YOU to test the product.

59. MazeRunner, overview

60. MazeRunner, setting up a honeytoken

61. MazeRunner, attackers view

62. MazeRunner, alerts

63. Recap!

64. Getting more information github.com/paralax/awesome-honeypots by Jose Nazario … and also

    feel free to mail me questions!

65. Contact information Johnny Vestergaard [email protected] linkedin.com/in/johnnykv github.com/johnnykv