Tracing the Ghosts of Cyber World !
DEFCON BANGALORE, 17 Aug 2013
Daniel Singh
About the Presenter
• CISO @ TechNGeeks
• Security Researcher
• Cyber Security Evangelist
• C|EH, E|CSA
About the Presenter
DAY JOB: I'M A PROGRAMMER. (I GET 21 ERRORS IN A 20 LINE CODE)
My 1st successful program @S**t Inc.:
do {!flush(commode);} //please
while (paperTowels.in(/*BOOL*/)==true);
throw(paperTowels); //in garbage collector
About the Presenter
BY NIGHTFALL: Transform into 1337 h4x0r
My TO DO LIST !!!
Agenda
• Introduction to Honeypots & Honeynets
• Honeypot Background & History
• Benefits & Downside of Honeypots
• Classification & Implementation
• Introduction to Honey Analysis
• Legal aspects of Honeypots
• Detection of Honeypots
• Future of Honeypots
• Anti-Honeypot Techniques
• Summary
• Further information
What is a Honeypot?
• A pot, used to store honey
But as a metaphor, a honeypot refers to:
• Espionage recruitment involving sexual seduction (reality/fiction)
• A honeypot site, a popular visitor attraction for tourists
• A sting operation (like ‘Bait Car’)
What is a Honeypot?
• Honeypot (noun): esoteric slang used to refer to physically attractive women under 30 years of age who exude a measure of restrained yet potent sexuality
Background
• The term originated from the military
• It's a fake target for an ambush
• Here it is used in a network security environment
Some more definitions
Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)
Concrete definition: “A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited & compromised.”
What a Honeypot actually is
Definition
‘A honeypot is a resource which is expected to be attacked or compromised.’
• Distraction of an attacker
• To gain information about the attacker
• Attack methods and tools
Benefits of Honeypots
• Risk Mitigation: a honeypot deployed in a production environment may lure an attacker away from the real production systems
• IDS-like functionality: since no legitimate traffic takes place to/from the honeypot, any traffic that does appear is malicious
Benefits of Honeypots
• Attack Strategies: find out the reasons and strategies for why and how attacks happen
• Attack Tools: detailed information on attack tools
• Increased Knowledge: knowing how to respond to & prevent future attacks
• Identification and Classification: find out who is attacking you and profile them
Benefits of Honeypots
• Evidence: after identification of the attacker, all data captured can be used in a legal procedure
• Research: reveal internal communications of hackers, infections, and spreading techniques of worms & viruses
Benefits of Honeypots
• Honeypot VS Antivirus
• Honeypot VS Sandboxes
• Honeypot VS IDS/IPS
• Honeypot VS Darknets
• Honeypot VS Secure Web Proxies
Downside of Honeypots
• Limited View: honeypots cannot track & capture activity directed towards other systems
• Additional Risk: deploying a honeypot can create additional risks for the whole organization
• Legal Risk: if the honeypot is compromised and joins a bot army, this could lead to serious legal consequences
Classification of Honeypots
• Low Interaction / Medium Interaction / High Interaction
• Physical / Virtual
• Server-side / Client-side
• Multifunction / Specialized
• Production Level / Research Level
• Distributed / Stand-alone
• Hybrid Pots
• Specialized types: Jails, Tarpits, Web Applications, General Purpose, SSH Pot, SCADA Pot, VOIP Pot, Bluetooth Pot, USB Pot, Sinkholes
Examples of Honeypots
Low Interaction Server Side:
• General Purpose based: Amun, Dionaea, HoneyD, Tiny Honeypot
• Web Application based: Glastopf, Google Hack Honeypot
• SSH based: Kippo
• SCADA based: Honeynet (Digital Bond), Conpot
• VOIP based: Artemisa
• Bluetooth based: Bluepot
• Sinkhole: Honeysink
• USB based: GhostUSB
(Source: European Network and Information Security Agency Report)
Examples of Honeypots
• High Interaction Server Side: Argos, HiHAT, Sebek
• Low Interaction Client Side: PHoneyC, Thug
• High Interaction Client Side: Capture-HPC HG, Sheila
Examples of Honeypots*
• HoneyMonkey
• Canary Trap
• Tarpits
• Pseudoserver
• Network Telescope/Darknets
HoneyPot Sensors
Two types of Honeypot Sensors:
• Fat Sensor: a complete system that processes the data from the node and sends it to the central server for further analysis and correlation.
• Thin Sensor: just a reflector; it forwards all the connections directly to the central server for processing and data analysis.
Honeynet
‘A honeynet is a network of honeypots supplemented by Firewalls & IDS’
• These are more realistic environments
• Improved Data Capture & Analysis
• Better Fingerprinting
Implementation of HoneyPot
[Diagram: the INTERNET (10.1.1.1) connects to a Honeywall Gateway with interfaces eth0, eth1 and eth2; behind it sit the Production Network (192.168.1.15, 192.168.1.20, 192.168.1.25, 192.168.1.101) and the Honeypot (192.168.1.254).]
Implementation of HoneyNet
192.168.1.15
192.168.1.20
192.168.1.25
192.168.1.101
192.168.1.102
192.168.1.103
Gateway
eth0
eth1
eth2
10.1.1.1
INTERNET
Production Network
HoneyNet 192.168.1.254
ROUTER
Honey Analysis
[Charts: Attacks over Time; Distribution over Time Metric; Attack Origin over Time]
Honey Analysis
Important Security Metrics:
• $Destination IP
• $Destination Port
• $Source IP
• $Source Port
Important Services and Ports:
| Service | Port # | Description |
| --- | --- | --- |
| FTP-Data | 20 | File Transfer [Default Data] |
| FTP | 21 | File Transfer [Control] |
| SSH | 22 | Secure Shell |
| Telnet | 23 | Telnet |
| SMTP | 25 | Simple Mail Transfer |
| DNS | 53 | Domain Name Server |
| BOOTPS | 67 | Bootstrap Protocol Server |
| BOOTPC | 68 | Bootstrap Protocol Client |
| HTTP | 80 | Hypertext Transfer Protocol |
| POP3 | 110 | Post Office Protocol |
| NNTP | 119 | Network News Transfer |
| NTP | 123 | Network Time Protocol |
| NETBIOS-NS | 137 | NETBIOS Name Service |
| NETBIOS-DGM | 138 | NETBIOS Datagram |
| NETBIOS-SSN | 139 | NETBIOS Session Service |
| IMAP | 143 | Internet Message Access Protocol v4 |
| SNMP | 161 | Simple Network Management |
| IRC | 194 | Internet Relay Chat |
| HTTPS | 443 | HTTP over TLS/SSL |
| MS-DS | 445 | Microsoft-DS |
| SMTPS | 465 | Secure SMTP |
| SMTP SUBMISSION | 587 | Simple Mail Transfer Protocol Submission |
| IMAPS | 993 | IMAP over TLS/SSL |
| IRCS | 994 | IRC over TLS/SSL |
| POP3S | 995 | POP3 over TLS/SSL |
| Astaro | 1026 | Astaro User Portal |
| Kazaa | 1214 | Kazaa Media |
| MS-SQL-S | 1433 | Microsoft SQL Server |
| MS-SQL-M | 1434 | Microsoft SQL Monitor |
| HP-SIM | 2381 | HP System Management |
| BES | 3101 | Blackberry Enterprise Server |
| MS-WBT-Server | 3389 | RDP Terminal Server |
| Kerio | 4040 | Kerio Connect Web Admin |
| Astaro | 4444 | Astaro Web Admin |
| ICQ | 5190 | ICQ.com |
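As an added example (not from the talk), the Python below derives the three charts the analysis slides show, attacks over time, distribution by targeted service and attack origin, from the four metrics named above, labelling destination ports with entries from the port table. The log line format and the sample lines are constructed for this example; the honeypot address 192.168.1.254 is taken from the implementation diagram.

```python
"""Honey analysis over constructed honeypot connection logs (added example)."""
from collections import Counter
from datetime import datetime

# Service names for a few destination ports from the table above
SERVICE_BY_PORT = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP",
    445: "MS-DS", 1433: "MS-SQL-S", 3389: "MS-WBT-Server",
}

# Constructed sample lines (assumed format): "<ISO time> <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2013-08-17T01:02:11 203.0.113.5:51234 -> 192.168.1.254:22
2013-08-17T01:05:43 203.0.113.5:51240 -> 192.168.1.254:22
2013-08-17T01:17:09 198.51.100.77:40001 -> 192.168.1.254:445
2013-08-17T02:01:30 198.51.100.77:40002 -> 192.168.1.254:3389
2013-08-17T02:44:12 203.0.113.5:51300 -> 192.168.1.254:1433
2013-08-17T03:10:00 192.0.2.9:6000 -> 192.168.1.254:8081
"""

def parse_line(line):
    """Split one log line into the four metrics the slide names, plus its timestamp."""
    ts, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port)

def analyse(log_text):
    """Every hit counts: the honeypot carries no legitimate traffic, so nothing is filtered out."""
    per_hour = Counter()     # attacks over time
    per_service = Counter()  # distribution by targeted service (destination port)
    per_origin = Counter()   # attack origin (source IP)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _src_port, _dst_ip, dst_port = parse_line(line)
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
        per_service[SERVICE_BY_PORT.get(dst_port, f"unknown/{dst_port}")] += 1
        per_origin[src_ip] += 1
    return per_hour, per_service, per_origin

if __name__ == "__main__":
    hours, services, origins = analyse(SAMPLE_LOG)
    print("Attacks over time:", dict(hours))
    print("Distribution by service:", dict(services))
    print("Attack origin:", origins.most_common())
```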
Legal Aspects of Honeypots
• New Technology: the legal framework & its adjudicators are going to take up cases as and when circumstances arise
• Varied Applications: honeypots have varied applications (from a simple port scanner to a virtual machine) which are created on demand. Thus a common law is hard to achieve & cannot be internationalised
Legal Aspects of Honeypots
• No Legal Cases: as of now, there hasn’t been any legal case pertaining to honeypots & their usage
• Concepts legalised still debatable: some issues relating to honeypots themselves have debatable rulings in different scenarios
Legal Aspects of Honeypots
The basic legal themes related to honeypots are:
1. Entrapment (including enticement)
2. Privacy
3. Downstream liability
Detection of Honeypots
Technical Attributes of a Honeypot:
• Response time & banners
• Registry entries
• Inconsistent parameters
• “Social” properties of the system
• Usage interaction & access logs
• Network sniffing
• Packets going to/from the system
• Search for traces of VMware
Detection of Honeypots
• Sending invalid TCP packet (S+R)
• Spotting system anomalies
• Spotting TTL, window size
• Spotting IPID, DF-bit
• Detect BIOS version
• Detect VMware tools extension
• Detect VMware magic value (0x564D5868)
Future of Honeypots
• HoneyTokens
• SCADA Honeypots
• Wireless Honeypots
• SPAM Honeypots
• Search-Engine Honeypots
• Honeypot Farms
Future of Honeypots
HoneyTokens are resources used for detecting & tracking insider interaction with legitimate resources.
Tokens are fake, crafted items: counterparts of resources that should not normally be accessed (important documents & research, source code, MS Word & Excel docs, SSNs & CC numbers, confidential emails, login & password detail files)
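One of the token types listed above, a planted login & password file, as an added Python example that is not part of the talk: each fake username carries an HMAC tag of the file it was planted in, so when the username later shows up in an authentication log the alert says which resource was touched, and forged lookalikes are rejected. The key, the `svc_` naming scheme and the sshd-style log lines are assumptions constructed for the example.

```python
"""HoneyToken credentials: plant fake logins, then alert when one is tried (added example)."""
import hashlib
import hmac
import re
import secrets

# Assumption: this key lives with the monitoring side, never in the planted file
SECRET_KEY = b"example-key-kept-off-the-monitored-hosts"
LOGIN_RE = re.compile(r"(?:Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+)")

def make_token(label):
    """Fake username whose tail is an HMAC of the label, so a hit maps back to the planted file."""
    tag = hmac.new(SECRET_KEY, label.encode(), hashlib.sha256).hexdigest()[:10]
    return f"svc_{label}_{tag}"

def token_label(username):
    """Return the planted label if the username is a genuine token, else None (no lookup table)."""
    if not username.startswith("svc_"):
        return None
    label, sep, tag = username[4:].rpartition("_")
    expected = hmac.new(SECRET_KEY, label.encode(), hashlib.sha256).hexdigest()[:10]
    return label if sep and hmac.compare_digest(tag.encode(), expected.encode()) else None

def plant_credentials(labels):
    """Lines for a fake 'passwords.txt'; the password is random because only the username matters."""
    return "\n".join(f"{make_token(l)}:{secrets.token_urlsafe(12)}" for l in labels)

def detect_hits(log_text):
    """(label, source ip) for every login attempt in sshd-style logs that used a planted token."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and (label := token_label(m.group(1))) is not None:
            hits.append((label, m.group(2)))
    return hits

def sample_log():
    """Constructed sshd lines: one token hit, one real user, one forged token with a bad tag."""
    real, forged = make_token("finance_share"), "svc_finance_share_0000000000"
    return "\n".join([
        f"Aug 17 02:14:01 honey sshd[1201]: Failed password for {real} from 192.168.1.101 port 50422 ssh2",
        "Aug 17 02:14:30 honey sshd[1202]: Accepted password for alice from 192.168.1.15 port 50430 ssh2",
        f"Aug 17 02:15:02 honey sshd[1203]: Failed password for invalid user {forged} from 192.168.1.101 port 50433 ssh2",
    ])

if __name__ == "__main__":
    print(plant_credentials(["finance_share", "hr_backup"]))
    print("ALERTS:", detect_hits(sample_log()))
```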
Future of Honeypots
• HoneyTokens
• SCADA Honeypots
• Mobile Device based
• Wireless Honeypots
• SPAM Honeypots
• Search-Engine Honeypots
• Honeypot Farms
Anti-Honeypot Techniques
• Automated Honeypot Scanners
• Honeypot Confusers
• Honeypot Exploits
• Honeypot Disablers
• Checking HTTPS & SOCKS proxies
SUMMARY
Honeypots are a new field and much is still to be done:
• Recommend Honeypot setups
• Recommend Honeynet farms
• Increase Honeypot accuracy
• Invent Anti-Honeypot techniques
Further Information
TH4NK5