How to Make a Honeypot Stickier (SSH*)
lessons learned by Splunk Security Research
Honeypots Work
Agenda
● Introduction
● The data challenge
● First experiment
● Analysis methodology
● Next steps - KLAPP
whoami
● Former Prolexic/Akamai Architect
● Co-founded Zenedge, which was acquired by Oracle
● Long time Splunker, recently returned to do research
The Data Challenge
● Discover and characterize techniques used in the
exploitation of “vulnerability X” in the wild.
● Determine what’s *actually* targeting our environment.
● Gives us attacker context
Threat Intel does NOT address the data challenge
Why Splunk Security Research Uses Honeypots
1. Lure would-be attackers to a faux system and then capture data regarding their movements and attack techniques
2. Programmatically produce Splunk Enterprise Security Content Update (ESCU) content
3. Cover relevant attacks happening in the wild (especially those without POC exploit code)
Our Goals
● Collect downloads, payloads, connections, and behaviors
● Emulate and manipulate common system parameters
● Ensure that our system was easy to deploy/distribute/build
● Include sane logging, ideally feeding Splunk
We selected Cowrie, a fork of Kippo.
Before and After
Countries
Just Connections vs Interaction
Files Dropped
Our Response
GIF of Attacker Here
Change Cowrie to emulate an Ubuntu 14.04 instance running on AWS by updating the configuration in /home/cowrie/cowrie/etc/cowrie.cfg
● hostname: defaults to svr04, which is a dead giveaway that this is a Cowrie instance. You will want to change this
● interactive_timeout: defaults to 180; increase it to 300 so that we do not disconnect potential attackers on a bad connection early
● kernel_version: critical that this is updated to reflect the kernel you want to emulate (uname -r on the reference host). In our case, the default kernel installed with Ubuntu 14.04 is 3.13.0-158-generic
● kernel_build_string: same as above (uname -v); each OS is slightly different. In our case it was #208-Ubuntu SMP Fri Aug 24 17:07:38 UTC 2018
● version: the SSH banner to display to a connecting client (in the [ssh] section). Make sure this matches your OS's banner. In our case, for a default install, this is: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
Change Cowrie to emulate an Ubuntu 14.04 instance running on AWS by updating /home/cowrie/cowrie/etc/userdb.txt
● Add the new user names that failed authentication
● Exclude the admin user, as it was creating lots of noise
Change Cowrie to emulate an Ubuntu 14.04 instance running on AWS by updating /home/cowrie/cowrie/share/cowrie/fs.pickle
● Update the emulated file system to match the host you want to emulate
● Cowrie ships with a great tool for this. Run it on the reference Ubuntu 14.04 host (not on the honeypot, or you snapshot the honeypot's own disk), then install the resulting pickle as the honeypot's fs.pickle. The -p flag also captures /proc; /dev is not emulated:
~/cowrie/bin/createfs -l /. -o ~/cowrie/share/cowrie/ubuntu14.04.pickle -p
Change Cowrie to emulate a Ubuntu 14.04 Instance running on AWS by:
Changing in /home/cowrie/cowrie/share/cowrie/txtcmds
● Update common commands prebuilt outputs
● We saw attackers commonly use:
○ bin/dmesg
○ bin/mount
○ bin/lscpu
○ bin/df
○ usr/bin/lscpu
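The four edits above are one procedure, so here is the whole of it as a script. This is an added example, not code from the talk or from the Cowrie project: it writes the etc/cowrie.cfg override, etc/userdb.txt and the txtcmds files into a Cowrie tree, then reads the config back and lists any field still at a Cowrie default. The kernel, build string and banner constants are the ones quoted on the slides; the hostname is an assumed EC2-style name, the Cowrie defaults in COWRIE_TELLS are taken from a 2018-era cowrie.cfg.dist (check yours), and the createfs step is only printed because it must run on the reference host.

```python
"""Apply the 'Ubuntu 14.04 on AWS' fingerprint from the slides to a Cowrie tree.

Added example, not code from the talk or the Cowrie project.
"""
import configparser
import shlex
from pathlib import Path

# Values quoted in the talk for a stock Ubuntu 14.04 AMI. Regenerate for your own
# image: `uname -r`, `uname -v`, and the banner from `nc -v <host> 22 </dev/null`.
UBUNTU_1404_AWS = {
    "hostname": "ip-172-31-20-5",   # assumption: an EC2-style name, anything but svr04
    "interactive_timeout": "300",
    "kernel_version": "3.13.0-158-generic",
    "kernel_build_string": "#208-Ubuntu SMP Fri Aug 24 17:07:38 UTC 2018",
    "ssh_version": "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10",
}

# Stock values from a 2018-era cowrie.cfg.dist (assumption: compare with your .dist).
COWRIE_TELLS = {
    "hostname": "svr04",
    "kernel_version": "3.2.0-4-amd64",
    "kernel_build_string": "#1 SMP Debian 3.2.68-1+deb7u1",
    "ssh_version": "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2",
}


def write_cowrie_cfg(root: Path, profile: dict) -> Path:
    """Write etc/cowrie.cfg; Cowrie layers it over etc/cowrie.cfg.dist, so only
    the keys we override need to appear here."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '#' and '%' verbatim
    cfg["honeypot"] = {k: profile[k] for k in
                       ("hostname", "interactive_timeout", "kernel_version", "kernel_build_string")}
    cfg["ssh"] = {"version": profile["ssh_version"]}
    path = root / "etc" / "cowrie.cfg"
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cfg.write(fh)
    return path


def write_userdb(root: Path, observed_logins, deny=("admin",)) -> Path:
    """Write etc/userdb.txt (user:uid:password). '*' accepts any password, a '!'
    prefix rejects that exact password. Accepting the usernames attackers actually
    tried lets their next guess succeed, which is what keeps them in the shell."""
    lines = ["root:x:!root", "root:x:*"]  # refuse root/root, accept any other root password
    for user in sorted(set(observed_logins)):
        if user != "root" and user not in deny:  # admin was pure noise in the talk's data
            lines.append(f"{user}:x:*")
    path = root / "etc" / "userdb.txt"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("\n".join(lines) + "\n")
    return path


def write_txtcmds(root: Path, outputs: dict) -> list:
    """One static file per command path under share/cowrie/txtcmds/. Capture the
    text on the reference host (e.g. `dmesg > dmesg.txt`) rather than inventing it."""
    base = root / "share" / "cowrie" / "txtcmds"
    written = []
    for cmd, text in outputs.items():
        dst = base / cmd
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_text(text)
        written.append(dst)
    return written


def createfs_command(output="share/cowrie/fs.pickle") -> str:
    """Run this ON the reference Ubuntu host (-p includes /proc), then copy the
    pickle over the honeypot's share/cowrie/fs.pickle."""
    return shlex.join(["bin/createfs", "-l", "/", "-p", "-o", output])


def remaining_tells(root: Path) -> list:
    """Read etc/cowrie.cfg back and list every field still at a Cowrie default."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(root / "etc" / "cowrie.cfg")
    current = {k: cfg.get("honeypot", k, fallback=COWRIE_TELLS[k])
               for k in ("hostname", "kernel_version", "kernel_build_string")}
    current["ssh_version"] = cfg.get("ssh", "version", fallback=COWRIE_TELLS["ssh_version"])
    return [k for k, v in current.items() if v == COWRIE_TELLS[k]]


def apply_profile(root, profile=UBUNTU_1404_AWS, observed_logins=(), txtcmds=None) -> dict:
    root = Path(root)
    return {
        "cowrie_cfg": write_cowrie_cfg(root, profile),
        "userdb": write_userdb(root, observed_logins),
        "txtcmds": write_txtcmds(root, txtcmds or {}),
        "tells": remaining_tells(root),
    }


if __name__ == "__main__":
    import sys
    out = apply_profile(sys.argv[1] if len(sys.argv) > 1 else "/home/cowrie/cowrie",
                        observed_logins=["ubuntu", "pi", "admin"])
    print(out["tells"] or "no Cowrie defaults left in cowrie.cfg")
    print("now run on the reference host:", createfs_command())
```

Feed observed_logins from the usernames in your cowrie.login.failed events; the userdb is ordered, so the explicit root:x:!root denial must stay ahead of the root:x:* wildcard or it never fires.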
Analysis Methodology
1. What rare files were dropped?
2. Does VirusTotal flag them as bad? If not, can we find them in the public domain?
~/virustotal$ hashes=$(ls /home/cowrie/cowrie/var/lib/cowrie/downloads/ | grep -v tmp | grep -v '\.sh$' | grep -v Evlon)
for h in $hashes; do
    python vt_driver.py file-report "$h" | jq   # VT CLI tool (from GitHub); jq pretty-prints the JSON report
    sleep 25                                    # the public VT API is rate-limited to 4 requests/minute
done
Cowrie names each downloaded file by its SHA-256, which is why the directory listing doubles as the hash list; the greps filter out the crud (temp files, shell scripts and the Evlon-named files) before querying VT.
3. Is it known by GreyNoise?
4. Is there POC code out there (exploit-db, Metasploit modules)?
5. Get IOCs -> YARA -> set up a hunting rule in VirusTotal
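Steps 1, 2 and 5 above can be one script rather than a listing piped through grep. The following is an added example, not the talk's vt_driver.py loop and not part of Cowrie: it hashes what is in the downloads directory (content-sniffing instead of trusting names), counts how many sessions dropped each hash from cowrie.json file_download events (fields eventid, shasum, session), looks rare hashes up through a rate-limited callable, and emits a hash-match YARA rule for the ones VirusTotal has never seen. The `report` callable is injected so the script runs offline; vt_report() is the real VT v3 lookup and needs a key in VT_API_KEY.

```python
"""Triage what Cowrie dropped into var/lib/cowrie/downloads/.

Added example; not the talk's vt_driver.py loop and not part of Cowrie.
"""
import hashlib
import json
import time
import urllib.error
import urllib.request
from collections import defaultdict
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def sha256_of(path: Path) -> str:
    """Hash the bytes; Cowrie usually names downloads by SHA-256, but wget/tftp
    drops can keep their own names, so never trust the file name."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> str:
    """Sniff content: `grep -v .sh` only catches scripts saved under a .sh name."""
    head = path.read_bytes()[:4]
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def session_counts(cowrie_json_lines) -> dict:
    """Distinct sessions that downloaded each hash (cowrie.session.file_download)."""
    seen = defaultdict(set)
    for line in cowrie_json_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventid") == "cowrie.session.file_download" and ev.get("shasum"):
            seen[ev["shasum"]].add(ev.get("session"))
    return {h: len(s) for h, s in seen.items()}


class RateLimiter:
    """Space calls to the public VirusTotal quota of 4 requests per minute."""

    def __init__(self, per_minute=4, sleep=time.sleep, clock=time.monotonic):
        self.interval, self.sleep, self.clock, self.last = 60.0 / per_minute, sleep, clock, None

    def wait(self):
        now = self.clock()
        if self.last is not None and now - self.last < self.interval:
            self.sleep(self.interval - (now - self.last))
        self.last = self.clock()


def vt_report(sha256: str, api_key: str):
    """Real lookup (network + key): engines flagging the file, None if VT has never seen it."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}",
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return data["data"]["attributes"]["last_analysis_stats"]["malicious"]


def triage(downloads_dir, cowrie_json_lines, report, max_sessions=2, limiter=None) -> list:
    """Rare, non-script, deduplicated samples with their VT verdict."""
    limiter = limiter or RateLimiter()
    counts = session_counts(cowrie_json_lines)
    results, done = [], set()
    for path in sorted(Path(downloads_dir).iterdir()):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        if digest in done:                  # same payload fetched under two names
            continue
        done.add(digest)
        kind = classify(path)
        if kind == "script" or counts.get(digest, 0) > max_sessions:
            continue                        # scripts are read by hand; common drops are not rare
        limiter.wait()
        results.append({"sha256": digest, "kind": kind,
                        "sessions": counts.get(digest, 0), "vt_malicious": report(digest)})
    return results


def yara_rule(sha256s, name="cowrie_rare_drops") -> str:
    """Hash-match rule for samples VT has not seen; as a VT hunting rule it fires
    when someone later uploads one of them."""
    conds = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in sorted(sha256s))
    return f'import "hash"\n\nrule {name}\n{{\n    condition:\n        {conds}\n}}\n'


if __name__ == "__main__":
    import os, sys
    if len(sys.argv) < 2:
        sys.exit("usage: triage.py <downloads dir> [cowrie.json]")
    logs = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else []
    key = os.environ.get("VT_API_KEY", "")
    found = triage(sys.argv[1], logs, lambda h: vt_report(h, key))
    for r in found:
        print(r)
    print(yara_rule([r["sha256"] for r in found if r["vt_malicious"] is None]))
```

The rarity threshold (max_sessions) is the knob that decides what "rare" means for your sensor population; with many honeypots, count distinct src_ip instead of session to avoid one scanner inflating the number.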
What we learned
● Some actors knew they were in Cowrie
● Analysis timing is key
● Not application-specific: Cowrie emulates a generic SSH host, so it cannot stand in for a particular vulnerable application
Kernel Log APPlication (KLAPP)
● A real operating system rather than an emulated one, so it can support attacks end to end
● Sysdig captures kernel-level (system call) activity from the operating system
● Falco acts as the early-warning system that tells us when a honeypot has been tampered with
● The vulnerable application being monitored ships its own application logs
● An S3 sync tool offloads the sysdig capture files, along with the application and system logs, to an S3 bucket
Diagram here
Sysdig chisels FTW
Give me all system logs         $> sysdig -c spy_logs -r <sysdig capture file>.scap
Show me TCP connections sorted  $> sysdig -c topconns -r <sysdig capture file>.scap
Show me HTTP events             $> sysdig -c httplog -r <sysdig capture file>.scap
Show opened shells              $> sysdig -c list_login_shells -r <sysdig capture file>.scap
Give me all traffic for port 22 $> sysdig -c spy_port 22 -r <sysdig capture file>.scap
Falco’s early warning
DEMO
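KLAPP uses Falco only as the trigger: the first alert that says the box has been tampered with is the cue to snapshot the sysdig capture and logs before the attacker cleans up, which is the "analysis timing" point of the talk. The script below is an added example of that trigger logic, not the talk's KLAPP code and not part of Falco. Run Falco with `-o json_output=true` and pipe its stdout in; the sample lines at the bottom are constructed here in the shape Falco emits (output, priority, rule, time, output_fields). "Write below etc" and "Read sensitive file untrusted" are Falco's stock rule names; "Shell spawned by sshd" and "Log shipper reads syslog" are hypothetical.

```python
"""Turn Falco's JSON alert stream into KLAPP's 'honeypot tampered' signal.

Added example, not the talk's KLAPP code and not part of Falco.
"""
import json
import sys

# Falco priorities, most to least severe (Falco prints them capitalised, e.g. "Warning").
PRIORITY_RANK = {p: i for i, p in enumerate(
    ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"])}


def parse_alert(line: str):
    """Alert dict, or None for the non-JSON startup chatter Falco prints on the same stream."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if "rule" in ev and "priority" in ev else None


def at_least(priority: str, threshold: str) -> bool:
    return PRIORITY_RANK[priority.upper()] <= PRIORITY_RANK[threshold.upper()]


class TamperMonitor:
    """The first alert at or above `threshold` flips the honeypot to 'tampered'.

    That moment is the cue to snapshot the sysdig capture and logs (the S3 sync
    in KLAPP) before the attacker cleans up; later alerts are only counted.
    Rules our own tooling trips (log shipper, capture rotation) go in
    `ignore_rules` so they can never trigger a snapshot."""

    def __init__(self, threshold="WARNING", ignore_rules=()):
        self.threshold = threshold
        self.ignore_rules = set(ignore_rules)
        self.tampered_at = None
        self.by_rule = {}
        self.actions = []

    def feed(self, line: str):
        ev = parse_alert(line)
        if ev is None or ev["rule"] in self.ignore_rules:
            return None
        self.by_rule[ev["rule"]] = self.by_rule.get(ev["rule"], 0) + 1
        if not at_least(ev["priority"], self.threshold):
            return "log"
        if self.tampered_at is not None:
            return "alert"
        self.tampered_at = ev.get("time")
        self.actions.append({"action": "snapshot", "time": ev.get("time"), "rule": ev["rule"],
                             "cmdline": ev.get("output_fields", {}).get("proc.cmdline")})
        return "snapshot"


def watch(lines, **kwargs):
    """Feed every line; return the monitor and the non-None decisions in order."""
    mon = TamperMonitor(**kwargs)
    return mon, [d for d in (mon.feed(line) for line in lines) if d]


# Constructed sample, not a real Falco capture.
SAMPLE_ALERTS = [
    "Falco initialized with configuration file /etc/falco/falco.yaml",
    json.dumps({"output": "12:01:07.100 Notice Shell spawned by sshd (user=ubuntu command=bash)",
                "priority": "Notice", "rule": "Shell spawned by sshd",          # hypothetical rule
                "time": "2019-05-02T12:01:07.100000000+0000",
                "output_fields": {"proc.cmdline": "bash", "user.name": "ubuntu"}}),
    json.dumps({"output": "12:01:09.300 Error File below /etc opened for writing (file=/etc/rc.local)",
                "priority": "Error", "rule": "Write below etc",
                "time": "2019-05-02T12:01:09.300000000+0000",
                "output_fields": {"proc.cmdline": "sh -c echo ... >> /etc/rc.local",
                                  "fd.name": "/etc/rc.local"}}),
    json.dumps({"output": "12:01:10.000 Warning Log shipper read /var/log/auth.log",
                "priority": "Warning", "rule": "Log shipper reads syslog",     # hypothetical, our own tool
                "time": "2019-05-02T12:01:10.000000000+0000",
                "output_fields": {"proc.cmdline": "fluentd", "fd.name": "/var/log/auth.log"}}),
    json.dumps({"output": "12:01:12.500 Warning Sensitive file read (file=/etc/shadow)",
                "priority": "Warning", "rule": "Read sensitive file untrusted",
                "time": "2019-05-02T12:01:12.500000000+0000",
                "output_fields": {"proc.cmdline": "cat /etc/shadow", "fd.name": "/etc/shadow"}}),
]

if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_ALERTS
    mon, decisions = watch(src, ignore_rules=["Log shipper reads syslog"])
    print("tampered at:", mon.tampered_at, "decisions:", decisions)
```

Wire the "snapshot" decision to whatever offloads the capture; the ignore list matters, because a log shipper that reads /var/log will otherwise mark every fresh honeypot as tampered within seconds of boot.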
Key Takeaways
1. High-interaction honeypots provide the best data
2. Honeypot data can be as valuable as threat intel
3. If you are going to mimic an environment, it pays off to make modifications
4. Infrastructure as code makes it easy to operate large-scale honeypot deployments
5. Analysis timing of honeypot data is critical
How to get started
git clone https://github.com/d1vious/klapp-example.git
Thank you
Questions
@d1vious

Editor's Notes

  • #2: How many of you believe honeypots do not work, or are ineffective as a defensive tool? Raise your hands! Now get out, you're wrong!
  • #3: Like many of you, I am sure, I have had my phone number for many years and at this point in time would not change it. I had a bad spam problem, constantly getting calls, and decided to fight back. Here is a recording from one of my battles with telemarketers. Here you see a perfect example of a human being tricked by one; this is proof that honeypots work!
  • #6: Threat intel does not tell me two key things: what exploitation of vulnerability X looks like in the wild, and what's really targeting me (signal versus noise).
  • #7: Analysis of the practical value of threat intel; these are the parting thoughts of Charl van der Walt and Sid Pillarisetty.
  • #8: Find badness to study it for our customers (explain the purpose of the research team at Splunk). We also produce ESCU, which is basically our content packs that detect malware behavior.
  • #12: Inputs and connections: we saw a spike in interaction overall.
  • #13: Which one do you think is the before, and which is the after?
  • #16: We had great success with our changes, but beforehand let me show you what the attackers were doing.
  • #17: Configuration ◦ Changing hostname - defaults to svr04, a dead giveaway that this is a Cowrie instance; you want to change this ◦ interactive_timeout - defaults to 180; I increase it to 300 to make sure we do not disconnect potential attackers from a bad connection early. ◦ kernel_version - critical that this is updated to reflect the kernel you want to emulate; in our case the default one installed with Ubuntu 14.04 is 3.13.0-158-generic ◦ kernel_build_string - same as above, each OS is slightly different; in our case #208-Ubuntu SMP Fri Aug 24 17:07:38 UTC 2018 ◦ version - SSH banner version to display for a connecting client; make sure this matches your OS's. In our case, for a default install, it is: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
  • #19: It even emulates things like /proc, but it does not emulate /dev unfortunately
  • #20: It even emulates things like /proc, but it does not emulate /dev unfortunately
  • #23: It is not perfect but this is ours
  • #25: Should be a flow chart ideally or build up slides
  • #26: Should be a flow chart ideally or build up slides
  • #27: Should be a flow chart ideally or build up slides
  • #28: Should be a flow chart ideally or build up slides
  • #30: Let's eliminate anything that is emulation of a platform. Let's collect everything in a preset data set where we know what to expect (binaries/logs). Deploy an application on top with logging. Analysis timing is key, and hence have an early warning system.
  • #31: Addressed having specific commands mocked. Shipping data. Having it ready to be analysed: strace, bro, lsof.
  • #33: To me this was beautiful!
  • #36: Addressed having specific commands mocked. Shipping data. Having it ready to be analysed: strace, bro, lsof.
  • #37: So let's recap: we know that in many ways honeypots > threat intel. It is easy to deploy a honeypot; it is not extremely valuable without some modification. Here is a tool that will automatically: