Honeypots - The Art of Building Secure Systems by Making them Vulnerable

15th of January 2014, Talks #32

Andrei Avădănei, President of Cyber Security Research Center from Romania

http://ccsir.org


Summary

1. Short bio

2. Into the Honeypots world..

3. Why should you care?

4. Types of Honeypots

5. Examples

6. Resources & References

7. Questions?


1. Short bio

President at CCSIR

Founder and coordinator of DefCamp

Blogger @worldit.info

Speaker at Talks #1 :>

Ambassador of Talks by Softbinator

Proof:

… and others.


2. Into the Honeypots world..

"A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems." [1]

"A honeypot is a security resource whose value lies in being probed, attacked or compromised" [2]

- often, honeypot features are found in IDS products

- it's just another layer of security


3. Why should you care?

- collect little data, but of high value

- usually no resource exhaustion

- no fancy algorithm to develop, no signature databases to maintain, no rule base to misconfigure

- has a good return on investment if your setup is properly configured

- prevent attacks before they really happen

- catch 0day (malware and attacks)

-> better security


4. Honeypot types #1 – by environment

Production – one used within an organization's environment to help mitigate risk. Ex: kippo, honeyd, bubblegum, specter.

- distraction

- detect internal threats

- security assessment

Research – adds value to research in computer security by providing a platform to study the threat. Ex: Honeywall, Sombria, Sebek

- discover new attacks

- understand the blackhat community

- help build better defenses against threats


4. Honeypot types #2 – by interaction

1. Low-interaction – honeyd, kfsensor

2. Medium-interaction – kippo, specter

3. High-interaction – Honeynet

- full environments/architecture

- maybe both defensive and offensive interaction [3]


5. Examples

Case study #1 – Softbinator.ro

- change the default ssh port and install kippo as a honeypot

- they run on WP, so they should fake some WP plugin versions

- add some fake configs pointing to an FTP (or other service) that is logged

- create a folder that can be brute forced, holding a vulnerable script that is reverse proxied to another server/VM

- log all of this in a fancy dashboard

- you can block requests automatically with iptables if you are sure that nobody should be there

Estimated implementation time: <= 24-48 hours.
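The logging and automatic-blocking steps above, sketched as an added example (not code from the talk). The decoy paths, the allowlist and the sample log lines are constructed assumptions; the script only renders iptables commands for review and executes nothing.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical decoy paths: nothing legitimate links to them, so any hit is suspect.
DECOY_PREFIXES = ("/backup-old/", "/wp-content/plugins/fake-gallery/")
# Constructed allowlist: sources that must never be blocked (monitoring, admins).
ALLOWLIST = {ipaddress.ip_address("192.0.2.10")}
# Common/combined access-log format: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jan/2014:10:00:01 +0200] "GET /backup-old/ HTTP/1.1" 200 512 "-" "curl/7.30"
198.51.100.7 - - [15/Jan/2014:10:00:03 +0200] "POST /backup-old/upload.php HTTP/1.1" 200 87 "-" "curl/7.30"
203.0.113.44 - - [15/Jan/2014:10:02:11 +0200] "GET /index.php HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jan/2014:10:03:00 +0200] "GET /backup-old/ HTTP/1.1" 200 512 "-" "healthcheck"
not a log line
203.0.113.99 - - [15/Jan/2014:10:05:42 +0200] "GET /wp-content/plugins/fake-gallery/readme.txt HTTP/1.1" 200 301 "-" "scanner"
"""

def decoy_hits(log_text):
    """Count requests per source IP that touched a decoy path."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field was a hostname or junk, never pass it on
        if ip in ALLOWLIST or not m.group(2).startswith(DECOY_PREFIXES):
            continue
        hits[ip] += 1
    return hits

def block_rules(hits, min_hits=1):
    """Render iptables commands for review; only parsed addresses reach the string."""
    rules = []
    for ip in sorted(hits, key=lambda a: (a.version, int(a))):
        if hits[ip] >= min_hits:
            tool = "ip6tables" if ip.version == 6 else "iptables"
            rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(block_rules(decoy_hits(SAMPLE_LOG))))
```

Raising `min_hits` trades speed of response for fewer accidental blocks, which matters when the decoy path can be reached by crawlers.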


5. Examples

Case study #2 – A network #I

- Gen1 honeynet

- create a separate dedicated network with a layer 3 routing firewall to limit/block outbound connections

- disadvantage on data capture, fingerprinting, destroying

Estimated implementation time: <= 1-2 weeks.


5. Examples

Case study #2 – A network #II

- Gen2 honeynet

- can be used in the production network; the honeynet sensor acts like a bridge on layer 2

- detect unauthorised/unknown activities

- Hogwash is an example of an IDS gateway that can drop or modify the packets that pass through the gateway

Estimated implementation time: <= 1-2 weeks.


5. Examples

Case study #3 – Database of emails

- buy a random domain, let's say: honeyyyy.com

- configure a minimal mail service

- add some random users through your database. Ex: [email protected], [email protected]

- create some triggers on the mail service to forward all incoming mails from these particular addresses to you.

Estimated implementation time: <= 1-4 hours.
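One way to implement the forwarding trigger from this case study, as an added example (not code from the talk). The decoy mailboxes, the analyst address, the `decoy.example` domain and the sample message are constructed assumptions; the trapped mail is wrapped as a `message/rfc822` attachment so its original headers survive for analysis.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed decoy mailboxes; in practice, the users seeded in the database.
DECOYS = {"anna.p@decoy.example", "billing-archive@decoy.example"}
ANALYST = "soc@corp.example"  # hypothetical destination for forwarded mail

# Constructed sample message, not real mail.
SAMPLE = (b"From: Promo <deals@sender.example>\r\n"
          b"To: Anna.P@decoy.example\r\n"
          b"Subject: You won\r\n"
          b"Received: from mx.sender.example ([203.0.113.5]) by mail.decoy.example\r\n"
          b"\r\n"
          b"Click here.\r\n")

def decoy_recipients(msg, envelope_rcpts=()):
    """Return the decoy addresses this message was sent to (case-insensitive)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    seen = {addr.lower() for _, addr in getaddresses(headers)}
    seen |= {r.lower() for r in envelope_rcpts}  # Bcc only shows in the SMTP envelope
    return seen & DECOYS

def forward_if_decoy(raw, envelope_rcpts=()):
    """Build the forward for a trapped message, or return None for normal mail."""
    original = message_from_bytes(raw, policy=policy.default)
    matched = decoy_recipients(original, envelope_rcpts)
    if not matched:
        return None
    fwd = EmailMessage()
    fwd["From"] = "honeypot@decoy.example"
    fwd["To"] = ANALYST
    fwd["Subject"] = "[decoy hit] " + ", ".join(sorted(matched))
    fwd.set_content("Mail arrived at a decoy address; original attached.")
    fwd.add_attachment(original)  # stored as message/rfc822, headers intact
    return fwd

if __name__ == "__main__":
    print(forward_if_decoy(SAMPLE))
```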


5. Examples

Case study #4 – some fun with kippo

“Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.”

- you can download logs from ccsir.org/files/logs.tgz

- PS: tx shark0der for the logs

Let's play: utils/playlog.py logname.log

20130929-154735-3196.log

20130924-185020-4539.log

Etc.


Bonus - ethical issues concerning Honeypots

- M.E. Kabay, the author of 'Liability and Ethics of Honeypots', considers honeypots unethical, posing the following question:

“Since it is both unethical and illegal to lure someone into stealing an object, why is it legal or ethical to lure an individual into committing a computer crime?”

- Other experts consider honeypots not only unethical, but a disadvantage to the computer world since they are in essence “building the better hacker”

- B. Scottberg, author of 'Internet Honeypots: Protection or Entrapment?':

"tracking an intruder in a honeypot reveals invaluable insights into attacker techniques and ultimately motives so that production systems can be better protected. You may learn of vulnerabilities before they are exploited."


6. Resources & References

1. http://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php

2. http://en.wikipedia.org/wiki/Honeypot

3. http://www.darkreading.com/vulnerability/honeypot-stings-attackers-with-counterat/240151740

4. http://www.it-docs.net/ddata/792.pdf ← Awesome!

Honeypots:

https://github.com/rep/hpfeeds

http://www.honeyd.org/

https://github.com/buffer/thug

http://glastopf.org/

http://dionaea.carnivore.it/

http://www.specter.com/introduction50.htm

http://www.keyfocus.net/kfsensor/

http://map.honeycloud.net/

https://www.projecthoneypot.org/index.php


7. Questions?

or

Stay safe! :-)
