Honeypot Hacker Tracking and Computer Forensics

Similar documents
CE Advanced Network Security Honeypots

Honey Pot Be afraid Be very afraid

Firewall Identification: Banner Grabbing

Ethical Hacking and Prevention

Comparative Study of Different Honeypots System

Honeypots. Security on Offense. by Kareem Sumner

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

UMSSIA INTRUSION DETECTION

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

HONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale

Internet Security: Firewall

What a Honeynet Is H ONEYPOTS

Know Your Enemy: Honeynets What a Honeynet is, its value, how it works, and risk/issues involved.

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Systrome Next Gen Firewalls

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)

Building an IPS solution for inline usage during Red Teaming

Outline. Internet Security Mechanisms. Basic Terms. Example Attacks

AIT 682: Network and Systems Security

Computer Security: Principles and Practice

2. INTRUDER DETECTION SYSTEMS

Chapter 9. Firewalls

A Distributed Intrusion Alert System

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Certified Ethical Hacker (CEH)

Venusense UTM Introduction

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

The Bro Cluster The Bro Cluster

Darknet Traffic Monitoring using Honeypot

Network Infrastructure Security

CSE 565 Computer Security Fall 2018

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

IBM Zürich Research Laboratory. Billy Goat Overview. James Riordan Diego Zamboni Yann Duponchel IBM Research Zurich Switzerland IBM Corporation

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

Host. Computer system #1. Host Hardening

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

ARAKIS An Early Warning and Attack Identification System

CIH

Certified Penetration Testing Consultant

GCIH. GIAC Certified Incident Handler.

Design your network to aid forensics investigation

Lecture 08: When disaster strikes and all else fails

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Certified Vulnerability Assessor

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Securing CS-MARS C H A P T E R

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Certified Ethical Hacker

Ethical Hacker Foundation and Security Analysts Course Semester 2

: Administration of Symantec Endpoint Protection 14 Exam

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Introduction.

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

ECCouncil Exam v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ]

CSC 474/574 Information Systems Security

ECE 4112 Internetwork Security Lab 7: Honeypots and Network Monitoring and Forensics. Group Number: Member Names:

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Training UNIFIED SECURITY. Signature based packet analysis

Three interface Router without NAT Cisco IOS Firewall Configuration

Honeynet Data Analysis: A technique for correlating sebek and network data

AccessEnforcer Version 4.0 Features List

Introduction to Computer Security

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. Honeypots

CompTIA Security+(2008 Edition) Exam

OpenFire: Opening Networks to Reduce Network Attacks on Legitimate Services

Curso: Ethical Hacking and Countermeasures

Firewalls 1. Firewalls. Alexander Khodenko

Global Information Assurance Certification Paper

Journal Online Jaringan COT POLIPD (JOJAPS) Network Defender with Fake Server: A New Way for Network Protection

Overview Intrusion Detection Systems and Practices

Cisco WAAS Software Command Summary

CS System Security 2nd-Half Semester Review

Strategic Infrastructure Security

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

SANS Exam SEC504 Hacker Tools, Techniques, Exploits and Incident Handling Version: 7.1 [ Total Questions: 328 ]

Network Security Platform Overview

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

CompTIA E2C Security+ (2008 Edition) Exam Exam.

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Network Traffic Analysis - Course Outline

Gigabit SSL VPN Security Router

What action do you want to perform by issuing the above command?

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Transcription:

Honeypot Hacker Tracking and Computer Forensics Manfred Hung manfred.hung@pisa.org.hk

Agenda Honeypot History Value of Honeypot Honeypot Technology Common Honypot products/solutions Honeypot deployment tips Future of Honeypot

Intruders Motivation High speed network/internet bandwidth High speed processors Enormous disk storage Value of information stored Business/Political issues Script Kiddies, Worms

Value of Honeypot Research based Honeypot Research the threats organization may face Detect new threat Deploy in University, Government, IT Vendor Production based Honeypot Secure product environment by detect attack Waste intruders time on honeypot system Deploy in customers production net

Real System History of Honeypot 1990 or before Network services simulation 1998 Virtual System 1999

Real System Honeypot Technology Unprotected network Wide open firewall rules Insecure system Default install, no patch Insecure setting

Honeypot Technology Network Service Simulation NFR BOF, Sting, Honeyd Unable to capture details information Easy to deploy Low interaction, lower risk, no real OS Virtual System Honeynet, Decoy Server (ManTrap) Able to capture details information Complex to deploy High interaction, higher risk, virtual OS

Honeypot Technology NFR BOF CyberCop Sting Honeyd Symantec Decoy Server HoneyNet Lower interaction Lower risk Higher interaction Higher risk

NFR BackOfficer Friendly (BOF) Network services simulation Slow-interaction honeypot

NFR BOF Limited Services Limited Services BO2K, FTP, Telnet, SMTP, HTTP, POP3, IMAP

NFR BOF Slow Interaction Slow Interaction HTTP 401 Authorization Failed FTP, SMTP, POP3-503 Service Unavailable

CyberCop Sting Network Service Simulation Low interaction honeypot Network device, Windows, Unix Limitation - Windows NT only

Honeyd Network Service Simulation Low interaction honeypot Network device, various OS system Resists fingerprinting

Honeyd Route traffic Blackholing Route net traffic TTL, latency, packet loss

Honeyd ARP request ARP spoofing Arpd monitor arp traffic Map non-exist IP addr. to honeyd MAC addr. ARP proxy Static map IP addr. to honeyd MAC addr.

Honeyd fingerprint Nmap, Xprobe Database of known OS signature

Honeyd fingerprint ICMP TCP UDP ICMP Response WinSize, DF, TTL, TOS, TCP ISN Fingerprint system

Honeyd Interactive Response stdin Service script stdout

Symantec Decoy Server (ManTrap( ManTrap) Internet/Intranet Cage Cage Cage Cage Host system kernel DB Host system Console

Symantec Decoy Server Cage Content Management Module (CGM) Network sniffer Kernel process create, File I/O Hardware token - ibutton

Decoy Server Data Control Intruder unable to access host system Multiple cage are under separate network Cage shutdown File system

Decoy Server Data Capture Kernel level data capture Network (sniffer) Process (PID, EUID, EGID) File I/O Device I/O

Decoy Server Data Capture Network capture Kernel level capture Session playback

Decoy Server - Data Collect Content Generation Management (CGM) Alerts (e-mail, SNMP ) Collected data integrity protection ibutton Secure copy (SCP)

Honeynet Data Control Firewall control inbound traffic Limited access to pre-defined service Firewall control outbound traffic Allow outgoing traffic if not excess pre-defined no. of connection count Firewall manual control Allow console or remote control traffic

Honeynet Data Capture Network level Firewall Network IDS System level Trojan shell System/Application log (ie. Syslog) File I/O

Honeynet Data Collect Firewall log IDS log (ie ACID) Trojan shell Syslog

Fingerprint Honeynet GenI Problem Connection Limit TTL Risk Low connection limit not equal to safe High connection limit not equal to unsafe

Honeynet GenII - Improvement Data Control Connection Limitation Snort-Inline Drop If intrusion occurs, drop Snort-Inline Replace If intrusion occurs, replace attack action

Honeynet GenII - Improvement Bridge Gateway Internet production Honeynet

Honeynet GenII - Improvement Data Capture Trojan shell Fingerprint Capture at kernel module

Honeypot Deployment Tips Placement outside or inside firewall Extensive probe No. of honeypot system Map all unused IP addr., port to honeypot Data in the honeypot system Network/System traffic, application data

Honeypot Deployment Tips Security Data collected Modified activity log, wiping disk Syslog/SNMP Trap to other system Write-One Media (multi-session write) Content management Lookup source Collected data integrity Hash checksum Digital signed

Risk Associated with Honeypot Fingerprint Fingerprint honeypot system Based on OS, services running Customization Honey environment does not match real system Victim standard system does not match honeypot Apply similar production system setting Match OS Realism Honeypot don t like real system Monitor network/system activity Real application and production data

Risk Associated with Honeypot Intruders stepping stone Firewall, NIDS, HIDS Response action Automatically vs Manually

Honeypot Development Auto-build honeypot content Simulate real environment Operation System Application Data GUI Management Console Centralized data collection User mode Linux (UML)

Thank You Manfred Hung manfred.hung@pisa.org.hk Professional Information Security Association www.pisa.org.hk

Honeynet A platform for studying Hacker Behaviors and Computer Forensics Alan S H Lam alan.lam@pisa.org.hk

Outlines Objectives of our Honeynet Implementation of our Honeynet Intruders Activities and Forensics Techniques (with live demo) Deployment Tips Future Development Q& A

Objectives of our Honeynet To learn from the hackers To give early warning of potential attacks To collect research material for our computer forensic lab To improve our skill in security incident response

Existing Honeynet Network Infrastructure

Implementation Data Control Egress filter rule IPtable rule in firewall to drop or cut Honeypot traffic when NIDS detects any attack originated from Honeypot Packet rate higher than R After N outbound connections from Honeypot After M packets go through the Honeynet An alert message will be sent to the system admin when the connection is cut

Implementation (cont ) Data Capture Capture all network packets in/out the Honeynet Capture hackers keystroke by a trojaned login shell in Honeypot Remote syslog Dump backup Firewall and SNORT NIDS log All data captured are stored in the firewall host

Intruders Activities Identify/locate the victim by some scanning tools Break-in the victim through system security holes. The following vulnerabilities were used by the hackers to break-in our Honeynet. sshd CRC32 Overflow Buffer overflow in openssl WU-FTP RNFR././ attack execve/ptrace race condition Microsoft's DCOM RPC (W32/BlasterA/D Worm)

Intruders Activities (cont ) After break-in, the hackers may Install rootkit to setup backdoor, sniffer, IRC proxy, or streaming server Use victim as a stepping stone to find and attack other victims Fix the victim vulnerability and undo other hackers jobs Send back the victim information through e-mail Propagate the attack to other victims Deface/remove victim web page

Forensic Tools scp, dd, tar, nc tcptrace, tcpdump, snort ps, netstat, lsof, fuser, kill -STOP, pcat, ltrace, strace, /dev/kmem, coreography /proc directory find, ldd, strings, gbd, od, bvi, icat, elfsh Coroner s Toolkit (TCT), Chkrootkit

Deployment Tips Do not deploy your Honeynet unless you are sure about your data control Start with tight data control first Capture data at different levels Make sure your Honeynet does not violate your company policy

Future Development Enhance the Honeynet to include more other OS systems Honey the Honeypots so as to attract different classes of hackers (e.g. building a web portal or on-line bank) Set up a forensic lab

Q & A Questions Comments Suggestions Thank You alan@ie.cuhk.edu.hk Professional Information Security Association www.pisa.org.hk

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback