Honeypots for Cloud Providers - SDN World Congress

Date post: 20-Jan-2017
Page 1

Honeypots for Cloud Providers

Matthew A Johnson, Professional Lecturer of Computing Technology, [email protected]

Daniel Jast, Vallie Joseph, Piradon Liengtiraphan

Page 2

Challenges for providers/carriers

- Networks are moving toward SDN and NFV
- Adoption/migration presents new challenges
- Virtualized appliances are software
  - Typically VMs running a familiar OS (Linux, BSD, Windows)
  - May be accessed remotely (e.g., via SSH)
  - As such they carry traditional IT vulnerabilities: remote intrusion, denial of service
  - Imagine losing a vRouter, firewall, controller, or load balancer!

Page 3

Security policy implications

- Awareness of threats to network resources is critical
  - Actively monitor access attempts
  - Record attack data for future audit or analysis
- Defensive measures must be appropriately deployed
  - Block/divert unauthorized access
  - Hide virtual network resources to mitigate DDoS
- Analytics can transform attack data into threat intelligence
  - Orchestrate/deploy both proactive and reactive measures

Page 4

Traditional defense strategies

- Corporations often use "patch-and-pray" [1]
  - Patching systems after a harmful attack
  - Keeping security software up to date
  - Finding tools that deal specifically with attack types suffered previously
- These strategies assume that the attacks have already happened
  - By the time a company discovers an attack, it is usually too late
  - The damage is already done; the business now spends additional funds to remedy the situation
  - Examples: Yahoo, Sony, AT&T

1. http://blog.eiqnetworks.com/blog/don-t-rely-on-patch-and-pray-use-vulnerability-management-to-secure-your-network

Page 5

Evolving threat landscape

- The threat landscape is constantly changing
  - Attack techniques evolve alongside new security measures
- Various types of threats
  - Brute-force attackers
  - Botnets
  - Advanced persistent threats
- Attackers have the advantage
  - Only one vector needs to work
  - Defenders must account for all attack vectors
- Cannot stay ahead of attackers using only traditional defense strategies

Page 6

"Smart" defense

- Use analytics to adjust security controls as needed
  - Generated from detailed attacker information collected from honeypots
  - Constantly updated with new attacker data
- Predict attack patterns
  - Patterns are drawn from similarities in the data
- Allow firewalls and other security controls to learn from attacks
  - Data collection and analytics are required for adaptive security policies
- Honeypots can collect this data

Page 7

What is a honeypot?

[Figure: Cowrie (an SSH/Telnet honeypot)]

"A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked." [1]

More generally, "a security resource whose value lies in being probed, attacked, or compromised." [2]

1. https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9
2. http://www.honeypots.net/

Page 8

Why do we need honeypots?

- Honeypots keep systems and information safer by attracting attacks
  - Breaches result from gaps in, or lack of, security
  - Easily accessible resources that appear valuable will divert attackers
  - Protected resources with real value might then be overlooked
- Why not simply block all attacks?
  - A plethora of valuable information is gained from the attacks on the system
  - The information can be used for auditing as well as analytics
  - Analytics enable predictive security policies
- Additional capabilities
  - Learn not only how attackers get in, but what they do once they get in

Page 9

Honeypot data collection

- Honeypots typically provide analytics software with basic information
  - IP address
  - Username/password credentials
  - Time stamps
- Analytics can be improved by providing additional details
  - Client information (operating system, web browser, etc.)
  - Geolocation
  - ISP data

Page 10

What can we do with the data?

- Learn more about attackers
  - Classify attack patterns
  - Detect trends
- Use what is learned to perform predictive analytics
  - Use dynamically provisioned firewalls to prevent future attacks
  - Blacklist IP addresses
  - Identify harmful geographical groups and areas
  - Caveat: address- and country-based blocking is coarse; botnet sources rotate, so blacklist entries need an expiry and a false-positive review
- How do we do this?
  - Longtail syslog analyzers (IP counting functions, country counting functions, etc.)

Page 11

Longtail analytics

- Open-source analytics software
  - Developed at Marist College
  - Crawls through the information provided by honeypots
  - Analyzes different types of attacks to sort them into attack patterns
- Attack patterns
  - Example: determine whether an attack is a botnet attack
  - Identifies and classifies botnets
  - The information has use for the future
- Could be used to create dynamic firewalls
  - Proactively deploy security policies to help defend against attacks
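The data-collection and analytics steps on pages 9 through 11, as an added example (my own illustration, not Longtail's code or anything from the Marist project): it reads Cowrie-style JSON log lines (the field names are those Cowrie emits; the lines themselves are constructed for this example), counts login attempts per source address, flags brute-force sources with a sliding time window, groups sessions that replay the same credential list from different addresses into a botnet-style signature, and turns the result into a blocklist a dynamically provisioned firewall could consume. The threshold and window length are assumptions.

```python
"""Toy analytics over Cowrie-style JSON logs (added example; not Longtail's code).

Assumptions: field names follow Cowrie's JSON output (eventid, timestamp,
src_ip, session, username, password, input); the log lines below are
constructed for this example and use documentation address ranges.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample. Two unrelated sources replay the same credential list in
# the same order (a botnet-style signature); a third source logs in and runs a command.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","timestamp":"2017-01-20T10:15:01.000000Z","src_ip":"203.0.113.5","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2017-01-20T10:15:02.000000Z","src_ip":"203.0.113.5","session":"a1","username":"root","password":"password"}
{"eventid":"cowrie.login.failed","timestamp":"2017-01-20T10:15:03.000000Z","src_ip":"203.0.113.5","session":"a1","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","timestamp":"2017-01-20T11:02:11.000000Z","src_ip":"198.51.100.7","session":"b2","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2017-01-20T11:02:12.000000Z","src_ip":"198.51.100.7","session":"b2","username":"root","password":"password"}
{"eventid":"cowrie.login.failed","timestamp":"2017-01-20T11:02:13.000000Z","src_ip":"198.51.100.7","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","timestamp":"2017-01-20T12:30:01.000000Z","src_ip":"192.0.2.9","session":"c3","username":"pi","password":"raspberry"}
{"eventid":"cowrie.login.success","timestamp":"2017-01-20T12:30:05.000000Z","src_ip":"192.0.2.9","session":"c3","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","timestamp":"2017-01-20T12:30:09.000000Z","src_ip":"192.0.2.9","session":"c3","input":"uname -a"}
this line is corrupt and must be skipped
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_lines(text):
    """One JSON object per line; malformed lines are skipped, timestamps parsed."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return events


def login_attempts_by_ip(events):
    """'IP counting': login attempts (failed or successful) per source address."""
    return Counter(e["src_ip"] for e in events if e["eventid"] in LOGIN_EVENTS)


def brute_force_ips(events, threshold=3, window_seconds=60):
    """Sources with at least `threshold` failed logins inside one sliding window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["eventid"] == "cowrie.login.failed":
            per_ip[e["src_ip"]].append(e["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def botnet_signatures(events, min_sources=2):
    """Ordered credential sequences replayed by several distinct sources.

    The same password list tried in the same order from unrelated addresses is
    the kind of similarity used to group sessions into one botnet.
    Returns {sequence: sorted source IPs}.
    """
    per_session, session_ip = defaultdict(list), {}
    for e in events:
        if e["eventid"] in LOGIN_EVENTS:
            per_session[e["session"]].append((e["username"], e["password"]))
            session_ip[e["session"]] = e["src_ip"]
    by_seq = defaultdict(set)
    for sess, seq in per_session.items():
        by_seq[tuple(seq)].add(session_ip[sess])
    return {seq: sorted(ips) for seq, ips in by_seq.items() if len(ips) >= min_sources}


def post_login_commands(events):
    """What attackers did once inside: {src_ip: [commands]}."""
    cmds = defaultdict(list)
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            cmds[e["src_ip"]].append(e["input"])
    return dict(cmds)


def blocklist(events):
    """Addresses for a dynamically provisioned firewall: brute-forcers plus every
    member of a shared-signature group. Give entries an expiry; botnets rotate IPs."""
    ips = set(brute_force_ips(events))
    for members in botnet_signatures(events).values():
        ips.update(members)
    return sorted(ips)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print("attempts per IP:", dict(login_attempts_by_ip(evs)))
    print("brute force:", brute_force_ips(evs))
    print("botnet signatures:", botnet_signatures(evs))
    print("post-login commands:", post_login_commands(evs))
    print("blocklist:", blocklist(evs))
```

The signature grouping is deliberately strict (identical ordered list); a real analyzer would also tolerate partial overlap and add the geolocation and ISP fields from page 9, which need an external database and are left out here.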

Page 12 (no transcript text for this slide)
Page 13

Issues with honeypots

- Vulnerable to fingerprinting
  - Scanning a network reveals identifying characteristics
  - Attackers can find weaknesses specific to the network they fingerprint
  - If a honeypot can be fingerprinted, attackers can avoid it
  - Need to make honeypots hard to fingerprint
- The original resources are still vulnerable
  - Prone to reconnaissance scans
  - Honeypots effectively fail if the attacker finds the real resource
  - Need to also hide the real resources

Slide comments:

Piradon Liengtiraphan: This might be my misunderstanding, but as far as I know we don't want so much to "avoid" fingerprinting as to fool it. A honeypot should fingerprint like the critical resource that it represents; I don't think there's a way to avoid it.

Vallie Joseph: Any suggested rewording?

Matthew Johnson: Yes, the problem is that an attacker can avoid the honeypot. We don't want them to. That is why this is a vulnerability of honeypots, and why we need to make them harder to fingerprint.

Matthew Johnson: I think that the first top-level bullet and the following one together make that clear... but in case anyone might misinterpret, perhaps you can just make sure to elaborate when speaking to the slide.
Page 14

Fingerprinting examples

[Screenshot: port scan of the target reporting "12 Open Ports Found"]

Page 15

Preventing fingerprinting

- A convincing honeypot must mimic the fingerprint of the real resource
  - The approach depends on the type of honeypot (SSH, client, application, etc.)
- SSH honeypot
  - Same open ports as the real portal
  - Same responses to login attempts
  - Same libraries installed (the server banner and the algorithm lists it offers are visible before any login)
- Client honeypot
  - Same server type and version
  - Same look and feel
- It is nearly impossible to mimic the real resource exactly
  - The honeypot must always reside on a different server or port
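To check how convincing an SSH honeypot is against the criteria on this slide, here is an added example (not from the slides, and not Cowrie's code) that compares the two things a scanner sees before any login: the SSH identification string and the algorithm name-lists in the server's SSH_MSG_KEXINIT. It includes a builder and a parser for the KEXINIT packet so the comparison can be exercised offline; REAL and DECOY are constructed values rather than measurements of any product, and grab_fingerprint() collects the same data from a live host.

```python
"""Compare an SSH honeypot's pre-login fingerprint with the real host's.

Added example, not from the slides or Cowrie. A scanner can tell two SSH
servers apart before any login from the identification string (RFC 4253
section 4.2) and the algorithm name-lists in SSH_MSG_KEXINIT (section 7.1).
The REAL and DECOY values below are constructed, not measured from any product.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
KEX_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT packet as sent on the wire before encryption starts."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEX_FIELDS:
        value = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(value)) + value
    payload += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    padding = 8 - (len(payload) + 5) % 8      # total length must be a multiple of 8
    if padding < 4:
        padding += 8                          # and padding must be at least 4 bytes
    body = bytes([padding]) + payload + b"\x00" * padding
    return struct.pack(">I", len(body)) + body


def parse_kexinit(packet):
    """Return {field: [algorithm names]} from a raw KEXINIT packet."""
    (packet_len,) = struct.unpack(">I", packet[:4])
    padding_len = packet[4]
    payload = packet[5:4 + packet_len - padding_len]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    pos, lists = 17, {}                        # skip message type and 16-byte cookie
    for name in KEX_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += 4 + n
    return lists


def fingerprint_diff(real, decoy):
    """Everything a scanner would see differ: banner and each name-list."""
    diffs = {}
    if real["banner"] != decoy["banner"]:
        diffs["banner"] = (real["banner"], decoy["banner"])
    for name in KEX_FIELDS:
        if real["kex"].get(name, []) != decoy["kex"].get(name, []):
            diffs[name] = (real["kex"].get(name, []), decoy["kex"].get(name, []))
    return diffs


def grab_fingerprint(host, port=22, timeout=5.0):
    """Live capture of banner + KEXINIT from a server; no authentication attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # servers may send text lines first
            line = f.readline()
        s.sendall(b"SSH-2.0-fpcheck_0.1\r\n")
        header = f.read(4)
        (n,) = struct.unpack(">I", header)
        packet = header + f.read(n)
    return {"banner": line.strip().decode("ascii", "replace"), "kex": parse_kexinit(packet)}


# Constructed sample fingerprints (assumption: the production host runs a recent
# OpenSSH; the decoy advertises an older version and a different KEX list).
REAL = {"banner": "SSH-2.0-OpenSSH_7.4",
        "kex": {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
                "host_key": ["ssh-ed25519", "ssh-rsa"],
                "enc_c2s": ["aes128-ctr", "aes256-gcm@openssh.com"],
                "enc_s2c": ["aes128-ctr", "aes256-gcm@openssh.com"],
                "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
                "comp_c2s": ["none"], "comp_s2c": ["none"],
                "lang_c2s": [], "lang_s2c": []}}
DECOY = {"banner": "SSH-2.0-OpenSSH_6.0p1",
         "kex": dict(REAL["kex"], kex=["diffie-hellman-group14-sha1"],
                     host_key=["ssh-rsa"])}

if __name__ == "__main__":
    for field, (r, d) in fingerprint_diff(REAL, DECOY).items():
        print(f"{field}: real={r} decoy={d}")
```

Run grab_fingerprint() against the production host and the honeypot and feed both results to fingerprint_diff(); an empty result means the two are indistinguishable at this layer, which is the bar the slide sets. Open-port sets and login-response behaviour still have to be compared separately.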

Page 16: Honeypots for Cloud Providers - SDN World Congress

Current security products start after network sessions are established.

First Packet Authentication stops unauthorized access at the earliest possible time.

time

Data

Packet Flows

SessionSetup

Before caller-ID…must answer to determine identity

After caller-ID…only answer knownand trusted callers

First-Packet Authentication™ Problem with traditional protocols

Identity of user/device determined only AFTER establishing session Leaves networks vulnerable to several kinds of attacks

BlackRidge Transport Access Control (TAC) solves the problem Authenticate identity & enforce policy on first packet before session

Page 17

Cloaking with BlackRidge

- Hiding critical resources
  - First-packet authentication™ blocks without revealing information to an attacker
  - With BlackRidge we can completely cloak selected devices
  - These devices include, but are not limited to, SDN controllers, ESXi servers, virtual machines, etc.
- Defense in depth
  - Combine with honeypots to divert traffic more effectively
  - Optimal data collection requires catching more attacks on the honeypot
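To make the difference between session-time checks and a first-packet check concrete, here is an added toy model (my illustration of the concept on pages 16 and 17 only, not BlackRidge's protocol, token format or code; the HMAC token, its 32-bit size, the time slot and the skew tolerance are all assumptions): a gateway that validates a per-identity token carried in the TCP SYN's initial sequence number and silently drops everything else, next to a classic stateful firewall that answers every SYN.

```python
"""Toy model of first-packet authentication next to an ordinary firewall.

Added illustration of the idea on these slides, not BlackRidge's protocol,
token format or code: the HMAC construction, 32-bit token size, time slot and
skew tolerance are all assumptions. What it shows is that identity is checked
on the very first packet (a TCP SYN) and an unknown sender gets no reply of
any kind, so a scan of a cloaked host learns nothing.
"""
import hashlib
import hmac
import struct

SLOT_SECONDS = 30   # assumption: token bound to a coarse time slot to limit replay


def make_token(key, identity, now):
    """32-bit token the sender embeds in its first packet (here: the SYN's ISN)."""
    slot = int(now) // SLOT_SECONDS
    mac = hmac.new(key, f"{identity}:{slot}".encode(), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def gateway_decide(keys, policy, syn, now):
    """Gate a SYN {src, dst_port, isn} before any session exists.

    keys: {identity: shared key}; policy: {identity: set of allowed ports}.
    Returns ("ACCEPT", identity) or ("DROP", None). A drop is silent: no RST,
    no SYN/ACK, so the sender cannot tell a cloaked port from a black hole.
    """
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):            # tolerate one slot of clock skew
        for identity, key in keys.items():
            expected = make_token(key, identity, slot * SLOT_SECONDS)
            if hmac.compare_digest(expected.to_bytes(4, "big"),
                                   syn["isn"].to_bytes(4, "big")):
                if syn["dst_port"] in policy.get(identity, set()):
                    return ("ACCEPT", identity)
                return ("DROP", None)                # known identity, port not allowed
    return ("DROP", None)                            # unknown sender


def classic_firewall(open_ports, syn):
    """Stateful firewall/IPS: every SYN gets an answer that reveals port state."""
    return "SYN/ACK" if syn["dst_port"] in open_ports else "RST"


def scan(respond, ports):
    """What an unauthenticated scanner observes per port (ISN is just a guess)."""
    return {p: respond({"src": "198.51.100.7", "dst_port": p, "isn": 0x12345678}) for p in ports}


KEYS = {"tenant-a": b"constructed-demo-key"}        # assumption: provisioned out of band
POLICY = {"tenant-a": {22}}
OPEN_PORTS = {22, 443}


def observed_with_gateway(ports, now):
    """Through the gateway an unknown scanner sees no reply on any port."""
    def respond(syn):
        verdict, _ = gateway_decide(KEYS, POLICY, syn, now)
        return "no reply" if verdict == "DROP" else "SYN/ACK"
    return scan(respond, ports)


def observed_with_firewall(ports):
    """Through the firewall the same scanner learns which ports are open."""
    return scan(lambda syn: classic_firewall(OPEN_PORTS, syn), ports)


if __name__ == "__main__":
    now = 1_700_000_000.0
    print("firewall  :", observed_with_firewall([22, 80, 443]))
    print("gateway   :", observed_with_gateway([22, 80, 443], now))
    syn = {"src": "203.0.113.5", "dst_port": 22,
           "isn": make_token(KEYS["tenant-a"], "tenant-a", now)}
    print("authorised:", gateway_decide(KEYS, POLICY, syn, now))
```

The toy also makes the caveat visible: a 32-bit token is small enough to brute force within one slot and can be replayed inside it, so a production design needs rate limiting and replay protection that this model omits.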

Page 18

BlackRidge examples

[Screenshots: scanner output (open ports and host details) for the same target without BlackRidge and with BlackRidge]

Page 19

BlackRidge in testbed

- Firewall/IPS protection
  - A firewall/IPS lets a large number of TCP connection attempts through, and information leaks: a SYN/ACK or RST tells the scanner which ports exist and which are open
- BlackRidge protection
  - BlackRidge does not allow any unauthorized connection attempts or scans (information leakage) to occur

Page 20

NYS CCAC Ecosystem

[Testbed diagram; labelled components:]
- WDM Node / CWDM Node B
- SDN Controller and Network Hypervisor, with cloud orchestrator API
- Orchestrator with Application Security Policy
- Brocade/Vyatta 5600 V-Router/Firewall
- Ciena Metro Ethernet
- Marist API code
- Marist LongTail Honeypots & Analytics
- Marist Remote Management App
- NetConf

Page 21

Honeypot popularity

- Companies are increasingly interested in this space [1, 2, 3]
  - Seeking more data to support security analytics
  - Setting up honeypots in their networks
  - Tenants might be deploying these technologies in the cloud
- Providers have an opportunity to enhance their cloud offerings: SECurity as a Service
  - "a business model in which a large service provider integrates their security services into a corporate infrastructure on a subscription basis more cost effectively than most individuals or corporations can provide on their own, when total cost of ownership is considered" [4]

1. A. Jain, B. Buksh, Advance Trends in Network Security with Honeypot and its Comparative Study with other Techniques, IJETT 29/6, Nov 2015
2. http://www.infoworld.com/article/3128818/security/10-decisions-youll-face-when-deploying-a-honeypot.html
3. https://www.honeynet.org/blog
4. http://searchsecurity.techtarget.com/definition/Security-as-a-Service

Page 22

Opportunities for SECaaS

- What can providers do?
  - Deploy their own honeypots
  - Collect data for historical and predictive analytics
- Honeypots as a service
  - Offer templates to customers who wish to use honeypots
  - Simplify setup and deployment
- Security analytics as a service
  - Up-to-date threat intelligence can enable dynamic security policies
  - Offer tenants access to valuable information from honeypot analytics

Page 23

Conclusion

- SDN+NFV poses new cybersecurity challenges for providers
- Adaptive, intelligence-driven security measures are needed
- Honeypots not only add a layer of security, they also capture vital data
- Analytics (e.g., Longtail) leverage that data for prediction and real-time response
- Pair honeypots with cloaking technologies for defense in depth
- Honeypots and threat analytics also present SECaaS opportunities

Page 24

Acknowledgements

This work is supported in part by the National Science Foundation grant 1541384, Campus Cyberinfrastructure - Data, Networking and Innovation Program (CC-DNI), per NSF solicitation 15-534, for the project entitled CC-DNI (Integration (Area 4): Application Aware Software-Defined Networks for Secure Cloud Services (SecureCloud)).

Questions?
