
Introduction to deception technology


Johnny Vestergaard

April 25, 2017


Transcript

1. Agenda
• Introduction
• The state of affairs
• Decision loop (OODA)
• Honeypots
• Honeytokens
• What’s on the commercial side?
2. The speaker
• Current
  ◦ Consultant, Danish National Police
  ◦ Member, The Honeynet Project
• Former
  ◦ Software engineer
  ◦ Military intelligence analyst
• Online references
  ◦ linkedin.com/in/johnnykv
  ◦ github.com/johnnykv
3. Disclaimer (woho!)
The views and opinions expressed in this presentation are the personal views of the speaker and do not necessarily reflect the views, policies or procedures of present or past employers. All information, tactics, techniques and procedures used or mentioned during this presentation are based solely on open and publicly accessible sources and/or were generated with the help of publicly available tools.
4. The Honeynet Project
The Honeynet Project is a leading international 501(c)(3) non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.
5. The state of affairs
• The threat from cyber espionage is VERY HIGH.
• The threat from cybercrime is VERY HIGH.
• Median time to discovery of an attack was 469 days after the initial compromise.
6. Attacker vs. Defender
Attacker
• Picks when and where.
• Knows the target.
• Adapts rapidly.
• Not limited by law.
• Fail? No problem, try again!
Defender
• Limited funds.
• Static infrastructure.
• Adapts slowly
  ◦ tech, policy, staffing
• Wide attack surface.
• Limited knowledge about the opponent.
• Fail? Start counting days...
7. Quote time!
“Success in war is obtained by anticipating the plans of the enemy, and by diverting his attention from our own designs.” Francesco Guicciardini
“Never attempt to win by force what can be won by deception.” Niccolò Machiavelli
8. The OODA loop
Observe → Orient → Decide → Act
Cases
• Initial compromise
  ◦ Perimeter boxes
  ◦ Triggers
• Internal recon
  ◦ Fake infrastructure documents
  ◦ Soft boxes, easy targets
• Data exfiltration
  ◦ “Call backs” (link, token, etc.)
  ◦ Misinformation
9. Honeypots, basics
“An information system resource whose value lies in unauthorised or illicit use of that resource.” Lance Spitzner
10. Honeypots, basics
Real service (sshd log):
Nov 23 20:31:12 server sshd[15798]: Connection from 188.124.3.41 port 32889
Nov 23 20:31:14 server sshd[15798]: Failed password for Joe from 188.124.3.41 port 32889 ssh2
Nov 23 20:31:14 server sshd[29323]: Received disconnect from 188.124.3.41: 11: Bye Bye
Nov 23 22:04:56 server sshd[25438]: Connection from 21.54.81.233 port 45196
Nov 23 22:04:58 server sshd[25438]: Failed password for Joe from 200.54.84.233 port 45196 ssh2
Nov 23 22:04:58 server sshd[30487]: Received disconnect from 200.54.84.233: 11: Bye Bye
Nov 23 22:04:59 server sshd[21358]: Connection from 123.54.84.233 port 45528
Nov 23 22:05:01 server sshd[21358]: Failed password for root from 200.54.84.233 port 45528 ssh2
Nov 23 22:05:01 server sshd[2624]: Received disconnect from 200.54.84.233: 11: Bye Bye
Nov 23 23:31:12 server sshd[15798]: Connection from 199.124.3.41 port 32889
Nov 23 23:31:14 server sshd[15798]: Failed password for root from 188.124.3.41 port 32889 ssh2
Nov 23 23:31:11 server sshd[29323]: Received disconnect from 188.124.3.41: 11: Bye Bye
Nov 23 23:04:56 server sshd[25438]: Connection from 100.54.84.223 port 45111
...
Honeypot (credential log):
2016-03-12 20:35:02.258198,192.168.2.129,51551,23,telnet,Joe,Joe123
2016-03-12 20:35:09.658593,192.168.2.129,51551,23,telnet,root,P@SSw0rd123
2016-03-18 19:31:38.064700,192.168.2.129,53416,22,ssh,dhcp,M@MS3
[Slide annotations on the real-service log: Users, Attackers, Legit probing. On the honeypot there are no legitimate users, so every line is either an attacker or probing.]
11. High interaction vs. low interaction honeypots
High interaction
• Real system
• Applied monitoring
• High maintenance
• High risk
Low interaction
• Scripted or emulated
• Low maintenance
• Low risk
12. Cowrie (formerly known as Kippo)
• Secure Shell (SSH)
• Low interaction
• Python based
• Maintained by Michel Oosterhof
  ◦ Original work by Upi Tamminen
13. Lyrebird
• High-interaction honeypot framework
• MITM between attacker and honeypot
• Decrypts and decodes SSH traffic
• Utilizes Docker for ease of deployment
• Based on mitmproxy
• Developed by Maximilian Hils
14. Heralding
A honeypot developed to answer the following questions:
• Which protocols does my adversary try to brute-force?
• Which usernames and passwords did he use?
• At which speed did he brute-force?
• Where did he proxy from?
• What time of day did he brute-force?
15. Heralding, preliminary results from deployment
• 4 Heralding instances deployed
  ◦ Amazon, Digital Ocean, Meebox, End-user box
• Setup deployed for 118 days
16. Heralding, preliminary results from deployment (continued)
• 5,355,702 login attempts
• 37,501 unique IP addresses
• 18,176 unique usernames
• 153,747 unique passwords
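The questions on slide 14 are all answered by post-processing the honeypot's credential log, which has the shape of the CSV lines quoted on slide 10. Below is an added analysis example written for this page; it is not part of the deck and not Heralding's own code. The column layout (timestamp, source IP, source port, destination port, protocol, username, password) is inferred from the slide's lines and is an assumption; a given Heralding version's log_auth.csv may carry more columns, so FIELDS must be adjusted to match. The log lines are constructed, not real capture data.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real capture data) in the column layout
# inferred from the honeypot log quoted on slide 10. Heralding's own
# log_auth.csv may carry additional columns; adjust FIELDS to match.
SAMPLE_LOG = """\
2016-03-12 20:35:02.258198,192.168.2.129,51551,23,telnet,Joe,Joe123
2016-03-12 20:35:09.658593,192.168.2.129,51551,23,telnet,root,P@SSw0rd123
2016-03-12 20:35:11.100000,192.168.2.129,51552,23,telnet,admin,admin
2016-03-12 20:35:12.400000,192.168.2.129,51553,23,telnet,root,123456
2016-03-12 20:35:13.900000,192.168.2.129,51554,23,telnet,root,toor
2016-03-18 19:31:38.064700,192.168.2.129,53416,22,ssh,dhcp,M@MS3
2016-03-18 03:12:00.000000,10.9.8.7,40001,22,ssh,root,root
2016-03-18 03:12:00.500000,10.9.8.7,40002,22,ssh,root,password
2016-03-18 03:12:01.000000,10.9.8.7,40003,22,ssh,admin,admin
2016-03-18 03:12:01.500000,10.9.8.7,40004,22,ssh,pi,raspberry
2016-03-19 11:00:00.000000,10.9.8.7,40100,5900,vnc,,secret
"""

FIELDS = ["timestamp", "src_ip", "src_port", "dst_port", "protocol", "username", "password"]


def parse_log(text):
    """Parse CSV credential-log text into a list of dicts with real datetimes."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S.%f")
        rows.append(rec)
    return rows


def summarize(rows):
    """Which protocols, which credentials, which usernames, and at what hour of day."""
    return {
        "by_protocol": Counter(r["protocol"] for r in rows),
        "credentials": Counter((r["username"], r["password"]) for r in rows),
        "usernames": Counter(r["username"] for r in rows),
        "hours": Counter(r["timestamp"].hour for r in rows),
    }


def bursts(rows, gap_seconds=60):
    """Brute-force speed per source.

    Attempts from one source IP are split into bursts wherever the idle gap
    exceeds gap_seconds; each burst with two or more attempts is reported as
    (src_ip, attempts, attempts_per_second). Measuring over the whole log
    instead would average a few seconds of hammering against days of silence.
    """
    per_src = defaultdict(list)
    for r in rows:
        per_src[r["src_ip"]].append(r["timestamp"])
    out = []
    for ip, ts in per_src.items():
        ts.sort()
        start, prev, n = ts[0], ts[0], 1
        for t in ts[1:] + [None]:  # the trailing None flushes the last burst
            if t is None or (t - prev).total_seconds() > gap_seconds:
                if n >= 2:
                    span = (prev - start).total_seconds()
                    out.append((ip, n, n / span if span > 0 else float("inf")))
                if t is not None:
                    start, n = t, 1
            else:
                n += 1
            if t is not None:
                prev = t
    return out


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    s = summarize(rows)
    print("protocols:", s["by_protocol"].most_common())
    print("top credentials:", s["credentials"].most_common(3))
    print("attempts per hour of day:", sorted(s["hours"].items()))
    for ip, n, rate in bursts(rows):
        print(f"{ip}: {n} attempts at {rate:.2f}/s")
```

The "where did he proxy from" question is not answerable from these columns alone; it needs the source IP joined against external data (ASN, known proxy and Tor exit lists), which is outside this example.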
17. Conpot
$ conpot -t kamstrup_382
[Conpot ASCII-art banner]
Version 0.5.1
MushMush Foundation
18. Conpot
$ python kamstrup.py 10.4.1.18
Energy in          7183.3 kWh
Energy in hi-res   7183.3212 kWh
Voltage p1         228.0 V
Voltage p2         229.0 V
Current p1         5.11 A
Current p2         4.22 A
Power p1           1.0 kW
Power p2           5.499 kW
19. $ telnet 10.4.1.18 50100
Connected to 10.4.1.254.
Escape character is '^]'.
Welcome...
Connected to [00:13:EA:00:00:00]
============================
Service Menu
============================
H: Help [cmd].
!AC: Access control.
!GC: Get Config.
!GV: Software version.
!SA: Set KAP Server IP and port (*1).
!RC: Request connect
!SC: Set Config (*1).
< - CUT ->
============================
Kamstrup (R)
20. Honeytokens, example 1
Real service, system log:
• 21:00 admin login (OK)
• 21:10 jamie login (OK)
• 21:12 ollie login (OK)
• 21:50 john login (ALERT!)
john is a decoy account with no legitimate user, so any authentication against it is an alert rather than an event to triage.
21. Honeytokens, endpoint placement
• Browser cache
• SAM database
• /etc/passwd
• Hidden user
• Cached credentials (third party)
• Callbacks
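Slide 20 shows the detection and slide 21 the placement; the two meet in the alerting logic, added here as an example written for this page (not from the deck and not from any tool it mentions). It scans sshd-style auth lines of the kind quoted on slide 10 for decoy accounts. The decoy names, the placement labels and the log lines are constructed assumptions; mapping one decoy per placement is this example's design choice so that the alert also says which store the credential was harvested from.

```python
import re
from dataclasses import dataclass

# Decoy accounts and where each was planted. Names and placement labels are
# this example's assumptions, modelled on the slide's placement list; one
# decoy per placement lets an alert say which cache was harvested.
HONEYTOKEN_ACCOUNTS = {
    "john": "hidden user in /etc/passwd",
    "svc_backup": "cached credential in a third-party tool",
    "it-support": "credential planted in browser cache",
}

# OpenSSH auth-log shape, as in the sshd lines quoted on slide 10.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass
class Alert:
    ts: str
    user: str
    ip: str
    result: str
    placement: str


def parse_auth_line(line):
    """Return the fields of an sshd Accepted/Failed line, or None for any other line."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def detect_honeytoken_use(lines, decoys=HONEYTOKEN_ACCOUNTS):
    """Alert on any authentication attempt, successful or not, against a decoy.

    A decoy account has no legitimate user, so a failed attempt already shows
    the name was harvested; a success shows the planted password was too.
    Real accounts (admin, jamie, ollie on the slide) pass through silently.
    """
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in decoys:
            continue
        alerts.append(Alert(ev["ts"], ev["user"], ev["ip"], ev["result"], decoys[ev["user"]]))
    return alerts


# Constructed log lines mirroring the slide's 21:00 / 21:10 / 21:12 / 21:50 sequence.
SAMPLE_AUTH_LOG = [
    "Nov 23 21:00:11 server sshd[4101]: Accepted publickey for admin from 10.1.1.20 port 50111 ssh2",
    "Nov 23 21:10:42 server sshd[4188]: Accepted password for jamie from 10.1.1.31 port 50230 ssh2",
    "Nov 23 21:12:05 server sshd[4203]: Accepted password for ollie from 10.1.1.33 port 50244 ssh2",
    "Nov 23 21:49:58 server sshd[4377]: Failed password for john from 10.1.1.77 port 50902 ssh2",
    "Nov 23 21:50:03 server sshd[4377]: Accepted password for john from 10.1.1.77 port 50902 ssh2",
    "Nov 23 22:02:17 server sshd[4410]: Failed password for invalid user oracle from 10.1.1.77 port 51002 ssh2",
    "Nov 23 22:05:00 server sshd[4410]: Received disconnect from 10.1.1.77: 11: Bye Bye",
]

if __name__ == "__main__":
    for a in detect_honeytoken_use(SAMPLE_AUTH_LOG):
        print(f"ALERT {a.ts} {a.result} login as decoy '{a.user}' from {a.ip} "
              f"(planted as: {a.placement})")
```

Because the decoy list is keyed by account name, the same detector works unchanged against any log source that yields a username and a result; only the regex is sshd-specific. Keep the decoy list itself off the monitored hosts, or an attacker who reads it learns which accounts to avoid.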
22. Honeybits
• Cool feature: Cloud traps.
• Note: Not tried it for myself yet!
• Developed by Adel Karimi
• https://github.com/0x4D31/honeybits
23. A closer look at MazeRunner from Cymmetria
Note: Since I don’t have much operational experience using MazeRunner, I can’t make any recommendations with regard to the product. But what makes MazeRunner stand out is that Cymmetria offers a free community edition! That enables YOU to test the product.