SlideShare uma empresa Scribd logo

Honeypots for Active Defense

Greg Foss
Greg Foss

InfoSec analysts are all somewhat familiar with Honeypots. When they are given the proper attention, care and feeding, they produce invaluable information and can be a critical asset when it comes to defending the network. This intel has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor, right? Not exactly; when deployed and monitored properly, Honeypots and Honey Tokens are a simple way to alert on anomalous activity inside the network. But how can an organization that is not focused on research gain valuable threat intelligence using Honeypots and actively defend their network using indicators generated from an internal Honeynet? The answer is Honeypots for Active Defense. There are currently many open source security tool distributions that come pre-loaded with Honeypots among other useful tools, however the Honeypot software is often not deployed in an effective manner. This session will discuss techniques to leverage Honeypots in ways that will not overburden the security team with massive logs to sift through and focuses efforts on correlating active threat data observed in the Honeypots with the production environment. When deploying Honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network before they become the next headline.

Tecnologia
1 de 71
Baixar para ler offline
Honeypots for Active Defense A Practical Guide to Honeynets within the Enterprise Greg Foss SecOps Lead / Senior Researcher @heinzarelli
# whoami Greg Foss SecOps Team Lead Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
Traditional Defensive Concepts • Maintain a tough perimeter • Implement layered security controls • Block known attacks and ban malicious IP’s • Create and enforce policy to discourage misuse
…cross our fingers
InfoSec Realities • There is no magic security product that will protect you or your company. Period. • It’s when, not if — there’s always a way in…
Not Just ‘APTs’
Active Defense
What is ‘Active Defense’ • All comes down to tipping the odds in our favor as defenders… • Annoying the attacker • Trapping them and wasting time • Gather data + attempt attribution • ‘Attacking Back’ • Reduce the MTTD and MTTR • MTTD => Mean-Time-to-Detect • MTTR => Mean-Time-to-Respond
Why Internal Honeypots? • Easy to configure, deploy, and maintain • Fly traps for anomalous activity • They don’t even need to look legit once breached… Just enough to raise a flag. • You will learn a ton about your adversaries. Information that will help in the future… • *Honeypots are something to focus on after the basics have been taken care of.
Honeypot Use Cases • Research • Understand how attackers think, what works, what doesn’t, and what they are after. • Defense • Learn from the adversary and adapt… Lay traps to catch subtle yet abnormal activities.
Defense
VM’s ADHD http://sourceforge.net/projects/adhd/ Honey Drive 3 http://sourceforge.net/projects/honeydrive/
First things first… • Honeypots and Active Defense come after baseline security controls are in place. • Warning banners are critical and assist in the event prosecution is necessary / desired.
Types of Honeypots No Interaction Low Interaction Medium Interaction High Interaction Honey Tokens / Drives / Strings / Etc. *note - this is my interpretation, not necessarily ‘industry standard’
No Interaction Honeypots Primarily referred to as Honeyports, or services that simply log and/or ban on full TCP connect.
‘No Interaction’ Honeypots • Basic Honeyports • Linux - NetCat and IPTables • Windows - NetCat and Netsh • Python and PowerShell options as well…
Windows PowerShell Honeyports
Windows PowerShell Honeyports
Linux Honeyports • Artillery — supports Windows too! • https://www.trustedsec.com/downloads/artillery/
Artillery Logging • Port Scanning and/or Illegitimate Service Access • Local Syslog, Flat File, or Remote Syslog options • IP’s are added to the banlist and blocked locally via IPTables
Artillery Logging Bonus! • File Integrity Monitoring
Low Interaction Honeypots Honeypots that serve up basic content and are not interactive once breached.
WordPot • https://github.com/gbrindisi/wordpot • Fake WordPress app, written in Python…
Fake PhpMyAdmin • https://github.com/gfoss/phpmyadmin_honeypot • Simple fake phpmyadmin ‘app’ that logs to flat files. This same approach can be applied to anything…
$any fake login panel • Custom - but believable and hidden from normal users • Can be used in ‘reverse phishing’ — discussing later…
$any fake login panel • Logging attacker data is standard, what if you need evidence that is a bit more tangible…
Honeybadger • https://bitbucket.org/LaNMaSteR53/honeybadger/ • Gain *true attribution on your adversaries…
Medium Interaction Honeypots Interactive honeypots that resemble real services and provide limited functionality once breached.
Medium Interaction Honeypots • TONS! But one of my favorites: • https://github.com/desaster/kippo • https://github.com/gfoss/kippo • Simulate SSH Service…
Kippo • Python script which simulates an SSH service that is highly customizable, portable, and adaptable. • Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real-time. • One of the more popular honeypots out there, as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious… • When deploying externally, there is a risk of CnC’s maintaining persistent connections. • Can be used as a pentest tool as well :-)
Kippo Alert Automation https://github.com/gfoss/kippo/blob/master/replay-alert.sh
High Interaction Honeypots Imitate real systems or modify real hosts to act as honeypots in order to verbosely log attacker activity and capture all network and related flow data.
Analysis Tools • LogRhythm Network Monitor and SIEM • Suricata IDS • http://suricata-ids.org/download/ • BRO IDS • https://www.bro.org/ • Cuckoo Sandbox • http://www.cuckoosandbox.org/
Routers and Switches • ROMAN Hunter - Router Man Hunter • http://sourceforge.net/projects/romanhunter/ • Configure real AP as a honeypot • Capture MAC of 
 attacker that 
 bypasses 
 security • Correlate the MAC and
 add it to an
 organizational blacklist…
High Interaction Warning! • Deploying real systems / devices / services is dangerous and requires dedicated monitoring. • Whenever hosts can actually be compromised there is huge risk if not monitored appropriately. • Never use the organization’s gold-standard image for the honeypot. • Segment these hosts from the production network!
Honey Tokens and Document Bugging Tracking file access, modification, exfiltration, etc…
File Integrity Monitoring
Honey Tokens • Use file integrity monitoring to track all interactions with files/folders/etc of interest. Great for network shares. • Not just files, this can be strings, drives, directories, etc. • Any predefined item that
 will generate a log when 
 accessed/modified/etc. • Trivial to configure…
Document Bugging • WebBug How To: • http://ha.ckers.org/webbug.html
 • WebBug Server: • https://bitbucket.org/ethanr/webbugserver
 • Bugged Files - Is your Document Telling on You? • Daniel Crowley + Damon Smith • https://www.youtube.com/watch?v=co1gFikKLpA
Document Tracking • Same tricks used by Marketing for years, normally for tracking emails. • Why loading external
 images within email
 is risky…
Document Tracking • Documents can be tracked in the same way as email / web. • Automating the process… • https://github.com/gfoss/misc/tree/master/Bash/webbug
Document Tracking Issues • If the document is opened up offline it will divulge information about the tracking service. • *There is no telling how someone will react once it is discovered that they were being tracked…
Screwing with Attackers • Reverse Phishing and ‘Attacking Back’ • A
 case
 study…
• Zip Bombs • http://unforgettable.dk - 42.zip • BeEF - Browser Exploitation Framework • http://beefproject.com/ • USB Killer • http://kukuruku.co/hub/diy/usb-killer • Clippy! • http://www.irongeek.com/i.php?page=security/ phpids-install-notes More Tricks
cat /dev/random | nc -nl 22
https://github.com/nitram509/ascii-telnet-server ASCII Art Distraction
Monitoring • Dedicated SOC - Security Operations Center • SIEM - Security Information Event Management • Correlate and Track Events • Evaluate Impact on the Real Environment • Measure Risk and Actively Respond to Threats • IDS, Network Flow Analysis, Firewalls, etc. • Configure once and it’s smooth sailing from there…
Enterprise Threat Intelligence • Develop Context-Aware Threat Intelligence • Leverage knowledge gained from attackers to create IOC’s and custom IDS and SIEM rules…
Event Correlation
Automating Response • Dynamic Honeypotting • Deploy PowerShell and Command Line Logging • http://www.slideshare.net/Hackerhurricane/ask- aalware-archaeologist/25
Automating Response • Google Rapid Response - GRR • https://github.com/google/grr • Netflix FIDO • https://github.com/Netflix/Fido • Kansa • https://github.com/davehull/Kansa • Power Forensics • https://github.com/Invoke-IR/PowerForensics
1 PowerShell Script Live Data Acquisition and Incident Response Integrates into Existing Security Processes Remote Forensic Acquisition Host and User Lockdown https://github.com/gfoss/PSRecon/
Bringing it all together…
Honeypot Dashboards • HoneyDrive3 comes complete with dashboards and enhancement scripts to display interesting data. • Kippo Graph • http://bruteforce.gr/kippo-graph • The Modern Honey Network - can also deploy! • https://threatstream.com/blog/mhn-modern- honey-network • LogRhythm SIEM - Honeypot Analytics Suite
Works Cited & Recommended Reading • Strand, John, and Asadoorian, Paul. Offensive Countermeasures: The Art of Active Defense. 2013. • Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014. • Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'noise' Rockland, MA: Syngress, 2012. • Bodmer, Sean. Reverse Deception: Organized Cyber Threat Counter-exploitation. N.p.: n.p., n.d. Print.
Thank You! Questions? https://github.com/gfoss/ Greg Foss
 OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
 SecOps Lead / Sr. Researcher
 greg.foss[at]LogRhythm.com
 @heinzarelli

Recomendados

100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdfMAHESHUMANATHGOPALAK
 
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost
 
Honeypot
Honeypot Honeypot
Honeypot Sushan Sharma
 
Honeynet architecture
Honeynet architectureHoneynet architecture
Honeynet architectureamar koppal
 
All about Honeypots & Honeynets
All about Honeypots & HoneynetsAll about Honeypots & Honeynets
All about Honeypots & HoneynetsMehdi Poustchi Amin
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS SolutionSrikrupa Srivatsan
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explainedTeja Babu
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 

Recomendados

100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdfMAHESHUMANATHGOPALAK
 
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost
 
Honeypot
Honeypot Honeypot
Honeypot Sushan Sharma
 
Honeynet architecture
Honeynet architectureHoneynet architecture
Honeynet architectureamar koppal
 
All about Honeypots & Honeynets
All about Honeypots & HoneynetsAll about Honeypots & Honeynets
All about Honeypots & HoneynetsMehdi Poustchi Amin
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS SolutionSrikrupa Srivatsan
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explainedTeja Babu
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceEr. Shiva K. Shrestha
 
Honeypot ss
Honeypot ssHoneypot ss
Honeypot ssKajal Mittal
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
Firewall
FirewallFirewall
FirewallMuhammad Sohaib Afzaal
 
Honeypot Basics
Honeypot BasicsHoneypot Basics
Honeypot BasicsManoj kumawat
 
Honeypots
HoneypotsHoneypots
HoneypotsSARANYA S
 
Honeypots
HoneypotsHoneypots
HoneypotsJ. Scott Christianson
 
Honeypots
HoneypotsHoneypots
HoneypotsJayant Gandhi
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTgr9293
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Security threats
Security threatsSecurity threats
Security threatsQamar Farooq
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack pptOECLIB Odisha Electronics Control Library
 
Honeypot ppt1
Honeypot ppt1Honeypot ppt1
Honeypot ppt1samrat saurabh
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response Darren Pauli
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Crowdstrike .pptx
Crowdstrike .pptxCrowdstrike .pptx
Crowdstrike .pptxuthayakumar174828
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
Honeypot honeynet
Honeypot honeynetHoneypot honeynet
Honeypot honeynetSina Manavi
 

Mais conteúdo relacionado

Mais procurados

DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceEr. Shiva K. Shrestha
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTgr9293
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response Darren Pauli
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 

Mais procurados (20)

DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of Service
 
Honeypot ss
Honeypot ssHoneypot ss
Honeypot ss
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Firewall
FirewallFirewall
Firewall
 
Honeypot Basics
Honeypot BasicsHoneypot Basics
Honeypot Basics
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Security threats
Security threatsSecurity threats
Security threats
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
Honeypot ppt1
Honeypot ppt1Honeypot ppt1
Honeypot ppt1
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Crowdstrike .pptx
Crowdstrike .pptxCrowdstrike .pptx
Crowdstrike .pptx
 

Destaque

Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
Honeypot honeynet
Honeypot honeynetHoneypot honeynet
Honeypot honeynetSina Manavi
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar reportInder NeGi
 
0x3E9 Ways To DIE
0x3E9 Ways To DIE0x3E9 Ways To DIE
0x3E9 Ways To DIEynvb
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingGreg Foss
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of DreamsGreg Foss
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseGreg Foss
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Greg Foss
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network SecurityKirubaburi R
 
Interactive presentation screen format 16-9 - minimal for slideshare
Interactive presentation screen format 16-9 - minimal for slideshareInteractive presentation screen format 16-9 - minimal for slideshare
Interactive presentation screen format 16-9 - minimal for slidesharePatrick Keyzer
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeydicanhasfay
 
Honey po tppt
Honey po tpptHoney po tppt
Honey po tpptArya AR
 
Honeypot Social Profiling
Honeypot Social ProfilingHoneypot Social Profiling
Honeypot Social ProfilingBryan Conde
 

Destaque (20)

Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief Overview
 
Honeypot honeynet
Honeypot honeynetHoneypot honeynet
Honeypot honeynet
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar report
 
Honey Pot
Honey PotHoney Pot
Honey Pot
 
0x3E9 Ways To DIE
0x3E9 Ways To DIE0x3E9 Ways To DIE
0x3E9 Ways To DIE
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture Training
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of Dreams
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven Defense
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
 
Interactive presentation screen format 16-9 - minimal for slideshare
Interactive presentation screen format 16-9 - minimal for slideshareInteractive presentation screen format 16-9 - minimal for slideshare
Interactive presentation screen format 16-9 - minimal for slideshare
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Lecture 7
Lecture 7Lecture 7
Lecture 7
 
CDE future sonar webinar
CDE future sonar webinar CDE future sonar webinar
CDE future sonar webinar
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
Ppt
PptPpt
Ppt
 
GIS for Defence
GIS for DefenceGIS for Defence
GIS for Defence
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeyd
 
Honey po tppt
Honey po tpptHoney po tppt
Honey po tppt
 
Honeypot Social Profiling
Honeypot Social ProfilingHoneypot Social Profiling
Honeypot Social Profiling
 

Semelhante a Honeypots for Active Defense

Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.pptDetSersi
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityCambridge Intelligence
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 

Semelhante a Honeypots for Active Defense (20)

Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber Security
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate Espionage
 

Mais de Greg Foss

Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime OpsGreg Foss
 
Future of Destructive Malware
Future of Destructive MalwareFuture of Destructive Malware
Future of Destructive MalwareGreg Foss
 
Crypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto FarmerCrypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto FarmerGreg Foss
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018Greg Foss
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Greg Foss
 
Security Automation and Orchestration
Security Automation and OrchestrationSecurity Automation and Orchestration
Security Automation and OrchestrationGreg Foss
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataGreg Foss
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 

Mais de Greg Foss (10)

Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime Ops
 
Future of Destructive Malware
Future of Destructive MalwareFuture of Destructive Malware
Future of Destructive Malware
 
Crypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto FarmerCrypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto Farmer
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17
 
Security Automation and Orchestration
Security Automation and OrchestrationSecurity Automation and Orchestration
Security Automation and Orchestration
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint Data
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Último (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Honeypots for Active Defense

  • 1. Honeypots for Active Defense A Practical Guide to Honeynets within the Enterprise Greg Foss SecOps Lead / Senior Researcher @heinzarelli
  • 2. # whoami Greg Foss SecOps Team Lead Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
  • 3. Traditional Defensive Concepts • Maintain a tough perimeter • Implement layered security controls • Block known attacks and ban malicious IP’s • Create and enforce policy to discourage misuse
  • 5. InfoSec Realities • There is no magic security product that will protect you or your company. Period. • It’s when, not if — there’s always a way in…
  • 8. What is ‘Active Defense’ • All comes down to tipping the odds in our favor as defenders… • Annoying the attacker • Trapping them and wasting time • Gather data + attempt attribution • ‘Attacking Back’ • Reduce the MTTD and MTTR • MTTD => Mean-Time-to-Detect • MTTR => Mean-Time-to-Respond
  • 9.
  • 10. Why Internal Honeypots? • Easy to configure, deploy, and maintain • Fly traps for anomalous activity • They don’t even need to look legit once breached… Just enough to raise a flag. • You will learn a ton about your adversaries. Information that will help in the future… • *Honeypots are something to focus on after the basics have been taken care of.
  • 11. Honeypot Use Cases • Research • Understand how attackers think, what works, what doesn’t, and what they are after. • Defense • Learn from the adversary and adapt… Lay traps to catch subtle yet abnormal activities.
  • 14. First things first… • Honeypots and Active Defense come after baseline security controls are in place. • Warning banners are critical and assist in the event prosecution is necessary / desired.
  • 15. Types of Honeypots No Interaction Low Interaction Medium Interaction High Interaction Honey Tokens / Drives / Strings / Etc. *note - this is my interpretation, not necessarily ‘industry standard’
  • 16. No Interaction Honeypots Primarily referred to as Honeyports, or services that simply log and/or ban on full TCP connect.
  • 17. ‘No Interaction’ Honeypots • Basic Honeyports • Linux - NetCat and IPTables • Windows - NetCat and Netsh • Python and PowerShell options as well…
  • 20. Linux Honeyports • Artillery — supports Windows too! • https://www.trustedsec.com/downloads/artillery/
  • 21. Artillery Logging • Port Scanning and/or Illegitimate Service Access • Local Syslog, Flat File, or Remote Syslog options • IP’s are added to the banlist and blocked locally via IPTables
  • 22. Artillery Logging Bonus! • File Integrity Monitoring
  • 23.
  • 24. Low Interaction Honeypots Honeypots that serve up basic content and are not interactive once breached.
  • 25. WordPot • https://github.com/gbrindisi/wordpot • Fake WordPress app, written in Python…
  • 26. Fake PhpMyAdmin • https://github.com/gfoss/phpmyadmin_honeypot • Simple fake phpmyadmin ‘app’ that logs to flat files. This same approach can be applied to anything…
  • 27. $any fake login panel • Custom - but believable and hidden from normal users • Can be used in ‘reverse phishing’ — discussing later…
  • 28. $any fake login panel • Logging attacker data is standard, what if you need evidence that is a bit more tangible…
  • 30.
  • 31. Medium Interaction Honeypots Interactive honeypots that resemble real services and provide limited functionality once breached.
  • 32. Medium Interaction Honeypots • TONS! But one of my favorites: • https://github.com/desaster/kippo • https://github.com/gfoss/kippo • Simulate SSH Service…
  • 33. Kippo • Python script which simulates an SSH service that is highly customizable, portable, and adaptable. • Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real-time. • One of the more popular honeypots out there, as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious… • When deploying externally, there is a risk of CnC’s maintaining persistent connections. • Can be used as a pentest tool as well :-)
  • 34.
  • 36. High Interaction Honeypots Imitate real systems or modify real hosts to act as honeypots in order to verbosely log attacker activity and capture all network and related flow data.
  • 37.
  • 38. Analysis Tools • LogRhythm Network Monitor and SIEM • Suricata IDS • http://suricata-ids.org/download/ • BRO IDS • https://www.bro.org/ • Cuckoo Sandbox • http://www.cuckoosandbox.org/
  • 39. Routers and Switches • ROMAN Hunter - Router Man Hunter • http://sourceforge.net/projects/romanhunter/ • Configure real AP as a honeypot • Capture MAC of 
 attacker that 
 bypasses 
 security • Correlate the MAC and
 add it to an
 organizational blacklist…
  • 40. High Interaction Warning! • Deploying real systems / devices / services is dangerous and requires dedicated monitoring. • Whenever hosts can actually be compromised there is huge risk if not monitored appropriately. • Never use the organization’s gold-standard image for the honeypot. • Segment these hosts from the production network!
  • 41. Honey Tokens and Document Bugging Tracking file access, modification, exfiltration, etc…
  • 43. Honey Tokens • Use file integrity monitoring to track all interactions with files/folders/etc of interest. Great for network shares. • Not just files, this can be strings, drives, directories, etc. • Any predefined item that
 will generate a log when 
 accessed/modified/etc. • Trivial to configure…
  • 44. Document Bugging • WebBug How To: • http://ha.ckers.org/webbug.html
 • WebBug Server: • https://bitbucket.org/ethanr/webbugserver
 • Bugged Files - Is your Document Telling on You? • Daniel Crowley + Damon Smith • https://www.youtube.com/watch?v=co1gFikKLpA
  • 45. Document Tracking • Same tricks used by Marketing for years, normally for tracking emails. • Why loading external
 images within email
 is risky…
  • 46. Document Tracking • Documents can be tracked in the same way as email / web. • Automating the process… • https://github.com/gfoss/misc/tree/master/Bash/webbug
  • 47. Document Tracking Issues • If the document is opened up offline it will divulge information about the tracking service. • *There is no telling how someone will react once it is discovered that they were being tracked…
  • 48. Screwing with Attackers • Reverse Phishing and ‘Attacking Back’ • A
 case
 study…
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57. • Zip Bombs • http://unforgettable.dk - 42.zip • BeEF - Browser Exploitation Framework • http://beefproject.com/ • USB Killer • http://kukuruku.co/hub/diy/usb-killer • Clippy! • http://www.irongeek.com/i.php?page=security/ phpids-install-notes More Tricks
  • 58. cat /dev/random | nc -nl 22
  • 60. Monitoring • Dedicated SOC - Security Operations Center • SIEM - Security Information Event Management • Correlate and Track Events • Evaluate Impact on the Real Environment • Measure Risk and Actively Respond to Threats • IDS, Network Flow Analysis, Firewalls, etc. • Configure once and it’s smooth sailing from there…
  • 61. Enterprise Threat Intelligence • Develop Context-Aware Threat Intelligence • Leverage knowledge gained from attackers to create IOC’s and custom IDS and SIEM rules…
  • 63. Automating Response • Dynamic Honeypotting • Deploy PowerShell and Command Line Logging • http://www.slideshare.net/Hackerhurricane/ask- aalware-archaeologist/25
  • 64. Automating Response • Google Rapid Response - GRR • https://github.com/google/grr • Netflix FIDO • https://github.com/Netflix/Fido • Kansa • https://github.com/davehull/Kansa • Power Forensics • https://github.com/Invoke-IR/PowerForensics
  • 65. 1 PowerShell Script Live Data Acquisition and Incident Response Integrates into Existing Security Processes Remote Forensic Acquisition Host and User Lockdown https://github.com/gfoss/PSRecon/
  • 66.
  • 68. Honeypot Dashboards • HoneyDrive3 comes complete with dashboards and enhancement scripts to display interesting data. • Kippo Graph • http://bruteforce.gr/kippo-graph • The Modern Honey Network - can also deploy! • https://threatstream.com/blog/mhn-modern- honey-network • LogRhythm SIEM - Honeypot Analytics Suite
  • 69.
  • 70. Works Cited & Recommended Reading • Strand, John, and Asadoorian, Paul. Offensive Countermeasures: The Art of Active Defense. 2013. • Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014. • Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'noise' Rockland, MA: Syngress, 2012. • Bodmer, Sean. Reverse Deception: Organized Cyber Threat Counter-exploitation. N.p.: n.p., n.d. Print.
  • 71. Thank You! Questions? https://github.com/gfoss/ Greg Foss
 OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
 SecOps Lead / Sr. Researcher
 greg.foss[at]LogRhythm.com
 @heinzarelli