![Chris Sanders
“[Practical Packet Analysis] gives you everything you need, step by step, to become
proficient in packet analysis. I could not find a better book.”
“[Applied NSM] should be required reading for all intrusion analysts and those
looking to develop a security monitoring program.”
– Amazon Reviewers](https://image.slidesharecdn.com/issa-canaryhoneypotsfornsm-141121071518-conversion-gate01/85/Using-Canary-Honeypots-for-Network-Security-Monitoring-3-320.jpg)
![Honeyd Alerting
alert ip !$TRUSTED_MS_HOSTS any
->$MS_HONEYPOT_SERVERS [135,139,445]
(msg:“Attempted Communication with
Windows Honeypot on MS Ports”;
sid:5000000; rev:1;)](https://image.slidesharecdn.com/issa-canaryhoneypotsfornsm-141121071518-conversion-gate01/85/Using-Canary-Honeypots-for-Network-Security-Monitoring-33-320.jpg)
Using Canary Honeypots for Network Security Monitoring
- 1. Deceive to Detect: Using Canary Honeypots for Network Security Monitoring Chris Sanders Charleston ISSA November 2014
- 2. Chris Sanders • Christian & Husband • Kentuckian and South Carolinian • MS, GSE, et al. • Non-Profit Director • BBQ Pit Master
- 3. Chris Sanders “[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.” “[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” – Amazon Reviewers
- 4. Outline Objectives: Traditional Honeypots Canary Honeypot Architecture Honeypot Platforms • Honeyd • Kippo • Tom’s Honeypot • Honeydocs “How can I use honeypots as an effective part of my detection strategy?”
- 5. ***Disclaimer*** • Tactics in this presentation may be controversial, depending on your viewpoint. • Only orgs with mature security programs should attempt the use of canary honeypots. • Any time you invite an attacker to dance, you might get your feet stepped on.
- 6. Traditional Honeypot Design • Intentionally Vulnerable System • Designed to Mimic Real Services • Easily Compromised
- 8. Traditional Honeypot Uses • Specific Research Purposes • Tracking Unstructured Threats – Commodity Malware – Opportunistic Attackers • Vaguely Useful for Building Basic Threat Intel No Current Significant Production Value
- 9. How can honeypots be useful for operational purposes?
- 10. US Information Ops Doctrine • US DoD JP 3-13 IO Capabilities* – Detect – Deny – Disrupt – Degrade – Destroy – Deceive * More commonly applied as the Cyber Kill Chain
- 11. Let’s Take Honeypots Farther…
- 12. Kentucky is Coal Country
- 13. Coal Mining is Hard
- 14. Coal Mining is Dangerous
- 15. Canaries for Methane Detection
- 16. Enter Canary Honeypots • Deceive to Detect • Honeypots for Detection 1. Placed Inside the Network 2. Mimic Existing Systems 3. Detailed Alerting & Logging Nobody Should Ever Talk to a Honeypot
- 17. Making the Case • How do you detect a malicious user logging in to a Windows system? – Multiple Failed Logins – Weird External IP Address – IP Heuristics and Trending • What if the malicious user logs in from another compromised system using legitimate credentials?
- 18. Honeypots in the Attack Life Cycle
- 20. High vs. Low Interaction • High Interaction... – Real Operating System – Real Services – Locked Down – Detailed Logging • Low Interaction… – Software-Based – Mimics Real Services – Fake Environments – Limited Logging * Some honeypots call themselves “medium” interaction, but these are still basically low interaction.
- 21. Exploitable vs. Non-Exploitable • Exploitable... – Mimic Services – Contain Vulnerabilities – Designed to be Compromised – Compromises are Monitored • Non-Exploitable... – Mimic Services – No Vulnerabilities – Any Interaction is Monitored
- 22. Canary Honeypot Architecture 1. Identify the Devices or Services to be Mimicked 2. Determine Honeypot Placement 3. Develop Alerting and Logging Capabilities
- 23. Identify Devices/Services to Mimic • All About Risk - What is your biggest fear? • How would attackers exploit that? • Mimic critical services and components. – Confidentiality – File Server (SSH?) – Integrity – Database Server (SQL?) – Availability – Web Server (HTTP?)
- 24. Determine Honeypot Placement • Close to the Asset Being Mimicked • Ability to Transmit Logs • Limit Communication of High Interaction Honeypots (***IMPORTANT***)
- 25. Determine Honeypot Placement (cont.)
- 26. Develop Alerting and Logging • Logging – High Interaction – OS Logs, HIDS – Low Interaction – Software Logs – Network – PCAP, Flow, etc • Alerting – IDS Signatures – alert tcp any any -> $HONEYPOT 22 (msg:”Communication with SSH Honeypot”; sid:12345; rev:1;)
- 28. Honeyd • The father of honeypots • Developed by Neil Provos 10+ years ago • Low Interaction • Can mimic operating systems and services • Capable of spinning up thousands of honeypot instances
- 29. Honeyd Config create default set default default tcp action block set default default udp action block set default default icmp action block create ansm_winserver_1 set ansm_winserver_1 personality “Microsoft Windows Server 2003 Standard Edition”
- 30. Honeyd Config (cont.) add ansm_winserver_1 tcp port 135 open add ansm_winserver_1 tcp port 139 open add ansm_winserver_1 tcp port 445 open set ansm_winserver_1 ethernet “d3:ad:b3:3f:11:11” bind 172.16.16.202 ansm_winserver_1
- 31. Running Honeyd • Running Honeyd sudo honeyd –d –f /etc/honeypot/ansm.conf • Scan Results
- 32. Honeyd Logging
- 33. Honeyd Alerting alert ip !$TRUSTED_MS_HOSTS any ->$MS_HONEYPOT_SERVERS [135,139,445] (msg:“Attempted Communication with Windows Honeypot on MS Ports”; sid:5000000; rev:1;)
- 34. Extended Service Emulation • Emulate an ISS Web Server add ansm_winserver_1 tcp port 80 “sh /usr/share/honeyd/scripts/win32/ web.sh”
- 35. Kippo SSH Honeypot • Low Interaction SSH Honeypot • Provides a Fake File System • Detailed Logging and Replay • Written in Python
- 36. Kippo Demo
- 37. Kippo Alerting alert tcp $HONEYPOT_SERVERS $SSH_PORTS ->any any (msg:“ET POLICY SSH Server Banner Detected on Expected Port – Honeypot System”; flow: from_ server,established; content:“SSH-”; offset: 0; depth: 4; byte_test: 1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,1⁄ 4,46,1, relative; reference:url,doc.emergingthreats.net/2001973; classtype: misc-activity; sid:2001973; rev:8;) alert tcp any any <> $HONEYPOT_SERVERS $SSH_PORTS (msg:“ET POLICY SSH session in progress on Expected Port – Honeypot System”; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emerging- threats.net/2001978; classtype:misc-activity; sid:2001978; rev:7;)
- 38. Tom’s Honeypot • Developed by Tom Liston of InGuardians • Low Interaction Multi-Protocol Honeypot • Emulates RDP, VNC, Radmin, MSSQL, SIP • Written in Python • http://labs.inguardians.com/tomshoneypot
- 39. Tom’s Honeypot – RDP
- 40. Tom’s Honeypot – More
- 41. Honeydocs • Documents designed to “phone home” when opened. • Placed with/near other critical documents • Honeydocs should never be opened • Provides alerting when documents are exfiltrated
- 45. MHN: Modern Honey Network • Centralized Management • Web Interface w/ RESTful API • http://threatstream.github.io/mhn/
- 46. Conclusion • Honeypots aren’t just for research! • They can be useful for intrusion detection. • Great care should be taken when deploying honeypots inside the network perimeter. • Multiple useful tools already exist.
- 47. Thank You! E-Mail: [email protected] Twitter: @chrissanders88 Blog: http://www.chrissanders.org Book Blog: http://www.appliednsm.com Testimony: http://www.chrissanders.org/mytestimony