Transcript Document

Honeynets
Detecting Insider Threats
Kirby Kuehl
[email protected]
Your Speaker
- Honeynet Project member since 1999.
  - Honeynet application beta testing.
    - Honeywall CD
    - Sebek LKM
  - Technical Review of Know Your Enemy, 2nd Edition
- Cisco Systems since 2000.
  - Internal Facing Information Security
  - Intrusion Detection and Event Correlation
  - Internal Security Tools development
- Open Source developer
  - http://winfingerprint.sourceforge.net
Insider Definition
in·sid·er n.
- An accepted member of a group.
- One who has special knowledge or access to confidential information.

- Network, System, and Database Administrators
- Employees and Contractors
- Business Partners
How can being an accepted member of the group be used by an insider?
- Leverage existing credentials on valuable systems.
- Sniff clear text protocols to obtain valid credentials.
- Use valid accounts to exploit unpatched local vulnerabilities to escalate privileges.
- System Administrators can obviously access any sensitive information on the machines.
- Companies typically focus on external threats.
  - Less secure intranet web applications and databases.
  - The ability to share internal data easily is often more important than sharing it securely.
How can an insider leverage existing knowledge?
- Insiders know the location of valuable resources such as financial data and employee records.
- Physical Access.
- Insiders may be aware of company security weaknesses and defenses.
  - Familiar with the practices of the Security Team, IDS locations, log rotations, patch cycles, access control lists.
- Take advantage of unpatched remote vulnerabilities and backdoors left open by worms.
Possible Insider Motives
- Financial Gain
  - Industrial Espionage
  - Intellectual Property
  - Sensitive Customer Information
  - Sensitive Employee Information
  - Identity Theft
- Sabotage
  - Disgruntlement
  - Employee may be quitting or know they are about to be fired.
  - Damage another employee's work.
Should you run an Insider Honeypot?
- Consult your Legal Department.
  - You need their support for prosecution and/or termination.
- Company Acceptable Use Policy
  - Data Privacy Expectations
    - The Security team has the authority to sniff traffic, image hard drives, obtain backups, read user email, etc. during an investigation.
  - What is considered abuse/misuse?
    - Outline abuse of privileges, policy against vulnerability scanning, running sniffers, sharing passwords, etc.
  - How will misuse/abuse be handled?
    - Employee Termination, Legal Action
How will Forensic Data be handled?
- The Honeynet Project is interested in learning the tools, tactics, and motives of the Blackhat community and is not interested in prosecution.
- How will your company handle forensic data? Evidence may have to be presented in a court of law.
  - Ensure evidence is not damaged, destroyed, or tainted.
  - Preserve Chain of Custody.
Defining an Internal Honeypot
- A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
Key Honeypot components:
- Data Capture
  - Capture detailed information on host and network events.
- Data Control
  - Ability to limit inbound and outbound connections when a threshold is reached.
- Alerting
  - Ability to inform the honeypot administrators when an event is occurring.
Insider Honeypot Types
- Low Interaction
- High Interaction
  - Honeynets using the Honeywall CD
- Hotzoning
- Honeytokens
Low-Interaction Insider Honeypots
Advantages:
- Easy to deploy, minimal risk.
Disadvantages:
- Emulated services provide limited interaction, which makes it difficult to determine the real motives of the insider.
- Internal low-interaction honeypots are probably only useful for detecting worms or sweeping vulnerability scans.
Examples:
- Black hole routers advertising dark IP space (see the Arbor Networks whitepaper on sinkholes).
- Specter, KFSensor, Honeyd, and LaBrea.
- Commercial HIDS: Cisco Security Agent, McAfee Entercept, ISS BlackICE.
High-Interaction Insider Honeypots
- Insider Honeypots should be deployed in the same IP space as real resources such as development web servers and CVS repositories.
Advantages:
- Provide real operating systems and services, no emulation.
- The insider may interact with real services for a long time, capturing extensive information.
- Any interaction should be considered malicious; it does not have to match an attack signature from an IDS.
Disadvantages:
- Complex to deploy (easier with the Honeywall CD), greater risk.
- Captures insiders less familiar with your environment.
Examples include Symantec Decoy and Honeynets.
Honeywall bootable CD-ROM
Simplifies the deployment, maintenance, and customization of a honeynet.
Layer 2 bridging firewall (iptables) used to count and limit connections.
- No IP Address
- Doesn't decrement TTL
Snort-inline
- Modified version of Snort that accepts packets from iptables instead of libpcap. It then tells iptables whether the packet should be dropped, rejected, modified, or allowed to pass, based on a Snort rule set.
- Also used for alerting.
Sebek_extract
- Server component of the Sebek (kernel-module-based logger) data capture.
http://www.honeynet.org/tools/cdrom/
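To make the data-control idea concrete, here is an added example (not Honeywall's own code, which does this with iptables on the bridge) that replays constructed connection records through a per-protocol, sliding one-hour outbound connection limiter; the thresholds, addresses and record format are assumptions made for this example.

```python
"""Honeywall-style data control, simulated in Python: outbound connections from a
honeypot are counted per protocol over a sliding one-hour window and dropped once
a threshold is hit.  Thresholds and addresses are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}   # assumed per-hour outbound limits
DEFAULT_LIMIT = 10                            # assumed limit for other protocols
HONEYPOTS = {"10.1.1.50"}                     # constructed honeypot address
WINDOW = timedelta(hours=1)


class ConnectionLimiter:
    def __init__(self, limits=LIMITS, honeypots=HONEYPOTS, window=WINDOW):
        self.limits = limits
        self.honeypots = honeypots
        self.window = window
        self.history = defaultdict(list)      # (src, proto) -> allowed timestamps

    def decide(self, ts, src, dst, proto):
        """Return 'inbound', 'allow' or 'drop' for one new connection attempt."""
        if src not in self.honeypots:
            return "inbound"                  # towards the honeypot: log it, never block
        key = (src, proto)
        recent = [t for t in self.history[key] if t > ts - self.window]
        self.history[key] = recent            # forget attempts outside the window
        if len(recent) >= self.limits.get(proto, DEFAULT_LIMIT):
            return "drop"                     # threshold reached: contain the honeypot
        recent.append(ts)
        return "allow"


def replay(lines, limiter=None):
    """Run 'timestamp src dst proto' records through a limiter; returns (line, verdict)."""
    limiter = limiter or ConnectionLimiter()
    verdicts = []
    for line in lines:
        ts_s, src, dst, proto = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S")
        verdicts.append((line, limiter.decide(ts, src, dst, proto)))
    return verdicts


# Constructed records: 16 outbound TCP attempts in 16 minutes, then three more cases.
SAMPLE = [f"2004-06-01T10:{m:02d}:00 10.1.1.50 192.168.5.7 tcp" for m in range(16)] + [
    "2004-06-01T10:20:00 10.1.1.50 192.168.5.7 udp",      # other protocol, own counter
    "2004-06-01T10:21:00 10.1.1.20 10.1.1.50 tcp",        # inbound: never limited
    "2004-06-01T11:30:00 10.1.1.50 192.168.5.7 tcp",      # window expired: allowed again
]

if __name__ == "__main__":
    for line, verdict in replay(SAMPLE):
        print(verdict.ljust(8), line)
```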
Honeywall CD / Honeynet Diagram
Hot Zoning
Divert traffic destined for unused services on production systems to an internal honeypot.
Honeytokens
- Resources used for detecting and tracking insider interaction with legitimate resources.
- Items that should not normally be accessed.
  - Fake documents: fake source code, Microsoft Word and Excel documents.
  - Bogus SSN or CC numbers
  - Emails
  - Login and password. Example: test:test
- Ability to send notification when accessed.
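As an added example (not from the talk), here is a small honeytoken alerting check in Python that scans constructed sshd and Apache log lines for use of the test account, a planted document path and a bogus SSN; the token values, paths, hostnames and log lines are assumptions constructed for the example.

```python
"""Honeytoken alerting: scan log lines for use of planted resources that no legitimate
user should ever touch.  Tokens, paths and log lines are constructed for this example."""
import re
from typing import Dict, List

HONEYTOKENS = {
    "account": {"test"},                                             # the test:test login
    "path": {"/intranet/hr/payroll_2004.xls", "/cvs/projectx/secret.c"},  # fake documents
    "string": {"000-12-3456"},                                       # bogus SSN in a fake doc
}
SSHD = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
HTTP = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
ANY_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def check_line(line: str, tokens=HONEYTOKENS) -> List[Dict]:
    """Return one alert per honeytoken touched by a single log line."""
    alerts = []
    m = SSHD.search(line)                 # sshd syslog: login to the planted account
    if m and m.group(2) in tokens["account"]:
        alerts.append({"type": "account", "token": m.group(2), "src": m.group(3),
                       "detail": m.group(1)})
    m = HTTP.match(line)                  # Apache combined log: request for a fake document
    if m and m.group(2) in tokens["path"]:
        alerts.append({"type": "path", "token": m.group(2), "src": m.group(1),
                       "detail": "HTTP " + m.group(3)})
    for s in tokens["string"]:            # planted value seen anywhere (mail gateway, IDS)
        if s in line:
            ip = ANY_IP.search(line)
            alerts.append({"type": "string", "token": s,
                           "src": ip.group(1) if ip else "unknown", "detail": line.strip()})
    return alerts


def scan(lines, tokens=HONEYTOKENS) -> List[Dict]:
    """Scan many lines; each alert is what the honeypot administrators get notified with."""
    return [a for line in lines for a in check_line(line, tokens)]


SAMPLE_LOGS = [  # constructed: a normal login, a normal page view and three token hits
    "Jun  1 10:02:11 cvs1 sshd[2231]: Accepted password for alice from 10.1.4.22 port 4521 ssh2",
    "Jun  1 10:05:43 cvs1 sshd[2290]: Accepted password for test from 10.1.4.22 port 4530 ssh2",
    '10.1.4.22 - - [01/Jun/2004:10:07:01 -0500] "GET /intranet/hr/payroll_2004.xls HTTP/1.1" 200 48122',
    '10.1.9.8 - - [01/Jun/2004:10:07:05 -0500] "GET /intranet/index.html HTTP/1.1" 200 2211',
    "Jun  1 10:11:09 mailgw postfix/smtpd[711]: client=10.1.4.22, content filter hit: 000-12-3456",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```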
Question and Answer Session
http://www.honeynet.org
Kirby Kuehl
<[email protected]>