
BSA2016 - Honeypots for Network Security Monitoring

3,147 views

At the BSides Augusta 2016 conference, I presented the economic challenges of defensive security and how honeypots can be used for cost effective network security monitoring.

Published in: Technology
  • hey, could you please explain the 11th slide to me, i.e. Honeypot architecture, with a clear description. Thank you.


  1. Chris Sanders (@chrissanders88)
     - Find Evil @ FireEye
     - Founder @ Rural Tech Fund
     - PhD Researcher
     - GSE #64
     - BBQ Pit Master
     - Author: Practical Packet Analysis, Applied NSM
  2. Agenda
     - Security Economics
     - Traditional Honeypots
     - NSM Honeypots
     - Honeypot Applications
     "Why honeypots are a cost effective strategy for enhancing your network security monitoring strategy."
  3. Economics of Security
     "If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics." - Taufiq Rashid
     - High Demand for Security Expertise
     - Low Supply of Security Practitioners
     (diagram labels: Expertise, Services, Software)
  4. Cost Effective NSM
     (chart: Cost on one axis, Effectiveness on the other; solutions plotted: Analytics/ML, Antivirus, NGFW, SIEM, Endpoint, IDS/IPS, Honeypots)
     Where do most security solutions rank in terms of cost effectiveness?
  5. Seminal Work
     - Large Orgs and Defense
     - Many Academic Papers
     - The Honeynet Project
     - Honeyd Software
  6. Traditional Honeypots
     - Designed to be attacked
     - Intentionally vulnerable
     - Primarily used for specific research
     - Originally useful for learning about attackers
     - Useful for tracking scanning and proliferation of worms
  7. Honeypot Architecture
     (diagram only)
  8. Hold Your Horses!
     1. Honeypots take a lot of time to maintain.
     2. Honeypots introduce tremendous risk.
     3. Attackers can use honeypots as a foothold.
     4. Honeypots are only for the most mature
  9. NSM Honeypots
     - Premise: Nobody should ever talk to a honeypot
     - Attributes:
       1. Placed inside the network
       2. Mimic existing systems
       3. Low interaction
       4. Extensive logging and alerting
       5. Goal oriented
  10. Integrating NSM Honeypots
      (diagram: NSM Strategy, Honeypots)
  11. Integrating NSM Honeypots
      (diagram: Honeypots)
  12. Goal-Oriented Deception
      Mimic Reality -> Capture Interaction -> Generate an Alert
      Applied to: Systems, Users, Data
  13. Protect the Systems (Mimic Reality -> Capture Interaction -> Generate an Alert)
      Protect: Windows systems using RDP
      1. Deploy an RDP honeypot [Tom's, OpenCanary]
      2. Capture any connection attempt
      3. Generate an alert to your SIEM/SOC
  14. Protect the Data (Mimic Reality -> Capture Interaction -> Generate an Alert)
      Protect: HR data in spreadsheets
      1. Deploy a HoneyDoc
      2. Embed a web bug that phones home
      3. Configure OS file access monitoring
      4. Generate an alert when the doc phones home, or when the file is accessed.
  15. Protect the Users (Mimic Reality -> Capture Interaction -> Generate an Alert)
      Protect: Service account credentials
      1. Create limited access honeyusers [DCEPT]
      2. Detect cleartext credentials in memory
      3. Generate an alert to your SIEM/SOC
  16. The Challenge
      - Analysts... start looking for implementation opportunities.
      - Managers... ensure this technique is part of your analysts' toolbelt.
      - Vendors... develop affordable honeypot-based solutions.
      - Open Source Contributors... drive innovation in this space.
  17. Recommended Honeypot Software
      - Honeypots: OpenCanary, Tom's Honeypot, Cowrie (SSH), RDPY (RDP), CanaryTokens.org
      - Management: Ansible, Docker, Chef
      - Alerting: Snort, Suricata, Bro, SIEM
  18. Other Honeypot Software
      Conpot, Dionaea, Ensnare, ESPot, Gaspot, Glastopf, Gridpot, Honeyd, Honeyntp, HoneyPotter, HoneyPress, Honeyprint, HoneyPy, Kippo, Nodepot, NoSQLpot, Shadow Daemon, TelnetHoney, Thug, Wordpot
      https://github.com/paralax/awesome-honeypots
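The "Protect the Systems" pattern of slide 13 (mimic reality, capture interaction, generate an alert) as a runnable sketch. This is an added example, not code from the talk and not OpenCanary or Tom's Honeypot; the honeypot host name, the loopback binding and the simulated clients are constructed for the demo. A deployment would bind 3389 on a host named like the Windows systems it mimics; the demo binds an ephemeral loopback port. It records every connection attempt, tells a bare port probe apart from the first message a real RDP client sends (a TPKT-framed X.224 Connection Request), and emits one JSON alert per attempt, because nobody legitimate should ever talk to it.

```python
"""Low-interaction RDP honeypot with SIEM-style alerting (added example)."""
import json
import socket
import threading
import time
from datetime import datetime, timezone

RDP_PORT = 3389            # what a deployment binds; the demo binds an ephemeral port
HONEYPOT_NAME = "hr-fs02"  # constructed: name it like the Windows systems it mimics

# Constructed first message of a genuine RDP client: TPKT header (03 00, len 0x13),
# X.224 Connection Request (0xE0), then an RDP_NEG_REQ asking for TLS/CredSSP.
RDP_CONNECTION_REQUEST = bytes.fromhex("030000130ee000000000000100080003000000")

def classify(first_bytes: bytes) -> str:
    """Label what the peer sent, so an analyst can tell a scan from a real client."""
    if not first_bytes:
        return "connect_only"            # port probe or banner grab, nothing sent
    if len(first_bytes) >= 6 and first_bytes[:2] == b"\x03\x00" and first_bytes[5] == 0xE0:
        return "rdp_connection_request"  # TPKT v3 carrying an X.224 CR
    return "unknown_payload"

def build_alert(peer, first_bytes: bytes, dst_port: int = RDP_PORT) -> dict:
    """One alert per interaction, shaped to drop straight into a SIEM."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "alert": "honeypot_interaction",
        "honeypot": HONEYPOT_NAME,
        "service": "rdp",
        "dst_port": dst_port,
        "src_ip": peer[0],
        "src_port": peer[1],
        "interaction": classify(first_bytes),
        "first_bytes_hex": first_bytes[:32].hex(),
        "severity": "high",              # nobody should ever talk to a honeypot
    }

class RdpHoneypot:
    """Accepts connections, reads at most one packet, never speaks the protocol."""
    def __init__(self, host="127.0.0.1", port=0, sink=print):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)        # lets the serve loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.sink = sink                 # alert destination (a syslog/SIEM forwarder in practice)
        self.alerts = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)     # low interaction: one short read, then close
                try:
                    data = conn.recv(1024)
                except OSError:          # covers read timeout and peer reset
                    data = b""
            alert = build_alert(peer, data, self.port)
            self.alerts.append(alert)
            self.sink(json.dumps(alert))

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

def simulate_client(port: int, payload: bytes) -> None:
    # Constructed local client, used only to exercise the honeypot in the demo.
    with socket.create_connection(("127.0.0.1", port)) as c:
        if payload:
            c.sendall(payload)

def run_demo() -> list:
    """Hit a fresh honeypot with a bare probe and a client-like request;
    return the sorted interaction labels that were alerted on."""
    hp = RdpHoneypot()
    try:
        simulate_client(hp.port, b"")
        simulate_client(hp.port, RDP_CONNECTION_REQUEST)
        deadline = time.time() + 5
        while len(hp.alerts) < 2 and time.time() < deadline:
            time.sleep(0.05)
    finally:
        hp.stop()
    return sorted(a["interaction"] for a in hp.alerts)

if __name__ == "__main__":
    print(run_demo())
```

The honeypot never answers with a real RDP negotiation, which is the "low interaction" attribute from slide 9: there is nothing for an intruder to gain a foothold on, yet a scanner still sees an open 3389 and any connection produces a high-severity alert carrying the source address and the first bytes sent.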

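The alerting step of slides 14 and 15 (HoneyDoc access or phone-home, honeyuser authentication) as detection logic run over sample events. This is an added example, not code from the talk, DCEPT or CanaryTokens; the event schema, account and file names, canary token id, allowlist and every log line below are constructed. In practice the same rules would run in the SIEM over Windows Security events (logon events 4624/4625, Kerberos 4768/4771, object access 4663 with SACL auditing on the HoneyDoc) and over the access log of the web server the HoneyDoc's web bug calls home to.

```python
"""Honeytoken detection for the HoneyDoc and honeyuser patterns (added example)."""
import json
import posixpath

# Planted deception assets (all values constructed for the demo).
HONEYUSERS = {"svc_sqlbackup"}                     # honeyuser credentials seeded in memory
HONEYDOCS = {r"\\hr-fs01\hr\salaries_2016.xlsx"}   # HoneyDoc under OS file-access auditing
CANARY_TOKENS = {"4f9c2a1e"}                       # id embedded in the HoneyDoc's web-bug URL
FILE_ACCESS_ALLOWLIST = {"backupsvc.exe"}          # the backup agent legitimately reads every file

# Windows Security event IDs: logon ok, logon failed, TGT requested, Kerberos pre-auth failed.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771}
FILE_ACCESS_EVENT_ID = 4663                        # object access attempt

# Constructed, normalised JSON event lines standing in for a SIEM feed.
SAMPLE_EVENTS = r"""
{"source":"windows_security","event_id":4624,"user":"jsmith","host":"WS042","src_ip":"10.1.5.23"}
{"source":"windows_security","event_id":4625,"user":"svc_sqlbackup","host":"DC01","src_ip":"10.1.5.23"}
{"source":"windows_security","event_id":4768,"user":"SVC_SQLBACKUP","host":"DC01","src_ip":"10.1.5.23"}
{"source":"windows_security","event_id":4663,"user":"SYSTEM","host":"HR-FS01","object":"\\\\hr-fs01\\hr\\salaries_2016.xlsx","process":"backupsvc.exe"}
{"source":"windows_security","event_id":4663,"user":"jsmith","host":"HR-FS01","object":"\\\\HR-FS01\\hr\\Salaries_2016.xlsx","process":"explorer.exe"}
{"source":"web","method":"GET","path":"/img/4f9c2a1e.png","src_ip":"203.0.113.7","user_agent":"Microsoft Office/16.0"}
{"source":"web","method":"GET","path":"/index.html","src_ip":"198.51.100.9","user_agent":"Mozilla/5.0"}
not json at all
"""

def _alert(rule: str, event: dict, detail: str) -> dict:
    return {"rule": rule, "severity": "high", "detail": detail,
            "src_ip": event.get("src_ip"), "host": event.get("host"),
            "user": event.get("user"), "raw": event}

def evaluate(event: dict):
    """Return an alert dict if the event touches a deception asset, else None."""
    source = event.get("source")
    if source == "windows_security":
        eid = event.get("event_id")
        user = str(event.get("user", "")).lower()
        if eid in AUTH_EVENT_IDS and user in HONEYUSERS:
            return _alert("honeyuser_authentication", event,
                          f"event {eid} for honeyuser {user}: these credentials are never used legitimately")
        if eid == FILE_ACCESS_EVENT_ID:
            obj = str(event.get("object", "")).lower()
            proc = str(event.get("process", "")).lower()
            if obj in HONEYDOCS and proc not in FILE_ACCESS_ALLOWLIST:
                return _alert("honeydoc_file_access", event, f"{user} accessed HoneyDoc via {proc}")
    elif source == "web":
        # The web bug is a URL whose file name is the token; strip directory and extension.
        token = posixpath.splitext(posixpath.basename(event.get("path", "")))[0]
        if token in CANARY_TOKENS:
            return _alert("honeydoc_phone_home", event,
                          f"HoneyDoc beacon {token} opened from {event.get('src_ip')} ({event.get('user_agent')})")
    return None

def run_detection(lines) -> list:
    """Parse JSON event lines, skip blank or malformed ones, return alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                     # a broken log line must not stop the pipeline
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS.splitlines()):
        print(json.dumps({k: v for k, v in a.items() if k != "raw"}))
```

Two details matter in practice: the honeyuser match is case-insensitive because Windows records the account name as typed, and the 4663 rule carries an allowlist for the process that legitimately touches every file (backup, indexing, AV), otherwise the HoneyDoc fires on every nightly job and the alert gets tuned out.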