INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS - - PowerPoint PPT Presentation



slide-1
SLIDE 1

INTELLIGENT HONEYNET

ACTIONABLE INFORMATION FROM HONEYPOTS

slide-2
SLIDE 2

JOSH PYORRE

Security Researcher, @joshpyorre

Threat Analyst at NASA

Threat Analyst at Mandiant

INTELLIGENT HONEYNET

ACTIONABLE INFORMATION FROM HONEYPOTS

slide-3
SLIDE 3

HONEYPOTS CURRENTLY IN USE

  • SSH: COWRIE
  • MALWARE: DIONAEA
  • GAS TANKS: GASPOT
  • SCADA: CONPOT

slide-4
SLIDE 4-9

SSH

Cowrie (a fork of Kippo)

  • Writes two log files: cowrie.json and cowrie.log
  • Creates session files: tty session replay files
  • An IPTABLES rule sends port 22 to Cowrie; admin access changes to port 2223

slide-10
SLIDE 10

Video or Demo of replaying an ssh logfile

slide-11
SLIDE 11-13

DIONAEA

Catches malware

  • Writes to a sqlite db
  • Saves malware in a folder called ‘bistreams’

slide-14
SLIDE 14

DIONAEA

Video of what the database looks like

slide-15
SLIDE 15

CONPOT SCADA HoneyPot

Imitates industrial control systems

slide-16
SLIDE 16

GASPOT

Imitates sensors that control gas tanks

slide-17
SLIDE 17

OPEN PORTS ON THE HONEYPOTS

slide-18
SLIDE 18

OBSTACLES

  • Installation is a pain
  • They’re all different
  • Dionaea doesn’t like Ubuntu after 12.04
slide-19
SLIDE 19

CURRENT HONEYPOT NETWORKS

What has inspired me…

slide-20
SLIDE 20

CURRENT HONEYPOT NETWORKS

Modern Honey Network is a great implementation of a well-organized honeypot installation system

slide-21
SLIDE 21

CURRENT HONEYPOT NETWORKS

It provides statistics and easy installation options for various honeypots

slide-22
SLIDE 22

THEY HAVE MAPS!

slide-23
SLIDE 23

THEY HAVE MAPS!

MOSTLY USELESS

Maps are cool if you’re a pilot

slide-24
SLIDE 24

BUT WE WANT MORE

slide-25
SLIDE 25

WE WANT TO BE LIKE THIS GUY

To be like this guy

I’m already this guy

Note: This is Josh, the author of this presentation.

Brian Krebs

  • He gets close to the attacker source.
  • He is often the source of information for us.
slide-26
SLIDE 26

…OR LIKE THIS CHARACTER

From the show, Mr Robot. Watch it!

slide-27
SLIDE 27

TO KNOW HOW THEY THINK…

slide-28
SLIDE 28

BUT WE HAVE SOME PROBLEMS

slide-29
SLIDE 29

WE WORK IN THE PAST

slide-30
SLIDE 30

WE GET REPORTS FROM THE GOVERNMENT

And they are often late and full of mistakes

slide-31
SLIDE 31

WE GET REPORTS FROM COMPANIES

This one was ok, but outdated when it was released

slide-32
SLIDE 32

WE GET REPORTS FROM COMPANIES

Also fine, but outdated

slide-33
SLIDE 33

WE GET REPORTS FROM COMPANIES

That is actually just marketing :(

slide-34
SLIDE 34

WE GET REPORTS FROM NEWS

Outdated, inaccurate

slide-35
SLIDE 35

WE GET REPORTS FROM OTHER PLACES TOO

Better, but usually outdated

slide-36
SLIDE 36

WHAT WE WANT IS

slide-37
SLIDE 37

ACTIONABLE INTELLIGENCE

Predicting the future a little bit

slide-38
SLIDE 38

MANAGEMENT ISSUES

The data is available on all your honeypots

slide-39
SLIDE 39

MANAGEMENT ISSUES

The data is available on all your honeypots All over the world

slide-40
SLIDE 40

MANAGEMENT ISSUES

The data is available on all your honeypots All over the world In all your log files and databases

slide-41
SLIDE 41

MANAGEMENT ISSUES

The data is available on all your honeypots All over the world In all your log files and databases And the malware is there too

slide-42
SLIDE 42

MANAGEMENT ISSUES

The data is available on all your honeypots All over the world In all your log files and databases And the malware is there too

Just SCP everything and then analyze it

?!?

slide-43
SLIDE 43

CHANGING THE WAY IT WORKS

slide-44
SLIDE 44

GOALS

  • Easy Installation
  • Secure communication
  • Automatic & Central Analysis
slide-45
SLIDE 45

THE STRUCTURE

slide-46
SLIDE 46-55

Honeypots all over the place

  • analysis scripts: minimal analysis scripts on the honeypot servers
  • logstash: Logstash processing log files
  • stunnel: stunnel listening to send data securely to the server
  • stunnel: stunnel on the server listening for data
  • redis: Redis acts as a data broker
  • logstash: Logstash further processing files and logs
  • analysis scripts: analysis scripts (python) doing stuff
  • elasticsearch / mongodb: data is sent to elasticsearch or mongodb
  • Kibana / Flask: Kibana for the dashboard, Flask for the intelligence display

slide-56
SLIDE 56

EASY INSTALLATION

One Shell script

slide-57
SLIDE 57

CLIENT INSTALLATION

One Shell script

slide-58
SLIDE 58

CLIENT SCRIPTS

Gets the sha256 hash for any malware samples and writes the information to a file for Logstash.

Reads tty files from the ssh honeypot and saves the output to normal text files for Logstash.
slide-59
SLIDE 59

Runs on the client, plays the ssh log files and saves to text for processing
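The two client-side steps just described (hash captured samples, flatten tty session files to text for Logstash), as an added example that is mine and not the IntelligentHoneyNet client scripts. The tty record layout (a `<iLiiLL` header of op, tty, length, direction, sec, usec followed by the payload) is how I recall the Kippo/Cowrie ttylog format and is an assumption to check against cowrie's ttylog.py; `make_tty_log` exists only to build a constructed sample, and all function names are mine.

```python
"""Client-side helpers, added example (not IntelligentHoneyNet's own client scripts):
hash captured samples and flatten Cowrie tty session files into JSON lines that
Logstash can ship. Standard library only."""
import hashlib
import json
import os
import struct
import tempfile

# Record layout of the Kippo/Cowrie ttylog format as I recall it (assumption, check
# against cowrie's ttylog.py): a little-endian header <iLiiLL> = op, tty, length,
# direction, sec, usec, followed by `length` bytes of payload for OP_WRITE records.
TTY_HEADER = struct.Struct("<iLiiLL")
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4
DIR_INPUT, DIR_OUTPUT = 1, 2


def hash_samples(sample_dir):
    """One record per file in sample_dir (the capture folder on a real client)."""
    records = []
    for name in sorted(os.listdir(sample_dir)):
        path = os.path.join(sample_dir, name)
        if not os.path.isfile(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):  # stream; samples can be big
                digest.update(chunk)
        records.append({"type": "malware_sample", "file": name,
                        "size": os.path.getsize(path), "sha256": digest.hexdigest()})
    return records


def make_tty_log(path, turns):
    """Write a tty log in the layout above from (stamp, direction, text) turns. Only
    used here to build a constructed sample; on a honeypot Cowrie writes these files."""
    with open(path, "wb") as fh:
        for stamp, direction, text in turns:
            payload = text.encode("utf-8")
            sec, usec = int(stamp), int(1000000 * (stamp - int(stamp)))
            fh.write(TTY_HEADER.pack(OP_WRITE, 0, len(payload), direction, sec, usec))
            fh.write(payload)


def replay_tty_to_text(path):
    """Walk the records and return the session as a list of input/output turns, so the
    attacker's typed commands become plain text a log pipeline can index."""
    with open(path, "rb") as fh:
        data = fh.read()
    turns, offset = [], 0
    while offset + TTY_HEADER.size <= len(data):
        op, _tty, length, direction, sec, usec = TTY_HEADER.unpack_from(data, offset)
        offset += TTY_HEADER.size
        if op != OP_WRITE:
            continue  # OPEN/CLOSE/EXEC carry no payload in this layout
        payload = data[offset:offset + length]
        offset += length
        turns.append({"ts": sec + usec / 1e6,
                      "direction": "input" if direction == DIR_INPUT else "output",
                      "text": payload.decode("utf-8", "replace")})
    return turns


def write_jsonl(records, path):
    """Append records as one JSON object per line, the shape Logstash's json codec reads."""
    with open(path, "a") as fh:
        for rec in records:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")
    return len(records)


def demo():
    """Build constructed inputs in a temp dir and run both steps end to end."""
    work = tempfile.mkdtemp()
    binaries = os.path.join(work, "binaries")
    os.makedirs(binaries)
    with open(os.path.join(binaries, "sample1.bin"), "wb") as fh:
        fh.write(b"hello")  # constructed stand-in for a captured binary
    tty_path = os.path.join(work, "tty-session.log")
    make_tty_log(tty_path, [(1.0, DIR_OUTPUT, "$ "), (1.5, DIR_INPUT, "uname -a\n"),
                            (2.0, DIR_OUTPUT, "Linux honeypot 3.13.0\n")])
    samples = hash_samples(binaries)
    session = replay_tty_to_text(tty_path)
    out = os.path.join(work, "for_logstash.json")
    written = write_jsonl(samples, out) + write_jsonl(
        [dict(t, type="ssh_session", file="tty-session.log") for t in session], out)
    return {"samples": samples, "session": session, "written": written}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash is computed in chunks rather than by reading the whole sample into memory, and the tty parser stops cleanly at a truncated trailing record, which is what you get when you copy a session file while Cowrie is still writing it.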

slide-60
SLIDE 60

Want to find out who owns this IP? You can copy/paste all day or look it up programmatically.

slide-61
SLIDE 61

What whois looks like when you copy/paste to your whois search

slide-62
SLIDE 62

What it looks like when you copy/paste into virustotal

slide-63
SLIDE 63

Intel as seen on the HoneyPot server

Information from OpenDNS Investigate (not a sales pitch, just an example)

Programmatically instead of copy/paste

slide-64
SLIDE 64

Programmatically instead of copy/paste

slide-65
SLIDE 65

It’s better to have the honeypot server do all that for you

slide-66
SLIDE 66

FILES FROM HONEYPOTS

Log files get pushed to the server from all the honeypots:

slide-67
SLIDE 67

PROCESSING LOGS

These run on the server

slide-68
SLIDE 68
  • virustotal_api.py: Read hashes and send to VirusTotal
  • conpot_reader.py: Read conpot logs, look up info, format for database
  • cowrie_log_analysis.py: Read ssh logs, look up info, format for database
  • gaspot_reader.py: Read gaspot logs, look up info, format for database
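What a reader like cowrie_log_analysis.py does (read ssh logs, look up info, format for the database), as an added example that is mine and not the project's script. The eventid and field names are what Cowrie writes to cowrie.json as far as I know; treat them as an assumption and check them against a real log. The lookup is a constructed in-memory table standing in for the whois and OpenDNS Investigate calls from slides 60 to 65; it is the seam where a real API client would go, with a cache so the same IP is not queried twice.

```python
"""Server-side processing, added example (not the project's cowrie_log_analysis.py):
read cowrie.json events, summarise each attacking source, enrich it through a pluggable
lookup, and shape documents for Elasticsearch or MongoDB. Standard library only."""
import json
from collections import defaultdict

# Constructed cowrie.json lines. The eventid and field names follow what Cowrie emits
# as far as I know (assumption: verify against your own cowrie.json). The shasum value
# and the download URL are placeholders, not real indicators.
SAMPLE_COWRIE_JSON = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-01T03:14:07Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "session": "a1", "username": "root", "password": "123456", "timestamp": "2015-08-01T03:14:09Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.7", "session": "a1", "username": "root", "password": "password", "timestamp": "2015-08-01T03:14:12Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "session": "a1", "input": "uname -a", "timestamp": "2015-08-01T03:14:15Z"}
{"eventid": "cowrie.session.file_download", "src_ip": "203.0.113.7", "session": "a1", "url": "http://198.51.100.9/PLACEHOLDER.sh", "shasum": "PLACEHOLDER_SHA256", "timestamp": "2015-08-01T03:14:20Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "session": "b2", "username": "admin", "password": "admin", "timestamp": "2015-08-01T09:02:41Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "session": "b2", "username": "admin", "password": "1234", "timestamp": "2015-08-01T09:02:43Z"}
{"eventid": "cowrie.session.closed", "src_ip": "198.51.100.23", "session": "b2", "timestamp": "2015-08-01T09:02:44Z"}
"""


def parse_events(text):
    """One dict per line; a half-written trailing line (the file is append-only) is skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events


def summarise_by_source(events):
    """Collapse per-event noise into one summary per src_ip."""
    def blank():
        return {"sessions": set(), "failed": 0, "success": 0, "credentials": set(),
                "commands": [], "downloads": [], "first_seen": None, "last_seen": None}
    sources = defaultdict(blank)
    for ev in events:
        ip = ev.get("src_ip")
        if not ip:
            continue
        s = sources[ip]
        ts = ev.get("timestamp")
        if ts:  # ISO-8601 UTC strings of equal length sort correctly as text
            s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
            s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
        if ev.get("session"):
            s["sessions"].add(ev["session"])
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["failed" if eid.endswith("failed") else "success"] += 1
            s["credentials"].add((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input"))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append({"url": ev.get("url"), "sha256": ev.get("shasum")})
    return sources


# Constructed stand-in for the whois / OpenDNS Investigate lookups the talk does
# programmatically; a real deployment would call those APIs and cache the answers.
CONSTRUCTED_LOOKUP = {"203.0.113.7": {"org": "Example Hosting A", "country": "AA"}}


def to_documents(sources, lookup=CONSTRUCTED_LOOKUP.get):
    """JSON-serialisable documents: sets become sorted lists, enrichment is attached,
    and tags mark what an analyst should look at first."""
    docs = []
    for ip, s in sorted(sources.items()):
        tags = []
        if s["success"]:
            tags.append("login_success")
        if s["commands"]:
            tags.append("interactive")
        if s["downloads"]:
            tags.append("download")
        docs.append({
            "src_ip": ip, "first_seen": s["first_seen"], "last_seen": s["last_seen"],
            "sessions": sorted(s["sessions"]),
            "login_failed": s["failed"], "login_success": s["success"],
            "credentials": sorted("%s:%s" % c for c in s["credentials"]),
            "commands": s["commands"], "downloads": s["downloads"],
            "enrichment": lookup(ip) or {"org": None, "country": None},
            "tags": tags,
        })
    return docs


def process(text, lookup=CONSTRUCTED_LOOKUP.get):
    return to_documents(summarise_by_source(parse_events(text)), lookup)


if __name__ == "__main__":
    for doc in process(SAMPLE_COWRIE_JSON):
        print(json.dumps(doc, indent=2))
```

One document per source rather than one per event is what makes the output actionable: a source that got a successful login, typed commands and pulled a file is tagged so it sorts to the top, while thousands of failed logins collapse into a count.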

slide-69
SLIDE 69

EXTRA SPECIAL THINGS

  • VirusTotal API
  • OpenDNS Investigate
  • Send to Cuckoo and/or malwr.com
  • Other options that don’t cost $$$
  • More coming…
slide-70
SLIDE 70

OTHER THINGS YOU MIGHT NEED

slide-71
SLIDE 71

METRICS

  • A Dashboard

(I googled ‘ugliest dashboard’) …ew

slide-72
SLIDE 72-73

METRICS

  • A Dashboard
  • Searching
  • Threat map (management NEEDS it)
slide-74
SLIDE 74

VIEW OF MY DASHBOARD

THREAT MAP!!!!!!

slide-75
SLIDE 75

VIEW OF SEARCHING

slide-76
SLIDE 76-79

GETTING INTEL

slide-80
SLIDE 80

IN PROGRESS

  • Dionaea Reader
  • Passive DNS
  • Malwr Analysis
  • Download malware
  • Docker images for various honeypots
slide-81
SLIDE 81

AND MOST IMPORTANT

slide-82
SLIDE 82

REAL ANALYSIS

slide-83
SLIDE 83

FINDING PATTERNS

slide-84
SLIDE 84

PATTERNS, ETC

slide-85
SLIDE 85

TIME SERIES ANALYSIS

slide-86
SLIDE 86

EXAMPLES:

Video of using python and pandas for analysis

slide-87
SLIDE 87

DIFFERENT TYPES OF ANALYSIS

  • Attack times based on location
  • Malware based on type of honeypot
  • Data based on current events
  • Attacks based on your industry
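The time series analysis of slide 85 and the first item above (attack times based on location), as an added example that is mine and not the notebook shown in the talk's video: an hour-of-day profile per source location and a trailing-window burst detector over hourly counts. It uses only the standard library where the talk uses pandas; the events and the IP-to-location table are constructed and labelled as such.

```python
"""Pattern analysis over honeypot events, added example (not the project's own notebook
or scripts): hour-of-day profiles per source location and a trailing-window burst detector
over hourly counts. Standard library only; the talk's demo uses pandas for the same idea."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"
HOUR_FMT = "%Y-%m-%dT%H:00"

# Constructed location table standing in for a whois/geo lookup (assumption).
LOCATION = {"203.0.113.7": "Country A", "198.51.100.23": "Country B"}


def constructed_events():
    """Deterministic stand-in for cowrie.json login events: a steady trickle from one
    source for three days plus one 40-attempt burst from another (constructed data)."""
    start = datetime(2015, 8, 1)
    events = []
    for h in range(72):
        for m in (5, 25, 45):
            stamp = (start + timedelta(hours=h, minutes=m)).strftime(TS_FMT)
            events.append({"timestamp": stamp, "src_ip": "203.0.113.7",
                           "eventid": "cowrie.login.failed"})
    burst = start + timedelta(hours=38)  # day 2, 14:00 UTC
    for i in range(40):
        events.append({"timestamp": (burst + timedelta(seconds=i)).strftime(TS_FMT),
                       "src_ip": "198.51.100.23", "eventid": "cowrie.login.failed"})
    return events


def hourly_series(events):
    """Counts per calendar hour as (hour, count) pairs, with empty hours filled in so a
    quiet period shows up as zeros instead of silently vanishing."""
    counts = Counter(datetime.strptime(e["timestamp"], TS_FMT).strftime(HOUR_FMT)
                     for e in events)
    bounds = sorted(datetime.strptime(k, HOUR_FMT) for k in counts)
    series, t = [], bounds[0]
    while t <= bounds[-1]:
        key = t.strftime(HOUR_FMT)
        series.append((key, counts.get(key, 0)))
        t += timedelta(hours=1)
    return series


def hour_of_day_by_location(events):
    """Which hours (UTC) each location is active in: the 'attack times by location' view."""
    profile = defaultdict(Counter)
    for e in events:
        loc = LOCATION.get(e["src_ip"], "unknown")
        profile[loc][datetime.strptime(e["timestamp"], TS_FMT).hour] += 1
    return profile


def detect_bursts(series, window=24, z=3.0, min_std=1.0):
    """Flag hours whose count exceeds the trailing window's mean by z standard
    deviations. min_std keeps a perfectly flat baseline (std 0) from flagging noise."""
    flagged = []
    for i in range(window, len(series)):
        past = [c for _, c in series[i - window:i]]
        mean = sum(past) / window
        std = max(min_std, (sum((c - mean) ** 2 for c in past) / window) ** 0.5)
        key, count = series[i]
        if count > mean + z * std:
            flagged.append({"hour": key, "count": count, "baseline": round(mean, 2)})
    return flagged


def analyse(events):
    profile = hour_of_day_by_location(events)
    series = hourly_series(events)
    return {
        "series": series,
        "bursts": detect_bursts(series),
        "peak_hour": {loc: max(c, key=c.get) for loc, c in profile.items()},
        "profile": profile,
    }


if __name__ == "__main__":
    result = analyse(constructed_events())
    for b in result["bursts"]:
        print("burst at %(hour)s: %(count)d vs baseline %(baseline).1f" % b)
    for loc, hour in sorted(result["peak_hour"].items()):
        print("%s most active at %02d:00 UTC" % (loc, hour))
```

The trailing window means the detector only ever compares an hour with what came before it, so it can run incrementally as Logstash delivers new events; the burst hour itself then sits inside the next 24 windows and raises their standard deviation, which is why a single spike does not trigger a second alert on the hours after it.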

slide-88
SLIDE 88

CURRENT MODIFICATIONS

Actually in the works at the time of this presentation

slide-89
SLIDE 89-91

CURRENT MODIFICATIONS

  • Compartmentalizing
  • Adding identifiers to each honeypot server
  • Creating docker images for honeypots
  • Adding dynamic information to the dashboard for pattern matching

slide-92
SLIDE 92

A CLOSER LOOK

slide-93
SLIDE 93-94

Video or Demo of intelligence portion

slide-95
SLIDE 95

Go get it

https://github.com/jpyorre/IntelligentHoneyNet

jpyorre@ cisco.com, opendns.com, gmail.com

@joshpyorre

slide-96
SLIDE 96

REFERENCES

COWRIE (SSH HoneyPot) https://github.com/micheloosterhof/cowrie

CONPOT (SCADA HoneyPot) http://www.conpot.org/

GASPOT http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_gaspot_experiment.pdf