BSA2016 - Honeypots for Network Security Monitoring

At the BSides Augusta 2016 conference, I presented the economic challenges of defensive security and how honeypots can be used for cost-effective network security monitoring.


  1. Chris Sanders (@chrissanders88)
     - Find Evil @ FireEye
     - Founder @ Rural Tech Fund
     - PhD Researcher
     - GSE #64
     - BBQ Pit Master
     - Author: Practical Packet Analysis, Applied NSM
  2. Agenda
     - Security Economics
     - Traditional Honeypots
     - NSM Honeypots
     - Honeypot Applications
     "Why honeypots are a cost effective strategy for enhancing your network security monitoring strategy."
  3. Economics of Security
     "If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics." - Taufiq Rashid
     High demand for security expertise; low supply of security practitioners.
     [diagram labels: Expertise, Services, Software]
  4. Cost Effective NSM
     [chart: cost vs. effectiveness, plotting Analytics/ML, Antivirus, NGFW, SIEM, Endpoint, IDS/IPS and Honeypots]
     Where do most security solutions rank in terms of cost effectiveness?
  5. Seminal Work
     - Large orgs and defense
     - Many academic papers
     - The Honeynet Project
     - Honeyd software
  6. Traditional Honeypots
     - Designed to be attacked
     - Intentionally vulnerable
     - Primarily used for specific research
     - Originally useful for learning about attackers
     - Useful for tracking scanning and proliferation of worms
  7. Honeypot Architecture
     [diagram]
  8. Hold Your Horses!
     1. Honeypots take a lot of time to maintain.
     2. Honeypots introduce tremendous risk.
     3. Attackers can use honeypots as a foothold.
     4. Honeypots are only for the most mature
  9. NSM Honeypots
     Premise: nobody should ever talk to a honeypot.
     Attributes:
     1. Placed inside the network
     2. Mimic existing systems
     3. Low interaction
     4. Extensive logging and alerting
     5. Goal oriented
  10. Integrating NSM Honeypots
     [diagram: NSM Strategy, Honeypots]
  11. Integrating NSM Honeypots
     [diagram: Honeypots]
  12. Goal-Oriented Deception
     Mimic Reality -> Capture Interaction -> Generate an Alert
     Targets: Systems, Users, Data
  13. Protect the Systems (Mimic Reality -> Capture Interaction -> Generate an Alert)
     Protect: Windows systems using RDP
     1. Deploy an RDP honeypot [Tom's, OpenCanary]
     2. Capture any connection attempt
     3. Generate an alert to your SIEM/SOC
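The RDP decoy described in slides 9 and 13, written out as an added example that is not from the talk and is not the code of Tom's Honeypot or OpenCanary: a low-interaction listener that accepts any TCP connection, reads only the first packet, never negotiates, tags whether the bytes look like a genuine RDP X.224 Connection Request (so an analyst can tell a real client from a bare port scan), and emits one JSON alert per connection, printed here as a stand-in for syslog/SIEM forwarding. The port constant, alert field names and the sample client bytes are assumptions made for this example.

```python
"""Low-interaction RDP decoy: accept any connection, log it, alert, hang up."""
import json
import socket
import socketserver
import threading
from datetime import datetime, timezone
from typing import Optional

# Real RDP hosts listen on 3389, so a decoy mimicking them should too (binding it
# needs privileges; the stand-alone demo below uses an ephemeral loopback port).
RDP_PORT = 3389

# Constructed sample: TPKT header + X.224 Connection Request carrying an RDP
# negotiation request, i.e. the first bytes an mstsc-style client sends.
SAMPLE_X224_CR = bytes.fromhex("030000130ee000000000000100080003000000")


def looks_like_rdp(first_bytes: bytes) -> bool:
    """True if the data starts like RDP: TPKT (RFC 1006) version 3, reserved 0,
    16-bit length, then an X.224 TPDU whose code nibble is 0xE (Connection Request)."""
    if len(first_bytes) < 6 or first_bytes[0] != 0x03 or first_bytes[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(first_bytes[2:4], "big")
    return tpkt_len >= 6 and (first_bytes[5] & 0xF0) == 0xE0


def build_alert(src_ip: str, src_port: int, dst_port: int, first_bytes: bytes,
                when: Optional[datetime] = None) -> dict:
    """Every connection is an alert: nobody should ever talk to a honeypot."""
    when = when or datetime.now(timezone.utc)
    return {
        "event": "honeypot.rdp.connection",          # assumed alert schema
        "timestamp": when.isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "severity": "high",
        "protocol_match": looks_like_rdp(first_bytes),  # real client vs. bare scan/probe
        "first_bytes_hex": first_bytes[:32].hex(),
        "reason": "connection to RDP decoy; no legitimate client should reach this host",
    }


class RdpDecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)   # first packet only; never negotiate (low interaction)
        except socket.timeout:
            data = b""                        # connect-and-hang-up scans are still alerted
        src_ip, src_port = self.client_address[:2]
        alert = build_alert(src_ip, src_port, self.server.server_address[1], data)
        self.server.alerts.append(alert)
        print(json.dumps(alert))             # stand-in for syslog/SIEM forwarding


class RdpDecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, RdpDecoyHandler)
        self.alerts = []


def run_demo(host: str = "127.0.0.1", port: int = 0) -> dict:
    """Start the decoy on a loopback port, connect like an RDP client, return the alert raised."""
    server = RdpDecoyServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=2) as client:
            client.sendall(SAMPLE_X224_CR)
            client.recv(16)      # decoy answers with nothing and closes: returns b""
    finally:
        server.shutdown()
        server.server_close()
    return server.alerts[0]


if __name__ == "__main__":
    run_demo()
```

In production the decoy would bind 3389 on a host named and addressed like the real RDP estate, and the print call would be replaced by a syslog or HTTP push to the SIEM; the rest stays the same, because the value of the decoy is that any connection at all is a finding.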
  14. Protect the Data (Mimic Reality -> Capture Interaction -> Generate an Alert)
     Protect: HR data in spreadsheets
     1. Deploy a HoneyDoc
     2. Embed a web bug that phones home
     3. Configure OS file access monitoring
     4. Generate an alert when the doc phones home, or when the file is accessed.
  15. Protect the Users (Mimic Reality -> Capture Interaction -> Generate an Alert)
     Protect: service account credentials
     1. Create limited-access honeyusers [DCEPT]
     2. Detect cleartext credentials in memory
     3. Generate an alert to your SIEM/SOC
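The honeyuser detection of slide 15, as an added example that is not the talk's and not DCEPT's code: given Windows Security log events already parsed into dicts, raise an alert whenever a seeded honeyuser account shows up in a Kerberos or logon event. The account never logs on legitimately, so any use means the credential was lifted from memory, and the event's source address points at the endpoint where that happened. The account names, the sample events and the alert field names are constructed for this example.

```python
"""Detect use of seeded honeyuser credentials in Windows Security log events."""
from typing import Dict, Iterable, List

# Honeyuser accounts seeded into endpoint memory (assumed names, not from the talk).
HONEYUSERS = {"svc_backup_legacy", "adm_sqlmaint"}

# Security log event IDs that record an account being exercised:
# 4768 Kerberos TGT requested, 4771 Kerberos pre-auth failed, 4624 logon, 4625 failed logon.
CREDENTIAL_USE_EVENTS = {4768, 4771, 4624, 4625}

# Constructed sample events (field names follow the Security log's XML data names).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2016-09-10T14:02:11Z", "Computer": "DC01.corp.local",
     "TargetUserName": "jsmith", "IpAddress": "::ffff:10.0.12.50"},
    {"EventID": 4768, "TimeCreated": "2016-09-10T14:02:40Z", "Computer": "DC01.corp.local",
     "TargetUserName": "svc_backup_legacy", "IpAddress": "::ffff:10.0.12.34"},
    {"EventID": 4624, "TimeCreated": "2016-09-10T14:03:05Z", "Computer": "FS01.corp.local",
     "TargetUserName": "jsmith", "IpAddress": "10.0.12.50"},
    {"EventID": 4625, "TimeCreated": "2016-09-10T14:03:19Z", "Computer": "FS01.corp.local",
     "TargetUserName": "CORP\\adm_sqlmaint", "IpAddress": "10.0.12.34"},
    {"EventID": 4672, "TimeCreated": "2016-09-10T14:03:30Z", "Computer": "DC01.corp.local",
     "SubjectUserName": "svc_backup_legacy"},   # not a credential-use event: ignored
]


def normalize_account(name: str) -> str:
    """Strip domain decoration so CORP\\user, user@CORP.LOCAL and user compare equal."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def normalize_ip(value: str) -> str:
    """Kerberos events report IPv4 clients as ::ffff:a.b.c.d; logon events may bracket them."""
    value = value.strip().strip("[]")
    return value[len("::ffff:"):] if value.startswith("::ffff:") else value


def detect_honeyuser_use(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per event in which a honeyuser account was used."""
    honey = {normalize_account(h) for h in HONEYUSERS}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in CREDENTIAL_USE_EVENTS:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        if account not in honey:
            continue
        alerts.append({
            "event": "honeytoken.credential_used",     # assumed alert schema
            "severity": "high",
            "account": account,
            "event_id": ev["EventID"],
            "source_ip": normalize_ip(ev.get("IpAddress", "")),  # host the credential was used from
            "logged_on": ev.get("Computer"),
            "timestamp": ev.get("TimeCreated"),
            "reason": "honeyuser never logs on legitimately; source host likely had LSASS memory read",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_honeyuser_use(SAMPLE_EVENTS):
        print(alert)
```

Failed attempts (4625, 4771) are included on purpose: the attacker may mistype or the seeded credential may be deliberately invalid, and the attempt alone is the signal.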
  16. The Challenge
     - Analysts... start looking for implementation opportunities.
     - Managers... ensure this technique is part of your analysts' toolbelt.
     - Vendors... develop affordable honeypot-based solutions.
     - Open source contributors... innovation in this space.
  17. Recommended Honeypot Software
     Honeypots: OpenCanary, Tom's Honeypot, Cowrie (SSH), RDPY (RDP)
     Management: Ansible, Docker, Chef
     Alerting: Snort, Suricata, Bro, SIEM
  18. Other Honeypot Software
     Conpot, Dionaea, Ensnare, ESPot, Gaspot, Glastopf, Gridpot, Honeyd, Honeyntp, HoneyPotter, HoneyPress, Honeyprint, HoneyPy, Kippo, Nodepot, NoSQLpot, Shadow Daemon, TelnetHoney, Thug, Wordpot