IDS+Honeypots Making Security Simple
Gregory Hanis
Cyber Security Specialist
https://www.linkedin.com/in/gregtampa
About the Author:
Gregory Hanis has been an extraordinary individual who has done invaluable research in the field of Cyber Security. From a young kid at the age of 13 he has written software which is still used today in cyber security. He has owned a computer repair company for over three years and has a 4-year bachelor’s degree in Information Security Systems. Greg has also been featured in Rolling Stone magazine and has been on CBS News numerous times, along with other publications. He gives talks and trainings around the country sharing his knowledge with the public and private sectors. He sits on the board of directors of SFISSA (South Florida Information Systems Security Association).
2 Types of Security Controls
Preventative Controls
• Used to implement C-I-A
• Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP, EIEIO
• Prevent an incident
Detective Controls
• Provide visibility & response
• Asset Discovery, VA, IDS/IPS, Log Management, Analytics
• Detect & respond to an incident
IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
Firewalls/Antivirus are not enough
• Firewalls are usually not the target – too difficult to effectively penetrate
• Endpoints are the target, usually via email, URL redirects, miscellaneous malicious files, etc.
• With 160,000 new malware samples seen every day, antivirus apps will not find every threat
• Needs to be bolstered by regular and comprehensive monitoring
“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”
- James Routh, 2007, CISO, Depository Trust Clearing Corporation
Prevention is elusive
• More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
• The number of organizations experiencing high profile breaches is unprecedented.
• The “security arms race” cannot continue indefinitely: the economics of securing your organization are stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.
Threat landscape: Our new reality
84% of organizations breached had evidence of the breach in their log files…
Source: Verizon Data Breach Report, 2014
Prevent, Detect & Respond
Get good at detection & response. The basics are in place. Beyond that, buyer beware of claims like:
“New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter!”
New capabilities to develop
“How would you change your strategy if you knew for certain that you were going to be compromised?”
- Martin Roesch, 2013, Founder & CTO Sourcefire, author of Snort
GOOD NEWS!
Many professional SOCs are powered by open source.
THERE’S AN APP FOR THAT!
Challenge: Name that tool! PRADS, NfSen, p0f, OVALdi, MDL, OpenFPC, PADS
Open source alternatives for each of the 5 categories:
• Asset Discovery
• Vulnerability Assessment
• Threat Detection
• Behavioral Monitoring
• Analytics & Intelligence
LET’S TALK ABOUT SOME OF THE TOOLS
• Asset Discovery with Nmap & PRADS
• Wireless IDS with Kismet
• Unified Security Management with OSSIM (includes OSSEC, Snort, ntop, OpenVAS)
NMAP & PRADS
Problem it solves:
I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).
Pros:
Nmap is very mature, robust & feature rich.
Both tools produce verbose output.
Cons:
Both tools produce extremely verbose output.
PRADS does not have a GUI.
Why we like it:
These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
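The "create and update an inventory" job above is mostly parsing and diffing. The following is an added example (not from the slides, and not part of Nmap or PRADS) that reads two nmap XML reports (`nmap -sV -O -oX`) into an inventory and reports what changed between runs: hosts appearing or disappearing, ports opening or closing, OS guesses changing. The XML documents are constructed for the example, following nmap's element names; the IPs and hostnames are made up.

```python
"""Build an asset inventory from nmap XML and diff it against the last run.

Added example; not the slides' code and not part of nmap or PRADS. The
two XML documents are constructed to look like `nmap -sV -O -oX` output
(element names follow nmap's XML schema); real runs would be read from
the files nmap writes.
"""
import xml.etree.ElementTree as ET

SCAN_MONDAY = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX mon.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.61" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
    </ports>
    <os><osmatch name="Linux 3.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.52" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="90"/></os>
  </host>
</nmaprun>
"""

# Next day's constructed scan: .61 grew a database port, .52 is down, .77 is new.
SCAN_TUESDAY = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX tue.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.61" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
    </ports>
    <os><osmatch name="Linux 3.X" accuracy="95"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.1.52" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return {ip: {"hostname", "os", "ports": {(proto, port): service}}} for hosts that are up."""
    inventory = {}
    for host in ET.fromstring(text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                                  # down hosts carry no useful detail
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")             # nmap lists best guess first
        ports = {}
        for p in host.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = p.find("service")
            label = (svc.get("product") or svc.get("name")) if svc is not None else "unknown"
            ports[(p.get("protocol"), int(p.get("portid")))] = label
        inventory[addr.get("addr")] = {
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        }
    return inventory


def diff_inventory(old, new):
    """List (change, ip, detail) tuples describing what moved between two scans."""
    changes = []
    for ip in sorted(set(old) | set(new)):
        if ip not in old:
            changes.append(("new host", ip, None))
        elif ip not in new:
            changes.append(("host gone", ip, None))
        else:
            op, np_ = old[ip]["ports"], new[ip]["ports"]
            for key in sorted(set(np_) - set(op)):
                changes.append(("port opened", ip, f"{key[0]}/{key[1]} {np_[key]}"))
            for key in sorted(set(op) - set(np_)):
                changes.append(("port closed", ip, f"{key[0]}/{key[1]} {op[key]}"))
            if old[ip]["os"] != new[ip]["os"]:
                changes.append(("os changed", ip, f"{old[ip]['os']} -> {new[ip]['os']}"))
    return changes


if __name__ == "__main__":
    for change in diff_inventory(parse_nmap_xml(SCAN_MONDAY), parse_nmap_xml(SCAN_TUESDAY)):
        print(*change)
```

Run it on a schedule against the XML each nmap run writes and feed the change list to the SIEM; "new host" and "port opened" on a server segment are the events worth a ticket, and a passive sensor such as PRADS fills the gaps between scans.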
KISMET
Problem it solves:
I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.
Pros:
Great command line interface.
Outputs log events for WIDS events and a periodic XML report for observed networks.
Cons:
The wireless adapter can’t transmit while in monitor mode, so a dedicated adapter is needed.
Why we like it:
This tool is very versatile. There are plugins for DECT and Ubertooth devices.
OSSIM
Problem it solves:
I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.
Pros:
USM: Unifies management of these tools and offers correlation between event sources.
Includes incident response templates & workflows.
Cons:
Full intelligence feed, log management and management features require the commercial version.
Why we like it:
It makes it easy to implement and manage all these tools (OSSEC, Snort, Ntop, OpenVAS & others) at once.
Open Source Asset Discovery Tools
Nmap – http://nmap.org
The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.
PADS – http://passive.sourceforge.net
Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.
p0f – http://lcamtuf.coredump.cx/p0f3/
Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of the attackers).
PRADS – http://gamelinux.github.io/prads
Passive Real-Time Asset Detection System. Alternative to PADS: listens to the network and gathers information on hosts and services.
Open Source Threat Detection Tools
Snort – http://www.snort.org
The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.
Suricata – http://suricata-ids.org
“Next Generation” alternative (or not) to Snort, funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.
Kismet – http://www.kismetwireless.net
An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.
OSSEC – http://www.ossec.net
Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
Open Source Behavioral Monitoring Tools
Ntop – http://www.ntop.org
A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.
NfSen – http://nfsen.sourceforge.net
A web-based GUI for the nfdump netflow tools. Use to monitor netflows.
OpenFPC – http://www.openfpc.org
A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.
Nagios – http://www.nagios.org
Open source IT monitoring system. Use to monitor activity on servers.
Open Source Vulnerability Assessment Tools
OpenVAS – http://openvas.org
Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, created when Nessus converted to closed source.
OVALdi – http://www.decalage.info/en/ovaldi
An open source reference implementation of a vulnerability scanner based on OVAL definitions. Alternative to OpenVAS.
Open Source Intelligence and Analytics Tools
OSSIM – http://www.alienvault.com/ossim
Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from a single pane of glass.
Logstash – http://logstash.net/
A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.
What is a HoneyPot?
A honeypot is a machine placed on the network for the purpose of posing as an enticing target, but which triggers alarms when it is attacked.
Benefits:
• High detection accuracy
• Consumes large amounts of attackers’ time
• Highly effective if properly employed
Drawbacks:
• Difficult to manage
• Experienced attackers have learned to ignore targets that are too good to be true
• Leaves a vulnerable system on your network
The Modern Honey Network project:
Makes deploying and managing secure honeypots extremely simple.
From the secure deployment to the aggregation of thousands of events, MHN provides enterprise-grade management of the most current open source honeypot software.
MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale.
MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise-grade levels. MHN provides a full REST API out of the box, and CEF and STIX support is being made available now for direct SIEM integration.
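To make the honeypot definition and the "low-interaction" point concrete, here is an added example (not from the slides, and not MHN, Kippo or any other project's code) of a minimal low-interaction TCP honeypot: it listens on a few decoy ports, sends a plausible banner, records whatever the client sends first, and emits one JSON alert per connection. Because nothing legitimate should ever touch a decoy port, every hit is a high-confidence detection, which is the "high detection accuracy" benefit; and because the listener never executes or interprets what it receives, it limits the "leaves a vulnerable system on your network" drawback. The ports and banners are constructed for the example.

```python
"""Minimal low-interaction TCP honeypot with JSON alerting.

Added example; not part of the original slides and not MHN, Kippo or
any other project's code. Decoy ports and banners are constructed for
the example (high ports so it runs without root).
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Hypothetical decoys: port -> (service label, banner sent to the client).
DECOYS = {
    2222: ("ssh", b"SSH-2.0-OpenSSH_7.4\r\n"),
    2323: ("telnet", b"login: "),
    8080: ("http", b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n"),
}
MAX_SAMPLE = 256   # bytes of client input kept in the alert


def make_alert(port, peer, data, when=None):
    """Build the alert record for one connection to a decoy port.

    peer is the (ip, port) tuple from accept(); data is the first bytes
    the client sent, possibly empty for a bare connect-and-drop.
    """
    when = when or datetime.now(timezone.utc)
    sample = data[:MAX_SAMPLE]
    return {
        "ts": when.isoformat(),
        "sensor": "honeypot",
        "severity": "high",            # no legitimate client ever lands here
        "service": DECOYS.get(port, ("unknown", b""))[0],
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "bytes_sent": len(data),
        "sample": sample.decode("ascii", errors="replace"),
        # Non-printable payloads on a text service hint at a binary exploit attempt.
        "printable": all(32 <= b < 127 or b in (9, 10, 13) for b in sample),
    }


def summarize(alerts):
    """Per-source hit count and decoy ports touched; many ports from one
    source is the signature of a scanner sweeping the segment."""
    by_src = {}
    for a in alerts:
        entry = by_src.setdefault(a["src_ip"], {"hits": 0, "ports": set()})
        entry["hits"] += 1
        entry["ports"].add(a["dst_port"])
    return {ip: {"hits": e["hits"], "ports": sorted(e["ports"])} for ip, e in by_src.items()}


def handle(conn, peer, port, sink):
    """Serve one client: banner out, a little data in, alert, close. Nothing is executed."""
    try:
        conn.settimeout(5)
        conn.sendall(DECOYS[port][1])
        try:
            data = conn.recv(MAX_SAMPLE)
        except socket.timeout:
            data = b""
        sink(make_alert(port, peer, data))
    finally:
        conn.close()


def serve(port, sink, bind="0.0.0.0"):
    """Accept loop for one decoy port; each client gets its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle, args=(conn, peer, port, sink), daemon=True).start()


def log_json(alert):
    """Default sink: one JSON object per line, ready for a log shipper or SIEM collector."""
    print(json.dumps(alert, sort_keys=True), flush=True)


if __name__ == "__main__":
    for p in DECOYS:
        threading.Thread(target=serve, args=(p, log_json), daemon=True).start()
    threading.Event().wait()   # run until interrupted
```

Deploy it on a host that holds nothing of value, ship the JSON lines to the same collector as the IDS alerts, and alert on `summarize()` output by source; a production deployment would use MHN's sensor management and HPFeeds transport instead of this print-to-stdout sink.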
Open-Source honeypots
Snort – Network listener – https://www.snort.org/
Suricata – 64-bit multicore version of Snort – http://suricata-ids.org/
Dionaea – Malware capture and dissection – http://dionaea.carnivore.it/
Conpot – SCADA network emulation – http://conpot.org/
Kippo – Brute force attack logging – https://github.com/desaster/kippo
Amun – Malware capture – http://amunhoney.sourceforge.net/
Glastopf – Vulnerability emulation – http://glastopf.org/
Wordpot – WordPress emulation honeypot – http://brindi.si/g/projects/wordpot.html
ShockPot – Shellshock honeypot – https://github.com/threatstream/shockpot
*For more information visit The Honeynet Project @ http://www.honeynet.org/
What’s going to happen?
https://flic.kr/p/gMhZLV
MORE in 2015
• More breaches
• More noise
• More “silver bullets”
• More complexity
https://flic.kr/p/9FGgsK
And LESS…
• Less time
• Less available people with proper skills
• Less margin for error
https://flic.kr/p/hndeH
Bad Year. For Retail!
• Breach-O-Rams
• What did we learn?
• Attack surface
• POS devices
• The value of alerts
Increasingly Advanced Attacks
• More sophisticated malware
• Better C&C
• Shorter window to mass distribution
Benefiting from the Misfortune of Others
• You can’t “get ahead of the threat”
• But you can learn from high profile folks
• Threat intelligence broke out in 2014
• How can you use it?
• Changing market dynamics
https://flic.kr/p/82JDK8
We haven’t addressed the security skills gap
http://www.flickr.com/photos/morton/2305095296/
Complexity Ahead
• Hybrid Cloud
• DevOps
• Increased Attack Surface
https://flic.kr/p/ahKnn1
On the Horizon
Mobile Everything. Cloud Everything. Connected Everything (IoT)
http://www.flickr.com/photos/52859023@N00/644335254 https://flic.kr/p/aGWfWB
Shopping List 2015
Network Security
• NGFW vs. UTM vs. IPS
• Sandbox for the masses
• SDN emerging? (and how do you secure it?)
• Consistency of Policy is Paramount
https://flic.kr/p/4pK11q
Endpoint Security
• Lots of new “solutions” that are shiny.
• Advanced Malware Protection
• Bundled with Network Security?
• Whither traditional AV? (Finally)
https://flic.kr/p/4Weo8G
Security Management
• Threat Intelligence hits the mainstream
• Forensics and IR to the forefront
• Monitoring the Hybrid Cloud
The Evolution of IDS
Introduction
• How has IDS/IPS changed in the past 10 years?
• First, there’s been more of a move to prevention vs. just passive detection
• Second, IDS really doesn’t function as a “standalone” tool anymore (for most)
• The context of what is happening in and around the environment is key
Packets? What packets?
• Getting access to network traffic was one of the first goals of intrusion detection platforms
• Classic sniffers like TCPdump led to the creation of Snort and Bro, as well as commercial options
• Gaining access to the network traffic itself was a challenge
– Promiscuous mode interfaces
– Dual-homed configs
– Finally, SPAN ports or taps
Aha. Now we’ve got packets!
• Packets! We have them!
• But… now what?
• For most, setting up IDS sensors led to the realization that we needed better knowledge of the environment
Patterns of packets make more sense.
• We now can start to analyze patterns of behavior
– Who is talking to whom
– Types of traffic
– Source/destination ports
– Protocols
• Patterns of traffic ebbs and flows are useful for volume analysis and troubleshooting, too
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
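The flow records above are where "who is talking to whom, on which ports, with what protocol" comes from. As an added example (not the slides' code and not part of flow-tools or nfdump), the following parses records in the column layout shown, aggregates them into the patterns the slide lists, and decodes the TCP flag field. It assumes, from the values on the slide, that the protocol, port and flag columns are printed in hexadecimal while packet and byte counts are decimal; the two slide rows are reused and the remaining rows are constructed.

```python
"""Turn flow records into traffic patterns: who talks to whom, on what, how much.

Added example, not code from the slides. The input mimics the flow-tools
style print on the slide; the hex convention for Pr/SrcP/DstP/Fl is an
assumption drawn from the values shown. Rows 3-6 are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = """\
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
0059 10.1.2.20 005b 10.1.2.5 06 c3f2 1bd 24 3120 0721.21:58:01.100 0721.21:58:01.900 0.800 130 00 1b
0059 10.1.2.20 005b 10.1.2.6 06 c3f3 1bd 24 3100 0721.21:58:01.200 0721.21:58:01.950 0.750 129 00 1b
0059 10.1.2.20 005b 10.1.2.7 06 c3f4 1bd 3 120 0721.21:58:01.300 0721.21:58:01.300 0.000 40 00 02
0059 10.1.2.21 005b 10.1.2.5 11 d1e0 35 2 140 0721.21:58:02.000 0721.21:58:02.010 0.010 70 00 00
"""

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int
    octets: int
    flags: int     # cumulative TCP flags seen in the flow (0 for non-TCP)

    def flag_names(self):
        return [name for bit, name in sorted(TCP_FLAGS.items()) if self.flags & bit]


def parse_flow(line):
    """One record: 15 whitespace-separated columns as in the header above."""
    f = line.split()
    if len(f) != 15:
        raise ValueError(f"expected 15 columns, got {len(f)}: {line!r}")
    return Flow(src=f[1], dst=f[3], proto=int(f[4], 16),
                sport=int(f[5], 16), dport=int(f[6], 16),
                pkts=int(f[7]), octets=int(f[8]), flags=int(f[14], 16))


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Sif"):   # blank lines and the column header
            continue
        flows.append(parse_flow(line))
    return flows


def talk_matrix(flows):
    """Who talks to whom: bytes per (src, dst) pair, largest first."""
    by_pair = Counter()
    for fl in flows:
        by_pair[(fl.src, fl.dst)] += fl.octets
    return by_pair.most_common()


def service_profile(flows):
    """Per (protocol, destination port): how many distinct sources used it."""
    sources = defaultdict(set)
    for fl in flows:
        sources[(PROTO.get(fl.proto, str(fl.proto)), fl.dport)].add(fl.src)
    return {key: len(srcs) for key, srcs in sources.items()}


def half_open(flows):
    """Short SYN-only TCP flows: connection attempts that never completed.
    A burst of these from one source is the footprint of a port scan."""
    return [fl for fl in flows if fl.proto == 6 and fl.flags == 0x02 and fl.pkts <= 3]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for pair, octets in talk_matrix(flows):
        print(f"{pair[0]:>16} -> {pair[1]:<16} {octets:>6} bytes")
    print(service_profile(flows))
    print([(fl.src, fl.dst, fl.flag_names()) for fl in half_open(flows)])
```

The same three views (top talkers, service profile, incomplete handshakes) are what the flow tools in the behavioral-monitoring table expose in their dashboards; the value of doing it by hand once is understanding what the numbers in those dashboards are made of.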
Patterns -> Blocking.
• Intrusion detection gave way to blocking with intrusion prevention systems
– This was driven by better understanding of traffic patterns and signature sets
• Most IDS and IPS platforms, even in blocking mode, did not have much understanding of context
– Most blocks were “point in time” matches based on packet attributes
What do the patterns MEAN?
• IDS and IPS needed to evolve to make better sense of what was happening in the environment
• To that end, more data is needed
– Events from other network devices
– Events from scans and user information
– Data from vulnerability scanners and monitoring tools
• This is how we can start to build context of what’s happening in the environment.
Event Data, and Lots of It
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Traditional IDS and IPS alerts are often overwhelming
Event Data, and Lots of It (2)
Firewalls and routers are simple, static filtering devices with no understanding of context
Context + Alerting
• With event data from numerous sources, you can start to build context in the environment
– What systems communicate in a given subnet?
– What known vulnerabilities are there in the environment?
– What network devices does the traffic pass through?
• The IDS/IPS by itself, however, will still only report what it “sees”
Visibility: What IDS “Sees”
• Only traffic that passes by or through the IDS/IPS is analyzed
– Subnets? Check.
– Source/Destination ports? Check.
– Applications or platforms in use? Nope.
Visibility: More Data = Better
• Attacks are no longer viewed as discrete events at a “point in time”
• More data adds context and tells a better “security story”
– Passive scan data on OS, applications
– Active scan data on vulnerabilities
– Behavioral trend data
– System logs and endpoint security
– User directory data
Hmmm. Too many alerts?
• Now we have to start paring down alerts to get to *better* data
– Are there false positives we’ve discovered?
– Can we prioritize some data?
– Can we start combining data types into unique alert models?
• Data overload is a very common problem with IDS/IPS sensors
Correlation -> BETTER alerts.
• Correlation makes a big difference in how events are reported
• Not every unique event makes sense to alert on
– Combinations of events
– Quantity of events
– Times of day or location (source/destination)
• Having some context and behavioral baseline can help
Which of my vulnerable assets are under attack?
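The question "which of my vulnerable assets are under attack?" is answered by joining the raw alert stream with the inventory and scan data the previous slides describe. The following is an added example (not the slides' code and not part of Snort or OSSIM) that parses alerts in the Snort full-alert layout shown earlier, enriches each with what the asset inventory knows about the target (role, open ports, scanner findings) and the source (internal or not), and turns the result into a ranked list. It goes a little beyond the slide's sample by also accepting the `[gid:sid:rev]` block Snort prints before the message. The alert text, the inventory and the "sqli" scanner tag are constructed for the example.

```python
"""Parse Snort full-format alerts and rank them against asset context.

Added example; not the slides' code and not part of Snort or OSSIM.
Alerts, inventory, address ranges and the vulnerability tags are all
constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_ALERTS = """\
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] [1:1000001:1] SQL Injection [**]
10/30-20:39:10.000001 203.0.113.9:44120 -> 192.168.1.61:8443
TCP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x100 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] SQL Injection [**]
10/30-20:40:00.000001 203.0.113.9:44121 -> 192.168.1.61:80
TCP TTL:52 TOS:0x0 ID:2 IpLen:20 DgmLen:700 DF
***AP*** Seq: 0x3 Ack: 0x4 Win: 0x100 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

# Inventory as Nmap/PRADS (role, OS, ports) and a vulnerability scan (tags) would fill it.
ASSETS = {
    "192.168.1.61": {"role": "web server", "os": "Linux", "open_ports": {22, 80}, "vuln_tags": {"sqli"}},
    "192.168.1.52": {"role": "workstation", "os": "Windows 7", "open_ports": {135, 445}, "vuln_tags": set()},
}
INTERNAL = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
# Alert message keywords mapped to the scanner's finding tags.
MSG_TAGS = {"sql injection": "sqli", "cross site scripting": "xss", "shellshock": "shellshock"}

ALERT_RE = re.compile(r"^\[\*\*\]\s*(?:\[(\d+):(\d+):(\d+)\]\s*)?(.*?)\s*\[\*\*\]$")
PKT_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


@dataclass
class Alert:
    msg: str
    sid: str
    when: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_full_alerts(text):
    """Each alert is a header line, a timestamp/address line and a protocol line."""
    lines = [l.rstrip() for l in text.splitlines()]
    alerts, i = [], 0
    while i + 2 < len(lines):
        m = ALERT_RE.match(lines[i])
        if not m:
            i += 1
            continue
        p = PKT_RE.match(lines[i + 1])
        if not p:
            raise ValueError(f"bad packet line after alert header: {lines[i + 1]!r}")
        alerts.append(Alert(msg=m.group(4), sid=m.group(2) or "?", when=f"{p.group(1)} {p.group(2)}",
                            src=p.group(3), sport=int(p.group(4)), dst=p.group(5),
                            dport=int(p.group(6)), proto=lines[i + 2].split()[0]))
        i += 3
    return alerts


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def enrich(alert, assets=ASSETS):
    """Attach inventory knowledge to one alert and score it; the weights are a constructed policy."""
    asset = assets.get(alert.dst)
    score, reasons = 1, []
    if asset is None:
        reasons.append("target not in inventory")
    else:
        score += 1
        reasons.append(f"target is a {asset['role']} ({asset['os']})")
        if alert.dport not in asset["open_ports"]:
            score -= 1
            reasons.append(f"port {alert.dport} is not open on target: likely noise")
        else:
            score += 2
            reasons.append(f"port {alert.dport} is open on target")
            tag = next((t for k, t in MSG_TAGS.items() if k in alert.msg.lower()), None)
            if tag in asset["vuln_tags"]:
                score += 3
                reasons.append(f"scanner reported a matching '{tag}' weakness")
    if is_internal(alert.src):
        score += 2
        reasons.append("source is an internal host: possible lateral movement")
    priority = "critical" if score >= 8 else "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"alert": alert, "score": score, "priority": priority, "reasons": reasons}


def triage(text, assets=ASSETS):
    """Parse, enrich and sort: highest score first."""
    return sorted((enrich(a, assets) for a in parse_full_alerts(text)), key=lambda e: -e["score"])


if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        a = item["alert"]
        print(f"[{item['priority']:>8}] {a.src} -> {a.dst}:{a.dport} {a.msg}: " + "; ".join(item["reasons"]))
```

Three alerts with the same signature end up critical, high and low: the one from an inside host against a web server the scanner already flagged for SQL injection rises to the top, while the one aimed at a port the target does not even listen on drops to the bottom. That is the whole point of correlation: the signature did not change, the context did.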
Live Demo: Get Complete Security Visibility in Under 1 Hour
@AlienVault
Agenda
• The breach – common ways attackers get in
• What they do next to infiltrate the network
• Why detecting their movements is tricky
• Demo: How to detect attackers moving stealthily around your network
The Breach
Client-side vulnerabilities exploited by:
• Malicious website, i.e. watering hole attacks
• Malicious email attachment
Gives attackers access to the local system with privileges of the local user
What happens next
• Grab credentials of cached users
• Browse the domain
• Exfiltrate data
But how is this possible?
Windows Credentials Editor
Allows an attacker to list Windows logon sessions and add, change, list and delete associated credentials
• Pass-The-Hash on Windows machines
• Grab NTLM credentials from cached memory
• Grab Kerberos tickets from Windows machines
• Dump cleartext passwords stored by Windows authentication packages
Pass the Hash for using credentials in crafty ways
• WMIC (Windows Management Instrumentation Command-line)
- Used to issue queries like running processes
- wmic -U demo/administrator%hash //172.16.1.1 "select csname,name,processid,sessionid from win32_process"
• WMIS (Windows Metadata and Internet Services)
- Can be used to create processes, sky is the limit with this attack vector
- wmis -U demo/administrator%hash //172.16.1.1 'cmd.exe /c dir c: > c:\windows\temp\blog.txt'
• SMBGET can pull files from Windows using a hash for the password
- smbget -w demo -u demo\administrator -O -p <hash> smb://172.16.1.1/c$/windows/temp/blog.txt
• CURL: pass the hash and we can view a default SharePoint page, logged in as john.smith
- curl --ntlm -u john.smith:<hash> http://intranet.demo.local/Pages/Default.aspx
Pass the Hash Toolkit
• There is also a toolkit for Windows with several pass the hash utilities
Tricky to detect because…
Firewall won’t catch it
• Exploiting client side vulnerabilities causes the victim’s machine to initiate a connection back to the attacker’s server
• Attacker’s domain browsing activities are also originating from the victim’s machine inside the network
Anti-virus is unlikely to catch it
• 82,000 new malware variants released every day*
No suspicious authentication failures
• Cached credentials are used to browse the domain so the attacker doesn’t need to guess passwords
So, what will catch it?
Network Intrusion Detection and effective correlation
How do you detect this?
*http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
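"Network intrusion detection and effective correlation" is the slide's answer but not its rule, so here is an added example (not the slides' code and not an AlienVault/OSSIM correlation directive) of one rule a defender can build from the two behaviours the slides describe: the compromised workstation first connects out to the attacker, then browses the domain from the inside over the SMB and DCE-RPC/WMI ports the tools above use, with cached credentials, so there are no failed logons to key on. The rule therefore watches successful admin-channel fan-out from a host whose inventory role says it should not be doing that, and raises severity when the same host made an outbound connection shortly before. The connection log, the site address range and the asset roles are constructed.

```python
"""Correlate NIDS connection events to flag pass-the-hash style lateral movement.

Added example; not the slides' code and not an AlienVault/OSSIM rule.
Event format, addresses, roles and thresholds are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("172.16.0.0/12")   # constructed site range
ADMIN_PORTS = {135, 445}      # DCE-RPC/WMI and SMB: the channels WMIC, WMIS and smbget ride on
WINDOW = timedelta(minutes=10)
FAN_OUT = 3                   # distinct hosts reached on admin ports before we alert

# Asset roles from the inventory (constructed). A jump host legitimately
# manages many machines, so its baseline is different from a workstation's.
ROLES = {
    "172.16.1.50": "workstation",
    "172.16.1.51": "workstation",
    "172.16.9.9": "admin jump host",
    "172.16.1.1": "domain controller",
}

# Constructed connection log: one row per new TCP session the NIDS saw.
SAMPLE_LOG = """\
ts,src,dst,dport
2015-03-02T09:00:05,172.16.1.50,198.51.100.7,443
2015-03-02T09:01:10,172.16.1.50,172.16.1.1,445
2015-03-02T09:01:12,172.16.1.50,172.16.1.2,135
2015-03-02T09:01:15,172.16.1.50,172.16.1.3,445
2015-03-02T09:01:20,172.16.1.50,172.16.1.4,445
2015-03-02T09:02:00,172.16.1.51,172.16.1.1,445
2015-03-02T09:05:00,172.16.9.9,172.16.1.1,445
2015-03-02T09:05:01,172.16.9.9,172.16.1.2,445
2015-03-02T09:05:02,172.16.9.9,172.16.1.3,445
2015-03-02T09:05:03,172.16.9.9,172.16.1.4,445
"""


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text):
    return [Conn(datetime.fromisoformat(r["ts"]), r["src"], r["dst"], int(r["dport"]))
            for r in csv.DictReader(io.StringIO(text))]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def detect_lateral_movement(conns, roles=ROLES, window=WINDOW, fan_out=FAN_OUT):
    """One finding per source that reaches >= fan_out internal hosts on admin
    ports inside `window`. An outbound connection from the same source in the
    preceding window (the exploit's callback) upgrades the finding to critical."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)
    findings = []
    for src, evs in by_src.items():
        role = roles.get(src, "unknown")
        if role == "admin jump host":
            continue                      # expected to touch many hosts; exempt from this rule
        admin = [e for e in evs if is_internal(e.dst) and e.dport in ADMIN_PORTS]
        outbound = [e for e in evs if not is_internal(e.dst)]
        for start in admin:               # slide a window forward from each admin-port event
            in_window = [e for e in admin if start.ts <= e.ts <= start.ts + window]
            targets = sorted({e.dst for e in in_window})
            if len(targets) < fan_out:
                continue
            callback = [e for e in outbound if start.ts - window <= e.ts <= start.ts]
            findings.append({
                "src": src,
                "role": role,
                "first_seen": start.ts.isoformat(),
                "targets": targets,
                "callback_to": [e.dst for e in callback],
                "severity": "critical" if callback else "high",
            })
            break                         # one finding per source is enough
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(parse_log(SAMPLE_LOG)):
        print(f"{f['severity'].upper()}: {f['src']} ({f['role']}) reached {len(f['targets'])} hosts "
              f"on admin ports from {f['first_seen']}; callback to {f['callback_to'] or 'none'}")
```

The workstation at 172.16.1.50 fires as critical (callback plus four SMB/WMI targets in ten seconds), the second workstation's single file-server session does not, and the jump host's identical fan-out is suppressed by its role; run the same data with an empty role map and the jump host fires as high, which is exactly the false positive the inventory is there to remove.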

Javascript Deofuscation A manual ApproachJavascript Deofuscation A manual Approach
Javascript Deofuscation A manual Approach
 

Recently uploaded

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

IDS+Honeypots Making Security Simple

  • 2. Gregory Hanis, Cyber Security Specialist, https://www.linkedin.com/in/gregtampa
     About the Author: Gregory Hanis has been an extraordinary individual who has done invaluable research in the field of Cyber Security. From a young kid at the age of 13 he has written software which is still used today in cyber security. He has owned a computer repair company for over three years. He has a 4-year bachelor’s degree in Information Security Systems. Greg has also been featured in Rolling Stone magazine and has been on CBS News numerous times, along with other publications. He gives talks and trainings around the country sharing his knowledge with the public and private sectors. He sits on the board of directors of SFISSA (South Florida Information Systems Security Association).
  • 3. 2 Types of Security Controls
     Preventative Controls: used to implement C-I-A. Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP, EIEIO. Prevent an incident.
     Detective Controls: provide visibility & response. Asset Discovery, VA, IDS/IPS, Log Management, Analytics. Detect & respond to an incident.
  • 4. IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
  • 5. Firewalls/Antivirus are not enough
     • Firewalls are usually not the target – too difficult to effectively penetrate
     • Endpoints are the target, usually via email, URL redirects, misc. malicious files, etc.
     • With 160,000 new malware samples seen every day, antivirus apps will not find every threat
     • Needs to be bolstered by regular and comprehensive monitoring
  • 6. Prevention is elusive
     “There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”
     - James Routh, 2007, CISO, Depository Trust Clearing Corporation
  • 7. Threat landscape: Our new reality
     • More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
     • The number of organizations experiencing high profile breaches is unprecedented.
     • The “security arms race” cannot continue indefinitely as the economics of securing your organization is stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.
     84% of organizations breached had evidence of the breach in their log files… Source: Verizon Data Breach Report, 2014
  • 8.
  • 9. Prevent: The basics are in place. Beyond that, buyer beware! (“New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter!”)
     Detect & Respond: Get good at detection & response. New capabilities to develop.
  • 10. “How would you change your strategy if you knew for certain that you were going to be compromised?”
     - Martin Roesch, 2013, Founder & CTO of Sourcefire, author of Snort
  • 12. Many professional SOCs are powered by open source. THERE’S AN APP FOR THAT! PRADS, NfSen, P0f, OVALdi, MDL, OpenFPC, PADS
  • 13. Challenge: Name that tool! Open source alternatives for each of the 5 categories: Vulnerability Assessment, Threat Detection, Behavioral Monitoring, Analytics & Intelligence, Asset Discovery.
  • 14. LET’S TALK ABOUT SOME OF THE TOOLS
     • Asset Discovery with Nmap & PRADS
     • Wireless IDS with Kismet
     • Unified Security Management with OSSIM (includes OSSEC, Snort, ntop, OpenVAS)
  • 15. NMAP & PRADS
     Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).
     Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output.
     Cons: Both tools produce extremely very verbose output. PRADS does not have a GUI.
     Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
  • 16. KISMET
     Problem it solves: I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.
     Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks.
     Cons: The wireless adapter can’t transmit while in monitor mode, so a dedicated adapter is needed.
     Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.
  • 17. OSSIM
     Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.
     Pros: USM unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows.
     Cons: The full intelligence feed, log management and management features require the commercial version.
     Why we like it: It makes it easy to implement and manage all these tools at once (OSSEC, Snort, Ntop, OpenVAS & others).
  • 18. Open Source Asset Discovery Tools
     Nmap – http://nmap.org – The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.
     PADS – http://passive.sourceforge.net – Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.
     P0f – http://lcamtuf.coredump.cx/p0f3/ – Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of the attackers).
     PRADS – http://gamelinux.github.io/prads – Passive Real-Time Asset Detection. Alternative to PADS: listens to the network and gathers information on hosts and services.
     Open Source Threat Detection Tools
     Snort – http://www.snort.org – The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.
     Suricata – http://suricata-ids.org – “Next Generation” alternative (or not) to Snort funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.
     Kismet – http://www.kismetwireless.net – An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.
     OSSEC – http://www.ossec.net – Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
  • 19. Open Source Behavioral Monitoring Tools
     Ntop – http://www.ntop.org – A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.
     Nfsen – http://nfsen.sourceforge.net – A web-based GUI for the nfdump netflow tools. Use to monitor netflows.
     OpenFPC – http://www.openfpc.org – A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.
     Nagios – http://www.nagios.org – Open source IT monitoring system. Use to monitor activity on servers.
     Open Source Vulnerability Assessment Tools
     OpenVAS – http://openvas.org – Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.
     OVALdi – http://www.decalage.info/en/ovaldi – An open source reference implementation of a vulnerability scanner based on the OVAL definition. Alternative to OpenVAS.
     Open Source Intelligence and Analytics Tools
     OSSIM – http://www.alienvault.com/ossim – Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from a single pane of glass.
     Logstash – http://logstash.net/ – A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.
  • 20.
  • 21. What is a HoneyPot? A honeypot is a machine placed on the network for the purpose of posing as an enticing target, but one that triggers alarms when it is attacked.
     Benefits: High detection accuracy. Consumes large amounts of attackers’ time. Highly effective if properly employed.
     Drawbacks: Difficult to manage. Experienced attackers have learned to ignore targets that are too good to be true. Leaves a vulnerable system on your network.
  • 22. The Modern Honey Network project: Makes deploying and managing secure honeypots extremely simple. From the secure deployment to the aggregation of thousands of events, MHN provides enterprise grade management of the most current open source honeypot software. MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale. MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise grade levels. MHN provides a full REST API out of the box and is making CEF and STIX support available now for direct SIEM integration.
  • 23. Open-Source honeypots
     Snort – Network listener – https://www.snort.org/
     Suricata – 64bit multicore version of Snort – http://suricata-ids.org/
     Dionaea – Malware capture and dissection – http://dionaea.carnivore.it/
     Conpot – SCADA network emulation – http://conpot.org/
     Kippo – Brute force attack logging – https://github.com/desaster/kippo
     Amun – Malware capture – http://amunhoney.sourceforge.net/
     Glastopf – Vulnerability emulation – http://glastopf.org/
     Wordpot – WordPress emulation honeypot – http://brindi.si/g/projects/wordpot.html
     ShockPot – Shellshock honeypot – https://github.com/threatstream/shockpot
     *For more information visit The Honeynet Project @ http://www.honeynet.org/
  • 24. What’s going to happen? https://flic.kr/p/gMhZLV
  • 25. MORE in 2015 • More breaches • More noise • More “silver bullets” • More complexity https://flic.kr/p/9FGgsK
  • 26. And LESS… • Less time • Less Available People with Proper Skills • Less margin for error https://flic.kr/p/hndeH
  • 27. Bad Year. For Retail! • Breach-O-Rams • What did we learn? • Attack surface • POS devices • The value of alerts
  • 28. Increasingly Advanced Attacks • More sophisticated malware • Better C&C • Shorter window to mass distribution
  • 29. Benefiting from the Misfortune of Others • You can’t “get ahead of the threat” • But you can learn from high profile folks • Threat intelligence broke out in 2014 • How can you use it? • Changing market dynamics https://flic.kr/p/82JDK8
  • 30. We haven’t addressed the security skills gap http://www.flickr.com/photos/morton/2305095296/
  • 31. Complexity Ahead • Hybrid Cloud • DevOps • Increased Attack Surface https://flic.kr/p/ahKnn1
  • 32. On the Horizon Mobile Everything. Cloud Everything. Connected Everything (IoT) http://www.flickr.com/photos/52859023@N00/644335254 https://flic.kr/p/aGWfWB
  • 34. Network Security • NGFW vs. UTM vs. IPS • Sandbox for the masses • SDN emerging? (and how do you secure it?) • Consistency of Policy is Paramount https://flic.kr/p/4pK11q
  • 35. Endpoint Security • Lots of new “solutions” that are shiny. • Advanced Malware Protection • Bundled with Network Security? • Whither traditional AV? (Finally) https://flic.kr/p/4Weo8G
  • 36. Security Management • Threat Intelligence hits the mainstream • Forensics and IR to the forefront • Monitoring the Hybrid Cloud
  • 38. Introduction
     • How has IDS/IPS changed in the past 10 years?
     • First, there’s been more of a move to prevention vs. just passive detection
     • Second, IDS really doesn’t function as a “standalone” tool anymore (for most)
     • The context of what is happening in and around the environment is key
  • 39. Packets? What packets?
     • Getting access to network traffic was one of the first goals of intrusion detection platforms
     • Classic sniffers like TCPdump led to the creation of Snort and Bro, as well as commercial options
     • Gaining access to the network traffic itself was a challenge
       – Promiscuous mode interfaces
       – Dual-homed configs
       – Finally, SPAN ports or taps
  • 40. Aha. Now we’ve got packets!
     • Packets! We have them!
     • But…now what?
     • For most, setting up IDS sensors led to the realization that we needed better knowledge of the environment
  • 41. Patterns of packets make more sense.
     • We now can start to analyze patterns of behavior
       – Who is talking to whom
       – Types of traffic
       – Source/destination ports
       – Protocols
     • Patterns of traffic ebbs and flows are useful for volume analysis and troubleshooting, too
     Flow records shown on the slide:
       Sif  SrcIPaddress  Dif  DstIPaddress     Pr  SrcP  DstP  Pkts  Octets  StartTime          EndTime            Active  B/Pk  Ts  Fl
       0059 127.0.0.1     005b 219.140.194.174  06  50    4f3   1     40      0721.21:58:00.593  0721.21:58:00.593  0.000   40    00  14
       0059 127.0.0.1     005b 219.148.205.228  06  50    6ef   1     40      0721.21:57:56.533  0721.21:57:56.533  0.000   40    00  14
  • 42. Patterns -> Blocking.
     • Intrusion detection gave way to blocking with intrusion prevention systems
       – This was driven by better understanding of traffic patterns and signature sets
     • Most IDS and IPS platforms, even in blocking mode, did not have much understanding of context
       – Most blocks were “point in time” matches based on packet attributes
  • 43. What do the patterns MEAN?
     • IDS and IPS needed to evolve to make better sense of what was happening in the environment
     • To that end, more data is needed
       – Events from other network devices
       – Events from scans and user information
       – Data from vulnerability scanners and monitoring tools
     • This is how we can start to build context of what’s happening in the environment.
  • 44. Event Data, and Lots of It
     Traditional IDS and IPS alerts are often overwhelming. Snort alert shown on the slide:
       [**] SQL Injection [**]
       10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
       TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
       ***AP*** Seq: 0xF69FDBE3  Ack: 0x3D5C8C4  Win: 0xF991  TcpLen: 20
       =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
  • 45. Event Data, and Lots of It (2)
     Firewalls and routers are simple, static filtering devices with no understanding of context
  • 46. Context + Alerting
     • With event data from numerous sources, you can start to build context in the environment
       – What systems communicate in a given subnet?
       – What known vulnerabilities are there in the environment?
       – What network devices does the traffic pass through?
     • The IDS/IPS by itself, however, will still only report what it “sees”
  • 47. Visibility: What IDS “Sees”
     • Only traffic that passes by or through the IDS/IPS is analyzed
       – Subnets? Check.
       – Source/Destination ports? Check.
       – Applications or platforms in use? Nope.
  • 48. Visibility: More Data = Better
     • Attacks are no longer viewed as discrete events at a “point in time”
     • More data adds context and tells a better “security story”
       – Passive scan data on OS, applications
       – Active scan data on vulnerabilities
       – Behavioral trend data
       – System logs and endpoint security
       – User directory data
  • 49. Hmmm. Too many alerts?
     • Now we have to start paring down alerts to get to *better* data
       – Are there false positives we’ve discovered?
       – Can we prioritize some data?
       – Can we start combining data types into unique alert models?
     • Data overload is a very common problem with IDS/IPS sensors
  • 50. Correlation -> BETTER alerts.
     • Correlation makes a big difference in how events are reported
     • Not every unique event makes sense to alert on
       – Combinations of events
       – Quantity of events
       – Times of day or location (source/destination)
     • Having some context and behavioral baseline can help
  • 51. Which of my vulnerable assets are under attack?
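The correlation slides 43 through 51 describe, as an added example in Python that is not code from the deck, from Snort or from AlienVault: Snort fast-format alerts are grouped by source, destination and signature, scored against an asset inventory that carries open services and scanner-reported vulnerabilities, and the question above is answered by picking out the vulnerable assets actually being hit. The alert lines, the inventory, the SIDs and the SIG_TO_VULN mapping are constructed placeholders.

```python
"""Correlate Snort-style IDS alerts with an asset and vulnerability inventory.

Added example; not code from the slide deck or from any of the tools it lists.
The alert lines, the inventory and the signature-to-vulnerability map below
are constructed sample data (RFC 1918 addresses, made-up SIDs).
"""
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines: the same kind of event as the
# "SQL Injection" alert on slide 44, in Snort's one-line fast format.
SAMPLE_ALERTS = """\
10/30-20:38:56.753145  [**] [1:1000001:1] SQL Injection [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.52:2360 -> 192.168.1.61:80
10/30-20:38:57.101200  [**] [1:1000001:1] SQL Injection [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.52:2361 -> 192.168.1.61:80
10/30-20:39:01.000000  [**] [1:1000002:1] SMB Admin Share Access [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.52:49200 -> 192.168.1.70:445
10/30-20:40:10.000000  [**] [1:1000003:1] SSH Brute Force Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.9:51000 -> 192.168.1.61:22
10/30-20:41:00.000000  [**] [1:1000001:1] SQL Injection [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.52:2362 -> 192.168.1.61:80
10/30-20:42:00.000000  [**] [1:1000004:1] RDP Login Attempt [**] [Priority: 2] {TCP} 10.0.0.9:51001 -> 192.168.1.61:3389
10/30-20:43:00.000000  [**] [1:1000002:1] SMB Admin Share Access [**] [Priority: 2] {TCP} 10.0.0.9:51002 -> 192.168.1.99:445
"""

# Constructed inventory, the context slides 48 and 51 call for: passive/active
# scan data on exposed services plus the tags a vulnerability scanner reported.
ASSETS = {
    "192.168.1.61": {"role": "web server", "services": {80: "http", 22: "ssh"}, "vulns": {"sqli"}},
    "192.168.1.70": {"role": "file server", "services": {445: "smb"}, "vulns": set()},
}

# Hypothetical mapping from alert message to the scanner's tag for the same
# weakness; an assumption of this example, not a Snort feature.
SIG_TO_VULN = {"SQL Injection": "sqli", "SSH Brute Force Attempt": "weak-ssh-auth"}

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_alert(line):
    """Parse one Snort fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"], "priority": int(d["prio"]),
            "proto": d["proto"], "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])}


def correlate(alert_text, assets, repeat_threshold=3):
    """Group alerts by (src, dst, sid) and score each group with asset context.

    Snort priority 1 is the most severe, so the base score is 4 - priority.
    Context then moves it: an alert against a port the asset does not expose is
    probably a false positive; an alert whose signature matches a known unpatched
    vulnerability on the target is the one an analyst wants to see first.
    """
    groups = defaultdict(list)
    for line in alert_text.splitlines():
        alert = parse_fast_alert(line)
        if alert:
            groups[(alert["src"], alert["dst"], alert["sid"])].append(alert)

    findings = []
    for (src, dst, sid), alerts in groups.items():
        first = alerts[0]
        score = 4 - first["priority"]
        reasons, vuln_hit = [], False
        asset = assets.get(dst)
        if asset is None:
            reasons.append("destination not in inventory: unknown asset, needs discovery")
        else:
            service = asset["services"].get(first["dport"])
            if service:
                score += 1
                reasons.append(f"port {first['dport']} is an exposed {service} service on the {asset['role']}")
            else:
                score -= 1
                reasons.append(f"port {first['dport']} is not open on the target: likely false positive")
            tag = SIG_TO_VULN.get(first["msg"])
            if tag and tag in asset["vulns"]:
                score += 3
                vuln_hit = True
                reasons.append(f"target has the matching unpatched vulnerability '{tag}'")
        if len(alerts) >= repeat_threshold:
            score += 1
            reasons.append(f"{len(alerts)} repeats from the same source")
        findings.append({"src": src, "dst": dst, "sid": sid, "msg": first["msg"], "count": len(alerts),
                         "score": score, "vulnerable_target": vuln_hit, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def vulnerable_assets_under_attack(findings):
    """Slide 51's question: which inventoried assets with a matching vuln are being hit."""
    return sorted({f["dst"] for f in findings if f["vulnerable_target"]})


if __name__ == "__main__":
    results = correlate(SAMPLE_ALERTS, ASSETS)
    for f in results:
        print(f"score {f['score']:2d}  {f['src']} -> {f['dst']}  {f['msg']} x{f['count']}")
        for r in f["reasons"]:
            print("          -", r)
    print("vulnerable assets under attack:", vulnerable_assets_under_attack(results))
```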
  • 52. Live Demo: Get Complete Security Visibility in Under 1 Hour
  • 53. @AlienVault Agenda
     • The breach – common ways attackers get in
     • What they do next to infiltrate the network
     • Why detecting their movements is tricky
     • Demo: How to detect attackers moving stealthily around your network
  • 54. @AlienVault The Breach
     Client-side vulnerabilities exploited by:
     • Malicious website, i.e. watering hole attacks
     • Malicious email attachment
     Gives attackers access to the local system with privileges of the local user
  • 55. @AlienVault What happens next
     • Grab credentials of cached users
     • Browse the domain
     • Exfiltrate data
  • 56. @AlienVault But how is this possible? Windows Credentials Editor
     Allows an attacker to list Windows logon sessions and add, change, list and delete associated credentials
     • Pass-The-Hash on Windows machines
     • Grab NTLM credentials from cached memory
     • Grab Kerberos tickets from Windows machines
     • Dump cleartext passwords stored by Windows authentication packages
  • 57. @AlienVault But how is this possible? Pass the Hash for using credentials in crafty ways
     • WMIC (Windows Management Instrumentation Command-line)
       - Used to issue queries like running processes
       - wmic -U demo/administrator%hash //172.16.1.1 "select csname,name,processid,sessionid from win32_process"
  • 58. @AlienVault But how is this possible? Pass the Hash - using credentials in crafty ways (WMIS)
     • WMIS (Windows Metadata and Internet Services)
       - Can be used to create processes, sky is the limit with this attack vector
       - wmis -U demo/administrator%hash //172.16.1.1 'cmd.exe /c dir c: > c:\windows\temp\blog.txt'
  • 59. @AlienVault But how is this possible? Pass the Hash - using credentials in crafty ways (SMBGET)
     • SMBGET can pull files from Windows using a hash for the password
       - smbget -w demo -u demo\administrator -O -p <hash> smb://172.16.1.1/c$/windows/temp/blog.txt
  • 60. @AlienVault But how is this possible? CURL
     • Pass the hash and we can view a default SharePoint page, logged in as john.smith
     • curl --ntlm -u john.smith:<hash> http://intranet.demo.local/Pages/Default.aspx
  • 61. @AlienVault But how is this possible? Pass the Hash Toolkit
     • There is also a toolkit for Windows with several pass the hash utilities
  • 62. @AlienVault How do you detect this? Tricky to detect because…
     Firewall won’t catch it
     • Exploiting client side vulnerabilities causes the victim’s machine to initiate a connection back to the attacker’s server
     • Attacker’s domain browsing activities are also originating from the victim’s machine inside the network
     Anti-virus is unlikely to catch it
     • 82,000 new malware variants released every day*
     No suspicious authentication failures
     • Cached credentials are used to browse the domain so the attacker doesn’t need to guess passwords
     So, what will catch it? Network Intrusion Detection and effective correlation
     *http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
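The network-side detection the last slide points at, as an added example in Python that is not part of the AlienVault deck or any flow tool: it parses records in the column layout shown on slide 41 (hexadecimal protocol and port fields) and flags a non-admin host that reaches several internal hosts on SMB, RPC/WMI or WinRM ports inside one time window, which is the domain-browsing pattern that produces no authentication failures for a SIEM to see. The flow records, the addresses and the KNOWN_ADMIN_HOSTS list are constructed assumptions.

```python
"""Flag lateral-movement fan-out in flow records: the behavioral detection the
deck says is needed when the firewall and AV see nothing and no logon fails.

Added example, not from the slide deck or from any flow tool. The records
below are constructed in the slide 41 column layout (Sif, SrcIPaddress, Dif,
DstIPaddress, Pr, SrcP, DstP, Pkts, Octets, StartTime, EndTime, Active, B/Pk,
Ts, Fl); protocol and ports are hexadecimal there, so they are here too.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flows (year-less MMDD.HH:MM:SS.mmm timestamps, as on slide 41).
# 0x1bd = 445 (SMB), 0x87 = 135 (RPC/WMI), 0x1761 = 5985 (WinRM), 0x50 = 80 (HTTP).
SAMPLE_FLOWS = """\
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 192.168.1.52 005b 192.168.1.70 06 c0a1 1bd 14 1680 0721.21:58:00.593 0721.21:58:02.100 1.507 120 00 1b
0059 192.168.1.52 005b 192.168.1.71 06 c0a2 1bd 12 1440 0721.21:59:10.000 0721.21:59:11.200 1.200 120 00 1b
0059 192.168.1.52 005b 192.168.1.72 06 c0a3 87 9 900 0721.22:01:30.000 0721.22:01:30.800 0.800 100 00 1b
0059 192.168.1.52 005b 192.168.1.61 06 c0a4 1761 20 6000 0721.22:03:45.000 0721.22:03:50.000 5.000 300 00 1b
0059 192.168.1.52 005b 192.168.1.61 06 c0a5 50 30 9000 0721.22:04:00.000 0721.22:04:01.000 1.000 300 00 1b
0059 192.168.1.53 005b 192.168.1.70 06 d1f0 1bd 10 1200 0721.22:00:00.000 0721.22:00:01.000 1.000 120 00 1b
0059 192.168.1.10 005b 192.168.1.70 06 e000 1bd 10 1200 0721.22:05:00.000 0721.22:05:01.000 1.000 120 00 1b
0059 192.168.1.10 005b 192.168.1.71 06 e001 1bd 10 1200 0721.22:05:10.000 0721.22:05:11.000 1.000 120 00 1b
0059 192.168.1.10 005b 192.168.1.72 06 e002 1bd 10 1200 0721.22:05:20.000 0721.22:05:21.000 1.000 120 00 1b
"""

# Hosts whose job is remote administration (the "user directory data" of
# slide 48); a placeholder list assumed for this example.
KNOWN_ADMIN_HOSTS = {"192.168.1.10"}

ADMIN_PORTS = {445: "smb", 135: "rpc/wmi", 5985: "winrm", 3389: "rdp"}


def parse_flow(line):
    """Parse one slide-41-style record; the header and malformed lines return None."""
    fields = line.split()
    if len(fields) != 15 or fields[0] == "Sif":
        return None
    try:
        return {
            "src": fields[1], "dst": fields[3], "proto": int(fields[4], 16),
            "sport": int(fields[5], 16), "dport": int(fields[6], 16),
            "pkts": int(fields[7]), "octets": int(fields[8]),
            "start": datetime.strptime(fields[9], "%m%d.%H:%M:%S.%f"),
        }
    except ValueError:
        return None


def detect_lateral_fanout(flow_text, admin_hosts, window=timedelta(minutes=10), min_targets=3):
    """Report sources reaching >= min_targets distinct hosts on admin ports within one window.

    A workstation fanning out over SMB/WMI/WinRM is the domain-browsing pattern the
    deck describes. Hosts that legitimately administer the network are excluded so the
    rule does not fire on the help desk; one finding per source is enough for triage.
    """
    by_src = defaultdict(list)
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if (flow and flow["proto"] == 6 and flow["dport"] in ADMIN_PORTS
                and flow["src"] not in admin_hosts):
            by_src[flow["src"]].append(flow)

    findings = []
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f["start"])
        for i, first in enumerate(flows):          # slide the window from each flow
            targets = defaultdict(set)
            for flow in flows[i:]:
                if flow["start"] - first["start"] > window:
                    break
                targets[flow["dst"]].add(ADMIN_PORTS[flow["dport"]])
            if len(targets) >= min_targets:
                findings.append({"src": src, "first_seen": first["start"],
                                 "targets": {dst: sorted(p) for dst, p in targets.items()}})
                break
    return findings


if __name__ == "__main__":
    for f in detect_lateral_fanout(SAMPLE_FLOWS, KNOWN_ADMIN_HOSTS):
        print(f"{f['src']} reached {len(f['targets'])} hosts on admin ports "
              f"starting {f['first_seen']:%m-%d %H:%M:%S}")
        for dst, services in f["targets"].items():
            print("   ", dst, ", ".join(services))
```

Feeding it real nfdump or Nfsen exports means only adapting parse_flow to that column order; the window and threshold are the knobs to tune against the behavioral baseline slide 50 mentions.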

Editor's Notes

  1. Most organizations look like this… there’s a myriad of security solutions in their environment all promising to deliver greater visibility.
  2. \
  3. Add underpants gnomes & phase 1,
  4. *PCWorld.com http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html