using canary honeypots for network security monitoring

Post on 02-Jul-2015


DESCRIPTION

In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.

TRANSCRIPT

Deceive to Detect: Using Canary Honeypots for Network Security Monitoring

Chris Sanders, Charleston ISSA, November 2014

Chris Sanders

• Christian & Husband
• Kentuckian and South Carolinian
• MS, GSE, et al.
• Non-Profit Director
• BBQ Pit Master

Chris Sanders

“[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.”

“[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.”

– Amazon Reviewers

Outline

Objectives:
• Traditional Honeypots
• Canary Honeypot Architecture
• Honeypot Platforms
– Honeyd
– Kippo
– Tom's Honeypot
– Honeydocs

“How can I use honeypots as an effective part of my detection strategy?”

***Disclaimer***

• Tactics in this presentation may be controversial, depending on your viewpoint.

• Only orgs with mature security programs should attempt the use of canary honeypots.

• Any time you invite an attacker to dance, you might get your feet stepped on.

Traditional Honeypot Design

• Intentionally Vulnerable System
• Designed to Mimic Real Services
• Easily Compromised

Traditional Honeypot Uses

• Specific Research Purposes
• Tracking Unstructured Threats
– Commodity Malware
– Opportunistic Attackers

• Vaguely Useful for Building Basic Threat Intel

No Current Significant Production Value

How can honeypots be useful for operational purposes?

US Information Ops Doctrine

• US DoD JP 3-13 IO Capabilities*
– Detect
– Deny
– Disrupt
– Degrade
– Destroy
– Deceive

* More commonly applied as the Cyber Kill Chain

Let’s Take Honeypots Farther…

Kentucky is Coal Country

Coal Mining is Hard

Coal Mining is Dangerous

Canaries for Methane Detection

Enter Canary Honeypots

• Deceive to Detect
• Honeypots for Detection
1. Placed Inside the Network
2. Mimic Existing Systems
3. Detailed Alerting & Logging

Nobody Should Ever Talk to a Honeypot

Making the Case

• How do you detect a malicious user logging in to a Windows system?
– Multiple Failed Logins
– Weird External IP Address
– IP Heuristics and Trending

• What if the malicious user logs in from another compromised system using legitimate credentials?

Honeypots in the Attack Life Cycle

Attackers Get Sloppy

High vs. Low Interaction

• High Interaction...
– Real Operating System
– Real Services
– Locked Down
– Detailed Logging

• Low Interaction...
– Software-Based
– Mimics Real Services
– Fake Environments
– Limited Logging

* Some honeypots call themselves “medium” interaction, but these are still basically low interaction.

Exploitable vs. Non-Exploitable

• Exploitable...
– Mimic Services
– Contain Vulnerabilities
– Designed to be Compromised
– Compromises are Monitored

• Non-Exploitable...
– Mimic Services
– No Vulnerabilities
– Any Interaction is Monitored

Canary Honeypot Architecture

1. Identify the Devices or Services to be Mimicked

2. Determine Honeypot Placement

3. Develop Alerting and Logging Capabilities

Identify Devices/Services to Mimic

• All About Risk - What is your biggest fear?
• How would attackers exploit that?
• Mimic critical services and components.
– Confidentiality – File Server (SSH?)
– Integrity – Database Server (SQL?)
– Availability – Web Server (HTTP?)

Determine Honeypot Placement

• Close to the Asset Being Mimicked
• Ability to Transmit Logs
• Limit Communication of High Interaction Honeypots (***IMPORTANT***)

Determine Honeypot Placement (cont.)

Develop Alerting and Logging

• Logging
– High Interaction – OS Logs, HIDS
– Low Interaction – Software Logs
– Network – PCAP, Flow, etc.

• Alerting
– IDS Signatures
– alert tcp any any -> $HONEYPOT 22 (msg:"Communication with SSH Honeypot"; sid:12345; rev:1;)

Honeypot Software

Honeyd

• The father of honeypots
• Developed by Niels Provos 10+ years ago
• Low Interaction
• Can mimic operating systems and services
• Capable of spinning up thousands of honeypot instances

Honeyd Config

create default

set default default tcp action block

set default default udp action block

set default default icmp action block

create ansm_winserver_1

set ansm_winserver_1 personality "Microsoft Windows Server 2003 Standard Edition"

Honeyd Config (cont.)

add ansm_winserver_1 tcp port 135 open

add ansm_winserver_1 tcp port 139 open

add ansm_winserver_1 tcp port 445 open

set ansm_winserver_1 ethernet "d3:ad:b3:3f:11:11"

bind 172.16.16.202 ansm_winserver_1

Running Honeyd

• Running Honeyd
sudo honeyd -d -f /etc/honeypot/ansm.conf

• Scan Results

Honeyd Logging

Honeyd Alerting

alert ip !$TRUSTED_MS_HOSTS any -> $MS_HONEYPOT_SERVERS [135,139,445] (msg:"Attempted Communication with Windows Honeypot on MS Ports"; sid:5000000; rev:1;)

Extended Service Emulation

• Emulate an IIS Web Server
add ansm_winserver_1 tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"

Kippo SSH Honeypot

• Low Interaction SSH Honeypot
• Provides a Fake File System
• Detailed Logging and Replay
• Written in Python

Kippo Demo

Kippo Alerting

alert tcp $HONEYPOT_SERVERS $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port - Honeypot System"; flow:from_server,established; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8;)

alert tcp any any <> $HONEYPOT_SERVERS $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port - Honeypot System"; threshold:type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001978; classtype:misc-activity; sid:2001978; rev:7;)
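The "nobody should ever talk to a honeypot" logic behind these rules and the Windows honeypot rule above, reduced to a small detector over constructed flow records. This is an added example, not code from the deck or from Kippo/Honeyd: the honeypot address, the trusted host, and the flow records are assumed, and the per-source threshold approximates the count 2 / 300 s "type both" threshold of sid 2001978.

```python
# Added example: minimal flow-based honeypot alerting with an allow-list and a
# per-source threshold, mirroring the Snort rules used in the deck.
from collections import defaultdict
from datetime import datetime

# Assumed values, constructed for this example (not from the slides).
HONEYPOT_SERVERS = {"172.16.16.202"}       # the Honeyd canary bound above
TRUSTED_MS_HOSTS = {"172.16.16.10"}        # e.g. a management host allowed to probe
MS_PORTS = {135, 139, 445}
SSH_PORTS = {22}
THRESHOLD_COUNT, THRESHOLD_SECONDS = 2, 300  # as in ET sid 2001978

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2014-11-12T09:00:00", "172.16.16.10", "172.16.16.202", 445),  # trusted, no alert
    ("2014-11-12T09:01:10", "172.16.16.57", "172.16.16.202", 445),  # alert
    ("2014-11-12T09:02:00", "172.16.16.57", "172.16.16.202", 22),   # 1st SSH contact
    ("2014-11-12T09:03:30", "172.16.16.57", "172.16.16.202", 22),   # 2nd within 300 s: alert
    ("2014-11-12T09:15:00", "172.16.16.99", "172.16.16.202", 22),   # single contact, below count
    ("2014-11-12T09:16:00", "172.16.16.57", "172.16.16.201", 80),   # not a honeypot
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(flows):
    """Return alert strings. MS-port contact from non-trusted sources alerts at
    once; SSH contact is tracked by source and alerts when THRESHOLD_COUNT
    contacts fall within THRESHOLD_SECONDS (window reset after each alert,
    an approximation of Snort's 'threshold: type both')."""
    alerts = []
    ssh_hits = defaultdict(list)  # src -> timestamps of recent SSH contacts
    for ts, src, dst, dport in flows:
        if dst not in HONEYPOT_SERVERS:
            continue
        if dport in MS_PORTS and src not in TRUSTED_MS_HOSTS:
            alerts.append(f"{ts} {src} -> {dst}:{dport} Attempted Communication with Windows Honeypot on MS Ports")
        elif dport in SSH_PORTS:
            now = _ts(ts)
            window = [h for h in ssh_hits[src] if (now - h).total_seconds() <= THRESHOLD_SECONDS]
            window.append(now)
            if len(window) >= THRESHOLD_COUNT:
                alerts.append(f"{ts} {src} -> {dst}:{dport} SSH session in progress - Honeypot System")
                window = []
            ssh_hits[src] = window
    return alerts


if __name__ == "__main__":
    for line in detect(FLOWS):
        print(line)
```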

Tom’s Honeypot

• Developed by Tom Liston of InGuardians
• Low Interaction Multi-Protocol Honeypot
• Emulates RDP, VNC, Radmin, MSSQL, SIP
• Written in Python
• http://labs.inguardians.com/tomshoneypot

Tom’s Honeypot – RDP

Tom’s Honeypot – More

Honeydocs

• Documents designed to "phone home" when opened.
• Placed with/near other critical documents
• Honeydocs should never be opened
• Provides alerting when documents are exfiltrated

Honeydoc Manual Example


Honeydoc Automated Example

MHN: Modern Honey Network

• Centralized Management
• Web Interface w/ RESTful API
• http://threatstream.github.io/mhn/

Conclusion

• Honeypots aren't just for research!
• They can be useful for intrusion detection.
• Great care should be taken when deploying honeypots inside the network perimeter.
• Multiple useful tools already exist.

Thank You!

E-Mail: chris@chrissanders.org
Twitter: @chrissanders88

Blog: http://www.chrissanders.org
Book Blog: http://www.appliednsm.com

Testimony: http://www.chrissanders.org/mytestimony
