![Protect the Systems
Mimic Reality
Capture
Interaction
Generate an
Alert
Protect: Windows Systems using RDP
1. Deploy an RDP Honeypot [Tom’s,
OpenCanary]
2. Capture any connection attempt
3. Generate an alert to your SIEM/SOC](https://image.slidesharecdn.com/bsa2016-practicalhoneypots-160910150810/85/BSA2016-Honeypots-for-Network-Security-Monitoring-21-320.jpg)
![Protect the Users
Mimic Reality
Capture
Interaction
Generate an
Alert
Protect: Service account credentials
1. Create limited access honeyusers [DCEPT]
2. Detect cleartext credentials in memory
3. Generate an alert to your SIEM/SOC](https://image.slidesharecdn.com/bsa2016-practicalhoneypots-160910150810/85/BSA2016-Honeypots-for-Network-Security-Monitoring-23-320.jpg)
BSA2016 - Honeypots for Network Security Monitoring
- 2. Chris Sanders (@chrissanders88) Find Evil @ FireEye Founder @ Rural Tech Fund PhD Researcher GSE # 64 BBQ Pit Master Author: Practical Packet Analysis Applied NSM
- 3. Agenda Security Economics Traditional Honeypots NSM Honeypots Honeypot Applications “Why honeypots are a cost effective strategy for enhancing your network security monitoring strategy.”
- 5. Economics of Security “If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics.” - Taufiq Rashid High Demand for Security Expertise Low Supply of Security Practitioners Expertise Services Software
- 7. Cost Effective NSM C O S T EFFECTIVENESS Analytics/ML Antivirus NGFW SIEM Endpoint IDS/IPS Honeypot s Where do most security solutions rank in terms of cost effectiveness?
- 9. Seminal Work Large Orgs and Defense Many Academic Papers The Honeynet Project Honeyd Software
- 10. Traditional Honeypots Designed to be attacked Intentionally vulnerable Primarily used for specific research Originally useful for learning about attackers Useful for tracking scanning and proliferation of worms
- 12. Hold Your Horses! 1. Honeypots take a lot of time to maintain. 2. Honeypots introduce tremendous risk. 3. Attackers can use honeypots as a foothold. 4. Honeypots are only for the most mature
- 14. NSM Honeypots Premise: Nobody should ever talk to a honeypot Attributes: 1. Placed inside the network 2. Mimic existing systems 3. Low interaction 4. Extensive logging and alerting 5. Goal oriented
- 20. Goal-Oriented Deception Mimic Reality Capture Interaction Generate an Alert Systems UsersData
- 21. Protect the Systems Mimic Reality Capture Interaction Generate an Alert Protect: Windows Systems using RDP 1. Deploy an RDP Honeypot [Tom’s, OpenCanary] 2. Capture any connection attempt 3. Generate an alert to your SIEM/SOC
- 22. Protect the Data Mimic Reality Capture Interaction Generate an Alert Protect: HR data in spreadsheets 1. Deploy a HoneyDoc 2. Embed web bug that phones home 3. Configure OS file access monitoring 4. Generate an alerts when doc phones home, or when file is accessed.
- 23. Protect the Users Mimic Reality Capture Interaction Generate an Alert Protect: Service account credentials 1. Create limited access honeyusers [DCEPT] 2. Detect cleartext credentials in memory 3. Generate an alert to your SIEM/SOC
- 26. The Challenge Analysts… ...start looking for implementation opportunities. Managers… ...ensure this technique is part of your analysts toolbelt. Vendors… ...develop affordable honeypot-based solutions. Open Source Contributors… ...drive innovation in this space.
- 27. Recommended Honeypot Software Honeypots OpenCanary Tom’s Honeypot Cowrie (SSH) RDPY (RDP) CanaryTokens.org Management Ansible Docker Chef Alerting Snort Suricata Bro SIEM
- 28. Other Honeypot Software Conpot Dioneae Ensnare ESPot Gaspot Glastopf Gridpot Honeyd Honeyntp HoneyPotter HoneyPress Honeyprint HoneyPy Kippo Nodepot NoSQLpot Shadow Daemon TelnetHoney Thug Wordpot https://github.com/paralax/awesome-honeypots
Editor's Notes
- #6: Security is only affordable for: Military/Gov Financial Post-Breach Orgs Economics of security are heavily tilted towards the attacker. As long as this remains, we continue to lose and lose ground.
- #7: This is why most new tech fails. We’ve had electric cars forever, they are just too expensive to operate, maintain, and charge. We can go to space, but not affordably, yet.
- #9: TIME CHECK – 15 MINUTES
- #14: TIME CHECK – 20 MINUTES
- #16: If you get an alert from a honeypot, it’s worth investigating. If someone hits your sign, the honeypot, they might hit your bridge, the sensitive system.
- #18: A great NSM strategy is like a great cheeseburger.
- #20: TIME CHECK – 30 MINUTES
- #22: Kippo, Tom’s Honeypot, Thinkst
- #23: Canary docs, canary DB tables, hash changes
- #24: Honey Accounts, Honey SIDs, social media profiles
- #25: TIME CHECK – 45 MIN