Date posted: 20-Jan-2017
Honeypots for Cloud Providers
Matthew A. Johnson, Professional Lecturer of Computing, [email protected]
Daniel Jast, Vallie Joseph, Piradon Liengtiraphan
Challenges for providers/carriers
- Networks are moving toward SDN and NFV
- Adoption/migration presents new challenges
- Virtualized appliances are software
  - Typically VMs running a familiar OS (Linux, BSD, Windows)
  - May be accessed remotely (e.g., via SSH)
- As such they have traditional IT vulnerabilities
  - Remote intrusion
  - Denial of service
- Imagine losing a vrouter, firewall, controller or load balancer!
Security policy implications
- Awareness of threats to network resources is critical
  - Actively monitor access attempts
  - Record attack data for future audit or analysis
- Defensive measures must be appropriately deployed
  - Block/divert unauthorized access
  - Hide virtual network resources to mitigate DDoS
- Analytics can transform attack data into threat intelligence
  - Orchestrate/deploy both proactive and reactive measures
Traditional defense strategies
- Corporations often use "Patch-and-Pray" [1]
  - Patching security software after harmful attacks
  - Keeping security software up to date
  - Finding tools to deal specifically with attack types suffered previously
- These strategies assume that the attacks have already happened
  - By the time a company discovers an attack, it is usually too late
  - Damage is already done
  - Business now spends additional funds to remedy the situation
  - Examples: Yahoo, Sony, AT&T
1. http://blog.eiqnetworks.com/blog/don-t-rely-on-patch-and-pray-use-vulnerability-management-to-secure-your-network
Evolving threat landscape
- Threat landscape is constantly changing
  - Attack technologies evolve alongside new security measures
- Various types of threats
  - Brute force attackers
  - Botnets
  - Advanced persistent threats
- Attackers have the advantage
  - Only one vector needs to work
  - Defenders must account for all attack vectors
- Cannot stay ahead of attackers using only traditional defense strategies
"Smart" Defense
- Using analytics to adjust security protocols as needed
  - Generated from detailed attacker information collected from honeypots
  - Constantly updated with new attacker data
- Predict attack patterns
  - Patterns drawn from similarities in data
- Allow firewalls and other cybersecurity protocols to learn from attacks
- Data collection and analytics are required for adaptive security protocols
  - Honeypots can collect this data
Cowrie
What is a honeypot?
"A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked." [1]
More generally… "a security resource whose value lies in being probed, attacked, or compromised." [2]
1. https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9
2. http://www.honeypots.net/
Why do we need honeypots?
- Honeypots keep systems and information safer by attracting attacks
  - Breaches result from gaps in, or lack of, security
  - Easily accessible resources that appear valuable will divert attackers
  - Protected resources with real value might be overlooked
- Why not simply block all attacks?
  - A plethora of valuable information is gained from the attacks on the system
  - Information can be used for auditing as well as analytics
  - Analytics enable predictive security protocols
- Additional capabilities
  - Learn not only how attackers get in… but what they do once they get in
Honeypot data collection
- Honeypots typically provide analytics software with basic information
  - IP address
  - Username/password credentials
  - Time stamps
- Analytics can be improved by providing additional details
  - Client information (operating system, web browser, etc.)
  - Geolocation
  - ISP data
What can we do with the data?
- Learn more about attackers
  - Classifying attack patterns
  - Detecting trends
- Use what is learned to perform predictive analytics
  - Use dynamically provisioned firewalls to prevent future attacks
  - Blacklist IP addresses
  - Identify harmful geographical groups and areas
- How do we do this?
  - Longtail syslog analyzers (IP counting functions, country counting functions, etc.)
Longtail Analytics
- Open source analytics software
  - Developed at Marist College
- Crawls through information provided by honeypots
- Analyzes different types of attacks to sort them into attack patterns
Attack Patterns
- Example: determine if the attack is a botnet attack
  - Identifies and classifies botnets
- Information has use for the future
  - Could be used to create dynamic firewalls
  - Proactively deploy security protocols to help defend against attacks
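An added example (not Longtail's or Cowrie's own code) of the analysis the two slides above describe: a Longtail-style pass over honeypot login records that counts attempts per source IP and per country and classifies a botnet as the same credential list being replayed from several distinct IPs. The log lines and the IP-to-country table are constructed; the country table stands in for a GeoIP lookup.

```python
"""Added example, not Longtail's or Cowrie's own code: count honeypot logins per
IP and per country and flag credential lists replayed from several IPs."""
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Cowrie's JSON log (not real captures).
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","timestamp":"2017-01-20T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"admin","timestamp":"2017-01-20T10:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.4","username":"root","password":"123456","timestamp":"2017-01-20T10:00:05Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.4","username":"root","password":"admin","timestamp":"2017-01-20T10:00:06Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.9","username":"root","password":"123456","timestamp":"2017-01-20T10:01:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.9","username":"root","password":"admin","timestamp":"2017-01-20T10:01:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.50","username":"pi","password":"raspberry","timestamp":"2017-01-20T10:02:00Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.50","timestamp":"2017-01-20T10:01:59Z"}
"""
# Constructed IP-to-country table standing in for a GeoIP lookup (hypothetical).
GEO = {"198.51.100.7": "US", "203.0.113.4": "DE", "192.0.2.9": "US", "192.0.2.50": "BR"}

def parse_events(text):
    """Return the login-failure events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            continue
        if ev and ev.get("eventid") == "cowrie.login.failed":
            events.append(ev)
    return events

def count_by_ip(events):
    """Longtail-style IP counting: failed logins per source address."""
    return Counter(e["src_ip"] for e in events)

def count_by_country(events, geo=GEO):
    """Longtail-style country counting; addresses not in the table count as '??'."""
    return Counter(geo.get(e["src_ip"], "??") for e in events)

def find_botnets(events, min_ips=3):
    """Group sources by the exact, time-ordered credential list each tried; the
    same list replayed from min_ips or more distinct IPs is reported as one botnet."""
    tried = defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        tried[e["src_ip"]].append((e["username"], e["password"]))
    members = defaultdict(set)
    for ip, creds in tried.items():
        members[tuple(creds)].add(ip)
    return {creds: sorted(ips) for creds, ips in members.items() if len(ips) >= min_ips}
```

On the sample log, three IPs in two countries replay the same two-credential list and are grouped as one botnet, while the lone "pi"/"raspberry" source is not.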
Issues with honeypots
- Vulnerable to fingerprinting
  - Scanning a network will reveal identifying characteristics
  - Attackers can find weaknesses specific to the network they fingerprint
  - If a honeypot can be fingerprinted then attackers can avoid it
  - Need to make honeypots hard to fingerprint
- Original resources are still vulnerable
  - Prone to reconnaissance scans
  - Honeypots effectively fail if the attacker finds the real resource
  - Need to also hide the real resources
Fingerprinting Examples
(scan screenshot: "12 Open Ports Found")
Preventing Fingerprinting
- A convincing honeypot must mimic the fingerprint of the real resource
- Approach depends on the type of honeypot (SSH, client, application, etc.)
  - SSH honeypot: same open ports as the real portal, same responses to login attempts, same libraries installed
  - Client honeypot: same server type and version, same look and feel
- Nearly impossible to mimic the real resource exactly
  - Honeypot must always reside on a different server or port
Current security products start after network sessions are established.
First Packet Authentication stops unauthorized access at the earliest possible time.
(figure: packet flows over time, session setup followed by data)
Before caller-ID… must answer to determine identity
After caller-ID… only answer known and trusted callers
First-Packet Authentication™
- Problem with traditional protocols
  - Identity of user/device determined only AFTER establishing the session
  - Leaves networks vulnerable to several kinds of attacks
- BlackRidge Transport Access Control (TAC) solves the problem
  - Authenticate identity and enforce policy on the first packet, before the session
Cloaking with BlackRidge
- Hiding critical resources
  - First-packet authentication™ blocks without revealing info to an attacker
  - With BlackRidge we can completely cloak desired devices
  - These devices include but are not limited to: SDN controllers, ESXi servers, virtual machines, etc.
- Defense in Depth
  - Combine with honeypots to more effectively divert traffic
  - Optimal data collection requires catching more attacks on the honeypot
BlackRidge examples
(scan screenshots: open ports and host details without BlackRidge vs. with BlackRidge)
- Firewall/IPS protection: the firewall/IPS allows a large number of TCP connection attempts through and information to leak.
- BlackRidge protection: BlackRidge does not allow any unauthorized connection attempts or scans (information leakage) to occur.
BlackRidge in testbed
(testbed diagram; labelled components: WDM Node, CWDM Node B, SDN Controller and Network Hypervisor with cloud orchestrator API, Orchestrator with Application Security Policy, Brocade/Vyatta 5600 V-Router/Firewall, Ciena Metro Ethernet, Marist API code, Marist LongTail Honeypots & Analytics, Marist Remote Management App, NetConf)
NYS CCAC Ecosystem
Honeypot popularity
- Companies are increasingly interested in this space [1,2,3]
  - Seeking more data to support security analytics
  - Setting up honeypots in their networks
  - Tenants might be deploying these technologies in the cloud
- Providers have an opportunity to enhance their cloud offerings
  - SECurity as a Service: "a business model in which a large service provider integrates their security services into a corporate infrastructure on a subscription basis more cost effectively than most individuals or corporations can provide on their own, when total cost of ownership is considered" [4]
1. A. Jain, B. Buksh, "Advance Trends in Network Security with Honeypot and its Comparative Study with other Techniques", IJETT 29/6, Nov 2015
2. http://www.infoworld.com/article/3128818/security/10-decisions-youll-face-when-deploying-a-honeypot.html
3. https://www.honeynet.org/blog
4. http://searchsecurity.techtarget.com/definition/Security-as-a-Service
Opportunities for SECaaS
- What can providers do?
  - Deploy their own honeypots
  - Collect data for historical and predictive analytics
- Honeypots as a service
  - Offer templates to customers who wish to use honeypots
  - Simplify setup and deployment
- Security analytics as a service
  - Up-to-date threat intelligence can enable dynamic security policies
  - Offer tenants access to valuable information from honeypot analytics
Conclusion
- SDN+NFV poses new cybersecurity challenges for providers
- Adaptive, intelligence-driven security measures are needed
- Honeypots not only add a layer of security… they can also capture vital data
- Analytics (e.g. "Longtail") leverage data for prediction and real-time response
- Pair honeypots with cloaking technologies for Defense in Depth
- Honeypots and threat analytics also present SECaaS opportunities
Acknowledgements
This work is supported in part by the National Science Foundation grant 1541384, Campus Cyberinfrastructure - Data, Networking and Innovation Program (CC-DNI), per NSF solicitation 15-534, for the project entitled "CC-DNI Integration (Area 4): Application Aware Software-Defined Networks for Secure Cloud Services (SecureCloud)".
Questions?