hey! you! get off my cloud! attacks against cloud honeypots · honeypot types • simulates high...
Post on 24-May-2020
10 Views
Preview:
TRANSCRIPT
HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS
Martin Lee Neil Rankin
Cloud Adoption
Choose two:
Fast Cheap Good
Cloud Models
Public
IaaS PaaS SaaS
Private
Cloud Models
Public
IaaS PaaS SaaS
Private
IaaS Cloud Security Layers
SECURE API / GUI
Application Code
Operating System
Virtual Machine
Hypervisor
Device
Network
Facility
Provider’s responsibility
Your problem
Threat Model
Cyber Criminal
Hacktivist APT
Elastic Computing
Development Deployment
Low utilisation Low cost
Heavy utilisation High cost
Elastic Computing
Source: Quora.com
Threat Types - Customers
application-attack
brute-force
suspicious-activity
recon
trojan-activity
denial-of-service
other
application-attack
brute-force
trojan-activity
suspicious-activity
recon
denial-of-service
other
Cloud Environment On Premise Environment
Source: Alert Logic ASR 2015
Relative Threats - Cloud vs On Premise
Source: Alert Logic ASR 2015
0 1 2 3 4 5 6
denial-of-service
suspicious-activity
recon
brute-force
application-attack
other
trojan-activity
Cloud Threats by Customer Industry Vertical
Source: Alert Logic ASR 2015
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Application attack
Brute force
Recon
Suspicious
DoS
Subtle Differences
Cloud threats ≠ On premise threats Your threats ≠ Your neighbour’s threats
Honeypot Infrastructure
Cloud Production
System Cloud Honeypot Cloud Honeypot
Threat Intelligence Threat Intelligence
Increased Protection
123.45.67.89 sys.example.com
123.45.67.90 db.example.com
123.45.67.88 share.example.com
Honeypot Types
• Simulates high level services • Collects basic information Low Interaction
• Simulates generic functions • Records interaction
Medium Interaction
• Simulates specific environment • Collects details of attack High Interaction
Medium Interaction
Kippo – medium interaction
https://github.com/desaster/kippo
• Simulates SSH shell
• Fake file system
• Easily detected! – we use heavily modified version
• We used to log brute force attacks & replay session
Medium Interaction
Dionaea – medium interaction
http://dionaea.carnivore.it/
• Simulates network services
• SMB / HTTP / FTP / MySQL / SIP (VOIP)
• Simulates shellcode execution
• We see mostly SMB activity
Low Interaction
Amun – low interaction
http://amunhoney.sourceforge.net/
• Modular Honeypot
• Simulates vulnerable services
• We see mostly SMB activity
Low Interaction
p0f – low interaction
http://amunhoney.sourceforge.net/
• Fingerprint connecting IPs
• Run in tandem
Custom Interaction
Create your own
• Modify modular honeypot
• Reflect your environment
• Respond to new threats
• Research attacks against specific vulnerabilities
Results
What do we find? April 2015
Findings – Top 20 IP Addresses
82.211.147.147 114.47.9.182 61.227.174.2
186.92.54.111 93.118.46.197 190.37.94.20
36.236.150.66 186.92.51.249 186.92.36.215
43.255.190.167 190.204.147.44
177.143.161.164 186.92.122.154 186.92.180.244 43.255.190.119 43.255.190.130 186.92.57.234
177.143.167.30 177.143.161.1
198.101.193.22
0 20000 40000 60000 80000 100000 120000 140000
Number of Attacks
Findings – Top 20 Source Countries Japan Taiwan
Venezuela China
Brazil Georgia
Unknown Romania
United States Mexico
Russian Federation Netherlands
Bulgaria United Kingdom
Armenia India
Kazakhstan Korea, Republic of
Ukraine Iran, Islamic Republic of
Taiwan
Venezuela
China
Georgia Japan
Brazil
Findings – Attacker OS
Linux 2.4.x
Windows XP
Linux 3.1-3.10
Linux 2.2.x-3.x
Windows 7 or 8
Linux 2.6.x
Linux 3.11 and newer
Linux 2.4.x-2.6.x
Linux 2.2.x-3.x (no timestamps)
Linux 3.x
Linux 2.2.x-3.x (barebone)
Windows NT kernel
Linux 2.0
Linux 2.4.x
Win XP
Linux 3.1
Linux 2.2.x
Win 7/8
Findings – Top 20 Destination Ports Secure Shell (SSH) Microsoft Directory Service Remote Desktop Protocol NETBIOS Session Service SMTP HTTP Active API Server Port (Proxy) Telnet POP3 HTTP Alternate (Proxy) MySQL Microsoft SQL Server Abyess Web Server HTTPS FTP Socks (Proxy) Universal Plug 'N Play (UPnP) Microsoft DCOM IMAP Apple OSX RPC Services
SSH (22)
Active Directory Service / SMB (445)
Findings – Top 20 Brute Forced Usernames
root admin
oracle ubnt
support user
test guest
MGR ubuntu
administrator
ftpuser operator
admindb PlcmSpIp
info Administrator
pi db01
Root (98.5%)
Findings – Top 20 Brute Forced Username/Password
root/admin root/123456]
admin/admin root/654321
root/123654 root/administrator
root/default root/qazwsx
root/zaq1xsw2 root/888888
root/a123456 root/aaaaaa
root/11111111 root/root
root/changeme root/159357
root/qwerty root/meiyoumima
root/admin1 root/vision
Findings – Top 20 Uploads
Troj/Agent-AMRO PsExec
Unknown Mal/HckPk-A
Troj/Agent-AMRO Troj/DLoad-IK
Mal/PWS-JJ W32/Parite-B
Mal/HckPk-A Mal/Spy-Y
Unknown Unknown
Unknown Unknown
Unknown Unknown
Unknown Unknown
Mal/Spy-Y Unknown
Troj/Agent-AMRO
PsExec
? .exe
Mal/HckPk-A
Deployment
Honeypots in Operation
Honeypots for Managed Services
Customer Cloud System Cloud Honeypot
Blocklist update
Threat Intelligence
Security Agent
Connecting IPs
Honeypots for Managed Services
Customer Cloud System Cloud Honeypot
Correlate
Threat Intelligence
Security Agent
Malware
Conclusion
Cloud environments have a specific threat profile.
Well placed honeypots provide timely intelligence.
Apply intelligence to protect production systems.
Get Connected
@alertlogic @mlee_security www.alertlogic.com
linkedin.com/company/alert-logic
alertlogic.com/resources/blog/
youtube.com/user/AlertLogicTV
brighttalk.com/channel/11587
Thank you
Will Semple – VP ActiveIntelligence
Brian Wilson – Director, Intelligence
Michael Laughlin – Tools Engineer
Thank you.
top related