Presentation transcript: A short introduction to honeypots
Εμμανουήλ Βασιλομανωλάκης, PhD candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED); collaborator, Networks Laboratory (ISLAB), IIT, DEMOKRITOS. firstname.lastname@example.org
Outline (4/21/2013, Telecooperation Group | CASED)
Introduction
Honeypots: classifications; deployment architectures; open source vs. nothing
SURFcert IDS & experiences from Demokritos
Future work - ideas
Introduction (1/2)
Axiom: attackers are always (at least) one step ahead.
Attacks are becoming overwhelming, targeted and more sophisticated.
Intrusion Detection Systems (IDSs) produce a significant number of false positive and false negative alerts.
More proactive solutions, and more information about the attacks themselves, are needed.
Introduction (2/2)
Definition: “A security resource whose value lies in being probed, attacked or compromised”
It doesn’t have to be a system: honeytokens.
We want to get compromised!
Certainly not a standalone security mechanism.
Why? FUN! No false positives (a honeypot serves no legitimate users, so any traffic reaching it is suspect by construction). Research: malware analysis / reverse engineering. Reducing the available attack surface / early warning system.
Honeypot Classifications
Low interaction: simulate network services (usually at the TCP/IP stack level).
[Medium interaction: simulate network services in more “sophisticated” ways.]
High interaction: real systems (e.g., VMs).
Other classifications: by purpose (generic, malware collectors, SSH, etc.); production vs. research (not really useful).
Honeypot Deployment Architectures (diagram slide)
Open Source vs. nothing (really!)
Honeypot        | Type    | OS      | Language       | GUI | License
Honeyd          | Generic | LINUX   | C              | N   | GNU
Nepenthes       | Malware | LINUX   | C              | N   | GNU
Dionaea         | Malware | LINUX   | PYTHON         | N   | GNU
Honeytrap       | Generic | LINUX   | C              | N   | GNU
LaBrea          | Generic | LINUX   | C              | N   | GNU
Tiny HP         | Generic | LINUX   | PERL           | N   | GNU
HoneyBot        | Malware | WINDOWS | -              | Y   | CLOSED
Google Hack HP  | WEB     | -       | PHP            | Y   | GNU
Multipot        | Malware | WINDOWS | VB 6           | Y   | GNU
Glastopf        | WEB     | -       | PYTHON         | Y   | GNU
Kojoney         | SSH     | LINUX   | PYTHON         | N   | GNU
Kippo           | SSH     | LINUX   | PYTHON         | N   | BSD
Amun            | Malware | LINUX   | PYTHON         | N   | GNU
Omnirova        | Malware | WINDOWS | Borland Delphi | Y   | GNU
BillyGoat       | Malware | -       | ?              | ?   | CLOSED
Artemisa        | VOIP    | -       | PYTHON         | N   | GNU
GHOST           | USB     | WINDOWS | C              | Y   | GNU
Dionaea
Low interaction honeypot for collecting malware; successor of Nepenthes.
Basic protocol simulated: SMB (port 445). Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP).
Also supports IPv6 and TLS.
Malware files: stored locally and/or sent to 3rd-party services (CWSandbox, Norman Sandbox, Anubis, VirusTotal).
Kippo (1/2)
Low interaction SSH honeypot. Features:
Presents a fake (but “functional”) system to the attacker (resembling a Debian 5.0 installation).
The attacker can download his tools through wget, and we save them for later inspection (cool!).
Session logs are stored in a UML-compatible format for easy replay with the original timings (even cooler!).
Easy to install, but hard to get hackers!
SURFcert IDS
An open source (GPLv2) distributed intrusion detection system based on honeypots.
Sensors act as proxies, forwarding network traffic from the monitored network to the system’s center over OpenVPN.
Supported honeypots: Nepenthes, Dionaea, Argos, Kippo.
Three parts: tunnel / honeypot server; web / logging server; sensors.
SURFcert IDS (continued)
Also: supports p0f for passive OS fingerprinting of attackers.
Statistics, a nice web GUI, sensor status, geographical visualizations, and more…
SURFcert IDS @ Demokritos
Some stats: 21,000 attacks on 3 different sensors (1 month); 1500 malware files downloaded; main target: port 445.
Successfully detected infected systems inside our network (mostly with a Conficker worm variant).
Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers).
Possible to find zero-day exploits / new malware (or new variants).
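An added example (not from the talk and not SURFcert IDS code) of the triage behind the Demokritos finding above: events from several sensors are aggregated per source address, and an internal host that hits port 445 on more than one sensor is flagged as a likely worm infection, while an external source touching many services is labelled a scanner. The log line format, sensor names, addresses and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of sensor events (not real SURFcert IDS output):
# timestamp, sensor id, source IP, destination port, honeypot that answered.
SAMPLE_EVENTS = """\
2013-04-01T10:00:01 sensor1 10.1.4.22 445 dionaea
2013-04-01T10:00:03 sensor2 10.1.4.22 445 dionaea
2013-04-01T10:00:09 sensor3 10.1.4.22 445 dionaea
2013-04-01T10:01:00 sensor1 203.0.113.7 22 kippo
2013-04-01T10:01:02 sensor1 203.0.113.7 445 dionaea
2013-04-01T10:01:05 sensor1 203.0.113.7 21 dionaea
2013-04-01T10:02:00 sensor2 10.1.9.3 22 kippo
"""

# Address space of the monitored network (an assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_events(text):
    """Turn the whitespace-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, sensor, src, port, honeypot = line.split()
        events.append({"ts": ts, "sensor": sensor, "src": ipaddress.ip_address(src),
                       "port": int(port), "honeypot": honeypot})
    return events

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def classify_sources(events):
    """Aggregate per source and label it. A honeypot serves no production
    traffic, so any internal host talking to one deserves a look; one hitting
    SMB/445 on several sensors behaves like a spreading worm."""
    per_src = defaultdict(lambda: {"sensors": set(), "ports": set()})
    for e in events:
        per_src[e["src"]]["sensors"].add(e["sensor"])
        per_src[e["src"]]["ports"].add(e["port"])
    verdicts = {}
    for src, seen in per_src.items():
        if is_internal(src) and 445 in seen["ports"] and len(seen["sensors"]) >= 2:
            verdicts[str(src)] = "internal host, likely worm-infected"
        elif is_internal(src):
            verdicts[str(src)] = "internal host, investigate"
        elif len(seen["ports"]) >= 3:
            verdicts[str(src)] = "external scanner"
        else:
            verdicts[str(src)] = "external, single service"
    return verdicts
```

Run `classify_sources(parse_events(SAMPLE_EVENTS))` to get one verdict per source address; in a real deployment the events would come from the logging server's database rather than an inline string.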
Future Work - Ideas
Features: better visualization; anti-evasion techniques; cheap & easy mobile sensors (Raspberry Pi); advertising honeypots.
Honeypots: mobile honeypots (e.g., Android); SCADA / Industrial Control Systems (ICS).
(Screenshots: attacker scans our system; attacker trying to connect to our “ftp” server.)
Thank You. Questions?