securing networks with honeypots motivation
play

Securing networks with Honeypots Motivation Scenario : Web server - PowerPoint PPT Presentation

Oct 06, 2022 •115 likes •246 views

Benjamin Braun, Klemens Mang Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to detect attackers accessing your service? How to analyze attack patterns? How to detect yet unknown attack

  1. Benjamin Braun, Klemens Mang Securing networks with Honeypots

  2. Motivation ● Scenario : Web server Internet SSH ● How to detect attackers accessing your service? ● How to analyze attack patterns? ● How to detect yet unknown attack patterns? Source: own graphic

  3. Lecture Overview ● Attacking a network ● Protecting your network ● What are Honeypots? ● Types of Honeypots ● Honeypot lab ● Summary 3

  4. Attacking a network ● Random attacks: ● Automated tools searching for weaknesses ● Known vulnerabilities ● Already installed backdoors ● Weak or default login credentials ● Often preceded by IP range scans Oct 3 14:11:54 xxxxxx sshd[29972]: Invalid user admin from 212.64.151.233 Oct 3 14:11:54 xxxxxx sshd[29972]: input_userauth_request: invalid user admin [preauth] Oct 3 14:11:54 xxxxxx sshd[29972]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth] 183.60.244.29 - - [13/Dec/2013:15:13:23 +0100] "GET /cgi- bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount HTTP/1.1" 301 185 "-" "Python-urllib/2.7"

  5. Attacking a network ● Sophisticated attacks: ● Find out how the network is structured ● Get to know valuable or vulnerable targets ● Active Fingerprinting: ● Varying protocol implementations reveal operating system ● Port scan shows running services ● Service banners reveal specific version root@evil ~ % telnet 131.159.202.97 22 Trying 131.159.202.97... Connected to 131.159.202.97. Escape character is '^]'. SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930 CVE-2010-1938 OpenSSH 3.5p1 Remote Root Exploit For FreeBSD: Off-by-one error [...] execute arbitrary code via a long username

  6. Protecting your network ● Prevention: Firewall ● Block unwanted traffic at edge of network ● Detection: Network Intrusion Detection System ● Signature-based detection ● Very effective against known threads ● Anomaly detection ● Problem: False positives ● Response strategies: ● Packet filtering ● Redirecting traffic ● Rate limiting ● Tracking

  7. Example: Snort rule ● # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length: "; nocase; byte_test:8,<,201,0,string,relative; pcre:"/[^\x20- \x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:5;)

  8. What are Honeypots? ● Problem with NIDS: high rate of false-positives and need to know attack signatures -> honeypots ● A honeypot is “ an information system resource whose value lies in unauthorized or illicit use of that resource ” . ● All access attempts are logged and considered unusual behavior ● Features: ● Higher degree of accuracy (low false positive rate) ● Creates more information ● Detects yet unknown attacks

  9. Types of Honeypots ● High interaction Honeypot: ● Real, sophisticated system without productive value Enables collecting comprehensive data about attacking techniques  May be comprised completely - Requires more maintenance - ● Low interaction Honeypot: ● Implement only some parts of a system (service, network stack behavior) ● May be used as an early warning system Easy to set up and maintain + Limited risk of compromise + Generates less information -

  10. Honeyd – an overview ● Low interaction honeynet tool ● Simulation of: ● Thousands of virtual hosts ● Network stack behavior of different OS ’ s ● Arbitrary services via configuration ● Arbitrary routing topologies ● Subsystem virtualization Source: “ Virtual Honeypots- From Botnet Tracking to Intrusion Detection ”

  11. Honeypot Lab Attacker Router 1. Build virtual honeypots with honeyd Honeyd 2. Attack the network from the outside Server 3. Try to distinguish honeypots from real systems 4. Analyse the log files from your honeypot Virtual Honeypots

  12. Summary ● Most attacks aim to exploit known weaknesses ● Network IDS have difficulties with unknown attacks ● Honeypots help to detect and analyze network attacks ● They feature: ● Low false positive rate ● Confuse attackers ● We distinguish between high and low interaction honeypots

  13. Expected Time: 5 minutes Flight Through Your Lab Prepare which things you want to highlight Here, you will open the exercise on the browser on the laptop and scroll through it with explanation This slide is just the place holder for your live presentation. No changes needed. 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
Mobile Networks Module I Part 2 Securing Vehicular Networks Prof. J.-P. Hubaux 1 Outline

Mobile Networks Module I Part 2 Securing Vehicular Networks Prof. J.-P. Hubaux 1 Outline

Mobile Networks Module I Part 2 Securing Vehicular Networks Prof. J.-P. Hubaux 1 Outline Motivation Threat model and specific attacks Security architecture Security analysis Certificate revocation

751 views • 43 slides
Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K. MASMOUDI, K. MASMOUDI, H. AFIFI H. AFIFI Boston, 08/2004 6 th PCRD Integrated Project Goal : provide secure communication

450 views • 22 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande C. Toinard LIFO Universit dOrlans ENSI de Bourges SHPCS08,

401 views • 19 slides
Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br Instituto de Informtica UFRGS Securing Networks in the Programmable Data Plane Era Network softwarization : the first wave P4 programs are

607 views • 12 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Securing Smart Homes Using NDN Lei Pi, Lan Wang Motivation IoT technology has great

Securing Smart Homes Using NDN Lei Pi, Lan Wang Motivation IoT technology has great

Securing Smart Homes Using NDN Lei Pi, Lan Wang Motivation IoT technology has great potential in a wide range of fields Numbers of IoT devices is increasing at high speed Security issues is emerging and posing a challenging

413 views • 5 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Securing Robotics with SROS2 Motivation | Medical Patient Mobility Safely

Securing Robotics with SROS2 Motivation | Medical Patient Mobility Safely

Securing Robotics with SROS2 Motivation | Medical Patient Mobility Safely transferring immobilised patients Offloading strenuous lifting from nurse Indoor logistics Routine deliveries of supplies, food, medicine

170 views • 15 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project &amp; Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers &amp; Co- author, Know Your Enemy ! Work

676 views • 52 slides
Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th

Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th

Behavioural Network Traffic Analytics for Securing 5G Networks Stavros Papadopoulos, Anastasios Drosou, and Dimitrios Tzovaras 5 th International Workshop on 5G Architecture (5GARCH) Presenter: Dr. Stavros Papadopoulos Post-doctoral research

426 views • 23 slides
Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 19 Page 1 CS 236 Online Putting It All Together Weve talked a lot about security principles And about security problems And

209 views • 17 slides
Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

922 views • 25 slides
Securing IPv6 neighbor discovery and SLAAC in access networks through SDN Daniel Nelle,

Securing IPv6 neighbor discovery and SLAAC in access networks through SDN Daniel Nelle,

Securing IPv6 neighbor discovery and SLAAC in access networks through SDN Daniel Nelle, dnelle@uni-potsdam.de Thomas Scheffler, thomas.scheffler@htw-berlin.de ANRW 2019, Montreal, July 22nd 2019 Outline Security issues in ICMPv6 Stateless

663 views • 21 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 1 / 47 Speaker: Sebastien Tricaud I Live and work in Paris (FR)

601 views • 48 slides
Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of

701 views • 44 slides
IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/303210806 IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors , including: Victor R Kebande Nickson

389 views • 23 slides
HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for Computer Science Operating Systems and Distributed Systems Reykjavk, July 29, 2013 Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 -

890 views • 31 slides
A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran , Martin Fong, Mabry Tyson (SRI International) Seungwon Shin, Guofei Gu (Texas A&amp;M University) Classic Network Perimeter Defense Security

207 views • 20 slides
Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Monitoring, Attack Detection and Mitigation Monitoring, Attack Detection and Mitigation MonAM 2006 MonAM 2006 Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti Authors: merson Virti, Liane

474 views • 16 slides
Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera &lt;angelo.dellaera@honeynet.org&gt; Security Researcher @ Area 1 Security Full Member @ Honeynet Project Information Security Independent

680 views • 48 slides
Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David

Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David

Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David Hutchison Lancaster University MSN2012:The Multi Service Networks Workshop Coseners House, Abingdon, Oxfordshire, UK 12-13 July 2012 1

348 views • 17 slides

More recommend