InfoSec analysts are all somewhat familiar with Honeypots. When they are given the proper attention, care and feeding, they produce invaluable information and can be a critical asset when it comes to defending the network. This intel has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor, right? Not exactly; when deployed and monitored properly, Honeypots and Honey Tokens are a simple way to alert on anomalous activity inside the network. But how can an organization that is not focused on research gain valuable threat intelligence using Honeypots and actively defend their network using indicators generated from an internal Honeynet?
The answer is Honeypots for Active Defense. There are currently many open source security tool distributions that come pre-loaded with Honeypots among other useful tools; however, the Honeypot software is often not deployed in an effective manner. This session will discuss techniques to leverage Honeypots in ways that will not overburden the security team with massive logs to sift through, and will focus efforts on correlating active threat data observed in the Honeypots with the production environment. Deployed effectively, Honeypots give security analysts one additional mechanism to tip them off to nefarious activity within their network before they become the next headline.
Honeypots for Active Defense
1. Honeypots for Active Defense
A Practical Guide to Honeynets within the Enterprise
Greg Foss
SecOps Lead / Senior Researcher
@heinzarelli
2. # whoami
Greg Foss
SecOps Team Lead
Sr. Security Research Engineer
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
3. Traditional Defensive Concepts
• Maintain a tough perimeter
• Implement layered security controls
• Block known attacks and ban malicious IPs
• Create and enforce policy to discourage misuse
5. InfoSec Realities
• There is no magic security product that will protect you or your company. Period.
• It’s when, not if — there’s always a way in…
8. What is ‘Active Defense’?
• All comes down to tipping the odds in our favor as defenders…
• Annoying the attacker
• Trapping them and wasting time
• Gather data + attempt attribution
• ‘Attacking Back’
• Reduce the MTTD and MTTR
• MTTD => Mean-Time-to-Detect
• MTTR => Mean-Time-to-Respond
10. Why Internal Honeypots?
• Easy to configure, deploy, and maintain
• Fly traps for anomalous activity
• They don’t even need to look legit once breached… Just enough to raise a flag.
• You will learn a ton about your adversaries. Information that will help in the future…
• *Honeypots are something to focus on after the basics have been taken care of.
11. Honeypot Use Cases
• Research
• Understand how attackers think, what works, what doesn’t, and what they are after.
• Defense
• Learn from the adversary and adapt… Lay traps to catch subtle yet abnormal activities.
14. First things first…
• Honeypots and Active Defense come after baseline security controls are in place.
• Warning banners are critical and assist in the event prosecution is necessary / desired.
15. Types of Honeypots
No Interaction
Low Interaction
Medium Interaction
High Interaction
Honey Tokens / Drives / Strings / Etc.
*note - this is my interpretation, not necessarily ‘industry standard’
21. Artillery Logging
• Port Scanning and/or Illegitimate Service Access
• Local Syslog, Flat File, or Remote Syslog options
• IPs are added to the banlist and blocked locally via IPTables
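To show what Artillery-style trap logging and banning looks like in code, here is an added example written for this page; it is not Artillery's own code. It listens on a set of unused "trap" ports (the port numbers are an assumption, chosen above 1024 so the script runs unprivileged), logs every connection as a syslog-like line, and once a single source has touched a configurable number of distinct trap ports it returns the iptables DROP rule an operator would apply. The rule is only built as a string, never executed, so the logic can be read and tested without touching the host firewall.

```python
import socket
import threading
import time
from collections import defaultdict

# Trap ports: nothing legitimate listens here, so any connection is anomalous.
# Port numbers are an assumption for this demo (unprivileged, so no root needed).
TRAP_PORTS = [2121, 2323, 13306, 14433, 15900]

# Distinct trap ports one source may touch before it is banned.
SCAN_THRESHOLD = 3


class TrapTracker:
    """Counts trap-port hits per source and decides when to ban it."""

    def __init__(self, threshold=SCAN_THRESHOLD):
        self.threshold = threshold
        self.hits = defaultdict(set)  # source IP -> trap ports touched
        self.banned = set()
        self.log_lines = []           # syslog-style records, in order

    def record(self, src_ip, port, when=None):
        """Log one connection. Returns the iptables DROP command the first
        time a source crosses the threshold, otherwise None. The command is
        only built as a string here; nothing on the host is changed."""
        when = time.time() if when is None else when
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when))
        self.hits[src_ip].add(port)
        self.log_lines.append(
            f"{stamp} trap: src={src_ip} dport={port} "
            f"distinct_ports={len(self.hits[src_ip])}"
        )
        if src_ip in self.banned or len(self.hits[src_ip]) < self.threshold:
            return None
        self.banned.add(src_ip)
        self.log_lines.append(f"{stamp} ban: src={src_ip} threshold={self.threshold}")
        return f"iptables -I INPUT -s {src_ip} -j DROP"


def serve_trap_port(port, tracker, bind="0.0.0.0"):
    """Accept and immediately close connections on one trap port, logging each."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, (src_ip, _) = srv.accept()
        conn.close()
        rule = tracker.record(src_ip, port)
        print(tracker.log_lines[-1])
        if rule:
            print("would apply:", rule)


if __name__ == "__main__":
    tracker = TrapTracker()
    for p in TRAP_PORTS:
        threading.Thread(target=serve_trap_port, args=(p, tracker), daemon=True).start()
    print(f"listening on trap ports {TRAP_PORTS}; Ctrl-C to stop")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
```

Repeat connections to the same port are logged but do not advance the counter, so a legitimate host that retries one mistyped service does not get banned; only touching several trap ports does, which is the port-scan shape the slide is after.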
32. Medium Interaction Honeypots
• TONS! But one of my favorites:
• https://github.com/desaster/kippo
• https://github.com/gfoss/kippo
• Simulate SSH Service…
33. Kippo
• Python script which simulates an SSH service that is highly customizable, portable, and adaptable.
• Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real-time.
• One of the more popular honeypots out there; as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious…
• When deploying externally, there is a risk of CnCs maintaining persistent connections.
• Can be used as a pentest tool as well :-)
36. High Interaction Honeypots
Imitate real systems or modify real hosts to act as honeypots in order to verbosely log attacker activity and capture all network and related flow data.
39. Routers and Switches
• ROMAN Hunter - Router Man Hunter
• http://sourceforge.net/projects/romanhunter/
• Configure real AP as a honeypot
• Capture MAC of attacker that bypasses security
• Correlate the MAC and add it to an organizational blacklist…
40. High Interaction Warning!
• Deploying real systems / devices / services is dangerous and requires dedicated monitoring.
• Whenever hosts can actually be compromised there is huge risk if not monitored appropriately.
• Never use the organization’s gold-standard image for the honeypot.
• Segment these hosts from the production network!
43. Honey Tokens
• Use file integrity monitoring to track all interactions with files/folders/etc. of interest. Great for network shares.
• Not just files, this can be strings, drives, directories, etc.
• Any predefined item that will generate a log when accessed/modified/etc.
• Trivial to configure…
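Added example, not from the slides, of the honey token idea as a small file integrity monitor: baseline the decoy files you have planted (size, mtime, SHA-256), re-check later, and emit a syslog-style line for anything modified, deleted or newly created. The decoy file names, the hostname honeyshare01 and the temporary directory used by run_demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time


def fingerprint(path):
    """Size, mtime and SHA-256 of one file, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def snapshot(paths):
    """Baseline (or re-check) every planted honey token file."""
    return {p: fingerprint(p) for p in paths}


def diff_snapshots(baseline, current):
    """Alert records for tokens that were modified, deleted or (re)created."""
    alerts = []
    for path, before in baseline.items():
        after = current.get(path)
        if before is not None and after is None:
            alerts.append({"path": path, "event": "deleted"})
        elif before is None and after is not None:
            alerts.append({"path": path, "event": "created"})
        elif before != after:  # both present, content or metadata changed
            alerts.append({"path": path, "event": "modified",
                           "old_sha256": before["sha256"], "new_sha256": after["sha256"]})
    return alerts


def format_alert(alert, hostname="honeyshare01"):
    """Syslog-style line for a SIEM; the hostname is a constructed placeholder."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return f"{stamp} {hostname} honeytoken event={alert['event']} path={alert['path']}"


def run_demo():
    """Plant two constructed decoys in a temp dir, tamper with them, return alerts."""
    root = tempfile.mkdtemp(prefix="honeytokens-")
    passwords = os.path.join(root, "passwords.xlsx")  # decoy name, constructed
    vpn_keys = os.path.join(root, "vpn-keys.txt")     # decoy name, constructed
    for p in (passwords, vpn_keys):
        with open(p, "wb") as fh:
            fh.write(b"decoy content")
    baseline = snapshot([passwords, vpn_keys])
    # Simulate an intruder editing one token and removing the other.
    with open(passwords, "ab") as fh:
        fh.write(b" - edited")
    os.remove(vpn_keys)
    return diff_snapshots(baseline, snapshot([passwords, vpn_keys]))


if __name__ == "__main__":
    for alert in run_demo():
        print(format_alert(alert))
```

Hash-based diffing only sees writes and deletions; a read of the decoy leaves it unchanged, so to catch reads (which is the interesting case on a share) pair this with the platform's own access auditing and feed both into the same SIEM rule.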
44. Document Bugging
• WebBug How To:
• http://ha.ckers.org/webbug.html
• WebBug Server:
• https://bitbucket.org/ethanr/webbugserver
• Bugged Files - Is your Document Telling on You?
• Daniel Crowley + Damon Smith
• https://www.youtube.com/watch?v=co1gFikKLpA
45. Document Tracking
• Same tricks used by Marketing for years, normally for tracking emails.
• Why loading external images within email is risky…
46. Document Tracking
• Documents can be tracked in the same way as email / web.
• Automating the process…
• https://github.com/gfoss/misc/tree/master/Bash/webbug
47. Document Tracking Issues
• If the document is opened up offline it will divulge information about the tracking service.
• *There is no telling how someone will react once it is discovered that they were being tracked…
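Added example, not code from the talk or from the WebBug server linked above, showing the defender's side of document bugging: each planted decoy document gets an opaque random token in its image URL, and a parser turns the tracker's access log into hits that resolve back to which decoy was opened, from where and with what client. The tracker host tracker.example.invalid, the decoy document, the share path, the token and the access-log lines are all constructed; note that the URL carries only the token, so someone who inspects the document offline sees the tracker host (the issue the slide raises) but not which document or share it was planted on.

```python
import re
import secrets
from datetime import datetime

# Hypothetical tracking host you control; it serves a 1x1 GIF and keeps an access log.
TRACKER_BASE = "https://tracker.example.invalid/pixel/"

# Apache/nginx combined-format line for a pixel request.
HIT_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /pixel/(?P<token>[0-9a-f]{16})\.gif[^"]*" \d{3} \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed access-log excerpt: one real hit, one unknown token, one unrelated request.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [12/Mar/2015:08:41:07 +0000] "GET /pixel/3f9a1c77b2d04e5a.gif HTTP/1.1" 200 43 "-" "Microsoft Office Word 2013"
198.51.100.4 - - [12/Mar/2015:08:42:30 +0000] "GET /pixel/0000000000000000.gif HTTP/1.1" 404 0 "-" "curl/7.38.0"
198.51.100.4 - - [12/Mar/2015:08:42:31 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.38.0"
"""


class WebBugRegistry:
    """Maps opaque tokens to the decoy documents they were embedded in."""

    def __init__(self):
        self.tokens = {}  # token -> {"document": ..., "placed_at": ...}

    def register(self, document, placed_at, token=None):
        """Create (or accept) a 16-hex-char token for one planted decoy."""
        token = token or secrets.token_hex(8)
        self.tokens[token] = {"document": document, "placed_at": placed_at}
        return token

    def image_url(self, token):
        """Only the token leaves with the document, never its name or location."""
        return f"{TRACKER_BASE}{token}.gif"

    def html_snippet(self, token):
        return f'<img src="{self.image_url(token)}" width="1" height="1" alt="">'

    def parse_hit(self, line):
        """One log line -> hit record, or None if it is not one of our tokens."""
        m = HIT_RE.match(line)
        if not m or m["token"] not in self.tokens:
            return None
        meta = self.tokens[m["token"]]
        opened = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"token": m["token"], "document": meta["document"],
                "placed_at": meta["placed_at"], "src_ip": m["ip"],
                "user_agent": m["ua"], "opened_at": opened.isoformat()}

    def hits(self, log_text):
        return [h for h in map(self.parse_hit, log_text.splitlines()) if h]


def run_demo():
    """Register one constructed decoy and resolve the sample log against it."""
    reg = WebBugRegistry()
    token = reg.register("Q1-salary-review.docx", r"\\fileshare01\hr$",
                         token="3f9a1c77b2d04e5a")  # fixed token so the demo is repeatable
    return reg, token, reg.hits(SAMPLE_ACCESS_LOG)


if __name__ == "__main__":
    reg, token, hits = run_demo()
    print(reg.html_snippet(token))
    for h in hits:
        print(h)
```

Requests for tokens that were never registered (the second sample line) are dropped rather than alerted on; they are worth a separate, lower-priority log entry because they usually mean someone is enumerating the tracker, which is itself a sign the trick has been noticed.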
60. Monitoring
• Dedicated SOC - Security Operations Center
• SIEM - Security Information Event Management
• Correlate and Track Events
• Evaluate Impact on the Real Environment
• Measure Risk and Actively Respond to Threats
• IDS, Network Flow Analysis, Firewalls, etc.
• Configure once and it’s smooth sailing from there…
61. Enterprise Threat Intelligence
• Develop Context-Aware Threat Intelligence
• Leverage knowledge gained from attackers to create IOCs and custom IDS and SIEM rules…
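Added example covering the Kippo and Enterprise Threat Intelligence slides together; it is not code from Kippo, from the talk or from any SIEM. It parses kippo-style login-attempt lines into IOCs per source IP (usernames and passwords tried, whether the honeypot let them "in"), searches production sshd auth logs for the same sources, rates each match (critical when the production login was accepted) and emits Snort rules for those addresses. Both log excerpts are constructed, and the kippo line layout used by the regex is an assumption to verify against your own kippo.log.

```python
import re
from collections import defaultdict

# Kippo-style honeypot lines (constructed; the exact layout is assumed).
HONEYPOT_LOG = """\
2015-03-12 08:41:07+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [root/123456] failed
2015-03-12 08:41:09+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [root/toor] succeeded
2015-03-12 08:45:30+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.77] login attempt [admin/admin] failed
"""

# Production sshd syslog lines (constructed).
PROD_AUTH_LOG = """\
Mar 12 08:52:11 prod-web01 sshd[2213]: Failed password for root from 198.51.100.23 port 51522 ssh2
Mar 12 08:52:15 prod-web01 sshd[2213]: Accepted password for deploy from 198.51.100.23 port 51530 ssh2
Mar 12 09:10:02 prod-db01 sshd[987]: Accepted publickey for backup from 10.20.30.40 port 40012 ssh2
"""

HP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)
PROD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"\w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def extract_honeypot_iocs(text):
    """source IP -> {"users": set, "passwords": set, "succeeded": bool}."""
    iocs = defaultdict(lambda: {"users": set(), "passwords": set(), "succeeded": False})
    for line in text.splitlines():
        m = HP_RE.match(line)
        if not m:
            continue
        rec = iocs[m["ip"]]
        rec["users"].add(m["user"])
        rec["passwords"].add(m["pw"])
        if m["result"] == "succeeded":
            rec["succeeded"] = True
    return dict(iocs)


def correlate(iocs, prod_text):
    """Alerts for production auth events whose source was seen in the honeypot."""
    alerts = []
    for line in prod_text.splitlines():
        m = PROD_RE.match(line)
        if not m or m["ip"] not in iocs:
            continue
        # A failed attempt from a known-bad source is bad; an accepted one is an incident.
        severity = "critical" if m["result"] == "Accepted" else "high"
        alerts.append({"severity": severity, "host": m["host"], "user": m["user"],
                       "src_ip": m["ip"], "result": m["result"], "ts": m["ts"],
                       "honeypot_users": sorted(iocs[m["ip"]]["users"])})
    return alerts


def snort_rules(iocs, base_sid=1000001):
    """One local-range Snort rule per honeypot-observed source address."""
    return [
        f'alert tcp {ip} any -> $HOME_NET any '
        f'(msg:"Honeypot-observed source {ip} touching production"; sid:{base_sid + n}; rev:1;)'
        for n, ip in enumerate(sorted(iocs))
    ]


if __name__ == "__main__":
    iocs = extract_honeypot_iocs(HONEYPOT_LOG)
    for a in correlate(iocs, PROD_AUTH_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['result']} {a['user']} from {a['src_ip']}")
    print("\n".join(snort_rules(iocs)))
```

The same loop works for any other production source (VPN, web, Windows logons) once a regex yields a source IP; the honeypot supplies the watch-list, the production logs supply the impact, and the rule output closes the loop back into the IDS as the slide describes.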
63. Automating Response
• Dynamic Honeypotting
• Deploy PowerShell and Command Line Logging
• http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist/25
64. Automating Response
• Google Rapid Response - GRR
• https://github.com/google/grr
• Netflix FIDO
• https://github.com/Netflix/Fido
• Kansa
• https://github.com/davehull/Kansa
• Power Forensics
• https://github.com/Invoke-IR/PowerForensics
65. 1 PowerShell Script
Live Data Acquisition and Incident Response
Integrates into Existing Security Processes
Remote Forensic Acquisition
Host and User Lockdown
https://github.com/gfoss/PSRecon/
68. Honeypot Dashboards
• HoneyDrive3 comes complete with dashboards and enhancement scripts to display interesting data.
• Kippo Graph
• http://bruteforce.gr/kippo-graph
• The Modern Honey Network - can also deploy!
• https://threatstream.com/blog/mhn-modern-honey-network
• LogRhythm SIEM - Honeypot Analytics Suite
70. Works Cited & Recommended Reading
• Strand, John, and Paul Asadoorian. Offensive Countermeasures: The Art of Active Defense. 2013.
• Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014.
• Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'noise'. Rockland, MA: Syngress, 2012.
• Bodmer, Sean. Reverse Deception: Organized Cyber Threat Counter-exploitation. N.p.: n.p., n.d. Print.