Using Honeypots for Security Operations

Size: px

Start display at page:

Download "Using Honeypots for Security Operations"

Bertha Gibbs
5 years ago
Views:

Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.

1 Using Honeypots for Security Operations Jim Barlow Head of Security Operations and Incident Response National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign 1 National Center for Supercomputing Applications

2 Outline Honeypots and why did we start using them? Details on incident involved with Setting one up and honeypot activity What we learned Other areas of application Future work 2 National Center for Supercomputing Applications

3 Traditional Honeypots First used for researching blackhat activity Set up a honeypot, see who breaks in Know your enemy papers 3 National Center for Supercomputing Applications

4 Why did we set one up? Had incident where we wanted to get specific intruder on our honeypot to monitor Persistent intruder Generally intruders move to greener pastures when discovered 4 National Center for Supercomputing Applications

5 What did we want to find? Where are they coming from? Where are they going? What tools are they using? What exploits are being used? Motive? 5 National Center for Supercomputing Applications

6 More details on incident Miscreants were using trojaned ssh clients to compromise accounts Would then attempt local exploits Large number of compromised accounts and machines Tended to use same system to launch attacks for days or weeks Can we get them to use our system? 6 National Center for Supercomputing Applications

7 Setting up honeypot If we build it, will he come? Can be a hard problem, how to get specific intruder onto our honeypot? Bait and Switch honeypots US DoD Net Force Maneuver We decided to use Sebek from honeynet.org Used their own tool against themselves Use trojaned ssh client to log into honeypot 7 National Center for Supercomputing Applications

8 First honeypot activity Fed account into their collector using tojaned ssh client (on compromised machine). Intruders logged into our honeypot within 2 minutes There were no local vulnerabilities on honeypot Session 1 output 8 National Center for Supercomputing Applications

9 What did this tell us? Actively using and monitoring passwords collected Specific commands they used Some of what they initially look for ssh host sh -i IP address attacking from 9 National Center for Supercomputing Applications

10 Honeypot round 2 Second account fed took three hours to log into system Session 2 output Different command syntax Does that tell us anything? Few more hits over next couple days 10 National Center for Supercomputing Applications

11 Additional hits on second hp Spent more time on system around a week later Some interesting information Looking for exported filesystems Targeting our teragrid cluster Download and use of nfsshell tool Session 3 output 11 National Center for Supercomputing Applications

12 Third times a charm? Fed account on third honeypot system Knew format of password collector and could feed accounts at random Compromised machine on our network using scan and sploit. We were able to see everything they did on the compromised system. Lots of interesting items discovered Session 4 output 12 National Center for Supercomputing Applications

13 Other interesting sessions Started giving them boxes that could be rooted Would they start using the machine more? After getting root Didn't install standard rootkit Installed mod_rootme package Started web server as root OpenSSL led to additional compromise 13 National Center for Supercomputing Applications

14 How did this all help us? Categorize vulnerabilities being exploited Identify IP address attacking from Get tools being used How and where they were getting them from ie. uuencoding thought safe Share all this with trusted community Also created info file that could be shared with newly affected sites 14 National Center for Supercomputing Applications

15 What else did this tell us about the miscreant? Strange habit of logging in, out, and back in again Why? More than one person? Once on machine logs onto localhost Changes last login entry Seems all attacks were done manually Occasional special characters typed Foreign character set? Maybe possible to analyze commands to determine if more than one person Eventually hp not needed (at times) 15 National Center for Supercomputing Applications

16 Attack network Compromised hosts Route in Inside U.S. Password collector Outside U.S. Web server 16 National Center for Supercomputing Applications

17 Other areas we are using honeypots SSH brute force logger Logging usernames and passwords for last 9 mo. Create account with one of these common ones and watch what they do Wash/rinse/repeat Categorize attackers? X server honeypot Remote site with similar name ncsa.teragrid.org vs. ncsa.org 17 National Center for Supercomputing Applications

18 Other uses of honeypots/honeytokens Honeytokens/web bugs Bugged Web page/ archive How long till it's mined off of google? Online forensics from honeypot Needed to access remote machine Log in from ssh password collector Thought compromised host was blocked at border 18 National Center for Supercomputing Applications

19 Future Work Distributed honeynet Same username at multiple sites (known_hosts attack) 19 National Center for Supercomputing Applications

20 Questions? Gracias 20 National Center for Supercomputing Applications

Honey Pot Be afraid Be very afraid

Honey Pot Be afraid Be very afraid Presented By Shubha Joshi M.Tech(CS) Problems with internet Why? Problems The Internet security is hard New attacks every day Our computers are static targets What should