HoneySpider Network 2.0 detecting client-side attacks the easy way - - PowerPoint PPT Presentation



SLIDE 1

HoneySpider Network 2.0

detecting client-side attacks the easy way

Paweł Pawliński

CERT Polska / NASK

24th Annual FIRST Conference, 21 June 2012

Paweł Pawliński (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 1 / 23

SLIDE 2

Outline

1. Introduction
2. Architecture
3. Services
4. Demonstration
5. Future plans

SLIDE 3

Introduction

SLIDE 4

Introduction

Origins of HSN 2.0

• Joint project
  • CERT Polska
  • NCSC-NL (GOVCERT.NL)
• Started in 2011
• Successor to HoneySpider Network version 1.x
  • used in production by CERTs
  • we gained experience in scanning web pages automatically

SLIDE 5

Introduction

Project goals

• Detect attacks on client applications
  • web pages
  • files
• Apply multiple analyses
  • PDF, SWF, JavaScript, ...
  • low and high interaction honeypots
• Configurable (processing details)
• Scalable (crawling)
• Open architecture

SLIDE 6

Introduction

Project goals

[Same slide as slide 5, overlaid with the label "version 1"]

SLIDE 7

Architecture

SLIDE 8

Architecture: Overview

HSN: 1.x vs 2.0

[Figure: side-by-side comparison of the 1.x and 2.0 architectures; labels on the figure: Framework, 1.x, 2.0]

SLIDE 9

Architecture: Overview

Architecture overview

[Figure: architecture diagram. Operational layer: Framework, Monitoring, Job, Job, Job, Job. Reporting layer: Web GUI, Alerts, CLI, Report DB. An arrow labelled "export" connects the operational layer to the reporting layer.]

SLIDE 10

Architecture: Overview

Technical foundations

• Network communication
  • Advanced Message Queueing Protocol
  • Google Protocol Buffers
• Storage
  • CouchDB
  • JSON documents
  • Operational data + flexible mapping → persistent reports
• Programming languages
  • Java
  • Python
  • (C++)

SLIDE 11

Architecture: Configurability

Sample workflow

[Figure (built up over slides 11-13): flowchart. Job start → decision node "parameter A = "some value"?" → yes: accepted, no: rejected → ...]

SLIDE 14

Services

SLIDE 15

Services: Implemented services

Web client emulators

• HtmlUnit-based custom browser emulator
  • implemented in Java
  • uses Rhino engine
  • complete control over all behaviors (requests, redirects, frames)
  • link extraction
• Thug (low interaction honeypot)
  • implemented in Python
  • uses V8 engine
  • less control
  • detects common attacks

These are not crawlers!

SLIDE 16

Services: Implemented services

Analyzers

• Static JavaScript analyzer
  • port from version 1
  • n-grams + Bayes classifier
• SWF analyzer (NASK)
• Shellcode detection (scdbg)
• Cuckoo Sandbox
• Capture-HPC
  • high-interaction honeypot used in HSN 1.x
  • new features and stability fixes
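As an added illustration of the "n-grams + Bayes classifier" approach the slide names for the static JavaScript analyzer (this is not HSN 2.0's own code, and its features and training data are not the project's), a minimal character-trigram multinomial naive Bayes classifier trained on a few constructed, harmless snippets:

```python
"""Toy static JavaScript analyzer: character n-grams + naive Bayes. Added
illustration, not HSN 2.0 code; training snippets are constructed and harmless."""
import math
import re
from collections import Counter

def ngrams(source: str, n: int = 3) -> Counter:
    """Count overlapping character n-grams, whitespace collapsed to one space."""
    text = re.sub(r"\s+", " ", source)
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))

class NgramBayes:
    """Multinomial naive Bayes over n-gram counts with Laplace smoothing."""
    def __init__(self, n: int = 3):
        self.n = n
        self.counts = {}       # label -> Counter of n-gram frequencies
        self.docs = Counter()  # label -> number of training snippets
        self.vocab = set()

    def train(self, source: str, label: str) -> None:
        grams = ngrams(source, self.n)
        self.counts.setdefault(label, Counter()).update(grams)
        self.docs[label] += 1
        self.vocab.update(grams)

    def log_posteriors(self, source: str) -> dict:
        """Unnormalised log P(label | n-grams) for every trained label."""
        grams = ngrams(source, self.n)
        total = sum(self.docs.values())
        scores = {}
        for label, cnt in self.counts.items():
            denom = sum(cnt.values()) + len(self.vocab)  # Laplace smoothing
            lp = math.log(self.docs[label] / total)       # class prior
            for g, k in grams.items():
                lp += k * math.log((cnt[g] + 1) / denom)
            scores[label] = lp
        return scores

    def classify(self, source: str) -> str:
        scores = self.log_posteriors(source)
        return max(scores, key=scores.get)

def build_classifier() -> NgramBayes:
    """Train on constructed samples: plain DOM code vs. eval/unescape obfuscation."""
    clf = NgramBayes()
    clf.train("function show(id) { var el = document.getElementById(id); el.style.display = 'block'; }", "benign")
    clf.train("document.addEventListener('DOMContentLoaded', function () { show('menu'); });", "benign")
    clf.train("var s = unescape('%61%6c%65%72%74%28%31%29'); eval(s);", "suspicious")
    clf.train("eval(String.fromCharCode(97,108,101,114,116,40,50,41));", "suspicious")
    return clf
```

A production analyzer would train on a large labelled corpus and would typically combine such a score with other signals rather than alert on it alone.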

SLIDE 17

Services: Implemented services

Utilities

• Feeder
  • file with URLs
  • search engine results
  • ...
• URL normalizer
• Reporter (persistent data)

SLIDE 18

Services: Razorback integration

Razorback: short introduction

• Modular IDS
• Data acquisition decoupled from offline analyses
• Dispatcher: routes data
• Nuggets (services)
  • collection (Snort, SMTP, ...)
  • analyzers
  • enrichment (DNS, ...)
• SQL database
• GUI

SLIDE 20

Services: Razorback integration

Razorback analyzers

• Universal Razorback-to-HSN 2.0 adapter
• Only recompilation required, no changes to source code
• Tested nuggets:
  • swfScanner
  • pdfFox
  • clamavNugget
  • officeCat
  • virusTotal
  • archiveInflate

SLIDE 21

Services: Extensibility

Extensibility

• Open communication protocol
• Well-defined data contract for each service
• Open technologies: AMQP, protobuf, REST, JSON
• Libraries provided for Java and Python

SLIDE 22

Demonstration

SLIDE 23

Demonstration

Demonstration

. . .

SLIDE 24

Future plans

SLIDE 25

Future plans

Current state of HSN 2.0

• All essential components implemented
  • framework
  • storage
  • web client
• Growing set of analyzers
• Functional web interface
• More tests and stabilization needed

SLIDE 26

Future plans

Future plans

• Release as open source (soon!)
• Improve management of the whole system
• More analyzers
  • integrate existing tools
  • analysis of sandbox data
  • alternative web clients (high-interactive?)
  • looking for more ideas!

SLIDE 27

Thank you for your attention. Questions?