Honeypots observations and their usefulness

Transcription

1 Honeypots observations and their usefulness Gerard Wagener - TLP:WHITE CIRCL March 15, 2017

2 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg 2 of 17

3 Honeypots - introduction Definition (Honeypots) A honeypot is security resource whose value lies in being probed, attacked, or compromised. 1 Evolution Keeping attacker was experimented by Stoll in the late 80s 2 Honeypot concept pushed in the year Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2002, page Clifford Stoll. Stalking the wily hacker. Commun. ACM, 31(5): , of 17

4 Honeypots - introduction Opportunistic automated attacks Host 1 attacker Host 2 Host 3 Host 4 Attacker scans arbitrary hosts 2 32 possibilities for IPv4 Abuse of vulnerable hosts Host 5 Monitor unused IPs Honeypots

5 Honeypots - introduction Opportunistic automated attacks Host 1 attacker Host 2 Host 3 Host 4 Attacker scans arbitrary hosts 2 32 possibilities for IPv4 Abuse of vulnerable hosts Host 5 Monitor unused IPs Honeypots 4 of 17

6 Honeypots - introduction Motivation to monitor unused IP addresses Do not monitor legitimate traffic Reduce false positives Avoid privacy issues Detect opportunistic attacks Detect misconfigured machines Detect victims: DDOS, compromised servers,... 5 of 17

7 Honeypot observations capabilities Interactions Information gain The more protocols you speak, the more information you get The more information you get, the more you get involved Honeypot interaction levels Low interaction honeypots Mid interaction honeypots High interaction honeypots 6 of 17

8 Honeypot observations capabilities data packets t 1, t 2, t 3, t 4 protocol 1 protocol 2 ip port protocol 3 botnet command = b 1 + b 2 + b 3 + b 4 7 of 17

9 Observing SYN floods attacks in backscatter traffic Attack description Attacker Spoofed requests H 0, H 1, H 2, H 3,... Victim H 0 H 1 H 2 H 3 Connections H 0 H 1 H 2 H 3 Fill up state connection state table of the victim 8 of 17

10 Observing SYN floods attacks in backscatter traffic Plotting TCP acknowledgement numbers Honeypot captures - TCP ACK distribution ACK value Time - Hour 9 of 17

11 Observing amplification attacks Definition y request of x bytes triggers responses of (x+ ) bytes selected vulnerable server (y) Abuse of vulnerable servers data request from v Attacker Server 3 Server 2 data delivery to v Victim (v) Server 1 10 of 17

12 Discovering the attacking infrastructure Historical example: Allaple worm from Attackers constantly scan for vulnerable hosts 11 of 17 Number of IPs Unique IP addresses infected with Allaple per day /10 15/01 15/04 15/07 15/10 16/01 16/04 16/07 16/10 17/01 17/04 Time (year/month/day) Probes for more than 10 years

13 Discovering the attacking infrastructure Popular example: Mirai Variant ISN=destination IP Number of unique IP addresses 12 of Unique IP addresses with Mirai behaviour /07 16/08 16/09 16/10 16/11 16/12 17/01 17/02 17/03 Month/year isn=ip dest

14 Observing misconfigured systems Human and Internet addressing is a good mix for errors Just look at internal 3 addresses that should not go on Internet Further reading: circl-blackhole-honeynetworkshop2014.pdf Hit wrong key 192.x.z.y 193.x.y.z Omission of number 192.x.y.z 12.x.y.z Doubling of keys 10.a.b.c 100.a.b.c 172.x.y.z 152.x.y.z 3 RFC of 17

15 Observing misconfigured systems Generic metrics compressed volume collected by honeypot volume in kb /26 02/02 02/09 02/16 02/23 03/02 03/09 time - month/day 14 of 17

16 Observing misconfigured systems Badly configured DNS resolvers KASPERSKY AVAST KASPERSKY-LABS SYMANTEC MCAFEE SYMANTECLIVEUPDATE TRENDMICRO BITDEFENDER AVG COMODO SOPHOSXL SOPHOS F-SECURE DRWEB PANDASECURITY PANDADOMAINADVISOR KINGSOFT SYMANTECCLOUD PANDASOFTWARE CLAMAV SYMANTECMAIL AVGMOBILATION RISING KASPERSKYLABS FORTINET MCAFEESECURE NPROTECT NORMAN PANDA AVGCLOUD BAIDU PANDAAPP GDATASECURITY NPROTECT2 MALWAREBYTES MCAFEEMOBILESECURITY MCAFEEASAP AVGTHREATLABS AVGATE PANDAPOST BITDEFENDER-ES Antivirus software trying to fetch their updates from honeypots 15 of 17

17 Improving threat intelligence data MISP sightings Definition Threat intelligence data lookup in honeypot data Feedback to threat intelligence platform Link threat intelligence data with honeypot observations Identify opportunistic attacks Identify misconfigured systems Determine the freshness of information 16 of 17

18 Conclusions Usefulness of honeypots Detect opportunistic attacks Detect trends: Netis backdoor,heartbleed, Mirai,... Detect misconfigured machines Discover victims: DDOS, compromised servers,... Measuring attacker s capabilities Ongoing best effort research activities at CIRCL Getting involved of 17