A short introduction to honeypots

Εμμανουήλ Βασιλομανωλάκης, PhD candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED); Associate, Networks Laboratory ISLAB, IIT, Demokritos; [email protected]


Transcript of A short introduction to honeypots

Page 1: A short introduction to honeypots

Εμμανουήλ Βασιλομανωλάκης

PhD candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED)

Associate, Networks Laboratory ISLAB, IIT, Demokritos, [email protected]

A short introduction to honeypots

Page 2: A short introduction to honeypots

Outline

4/21/2013 Telecooperation Group | CASED

• Introduction
• Classifications
• Deployment Architectures
• Open source vs. nothing
• Honeypots
• SURFcert IDS & experiences from Demokritos
• Future work - ideas

Page 3: A short introduction to honeypots

Introduction


Definition: “A security resource whose value lies in being probed, attacked or compromised”

Doesn’t have to be a system: honeytokens
We want to get compromised!
Certainly not a standalone security mechanism.

Why?
• FUN!
• No false positives!
• Research: malware analysis / reverse engineering
• Reducing the available attack surface / early warning system

Page 4: A short introduction to honeypots

Honeypot Classifications


Low interaction: simulate network operations (usually at the TCP/IP stack level)

[Medium interaction: simulate network operations in more “sophisticated” ways]

High interaction: real systems (e.g., VMs)

Other classifications:
• Purpose: generic, malware collectors, SSH, etc.
• Production vs. research (not really useful)

Page 5: A short introduction to honeypots

Honeypot Deployment Architectures


Page 6: A short introduction to honeypots

Open Source vs. nothing (really!)


Honeypot         Type      OS       Language        GUI  License
Honeyd           Generic   LINUX    C               N    GNU
Nepenthes        Malware   LINUX    C               N    GNU
Dionaea          Malware   LINUX    PYTHON          N    GNU
Honeytrap        Generic   LINUX    C               N    GNU
LaBrea           Generic   LINUX    C               N    GNU
Tiny HP          Generic   LINUX    PERL            N    GNU
HoneyBot         Malware   WINDOWS  -               Y    CLOSED
Google Hack HP   WEB       -        PHP             Y    GNU
Multipot         Malware   WINDOWS  VB 6            Y    GNU
Glastopf         WEB       -        PYTHON          Y    GNU
Kojoney          SSH       LINUX    PYTHON          N    GNU
Kippo            SSH       LINUX    PYTHON          N    BSD
Amun             Malware   LINUX    PYTHON          N    GNU
Omnirova         Malware   WINDOWS  Borland Delphi  Y    GNU
BillyGoat        Malware   -        ?               ?    CLOSED
Artemisa         VOIP      -        PYTHON          N    GNU
GHOST            USB       WINDOWS  C               Y    GNU

Page 7: A short introduction to honeypots

Dionaea


Low Interaction honeypot for collecting malware

Nepenthes successor

Basic protocol simulated: SMB (port 445)

Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP). Also supports IPv6 and TLS.

Malware files: stored locally and/or sent to 3rd-party services (CWSandbox, Norman Sandbox, Anubis, VirusTotal)

Page 8: A short introduction to honeypots

Kippo (1/2)


Low interaction SSH honeypot

Features:
• Presents a fake (but “functional”) system to the attacker (resembling a Debian 5.0 installation)
• The attacker can download his tools through wget, and we save them for later inspection (cool!)
• Session logs are stored in a UML-compatible format for easy replay with the original timings (even cooler!)

Easy to install, but hard to get hackers!
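As an added illustration of the replayable session log described above (example code written for this page, not code from Kippo or from the talk): a writer and a defensive parser for a UML-style TTY log, which reassembles what the attacker typed and computes the delays needed to replay the session with its original timing. The 24-byte header layout `<iLiiLL` (op, tty, len, dir, sec, usec) and the op/dir constants are my recollection of Kippo's ttylog module and are an assumption; the sample session is constructed, not a real capture.

```python
import struct
from collections import namedtuple
# Record = 24-byte little-endian header (op, tty, len, dir, sec, usec) + `len` payload bytes,
# the UML-style layout Kippo uses as I recall it (assumption, not Kippo's code).
# op 3 = write; dir 1 = attacker input, dir 2 = honeypot output.
HEADER = struct.Struct("<iLiiLL")
OP_WRITE, DIR_INPUT, DIR_OUTPUT = 3, 1, 2
Record = namedtuple("Record", "direction stamp data")  # stamp: Unix time in float seconds

def pack_record(direction, stamp, data):
    """One serialised record, as a logger would append it to the TTY log file."""
    sec = int(stamp)
    return HEADER.pack(OP_WRITE, 0, len(data), direction, sec, round((stamp - sec) * 1e6)) + data

def parse_ttylog(blob):
    """Parse a TTY log, refusing truncated records rather than mis-framing what follows."""
    recs, off = [], 0
    while off < len(blob):
        if off + HEADER.size > len(blob):
            raise ValueError(f"truncated header at offset {off}")
        op, _tty, length, direction, sec, usec = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if length < 0 or off + length > len(blob):
            raise ValueError(f"truncated payload at offset {off}")
        if op == OP_WRITE:
            recs.append(Record(direction, sec + usec / 1e6, blob[off:off + length]))
        off += length
    return recs

def typed_commands(recs):
    """Reassemble the attacker's command lines from input records, honouring backspace."""
    line, cmds = bytearray(), []
    for b in b"".join(r.data for r in recs if r.direction == DIR_INPUT):
        if b in (0x08, 0x7F):            # backspace / DEL drops the last character
            del line[-1:]
        elif b in (0x0A, 0x0D):          # Enter ends the command line
            cmds.append(line.decode("utf-8", "replace"))
            line.clear()
        else:
            line.append(b)
    return cmds

def replay_delays(recs):
    """Seconds to sleep before each record when replaying with the original timing."""
    return [0.0] + [max(0.0, b.stamp - a.stamp) for a, b in zip(recs, recs[1:])]

# Constructed sample session (not a real capture): prompt, then a typo fixed with DEL, then Enter.
SAMPLE_LOG = (pack_record(DIR_OUTPUT, 1366500000.0, b"root@debian:~# ")
              + pack_record(DIR_INPUT, 1366500001.25, b"wgte\x7f\x7f")
              + pack_record(DIR_INPUT, 1366500002.0, b"et http://example.invalid/tool\r"))
```

Feeding a real log through `parse_ttylog` and then `typed_commands` gives the command history even when the attacker corrected typos, and `replay_delays` gives the pauses a replay tool needs.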

Page 9: A short introduction to honeypots

SURFcert IDS


An open source (GPLv2) distributed intrusion detection system based on honeypots

Sensors act as proxies, forwarding network traffic from the monitored network to the system’s center over OpenVPN

Supported Honeypots: Nepenthes, Dionaea, Argos, Kippo

Three parts:
• Tunnel / honeypot server
• Web / logging server
• Sensors

Page 10: A short introduction to honeypots

SURFcert IDS


Also:
• Supports p0f for attackers’ OS detection
• Statistics, nice web GUI, sensor status, geographical visualizations, and more…

Page 11: A short introduction to honeypots

SURFcert IDS @ Demokritos


Some stats:
• 21.000 attacks on 3 different sensors (1 month)
• 1500 malware files downloaded
• Main target: port 445

Successfully detected infected systems inside our network (mostly with a Conficker worm variant)

Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers)

Possible to find zero-day exploits / new malware (or different variants)

Page 12: A short introduction to honeypots

Future Work - Ideas


Features:

• Better visualization
• Anti-evasion techniques
• Cheap & easy mobile sensors: Raspberry Pi
• Advertising honeypots

Honeypots:

• Mobile honeypots (e.g., Android)
• SCADA – Industrial Control Systems (ICS)

[Screenshot: attacker scans our system]

[Screenshot: attacker trying to connect to our “ftp” server]

Page 13: A short introduction to honeypots

Thank You

Questions?

Page 14: A short introduction to honeypots

Backup slides


Page 15: A short introduction to honeypots

Useful Links


Interesting stuff:
• http://www.islab.demokritos.gr – Many honeypot-related theses available
• https://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots – Report from ENISA regarding honeypots
• http://publicids.surfnet.nl:8080/surfnetids/login.php – Demo version of SURFcert IDS

Honeypots:
• http://www.honeynet.org – General information on honeypots
• http://dionaea.carnivore.it – Dionaea honeypot
• http://amunhoney.sourceforge.net – Amun honeypot
• http://map.honeynet.org – Honeypots visualization

Page 16: A short introduction to honeypots

SURFcert IDS @ Demokritos


[Network diagram of the SURFcert IDS deployment at Demokritos. Labels on the figure: Honeynet IP space; DMZ 1, DMZ 2, DMZ X; Institute A, Institute B; Sensor 1, Sensor 2, Sensor 3; Internal Firewall; WEB – DB SERVER; TUNNEL – HONEYPOT SERVER; INTERNAL MANAGEMENT PC; “outside main firewall” / “inside main firewall”.]