SlideShare a Scribd company logo

Digital Deception: Raising the Stakes on Hackers

Download as PPTX, PDF
D
Dan Houser

One of my well-received presentations on how to obfuscate the edge, frustrate hackers seeking to fingerprint the organization, and emulate a virtual network to create a low-interaction honeynet, by leverage unused IP address space in class A,B,C domains. While most hacks today are identity-based, a honeynet is still a viable means of finding attackers seeking to compromise internet-facing hosts.

Internet
Related topics:
Network Security
1 of 21
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
© 2005 Dan Houser, All Rights Reserved Digital Deception: Raising the Stakes on Hackers Dan Houser, CISM, CISSP, ISSAP
Overview Changes in Hacker Space Weather & Early warning systems Dirty Deeds Done Dirt Cheap Big Freakin’ Haystack Introduction • Emulation of 16 million node network • Intrusion Management Network What next? Q&A
Goals… Use of Digital Deception Confuse, Harass, Confound the enemy Dramatically, drastically, overwhelmingly increase the economic cost of system scanning and worm target acquisition Make script kiddy and worms infeasible Force a paradigm shift We are locked in a cold-war arms race, where only the arms dealer wins.
Internet attacks have changed…
Old school attack Lone interloper targets major firm Studies publicly available information Hangs out at local pub, befriends sales team Dumpster dives to obtain manuals, phone lists Uses war-dialer to find modems & remote hosts Uses social engineering to obtain passwords Dials up hosts, logs in, mayhem & mischief
“Modern” attack Lone interloper targets IP range Downloads script kiddy tools Scans IP range looking for vulnerable hosts Port scans hosts looking for exploitable services Uses exploit tool, mayhem & mischief Target selection now a target of opportunity… indiscriminate attack
Make your real servers look bogus  Save all .ASP code as .CGI files, perl as .ASP  Configure responses from Apache that mimic IIS  Open dummy NetBIOS ports on Unix servers  Open bogus 21, 23, 25, 80 & 443 ports on all servers, with netcat listening on the bogus ports  Call your database server “Firewall”  Route bogus traffic to IDS network Confuse and harass attackers
Worms hit 10,000 networks at once…
What we need is early warning
Hide in the open: Big freakin’ haystack  Virtual honeynets + Intrusion Management  Create server that emulates address range: 10.x.x.x  Open tons of ports: 20, 21, 23, 25, 37, 42, 43, 49, 67, 68, 69, 80, 109, 110, 137-139, 389, 443, 666, 6667  Emulate good hosts: MS-Exchange, Solaris/Oracle, MS- SQL, RedHat/Apache/Tomcat, WinXP Pro  Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor  Honeyd likely tool, or at least a starting point
 Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers  Stop swallowing packets: route unreachable hosts to the virtual honeynet  190,000 decoys per “real” server = 99.9995% detection  Any hits are malicious – route to IDS / IPS • Research attack profile. • Throttle attack / drop packets • Block attackers for 1 hour, 2 hours, 24 hours, 1 week.  You’ve gained breathing room to respond to real attacks Hide in the open: Big freakin’ haystack
Router Real Network BFH Emulator IDS Config IPS Hide in the Open: Big Freakin’ Haystack
Security Through Obscurity?
Hide in the open
The fun has just begun… LaBrea: SYN/ACK, TCP Window size = 0 (wait) • Use Tarpit to freeze a scan, run on random port • Freezes Windows-based scanners up to 4 minutes • Change window size to vary randomly, 0-15 • Scanning 10,000 hosts takes 27 days. • Detecting 100 unpublished hosts in Class B network would take approximately 110 days • Detecting 100 unpublished hosts in Class A would take approximately 112 years
Storm Surge Mode: active re-configuration • Suppose your “standard” BFH net emulates: 25% Apache/Tomcat on RedHat 7 25% Win2003 / SQL-Server 25% Lotus Notes/Domino on Win2k Server 25% Oracle 9i on Solaris • IDS telemetry reports spike in Win2k attacks • BFH configuration changes: 30% Win2000 / SQL 6.5 30% Win2000 / Exchange 30% Win2000 / IIS 10% Allocated among 30 other server/workstation images The fun has just begun…
• Virtual honeynets: Make legitimate servers look like bogus servers. • Make all servers (fake & real) look identical • BFH in your internal network  Malware outbreaks see your network with 16 million hosts  Ability to detect worms while slowing spread by 600x • Simulate sendmail open relays – Death to Spam!! • If all Class A, B & C networks ran BFH:  Emulation of 12,493,209,429,306 bogus hosts  Port scans & profiling a thing of the past • Worms and script kiddies would be economically infeasible. The fun has just begun…
Where do we go from here? Tactical changes Strategic changes Open source vs. commercial Platform Network changes? • Firewall, router, switch, smart-switch, blades Unintended consequences: little guys get beat up Interactive, collaborative BFHnet Do we even NEED a firewall anymore, with BFH?
Summary Stop script kiddies for $30k, seems like reasonable ROI Imagine if every class A, B & C network ran BFH • Emulation of 12,493,209,429,306 bogus hosts • Port scanning infeasible, profiling a moot point
Q&A
Contact Information Contact info: guru@xota.net Further info: “Submarine Warfare”, August 2003 issue of InformationSecurity Magazine: http://infosecuritymag.techtarget.com Big Freakin’ Haystack Initiative: http://sourceforge.net/projects/bfhi Some images courtesy of The Weather Channel, NASA. Trogdor the BURNiNATOR image courtesy homestarrunner.com

More Related Content

PPT
RSA 2005 H&T: Die Script Kiddie! Die, Die, Die!
Dan Houser
 
PDF
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
PPT
Anton Chuvakin on Honeypots
Anton Chuvakin
 
PDF
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
PPTX
Red Team Apocalypse
Beau Bullock
 
PPTX
Honeypots and honeynets
Rasool Irfan
 
PDF
20120329 Cybercrime threats on e-world
Luc Beirens
 
PPT
Honeypot honeynet
Sina Manavi
 
RSA 2005 H&T: Die Script Kiddie! Die, Die, Die!
Dan Houser
 
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
Anton Chuvakin on Honeypots
Anton Chuvakin
 
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
Red Team Apocalypse
Beau Bullock
 
Honeypots and honeynets
Rasool Irfan
 
20120329 Cybercrime threats on e-world
Luc Beirens
 
Honeypot honeynet
Sina Manavi
 

Similar to Digital Deception: Raising the Stakes on Hackers (20)

PPTX
Next Generation Firewalls
The eCore Group
 
PPT
Hacking and its Defence
Greater Noida Institute Of Technology
 
PPT
honeypots.ppt
DetSersi
 
PDF
Honeypots for Active Defense
Greg Foss
 
PPT
Honeypot Project
Manikyala Rao
 
PPT
Hackers
Mohamed Boudchiche
 
PDF
Honeypot 101 (slide share)
Emil Tan
 
PPT
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
PPTX
Honeypots.ppt1800363876
Momita Sharma
 
PPT
Hackers Cracker Network Intruder
Erdo Deshiant Garnaby
 
PPT
Security Assessment
Anil Nayak
 
PPTX
UNIT 5 (2).pptx
janani603976
 
PPTX
Red Team Apocalypse (RVAsec Edition)
Beau Bullock
 
PDF
Cisel1 d
chandu_sai
 
PDF
Virtualisasi Hacking
Novizul Evendi
 
PPT
Using Canary Honeypots for Network Security Monitoring
chrissanders88
 
PPTX
Attacks on the cyber world
Nikhil Tripathi
 
PPT
All about Hacking
Madhusudhan G
 
PDF
Know Your Enemy: Behind the Scenes of Malicious Web Servers
webhostingguy
 
PPT
Ethical Hacking
Keith Brooks
 
Next Generation Firewalls
The eCore Group
 
Hacking and its Defence
Greater Noida Institute Of Technology
 
honeypots.ppt
DetSersi
 
Honeypots for Active Defense
Greg Foss
 
Honeypot Project
Manikyala Rao
 
Hackers
Mohamed Boudchiche
 
Honeypot 101 (slide share)
Emil Tan
 
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
Honeypots.ppt1800363876
Momita Sharma
 
Hackers Cracker Network Intruder
Erdo Deshiant Garnaby
 
Security Assessment
Anil Nayak
 
UNIT 5 (2).pptx
janani603976
 
Red Team Apocalypse (RVAsec Edition)
Beau Bullock
 
Cisel1 d
chandu_sai
 
Virtualisasi Hacking
Novizul Evendi
 
Using Canary Honeypots for Network Security Monitoring
chrissanders88
 
Attacks on the cyber world
Nikhil Tripathi
 
All about Hacking
Madhusudhan G
 
Know Your Enemy: Behind the Scenes of Malicious Web Servers
webhostingguy
 
Ethical Hacking
Keith Brooks
 

More from Dan Houser (20)

PPT
MFA, 42 & Compliance - Answers to the Wrong Questions
Dan Houser
 
PPTX
Protect passwords - User Awareness Training
Dan Houser
 
PPTX
Cryptography Overview Presentation circa 2005
Dan Houser
 
PPTX
RSA2003: Forget Firewalls - early Zero Trust
Dan Houser
 
PPTX
The Hidden Enemy Within - Why Ungoverned Data is Such a Big Problem
Dan Houser
 
PPT
RSA2008: Sins of our Fathers, for which we still are punished
Dan Houser
 
PPTX
Now More than Ever: Ethics in Cybersecurity
Dan Houser
 
PPTX
Crypto in the Real World - ISACA 10-Jan-2008
Dan Houser
 
PPT
Power Up your LinkedIn Profile, Effectively Highlight your Branc
Dan Houser
 
PPTX
My Baby Done Bad Crypto - My Sweet Baby Done Me Wrong
Dan Houser
 
PPTX
The Death of Best-of-Breed - Leveraging Cloud for Security Transformation
Dan Houser
 
PPTX
2024 Security Outlook & Essential Security Practices
Dan Houser
 
PPTX
Hacking and Armoring Identity Ecosystems: When MFA Isn't Good Enough Any Longer
Dan Houser
 
PPTX
Driving Change and Resilience: Aligning Cybersecurity with Organizational St...
Dan Houser
 
ODP
2013 (ISC)² Congress: This Curious Thing Called Ethics
Dan Houser
 
PPTX
Securing Big Data and the Grid
Dan Houser
 
PPT
RSA2008: What Vendors Won’t Tell You About Federated Identity
Dan Houser
 
PPT
The Challenges & Risks of New Technology: Privacy Law & Policy
Dan Houser
 
PPT
Perimeter Defense in a World Without Walls
Dan Houser
 
PPT
Risk Based Planning for Mission Continuity
Dan Houser
 
MFA, 42 & Compliance - Answers to the Wrong Questions
Dan Houser
 
Protect passwords - User Awareness Training
Dan Houser
 
Cryptography Overview Presentation circa 2005
Dan Houser
 
RSA2003: Forget Firewalls - early Zero Trust
Dan Houser
 
The Hidden Enemy Within - Why Ungoverned Data is Such a Big Problem
Dan Houser
 
RSA2008: Sins of our Fathers, for which we still are punished
Dan Houser
 
Now More than Ever: Ethics in Cybersecurity
Dan Houser
 
Crypto in the Real World - ISACA 10-Jan-2008
Dan Houser
 
Power Up your LinkedIn Profile, Effectively Highlight your Branc
Dan Houser
 
My Baby Done Bad Crypto - My Sweet Baby Done Me Wrong
Dan Houser
 
The Death of Best-of-Breed - Leveraging Cloud for Security Transformation
Dan Houser
 
2024 Security Outlook & Essential Security Practices
Dan Houser
 
Hacking and Armoring Identity Ecosystems: When MFA Isn't Good Enough Any Longer
Dan Houser
 
Driving Change and Resilience: Aligning Cybersecurity with Organizational St...
Dan Houser
 
2013 (ISC)² Congress: This Curious Thing Called Ethics
Dan Houser
 
Securing Big Data and the Grid
Dan Houser
 
RSA2008: What Vendors Won’t Tell You About Federated Identity
Dan Houser
 
The Challenges & Risks of New Technology: Privacy Law & Policy
Dan Houser
 
Perimeter Defense in a World Without Walls
Dan Houser
 
Risk Based Planning for Mission Continuity
Dan Houser
 

Recently uploaded (20)

PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PDF
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PPTX
E -tech empowerment technologies PowerPoint
kylebalatero12
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
Internet___Basics___Styled_ presentation
poonam62133
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
E -tech empowerment technologies PowerPoint
kylebalatero12
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 

Digital Deception: Raising the Stakes on Hackers

  • 1. © 2005 Dan Houser, All Rights Reserved Digital Deception: Raising the Stakes on Hackers Dan Houser, CISM, CISSP, ISSAP
  • 2. Overview Changes in Hacker Space Weather & Early warning systems Dirty Deeds Done Dirt Cheap Big Freakin’ Haystack Introduction • Emulation of 16 million node network • Intrusion Management Network What next? Q&A
  • 3. Goals… Use of Digital Deception Confuse, Harass, Confound the enemy Dramatically, drastically, overwhelmingly increase the economic cost of system scanning and worm target acquisition Make script kiddy and worms infeasible Force a paradigm shift We are locked in a cold-war arms race, where only the arms dealer wins.
  • 5. Old school attack Lone interloper targets major firm Studies publicly available information Hangs out at local pub, befriends sales team Dumpster dives to obtain manuals, phone lists Uses war-dialer to find modems & remote hosts Uses social engineering to obtain passwords Dials up hosts, logs in, mayhem & mischief
  • 6. “Modern” attack Lone interloper targets IP range Downloads script kiddy tools Scans IP range looking for vulnerable hosts Port scans hosts looking for exploitable services Uses exploit tool, mayhem & mischief Target selection now a target of opportunity… indiscriminate attack
  • 7. Make your real servers look bogus  Save all .ASP code as .CGI files, perl as .ASP  Configure responses from Apache that mimic IIS  Open dummy NetBIOS ports on Unix servers  Open bogus 21, 23, 25, 80 & 443 ports on all servers, with netcat listening on the bogus ports  Call your database server “Firewall”  Route bogus traffic to IDS network Confuse and harass attackers
  • 8. Worms hit 10,000 networks at once…
  • 9. What we need is early warning
  • 10. Hide in the open: Big freakin’ haystack  Virtual honeynets + Intrusion Management  Create server that emulates address range: 10.x.x.x  Open tons of ports: 20, 21, 23, 25, 37, 42, 43, 49, 67, 68, 69, 80, 109, 110, 137-139, 389, 443, 666, 6667  Emulate good hosts: MS-Exchange, Solaris/Oracle, MS- SQL, RedHat/Apache/Tomcat, WinXP Pro  Emulate bad boxes: botnet servers, Warez server, trojaned workstations, Win95 workstation, backdoor  Honeyd likely tool, or at least a starting point
  • 11.  Convert unused address space into decoy tripwire nets - 16,320,000 decoys to 200 "real" servers  Stop swallowing packets: route unreachable hosts to the virtual honeynet  190,000 decoys per “real” server = 99.9995% detection  Any hits are malicious – route to IDS / IPS • Research attack profile. • Throttle attack / drop packets • Block attackers for 1 hour, 2 hours, 24 hours, 1 week.  You’ve gained breathing room to respond to real attacks Hide in the open: Big freakin’ haystack
  • 12. Router Real Network BFH Emulator IDS Config IPS Hide in the Open: Big Freakin’ Haystack
  • 14. Hide in the open
  • 15. The fun has just begun… LaBrea: SYN/ACK, TCP Window size = 0 (wait) • Use Tarpit to freeze a scan, run on random port • Freezes Windows-based scanners up to 4 minutes • Change window size to vary randomly, 0-15 • Scanning 10,000 hosts takes 27 days. • Detecting 100 unpublished hosts in Class B network would take approximately 110 days • Detecting 100 unpublished hosts in Class A would take approximately 112 years
  • 16. Storm Surge Mode: active re-configuration • Suppose your “standard” BFH net emulates: 25% Apache/Tomcat on RedHat 7 25% Win2003 / SQL-Server 25% Lotus Notes/Domino on Win2k Server 25% Oracle 9i on Solaris • IDS telemetry reports spike in Win2k attacks • BFH configuration changes: 30% Win2000 / SQL 6.5 30% Win2000 / Exchange 30% Win2000 / IIS 10% Allocated among 30 other server/workstation images The fun has just begun…
  • 17. • Virtual honeynets: Make legitimate servers look like bogus servers. • Make all servers (fake & real) look identical • BFH in your internal network  Malware outbreaks see your network with 16 million hosts  Ability to detect worms while slowing spread by 600x • Simulate sendmail open relays – Death to Spam!! • If all Class A, B & C networks ran BFH:  Emulation of 12,493,209,429,306 bogus hosts  Port scans & profiling a thing of the past • Worms and script kiddies would be economically infeasible. The fun has just begun…
  • 18. Where do we go from here? Tactical changes Strategic changes Open source vs. commercial Platform Network changes? • Firewall, router, switch, smart-switch, blades Unintended consequences: little guys get beat up Interactive, collaborative BFHnet Do we even NEED a firewall anymore, with BFH?
  • 19. Summary Stop script kiddies for $30k, seems like reasonable ROI Imagine if every class A, B & C network ran BFH • Emulation of 12,493,209,429,306 bogus hosts • Port scanning infeasible, profiling a moot point
  • 20. Q&A
  • 21. Contact Information Contact info: guru@xota.net Further info: “Submarine Warfare”, August 2003 issue of InformationSecurity Magazine: http://infosecuritymag.techtarget.com Big Freakin’ Haystack Initiative: http://sourceforge.net/projects/bfhi Some images courtesy of The Weather Channel, NASA. Trogdor the BURNiNATOR image courtesy homestarrunner.com