HOW TO MAKE A HONEYPOT
Piradon (Tien) Liengtiraphan, Vallie M. Joseph
Prof. Robert Cannistra, Marist College
© 2016 Internet2
Threats to Internet Security
- Cybersecurity threats are constantly increasing
- Technology used by attackers is steadily advancing alongside security measures
- Attackers always have the advantage (one vector needed); defenders must account for all vectors

Types of Threats
- Botnets
- DOS/DDOS
- Bulk login attempts
- Many others
- Nearly impossible to stay ahead of attackers using only defense strategies
Defensive vs Proactive Strategies
Businesses must now employ the use of not only defensive but proactive strategies as well.

Defensive
- Patching security software after harmful attacks
- Keeping security software up to date
- Searching for tools that deal specifically with the type of attack the business is suffering from
- Example: Patch-and-Pray

Proactive
- Using analytics to adjust security protocols as needed
- Predict/identify attack patterns
- Allow firewalls and other cybersecurity protocols to learn from attacks
- Example: Honeypots
What is a honeypot?
“A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked.”
- Loras R. Even (SANS)
Cowrie
Why do we need honeypots? Diverting Attackers
A data breach is the unfortunate result of a lack of security. However, having a wall that absorbs a majority of attacks can keep your system and information safe. Having a resource that looks valuable and is easily accessed helps shift focus away from other, better protected resources.

Why not simply block all attacks?
- A plethora of valuable information is gained from the attacks on the system
- That information can be used for later analytics
- Analytics can then be used to create predictive security protocols
- It is just as important to know what people do once they are in as how they get in.
Why do we need honeypots? Data Collection
What to collect?
- IP, username/password combination, geolocation, ISP, etc.
- Is relative to what purpose the honeypot serves
What do we do with the data?
- Learn more about attackers
- Use what is learned to perform predictive analytics
How do we do this?
- Longtail
- Syslog analyzers
- IP counting functions, country counting functions, etc.
Longtail Analytics
- Open source analytics software
- Created at Marist College
- Crawls through information provided by SSH honeypots
- Analyzes different types of attacks to sort them into attack patterns

Attack Patterns
- Can determine if the attack is a botnet attack
- Also identifies and classifies botnets
- Information has use for the future
- Could be used to create dynamic firewalls
- Proactively deploy security protocols to help defend against attacks
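The "IP counting", "country counting" and "attack pattern" steps above are easy to picture concretely. The script below is an added example written for this page; it is not code from the presentation, from Longtail or from Cowrie. The log lines are constructed (their shape is modelled on Cowrie's plain-text login-attempt lines, but every address, timestamp and credential is invented), the IP-to-country table is a hand-made stand-in for a GeoIP lookup, and the "coordinated attempt" thresholds are illustrative assumptions, not Longtail's classification rules.

```python
"""Toy SSH-honeypot log analyzer (added example; not Longtail or Cowrie code)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three source IPs trying the same two credential
# pairs within seconds of each other, plus one lone source with its own list.
SAMPLE_LOG = """\
2016-04-12T10:22:45Z [SSHService ssh-userauth on HoneyPotSSHTransport,1,203.0.113.5] login attempt [root/123456] failed
2016-04-12T10:22:47Z [SSHService ssh-userauth on HoneyPotSSHTransport,2,198.51.100.7] login attempt [root/123456] failed
2016-04-12T10:22:49Z [SSHService ssh-userauth on HoneyPotSSHTransport,3,192.0.2.9] login attempt [root/123456] failed
2016-04-12T10:22:52Z [SSHService ssh-userauth on HoneyPotSSHTransport,1,203.0.113.5] login attempt [admin/admin] failed
2016-04-12T10:22:53Z [SSHService ssh-userauth on HoneyPotSSHTransport,2,198.51.100.7] login attempt [admin/admin] failed
2016-04-12T10:22:55Z [SSHService ssh-userauth on HoneyPotSSHTransport,3,192.0.2.9] login attempt [admin/admin] succeeded
2016-04-12T11:05:01Z [SSHService ssh-userauth on HoneyPotSSHTransport,4,203.0.113.77] login attempt [pi/raspberry] failed
2016-04-12T11:05:04Z [SSHService ssh-userauth on HoneyPotSSHTransport,4,203.0.113.77] login attempt [pi/raspberryPi] failed
"""

# One login-attempt line: timestamp, transport id, source IP, credentials, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[SSHService ssh-userauth on \w+,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

# Assumed, hand-made IP -> country table standing in for a GeoIP database
# (every value here is invented; no real lookup is performed).
FAKE_GEO = {"203.0.113.5": "US", "198.51.100.7": "DE", "192.0.2.9": "BR", "203.0.113.77": "US"}


def parse_log(text):
    """Return one dict per well-formed login-attempt line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def count_ips(events):
    """IP counting: attempts per source address, most active first."""
    return Counter(ev["ip"] for ev in events).most_common()


def count_countries(events, geo=FAKE_GEO):
    """Country counting: attempts per country; unmapped addresses are bucketed as '??'."""
    return Counter(geo.get(ev["ip"], "??") for ev in events).most_common()


def count_credentials(events):
    """Username/password pairs ranked by how often they were tried."""
    return Counter((ev["user"], ev["pw"]) for ev in events).most_common()


def find_coordinated(events, min_sources=3, window=timedelta(seconds=30)):
    """Botnet-style pattern: the same credential pair tried from at least
    `min_sources` distinct IPs inside one `window`. Returns (credential, sorted IPs)
    tuples. The thresholds are illustrative, not a classification standard."""
    by_cred = defaultdict(list)
    for ev in events:
        by_cred[(ev["user"], ev["pw"])].append(ev)
    hits = []
    for cred, evs in by_cred.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Sliding window anchored at each attempt in turn.
            ips = {e["ip"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ips) >= min_sources:
                hits.append((cred, sorted(ips)))
                break
    return hits


def successful_logins(events):
    """Credentials that got in; tracking what happens next starts from these."""
    return [(ev["ip"], ev["user"], ev["pw"]) for ev in events if ev["result"] == "succeeded"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("attempts per IP:", count_ips(evs))
    print("attempts per country:", count_countries(evs))
    print("top credentials:", count_credentials(evs))
    print("coordinated credentials:", find_coordinated(evs))
    print("successful logins:", successful_logins(evs))
```

Run as-is to see the counts for the constructed log; point `parse_log` at a real honeypot log file to get the same tables for live data. The coordination check is the simplest form of the "attack pattern" idea on the slides: a single source cycling through a wordlist and many sources sharing one wordlist look identical in a per-IP count, and only the cross-IP view separates them.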
Issue with Honeypots: Fingerprinting / Fingerprint Scanning
Fingerprinting
“The act of performing a deep, intensive scan on a network or program to enumerate its sources and dependencies”
- TechTarget
- Attacker can then find the weakness specific to the network they fingerprint
- If a resource can be fingerprinted, the information gained could be used to compromise the system.
- A honeypot must be convincing, ergo it must mimic everything, down to the resource’s fingerprint
- Achieving a full mimic can be difficult, especially if the honeypot lies on a different server or port
Fingerprinting
- Through our vendor partners we have been able to prevent fingerprinting of a protected resource.
- However, for a honeypot to work it must still mimic the resource to the best of its ability
- Best to spoof the fingerprint
- Depending on the type of honeypot created (client, SSH, application specific, etc.), different items may need to be spoofed

For example, SSH Honeypot:
- Needs to have an equal number of open ports as the real SSH portal
- Should have similar libraries installed on it

Client Honeypot:
- Should run on the same kind of server as the real client
- Must mimic the look and feel of the client
Examples of Fingerprinting
12 Open Ports Found

Fingerprinting with BlackRidge
Conclusion
- An effective security plan must include both offensive and defensive strategies
- For adequate security there needs to be defense in depth
- Use of a multitude of technologies such as firewalls, specific security protocols and adaptive security
- Honeypots add an additional layer of security, but can also be used to generate data for predictive security
- The honeypot should fingerprint as the detected resource
- Data collected from the honeypot is sent to be analyzed by an open source analytics software codenamed “Longtail”
- The output of Longtail is then used to generate information that serves to represent the general trend of attacks toward the secured resource