
Tracing the Ghosts of Cyber World !


Presentation Transcript


  1. Tracing the Ghosts of Cyber World ! DEFCON BANGALORE, 17 Aug 2013. Daniel Singh, Daniel@techngeeks.com

  2. About the Presenter • CISO @ TechNGeeks • Security Researcher • Cyber Security Evangelist • C|EH, E|CSA

  3. About the Presenter DAY JOB: I'M A PROGRAMMER. (I GET 21 ERRORS IN A 20 LINE CODE) My 1st successful program @ S**t Inc.: do { !flush(commode); } // please while (paperTowels.in(/*BOOL*/) == true); throw(paperTowels); // in garbage collector

  4. About the Presenter BY NIGHTFALL: Transform into 1337 h4x0r My TO DO LIST !!!

  5. Agenda • Introduction to Honeypots & Honeynets • Honeypot Background & History • Benefits & Downside of Honeypots • Classification & Implementation • Introduction to Honey Analysis • Legal aspects of Honeypots • Detection of Honeypots • Future of Honeypots • Anti-Honeypot Techniques • Summary • Further information

  6. What is a Honeypot? • A pot, used to store honey • But as a Metaphor, a honeypot refers to: • Espionage Recruitment involving Sexual Seduction (reality/fiction) • Honeypot Site is a popular visitor attraction for tourists • A Sting Operation (like ‘Bait Car’)

  7. What is a Honeypot? • Honeypot (noun): esoteric slang for physically attractive women under 30 years of age who exude a measure of restrained yet potent sexuality

  8. Background • The term originated in the military • It is a fake target used for an ambush • Here it is used in a network security environment

  9. Some more definitions Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner) Concrete definition: “A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited & compromised.”

  10. What Honeypot actually is?

  11. Definition ‘A honeypot is a resource which is expected to be attacked or compromised.’ • Distraction of an attacker • Gaining information about the attacker • Attack methods and tools

  12. Benefits of Honeypots • Risk Mitigation: a honeypot deployed in a production environment may lure an attacker away from the real production systems • IDS-like functionality: since no legitimate traffic takes place to/from the honeypot, any traffic that does appear is suspicious by definition (at minimum a scan or a policy violation), with none of the false-positive noise a signature IDS generates on production traffic

  13. Benefits of Honeypots • Attack Strategies: find out why and how attacks happen • Attack Tools: detailed information on the attack tools used • Increased knowledge: knowing how to respond to and prevent future attacks • Identification and Classification: find out who is attacking you and profile them

  14. Benefits of Honeypots • Evidence: after identification of the attacker, all data captured can be used in legal proceedings • Research: reveal internal communications of hackers, infections, and the spreading techniques of worms & viruses

  15. Benefits of Honeypots • Honeypot VS Antivirus • Honeypot VS Sandboxes • Honeypot VS IDS/IPS • Honeypot VS Darknets • Honeypot VS Secure Web Proxies

  16. Downside of Honeypots • Limited View: honeypots only see activity directed at themselves; they cannot track & capture attacks on other systems • Additional Risk: deploying a honeypot creates additional risk for the whole organization, since it is a system that is meant to be compromised and must be kept from reaching production • Legal risk: if the honeypot is compromised and joins a botnet, attacks launched from it against third parties can lead to serious legal consequences for its operator (downstream liability)

  17. Classification of Honeypots • Purpose: Production Level / Research Level • Target: Server-side / Client-side • Platform: Physical / Virtual • Deployment: Stand-alone / Distributed • Interaction: High Interaction / Medium Interaction / Low Interaction • Scope: Multifunction (General Purpose, Hybrid Pots) / Specialized (Jails, Tarpits, Sinkholes, Web Applications, VOIP Pot, Bluetooth Pot, SSH Pot, USB Pot, SCADA Pot)

  18. Examples of Honeypots (from the European Network and Information Security Agency report; table not captured in transcript)

  19. Examples of Honeypots (European Network and Information Security Agency report, continued; table not captured in transcript)

  20. Examples of Honeypots • HoneyMonkey • Canary Trap • Tarpits • Pseudoserver • Network Telescope/Darknets

  21. HoneyPot Sensors Two types of Honeypot Sensors: Fat Sensor: a complete honeypot system at the node; it processes the data it captures locally and sends the results to the central server for further analysis and correlation.

  22. HoneyPot Sensors Two types of Honeypot Sensors: Thin Sensor: just a reflector; it forwards all connections directly to the central server, which does the processing and data analysis

  23. Honeynet ‘A honeynet is a network of honeypots supplemented by Firewalls & IDS’ • These are more realistic environments • Improved data capture & analysis • Better fingerprinting

  24. Implementation of HoneyPot (diagram) INTERNET -> Honeywall Gateway: eth0 10.1.1.1 (Internet side); eth1 -> Honeypot 192.168.1.101; eth2 192.168.1.254 -> Production Network: 192.168.1.15, 192.168.1.20, 192.168.1.25

  25. Implementation of HoneyNet (diagram) INTERNET -> Gateway: eth0 10.1.1.1 (Internet side); eth1 -> ROUTER -> HoneyNet: 192.168.1.101, 192.168.1.102, 192.168.1.103; eth2 192.168.1.254 -> Production Network: 192.168.1.15, 192.168.1.20, 192.168.1.25
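The gateway in the two diagrams above does more than capture traffic: its data-control job is to let attackers in freely while counting new outbound connections from the honeypot and cutting them off once a threshold is reached, so a compromised honeypot cannot be turned against third parties (the "joins a bot army" downside of slide 16). The following is an added example, not code from the talk or from the Honeynet Project's Honeywall (which enforces this in the kernel); it models the outbound limit as a per-protocol sliding window over constructed flow records. The honeypot address 192.168.1.101 is taken from the diagram; the limits, the one-hour window and the flow records are assumed.

```python
"""Honeywall-style outbound data control modelled as a sliding window.
Added example (not the talk's or the Honeynet Project's code): the real
honeywall enforces this in the kernel; here the decision logic is plain
Python so it can be read and tested over constructed flow records."""
from collections import deque
from dataclasses import dataclass, field

HONEYPOT = "192.168.1.101"          # honeypot address from the diagram

# Assumed policy: maximum new outbound connections per protocol per window.
# A protocol that is not listed gets a limit of 0, i.e. is dropped outright.
LIMITS = {"tcp": 20, "udp": 20, "icmp": 50}
WINDOW = 3600                        # seconds (assumed: one hour)


@dataclass
class Flow:
    ts: float        # seconds since epoch
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0


@dataclass
class Honeywall:
    limits: dict = field(default_factory=lambda: dict(LIMITS))
    window: int = WINDOW
    recent: dict = field(default_factory=dict)   # proto -> deque of timestamps
    dropped: list = field(default_factory=list)  # flows that were cut off

    def decide(self, flow: Flow) -> str:
        """Return 'ACCEPT' or 'DROP' for one new connection attempt."""
        if flow.src != HONEYPOT:
            # Inbound or unrelated traffic is never limited, only captured.
            return "ACCEPT"
        q = self.recent.setdefault(flow.proto, deque())
        # Expire connections that have fallen out of the sliding window.
        while q and flow.ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limits.get(flow.proto, 0):
            self.dropped.append(flow)
            return "DROP"
        q.append(flow.ts)
        return "ACCEPT"


def demo():
    """Constructed traffic: one inbound probe, then a burst of 25 outbound
    SMB connections (a compromised honeypot starting to scan), then one
    more outbound connection after the window has rolled over."""
    flows = [Flow(0, "tcp", "203.0.113.5", HONEYPOT, 22)]
    flows += [Flow(1 + i, "tcp", HONEYPOT, "198.51.100.%d" % (i + 1), 445)
              for i in range(25)]
    flows.append(Flow(WINDOW + 1, "tcp", HONEYPOT, "198.51.100.99", 445))
    hw = Honeywall()
    return [hw.decide(f) for f in flows], hw


if __name__ == "__main__":
    decisions, hw = demo()
    print(decisions.count("ACCEPT"), "accepted,", decisions.count("DROP"), "dropped")
    for f in hw.dropped:
        print("cut off:", f)
```

The limit deliberately applies to connection attempts, not bytes: an attacker who gets in can download tools and talk to a few hosts, which is what we want to observe, but a scan or a DDoS burst trips the counter after the first handful of targets. The window is per protocol because a limit on TCP alone would leave UDP floods and ICMP scans uncontrolled.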

  26. Honey Analysis

  27. Honey Analysis: Attacks over Time (chart)

  28. Honey Analysis: Distribution over Time Metric (chart)

  29. Honey Analysis: Attack Origin over Time (chart)

  30. Honey Analysis Important Security Metrics: • Source IP • Source Port • Destination IP • Destination Port Important Services and Ports: (table not captured in transcript)

  31. Honey Analysis Important Services and Ports: (table, continued; not captured in transcript)

  32. Honey Analysis Important Services and Ports: (table, continued; not captured in transcript)

  33. Honey Analysis Important Services and Ports: (table, continued; not captured in transcript)
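The analysis slides above reduce to a few aggregations over the four metrics of slide 30: attacks per time bucket, attacks per source, attacks per destination port, and sources per time bucket. Because nothing legitimate should ever talk to the honeypot (slide 12), every logged connection counts as an attack and no filtering step is needed. The block below is an added example, not the talk's code; the log format is an assumption and the log lines, including the deliberately corrupt one, are constructed.

```python
"""Honey analysis over a honeypot connection log: attacks over time,
attack origin and targeted services.  Added example (not the talk's
code).  The log format is an assumption; all records are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log.  Format (assumed): ISO time, protocol, src:port -> dst:port.
SAMPLE_LOG = """\
2013-08-17T10:00:01Z tcp 203.0.113.5:51234 -> 192.168.1.101:22
2013-08-17T10:00:07Z tcp 203.0.113.5:51235 -> 192.168.1.101:22
2013-08-17T10:12:40Z tcp 198.51.100.23:40001 -> 192.168.1.101:445
2013-08-17T11:03:09Z udp 198.51.100.23:40002 -> 192.168.1.101:161
2013-08-17T11:45:55Z tcp 192.0.2.77:60000 -> 192.168.1.101:3389
2013-08-17T11:46:02Z tcp 192.0.2.77:60001 -> 192.168.1.101:22
this line is corrupt and must be skipped rather than abort the run
2013-08-17T12:01:30Z tcp 203.0.113.5:51240 -> 192.168.1.101:22
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)$")


def parse(log: str) -> list:
    """Turn log text into event dicts carrying the four basic metrics
    (source IP/port, destination IP/port) plus protocol and timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                    # malformed lines are dropped, not fatal
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def attacks_over_time(events, bucket="%Y-%m-%dT%H") -> Counter:
    """Attack count per time bucket (default: per hour)."""
    return Counter(e["ts"].strftime(bucket) for e in events)


def attack_origin(events) -> Counter:
    """Attack count per source IP."""
    return Counter(e["sip"] for e in events)


def targeted_services(events) -> Counter:
    """Attack count per (protocol, destination port)."""
    return Counter((e["proto"], e["dport"]) for e in events)


def origin_over_time(events, bucket="%Y-%m-%dT%H") -> dict:
    """Per time bucket, which sources were active and how often."""
    out = {}
    for e in events:
        out.setdefault(e["ts"].strftime(bucket), Counter())[e["sip"]] += 1
    return out


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("attacks over time:", dict(attacks_over_time(ev)))
    print("top sources:", attack_origin(ev).most_common(3))
    print("top services:", targeted_services(ev).most_common(3))
    print("origin over time:", {k: dict(v) for k, v in origin_over_time(ev).items()})
```

Changing the `bucket` format string gives the per-day or per-minute views of the charts; the same functions work unchanged on a real sensor's log once `LINE` is adapted to its format. Counting ("tcp", 22) separately from ("udp", 22) matters for the services table, since a port number alone does not identify a service.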

  34. Legal Aspects of Honeypots New Technology: the legal framework and its adjudicators will deal with honeypot cases as and when they arise Varied Applications: honeypots range from a simple port listener to a full virtual machine and are created on demand, so a common law covering them cannot easily be internationalised and is hard to achieve

  35. Legal Aspects of Honeypots No Legal Cases: as of now (2013), there hasn't been any legal case pertaining to honeypots & their usage Concepts still debatable: some issues relating to honeypots themselves have received different rulings in different scenarios

  36. Legal Aspects of Honeypots The basic legal themes related to honeypots are: 1. Entrapment (including enticement) 2. Privacy 3. Downstream liability

  37. Detection of Honeypots • Technical attributes of the honeypot: • Response time & banners • Registry entries • Inconsistent parameters • "Social" properties of the system • Usage, interaction & access logs • Network sniffing • Packets going to/from the system • Search for traces of VMware

  38. Detection of Honeypots • Sending an invalid TCP packet (SYN+RST set together) and watching whether the stack answers • Spotting system anomalies • Spotting TTL, window size • Spotting IPID, DF bit • Detect BIOS version • Detect VMware Tools extension • Detect VMware magic value (0x564D5868, ASCII "VMXh")
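The "inconsistent parameters" and "TTL" items on the two slides above come together in a simple passive check: what a service banner claims the operating system is should agree with what the IP TTL of the replies suggests, and banners on different ports should agree with each other. A low-interaction honeypot emulating Linux services on a Windows host, or several emulated "personalities" on one box, fails both. The following is an added example, not the talk's code: the observations are constructed (in practice they come from a service scan and a packet capture of the replies), the banner keyword rules are assumed and deliberately short, and the initial-TTL table holds only the common stack defaults.

```python
"""Spotting inconsistent parameters on a suspected honeypot.  Added
example (not the talk's code).  Cross-checks the OS each banner claims
against the OS the IP TTL suggests, and the banners against each other.
Observations, banner rules and the TTL table are constructed/assumed."""

# Default initial TTLs of common stacks.  An observed TTL is rounded up to
# the nearest one to guess the sender's initial value (hops decrement it).
INITIAL_TTLS = {64: "unix", 128: "windows", 255: "network-device"}

# Keyword rules mapping banner text to an OS family (assumed, kept short).
BANNER_RULES = [
    ("debian", "unix"), ("ubuntu", "unix"), ("freebsd", "unix"), ("linux", "unix"),
    ("windows", "windows"), ("microsoft", "windows"), ("iis", "windows"),
]

# Constructed observations: host -> observed TTL of replies and banners per port.
OBSERVATIONS = {
    # A real Ubuntu box three hops away: everything agrees.
    "192.168.1.15": {
        "ttl": 61,
        "banners": {22: "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1",
                    80: "Apache/2.2.22 (Ubuntu)"},
    },
    # Low-interaction honeypot emulating Linux SSH on a Windows host:
    # SSH banner says Debian, SMB banner says Windows, TTL says Windows.
    "192.168.1.101": {
        "ttl": 126,
        "banners": {22: "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1",
                    445: "Windows Server 2003 3790 Service Pack 2"},
    },
}


def infer_initial_ttl(observed: int) -> int:
    """Smallest common initial TTL that is >= the observed value."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    return 255


def os_from_banner(banner: str):
    """OS family a banner claims, or None if the banner says nothing about it."""
    text = banner.lower()
    for keyword, family in BANNER_RULES:
        if keyword in text:
            return family
    return None


def inconsistencies(host: dict) -> list:
    """Return human-readable findings for one host; empty means nothing odd."""
    findings = []
    ttl_family = INITIAL_TTLS[infer_initial_ttl(host["ttl"])]
    claims = {}
    for port, banner in sorted(host["banners"].items()):
        fam = os_from_banner(banner)
        if fam is None:
            continue
        claims[port] = fam
        if fam != ttl_family:
            findings.append("port %d banner claims %s, TTL %d suggests %s"
                            % (port, fam, host["ttl"], ttl_family))
    if len(set(claims.values())) > 1:
        findings.append("banners disagree about the OS: %s" % claims)
    return findings


def suspicious_hosts(observations: dict) -> dict:
    """Hosts with at least one finding, mapped to their findings."""
    out = {}
    for ip, host in observations.items():
        found = inconsistencies(host)
        if found:
            out[ip] = found
    return out


if __name__ == "__main__":
    for ip, found in suspicious_hosts(OBSERVATIONS).items():
        print(ip)
        for f in found:
            print("  -", f)
```

A TTL mismatch on its own is only a hint: an administrator can change the default TTL, and a box behind an unusual number of hops can round the wrong way. What makes a honeypot stand out is several independent parameters disagreeing at once, which is why the function reports both the per-banner mismatch and the banner-versus-banner conflict.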

  39. Future of Honeypots • HoneyTokens • SCADA Honeypots • Wireless Honeypots • SPAM Honeypots • Search-Engine Honeypots • Honeypot Farms

  40. Future of Honeypots Honeytokens are fake, crafted digital items planted alongside legitimate resources to detect and track insider (or intruder) interaction: decoy documents and research, source code, MS Word & Excel files, SSNs & credit card numbers, confidential emails, login & password files. Since no legitimate workflow ever touches them, any access to or use of a token is a signal, and a token that is unique per decoy reveals which item was taken.
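A working honeytoken needs two halves: something to plant, and something that recognises the token when it is later used. The block below is an added example, not the talk's code. It derives a decoy username for each planted location with an HMAC over the location and a defender-held secret, so that when the username appears in an authentication log the defender can tell which decoy file was stolen without keeping a database of issued tokens. The secret, the planted locations and the auth log lines are all constructed/assumed.

```python
"""Honeytokens: planting decoy credentials and detecting their use.
Added example (not the talk's code).  The decoy username is an HMAC of
the decoy's location under a defender-held secret, so a hit in the auth
log maps back to the stolen file.  Secret, locations and log lines are
constructed/assumed."""
import hashlib
import hmac
import re
import secrets

TOKEN_SECRET = b"replace-with-a-random-key-kept-by-the-defender"  # assumed


def make_token(location: str) -> str:
    """Deterministic decoy username for one planted location."""
    tag = hmac.new(TOKEN_SECRET, location.encode(), hashlib.sha256).hexdigest()
    return "svc_" + tag[:12]


def decoy_file(location: str) -> str:
    """Content of a fake credentials file to plant at `location`.  The
    password is random; only the username needs to be recoverable."""
    return "username=%s\npassword=%s\n" % (make_token(location),
                                            secrets.token_urlsafe(12))


# Locations where decoys were planted (constructed).
PLANTED = [
    r"\\fileserver\finance\passwords.xlsx",
    "/home/dev/.aws/credentials",
    "/srv/git/internal/config/db.yml",
]

# Constructed sshd log; the third line uses the finance decoy's username.
SAMPLE_AUTH_LOG = """\
Aug 17 10:00:01 bastion sshd[4121]: Accepted publickey for alice from 192.168.1.15 port 50122 ssh2
Aug 17 10:03:44 bastion sshd[4130]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 17 10:05:09 bastion sshd[4137]: Failed password for invalid user TOKEN from 203.0.113.5 port 51240 ssh2
Aug 17 10:06:15 bastion sshd[4140]: Accepted password for bob from 192.168.1.20 port 50200 ssh2
"""


def sample_auth_log() -> str:
    """Fill the placeholder with the real token for the finance decoy."""
    return SAMPLE_AUTH_LOG.replace("TOKEN", make_token(PLANTED[0]))


USER_RE = re.compile(r"for (?:invalid user )?(\S+) from ([\d.]+) port (\d+)")


def detect(log: str, planted: list) -> list:
    """Return (location, source_ip, line) for every log line in which a
    planted token was tried as a username."""
    lookup = {make_token(loc): loc for loc in planted}
    hits = []
    for line in log.splitlines():
        m = USER_RE.search(line)
        if m and m.group(1) in lookup:
            hits.append((lookup[m.group(1)], m.group(2), line))
    return hits


if __name__ == "__main__":
    print(decoy_file(PLANTED[0]))
    for location, src, line in detect(sample_auth_log(), PLANTED):
        print("honeytoken from %s used by %s" % (location, src))
```

The HMAC keeps the tokens unforgeable and unlinkable: an attacker who finds one decoy cannot guess the usernames planted elsewhere, and two decoys never share a token, so the first hit already tells which file left the building. Failed logins are the interesting case here, since the decoy account does not exist; a successful login with a token would mean the account was created for real, which is its own finding.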

  41. Future of Honeypots • HoneyTokens • SCADA Honeypots • Mobile Device based • Wireless Honeypots • SPAM Honeypots • Search-Engine Honeypots • Honeypot Farms

  42. Anti-Honeypot Techniques • Automated honeypot scanners • Honeypot confusers • Honeypot exploits • Honeypot disablers • Checking HTTPS & SOCKS proxies (spammers test whether an open proxy really relays before trusting it, to avoid proxy honeypots)

  43. SUMMARY • Honeypots are still a young field and much remains to be done: • Recommend honeypot setups • Recommend honeynet farms • Increase honeypot accuracy • Anticipate anti-honeypot techniques

  44. Further Information

  45. TH4NK5
