
Disclaimer

Disclaimer. This is a technical session that contains non-technical content. Get relaxed and get ready for some details. We will have fun because we will take it seriously. Build a Security Intelligence Center (SiC). Know your enemy tactics and motives. Ahmed A. Selim


Presentation Transcript


  1. Disclaimer This is a technical session that contains non-technical content. Get relaxed and get ready for some details. We will have fun because we will take it seriously

  2. Build a Security Intelligence Center (SiC) Know your enemy tactics and motives Ahmed A. Selim Information Security Consultant

  3. Bottom Line How to boost your SoC activity efficiency by introducing a set of intelligence techniques. That's all.

  4. Overview (diagram) Attacker / Analyst • Sword / Shield • Offensive / Defensive • Proactive / Reactive

  5. Good must win!

  6. May the force be with you • What we really need: a move from SoC (Security Operation Center) to SiC (Security Intelligence Center)

  7. The Answer? Be bad: poison the honey

  8. Honeypots • "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource" (KYE, Know Your Enemy) • "A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems." (Wiki) • "A honeypot is a system that, through lots of logs, lets us predict attacker actions, analyze malware or perform attacks...!" (The speaker)

  9. Types of Honeypots • Low-interaction • Emulates services, applications and OSs • Low risk and easy to deploy/maintain • But captures limited information: attackers' activities are contained to what the emulated systems allow • High-interaction • Real services, applications and OSs • Captures extensive information, but high risk and time-intensive to maintain • Can capture new, unknown or unexpected behavior

  10. Uses of Honeypots • Preventing attacks • Automated attacks (e.g. worms) • "Sticky honeypots" monitor unused IP space and slow down the attacker when probed • Human attacks • Confuse the attackers, making them waste their time and resources • Detecting attacks • Traditional IDSs generate too many logs, with a large percentage of false positives and false negatives • Traditional IDSs may be ineffective in IPv6 or encrypted environments • Honeypots generate little data and reduce both false positives and false negatives

  11. Uses of Honeypots • Responding to attacks • Responding to a failure/attack requires in-depth information about the attacker • If a production system is hacked (e.g. a mail server) it can't be brought offline for analysis • Honeypots can easily be brought offline for analysis, while production systems cannot • Research purposes • Research honeypots collect information on threats • Attacking purposes • Simulating a legal service for legal users

  12. Data Control • Mitigate the risk of the honeynet being used to harm non-honeynet systems • Tradeoff: we need to give the attacker freedom in order to learn about him; more freedom means a greater risk that the system will be compromised • Some controlling mechanisms • Restrict outbound connections (e.g. limit to 1) • IDS (Snort-Inline) • Bandwidth throttling

  13. No Data Control vs. Data Control (diagram)

  14. Honeypot Theory Control & Capture

  15. Data Capture • Capture all activity at a variety of levels: network activity, application activity, system activity • Issues • No captured data should be stored locally on the honeypot • No data pollution should contaminate the captured data • Admin should be able to remotely view honeynet activity in real time • Must use a unified time zone

  16. Data Control (same content as slide 12)

  17. How It Works • A highly controlled network where every packet entering or leaving is monitored, captured and analyzed • Should satisfy two critical requirements: • Data Control: defines how activity is contained within the honeynet, without the attacker knowing it • Data Capture: logging all of the attacker's activity without the attacker knowing it • Data control has priority over data capture
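The outbound-connection limit and IDS hand-off listed under Data Control (slide 12) and the "contain without the attacker knowing it" requirement of slide 17, as an added iptables example; this is not the Honeywall's own rc.firewall. It assumes a gateway that forwards the honeypots' traffic, an interface name and honeynet range passed as arguments, and it prints the rules by default (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example (not Honeywall code): data-control rules for a honeynet gateway.
# Inbound traffic to the honeypots is accepted (they are bait); NEW outbound
# connections from the honeynet are rate-limited per protocol and the excess is
# logged and dropped, so a compromised honeypot cannot be used against others.
IPT="${IPT:-echo iptables}"          # dry-run by default; IPT=iptables applies
OUT_TARGET="${OUT_TARGET:-ACCEPT}"   # set to QUEUE to hand outbound to snort-inline

# data_control_rules HONEYNET_IFACE HONEYNET_CIDR LIMIT_PER_HOUR
data_control_rules() {
    hp_if="$1"; hp_net="$2"; limit="$3"
    [ "$limit" -ge 1 ] 2>/dev/null || { echo "limit must be a positive integer" >&2; return 1; }

    # Fail closed: nothing crosses the gateway unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Replies belonging to connections the attacker opened always pass, so the
    # containment is invisible to him (slide 17 requirement).
    $IPT -A FORWARD -i "$hp_if" -s "$hp_net" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything arriving from outside toward the honeypots is allowed in.
    $IPT -A FORWARD ! -i "$hp_if" -d "$hp_net" -j ACCEPT
    # Outbound NEW connections: LIMIT per hour per protocol for the whole honeynet
    # (the slide's "limit to 1" is LIMIT=1). Allowed ones go to OUT_TARGET.
    for proto in tcp udp icmp; do
        $IPT -A FORWARD -i "$hp_if" -s "$hp_net" -p "$proto" -m state --state NEW \
             -m limit --limit "${limit}/hour" --limit-burst "$limit" -j "$OUT_TARGET"
    done
    # Everything above the limit is logged (this log is itself capture data) and dropped.
    $IPT -A FORWARD -i "$hp_if" -s "$hp_net" -m state --state NEW \
         -j LOG --log-prefix "HONEYNET-OUTBOUND-DROP: "
    $IPT -A FORWARD -i "$hp_if" -s "$hp_net" -m state --state NEW -j DROP
}
```

Bandwidth throttling (the third mechanism on slide 12) is not an iptables job; it would be added with tc on the same interface.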

  18. Types of Deployments • Gen-I (1999): • served as a proof of concept and was very simple to deploy • basic mechanisms for fulfilling data control and capture requirements • Data Control through a reverse firewall • Data Collection through IDS

  19. Types of Deployments • Gen-II (2002): • improved a lot of honeypot features, providing a high level of interaction with the malicious user • Data Control: the reverse firewall is replaced with a honeywall • Data Collection using different techniques

  20. Do The Right!

  21. Control, Capture, Analysis & Act • Control • Honeywall/IPTables • Capture • User-Mode Linux (UML) • Honeyd • Analysis • PicViz • Hflow2 • Act • Honeysnap • Honeysink • Nebula/Honeycomb

  22. Capture: User-Mode Linux (UML) • Open-source virtualization solution • Limited to Linux only • Sandbox • Self-contained virtual honeypot • Can be used with an image of an existing filesystem • Needs a tool to capture traffic (e.g. Snort, system logs)

  23. Capture: User-Mode Linux (UML) (screenshots: booting, halting)

  24. Capture: Honeyd • Open-source low-interaction honeypot • One of the active projects • Simulates a wide range of systems and services: • Reads the Nmap OS fingerprint format: /usr/share/nmap/nmap-os-db, /usr/share/honeyd/nmap.print • Emulates multi-vendor services: /usr/share/honeyd/scripts/ • Let's configure...

  25. Capture: generator.sh • generator.sh is part of the Ohoneynet project • Simple tool to create a low-interaction honeynet (up to 254 nodes) in seconds • Distributed under an open-source license
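What a generator like the one on slide 25 has to produce is a honeyd configuration of the kind slide 24 leads into: templates with an Nmap personality and emulated services, bound to one address per node. The script below is an added example, not the Ohoneynet generator.sh; it assumes the two personality strings exist in the fingerprint file the slide points at and that the named service scripts exist under /usr/share/honeyd/scripts/.

```shell
#!/bin/sh
# Added example (not Ohoneynet's generator.sh): emit a honeyd.conf for COUNT
# low-interaction nodes in one /24, alternating two templates. Personality
# strings and script names are assumptions; replace them with entries from your
# nmap fingerprint file and your scripts directory.
SCRIPTS=/usr/share/honeyd/scripts

# emit_template NAME PERSONALITY [PORT SCRIPT]...  -> template definition on stdout
emit_template() {
    name="$1"; personality="$2"; shift 2
    echo "create $name"
    echo "set $name personality \"$personality\""
    echo "set $name default tcp action reset"   # closed ports answer RST like a real host
    echo "set $name default udp action reset"
    echo "set $name default icmp action open"
    while [ $# -ge 2 ]; do
        # honeyd substitutes $ipsrc/$sport/$ipdst/$dport when it starts the script
        echo "add $name tcp port $1 \"sh $SCRIPTS/$2 \$ipsrc \$sport \$ipdst \$dport\""
        shift 2
    done
}

# gen_honeyd_conf NET_PREFIX FIRST_HOST COUNT -> full honeyd.conf on stdout
# e.g. gen_honeyd_conf 10.0.0 10 5 binds 10.0.0.10 .. 10.0.0.14
gen_honeyd_conf() {
    prefix="$1"; first="$2"; count="$3"
    [ "$count" -ge 1 ] 2>/dev/null && [ "$count" -le 254 ] || {
        echo "count must be 1..254" >&2; return 1; }
    emit_template linuxweb "Linux 2.4.20" 22 test.sh 80 web.sh
    emit_template winmail "Microsoft Windows XP Professional SP1" 25 smtp.sh 110 pop3.sh
    i=0
    while [ "$i" -lt "$count" ]; do
        host=$((first + i))
        [ "$host" -le 254 ] || { echo "address range leaves the /24" >&2; return 1; }
        if [ $((i % 2)) -eq 0 ]; then tmpl=linuxweb; else tmpl=winmail; fi
        echo "bind $prefix.$host $tmpl"
        i=$((i + 1))
    done
}
```

Run it as gen_honeyd_conf 10.0.0 10 5 > honeyd.conf and start honeyd with that file on the interface facing the unused address space.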

  26. Analysis

  27. Logs...Logs...Logs • Info Sec = logs • Need a way to visualize logs instead of analyzing raw logs • Logs have dimensions...? Answer: parallel coordinates (diagram: 4D, 5D and 6D examples)

  28. Analysis: PicViz • The simplest visualization method • No need for excessive data processing • Only need to know PGDL (PicViz Graphic Description Language): sudo pcv -Tpngcairo apache.log -r -a -o apache.png • Let's check it...

  29. The web server is being used all the time; no difference between daytime and nighttime • Only two protocols are being used (HTTP/1.1 and HTTP/1.0) • Six request types were used. While GET is the main one, there are other interesting requests that we could investigate • One request type (actually GET) fully covers the URL axis while the other request types seem to cover only a subset

  30. Act: Honeycomb • Automated IDS signature generator • Plugin integrates with Honeyd • Signatures are generated in /tmp/honeycomb.log • Let's generate...

  31. Wrapping Up • SoC is a good idea but we need intelligence for fast response • Being a good guy doesn't mean you don't think badly • Honeypots are a good technique but need good care

  32. Ohoneynet • Project sponsored by Lognitive.com • Creates a honeypot framework • The framework offers Control, Capture & Analysis • Finally, with a user-friendly GUI

  33. Ahmed A. Selim ahmed.s3lim@gmail.com Ohoneynet Project Lognitive.net
