Turning Honeypots into an Offensive Toolkit to Secure Critical Assets. Hackit Ukraine, Andrei Avădănei, October 7th, 2016, CEO BIT SENTINEL

Андрей Аваданей - How to protect a company's critical assets with honeypots

Page 1: Андрей Аваданей - How to protect a company's critical assets with honeypots

Turning Honeypots into an Offensive Toolkit to Secure Critical Assets

Hackit Ukraine, Andrei Avădănei, October 7th, 2016, CEO BIT SENTINEL

[email protected]

Page 2

Short Bio

● CEO BIT SENTINEL (2015 - now)

● President at CCSIR.org (2013 - now)

● Founder & Coordinator of DefCamp (2011 - now)

#programming, #pentest, #reverse engineering, #code review, #social engineering, #ctf

Page 3

Into The Honeypots World

● "A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems." [1]

● "A honeypot is a security resource who's value lies in being probed, attacked or compromised" [2]

● Often, honeypot features are found in IDS/IPS products

● It's just another layer of security

Page 4

Honeypots by type

Low-interaction

● Might detect probing

● Attackers are unlikely to be distracted for long

● Ex: honeyd, kfsensor

Medium/High-interaction

● Might collect consistent evidence

● Can hold attackers for a while

● Ex: kippo, specter

Pure-interaction

● Full-fledged production systems

● Technology deception

● Found often in large infrastructures

Page 5

Honeypots by specialisation

● Web honeypots - Glastopf, servlet, honeypress, nodepot, phpmyadmin_honeypot

● Service Honeypots - Kippo, honeyntp, troje, RDPy, honeyprint, hornet

● ICS/SCADA honeypots - conpot, gaspot, scada honeynet, gridpot

● Distributed sensor deployment - Smarthoneypot, Modern Honey Network, Active Defense Harbinger Distribution (ADHD)

Page 6

Offensive Honeypots: What they should be like

● A 24/7 “hacker” that automatically seeks out offenders and counter-attacks

● Emulates pure-interaction honeypots in order to maintain a large window so the “hacker” can collect evidence about the intruder

● In some cases you won’t get a better shot at the hacker’s real identity

● Usually their attention is somewhere else (for instance, stealing your valuable data)

Page 7

Offensive Honeypots: What they really are

● A 24/7 “hacker” that automatically seeks out offenders and counter-attacks

● Emulates pure-interaction honeypots in order to maintain a large window so the “hacker” can collect evidence about the intruder

● In some cases you won’t get a better shot at the hacker’s real identity

● Usually their attention is somewhere else (for instance, stealing your valuable data)

● Active Defense/Decoy - increases the cost of the attack

Page 8

Motivation for Offensive Honeypots

● Increase hacking costs

● Scaring techniques

● Counter-intelligence

● Counter-fingerprinting

● Hacker profiling

● Counter-hacking

Hint: Search for Alexey Sintsov’s experiment from ‘11. Not much since then.

Page 9

Issues with Offensive Honeypots

● Cat and mouse game

● Forbidden by default in many countries

● Data collected might not be accepted in court

● Expensive to maintain

● Not clear what and how to do

● Hard to know when/who should be targeted from the pool of attackers

● Hard to scale/adapt to different networks

Page 10

How to do it?

● Identify & prioritize your assets based on risk (CVSS)

● Define your valuable data at risk (types)

● Look for existing honeypots or DIY

● Prepare the “weapon” according to:

○ Data type (database, documents, etc.)

○ Asset type (website, workstation, IoT, etc.)

○ Source of the attack (network layer, remote/internal, etc.)

● Launch dedicated honeypots with real capabilities (energize them with traffic)

● Collect, analyze and improve (still room for startups)

● Combine
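As an added example that is not part of the talk, the following Python sketch covers the “collect, analyze and improve” step for an SSH service honeypot such as kippo: it parses login-attempt lines, builds a per-source profile (attempts, distinct credentials, successes, dwell time) and ranks which sources from the pool of attackers merit evidence follow-up, the prioritisation problem slide 9 calls hard. The sample lines are constructed and only loosely modelled on kippo's log format (an assumption, not a real capture), and the ranking thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, loosely modelled on kippo's login-attempt log format
# (an assumption; not a real capture).
SAMPLE_LOG = """\
2016-10-07 09:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2016-10-07 09:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password] failed
2016-10-07 09:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
2016-10-07 09:10:00+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [pi/raspberry] failed
2016-10-07 11:45:00+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/toor] succeeded
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_events(text):
    """Turn raw honeypot log text into a list of login-attempt dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S%z")
            events.append(ev)
    return events

def profile_sources(events):
    """Per source IP: attempt count, distinct credentials tried, successes and dwell time (seconds)."""
    prof = defaultdict(lambda: {"attempts": 0, "creds": set(), "successes": 0, "first": None, "last": None})
    for ev in events:
        p = prof[ev["src"]]
        p["attempts"] += 1
        p["creds"].add((ev["user"], ev["pw"]))
        p["successes"] += int(ev["result"] == "succeeded")
        p["first"] = ev["ts"] if p["first"] is None else min(p["first"], ev["ts"])
        p["last"] = ev["ts"] if p["last"] is None else max(p["last"], ev["ts"])
    for p in prof.values():
        p["dwell_seconds"] = (p["last"] - p["first"]).total_seconds()
    return dict(prof)

def prioritize(profiles, min_attempts=3):
    """Rank sources that merit follow-up: any success first, then persistence (attempts) and dwell time."""
    cands = [(src, p) for src, p in profiles.items() if p["successes"] or p["attempts"] >= min_attempts]
    cands.sort(key=lambda sp: (sp[1]["successes"], sp[1]["attempts"], sp[1]["dwell_seconds"]), reverse=True)
    return [src for src, _ in cands]
```

The single success from 198.51.100.7 after a two-hour gap is the kind of signal that turns a noisy scanner into an incident worth preserving evidence for.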

Page 11

Study Cases #1: The website

Asset: CMS (e.g. WP), Virtual Machine

Data: Database of clients

Honeypots: wordpot, honeypress, honnypotter

Source of Attack: layer 7 (web service)

Weapons

● Network & Vulns Scanning: OpenVAS, Arachni, Nmap, etc.

● Pwn Tools: Metasploit

● Tracking: social media, accounts history, browser vulnerabilities

● Increase time spent: decoy features

Page 12

Study Cases #2: The network

Asset: Workstations, IoT, Servers

Data: Customers, Employees, Discussions, Blueprints, Documents, Backups

Honeypots: Smarthoneypot, Modern Honey Network, cloned devices

Source of Attack: layer 7 (web service)

Weapons

● Network & Vulns Scanning: OpenVAS, Arachni, Nmap, etc.

● Pwn Tools: Metasploit

● Tracking: social media, accounts history, browser vulnerabilities, infected documents

● Increase time spent: cloned / almost real devices / develop low-hanging fruit

Page 13

Takeaways

● Keep your honeypot approaches as stealthy as possible

● Always rely on “defence in depth” and multiple detection methodologies

● There is room for the “real” offensive honeypot

● Build honeypots which increase the costs and also help you get more evidence about the incidents/attacker

Page 14

Thank you!

Andrei Avădănei

[email protected]

Page 15

Resources

● http://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php

● http://en.wikipedia.org/wiki/Honeypot

● https://media.blackhat.com/eu-13/briefings/Sintsov/bh-eu-13-honeypot-sintsov-wp.pdf

● http://www.it-docs.net/ddata/792.pdf

● http://www.darkreading.com/vulnerability/honeypot-stings-attackers-with-counterat/240151740

● http://www.slideshare.net/AndreiAvadanei/honeypots-30081437

● http://revuln.com/files/Ferrante_A_Zero_Day_Life.pdf

● https://blog.smarthoneypot.com/what-active-defence-is-and-is-not/

● https://github.com/paralax/awesome-honeypots

● https://www.honeynet.org/node/1267