
FORTH’s Honeypots

Learn the basics of honeypots, how they work, their classification, and a hands-on guide to using a honeypot VM tool for network security monitoring.


Presentation Transcript


  1. FORTH’s Honeypots
  CIPSEC workshop, Frankfurt, 16/10/2018
  Manos Athanatos, FORTH
  Co-funded by the Horizon 2020 Framework Programme of the European Union

  2. Honeypot - What is it?
  • A non-production computer resource whose task is to be probed, attacked, compromised or accessed in any other unauthorized way.
  • It could be:
    • A piece of information/data
    • A service
    • An application
    • An entire system
  • It has:
    • No ordinary users
    • No regular services
  • Like an “undercover” computer which is built to be an “easy” target for the attacker and waits to be compromised!
  • A trap for attackers

  3. Honeypot - How does it work?
  • Honeypots are deployed in the network
    • Mimic the behavior of a server
    • Listen on an unused IP range
  • A possible attacker probes the unused IPs for services
  • Honeypots reply and interact with the entity
  • Entities attempting to communicate with honeypots are by default suspicious
  • Activity between entities and honeypots is monitored:
    • Commands executed
    • Files downloaded
    • Links visited
  • The attacker’s IP is blacklisted to prevent potential attacks
    • Firewalls can be updated to block traffic from this IP address
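The "unused IP range is suspicious by default" rule from this slide, as an added example that is not part of the original deck or of FORTH's tool: constructed connection records are matched against a configured dark-space prefix, sources are summarised, multi-host scans are singled out, and a block list (rendered here in iptables syntax, an assumed deployment detail) is derived. The `allow` set is an assumption for sources such as the site's own authorised scanners.

```python
import ipaddress
from collections import defaultdict

# Constructed: the unused "dark space" range the honeypot listens on.
DARK_SPACE = ipaddress.ip_network("203.0.113.0/28")

# Constructed connection records: (source IP, destination IP, destination port, service).
EVENTS = [
    ("198.51.100.7", "203.0.113.3", 445, "smb"),
    ("198.51.100.7", "203.0.113.4", 445, "smb"),
    ("198.51.100.7", "203.0.113.5", 22, "ssh"),
    ("192.0.2.44", "203.0.113.9", 502, "modbus"),
    ("192.0.2.44", "203.0.113.9", 502, "modbus"),
    ("10.0.0.12", "10.0.0.80", 443, "https"),   # a real server, not dark space: ignored
]

def in_dark_space(addr, dark_space=DARK_SPACE):
    return ipaddress.ip_address(addr) in dark_space

def suspicious_sources(events, dark_space=DARK_SPACE, allow=frozenset()):
    """Every source that contacts a dark-space address is suspicious by default.
    Returns {source_ip: {"targets": set, "ports": set, "hits": int}}."""
    seen = defaultdict(lambda: {"targets": set(), "ports": set(), "hits": 0})
    for src, dst, port, _service in events:
        if src in allow or not in_dark_space(dst, dark_space):
            continue
        rec = seen[src]
        rec["targets"].add(dst)
        rec["ports"].add(port)
        rec["hits"] += 1
    return dict(seen)

def scanners(summary, min_targets=2):
    """Sources that touched several dark-space hosts look like scans."""
    return sorted(s for s, r in summary.items() if len(r["targets"]) >= min_targets)

def blocklist(summary):
    return sorted(summary)

def firewall_rules(blocked):
    # One drop rule per blocked source (iptables syntax assumed for illustration).
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]
```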

  4. Honeypots Classification - Type of attacked resources
  Indicates whether the honeypot’s resources are exploited in server or client mode:
  • Server Side Honeypots
    • Act like a real server
    • Mimic network services
    • Listen on their standard ports
    • Monitor any connections initiated by remote clients
    • Detect scanning worms or manual attack attempts
  • Client Side Honeypots
    • Employ a set of client applications (e.g. web browser)
    • Connect to remote services
    • Monitor the activity and the remote content
    • Detect malicious behavior and content online

  5. Honeypots Classification - Level of interaction
  Indicates whether the honeypot’s resource is a real one, an emulated one or of a mixed type:
  • Low Interaction Honeypots
    • Resources are emulated
    • Services (for server side honeypots)
    • Applications (for client side honeypots)
  • High Interaction Honeypots
    • Provide real OS, services and applications
  • Hybrid Honeypots
    • Combine both low and high interaction honeypots

  6. Honeypots VM tool - Components
  • Ubuntu VMs with pre-installed software
    • Dionaea Honeypot
    • DDoS tool
    • ICS/SCADA honeypot
    • Kippo SSH Honeypot
    • REST API server for remote access
    • Communication with the control panel over SSL
  • Logs aggregator XMPP server
  • Central PostgreSQL database
    • Incidents stored in a unified format
  • Web based control panel
    • Remote administration of VMs
    • Visualization of attacks
    • Monitoring of honeypots’ VM performance
  • Extra features include:
    • LDAP authentication for users
    • Delivery of personalized alerts via email in PDF format

  7. Dionaea Honeypot
  • Dionaea is a low interaction honeypot
  • Uses Python to emulate well-known services
    • HTTP, HTTPS, FTP, TFTP, SMB, MSSQL, MySQL
  • Accurate implementation of the Server Message Block (SMB) protocol
    • Provides share access to printers and files (port 445)
    • Popular target for worms and bots to spread
  • Modular architecture
    • New protocols can be emulated and added
  • Supports IPv6
  • Good performance and stability
    • Can monitor many IP addresses simultaneously

  8. Kippo Honeypot
  • Kippo emulates the SSH service
    • Provides high level accuracy
    • Implemented in Python
  • Emulates a Debian filesystem
    • Provides content for some files (e.g. /etc/passwd)
  • Stores all files that are downloaded
    • Simulates wget and curl commands
  • Stores all commands executed
    • Enables the analyst to replay the commands
  • Good performance and stability
    • Can monitor many IP addresses simultaneously

  9. ICS/SCADA Honeypot
  • CONPOT emulates SCADA services
    • Supports 12 known protocols including modbus, http, bacnet, ftp, enip, ipmi, s7comm and more
    • Basic emulation capabilities
    • Implemented in Python
  • Modified for CIPSEC to provide logging via syslog
  • Easy to configure/use
  • Low logging capabilities

  10. FORTH’s DDoS Tool
  • Detects DoS amplification attack attempts
  • Able to monitor attacks targeting multiple protocols such as: DNS, NetBIOS, NTP, SNMP and more
  • Provides syslog output to the ATOS XL-SIEM
  • Visualisation of the detected events to the unified CIPSEC dashboard
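A detection heuristic for the amplification attempts this slide describes, as an added example that is not FORTH's tool or its code: a sensor that receives bursts of requests on reflector-prone UDP ports (the protocols listed on the slide, standard ports assumed) is being used as a reflector, and because the request source is spoofed, the flagged address is the likely victim. The request sample, the thresholds and the key=value syslog layout are constructed for this example.

```python
from collections import defaultdict

# UDP services named on the slide that are commonly abused as reflectors
# (standard port numbers; this mapping is an assumption of the example).
AMPLIFICATION_PORTS = {53: "dns", 137: "netbios", 123: "ntp", 161: "snmp"}

# Constructed sample of UDP requests seen by the sensor: (unix time, source IP, destination port).
REQUESTS = [
    (1000.0, "198.51.100.9", 53), (1000.3, "198.51.100.9", 53), (1000.6, "198.51.100.9", 53),
    (1000.9, "198.51.100.9", 53), (1001.2, "198.51.100.9", 53), (1001.5, "198.51.100.9", 53),
    (1002.0, "192.0.2.5", 123), (1007.0, "192.0.2.5", 123),         # too few to matter
    (1000.0, "203.0.113.30", 161), (1030.0, "203.0.113.30", 161),   # too slow to matter
    (1060.0, "203.0.113.30", 161), (1090.0, "203.0.113.30", 161),
    (1003.0, "198.51.100.9", 445),                                  # not an amplification port
]

def detect_amplification(requests, window=10.0, threshold=5):
    """Flag (source, port) pairs with >= threshold requests to an amplification-prone
    UDP port inside any `window`-second span. In a reflection attack the source
    address is spoofed, so the flagged address is the probable victim."""
    buckets = defaultdict(list)
    for ts, src, port in requests:
        if port in AMPLIFICATION_PORTS:
            buckets[(src, port)].append(ts)
    alerts = []
    for (src, port), times in buckets.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"victim": src, "proto": AMPLIFICATION_PORTS[port],
                           "port": port, "count": peak})
    return alerts

def syslog_message(alert, sensor_id="SENSOR-ID-PLACEHOLDER"):
    """Key=value message for the SIEM; the field names are this example's, not the tool's."""
    return (f"ddos-tool sensor={sensor_id} event=amplification_attempt "
            f"victim={alert['victim']} proto={alert['proto']} "
            f"port={alert['port']} count={alert['count']}")
```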

  11. Honeypots’ VM tool - Workflow
  • The security administrator initializes the Honeypots’ VM in the network that needs to be protected.
    • They can choose which honeypots to enable (Dionaea Honeypot, DDoS tool, ICS/SCADA honeypot, Kippo SSH Honeypot)
    • Through the control panel they initialize the Honeypots’ VM:
      • Apply a unique ID to the sensor
      • Configure the monitored IP dark space
      • Start all services
    • Automated update and patching mechanism
  • Honeypots monitor the network for attacks
    • Attackers discover services and try to compromise them
    • Honeypots track their activity
  • Honeypot logs are sent to the ATOS XL-SIEM and stored in a database
  • The CIPSEC Integrated Dashboard visualizes the attacks
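The "unified format" step of this workflow (slide 6 stores incidents in one format in the central database; slide 11 tags every sensor with a unique ID before its logs leave for the SIEM), as an added example that is not the project's code: three raw events in deliberately different shapes are mapped onto one incident row with a common timestamp format and a validated source address. The raw shapes, the column list and the sensor-ID placeholder are assumptions of this example, not the real log formats of Dionaea, Kippo or Conpot.

```python
import ipaddress
from datetime import datetime, timezone

SENSOR_ID = "SENSOR-ID-PLACEHOLDER"   # unique ID assigned by the control panel (placeholder)

# Unified column order for the central incidents table (assumed schema).
COLUMNS = ("sensor_id", "honeypot", "ts", "src_ip", "src_port", "dst_port", "protocol", "detail")

# Constructed raw events; these are NOT the real log formats of the three honeypots.
RAW_EVENTS = [
    {"honeypot": "dionaea", "remote_host": "198.51.100.7", "remote_port": 49201,
     "local_port": 445, "protocol": "smbd", "timestamp": "2018-10-16T09:12:01Z"},
    {"honeypot": "kippo", "src_ip": "203.0.113.77", "time": 1539681150, "input": "uname -a"},
    {"honeypot": "conpot", "peer": "192.0.2.44:50321", "proto": "modbus",
     "dst_port": 502, "request": "read_holding_registers", "ts": "2018-10-16 09:13:05"},
]

def _iso(ts):
    """Bring the three timestamp styles (epoch, ISO with Z, space-separated) to one ISO UTC string."""
    if isinstance(ts, (int, float)):
        dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    else:
        dt = datetime.strptime(ts.replace("Z", "").replace(" ", "T"), "%Y-%m-%dT%H:%M:%S")
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def normalize(ev, sensor_id=SENSOR_ID):
    """Map one raw honeypot event onto the unified incident row."""
    kind = ev["honeypot"]
    if kind == "dionaea":
        row = (ev["remote_host"], ev["remote_port"], ev["local_port"],
               ev["protocol"], "connection", ev["timestamp"])
    elif kind == "kippo":
        row = (ev["src_ip"], None, 22, "ssh", "cmd: " + ev["input"], ev["time"])
    elif kind == "conpot":
        host, _, port = ev["peer"].rpartition(":")
        row = (host, int(port), ev["dst_port"], ev["proto"], ev["request"], ev["ts"])
    else:
        raise ValueError(f"unknown honeypot type: {kind}")
    src_ip, src_port, dst_port, proto, detail, ts = row
    ipaddress.ip_address(src_ip)   # reject a malformed address before it reaches the database
    return dict(zip(COLUMNS, (sensor_id, kind, _iso(ts), src_ip, src_port, dst_port, proto, detail)))

def normalize_all(events):
    return [normalize(e) for e in events]
```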

  12. Honeypots VM tool - Architecture

  13. CIPSEC Integrated Dashboard – Honeypots View

  14. CIPSEC Framework Reference Architecture

  15. Partners’ role in CIPSEC Reference Architecture (architecture diagram; only the labels were recoverable from the slide)
  • Critical Infrastructure Platform
  • CIPSEC Core Framework
  • System manager
  • User/System manager Layer
  • Contingency plan
  • Recommendations
  • Presentation Layer
  • Forensics Analysis Visualization tool
  • Dashboard
  • Data Processing Layer
  • Anonymized Sensitive Data
  • Historic anomalies DB
  • Forensics service
  • Data anonymization and Privacy
  • Updating/Patching
  • Detection Layer
  • Compliance Management
  • Anomaly detection reasoner
  • Acquisition Layer
  • External Security Services
  • Future security services plugged
  • Endpoint Detection and Response
  • Vulnerability Assessment
  • Identity Access Management
  • Integrity Management
  • Crypto services
  • Network Security (DPI firewalls, routers with ACL, network segmentation, DMZ, NAC, etc.)
  • Critical Infrastructure Components (sensors, computers, network, servers, routers, …)
  • User Training

  16. Thanks for your attention! Questions?
  Contact:
  Project Coordinator: Antonio Álvarez, ATOS, antonio.alvarez@atos.net
  Technical Coordinator: Sotiris Ioannidis, FORTH, sotiris@ics.forth.gr
  www.cipsec.eu
  @CIPSECproject
  https://www.linkedin.com/in/cipsec-project/
  https://www.youtube.com/channel/UCekxicSFAwZdIPAV3iLHttg
  CIPSEC Technical Review Meeting, Barcelona, 22/11/2017
