A Proposal for Securing a Large-Scale High-Interaction Honeypot


SLIDE 1

Honeypots architecture Security Properties Statistical results Conclusion

A Proposal for Securing a Large-Scale High-Interaction Honeypot

J. Briffaut, J.-F. Lalande, C. Toinard

LIFO Université d’Orléans ENSI de Bourges

SHPCS’08, June 2008

Securing a Large-Scale High-Interaction Honeypot 1/19

SLIDE 2

Outline

1. Honeypots architecture
2. Security Properties
3. Statistical results
4. Conclusion

SLIDE 4

Honeypots

Honeypot: a system set up to welcome an intruder or system cracker.

• Low-interaction (e.g. Leurré.com): simulation of an OS and its services; only a partial capture of the attack.
• High-interaction: a real operating system; the attacks are really performed.

A large-scale honeypot is a honeynet: many honeypots run and monitored together.

SLIDE 5

1/4: Internet → Honeywall

• Directly connected to the Internet
• Limitation of the bandwidth
• Frontal sensors analyze the network traffic

SLIDE 6

2/4: Honeywall → Honeypot cluster

Real Linux/Windows operating systems, in two classes of hosts:

• Mandatory Access Control hosts (SELinux / grsecurity): enforce the security properties; never compromised.
• Discretionary Access Control hosts: could be compromised; automatic reinstallation through PXE.

SLIDE 7

3/4: Honeypot cluster → Traces storage

• OSSIM: stores the events from the OSSIM agents in a MySQL server
• Prelude: aggregates the information collected from the Prelude agents
• Syslog (logger): stores all the syslog traces

SLIDE 8

4/4: Traces storage → Correlation

• Correlation algorithms run over the stored traces
• Alarms are visualized

SLIDE 10

Security Properties

• Integrity of executable contexts: integrity(SC.∗:.∗:user.∗, SCexec)
• Integrity of the user domain: int_domain(SC.∗:.∗:user.∗)
• Confidentiality System/User: confidentiality(SCSysteme, sc.∗:.∗:user.∗)
• Separation of duties (modification and execution privileges): duties_sep(SCSysteme)
• Transition into the user domain: bad_transition(.∗ : .∗ : user.∗, SCSysteme)
• Respect of the access control policy: conformity()
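As an added illustration, not the authors' PIGA implementation (whose exact semantics the slides do not give), the checker below evaluates four of these properties over a small interaction graph. The interactions, the SELinux-style context names, the regexes standing in for SCSysteme and SCexec, and the reading of each property (integrity and confidentiality as transitive information flows through read/write operations, duties_sep as one context both writing and executing the same object, bad_transition as a process transition from the user domain into a system context) are all assumptions made for this example.

```python
"""Check security properties over an SELinux-style interaction graph (added example)."""
import re
from collections import defaultdict, deque

# Constructed sample, not data from the paper: (subject context, operation, target context).
# Contexts use the SELinux "user:role:type" form.
SAMPLE_INTERACTIONS = [
    ("user_u:user_r:user_t",       "write",      "system_u:object_r:tmp_t"),
    ("system_u:system_r:cron_t",   "read",       "system_u:object_r:tmp_t"),
    ("system_u:system_r:cron_t",   "write",      "system_u:object_r:bin_t"),
    ("system_u:system_r:sshd_t",   "read",       "system_u:object_r:shadow_t"),
    ("system_u:system_r:sshd_t",   "write",      "system_u:object_r:tmp_t"),
    ("user_u:user_r:user_t",       "read",       "system_u:object_r:tmp_t"),
    ("system_u:system_r:sshd_t",   "transition", "user_u:user_r:user_t"),
    ("system_u:system_r:httpd_t",  "write",      "system_u:object_r:httpd_script_t"),
    ("system_u:system_r:httpd_t",  "execute",    "system_u:object_r:httpd_script_t"),
    ("user_u:user_r:user_t",       "transition", "system_u:system_r:sshd_t"),
]

# Context sets from slide 10 as whole-context regexes. SCSysteme and SCexec are not
# defined on the slides; "system_u:*" and executables labelled bin_t are assumptions.
USER_CTX = r".*:.*:user.*"
SYSTEM_CTX = r"system_u:.*"
EXEC_CTX = r".*:object_r:bin_t"


def matches(pattern, ctx):
    return re.fullmatch(pattern, ctx) is not None


def flow_graph(interactions):
    """Information-flow edges: a write moves data subject->object, a read moves it object->subject."""
    graph = defaultdict(set)
    for src, op, dst in interactions:
        if op == "write":
            graph[src].add(dst)
        elif op == "read":
            graph[dst].add(src)
    return graph


def flow_path(interactions, from_pat, to_pat):
    """Shortest chain of flows from a subject matching from_pat to a context matching to_pat.

    Returns the path as a list of contexts, or None when no such flow exists (property holds).
    Starting from subjects only keeps the question about what a process of that domain can do.
    """
    graph = flow_graph(interactions)
    starts = []
    for src, _, _ in interactions:
        if matches(from_pat, src) and src not in starts:
            starts.append(src)
    prev = {s: None for s in starts}
    queue = deque(starts)
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph.get(cur, ())):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if matches(to_pat, nxt):
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def integrity(interactions, src_pat=USER_CTX, sink_pat=EXEC_CTX):
    """integrity(SC.*:.*:user.*, SCexec): no flow, direct or indirect, from the user domain into executables."""
    return flow_path(interactions, src_pat, sink_pat)


def confidentiality(interactions, src_pat=SYSTEM_CTX, sink_pat=USER_CTX):
    """confidentiality(SCSysteme, SC.*:.*:user.*): no flow from system contexts into the user domain."""
    return flow_path(interactions, src_pat, sink_pat)


def duties_sep(interactions, pat=SYSTEM_CTX):
    """duties_sep(SCSysteme): a system context must not both modify and execute the same object."""
    writes = {(s, d) for s, op, d in interactions if op == "write" and matches(pat, s)}
    execs = {(s, d) for s, op, d in interactions if op == "execute" and matches(pat, s)}
    return sorted(writes & execs)


def bad_transition(interactions, src_pat=USER_CTX, dst_pat=SYSTEM_CTX):
    """bad_transition: process transitions from the user domain into a system context (direction assumed)."""
    return sorted((s, d) for s, op, d in interactions
                  if op == "transition" and matches(src_pat, s) and matches(dst_pat, d))


def check_all(interactions):
    return {"integrity": integrity(interactions),
            "confidentiality": confidentiality(interactions),
            "duties_sep": duties_sep(interactions),
            "bad_transition": bad_transition(interactions)}


if __name__ == "__main__":
    for name, result in check_all(SAMPLE_INTERACTIONS).items():
        print(f"{name:16s} {'VIOLATION' if result else 'ok':9s} {result or ''}")
```

Run stand-alone, it prints one line per property with the offending path or pair; a None or empty result means the property holds on that graph. The integrity result is the one worth noticing: no user context writes to bin_t directly, the violation only appears once flows are composed through tmp_t and cron_t, which is why a property checker over the whole interaction graph catches what a rule on each single access would miss.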

SLIDE 11

Security Properties Analysis

                             Passerelle      Util-1      VMware     Util-2
Graph      SC                       577       3 017         624        595
           IV                    17 684     314 582      21 359     18 215
Signature  integrity                137       9 461         186        140
           int_domain            16 283     510 215      18 130     16 546
           confidentiality       29 510     726 842      29 510     29 510
           duties_sep               243      16 405         320        270
           bad_transition         3 555     126 228       4 250      3 941
           Total                 49 728   1 389 151      52 396     50 407
Analysis time                      47 s  10 min 31 s   1 min 2 s       52 s

Table: size of the security-context graph (SC, IV), number of signatures generated per property, and analysis time for each of the four analysed hosts.

SLIDE 13

Main results

Experimentation from February 27th 2007 to February 21st 2008:

• 8,206,382 events / 302,543 alarms stored, i.e. 950 events/hour and 35 alarms/hour
• 45,590 sessions opened by scan robots
• 2,219 sessions performing activities

Sensor        Description                              Occurrences
Prelude-lml   SSHd: Root login refused                     498,468
Snort         Destination UDP port not reachable           452,011
Prelude-lml   SSHd: Bad password                            49,329
OSSIM         SSHd: Possible brute force attempt            43,989
Prelude-lml   SSHd: Invalid user                            43,311
PIGA          Integrity: system file modification           41,063
Prelude-lml   FTP bad login                                 21,366
Snort         Potential outbound SSH scan                   19,983
PIGA          Confidentiality: information flow             16,191
...

Table: Main types of alarms
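Added example, not the project's own sensor or correlation code: a minimal version of the two stages behind the alarm table above. Constructed sshd syslog lines are matched against per-line signature rules in the style of a log-monitoring sensor, which yields the "SSHd: Root login refused", "Bad password" and "Invalid user" alarm types of the table, and a correlation rule turns repeated bad passwords from one source into the "Possible brute force attempt" type. The log lines, the rule regexes, the failure threshold and the time window are all constructed for this example.

```python
"""Signature classification of sshd syslog lines plus a brute-force correlation rule (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines in BSD syslog format; not from the paper's traces.
SAMPLE_SYSLOG = """\
Feb 27 10:00:01 honey-01 sshd[2201]: Invalid user oracle from 198.51.100.7
Feb 27 10:00:02 honey-01 sshd[2201]: Failed password for invalid user oracle from 198.51.100.7 port 40122 ssh2
Feb 27 10:00:04 honey-01 sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Feb 27 10:00:05 honey-01 sshd[2205]: Failed password for root from 198.51.100.7 port 40131 ssh2
Feb 27 10:00:06 honey-01 sshd[2207]: Failed password for root from 198.51.100.7 port 40132 ssh2
Feb 27 10:00:07 honey-01 sshd[2209]: Failed password for root from 198.51.100.7 port 40133 ssh2
Feb 27 10:00:09 honey-01 sshd[2211]: ROOT LOGIN REFUSED FROM 198.51.100.7
Feb 27 10:30:00 honey-01 sshd[2300]: Failed password for admin from 203.0.113.9 port 51000 ssh2
Feb 27 10:31:00 honey-01 sshd[2302]: Accepted password for admin from 203.0.113.9 port 51002 ssh2
"""

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")

# Signature rules (ours, written for this example) producing the alarm names of the table.
# The first matching rule wins, so the more specific patterns come first.
RULES = [
    ("SSHd: Root login refused", re.compile(r"^ROOT LOGIN REFUSED FROM (?P<src>\S+)")),
    ("SSHd: Invalid user",       re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("SSHd: Bad password",       re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
]

BRUTE_FORCE_THRESHOLD = 4                    # this many bad passwords from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... inside this window raise one alarm (assumed values)


def parse_syslog(text, year=2007):
    """Split raw syslog text into records; BSD syslog carries no year, so one is supplied."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue   # malformed line: skip it rather than crash the sensor
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        records.append({"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return records


def classify(records):
    """Stage 1 (per-line signatures): turn sshd messages into named alarms."""
    alarms = []
    for rec in records:
        if rec["prog"] != "sshd":
            continue
        for name, pattern in RULES:
            m = pattern.match(rec["msg"])
            if m:
                alarms.append({"ts": rec["ts"], "host": rec["host"], "alarm": name,
                               "src": m["src"], "user": m.groupdict().get("user")})
                break
    return alarms


def correlate(alarms):
    """Stage 2 (correlation): N 'Bad password' alarms from one source inside the window."""
    failures = defaultdict(list)
    out = []
    for a in alarms:
        if a["alarm"] != "SSHd: Bad password":
            continue
        window = failures[a["src"]]
        window.append(a["ts"])
        while a["ts"] - window[0] > BRUTE_FORCE_WINDOW:   # expire failures older than the window
            window.pop(0)
        if len(window) >= BRUTE_FORCE_THRESHOLD:
            out.append({"ts": a["ts"], "alarm": "SSHd: Possible brute force attempt",
                        "src": a["src"], "failures": len(window)})
            window.clear()                                 # one alarm per burst, then start counting again
    return out


def summarize(alarms):
    """Occurrences per alarm type, the shape of the table above."""
    return Counter(a["alarm"] for a in alarms)


def analyse(text):
    alarms = classify(parse_syslog(text))
    alarms += correlate(alarms)
    return summarize(alarms), alarms


if __name__ == "__main__":
    counts, _ = analyse(SAMPLE_SYSLOG)
    for name, n in counts.most_common():
        print(f"{n:4d}  {name}")
```

The two stages map onto the architecture: stage 1 is what a host-side agent does before forwarding to the traces storage, stage 2 is what the correlation step does over the stored alarms. Note that the successful "Accepted password" line produces no alarm, and that the single failure from 203.0.113.9 never crosses the threshold, so the brute-force alarm is raised only for the burst from 198.51.100.7.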

SLIDE 14

Sensors and port statistics I

SLIDE 15

Sensors and port statistics II

SLIDE 16

Alerts per country - Incoming/outgoing I

SLIDE 17

Alerts per country - Incoming/outgoing II

SLIDE 19

Conclusion/Perspectives

Conclusion

• Now: an uptime of 2 years
• Robustness of the proposed architecture: no reinstallation of the MAC hosts, frequent PXE reinstallation of the DAC hosts

Perspectives

• Correlation: session reconstruction, distributed attacks
• Automatic forensics of compromised hosts
• Malware and attacks database
