A short introduction to honeypots



Emmanouil Vasilomanolakis (Εμμανουήλ Βασιλομανωλάκης)
PhD candidate
Telecooperation Group, Technische Universität Darmstadt
Center for Advanced Security Research Darmstadt (CASED)
Research associate, Networks Laboratory (ISLAB), Institute of Informatics and Telecommunications (IIT), Demokritos
Outline
- Introduction
- Classifications
- Deployment Architectures
- Open source vs. nothing
- 2 Honeypots
- SURFcert IDS & experiences from Demokritos
- Future work - ideas
4/21/2013
Telecooperation Group | CASED
Introduction
- Definition: “A security resource whose value lies in being probed, attacked or compromised”
- Doesn’t have to be a system: Honeytokens
- We want to get compromised!
- Certainly not a standalone security mechanism.
- Why?
  • FUN!
  • No false-positives!
  • Research: Malware analysis/reverse engineering
  • Reducing available attack surface/early warning system
Honeypot Classifications
- Low interaction: simulate network operations (usually at the TCP/IP stack)
- [Medium interaction: simulate network operations (with more “sophisticated” ways)]
- High interaction: real systems (e.g., VMs)
- Other classifications:
  • Purpose: Generic, Malware collectors, SSH, etc.
  • Production – Research (not really useful)
Honeypot Deployment Architectures
Open Source vs. nothing (really!)
Honeypot         Type      OS        Language        GUI  License
Honeyd           Generic   LINUX     C               N    GNU
Nepenthes        Malware   LINUX     C               N    GNU
Dionaea          Malware   LINUX     PYTHON          N    GNU
Honeytrap        Generic   LINUX     C               N    GNU
LaBrea           Generic   LINUX     C               N    GNU
Tiny HP          Generic   LINUX     PERL            N    GNU
HoneyBot         Malware   WINDOWS   -               Y    CLOSED
Google Hack HP   WEB       -         PHP             Y    GNU
Multipot         Malware   WINDOWS   VB 6            Y    GNU
Glastopf         WEB       -         PYTHON          Y    GNU
Kojoney          SSH       LINUX     PYTHON          N    GNU
Kippo            SSH       LINUX     PYTHON          N    BSD
Amun             Malware   LINUX     PYTHON          N    GNU
Omnirova         Malware   WINDOWS   Borland Delphi  Y    GNU
BillyGoat        Malware   -         ?               ?    CLOSED
Artemisa         VOIP      -         PYTHON          N    GNU
GHOST            USB       WINDOWS   C               Y    GNU
Dionaea
- Low interaction honeypot for collecting malware
- Nepenthes successor
- Basic protocol simulated: SMB (port 445)
- Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP)
- Also supports IPv6 and TLS
- Malware files: stored locally and/or sent to 3rd party entities (CWSandbox, Norman Sandbox, Anubis, VirusTotal)
Kippo (1/2)
- Low interaction SSH honeypot
- Features:
  • Presenting a fake (but “functional”) system to the attacker (resembling a Debian 5.0 installation)
  • Attacker can download his tools through wget, and we save them for later inspection (cool!)
  • Session logs are stored in a UML-compatible format for easy replay with original timings (even cooler!)
- Easy to install, but hard to get hackers!
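An added illustration of the replay feature, not Kippo's own code: a reader for a binary session log whose record layout is assumed here to follow Kippo's ttylog records (a header of op, tty, length, direction, seconds, microseconds, then the data bytes), turning the stored timestamps into a delay schedule so the session can be printed back at its original pace. The struct layout, the op/direction constants and the sample session are assumptions constructed for the example.

```python
import struct
import time
from typing import Iterator, List, Tuple

# Assumed record layout (modelled on Kippo's ttylog): header then `length` data bytes.
REC = struct.Struct("<iLiiLL")          # op, tty, length, direction, seconds, microseconds
OP_OPEN, OP_CLOSE, OP_WRITE = 1, 2, 3   # assumed opcode values
DIR_INPUT, DIR_OUTPUT = 1, 2            # assumed direction values

def write_record(op: int, direction: int, data: bytes, ts: float, tty: int = 0) -> bytes:
    """Pack one record the way the logger would (used here only to build sample data)."""
    sec = int(ts)
    return REC.pack(op, tty, len(data), direction, sec, int((ts - sec) * 1_000_000)) + data

def iter_records(blob: bytes) -> Iterator[Tuple[int, int, float, bytes]]:
    """Yield (op, direction, timestamp, data); stop cleanly at a truncated tail."""
    pos = 0
    while pos + REC.size <= len(blob):
        op, _tty, length, direction, sec, usec = REC.unpack_from(blob, pos)
        pos += REC.size
        if length < 0 or pos + length > len(blob):
            break  # truncated or corrupt record: do not mis-parse the remainder
        yield op, direction, sec + usec / 1_000_000, blob[pos:pos + length]
        pos += length

def replay_schedule(blob: bytes, max_delay: float = 3.0) -> List[Tuple[float, int, bytes]]:
    """(delay_before, direction, data) per WRITE record: original pacing, long idle gaps capped."""
    out, last = [], None
    for op, direction, ts, data in iter_records(blob):
        if op != OP_WRITE:
            continue
        out.append((0.0 if last is None else min(max(ts - last, 0.0), max_delay), direction, data))
        last = ts
    return out

def replay(blob: bytes) -> None:
    """Print the session to the terminal with the recorded timings."""
    for delay, _direction, data in replay_schedule(blob):
        time.sleep(delay)
        print(data.decode("utf-8", "replace"), end="", flush=True)

# Constructed sample session: prompt, a command typed 1.5 s later, its output 2.5 s after that.
T0 = 1366531200.0
SAMPLE_LOG = b"".join([
    write_record(OP_OPEN, DIR_OUTPUT, b"", T0),
    write_record(OP_WRITE, DIR_OUTPUT, b"debian:~# ", T0),
    write_record(OP_WRITE, DIR_INPUT, b"uname -a\n", T0 + 1.5),
    write_record(OP_WRITE, DIR_OUTPUT, b"Linux debian 2.6.26-2-686 #1 SMP i686 GNU/Linux\n", T0 + 4.0),
    write_record(OP_CLOSE, DIR_OUTPUT, b"", T0 + 10.0),
])
```

Calling `replay(SAMPLE_LOG)` prints the three WRITE records with the 1.5 s and 2.5 s pauses in between.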
SURFcert IDS
- An open source (GPLv2) distributed intrusion detection system based on honeypots
- Sensors act as proxies, forwarding network traffic from the monitored network to the system’s center using OpenVPN
- Supported honeypots: Nepenthes, Dionaea, Argos, Kippo
- Three parts:
  • Tunnel – honeypot server
  • Web – logging server
  • Sensors
SURFcert IDS
- Also:
  • Supports p0f for attackers’ OS detection
  • Statistics, nice web-GUI, sensor status, geographical visualizations, and more…
SURFcert IDS @ Demokritos
- Some stats:
  • 21,000 attacks on 3 different sensors (1 month)
  • 1500 malware files downloaded
  • Main target: port 445
- Successfully detected infected systems inside our network (mostly with a Conficker worm variant)
- Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers)
- Possible to find zero-day exploits / new malware (or different variants)
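An added example, not part of the original slides or of SURFcert IDS: the kind of analysis behind the figures above, run over a constructed sensor export (the CSV schema, the 10.20.0.0/16 monitored range and every row are assumptions). Since nobody has a legitimate reason to talk to a honeypot, every row counts as an attack, and a source inside the monitored range is a candidate infected host of the kind the slide describes.

```python
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sensor export (one row per honeypot hit); not SURFcert IDS's real schema.
SENSOR_LOG = """\
time,sensor,src_ip,dst_port,event
2013-03-02T10:01:07,sensor1,203.0.113.45,445,attack
2013-03-02T10:01:09,sensor1,203.0.113.45,445,malware
2013-03-02T10:03:44,sensor2,10.20.5.17,445,attack
2013-03-02T10:03:45,sensor2,10.20.5.17,445,malware
2013-03-02T10:15:02,sensor3,198.51.100.9,22,attack
2013-03-02T11:40:31,sensor1,10.20.5.17,445,attack
2013-03-02T12:05:12,sensor3,10.20.7.200,139,attack
2013-03-02T12:22:58,sensor2,192.0.2.77,80,attack
"""
# Address space the sensors watch over (assumed). A host from here reaching a honeypot has
# no business doing so: with no legitimate users there is nothing to false-positive on.
MONITORED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_log(text: str) -> List[dict]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dst_port"] = int(r["dst_port"])
    return rows

def attacks_per_port(rows: Iterable[dict]) -> Counter:
    """Which ports attackers go for (the deck's answer for Demokritos: 445/SMB)."""
    return Counter(r["dst_port"] for r in rows if r["event"] == "attack")

def malware_samples(rows: Iterable[dict]) -> int:
    return sum(1 for r in rows if r["event"] == "malware")

def internal_hosts_hitting_honeypots(rows: Iterable[dict]) -> Dict[str, Counter]:
    """Sources inside the monitored ranges, with the ports they probed: infection candidates."""
    hits: Dict[str, Counter] = {}
    for r in rows:
        ip = ipaddress.ip_address(r["src_ip"])
        if any(ip in net for net in MONITORED_NETS):
            hits.setdefault(r["src_ip"], Counter())[r["dst_port"]] += 1
    return hits

def summary(text: str) -> dict:
    rows = parse_log(text)
    ports = attacks_per_port(rows)
    return {"attacks": sum(ports.values()), "malware": malware_samples(rows),
            "top_port": ports.most_common(1)[0][0] if ports else None,
            "internal_hosts": internal_hosts_hitting_honeypots(rows)}
```

`summary(SENSOR_LOG)` reports 6 attacks, 2 malware samples, port 445 as the main target, and two internal hosts (10.20.5.17 hitting 445 three times, 10.20.7.200 hitting 139) to hand to incident response.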
Future Work - Ideas
Features:
- Better visualization
- Anti-evasion techniques
- Cheap & easy mobile sensors: Raspberry Pi
- Advertising honeypots
Honeypots:
- Mobile honeypots (e.g., Android)
- SCADA – Industrial Control Systems (ICS)
[Slide figures: “Attacker scans our system”; “Attacker trying to connect to our “ftp” server”]
Thank You
Questions?
Backup slides
Useful Links
- Interesting stuff:
  • http://www.islab.demokritos.gr – Many honeypot-related theses available
  • https://www.enisa.europa.eu/activities/cert/support/proactivedetection/proactive-detection-of-security-incidents-II-honeypots – Report from ENISA regarding honeypots
  • http://publicids.surfnet.nl:8080/surfnetids/login.php – Demo version of SURFcert IDS
- Honeypots:
  • http://www.honeynet.org – General information on honeypots
  • http://dionaea.carnivore.it – Dionaea honeypot
  • http://amunhoney.sourceforge.net – Amun honeypot
  • http://map.honeynet.org – Honeypots visualization
SURFcert IDS @ Demokritos
[Deployment diagram] Outside the main firewall: DMZ 1 (honeynet IP space) with the tunnel / honeypot server. Inside the main firewall: DMZ 2 with the web / DB server, an internal management PC behind the internal firewall, and Sensors 1, 2 and 3 placed in Institute A, Institute B and DMZ X.