Page 1: Honeypots for Active Defense

Honeypots for Active Defense

A Practical Guide to Honeynets within the Enterprise

Greg Foss SecOps Lead / Senior Researcher @heinzarelli

Page 2: Honeypots for Active Defense

# whoami

Greg Foss

SecOps Team Lead

Sr. Security Research Engineer

OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT

Page 3: Honeypots for Active Defense

Traditional Defensive Concepts

• Maintain a tough perimeter

• Implement layered security controls

• Block known attacks and ban malicious IPs

• Create and enforce policy to discourage misuse

Page 4: Honeypots for Active Defense

…cross our fingers

Page 5: Honeypots for Active Defense

InfoSec Realities

• There is no magic security product that will protect you or your company. Period.

• It’s when, not if — there’s always a way in…

Page 6: Honeypots for Active Defense

Not Just ‘APTs’

Page 7: Honeypots for Active Defense

Active Defense

Page 8: Honeypots for Active Defense

What is ‘Active Defense’

• All comes down to tipping the odds in our favor as defenders…

• Annoying the attacker

• Trapping them and wasting time

• Gather data + attempt attribution

• ‘Attacking Back’

• Reduce the MTTD and MTTR

• MTTD => Mean-Time-to-Detect

• MTTR => Mean-Time-to-Respond

Page 9: Honeypots for Active Defense
Page 10: Honeypots for Active Defense

Why Internal Honeypots?

• Easy to configure, deploy, and maintain

• Fly traps for anomalous activity

• They don’t even need to look legit once breached… Just enough to raise a flag.

• You will learn a ton about your adversaries. Information that will help in the future…

• *Honeypots are something to focus on after the basics have been taken care of.

Page 11: Honeypots for Active Defense

Honeypot Use Cases

• Research

• Understand how attackers think, what works, what doesn’t, and what they are after.

• Defense

• Learn from the adversary and adapt… Lay traps to catch subtle yet abnormal activities.

Page 12: Honeypots for Active Defense

Defense

Page 13: Honeypots for Active Defense

VMs

ADHD

http://sourceforge.net/projects/adhd/

Honey Drive 3

http://sourceforge.net/projects/honeydrive/

Page 14: Honeypots for Active Defense

First things first…

• Honeypots and Active Defense come after baseline security controls are in place.

• Warning banners are critical and assist in the event prosecution is necessary / desired.

Page 15: Honeypots for Active Defense

Types of Honeypots

No Interaction

Low Interaction

Medium Interaction

High Interaction

Honey Tokens / Drives / Strings / Etc.

*note - this is my interpretation, not necessarily ‘industry standard’

Page 16: Honeypots for Active Defense

No Interaction Honeypots

Primarily referred to as Honeyports, or services that simply log and/or ban on full TCP connect.

Page 17: Honeypots for Active Defense

‘No Interaction’ Honeypots

• Basic Honeyports

• Linux - NetCat and IPTables

• Windows - NetCat and Netsh

• Python and PowerShell options as well…
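A Python honeyport in the spirit of the NetCat + IPTables approach above, written for this page rather than taken from the deck or from Artillery: it logs every completed TCP handshake as a syslog-style line and bans the source with an iptables DROP rule. It assumes port 2222 is unused on the host, that the process runs as root only when `--ban` is passed, and that 127.0.0.1 is a scanner address you never want to ban.

```python
"""Minimal Linux honeyport: log every full TCP connect, ban the source once."""
import socket
import subprocess
import sys
from datetime import datetime, timezone

# Assumptions: port 2222 is otherwise unused, and the ban rule is a plain
# iptables DROP (Artillery-style); it is only executed when --ban is given.
PORT = 2222
NEVER_BAN = {"127.0.0.1"}  # vulnerability scanners, monitoring, jump hosts


def format_event(src_ip, src_port, dst_port=PORT, when=None):
    """One syslog-style line per completed TCP handshake; nothing is served."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} honeyport: connect src={src_ip}:{src_port} dst_port={dst_port} action=ban"


def ban_rule(src_ip):
    """iptables command that drops all further traffic from the source."""
    return ["iptables", "-I", "INPUT", "-s", src_ip, "-j", "DROP"]


def handle_connect(addr, banned, execute=False):
    """Log and (once per source) ban; returns the log line, or None if exempt."""
    src_ip, src_port = addr
    if src_ip in NEVER_BAN:
        return None
    if src_ip not in banned:
        banned.add(src_ip)
        if execute:
            subprocess.run(ban_rule(src_ip), check=False)
    return format_event(src_ip, src_port)


def serve(port=PORT, execute=False):
    """Accept connections forever, closing each immediately after logging it."""
    banned = set()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, addr = srv.accept()
            conn.close()  # the full connect is the signal; send no banner
            line = handle_connect(addr, banned, execute)
            if line:
                print(line, file=sys.stderr)  # forward to syslog/SIEM in practice


if __name__ == "__main__":
    serve(execute="--ban" in sys.argv)
```

Run it as `python3 honeyport.py --ban` as root to actually insert rules; without the flag it only logs, which is the safer first deployment.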

Page 18: Honeypots for Active Defense

Windows PowerShell Honeyports

Page 19: Honeypots for Active Defense

Windows PowerShell Honeyports

Page 20: Honeypots for Active Defense

Linux Honeyports

• Artillery — supports Windows too!

• https://www.trustedsec.com/downloads/artillery/

Page 21: Honeypots for Active Defense

Artillery Logging

• Port Scanning and/or Illegitimate Service Access

• Local Syslog, Flat File, or Remote Syslog options

• IPs are added to the banlist and blocked locally via IPTables

Page 22: Honeypots for Active Defense

Artillery Logging Bonus!

• File Integrity Monitoring

Page 23: Honeypots for Active Defense
Page 24: Honeypots for Active Defense

Low Interaction Honeypots

Honeypots that serve up basic content and are not interactive once breached.

Page 25: Honeypots for Active Defense

WordPot

• https://github.com/gbrindisi/wordpot

• Fake WordPress app, written in Python…

Page 26: Honeypots for Active Defense

Fake PhpMyAdmin

• https://github.com/gfoss/phpmyadmin_honeypot

• Simple fake phpmyadmin ‘app’ that logs to flat files. This same approach can be applied to anything…

Page 27: Honeypots for Active Defense

$any fake login panel

• Custom - but believable and hidden from normal users

• Can be used in ‘reverse phishing’ — discussing later…

Page 28: Honeypots for Active Defense

$any fake login panel

• Logging attacker data is standard, what if you need evidence that is a bit more tangible…

Page 29: Honeypots for Active Defense

Honeybadger

• https://bitbucket.org/LaNMaSteR53/honeybadger/

• Gain *true attribution on your adversaries…

Page 30: Honeypots for Active Defense
Page 31: Honeypots for Active Defense

Medium Interaction Honeypots

Interactive honeypots that resemble real services and provide limited functionality once breached.

Page 32: Honeypots for Active Defense

Medium Interaction Honeypots

• TONS! But one of my favorites:

• https://github.com/desaster/kippo

• https://github.com/gfoss/kippo

• Simulate SSH Service…

Page 33: Honeypots for Active Defense

Kippo

• Python script which simulates an SSH service that is highly customizable, portable, and adaptable.

• Logs to flat files and stores the full TTY session for each connection, so that attacks can be replayed in real-time.

• One of the more popular honeypots out there, as a result, attackers know how to differentiate between this and a real Linux host very quickly. Be cautious…

• When deploying externally, there is a risk of CnC’s maintaining persistent connections.

• Can be used as a pentest tool as well :-)

Page 34: Honeypots for Active Defense
Page 35: Honeypots for Active Defense

Kippo Alert Automation

https://github.com/gfoss/kippo/blob/master/replay-alert.sh
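The alerting step in Python, as an added example and not the replay-alert.sh script linked above: it scans log lines written in the style of kippo.log, raises a high-severity alert on any successful login, a medium one when a source passes a failed-login threshold, and collects the commands typed in each session. The sample log is constructed (documentation IP addresses, invented timestamps) to approximate Kippo's format.

```python
"""Alert on Kippo-style SSH honeypot log lines (added example)."""
import re
import sys
from collections import defaultdict

# Constructed sample in the style of kippo.log; IPs are documentation addresses.
SAMPLE_LOG = """\
2015-06-14 10:23:45+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.9] login attempt [root/123456] failed
2015-06-14 10:23:46+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.9] login attempt [root/password] failed
2015-06-14 10:23:47+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.9] login attempt [root/toor] succeeded
2015-06-14 10:23:50+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,12,203.0.113.9] CMD: uname -a
2015-06-14 11:02:03+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.7] login attempt [admin/admin] failed
"""

# Session id and source IP are the last two fields inside the bracketed prefix.
PREFIX = r"^(?P<ts>\S+ \S+) \[.*HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] "
LOGIN_RE = re.compile(PREFIX + r"login attempt \[(?P<user>[^/]+)/(?P<pw>[^\]]*)\] "
                      r"(?P<result>failed|succeeded)$")
CMD_RE = re.compile(PREFIX + r"CMD: (?P<cmd>.*)$")


def analyze(log_text, fail_threshold=3):
    """Return (alerts, commands): alert strings in log order, commands per (ip, session)."""
    failures = defaultdict(int)
    alerts = []
    commands = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ip = m["ip"]
            if m["result"] == "succeeded":
                # Any success on a honeypot is by definition unauthorized.
                alerts.append(f"HIGH {m['ts']} {ip} authenticated as "
                              f"{m['user']}:{m['pw']} (session {m['sid']})")
            else:
                failures[ip] += 1
                if failures[ip] == fail_threshold:
                    alerts.append(f"MEDIUM {m['ts']} {ip} reached {fail_threshold} failed logins")
            continue
        m = CMD_RE.match(line)
        if m:
            commands[(m["ip"], m["sid"])].append(m["cmd"])
    return alerts, dict(commands)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found, cmds = analyze(text)
    print("\n".join(found) or "no alerts")
    for (ip, sid), executed in cmds.items():
        print(f"{ip} session {sid}: {executed}")
```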

Page 36: Honeypots for Active Defense

High Interaction Honeypots

Imitate real systems or modify real hosts to act as honeypots in order to verbosely log attacker activity and capture all network and related flow data.

Page 37: Honeypots for Active Defense
Page 38: Honeypots for Active Defense

Analysis Tools

• LogRhythm Network Monitor and SIEM

• Suricata IDS

• http://suricata-ids.org/download/

• BRO IDS

• https://www.bro.org/

• Cuckoo Sandbox

• http://www.cuckoosandbox.org/

Page 39: Honeypots for Active Defense

Routers and Switches

• ROMAN Hunter - Router Man Hunter

• http://sourceforge.net/projects/romanhunter/

• Configure real AP as a honeypot

• Capture MAC of attacker that bypasses security

• Correlate the MAC and add it to an organizational blacklist…

Page 40: Honeypots for Active Defense

High Interaction Warning!

• Deploying real systems / devices / services is dangerous and requires dedicated monitoring.

• Whenever hosts can actually be compromised there is huge risk if not monitored appropriately.

• Never use the organization’s gold-standard image for the honeypot.

• Segment these hosts from the production network!

Page 41: Honeypots for Active Defense

Honey Tokens and Document Bugging

Tracking file access, modification, exfiltration, etc…

Page 42: Honeypots for Active Defense

File Integrity Monitoring

Page 43: Honeypots for Active Defense

Honey Tokens

• Use file integrity monitoring to track all interactions with files/folders/etc of interest. Great for network shares.

• Not just files, this can be strings, drives, directories, etc.

• Any predefined item that will generate a log when accessed/modified/etc.

• Trivial to configure…

Page 44: Honeypots for Active Defense

Document Bugging

• WebBug How To:

• http://ha.ckers.org/webbug.html

• WebBug Server:

• https://bitbucket.org/ethanr/webbugserver

• Bugged Files - Is your Document Telling on You?

• Daniel Crowley + Damon Smith

• https://www.youtube.com/watch?v=co1gFikKLpA

Page 45: Honeypots for Active Defense

Document Tracking

• Same tricks used by Marketing for years, normally for tracking emails.

• Why loading external images within email is risky…

Page 46: Honeypots for Active Defense

Document Tracking

• Documents can be tracked in the same way as email / web.

• Automating the process…

• https://github.com/gfoss/misc/tree/master/Bash/webbug
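A minimal web-bug server for the document-bugging and document-tracking slides, added here as an illustration; it is not the WebBug Server linked above nor the gfoss/misc automation. It serves a 1x1 GIF and turns each fetch into a structured event (time, per-document token, source IP, User-Agent) that can be shipped to the SIEM. The tracking hostname bug.example.invalid and the `/t.gif?id=<token>` URL layout are assumptions made for the example.

```python
"""Tiny web-bug server: serve a 1x1 GIF and log who fetched it (added example)."""
import json
import sys
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumed layout: https://bug.example.invalid/t.gif?id=<token>, one token per
# decoy document so the log tells you which file was opened, from where.
TRACK_HOST = "bug.example.invalid"
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def bug_tag(token, host=TRACK_HOST):
    """Remote image reference to embed in a decoy HTML page or document."""
    return f'<img src="https://{host}/t.gif?id={token}" width="1" height="1" alt="">'


def record(path, src_ip, user_agent, when=None):
    """Turn one pixel fetch into an event dict, or None if it is not a tracked hit."""
    url = urlparse(path)
    token = parse_qs(url.query).get("id", [None])[0]
    if url.path != "/t.gif" or not token:
        return None
    when = when or datetime.now(timezone.utc)
    return {"time": when.isoformat(), "token": token,
            "src_ip": src_ip, "user_agent": user_agent}


class BugHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        event = record(self.path, self.client_address[0],
                       self.headers.get("User-Agent", ""))
        if event is None:
            self.send_error(404)
            return
        print(json.dumps(event), file=sys.stderr)  # ship to syslog/SIEM in practice
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")  # a fresh fetch on every open
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # the JSON event above replaces the access log
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), BugHandler).serve_forever()
```

Put the server behind TLS on the tracking host and keep the token opaque; the document still reveals the hostname when opened offline, as the next slide points out.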

Page 47: Honeypots for Active Defense

Document Tracking Issues

• If the document is opened up offline it will divulge information about the tracking service.

• *There is no telling how someone will react once it is discovered that they were being tracked…

Page 48: Honeypots for Active Defense

Screwing with Attackers

• Reverse Phishing and ‘Attacking Back’

• A case study…

Page 49: Honeypots for Active Defense
Page 50: Honeypots for Active Defense
Page 51: Honeypots for Active Defense
Page 52: Honeypots for Active Defense
Page 53: Honeypots for Active Defense
Page 54: Honeypots for Active Defense
Page 55: Honeypots for Active Defense
Page 56: Honeypots for Active Defense
Page 57: Honeypots for Active Defense

• Zip Bombs

• http://unforgettable.dk - 42.zip

• BeEF - Browser Exploitation Framework

• http://beefproject.com/

• USB Killer

• http://kukuruku.co/hub/diy/usb-killer

• Clippy!

• http://www.irongeek.com/i.php?page=security/phpids-install-notes

More Tricks

Page 58: Honeypots for Active Defense

cat /dev/random | nc -nl 22

Page 59: Honeypots for Active Defense

https://github.com/nitram509/ascii-telnet-server

ASCII Art Distraction

Page 60: Honeypots for Active Defense

Monitoring

• Dedicated SOC - Security Operations Center

• SIEM - Security Information Event Management

• Correlate and Track Events

• Evaluate Impact on the Real Environment

• Measure Risk and Actively Respond to Threats

• IDS, Network Flow Analysis, Firewalls, etc.

• Configure once and it’s smooth sailing from there…

Page 61: Honeypots for Active Defense

Enterprise Threat Intelligence

• Develop Context-Aware Threat Intelligence

• Leverage knowledge gained from attackers to create IOCs and custom IDS and SIEM rules…

Page 62: Honeypots for Active Defense

Event Correlation

Page 63: Honeypots for Active Defense

Automating Response

• Dynamic Honeypotting

• Deploy PowerShell and Command Line Logging

• http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist/25

Page 64: Honeypots for Active Defense

Automating Response

• Google Rapid Response - GRR

• https://github.com/google/grr

• Netflix FIDO

• https://github.com/Netflix/Fido

• Kansa

• https://github.com/davehull/Kansa

• Power Forensics

• https://github.com/Invoke-IR/PowerForensics

Page 65: Honeypots for Active Defense

1 PowerShell Script

Live Data Acquisition and Incident Response

Integrates into Existing Security Processes

Remote Forensic Acquisition

Host and User Lockdown

https://github.com/gfoss/PSRecon/

Page 66: Honeypots for Active Defense
Page 67: Honeypots for Active Defense

Bringing it all together…

Page 68: Honeypots for Active Defense

Honeypot Dashboards

• HoneyDrive3 comes complete with dashboards and enhancement scripts to display interesting data.

• Kippo Graph

• http://bruteforce.gr/kippo-graph

• The Modern Honey Network - can also deploy!

• https://threatstream.com/blog/mhn-modern-honey-network

• LogRhythm SIEM - Honeypot Analytics Suite

Page 69: Honeypots for Active Defense
Page 70: Honeypots for Active Defense

Works Cited & Recommended Reading

• Strand, John, and Asadoorian, Paul. Offensive Countermeasures: The Art of Active Defense. 2013.

• Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014.

• Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'Noise'. Rockland, MA: Syngress, 2012.

• Bodmer, Sean. Reverse Deception: Organized Cyber Threat Counter-exploitation. N.p.: n.p., n.d. Print.

Page 71: Honeypots for Active Defense

Thank You!

Questions?

https://github.com/gfoss/

Greg Foss OSCP, GAWN, GPEN, GWAPT, GCIH, CEH

SecOps Lead / Sr. Researcher

greg.foss[at]LogRhythm.com

@heinzarelli