Copyright 2010 Justin C. Klein Keane. Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise Behavior. Justin C. Klein Keane, Sr. InfoSec Specialist, University of Pennsylvania, School of Arts and Sciences
Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and
Fingerprint Post-Compromise Behavior
Justin C. Klein Keane, Sr. InfoSec Specialist
University of Pennsylvania, School of Arts and Sciences
Background
SSH
- Secure replacement for telnet
- RFC defined protocol (open)
- Available on most Linux/Unix machines
- Ongoing brute force attacks are seen on SSH servers
- Unfortunately we don't know what attackers are after
  - Tempting logical fallacy to assume motivation
  - Threat modeling and risk analysis depend on knowing motivation
Honeypots
- What is a honeypot? A service deliberately configured to attract malicious attention
- Why would you use one?
  - Tar pit, waste attacker time
  - Early warning, warn of attacks
  - Profiling, determine the types of attacks that are being utilized against your resources
Types of Honeypots
High interaction
- Full system installation
- Advantage is attacker has a full stack to interact with
- Disadvantage is attacker has more tools, could hide or break out of the honeypot
Low interaction
- Software implementation that simulates a system
- Controlled environment, but is much easier for attackers to detect
Danger!
Downstream liability
- Attackers could use your honeypot as a launching pad to attack others
- Attackers could host malicious content on your server
- Attacker could use your honeypot as a dump site for illegal material
Pivot point
- Attackers could end-run access control to internal resources using the honeypot
Logistical Considerations
Resource intensive
- Set up is time consuming, installation of OS and configuring software
- Analysis – it takes time to pore through logs and recreate attacker activity
- Redeployment can be a hassle, although virtual machine snap-shots make this much easier
Kojoney
- Open source low interaction SSH honeypot
- Written in Python so it should work on any platform
- http://kojoney.sourceforge.net/
- Has some flaws...
  - Static timestamps, many commands unsupported, limited filesystem, etc.
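To make the low-interaction trade-offs concrete, here is an added example of the command-emulation core of a honeypot like Kojoney, with the three weaknesses named above addressed: the `date` output is computed from an injectable clock instead of a static string, the fake filesystem is a small in-memory tree, and unsupported commands get the same error text a real shell would give. It also records every command so the session can be reconstructed later, which is the analysis step the "Logistical Considerations" slide refers to. This is illustration code written for this page, not Kojoney's own source; the fake filesystem contents, the `Session` and `summarize` names and the session/IP values in the demo are all constructed.

```python
import datetime
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed fake filesystem: directories are dicts, files are their text content.
FAKE_FS = {
    "etc": {"passwd": "root:x:0:0:root:/root:/bin/bash\n", "hostname": "web01\n"},
    "home": {"admin": {}},
    "tmp": {},
}


@dataclass
class Session:
    """One emulated SSH session and everything typed into it."""
    session_id: str
    src_ip: str
    # Injectable clock: a live clock avoids the static-timestamp tell; tests pass a fixed one.
    clock: Callable[[], datetime.datetime] = lambda: datetime.datetime.now(datetime.timezone.utc)
    cwd: List[str] = field(default_factory=list)                 # path components under /
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (timestamp, command, output)

    def _resolve(self, path):
        """Resolve an absolute or relative path in FAKE_FS -> (node or None, components)."""
        parts = [] if path.startswith("/") else self.cwd[:]
        for p in path.split("/"):
            if p in ("", "."):
                continue
            if p == "..":
                if parts:
                    parts.pop()
                continue
            parts.append(p)
        node = FAKE_FS
        for p in parts:
            if not isinstance(node, dict) or p not in node:
                return None, parts
            node = node[p]
        return node, parts

    def run(self, line):
        """Dispatch one command line, record it, and return the emulated output."""
        argv = line.strip().split()
        if not argv:
            return ""
        cmd, args = argv[0], argv[1:]
        if cmd == "date":
            out = self.clock().strftime("%a %b %d %H:%M:%S UTC %Y")
        elif cmd == "pwd":
            out = "/" + "/".join(self.cwd)
        elif cmd == "id":
            out = "uid=0(root) gid=0(root) groups=0(root)"
        elif cmd == "ls":
            target = args[0] if args else "."
            node, _ = self._resolve(target)
            if node is None:
                out = f"ls: cannot access '{target}': No such file or directory"
            elif isinstance(node, dict):
                out = "  ".join(sorted(node))
            else:
                out = target
        elif cmd == "cat":
            node, _ = self._resolve(args[0]) if args else (None, [])
            if isinstance(node, str):
                out = node.rstrip("\n")
            else:
                out = f"cat: {args[0] if args else ''}: No such file or directory"
        elif cmd == "cd":
            target = args[0] if args else "/"
            node, parts = self._resolve(target)
            if isinstance(node, dict):
                self.cwd = parts
                out = ""
            else:
                out = f"-bash: cd: {target}: No such file or directory"
        else:
            # Mirror the wording of a real bash shell for an unknown binary.
            out = f"-bash: {cmd}: command not found"
        self.log.append((self.clock().isoformat(), line.strip(), out))
        return out


def summarize(session):
    """Reconstruct what the intruder did from the recorded session log."""
    commands = [c for _, c, _ in session.log]
    unsupported = sorted({c.split()[0] for _, c, o in session.log if o.endswith("command not found")})
    files_read = [c.split()[1] for c in commands if c.startswith("cat ") and len(c.split()) > 1]
    return {"session_id": session.session_id, "src_ip": session.src_ip,
            "commands": len(commands), "unsupported": unsupported, "files_read": files_read}


if __name__ == "__main__":
    s = Session("demo-1", "203.0.113.5")  # constructed values
    for line in ("id", "cd /etc", "ls", "cat passwd", "uname -a"):
        print(f"$ {line}\n{s.run(line)}")
    print(summarize(s))
```

The `summarize` output is the kind of record a defender wants from a session: which commands were typed, which of them the emulator could not answer (each one is both a fingerprinting risk and a hint at what to implement next), and which files were read. Every command is timestamped in the log regardless of whether it was understood.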