BSA2016 - Honeypots for Network Security Monitoring

•Download as PPTX, PDF•

4 likes•3,371 views

At the BSides Augusta 2016 conference, I presented the economic challenges of defensive security and how honeypots can be used for cost effective network security monitoring.

Technology

Chris Sanders (@chrissanders88)
 Find Evil @ FireEye
 Founder @ Rural Tech
Fund
 PhD Researcher
 GSE # 64
 BBQ Pit Master
 Author:
 Practical Packet Analysis
 Applied NSM

Agenda
 Security Economics
 Traditional Honeypots
 NSM Honeypots
 Honeypot Applications
“Why honeypots are a cost effective strategy for
enhancing your network security monitoring
strategy.”

Economics of Security
“If you want to understand the world of nature,
master physics. If you want to understand the
world of man, master economics.” - Taufiq
Rashid
High
Demand for
Security
Expertise
Low Supply
of Security
Practitioners
Expertise
Services
Software

Cost Effective NSM
C
O
S
T
EFFECTIVENESS
Analytics/ML
Antivirus
NGFW
SIEM
Endpoint
IDS/IPS
Honeypot
s
Where do most security solutions rank in
terms of cost effectiveness?

Seminal Work
 Large Orgs and Defense
 Many Academic Papers
 The Honeynet Project
 Honeyd Software

Traditional Honeypots
 Designed to be
attacked
 Intentionally vulnerable
 Primarily used for
specific research
 Originally useful for
learning about
attackers
 Useful for tracking
scanning and
proliferation of worms

Hold Your Horses!
1. Honeypots take a
lot of time to
maintain.
2. Honeypots
introduce
tremendous risk.
3. Attackers can use
honeypots as a
foothold.
4. Honeypots are
only for the most
mature

NSM Honeypots
 Premise:
 Nobody should ever talk
to a honeypot
 Attributes:
1. Placed inside the
network
2. Mimic existing systems
3. Low interaction
4. Extensive logging and
alerting
5. Goal oriented

Integrating NSM Honeypots
NSM
Strateg
y
Honeypot
s

Goal-Oriented Deception
Mimic Reality
Capture
Interaction
Generate an
Alert
Systems
UsersData

Protect the Systems
Mimic Reality
Capture
Interaction
Generate an
Alert
Protect: Windows Systems using RDP
1. Deploy an RDP Honeypot [Tom’s,
OpenCanary]
2. Capture any connection attempt
3. Generate an alert to your SIEM/SOC

Protect the Data
Mimic Reality
Capture
Interaction
Generate an
Alert
Protect: HR data in spreadsheets
1. Deploy a HoneyDoc
2. Embed web bug that phones home
3. Configure OS file access monitoring
4. Generate an alerts when doc phones home,
or when file is accessed.

Protect the Users
Mimic Reality
Capture
Interaction
Generate an
Alert
Protect: Service account credentials
1. Create limited access honeyusers [DCEPT]
2. Detect cleartext credentials in memory
3. Generate an alert to your SIEM/SOC

The Challenge
 Analysts…
 ...start looking for implementation opportunities.
 Managers…
 ...ensure this technique is part of your analysts
toolbelt.
 Vendors…
 ...develop affordable honeypot-based solutions.
 Open Source Contributors…
 ...drive innovation in this space.

Recommended Honeypot
Software
Honeypots
OpenCanary
Tom’s Honeypot
Cowrie (SSH)
RDPY (RDP)
CanaryTokens.org
Management
Ansible
Docker
Chef
Alerting
Snort
Suricata
Bro
SIEM

Other Honeypot Software
Conpot
Dioneae
Ensnare
ESPot
Gaspot
Glastopf
Gridpot
Honeyd
Honeyntp
HoneyPotter
HoneyPress
Honeyprint
HoneyPy
Kippo
Nodepot
NoSQLpot
Shadow Daemon
TelnetHoney
Thug
Wordpot
https://github.com/paralax/awesome-honeypots

BSA2016 - Honeypots for Network Security Monitoring

What's hot

Honeypots (Ravindra Singh Rathore)Ravindra Singh Rathore

Honeypots for Active DefenseGreg Foss

Art into Science 2017 - Investigation Theory: A Cognitive Approachchrissanders88

Virtual honeypotElham Hormozi

All about Honeypots & HoneynetsMehdi Poustchi Amin

Honey potsDivya korrapati

Honey Potiradarji

Honeypot based intrusion detection system PPTparthan t

IDS+Honeypots Making Security SimpleGregory Hanis

HoneypotsRushikesh Kulkarni

HoneypotShashwat Shriparv

Honey potsAlok Singh

Honeypots.ppt1800363876Momita Sharma

HoneypotsSARANYA S

Lecture 7Education

Honey po tpptArya AR

Honeypot-A Brief OverviewSILPI ROSAN

HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar

HoneypotsPresentaionslive.blogspot.com

Threat HuntingSplunk

What's hot (20)

Honeypots (Ravindra Singh Rathore)

Honeypots for Active Defense

Art into Science 2017 - Investigation Theory: A Cognitive Approach

Virtual honeypot

All about Honeypots & Honeynets

Honey pots

Honey Pot

Honeypot based intrusion detection system PPT

IDS+Honeypots Making Security Simple

Honeypots

Honeypot

Honey pots

Honeypots.ppt1800363876

Honeypots

Lecture 7

Honey po tppt

Honeypot-A Brief Overview

HONEYPOTS: Definition, working, advantages, disadvantages

Honeypots

Threat Hunting

Viewers also liked

Using Canary Honeypots for Network Security Monitoringchrissanders88

HoneypotsJayant Gandhi

Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng

Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88

honey pots introduction and its typesVishal Tandel

SOC2016 - The Investigation Labyrinthchrissanders88

Honeypot ppt1samrat saurabh

Minding the Metacognitive Gap - BSides NOLAchrissanders88

Applied Detection and Analysis with Flow Data - SO Con 2014chrissanders88

CISSA Lightning Talk - Building a Malware Analysis Lab on a Budgetchrissanders88

Choice and Moral Design in Interactive StorytellingNelson Zagalo

[CLASS 2014] Palestra Técnica - Regis CarvalhoTI Safe

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost

Modern Honey Network (MHN)Jason Trost

HoneypotsBilal ZIANE

Honeypot 101 (slide share)Emil Tan

Honeypot Presentation - Using Honeydicanhasfay

Honeypot BasicsManoj kumawat

Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost

Viewers also liked (19)

Using Canary Honeypots for Network Security Monitoring

Honeypots

Honeycon2016-honeypot updates for public

Applied Detection and Analysis Using Flow Data - MIRCon 2014

honey pots introduction and its types

SOC2016 - The Investigation Labyrinth

Honeypot ppt1

Minding the Metacognitive Gap - BSides NOLA

Applied Detection and Analysis with Flow Data - SO Con 2014

CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget

Choice and Moral Design in Interactive Storytelling

[CLASS 2014] Palestra Técnica - Regis Carvalho

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...

Modern Honey Network (MHN)

Honeypots

Honeypot 101 (slide share)

Honeypot Presentation - Using Honeyd

Honeypot Basics

Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...

Similar to BSA2016 - Honeypots for Network Security Monitoring

Honeypots for Cloud Providers - SDN World CongressVallie Joseph

Honeypot- An OverviewIRJET Journal

Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...BAINIDA

honeypots.pptDetSersi

Honeypot: A Security Tool in Intrusion DetectionINFOGAIN PUBLICATION

Automating Event Driven Security in the AWS CloudAmazon Web Services

3 Tips to Stay Safe Online in 2017Bret Piatt

Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP

SECURITY TOOLS AND PRACTICES THAT ARE MINIMISING THE SURGE IN SUPPLY CHAIN AT...VOROR

Peter Allor - The New Era of Cognitive Securityscoopnewsgroup

SACON - Threat Hunting Workshop (Shomiron Das Gupta)Priyanka Aash

Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksAngeloluca Barba

Short Term Effects Of Cocaine EssayMelissa Luster

HoneypotsSARANYA S

PaloAlto Enterprise Security SolutionPrime Infoserv

Cyber Threat Hunting Workshop.pdfssuser4237d4

Advanced Threat Protection - Sandboxing 101Blue Coat

Cyber Defense - How to be prepared to APTSimone Onofri

Similar to BSA2016 - Honeypots for Network Security Monitoring (20)

Honeypots for Cloud Providers - SDN World Congress

Honeypot- An Overview

Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...

honeypots.ppt

Honeypot: A Security Tool in Intrusion Detection

Automating Event Driven Security in the AWS Cloud

3 Tips to Stay Safe Online in 2017

Security Analytics for Data Discovery - Closing the SIEM Gap

SECURITY TOOLS AND PRACTICES THAT ARE MINIMISING THE SURGE IN SUPPLY CHAIN AT...

Peter Allor - The New Era of Cognitive Security

SACON - Threat Hunting Workshop (Shomiron Das Gupta)

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Short Term Effects Of Cocaine Essay

Honeypots

PaloAlto Enterprise Security Solution

Cyber Threat Hunting Workshop.pdf

Advanced Threat Protection - Sandboxing 101

Cyber Defense - How to be prepared to APT

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech

Real Time Object Detection Using Open CVKhem

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun

AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

Developing An App To Navigate The Roads of BrazilV3cube

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer

HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer

What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco

Finology Group – Insurtech Innovation Award 2024The Digital Insurer

Partners Life - Insurer Innovation Award 2024The Digital Insurer

TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc

Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1

GenCyber Cyber Security Day PresentationMichael W. Hawkins

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Advantages of Hiring UIUX Design Service Providers for Your Business

Real Time Object Detection Using Open CV

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Powerful Google developer tools for immediate impact! (2023-24 C)

AWS Community Day CPH - Three problems of Terraform

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Developing An App To Navigate The Roads of Brazil

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

HTML Injection Attacks: Impact and Mitigation Strategies

Data Cloud, More than a CDP by Matt Robison

2024: Domino Containers - The Next Step. News from the Domino Container commu...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Tata AIG General Insurance Company - Insurer Innovation Award 2024

What Are The Drone Anti-jamming Systems Technology?

Finology Group – Insurtech Innovation Award 2024

Partners Life - Insurer Innovation Award 2024

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Boost Fertility New Invention Ups Success Rates.pdf

GenCyber Cyber Security Day Presentation

BSA2016 - Honeypots for Network Security Monitoring

2. Chris Sanders (@chrissanders88)  Find Evil @ FireEye  Founder @ Rural Tech Fund  PhD Researcher  GSE # 64  BBQ Pit Master  Author:  Practical Packet Analysis  Applied NSM

3. Agenda  Security Economics  Traditional Honeypots  NSM Honeypots  Honeypot Applications “Why honeypots are a cost effective strategy for enhancing your network security monitoring strategy.”

5. Economics of Security “If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics.” - Taufiq Rashid High Demand for Security Expertise Low Supply of Security Practitioners Expertise Services Software

7. Cost Effective NSM C O S T EFFECTIVENESS Analytics/ML Antivirus NGFW SIEM Endpoint IDS/IPS Honeypot s Where do most security solutions rank in terms of cost effectiveness?

9. Seminal Work  Large Orgs and Defense  Many Academic Papers  The Honeynet Project  Honeyd Software

10. Traditional Honeypots  Designed to be attacked  Intentionally vulnerable  Primarily used for specific research  Originally useful for learning about attackers  Useful for tracking scanning and proliferation of worms

11. Honeypot Architecture

12. Hold Your Horses! 1. Honeypots take a lot of time to maintain. 2. Honeypots introduce tremendous risk. 3. Attackers can use honeypots as a foothold. 4. Honeypots are only for the most mature

13.

14. NSM Honeypots  Premise:  Nobody should ever talk to a honeypot  Attributes: 1. Placed inside the network 2. Mimic existing systems 3. Low interaction 4. Extensive logging and alerting 5. Goal oriented

15.

16.

17. Integrating NSM Honeypots NSM Strateg y Honeypot s

18. Integrating NSM Honeypots Honeypots

19.

20. Goal-Oriented Deception Mimic Reality Capture Interaction Generate an Alert Systems UsersData

21. Protect the Systems Mimic Reality Capture Interaction Generate an Alert Protect: Windows Systems using RDP 1. Deploy an RDP Honeypot [Tom’s, OpenCanary] 2. Capture any connection attempt 3. Generate an alert to your SIEM/SOC

22. Protect the Data Mimic Reality Capture Interaction Generate an Alert Protect: HR data in spreadsheets 1. Deploy a HoneyDoc 2. Embed web bug that phones home 3. Configure OS file access monitoring 4. Generate an alerts when doc phones home, or when file is accessed.

23. Protect the Users Mimic Reality Capture Interaction Generate an Alert Protect: Service account credentials 1. Create limited access honeyusers [DCEPT] 2. Detect cleartext credentials in memory 3. Generate an alert to your SIEM/SOC

24.

25.

26. The Challenge  Analysts…  ...start looking for implementation opportunities.  Managers…  ...ensure this technique is part of your analysts toolbelt.  Vendors…  ...develop affordable honeypot-based solutions.  Open Source Contributors…  ...drive innovation in this space.

27. Recommended Honeypot Software Honeypots OpenCanary Tom’s Honeypot Cowrie (SSH) RDPY (RDP) CanaryTokens.org Management Ansible Docker Chef Alerting Snort Suricata Bro SIEM

28. Other Honeypot Software Conpot Dioneae Ensnare ESPot Gaspot Glastopf Gridpot Honeyd Honeyntp HoneyPotter HoneyPress Honeyprint HoneyPy Kippo Nodepot NoSQLpot Shadow Daemon TelnetHoney Thug Wordpot https://github.com/paralax/awesome-honeypots

Editor's Notes

Security is only affordable for: Military/Gov Financial Post-Breach Orgs Economics of security are heavily tilted towards the attacker. As long as this remains, we continue to lose and lose ground.
This is why most new tech fails. We’ve had electric cars forever, they are just too expensive to operate, maintain, and charge. We can go to space, but not affordably, yet.
TIME CHECK – 15 MINUTES
TIME CHECK – 20 MINUTES
If you get an alert from a honeypot, it’s worth investigating. If someone hits your sign, the honeypot, they might hit your bridge, the sensitive system.
A great NSM strategy is like a great cheeseburger.
TIME CHECK – 30 MINUTES
Kippo, Tom’s Honeypot, Thinkst
Canary docs, canary DB tables, hash changes
Honey Accounts, Honey SIDs, social media profiles
TIME CHECK – 45 MIN

BSA2016 - Honeypots for Network Security Monitoring

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to BSA2016 - Honeypots for Network Security Monitoring

Similar to BSA2016 - Honeypots for Network Security Monitoring (20)

Recently uploaded

Recently uploaded (20)

BSA2016 - Honeypots for Network Security Monitoring

Editor's Notes