Securing networks with Honeypots Motivation Scenario : Web server - - PowerPoint PPT Presentation



SLIDE 1

Securing networks with Honeypots

Benjamin Braun, Klemens Mang

SLIDE 2

Motivation

  • Scenario (diagram: Internet, SSH, Web server; source: own graphic)
  • How to detect attackers accessing your service?
  • How to analyze attack patterns?
  • How to detect yet unknown attack patterns?
SLIDE 3

Lecture Overview

  • Attacking a network
  • Protecting your network
  • What are Honeypots?
  • Types of Honeypots
  • Honeypot lab
  • Summary

SLIDE 4

Attacking a network

  • Random attacks:
    • Automated tools searching for weaknesses
    • Known vulnerabilities
    • Already installed backdoors
    • Weak or default login credentials
    • Often preceded by IP range scans

Oct 3 14:11:54 xxxxxx sshd[29972]: Invalid user admin from 212.64.151.233
Oct 3 14:11:54 xxxxxx sshd[29972]: input_userauth_request: invalid user admin [preauth]
Oct 3 14:11:54 xxxxxx sshd[29972]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
183.60.244.29 - - [13/Dec/2013:15:13:23 +0100] "GET /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount HTTP/1.1" 301 185 "-" "Python-urllib/2.7"
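As an added illustration (not part of the slides), the following Python script runs simple detection heuristics over constructed log lines in the same sshd and Apache formats shown above; the host name, addresses, threshold and scanner lists are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the slide: syslog lines from sshd and
# Apache access-log lines. Host name and addresses are placeholders.
SAMPLE_LOG = """\
Oct 3 14:11:54 host1 sshd[29972]: Invalid user admin from 203.0.113.5
Oct 3 14:11:55 host1 sshd[29975]: Invalid user test from 203.0.113.5
Oct 3 14:11:56 host1 sshd[29978]: Invalid user oracle from 203.0.113.5
Oct 3 14:12:01 host1 sshd[29980]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
203.0.113.9 - - [13/Dec/2013:15:13:23 +0100] "GET /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount HTTP/1.1" 301 185 "-" "Python-urllib/2.7"
198.51.100.20 - - [13/Dec/2013:15:14:02 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
HTTP_LINE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Heuristics taken from the slide's examples: probes for CGI scripts and
# scripted HTTP clients (the lists are assumptions for illustration).
SCANNER_PATHS = ("/cgi-bin/",)
SCANNER_AGENTS = ("python-urllib", "curl/", "masscan", "zgrab")

def analyze(log_text, ssh_threshold=3):
    """Return source addresses that look like SSH credential guessing and
    HTTP requests that look like automated scans."""
    invalid_users = Counter()
    web_probes = []
    for line in log_text.splitlines():
        m = SSHD_INVALID.search(line)
        if m:
            invalid_users[m["ip"]] += 1   # one failed guess from this source
            continue
        m = HTTP_LINE.match(line)
        if m:
            ua = m["ua"].lower()
            if m["path"].startswith(SCANNER_PATHS) or any(a in ua for a in SCANNER_AGENTS):
                web_probes.append((m["ip"], m["path"], m["ua"]))
    ssh_bruteforce = [ip for ip, n in invalid_users.items() if n >= ssh_threshold]
    return {"ssh_bruteforce": ssh_bruteforce, "web_probes": web_probes}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```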

SLIDE 5

Attacking a network

  • Sophisticated attacks:
    • Find out how the network is structured
    • Get to know valuable or vulnerable targets
  • Active Fingerprinting:
    • Varying protocol implementations reveal operating system
    • Port scan shows running services
    • Service banners reveal specific version

root@evil ~ % telnet 131.159.202.97 22
Trying 131.159.202.97...
Connected to 131.159.202.97.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930

CVE-2010-1938 OpenSSH 3.5p1 Remote Root Exploit For FreeBSD: Off-by-one error [...] execute arbitrary code via a long username

SLIDE 6

Protecting your network

  • Prevention: Firewall
    • Block unwanted traffic at the edge of the network
  • Detection: Network Intrusion Detection System
    • Signature-based detection
      • Very effective against known threats
    • Anomaly detection
      • Problem: false positives
  • Response strategies:
    • Packet filtering
    • Redirecting traffic
    • Rate limiting
    • Tracking
SLIDE 7

Example: Snort rule

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:".php"; http_uri; \
    content:"|3B 20|MSIE|20|"; http_header; \
    content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; \
    content:!"|0D 0A|Referer|3A|"; http_header; \
    content:!"|0D 0A|Cookie|3A|"; http_header; \
    content:"Content-Length: "; nocase; byte_test:8,<,201,0,string,relative; \
    pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; \
    metadata:impact_flag red, policy security-ips drop, ruleset community, service http; \
    classtype:trojan-activity; sid:25050; rev:5;)
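To make the rule's conditions concrete, here is an added Python re-implementation of each match in sid 25050 (it is neither Snort's engine nor code from the slides), applied to a constructed HTTP request; the host and path are placeholders.

```python
import re

# The rule's pcre; the /P modifier means it is applied to the HTTP body.
NONPRINTABLE_RUN = re.compile(rb"[^\x20-\x7e\x0d\x0a]{4}")

def split_request(raw):
    """Split a raw request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    # Prefix CRLF so the "|0D 0A|Name|3A|" checks also cover the first header line.
    return method, uri, b"\r\n" + headers, body

def zeus_rule_matches(raw):
    """Return True when every condition of sid 25050 holds for the request."""
    method, uri, headers, body = split_request(raw)
    if method != b"POST" or b".php" not in uri:          # http_method / http_uri
        return False
    if b"; MSIE " not in headers:                        # content:"|3B 20|MSIE|20|"
        return False
    for absent in (b"\r\nAccept-Language:", b"\r\nReferer:", b"\r\nCookie:"):
        if absent in headers:                            # negated content matches
            return False
    idx = headers.lower().find(b"content-length: ")     # nocase
    if idx < 0:
        return False
    # byte_test:8,<,201,0,string,relative: up to 8 decimal digits right after the match
    digits = re.match(rb"\d{1,8}", headers[idx + len(b"content-length: "):])
    if digits is None or int(digits.group()) >= 201:
        return False
    return NONPRINTABLE_RUN.search(body) is not None     # 4 non-printable bytes in body

# Constructed sample traffic: a small POST with a binary body and a sparse
# header set (no Accept-Language, Referer or Cookie), as the rule describes.
SUSPECT = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Content-Length: 64\r\n\r\n" + bytes(range(0x80, 0xC0))
)
# Same request with a Cookie header: a real browser session, so the rule does not fire.
BENIGN = SUSPECT.replace(b"\r\nHost:", b"\r\nCookie: session=abc\r\nHost:")

if __name__ == "__main__":
    print("suspect:", zeus_rule_matches(SUSPECT), "benign:", zeus_rule_matches(BENIGN))
```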

SLIDE 8

What are Honeypots?

  • Problem with NIDS: high rate of false positives and the need to know attack signatures -> honeypots
  • A honeypot is “an information system resource whose value lies in unauthorized or illicit use of that resource”.
  • All access attempts are logged and considered unusual behavior
  • Features:
    • Higher degree of accuracy (low false positive rate)
    • Creates more information
    • Detects yet unknown attacks
SLIDE 9

Types of Honeypots

  • High interaction Honeypot:
    • Real, sophisticated system without productive value
    • Enables collecting comprehensive data about attacking techniques
    • May be compromised completely
    • Requires more maintenance
  • Low interaction Honeypot:
    • Implements only some parts of a system (service, network stack behavior)
    • May be used as an early warning system
    + Easy to set up and maintain
    + Limited risk of compromise
    • Generates less information
SLIDE 10

Honeyd – an overview

  • Low interaction honeynet tool
  • Simulation of:
    • Thousands of virtual hosts
    • Network stack behavior of different OS’s
    • Arbitrary services via configuration
    • Arbitrary routing topologies
    • Subsystem virtualization

Source: “Virtual Honeypots: From Botnet Tracking to Intrusion Detection”
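An added example honeyd configuration (not from the slides or the honeyd project) that exercises the features listed above: two virtual hosts with different OS personalities, scripted and open services, a subsystem, and a routed second subnet. The addresses and script paths are placeholders, and personality strings must match entries in honeyd's nmap.prints file.

```text
# Default template: traffic to anything not configured below is dropped.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Virtual host 1: Windows XP network stack, a scripted web service on port 80,
# an open port 139 and a real daemon run as a subsystem.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows uptime 1728000
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows subsystem "/usr/sbin/httpd"
bind 10.0.0.10 windows

# Virtual host 2: FreeBSD stack; SSH emulated by a script that receives the
# source address and destination port (scripts/ssh.sh is a placeholder).
create freebsd
set freebsd personality "FreeBSD 4.6"
set freebsd default tcp action reset
add freebsd tcp port 22 "sh scripts/ssh.sh $ipsrc $dport"
bind 10.0.0.20 freebsd

# Routing topology: entry router 10.0.0.1, a second subnet behind 10.1.0.1
# with added latency and packet loss so traceroute looks like a real hop.
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/24 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
bind 10.0.0.1 freebsd
bind 10.1.0.1 freebsd
bind 10.1.0.30 windows
```

Run it with the lab's interface and log options (for example honeyd -d -f honeyd.conf -l honeyd.log 10.0.0.0/16) and the log file is what lab step 4 asks you to analyse.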

SLIDE 11

Honeypot Lab

  1. Build virtual honeypots with honeyd
  2. Attack the network from the outside
  3. Try to distinguish honeypots from real systems
  4. Analyse the log files from your honeypot

(diagram: Router, Attacker, Server, Honeyd, Virtual Honeypots)

SLIDE 12

Summary

  • Most attacks aim to exploit known weaknesses
  • Network IDS have difficulties with unknown attacks
  • Honeypots help to detect and analyze network attacks
  • They feature:
    • Low false positive rate
    • Confuse attackers
  • We distinguish between high and low interaction honeypots

SLIDE 13

Flight Through Your Lab

Prepare which things you want to highlight

Here you will open the exercise in the browser on the laptop and scroll through it while explaining it.

This slide is just the place holder for your live presentation. No changes needed.

Expected Time: 5 minutes