
Using Honeyclients for Detection and Response Against New Attacks
Kathy Wang, MITRE Corporation, knwang@mitre.org
OWASP Conference, 06 Sep 2007
© 2007 The MITRE Corporation. All rights reserved

Slide 2: Problem
- Client-side exploits are a growing threat
  - Lots of client-side vulnerabilities
    - Microsoft Internet Explorer has had more than 50 serious vulnerabilities in the last 6 months (SecurityFocus database)
  - Lots of client-side exploits
    - 90% of all PCs harbor spyware (Webroot, 2006)
- We need to be able to proactively detect and characterize client-side attacks before we get hit
We lack a proactive detection technology for client-side attacks

Slide 3: Example of an Emerging Threat
- Contagion worm-like attacks
  - Paxson, et al., "How to 0wn the Internet in Your Spare Time"
  - Wheel-and-spoke client-server infection model
  - Requires two exploits, one for the client, one for the server
[Diagram: a contagion-worm-loaded server infects a vulnerable client; that client then infects each vulnerable server it visits, and each is marked Infected]

Slide 4: Contagion Worm Model Assumptions
- Assume:
  - 1M vulnerable clients in the world
  - 1M vulnerable web servers in the world, out of 10M web servers
  - 1K popular servers
  - Clients surf one server per minute
  - Clients have a 90% chance of visiting a popular server, 10% chance of visiting an unpopular server
  - The contagion worm begins on one unpopular server

Slide 5: Possible Contagion Worm Propagation
[Diagram: propagation between vulnerable web clients, popular web servers, and unpopular web servers]
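The assumptions on slide 4 can be turned into a small expected-value (mean-field) model to see why the popular servers are the hinge of the propagation on slide 5. This is an added example, not code from the talk; where the slides are silent (whether popular servers are vulnerable, how vulnerable servers are spread over the unpopular pool, Poisson arrivals of infected visits) the choices are marked as assumptions in the comments.

```python
import math

# Parameters from the slide's assumptions. Where the slide is silent, the
# choice is marked as an assumption.
CLIENTS = 1_000_000        # vulnerable clients
ALL_SERVERS = 10_000_000   # web servers in total
VULN_SERVERS = 1_000_000   # vulnerable web servers
POPULAR = 1_000            # popular servers
P_POPULAR, P_UNPOPULAR = 0.9, 0.1   # where a client's one visit per minute goes
# Assumption: every popular server is vulnerable; the other vulnerable servers
# sit somewhere in the unpopular pool, so an unpopular visit hits a given one
# with probability 1/UNPOPULAR.
UNPOPULAR = ALL_SERVERS - POPULAR
VULN_UNPOPULAR = VULN_SERVERS - POPULAR


def step(state):
    """Advance the expected-value model by one minute (one visit per client)."""
    ic, ip, iu = state["clients"], state["popular"], state["unpopular"]
    # A susceptible client is infected if its visit lands on an infected server.
    p_hit = P_POPULAR * ip / POPULAR + P_UNPOPULAR * iu / UNPOPULAR
    new_clients = (CLIENTS - ic) * p_hit
    # Assumption: infected clients' visits reach each server as a Poisson
    # stream; a susceptible server is infected by at least one such visit.
    rate_pop = P_POPULAR * ic / POPULAR
    rate_unpop = P_UNPOPULAR * ic / UNPOPULAR
    new_pop = (POPULAR - ip) * (1 - math.exp(-rate_pop))
    new_unpop = (VULN_UNPOPULAR - iu) * (1 - math.exp(-rate_unpop))
    return {"clients": ic + new_clients, "popular": ip + new_pop,
            "unpopular": iu + new_unpop}


def simulate(threshold=0.99, max_minutes=10_000):
    """Minutes until `threshold` of clients are infected, plus the per-minute history."""
    state = {"clients": 0.0, "popular": 0.0, "unpopular": 1.0}  # one unpopular server seeded
    history = [state]
    for minute in range(1, max_minutes + 1):
        state = step(state)
        history.append(state)
        if state["clients"] >= threshold * CLIENTS:
            return minute, history
    return None, history


if __name__ == "__main__":
    minutes, history = simulate()
    for t, s in enumerate(history):
        print(f"min {t:2d}: clients {s['clients']:12.1f} popular {s['popular']:7.1f} "
              f"unpopular {s['unpopular']:10.1f}")
    print(f"99% of clients infected after {minutes} minutes")
```

The first minutes show almost nothing happening while only the seed server is infected; once a handful of popular servers are hit, the 90% popular-visit rule pulls nearly every client in within a few more minutes.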

Slide 6: A New 'Business' Model

Slide 7: Another Business Model

Slide 8: Current Situation
- Current coverage of client-side exploits is inadequate
  - Over 50% of recent vulnerabilities are client-based (SecurityFocus)
  - Only 1.5% of Snort Intrusion Detection System signatures are based on client-side attacks (www.snort.org)
- Honeypots
  - Detect server-side attacks
  - Passive devices
- Current methods of client-side exploit detection are reactive
  - Anti-virus
  - Anti-spyware
  - Clueful users

Slide 9: Background - Honeyclients
- Honeyclients provide the capability to proactively detect client-side exploits
  - A honeyclient is a system that drives a client application to potentially malicious servers
  - Any changes made on the honeyclient system are unauthorized: no false positives!
  - We detect exploits even without prior signatures

Slide 10: Basic Honeyclient Package
[Diagram: a Windows VM honeyclient on a Linux host, connected through a dedicated DSL line to the Internet, exchanges request/response with a malicious server; the host keeps traffic logs and a client-side exploit database]
Honeyclient prototype capabilities:
- Baseline integrity
- Drive IE
- Extract URLs
- Recurse (internal)
- Integrity checks
- Recurse (external)
- Virtual host
- Protective firewall
- Exploit DB
- Image rotation
- Modular clients
- Traffic history
- Secure logging
- Memory checks
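The "baseline integrity" and "integrity checks" capabilities above rest on the rule from slide 9: nothing but the browser runs on the honeyclient, so every difference between a pre-visit snapshot and a post-visit snapshot is an unauthorized change. The following is an added example of that check (not the MITRE package's own code); the directory layout and the changes in `demo()` are constructed to echo the case slides later in the talk.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify differences. On a honeyclient nothing else writes to disk, so
    every entry returned here is an unauthorized change worth an analyst's look."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario echoing the case slides: a binary appears, the hosts
    file vanishes, and a config file is altered after the 'visit'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "system32").mkdir()
        (root / "system32" / "drivers.ini").write_text("[drivers]\n")
        baseline = snapshot(root)            # taken before driving the browser
        # Simulated side effects of the browser visiting a malicious server.
        (root / "system32" / "suspicious.exe").write_bytes(b"MZ constructed sample")
        (root / "etc" / "hosts").unlink()
        (root / "system32" / "drivers.ini").write_text("[drivers]\nextra=1\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Deletions matter as much as additions: the missing /etc/hosts on the www.world0fwarcraft.net slide is exactly the kind of change a snapshot-only-for-new-files check would miss.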

Slide 11: Current Situation
- Attackers are starting to include honeyclient avoidance technologies on malicious servers
  - Repeated visits from identical IPs result in blocked access to some malicious sites (SANS Internet Storm Center)
  - Detection of spidering from honeyclients led to redirection to benign sites (Robert Danford)

Slide 12: Technical Approach: Add Advanced Capabilities to Counter Attackers
- Honeyclients should be able to:
  - Detect kernel-modifying rootkits
    - Improve our integrity checks further
    - Analyze virtual hard drives outside of the VM environment
  - Thwart exploits that detect virtual machine environments
    - Add honeyclient capability for a physical sandbox environment
    - A PXE boot image may allow us to network-boot images quickly on real hardware
  - Handle active content sites
    - Be able to access and download content from these sites
    - Automated mouse-clicking technology is available
  - Be difficult to distinguish from human activity
    - Attackers now recognize, and will actively counter, honeyclients
    - Develop human-like web crawling algorithms

Slide 13: Human-like Honeyclient Prototype
- Link scoring (good vs. bad words, link location)
- Browsing order for links (breadth vs. depth)
- Bandwidth footprint (humans do not access links at the same speeds)
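The three bullets above fit together as one crawl loop: score each link, pick the visit order, and vary the pause between requests. The code below is an added illustration of that loop, not the prototype from the talk; the keyword lists, the sample site, and the log-normal delay are constructed assumptions.

```python
import math
import random
from collections import deque

# Constructed keyword lists; a real deployment would tune these from its exploit database.
GOOD_WORDS = {"download", "free", "codec", "screensaver", "crack"}   # pull toward
BAD_WORDS = {"privacy", "terms", "contact", "login"}                  # push away


def score_link(url, anchor, position, total):
    """Higher score = visit sooner: keyword hits plus a bonus for links near the top."""
    text = (url + " " + anchor).lower().replace("/", " ").replace("-", " ")
    words = set(text.split())
    score = 2 * len(words & GOOD_WORDS) - 2 * len(words & BAD_WORDS)
    return score + 1.0 - position / max(total - 1, 1)


def browse_order(pages, start, mode="breadth"):
    """Visit order over pages (url -> [(url, anchor), ...]) in breadth- or depth-first
    style, always taking the best-scored unvisited link first."""
    seen, frontier, order = {start}, deque([start]), []
    while frontier:
        url = frontier.popleft() if mode == "breadth" else frontier.pop()
        order.append(url)
        links = pages.get(url, [])
        ranked = sorted(range(len(links)),
                        key=lambda i: -score_link(links[i][0], links[i][1], i, len(links)))
        fresh = [links[i][0] for i in ranked if links[i][0] not in seen]
        seen.update(fresh)
        frontier.extend(fresh if mode == "breadth" else reversed(fresh))
    return order


def human_delay(rng, median_seconds=4.0):
    """Seconds to pause before the next request; a log-normal spread mimics a reader
    rather than a scanner's fixed interval (assumed distribution)."""
    return round(rng.lognormvariate(math.log(median_seconds), 0.7), 2)


SAMPLE_SITE = {   # constructed sample site
    "http://example.test/": [("http://example.test/privacy", "Privacy policy"),
                             ("http://example.test/free-codec", "Free codec download"),
                             ("http://example.test/news", "News")],
    "http://example.test/free-codec": [("http://example.test/free-codec/setup", "Get it now")],
    "http://example.test/news": [("http://example.test/news/2007", "Archive 2007")],
}

if __name__ == "__main__":
    rng = random.Random(2007)
    for url in browse_order(SAMPLE_SITE, "http://example.test/", "depth"):
        print(f"{human_delay(rng):5.2f}s  {url}")
```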

Slide 14: Current Situation
- Each honeyclient can only cover so many sites
  - Need to coordinate efforts to improve coverage
  - No capability exists for distributed scanning
    - Individual honeyclients can scan redundant servers
    - There is no central reporting mechanism
  - The above restrictions limit the depth and breadth with which we can effectively cover the Internet

Slide 15: Technical Approach: Increase Our Coverage of Servers
- Design and deploy distributed honeyclients
  - Sponsors are asking for this in order to coordinate efforts
  - The Berkeley Open Infrastructure for Network Computing (BOINC) Project has a framework for distributed computing
  - This will result in much better coverage of the servers on the Internet

Slide 16: Distributed Honeyclient Prototype
[Diagram: several honeyclients, each on its own virtual host, scan the Internet and send reports to a central repository; the legend marks servers as bad or good]

Slide 17: Technical Approach: Gather and Correlate Honeyclient Data
- Trend spotting of collected data and statistical correlation
  - What percentage of all servers are malicious?
  - How do exploits spread from one server to another?
  - Are there clusters of servers that become malicious around the same time? (i.e., can we infer the control structure of the malicious server community?)
- Expand the existing exploit database
- Share the results of correlation with the community

Slide 18: Future Application for Honeyclients: Using Honeyclients to Detect Malicious Emails
[Diagram: an email server and a honeyclient on a virtual host; the legend distinguishes non-malicious from malicious email]
1. The email server sends email URLs and attachments to the honeyclient for processing
2. The honeyclient runs checks and notifies the email server of bad URLs and/or attachments
3. Only emails that pass the checks are forwarded to the recipient

Slide 19: Impact and Technology Transition
- We plan to pilot honeyclient technology for several sponsors
- Industry plans to run honeyclients
  - Verizon
  - Google
  - Symantec
- Products and standards
  - Contact vendors about new vulnerabilities in client applications

Slide 20: Why Should You Run Honeyclients?
- Operational benefits
  - Increase your visibility of emerging client-side threats
  - Malware collection and analysis
  - Share your results, and obtain other organizations' results
- Networking benefits
  - Group forum meetings
  - Government, industry, academic participation
  - Discussion on the latest trends in client-side exploits

Slide 21: Why Should You Run Honeyclients?
- Cost benefits
  - The HoneyClient package and Linux OSes are open-sourced
  - VMWare Server is free
  - Your costs: hardware, Internet connection, Windows license, analysts
- Other factors to consider
  - Your private data will not be leaked
  - Opportunity to provide a public service through data sharing

Slide 22: Demonstration

Slide 23: Some Honeyclient Case Examples
Please DO NOT go to any of the sites on the following slides unless you REALLY know what you're doing!!!

Slide 24: www.world0fwarcraft.net (Changes)
  Suspicious file

Slide 25: www.world0fwarcraft.net (Changes)
  Where's the /etc/hosts file??? Definitely suspicious

Slide 26: www.world0fwarcraft.net (Scans)

Slide 27: www.sharky.in (Changes)
  Suspicious behavior, let's check it out further!

Slide 28: www.sharky.in (Changes)
  This definitely doesn't look good...

Slide 29: www.sharky.in (Scan)
  Poor results on scans...

Slide 30: www.exploitoff.net (Changes)
  OK. Let's check this out.

Slide 31: www.exploitoff.net (Changes)
  Definitely not normal...

Slide 32: www.exploitoff.net (Changes)
  More badness...

Slide 33: www.exploitoff.net (Scans)
  Note that this binary is very poorly identified...

Slide 34: www.haaretz.com (Changes)
  So many bad sites, so little time...

Slide 35: www.haaretz.com (Changes)
  What is this '46W9GLCI.htm' file anyway??? Trying to add a printer???

Slide 36: www.haaretz.com (Changes)
  Here it is again...

Slide 37: www.haaretz.com
  Clearly, a hacker with a political agenda!

Slide 38: ns1.hosting101.biz
  Yikes! Very, very bad sign...

Slide 39: Additional Project Information
- Our project website: http://honeyclient.mitre.org
- Send us email, and we will add you to the mailing list: honeyclient@mitre.org
- We need beta testers! http://www.honeyclient.org/trac/wiki/download
- Developers are welcome too! An SVN repository is available; let us know if you'd like access
