modeling malware driven honeypots
play

Modeling Malware-driven Honeypots Gerardo Fernndez, Ana Nieto and - PowerPoint PPT Presentation

Oct 16, 2022 •150 likes •500 views

TRUSTBUS 2017 Modeling Malware-driven Honeypots Gerardo Fernndez, Ana Nieto and Javier Lopez {gerardo,nieto,jlm}@lcc.uma.es Network, Information and Computer Security (NICS) Lab University of Malaga, Spain TrustBus 2017, August 30 th 2017

  1. TRUSTBUS 2017 Modeling Malware-driven Honeypots Gerardo Fernández, Ana Nieto and Javier Lopez {gerardo,nieto,jlm}@lcc.uma.es Network, Information and Computer Security (NICS) Lab University of Malaga, Spain TrustBus 2017, August 30 th 2017

  2. Content 1 1. Honeypots, objectives and limitations 2. Malware Intelligence 3. Hogney Architecture 4. Study Case: Mirai 5. Conclusions Lyon, August 30th, 2017 TRUSTBUS 2017

  3. Honeypots 2 § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate live services of the production environment: showing a footprint similar to that of the services offered in the production network. – Research environments: showing a configuration of honeypots that enables attacks to be captured, to later analyse new techniques used. Lyon, August 30th, 2017 TRUSTBUS 2017

  4. Honeypots 3 § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate live services of the production environment: showing a footprint similar to that of the services offered in the production network. – Research environments: showing a configuration of honeypots that enables attacks to be captured, to later analyse new techniques used. § Limitations : – General purpose: hard to unleashed all stages of malware behaviour – Specific to protocols/applications: + reduced visibility – Specialized in predetermined attacks: + reduced visibility – Adaptive honeypots: usually combine previous techniques inheriting these problems Lyon, August 30th, 2017 TRUSTBUS 2017

  5. Honeypots 4 § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate live services of the production environment: showing a footprint similar to that of the services offered in the production network. – Research environments: showing a configuration of honeypots that enables attacks to be captured, to later analyse new techniques used. § Limitations : – General purpose: hard to unleashed all stages of malware behaviour – Specific to protocols/applications: + reduced visibility – Specialized in predetermined attacks: + reduced visibility – Adaptive honeypots: usually combine previous techniques inheriting these problems Lyon, August 30th, 2017 TRUSTBUS 2017

  6. Honeypots 5 § Nowadays, there are myriad of honeypots available... Nepenthes HoneyBOT Cowrie Dionaea HoneyTrap Kippo Conpot LaBrea Lyon, August 30th, 2017 TRUSTBUS 2017

  7. Honeypots 6 § Nowadays, there are myriad of honeypots available... Nepenthes HoneyBOT Cowrie Dionaea IoTPOT Glastopf H o elastichoney n e y S i n k HoneyTrap Kippo Conpot LaBrea Lyon, August 30th, 2017 TRUSTBUS 2017

  8. Honeypots 7 § Nowadays, there are myriad of honeypots available... Nepenthes HoneyBOT Cowrie Dionaea IoTPOT Why not offer them... Glastopf H “à la carte” ? o elastichoney n e y S i n k HoneyTrap Kippo Conpot LaBrea Lyon, August 30th, 2017 TRUSTBUS 2017

  9. Malware Intelligence 8 We use the term malware intelligence to refer to information § regarding the behaviour and propagation of malware. – Which OS is targeted ? – What components are attacked? – Who communicates with? – What activity is performed? – Who created and launched ? Lyon, August 30th, 2017 TRUSTBUS 2017

  10. Malware Intelligence 9 We use the term malware intelligence to refer to information § regarding the behaviour and propagation of malware. – Which OS is targeted ? – What components are attacked? – Who communicates with? – What activity is performed? – Who created and launched ? Depending on the information requested, different types of malware § intelligence services can be used. We classify them in three levels : – L1 : information about IP and URLs – L2 : information about files: processor, O.S., applications affected, etc. – L3 : intelligence information sharing services (files, URLs, domains, C2 nodes, etc.) Lyon, August 30th, 2017 TRUSTBUS 2017

  11. Malware Intelligence 10 L1 Lyon, August 30th, 2017 TRUSTBUS 2017

  12. Malware Intelligence 11 L2 Lyon, August 30th, 2017 TRUSTBUS 2017

  13. Malware Intelligence 12 L2 Lyon, August 30th, 2017 TRUSTBUS 2017

  14. Malware Intelligence 13 < response > L3 < Event > < date >2016-12-07</ date > < info >Locky 2016-12-07 : "Card Receipt" - "CARD123 456789.docm"</ info > < published >1</ published > < Attribute > < type >ip-dst</ type > < category >Network activity</ category > < value >91.142.90.46</ value > < RelatedAttribute > < Attribute > < info >"Emailing: MX62EDO 08.12.2016" - "MX62EDO 08.12.2016.docm"</ info > < value >91.142.90.46</ value > </ Attribute > </ RelatedAttribute > </ Attribute > < Attribute > < type >url</ type > < category >Payload delivery</ category > < value >http://wahanaputrayudha.com/hfycn33</ value > </ Attribute > < Attribute > < type >md5</ type > < category >Payload delivery</ category > < value >b923db309a973d7229a1e77352e89486</ value > </ Attribute > < Tag >< name >misp-galaxy:ransomware=”Locky"</ name ></ Tag > </ Event > </ response > Lyon, August 30th, 2017 TRUSTBUS 2017

  15. Malware Intelligence 14 < response > L3 < Event > < date >2016-12-07</ date > < info >Locky 2016-12-07 : "Card Receipt" - "CARD123 456789.docm"</ info > < published >1</ published > < Attribute > < type >ip-dst</ type > < category >Network activity</ category > < value >91.142.90.46</ value > < RelatedAttribute > < Attribute > < info >"Emailing: MX62EDO 08.12.2016" - "MX62EDO 08.12.2016.docm"</ info > < value >91.142.90.46</ value > </ Attribute > </ RelatedAttribute > </ Attribute > < Attribute > < type >url</ type > < category >Payload delivery</ category > < value >http://wahanaputrayudha.com/hfycn33</ value > </ Attribute > < Attribute > < type >md5</ type > < category >Payload delivery</ category > < value >b923db309a973d7229a1e77352e89486</ value > </ Attribute > < Tag >< name >misp-galaxy:ransomware=”Locky"</ name ></ Tag > </ Event > </ response > Lyon, August 30th, 2017 TRUSTBUS 2017

  16. Malware Intelligence 15 < response > L3 < Event > < date >2016-12-07</ date > < info >Locky 2016-12-07 : "Card Receipt" - "CARD123 456789.docm"</ info > < published >1</ published > < Attribute > < type >ip-dst</ type > < category >Network activity</ category > < value >91.142.90.46</ value > < RelatedAttribute > < Attribute > < info >"Emailing: MX62EDO 08.12.2016" - "MX62EDO 08.12.2016.docm"</ info > < value >91.142.90.46</ value > </ Attribute > </ RelatedAttribute > </ Attribute > < Attribute > < type >url</ type > < category >Payload delivery</ category > < value >http://wahanaputrayudha.com/hfycn33</ value > </ Attribute > < Attribute > < type >md5</ type > < category >Payload delivery</ category > < value >b923db309a973d7229a1e77352e89486</ value > </ Attribute > < Tag >< name >misp-galaxy:ransomware=”Locky"</ name ></ Tag > </ Event > </ response > Lyon, August 30th, 2017 TRUSTBUS 2017

  17. Hogney Architecture 16 Objective : to facilitate the analysis of the three stages of malware: § exploration, infection and execution of the payload. – Focusing on auto-propagated malware – Obtaining information before offering a honeypot – Integrating tools to capture evidence – Adapting services for unleashing all stages of malware Lyon, August 30th, 2017 TRUSTBUS 2017

  18. Hogney Architecture 17 Objective : to facilitate the analysis of the three stages of malware: § exploration, infection and execution of the payload. – Focusing on auto-propagated malware – Obtaining information before offering a honeypot – Integrating tools to capture evidence – Adapting services for unleashing all stages of malware 3 main modules: § – Interception of connections – Configuration of trap services – Evidence monitoring Lyon, August 30th, 2017 TRUSTBUS 2017

  19. Hogney Architecture 18 Objective : to facilitate the analysis of the three stages of malware: § exploration, infection and execution of the payload. – Focusing on auto-propagated malware – Obtaining information before offering a honeypot – Integrating tools to capture evidence – Adapting services for unleashing all stages of malware 3 main modules: § – Interception of connections – Configuration of trap services – Evidence monitoring Using… § – Low and medium interaction honeypot templates – Execution environments (real and virtual) for high interaction honeypots Lyon, August 30th, 2017 TRUSTBUS 2017

  20. Hogney Architecture 19 Lyon, August 30th, 2017 TRUSTBUS 2017

  21. Hogney Architecture 20 Lyon, August 30th, 2017 TRUSTBUS 2017

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 ,

Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 ,

Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 , 2020 1 Student at IMT Mines Ales and intern at FAU Erlangen-Nurnberg under the supervision of Prof. Enrique Zuazua. Table of Contents Table of

790 views • 43 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher

Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher

Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher Ethical Hacker mane@piperevski.com Piperevski &amp; Associates Skopje, Macedonia What's your favorite Malware? Who we are? A. Popup

297 views • 13 slides
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland National Cybersecurity and Communications Integration Center Security whoami Cyber Threat Analyst at Northrop Grumman Performed wide range of

550 views • 20 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project &amp; Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers &amp; Co- author, Know Your Enemy ! Work

676 views • 52 slides
Overview Information-driven modeling of biomolecular complexes ! Introduction ! Information

Overview Information-driven modeling of biomolecular complexes ! Introduction ! Information

Overview Information-driven modeling of biomolecular complexes ! Introduction ! Information sources ! General aspects of docking ! Information-driven docking with HADDOCK ! Protein-DNA HADDOCKing ! HADDOCKs adventures in CAPRI ! Small molecule

675 views • 28 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Modeling Dynamics of and on Networks Simultaneously Theory-Driven and Data-Driven Approaches

Modeling Dynamics of and on Networks Simultaneously Theory-Driven and Data-Driven Approaches

Modeling Dynamics of and on Networks Simultaneously Theory-Driven and Data-Driven Approaches Hiroki Sayama Binghamton University, SUNY sayama@binghamton.edu 2 6/3/2014 Sayama -- HONS @ NetSci 2014 Complex Systems Modeled as Networks 3

347 views • 33 slides
Centre de Morphologie Mathmatique (CMM) Mines ParisTech Overview - Founding Concept -

Centre de Morphologie Mathmatique (CMM) Mines ParisTech Overview - Founding Concept -

Centre de Morphologie Mathmatique (CMM) Mines ParisTech Overview - Founding Concept - Software Development Layers - Fundamental Notion - Algorithm Decomposition - Content - Conclusion Founding Concept Aim Improve and Extend our old

390 views • 21 slides
COVID-19 Love in a time of crisis Mobilising Active Citizenship, fostering cross-sectoral

COVID-19 Love in a time of crisis Mobilising Active Citizenship, fostering cross-sectoral

COVID-19 Love in a time of crisis Mobilising Active Citizenship, fostering cross-sectoral collaboration and building our PfP Presentation social fabric to address the critical issues facing our country. Presentation name goes here - Insert

377 views • 16 slides
MACHINE LEARNING FOR PARTICLE ACCELERATOR CONTROL SYSTEMS Auralee Edelen Fermilab New

MACHINE LEARNING FOR PARTICLE ACCELERATOR CONTROL SYSTEMS Auralee Edelen Fermilab New

MACHINE LEARNING FOR PARTICLE ACCELERATOR CONTROL SYSTEMS Auralee Edelen Fermilab New Perspectives Meeting 8-9 June, 2015 Abstract Particle accelerators are host to myriad nonlinear and complex physical phenomena. They often involve a

613 views • 25 slides
Parallel Stochastic Programing Airlift Allocation Problem Charm++ Workshop 2011 University of

Parallel Stochastic Programing Airlift Allocation Problem Charm++ Workshop 2011 University of

Parallel Stochastic Programing Airlift Allocation Problem Charm++ Workshop 2011 University of Illinois at Urbana-Champaign 1 Department of Business Administration University of Illinois at Urbana-Champaign Parallel Stochastic Programming:

331 views • 20 slides
Energy systems modelling Energy systems are Most decisions dynamic , non-linea r, are

Energy systems modelling Energy systems are Most decisions dynamic , non-linea r, are

Energy systems modelling Energy systems are Most decisions dynamic , non-linea r, are ill-informed. systemic and stochastic . Simulation supports multi-variate assessments. 1 Myriad supply side transition options strategic fossil

789 views • 33 slides
What i t is j justice ce? Death a and Life Demographi phics cs a are d destiny: c

What i t is j justice ce? Death a and Life Demographi phics cs a are d destiny: c

What i t is j justice ce? Death a and Life Demographi phics cs a are d destiny: c chang nging ng, shrink nking ng househo eholds ds Death a and Life Demographics are destiny: changing, shrinking households 2010-30:

643 views • 35 slides
through Exam Preparation Click to edit Master subtitle style Gerardo Valazza Aims of the

through Exam Preparation Click to edit Master subtitle style Gerardo Valazza Aims of the

Fostering Learner Autonomy through Exam Preparation Click to edit Master subtitle style Gerardo Valazza Aims of the Presentation To discuss the relationship between learner autonomy , sustainable assessment and exam preparation To

567 views • 37 slides
WHY BAD DATA RUINS WHY BAD DATA RUINS PROJECTS AND HOW PROJECTS AND HOW TO FIX IT TO FIX IT

WHY BAD DATA RUINS WHY BAD DATA RUINS PROJECTS AND HOW PROJECTS AND HOW TO FIX IT TO FIX IT

KEEP IT CLEAN KEEP IT CLEAN 30/04/2019 reveal.js WHY BAD DATA RUINS WHY BAD DATA RUINS PROJECTS AND HOW PROJECTS AND HOW TO FIX IT TO FIX IT localhost:8080/?print-pdf#/ 1/65 1 HOW BAD DATA AFFECTS RESULTS HOW BAD DATA AFFECTS RESULTS

1.17k views • 65 slides

More recommend