Turning Honeypots into an Offensive Toolkit to Secure Critical Assets
Hackit Ukraine, October 7th, 2016
Andrei Avădănei, CEO BIT SENTINEL
Apr 09, 2017
Short Bio
● CEO BIT SENTINEL (2015 - now)
● President at CCSIR.org (2013 - now)
● Founder & Coordinator of DefCamp (2011 - now)
#programming, #pentest, #reverse engineering, #code review, #social engineering, #ctf
Into The Honeypots World
● "A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems." [1]
● "A honeypot is a security resource whose value lies in being probed, attacked or compromised" [2]
● Often, honeypot features are found in IDS/IPS products
● It's just another layer of security
Honeypots by type
Low-interaction
● Might detect probing
● Attackers are unlikely to be distracted for long
● Ex: honeyd, kfsensor
Medium/High-interaction
● Might collect consistent evidence
● Can hold attackers for a while
● Ex: kippo, specter
Pure-interaction
● Full-fledged production systems
● Technology deception
● Found often in large infrastructures
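The low-interaction class above (honeyd, kfsensor, and kippo at the lower end of medium) boils down to a decoy that answers with a plausible banner, records whatever the client sends without ever executing it, and lets the defender count who came back. The following is an added example, not code from the talk or from any of the projects it names: a minimal SSH-banner decoy plus the summary step that turns its probe log into something an analyst can act on. The banner string, the port, and the sample events are constructed; the addresses are documentation ranges.

```python
"""Minimal low-interaction SSH-banner honeypot with probe logging.

Added example, not code from the talk or from kippo/honeyd. Everything
a client sends after the banner is recorded, never executed; the decoy
only answers with a fake version string.
"""
import json
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

# Constructed banner: a real decoy would mirror the build actually
# deployed in the protected network so it does not stand out.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"


def record_probe(src_ip, src_port, first_bytes, sink):
    """Build one probe event, append it to `sink` (a list) and return it."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        # the client's own identification string is a cheap tool fingerprint
        "client_id": first_bytes.decode("ascii", "replace").strip(),
    }
    sink.append(event)
    return event


def handle_client(conn, addr, sink):
    """Send the fake banner, read at most 256 bytes, log the probe, close."""
    with conn:
        conn.settimeout(5)
        try:
            conn.sendall(FAKE_BANNER)
            data = conn.recv(256)
        except (socket.timeout, OSError):
            data = b""
        print(json.dumps(record_probe(addr[0], addr[1], data, sink)))


def serve(bind_addr="127.0.0.1", port=2222, sink=None):
    """Accept connections forever; each one is handled on its own thread."""
    sink = [] if sink is None else sink
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr, sink),
                             daemon=True).start()


def summarise(events, threshold=3):
    """Return ({src_ip: probes}, {client_id: probes}, [ips at/above threshold]).

    Nothing legitimate ever talks to the decoy, so even one hit is worth a
    look; the threshold only separates scanners that came back from noise.
    """
    per_ip = Counter(e["src_ip"] for e in events)
    per_tool = Counter(e["client_id"] for e in events)
    repeat = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return dict(per_ip), dict(per_tool), repeat


# Constructed sample capture (documentation-range addresses), standing in
# for what `serve` would have appended to `sink` overnight.
SAMPLE_EVENTS = [
    {"ts": "2016-10-07T01:02:03+00:00", "src_ip": "203.0.113.5", "src_port": 51000, "client_id": "SSH-2.0-libssh2_1.4.3"},
    {"ts": "2016-10-07T01:02:09+00:00", "src_ip": "203.0.113.5", "src_port": 51001, "client_id": "SSH-2.0-libssh2_1.4.3"},
    {"ts": "2016-10-07T01:02:15+00:00", "src_ip": "203.0.113.5", "src_port": 51002, "client_id": "SSH-2.0-libssh2_1.4.3"},
    {"ts": "2016-10-07T03:40:00+00:00", "src_ip": "198.51.100.77", "src_port": 40022, "client_id": "SSH-2.0-Go"},
    {"ts": "2016-10-07T05:12:44+00:00", "src_ip": "192.0.2.9", "src_port": 33001, "client_id": ""},
]

if __name__ == "__main__":
    print(summarise(SAMPLE_EVENTS))
    serve()  # blocks until Ctrl-C; bind to the decoy's interface in real use
```

The decoy never parses the SSH protocol, which is exactly why it is cheap and why an attacker is "unlikely to be distracted for long": after the banner there is nothing to interact with. The value is in the log, so keep the event format stable and ship it to the same pipeline as your IDS alerts.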
Honeypots by specialisation
● Web honeypots - Glastopf, servlet, honeypress, nodepot, phpmyadmin_honeypot
● Service Honeypots - Kippo, honeyntp, troje, RDPy, honeyprint, hornet
● ICS/SCADA honeypots - conpot, gaspot, scada honeynet, gridpot
● Distributed sensor deployment - Smarthoneypot, Modern Honey Network, Active Defense Harbinger Distribution (ADHD)
Offensive Honeypots: What they should be like
● 24/7 “hacker” who automatically seeks for offenders & counter-attack
● Emulates pure-interaction honeypots in order to maintain a large window so the “hacker” can collect evidence about the intruder
● In some cases you won’t get a better shot on the hacker’s real identity
● Usually they have attention somewhere else (for instance, stealing your valuable data)
Offensive Honeypots: What they really are
● Active Defense/Decoy - increase cost of the attack
● Increase hacking costs
● Scaring techniques
● Counter-intelligence
● Counter-fingerprinting
● Hackers profiling
● Counter-hacking
Hint: Search for Alexey Sintsov’s experiment from ’11. Not much since then.
Motivation for Offensive Honeypots
Issues with Offensive Honeypots
● Cat and mouse game
● Forbidden by default in many countries
● Data collected might not be accepted in court
● Expensive to maintain
● Not clear what and how to do
● Hard to know when/who should be targeted from the pool of attackers
● Hard to scale/adapt to different networks
How to do it?
● Identify & Prioritize your assets based on risk (CVSS)
● Define your valuable data at risk (types)
● Look for existent honeypots or DIY
● Prepare the “weapon” according to:
○ Data type (database, documents, etc.)
○ Asset type (website, workstation, IoT, etc.)
○ Source of the attack (network layer, remote/internal, etc.)
● Launch dedicated honeypots with real capabilities (energize them with traffic)
● Collect, analyze and improve (still room for startups)
● Combine
Study Cases #1: The website
Asset: CMS (e.g. WP), Virtual Machine
Data: Database of clients
Honeypots: wordpot, honeypress, honnypotter
Source of Attack: layer 7 (web service)
Weapons
● Network & Vulnerability Scanning: OpenVAS, Arachni, Nmap, etc.
● Pwn Tools: Metasploit
● Tracking: social media, accounts history, browser vulnerabilities
● Increase time spent: decoy features
Study Cases #2: The network
Asset: Workstations, IoT, Servers
Data: Customers, Employees, Discussions, Blueprints, Documents, Backups
Honeypots: Smarthoneypot, Modern Honey Network, cloned devices
Source of Attack: layer 7 (web service)
Weapons
● Network & Vulnerability Scanning: OpenVAS, Arachni, Nmap, etc.
● Pwn Tools: Metasploit
● Tracking: social media, accounts history, browser vulnerabilities, infected documents
● Increase time spent: cloned / almost real devices / develop low-hanging fruit
Takeaways
● Keep your honeypot approaches as stealthy as possible
● Always rely on “defence in depth” and multiple detection methodologies
● There is room for the “real” offensive honeypot
● Build honeypots which increase the costs and also help you get more evidence about the incidents/attacker
Resources
● http://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php
● http://en.wikipedia.org/wiki/Honeypot
● https://media.blackhat.com/eu-13/briefings/Sintsov/bh-eu-13-honeypot-sintsov-wp.pdf
● http://www.it-docs.net/ddata/792.pdf
● http://www.darkreading.com/vulnerability/honeypot-stings-attackers-with-counterat/240151740
● http://www.slideshare.net/AndreiAvadanei/honeypots-30081437
● http://revuln.com/files/Ferrante_A_Zero_Day_Life.pdf
● https://blog.smarthoneypot.com/what-active-defence-is-and-is-not/
● https://github.com/paralax/awesome-honeypots
● https://www.honeynet.org/node/1267