SlideShare a Scribd company logo

Honeycon2016-honeypot updates for public

Julia Yu-Chin Cheng
Julia Yu-Chin Cheng

This slide is related to honeypot tools. Also introduce what kinds of attacks collecting by honeypots

Technology
1 of 65
Download to read offline
Updates and highlights from recent honeypot tools development The Honeynet project Julia Yu-Chin Cheng (Julia.yc.cheng@gmail.com)
Outline • Part 1: Basic Concept • Part 2: Updates and highlights of often-used honeypots • Part 3: Integrated Multi-Honeypot Framework
PART 1: BASIC CONCEPT
By Lance Spitzner 2002 What is Honeypot ?
What is Honeypot ? (Cont.) ‘A honeypot is a resource which is expected to be attacked or compromised.‘ • Goals of Honeypot : – Learn HOW we are being attacked – Learn WHO is attacking us – Learn WHAT the attackers try to achieve – Learn HOW TO DEFEND
Honeypot(s) can be very useful ! • If deployed in internal placement (behind your firewall): – Catch internal scanning hosts – Catch insider threats • If deployed in external placement – Early warning system via threat feeds – Attack trends – Information exchange Low-false positive rate
Honeypot Components Design : Mimic Vulnerability Interaction Handler Capture/ Analysis Logging Mimic Vulnerability: Used as bait to deceive or detect hackers, malware or misbehaving users Interaction handler: Handler the interaction of honeypot and attack(er). Capture/Analysis: Designed to capture/Analyze attack data. Logging: Log attacking events.
PART 2: Updates and highlights of often-used honeypots
Catch up the latest tool developmentat https://honeynet.org/blog
Often-used Tools and Honeypot Hpfeeds
Dionaea and Libemu
Dionaea – Malware Capture Honeypot • Server-side low interaction honeypot • Emulate remote exploitable bugs to trap malware exploiting and ultimately obtain a copy of the malware • Emulate vulnerabilities in Windows services such as SMB, HTTP, TFTP, FTP, mssql, mysql and sip • Libemu - Full shellcode emulation • Expandable through plugins and modules
Dionaea – Malware Capture Honeypot How Dionaea traps malicious content: Worm/Virus Network Service Emulation: SMB, http, ftp, tftp, MSSQL, MySQL, SIP Dionaea 1. Connect and chat with the network service 2. Reply Exploiting Payloads Gathering (mimic vulnerability) 3. Sending exploiting payloads Exploiting Payloads Detection Using Libemu 4. Shellcode Detection using Libemu Logging and Submit 6. Logging into files/DB or submit 3- party Malware Download 5. Dionaea use tftp/http/ftp protocol to gather the remote malware
LibEmu- Emulating the x86 shellcode • Step 1: Detect, measure and execute payloads (shellcode) sent by attackers • Step 2: Running the shellcode in the libemu vm Executing the shellcode to record API calls and arguments • Step 3: Take action to acquire a copy of the malware. – Shell Binding / Connect Back, Exec – Dionaea offers shell emulation for payload that offers a shell to the attacker (usually via port binding or connecting back to the attacker). – URLDownToFileAPI : Use URLDownloadToFileAPI call to retrieve files via HTTP and execute retrieved files afterwards.
Kippo and Cowrie
Kippo and Cowrie: SSH Honeypot • Kippo: – https://github.com/desaster/kippo – A medium-interaction SSH honeypot written in Python – Emulates an OpenSSH server and shell with virtual filesystem – Log brute force attacks and the entire attacking shell interaction • Cowrie: – http://www.micheloosterhof.com/cowrie/ – A full fake filesystem resembling a Debian 5.0 installation is included. Possibility of adding fake file contents – SFTP and SCP support for file upload – Support for SSH exec commands – Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
Cowrie Logs
Conpot
SCADA System Monitor,Collect,Decide Conpot - What is SCADA System ?
An introduction to SCADA RTU/PLC RTU/PLC HMI (Web Interface) Data Historian SCADA Server Work Station ModBus TCP/IP– DNP3 protocols communicate between SCADA server and RTU/PLC Communication Router TemperatureOil Pressure Alarm Radioactivity Industrial Equipment A SCADA system works by operating with signals that communicate via channels to provide the user with remote controls of any equipment.
• Five essential composing parts of a SCADA system: – Human Machine Interface (HMI): Each tag and sends it to a human operator – Supervisory system (SCADA Server): Gathers the data from each tag and sends commands or operations to the process. – Remote Terminal Units (RTUs): Connect sensors and convert their signals to digital data and send it to the supervisory system. – Programmable Logic Controllers (PLCs): Economical field devices – Communication infrastructures: Delivers connectivity to the supervisory system and then to the RTUs and PLCs for the user to command. An introduction to SCADA (Cont.)
An example of SCADA Software http://controltechme.com/en/full-tek/scada-software
SCADA Attack https://blog.fortinet.com/2015/02/12/known-scada-attacks-over-the-years
SCADA Communication Protocol • RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network Modbus is typically used for SCADA-style network communication between devices implementations over serial, TCP/IP Standard port 502 TCP ModBus DNP3(Distributed Network Protocol) used for communications between master station and RTUs Port 20000 TCP/UDP DNP3
Unsecure !? Modbus Profinet, s3/5/7 CIP, Ethernet/IP CC-Link No authentication, No encryption, No validation
Conpot - ICS/SCADA Honeypot • http://conpot.org/ • Trap attackers who attack SCADA system. • Low-interactive server side Industrial Control Systems honeypot • Emulator: – Common industrial control protocols - complex infrastructures – Productive HMI’s or real hardware with the complete stacks of the protocol
Conpot – Testing Conpot
Glastopf and Wordpot
Glastopf – Web Application Honeypot • http://glastopf.org/ • Server-side low interaction honeypot • Glastopf operates like a normal web server but emulates often-exploited web application vulnerabilities – SQL Injection – Remote File Inclusion (RFI) – Local File Inclusion (LFI) • When attacker sends HTTP request, Glastopf attempts to respond the expectations to, for example, download malicious files, system information exposure.
Glastopf – Web Application Honeypot http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1 http://www.example.com/product.php?id=10 AND 1=1 http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--
Glastopf – Web Application Honeypot The Attacker Vulnerable Web Server (http://www.target.com) 1.Send HTTP Request: http://www.target.com/index.php? page=../../../../../var/log/auth.log LFI Attack
Glastopf – Web Application Honeypot • Glastopf v3 Project Update: – Vulenrability Emulator concerns with what attacker expects to see when sending HTTP requests. – Dynamic dork list – Advanced SQL injection handler
Bot execute file collected from Glastopf
From Glastopf to Wordpot • Wordpot is a Wordpress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a wordpress installation. • http://brindi.si/g/projects/wordpot.html
Thug
Drive-by-download attack 37 Vulnerable Web Server Phishing Site 瀏覽惡意連結,導 致瀏覽器遭受 Exploit Code攻擊, 下載遠端惡意程式 設置一個以假亂真的網站,來欺騙網路瀏覽者上當 利用網路瀏覽者對於正常網站的信任感, 讓使用者在不知不覺中被植入木馬程式 惡意程式伺服器( 秘密基地) 下載新型惡意程式,接受駭客控制
Exploit Kit (EK) • Exploit kit (EK) – A server-based framework that uses exploits to take advantage of vulnerabilities in browser- related software applications to infect a client without the user’s knowledge Reference:http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit- fundamentals/ check if a user’s computer is vulnerable and send the appropriate exploit. Adobe Flash Player,Java Runtime, Microsoft Silverlight, Web Browsers (IE) Retrieve/Download malware designed to infect a Windows computer (an .exe or .dll file). “execute arbitrary code” to infect vulnerability
Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) Compromised site has been injected pseudo-Darleech script pointing to Gate https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) No-IP.com Domain or legal website has been used as a gate to check O.S. and redirect to Angler Exploit Kit Landing Page https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) 1. Check for security tools or virtual machine 2. Dynamically construct shellcode 3. Vulnerable application https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/ 1. Shellcode upon exploitation of CVE-2014-6332 and Payload URL (Ransomware) and payload decryption key. 2. Load Malicious Flash Content
Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( Cryptowall) https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
Thug – Detect malicious web content • Thug is a client-side honeypot (honeyclient) that emulates a web browser. • http://buffer.github.io/thug/ • Mimic the behavior of a web browser • It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.
Thug core components Thug emulating browser interacts with malicious website, analyzes malicious JavaScripts, detect shellcode and then download malicious files.
PART 3: Integrated Multi- Honeypot Framework
The Problem • Deploying and managing honeypots is difficult and time-consuming – Installing honeypot packages and dependency libraries – Update new version – Managing honeypot sensors – Setting up data flow – Uniform data formats of different honeypots – Data storage – Analyzing collected data – Visualization Not Used as much as they could be in production
New Trend ! New Business ! Easy Deployment Multi-pots & Tools Centralized Management Visualization Integrated Multi-pots Framework MHN and T-pot
Modern Honey Network (MHN) • Open Source Honeypot Management Platform • https://github.com/threatstream/mhn • http://threatstream.github.io/mhn/ • Blog: https://blog.anomali.com/mhn-modern-honey-network • The goal of MHN is to simplify honeypot deployment and ultimately to make these tools a mainstream, inherent part of the security arsenal for companies in various industries.
Modern Honey Network (MHN) • Business Model is to provide an inexpensive public provider with MHM (SaaS), anyone can start experimenting with and learning from honeypots • Leverages some existing open source tools: – Hpfeeds – Nmemosyne – Honeymap – MongoDB – Dionaea – Conpot – Snort • Soon: Suricate, Kippo, others
Modern Honey Network (MHN) • Leverages some existing open source tools: – Hpfeeds – Nmemosyne – Honeymap – MongoDB – Dionaea – Conpot – Snort • Soon: Suricate, Kippo, others
MHN Architecture
• Honeypot Management: – MHN Automates management tasks – Easy to deploy new honeypots – Setting up data flows using hpfeeds – Store and index the resulting data – Correlate with IP Geo data – Real-time visualization Modern Honey Network (MHN)
Modern Honey Network (MHN)
T-Pot: A Multi-honeypot Platform • http://dtag-dev-sec.github.io/mediator/feature/2016/03/11/t- pot-16.03.html • T-pot is a multi-honeypot platform based on the well- established honeypots, IDS/IPS, ELK • Make this technology available to everyone who is interested and release it as a Community Edition • The data gathered by those honeypots is a core component for our Early Warning System and feeds the data for the Sicherheitstacho /Securitydashboard
T-Pot Architecture
T-pot components: • Elasticsearch / logstash / kibana (ELK) – structure and vizualize data in realtime. • Suricata – a Network IDS, IPS and Network Security Monitoring engine. • Honeytrap – a low-interaction honeypot daemon for observing attacks against network services. aims for catching the initial exploit • Kippo/Cowrie • Glastopf • Dionaea • Conpot • Elasticpot: Basic elasticsearch honeypot • eMobility: a high-interaction honeynet with the goal to collect intelligence about the motives and methods of adversaries targeting next-generation transport infrastructure.
http://securitydashboard.eu/
Conclusion • http://www.darkreading.com/vulnerabilities---threats/5-reasons-every- company-should-have-a-honeypot/d/d-id/1140595 1. Low false positives, high success 2. Able to confuse attackers 3. Only a time sink, if you allow it 4. Help train your security team 5. Many free options
TRY IT NOW ! Conclusion
Email : Julia.yc.cheng@gmail.com Slideshare: http://www.slideshare.net/YuChinCheng

Recommended

Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project IntroductionJulia Yu-Chin Cheng
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
Honeypots
HoneypotsHoneypots
HoneypotsRushikesh Kulkarni
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 

Recommended

Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project IntroductionJulia Yu-Chin Cheng
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
Honeypots
HoneypotsHoneypots
HoneypotsRushikesh Kulkarni
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
Honeypot
HoneypotHoneypot
HoneypotChandrak Trivedi
 
Honeypot a trap to hackers
Honeypot a trap to hackersHoneypot a trap to hackers
Honeypot a trap to hackersBhaskarasai Chitturi
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
Honeypots
HoneypotsHoneypots
HoneypotsSARANYA S
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation toolsBangladesh Network Operators Group
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its DefenceGreater Noida Institute Of Technology
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoringchrissanders88
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
Anonymizers
AnonymizersAnonymizers
AnonymizersGregory Hanis
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판Minseok(Jacky) Cha
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationSecurity Innovation
 
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)Jason Trost
 

More Related Content

What's hot

Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoringchrissanders88
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판Minseok(Jacky) Cha
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationSecurity Innovation
 

What's hot (20)

Honeypot
HoneypotHoneypot
Honeypot
 
Honeypot a trap to hackers
Honeypot a trap to hackersHoneypot a trap to hackers
Honeypot a trap to hackers
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cns
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Anonymizers
AnonymizersAnonymizers
Anonymizers
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트 발표판
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and Organization
 

Viewers also liked

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)Jason Trost
 
Honeypot honeynet
Honeypot honeynetHoneypot honeynet
Honeypot honeynetSina Manavi
 
Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...AFCEA International
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.Shantanu Kumar Das
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)Emil Tan
 
Андрей Аваданей - Как с помощью honeypot защитить критические активы компании
Андрей Аваданей - Как с помощью honeypot защитить критические активы компанииАндрей Аваданей - Как с помощью honeypot защитить критические активы компании
Андрей Аваданей - Как с помощью honeypot защитить критические активы компанииHackIT Ukraine
 
Honeynet architecture
Honeynet architectureHoneynet architecture
Honeynet architectureamar koppal
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!EnergySec
 
SANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceSANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceJason Trost
 
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Anomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceAnomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceJason Trost
 
Container con toronto
Container con torontoContainer con toronto
Container con torontoDan Lambright
 

Viewers also liked (20)

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)
 
Honeypot honeynet
Honeypot honeynetHoneypot honeynet
Honeypot honeynet
 
Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)
 
Андрей Аваданей - Как с помощью honeypot защитить критические активы компании
Андрей Аваданей - Как с помощью honeypot защитить критические активы компанииАндрей Аваданей - Как с помощью honeypot защитить критические активы компании
Андрей Аваданей - Как с помощью honeypot защитить критические активы компании
 
Honeynet architecture
Honeynet architectureHoneynet architecture
Honeynet architecture
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!
 
Honeypot
HoneypotHoneypot
Honeypot
 
SANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceSANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat Intelligence
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypot Basics
Honeypot BasicsHoneypot Basics
Honeypot Basics
 
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Anomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceAnomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat Intelligence
 
revisedhoneypot429
revisedhoneypot429revisedhoneypot429
revisedhoneypot429
 
WXRCTVYV
WXRCTVYVWXRCTVYV
WXRCTVYV
 
Container con toronto
Container con torontoContainer con toronto
Container con toronto
 

Similar to Honeycon2016-honeypot updates for public

Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptxmalikmuzammil2326
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxfarrahkur54
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...Eric Vanderburg
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web WorkshopDennis Maldonado
 

Similar to Honeycon2016-honeypot updates for public (20)

Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 

More from Julia Yu-Chin Cheng

2022年_程式教育迎向未來新視野v2.pptx
2022年_程式教育迎向未來新視野v2.pptx2022年_程式教育迎向未來新視野v2.pptx
2022年_程式教育迎向未來新視野v2.pptxJulia Yu-Chin Cheng
 
20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)
20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)
20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)Julia Yu-Chin Cheng
 
Clientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyClientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyJulia Yu-Chin Cheng
 
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- WiresharkJulia Yu-Chin Cheng
 
Malware Analysis - Basic and Concept
Malware Analysis - Basic and ConceptMalware Analysis - Basic and Concept
Malware Analysis - Basic and ConceptJulia Yu-Chin Cheng
 
Shellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptShellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptJulia Yu-Chin Cheng
 

More from Julia Yu-Chin Cheng (9)

2022年_程式教育迎向未來新視野v2.pptx
2022年_程式教育迎向未來新視野v2.pptx2022年_程式教育迎向未來新視野v2.pptx
2022年_程式教育迎向未來新視野v2.pptx
 
Honeywall roo 1
Honeywall roo 1Honeywall roo 1
Honeywall roo 1
 
Honeywall roo 2
Honeywall roo 2Honeywall roo 2
Honeywall roo 2
 
20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)
20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)
20100826-證交所-誘捕系統與殭屍網路(Botnet and honeypot)
 
Clientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyClientside attack using HoneyClient Technology
Clientside attack using HoneyClient Technology
 
Malware Analysis - Example
Malware Analysis - ExampleMalware Analysis - Example
Malware Analysis - Example
 
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark
 
Malware Analysis - Basic and Concept
Malware Analysis - Basic and ConceptMalware Analysis - Basic and Concept
Malware Analysis - Basic and Concept
 
Shellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptShellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and Concept
 

Recently uploaded

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 

Recently uploaded (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 

Honeycon2016-honeypot updates for public

  • 1. Updates and highlights from recent honeypot tools development The Honeynet project Julia Yu-Chin Cheng (Julia.yc.cheng@gmail.com)
  • 2. Outline • Part 1: Basic Concept • Part 2: Updates and highlights of often-used honeypots • Part 3: Integrated Multi-Honeypot Framework
  • 4. By Lance Spitzner 2002 What is Honeypot ?
  • 5. What is Honeypot ? (Cont.) ‘A honeypot is a resource which is expected to be attacked or compromised.‘ • Goals of Honeypot : – Learn HOW we are being attacked – Learn WHO is attacking us – Learn WHAT the attackers try to achieve – Learn HOW TO DEFEND
  • 6. Honeypot(s) can be very useful ! • If deployed in internal placement (behind your firewall): – Catch internal scanning hosts – Catch insider threats • If deployed in external placement – Early warning system via threat feeds – Attack trends – Information exchange Low-false positive rate
  • 7. Honeypot Components Design : Mimic Vulnerability Interaction Handler Capture/ Analysis Logging Mimic Vulnerability: Used as bait to deceive or detect hackers, malware or misbehaving users Interaction handler: Handler the interaction of honeypot and attack(er). Capture/Analysis: Designed to capture/Analyze attack data. Logging: Log attacking events.
  • 8. PART 2: Updates and highlights of often-used honeypots
  • 9. Catch up the latest tool developmentat https://honeynet.org/blog
  • 10. Often-used Tools and Honeypot Hpfeeds
  • 12. Dionaea – Malware Capture Honeypot • Server-side low interaction honeypot • Emulate remote exploitable bugs to trap malware exploiting and ultimately obtain a copy of the malware • Emulate vulnerabilities in Windows services such as SMB, HTTP, TFTP, FTP, mssql, mysql and sip • Libemu - Full shellcode emulation • Expandable through plugins and modules
  • 13. Dionaea – Malware Capture Honeypot How Dionaea traps malicious content: Worm/Virus Network Service Emulation: SMB, http, ftp, tftp, MSSQL, MySQL, SIP Dionaea 1. Connect and chat with the network service 2. Reply Exploiting Payloads Gathering (mimic vulnerability) 3. Sending exploiting payloads Exploiting Payloads Detection Using Libemu 4. Shellcode Detection using Libemu Logging and Submit 6. Logging into files/DB or submit 3- party Malware Download 5. Dionaea use tftp/http/ftp protocol to gather the remote malware
  • 14. LibEmu- Emulating the x86 shellcode • Step 1: Detect, measure and execute payloads (shellcode) sent by attackers • Step 2: Running the shellcode in the libemu vm Executing the shellcode to record API calls and arguments • Step 3: Take action to acquire a copy of the malware. – Shell Binding / Connect Back, Exec – Dionaea offers shell emulation for payload that offers a shell to the attacker (usually via port binding or connecting back to the attacker). – URLDownToFileAPI : Use URLDownloadToFileAPI call to retrieve files via HTTP and execute retrieved files afterwards.
  • 16. Kippo and Cowrie: SSH Honeypot • Kippo: – https://github.com/desaster/kippo – A medium-interaction SSH honeypot written in Python – Emulates an OpenSSH server and shell with virtual filesystem – Log brute force attacks and the entire attacking shell interaction • Cowrie: – http://www.micheloosterhof.com/cowrie/ – A full fake filesystem resembling a Debian 5.0 installation is included. Possibility of adding fake file contents – SFTP and SCP support for file upload – Support for SSH exec commands – Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
  • 20. An introduction to SCADA RTU/PLC RTU/PLC HMI (Web Interface) Data Historian SCADA Server Work Station ModBus TCP/IP– DNP3 protocols communicate between SCADA server and RTU/PLC Communication Router TemperatureOil Pressure Alarm Radioactivity Industrial Equipment A SCADA system works by operating with signals that communicate via channels to provide the user with remote controls of any equipment.
  • 21. • Five essential composing parts of a SCADA system: – Human Machine Interface (HMI): Each tag and sends it to a human operator – Supervisory system (SCADA Server): Gathers the data from each tag and sends commands or operations to the process. – Remote Terminal Units (RTUs): Connect sensors and convert their signals to digital data and send it to the supervisory system. – Programmable Logic Controllers (PLCs): Economical field devices – Communication infrastructures: Delivers connectivity to the supervisory system and then to the RTUs and PLCs for the user to command. An introduction to SCADA (Cont.)
  • 22. An example of SCADA Software http://controltechme.com/en/full-tek/scada-software
  • 24. SCADA Communication Protocol • RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network Modbus is typically used for SCADA-style network communication between devices implementations over serial, TCP/IP Standard port 502 TCP ModBus DNP3(Distributed Network Protocol) used for communications between master station and RTUs Port 20000 TCP/UDP DNP3
  • 25. Unsecure !? Modbus Profinet, s3/5/7 CIP, Ethernet/IP CC-Link No authentication, No encryption, No validation
  • 26. Conpot - ICS/SCADA Honeypot • http://conpot.org/ • Trap attackers who attack SCADA system. • Low-interactive server side Industrial Control Systems honeypot • Emulator: – Common industrial control protocols - complex infrastructures – Productive HMI’s or real hardware with the complete stacks of the protocol
  • 27.
  • 30. Glastopf – Web Application Honeypot • http://glastopf.org/ • Server-side low interaction honeypot • Glastopf operates like a normal web server but emulates often-exploited web application vulnerabilities – SQL Injection – Remote File Inclusion (RFI) – Local File Inclusion (LFI) • When attacker sends HTTP request, Glastopf attempts to respond the expectations to, for example, download malicious files, system information exposure.
  • 31. Glastopf – Web Application Honeypot http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1 http://www.example.com/product.php?id=10 AND 1=1 http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--
  • 32. Glastopf – Web Application Honeypot The Attacker Vulnerable Web Server (http://www.target.com) 1.Send HTTP Request: http://www.target.com/index.php? page=../../../../../var/log/auth.log LFI Attack
  • 33. Glastopf – Web Application Honeypot • Glastopf v3 Project Update: – Vulenrability Emulator concerns with what attacker expects to see when sending HTTP requests. – Dynamic dork list – Advanced SQL injection handler
  • 34. Bot execute file collected from Glastopf
  • 35. From Glastopf to Wordpot • Wordpot is a Wordpress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a wordpress installation. • http://brindi.si/g/projects/wordpot.html
  • 36. Thug
  • 38. Exploit Kit (EK) • Exploit kit (EK) – A server-based framework that uses exploits to take advantage of vulnerabilities in browser- related software applications to infect a client without the user’s knowledge Reference:http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit- fundamentals/ check if a user’s computer is vulnerable and send the appropriate exploit. Adobe Flash Player,Java Runtime, Microsoft Silverlight, Web Browsers (IE) Retrieve/Download malware designed to infect a Windows computer (an .exe or .dll file). “execute arbitrary code” to infect vulnerability
  • 39. Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
  • 40. Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) Compromised site has been injected pseudo-Darleech script pointing to Gate https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
  • 41. Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) No-IP.com Domain or legal website has been used as a gate to check O.S. and redirect to Angler Exploit Kit Landing Page https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
  • 42. Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) 1. Check for security tools or virtual machine 2. Dynamically construct shellcode 3. Vulnerable application https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
  • 43. Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( TeslaCrypt) https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/ 1. Shellcode upon exploitation of CVE-2014-6332 and Payload URL (Ransomware) and payload decryption key. 2. Load Malicious Flash Content
  • 44. Angler Exploit Kit + Ransomware Compromised Legitimate website Gate Landing Page Exploit Ransomware ( Cryptowall) https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
  • 45. Thug – Detect malicious web content • Thug is a client-side honeypot (honeyclient) that emulates a web browser. • http://buffer.github.io/thug/ • Mimic the behavior of a web browser • It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.
  • 46. Thug core components Thug emulating browser interacts with malicious website, analyzes malicious JavaScripts, detect shellcode and then download malicious files.
  • 48. The Problem • Deploying and managing honeypots is difficult and time-consuming – Installing honeypot packages and dependency libraries – Update new version – Managing honeypot sensors – Setting up data flow – Uniform data formats of different honeypots – Data storage – Analyzing collected data – Visualization Not Used as much as they could be in production
  • 49. New Trend ! New Business ! Easy Deployment Multi-pots & Tools Centralized Management Visualization Integrated Multi-pots Framework MHN and T-pot
  • 50. Modern Honey Network (MHN) • Open Source Honeypot Management Platform • https://github.com/threatstream/mhn • http://threatstream.github.io/mhn/ • Blog: https://blog.anomali.com/mhn-modern-honey-network • The goal of MHN is to simplify honeypot deployment and ultimately to make these tools a mainstream, inherent part of the security arsenal for companies in various industries.
  • 51. Modern Honey Network (MHN) • Business Model is to provide an inexpensive public provider with MHM (SaaS), anyone can start experimenting with and learning from honeypots • Leverages some existing open source tools: – Hpfeeds – Nmemosyne – Honeymap – MongoDB – Dionaea – Conpot – Snort • Soon: Suricate, Kippo, others
  • 52. Modern Honey Network (MHN) • Leverages some existing open source tools: – Hpfeeds – Nmemosyne – Honeymap – MongoDB – Dionaea – Conpot – Snort • Soon: Suricate, Kippo, others
  • 54. • Honeypot Management: – MHN Automates management tasks – Easy to deploy new honeypots – Setting up data flows using hpfeeds – Store and index the resulting data – Correlate with IP Geo data – Real-time visualization Modern Honey Network (MHN)
  • 56. T-Pot: A Multi-honeypot Platform • http://dtag-dev-sec.github.io/mediator/feature/2016/03/11/t- pot-16.03.html • T-pot is a multi-honeypot platform based on the well- established honeypots, IDS/IPS, ELK • Make this technology available to everyone who is interested and release it as a Community Edition • The data gathered by those honeypots is a core component for our Early Warning System and feeds the data for the Sicherheitstacho /Securitydashboard
  • 58. T-pot components: • Elasticsearch / logstash / kibana (ELK) – structure and vizualize data in realtime. • Suricata – a Network IDS, IPS and Network Security Monitoring engine. • Honeytrap – a low-interaction honeypot daemon for observing attacks against network services. aims for catching the initial exploit • Kippo/Cowrie • Glastopf • Dionaea • Conpot • Elasticpot: Basic elasticsearch honeypot • eMobility: a high-interaction honeynet with the goal to collect intelligence about the motives and methods of adversaries targeting next-generation transport infrastructure.
  • 59.
  • 61.
  • 62.
  • 63. Conclusion • http://www.darkreading.com/vulnerabilities---threats/5-reasons-every- company-should-have-a-honeypot/d/d-id/1140595 1. Low false positives, high success 2. Able to confuse attackers 3. Only a time sink, if you allow it 4. Help train your security team 5. Many free options
  • 64. TRY IT NOW ! Conclusion
  • 65. Email : Julia.yc.cheng@gmail.com Slideshare: http://www.slideshare.net/YuChinCheng