In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
Using Canary Honeypots for Network Security Monitoring
1. Deceive to Detect: Using Canary Honeypots for Network Security Monitoring
Chris Sanders
Charleston ISSA
November 2014
2. Chris Sanders
• Christian & Husband
• Kentuckian and South Carolinian
• MS, GSE, et al.
• Non-Profit Director
• BBQ Pit Master
3. Chris Sanders
“[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.”
“[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.”
– Amazon Reviewers
4. Outline
Objectives:
Traditional Honeypots
Canary Honeypot Architecture
Honeypot Platforms
• Honeyd
• Kippo
• Tom’s Honeypot
• Honeydocs
“How can I use honeypots as an effective part of my detection strategy?”
5. ***Disclaimer***
• Tactics in this presentation may be controversial, depending on your viewpoint.
• Only orgs with mature security programs should attempt the use of canary honeypots.
• Any time you invite an attacker to dance, you might get your feet stepped on.
6. Traditional Honeypot Design
• Intentionally Vulnerable System
• Designed to Mimic Real Services
• Easily Compromised
8. Traditional Honeypot Uses
• Specific Research Purposes
• Tracking Unstructured Threats
– Commodity Malware
– Opportunistic Attackers
• Vaguely Useful for Building Basic Threat Intel
No Current Significant Production Value
10. US Information Ops Doctrine
• US DoD JP 3-13 IO Capabilities*
– Detect
– Deny
– Disrupt
– Degrade
– Destroy
– Deceive
* More commonly applied as the Cyber Kill Chain
16. Enter Canary Honeypots
• Deceive to Detect
• Honeypots for Detection
1. Placed Inside the Network
2. Mimic Existing Systems
3. Detailed Alerting & Logging
Nobody Should Ever Talk to a Honeypot
17. Making the Case
• How do you detect a malicious user logging in to a Windows system?
– Multiple Failed Logins
– Weird External IP Address
– IP Heuristics and Trending
• What if the malicious user logs in from another compromised system using legitimate credentials?
20. High vs. Low Interaction
• High Interaction...
– Real Operating System
– Real Services
– Locked Down
– Detailed Logging
• Low Interaction...
– Software-Based
– Mimics Real Services
– Fake Environments
– Limited Logging
* Some honeypots call themselves “medium” interaction, but these are still basically low interaction.
21. Exploitable vs. Non-Exploitable
• Exploitable...
– Mimic Services
– Contain Vulnerabilities
– Designed to be Compromised
– Compromises are Monitored
• Non-Exploitable...
– Mimic Services
– No Vulnerabilities
– Any Interaction is Monitored
22. Canary Honeypot Architecture
1. Identify the Devices or Services to be Mimicked
2. Determine Honeypot Placement
3. Develop Alerting and Logging Capabilities
23. Identify Devices/Services to Mimic
• All About Risk - What is your biggest fear?
• How would attackers exploit that?
• Mimic critical services and components.
– Confidentiality – File Server (SSH?)
– Integrity – Database Server (SQL?)
– Availability – Web Server (HTTP?)
24. Determine Honeypot Placement
• Close to the Asset Being Mimicked
• Ability to Transmit Logs
• Limit Communication of High Interaction Honeypots (***IMPORTANT***)
28. Honeyd
• The father of honeypots
• Developed by Niels Provos 10+ years ago
• Low Interaction
• Can mimic operating systems and services
• Capable of spinning up thousands of honeypot instances
29. Honeyd Config
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create ansm_winserver_1
set ansm_winserver_1 personality "Microsoft Windows Server 2003 Standard Edition"
30. Honeyd Config (cont.)
add ansm_winserver_1 tcp port 135 open
add ansm_winserver_1 tcp port 139 open
add ansm_winserver_1 tcp port 445 open
set ansm_winserver_1 ethernet "d3:ad:b3:3f:11:11"
bind 172.16.16.202 ansm_winserver_1
33. Honeyd Alerting
alert ip !$TRUSTED_MS_HOSTS any -> $MS_HONEYPOT_SERVERS [135,139,445] (msg:"Attempted Communication with Windows Honeypot on MS Ports"; sid:5000000; rev:1;)
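The Snort rule above expresses the canary principle at the packet level. The same logic can be applied to Honeyd's own connection log, which is useful where no IDS sensor sees the honeypot segment. The following is an added example, not code from the slides or from Honeyd: it treats any connection to the honeypot address from a host outside a small trusted list as an alert, rolls the hits up per source, and flags the Microsoft ports from the config above as high severity. The honeypot address and ports come from the deck's Honeyd config; the trusted-host list and the log lines are constructed for the example, following Honeyd's connection-log layout.

```python
"""Canary alerting over Honeyd connection logs.

Added example; it is not code from the slides or from Honeyd. It applies
the deck's rule that nobody should ever talk to a honeypot: any connection
to a honeypot address that does not come from an explicitly trusted host
is an alert, and hits on the monitored Microsoft ports are flagged high.
"""
import ipaddress
from collections import defaultdict

# From the deck's Honeyd config: bind 172.16.16.202 ansm_winserver_1
HONEYPOT_HOSTS = {"172.16.16.202"}
MONITORED_TCP_PORTS = {135, 139, 445}

# Assumed: the only hosts allowed to touch the honeypot (e.g. a vulnerability
# scanner or a monitoring sensor). Everything else is unexpected by design.
TRUSTED_MS_HOSTS = [ipaddress.ip_network("172.16.16.10/32")]

# Constructed sample lines in Honeyd's log layout:
#   <timestamp> <proto>(<num>) <S|E|-> <src_ip> <src_port> <dst_ip> <dst_port> [<fingerprint>]
# "S" marks the start of a connection, "E" its end (followed by byte counts).
SAMPLE_LOG = """\
2014-11-05-09:12:01.0411 tcp(6) S 172.16.16.10 51002 172.16.16.202 445 [Linux 2.6]
2014-11-05-09:12:03.2203 tcp(6) S 172.16.16.57 49321 172.16.16.202 445 [Windows 7 SP1]
2014-11-05-09:12:03.2291 tcp(6) S 172.16.16.57 49322 172.16.16.202 135 [Windows 7 SP1]
2014-11-05-09:12:05.8810 tcp(6) E 172.16.16.57 49321 172.16.16.202 445: 120 64
2014-11-05-09:12:07.1100 udp(17) S 172.16.16.57 49400 172.16.16.202 137
2014-11-05-09:12:09.5000 tcp(6) S 172.16.16.57 49323 172.16.16.202 445 [Windows 7 SP1]
"""


def parse_line(line):
    """Parse one Honeyd log line into a dict, or return None if it is not one."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        return {
            "ts": fields[0],
            "proto": fields[1].split("(")[0],          # "tcp(6)" -> "tcp"
            "state": fields[2],                         # S, E or -
            "src_ip": str(ipaddress.ip_address(fields[3])),
            "src_port": int(fields[4]),
            "dst_ip": str(ipaddress.ip_address(fields[5])),
            "dst_port": int(fields[6].rstrip(":")),     # "445:" on E lines
        }
    except ValueError:
        return None


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MS_HOSTS)


def detect(log_text):
    """Return one alert per untrusted source that opened connections to a honeypot."""
    by_src = defaultdict(lambda: {"connections": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["state"] != "S":
            continue  # only count connection starts, once each
        if ev["dst_ip"] not in HONEYPOT_HOSTS or is_trusted(ev["src_ip"]):
            continue
        rec = by_src[ev["src_ip"]]
        rec["connections"] += 1
        rec["ports"].add((ev["proto"], ev["dst_port"]))
        rec["first"] = rec["first"] or ev["ts"]
        rec["last"] = ev["ts"]

    alerts = []
    for src, rec in sorted(by_src.items()):
        ms_hit = any(proto == "tcp" and port in MONITORED_TCP_PORTS for proto, port in rec["ports"])
        alerts.append({
            "src_ip": src,
            "severity": "high" if ms_hit else "medium",
            "msg": ("Attempted Communication with Windows Honeypot on MS Ports" if ms_hit
                    else "Unexpected interaction with Windows honeypot"),
            "connections": rec["connections"],
            "ports": sorted(rec["ports"]),
            "first_seen": rec["first"],
            "last_seen": rec["last"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["severity"].upper()} {a["src_ip"]} {a["msg"]}: {a["connections"]} '
              f'connections to {a["ports"]} between {a["first_seen"]} and {a["last_seen"]}')
```

Rolling the hits up per source rather than alerting per packet keeps a single port sweep from producing dozens of tickets, and because the honeypot has no legitimate users the trusted list stays tiny and auditable.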
34. Extended Service Emulation
• Emulate an IIS Web Server
add ansm_winserver_1 tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"
35. Kippo SSH Honeypot
• Low Interaction SSH Honeypot
• Provides a Fake File System
• Detailed Logging and Replay
• Written in Python
37. Kippo Alerting
alert tcp $HONEYPOT_SERVERS $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port - Honeypot System"; flow:from_server,established; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8;)
alert tcp any any <> $HONEYPOT_SERVERS $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port - Honeypot System"; threshold:type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001978; classtype:misc-activity; sid:2001978; rev:7;)
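The two rules above are dense, so here is an added example (not code from the slides or from Emerging Threats) that re-implements what they test in plain Python: the first function walks the content/byte_test chain of sid 2001973 over a server banner, and the class mimics the "threshold: type both, track by_src, count 2, seconds 300" clause of sid 2001978. Snort evaluates these on reassembled TCP streams; here the banner is just a bytes object, time is an integer of seconds, and the sample banners and packet timestamps are constructed.

```python
"""What the Kippo alerting rules actually test, as added example code."""


def ssh_banner_matches(payload: bytes) -> bool:
    """Return True if sid 2001973's content/byte_test chain would match payload."""
    # content:"SSH-"; offset:0; depth:4  -> bytes 0..3 must be exactly "SSH-".
    if payload[:4] != b"SSH-":
        return False
    if len(payload) < 6:
        return False  # the byte_tests below would read past the end
    # After the content match the detection cursor sits at offset 4.
    # byte_test:1,>,48,0,relative and byte_test:1,<,51,0,relative both read
    # the single byte at the cursor (byte_test does not move it): it must be
    # ASCII '1' (49) or '2' (50), i.e. an SSH-1.x or SSH-2.x banner.
    major = payload[4]
    if not (48 < major < 51):
        return False
    # byte_test:1,=,46,1,relative reads one byte past the cursor: it must be '.' (46).
    return payload[5] == 46


class ThresholdBoth:
    """Snort 'threshold: type both': fire once per time window, and only
    after `count` matching events from the same tracked key (here: src IP)."""

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.seconds = seconds
        self.windows = {}  # key -> [window_start, events_seen_in_window]

    def check(self, key: str, now: int) -> bool:
        start, seen = self.windows.get(key, (None, 0))
        if start is None or now - start >= self.seconds:
            start, seen = now, 0  # open a new window for this source
        seen += 1
        self.windows[key] = [start, seen]
        return seen == self.count  # exactly one alert per window


def session_alerts(events, count=2, seconds=300):
    """events: (src_ip, t_seconds) for each packet seen on the honeypot's SSH port.
    Returns the (src_ip, t) pairs at which sid 2001978 would raise an alert."""
    th = ThresholdBoth(count, seconds)
    return [(src, t) for src, t in events if th.check(src, t)]


# Constructed sample banners and a constructed packet timeline.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_5.1p1 Debian-5",  # SSH-2.x -> match
    b"SSH-1.99-OpenSSH_3.9",            # SSH-1.x -> match
    b"SSH-3.0-Future",                  # major version not 1 or 2 -> no match
    b"SSH-2,0",                         # comma instead of '.' -> no match
    b"HTTP/1.1 200 OK\r\n",             # not SSH at all -> no match
    b"SSH-2",                           # truncated -> no match
]
SAMPLE_EVENTS = [("10.0.0.5", 0), ("10.0.0.5", 10), ("10.0.0.5", 20),
                 ("10.0.0.9", 25), ("10.0.0.5", 400), ("10.0.0.5", 410)]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {'ALERT' if ssh_banner_matches(banner) else 'no match'}")
    print("session alerts at:", session_alerts(SAMPLE_EVENTS))
```

Note that the banner rule fires on the honeypot's reply, not the client's request, which is why the deck's version binds it to $HONEYPOT_SERVERS as the source; the session rule then de-duplicates the noise of a live session to one alert per source every five minutes.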
38. Tom’s Honeypot
• Developed by Tom Liston of InGuardians
• Low Interaction Multi-Protocol Honeypot
• Emulates RDP, VNC, Radmin, MSSQL, SIP
• Written in Python
• http://labs.inguardians.com/tomshoneypot
41. Honeydocs
• Documents designed to “phone home” when opened.
• Placed with/near other critical documents
• Honeydocs should never be opened
• Provides alerting when documents are exfiltrated
45. MHN: Modern Honey Network
• Centralized Management
• Web Interface w/ RESTful API
• http://threatstream.github.io/mhn/
46. Conclusion
• Honeypots aren’t just for research!
• They can be useful for intrusion detection.
• Great care should be taken when deploying honeypots inside the network perimeter.
• Multiple useful tools already exist.