O honeynet Project Lognitive.com Disclaimer This is a technical session that contain non- technical content. Get relaxed so to get ready for some details. We will have fun because we will take seriously

O honeynet Project Lognitive.com O honeynet Project Lognitive.com Build a Security Intelligence Center (SiC) Know your enemy tactics and motives Ahmed A. Selim Information Security Consultant

O honeynet Project Lognitive.com Bottom Line How to boost your SoC activity efficiency by introducing a set of intelligence techniques That’s All

O honeynet Project Lognitive.com Overview Offensive Defensive Sword Shield Analyst Attacker Proactive Reactive

O honeynet Project Lognitive.com Good must win!

O honeynet Project Lognitive.com May the force be with you What we really need….. We need a move SoC SiC Security operation Center Security intelligence Center

O honeynet Project Lognitive.com The Answer ? Be bad - Poison the Honey

O honeynet Project Lognitive.com Honeypots “ Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource ” KYE- Know Your Enemy “Honeypot a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.” Wiki “Honeypot is system that through lot of log, that need us to analyze for predicting attacker action, analyze malware or preforming attack …!” The speaker

O honeynet Project Lognitive.com Types of Honeypots Low-interaction – Emulates services, applications, and OS’s – Low risk and easy to deploy/maintain – But capture limited information – attackers’ activities are contained to what the emulated systems allow High-interaction – Real services, applications, and OS’s – Capture extensive information, but high risk and time intensive to maintain – Can capture new, unknown, or unexpected behavior

O honeynet Project Lognitive.com Uses of Honeypots Preventing attacks – Automated attacks – (e.g. worms) “Sticky honeypots” monitor unused IP spaces, and slows down the attacker when probed – Human attacks Confuse the attackers, making them waste their time and resources Detecting attacks – Traditional IDSs generate too much logs, large percentage of false positives and false negatives – Traditional IDSs may be ineffective in IPv6 or encrypted environment – Honeypots generate small data, reduce both false positives and false negatives

O honeynet Project Lognitive.com Uses of Honeypots Responding to attacks – Responding to a failure/attack requires in-depth information about the attacker – If a production system is hacked (e.g. mail server) it can’t be brought offline to analyze – Honeypots can be easily brought offline for analysis, while production not. Research purposes – Research honeypots collect information on threats. Attacking purposes – Simulating legal service for legal users

O honeynet Project Lognitive.com Data Control Mitigate risk of honeynet being used to harm non-honeynet systems Tradeoff need to provide freedom to attacker to learn about him More freedom – greater risk that the system will be compromised Some controlling mechanisms Restrict outbound connections (e.g. limit to 1) IDS (Snort-Inline) Bandwidth Throttling

O honeynet Project Lognitive.com No Data Control Data Control

O honeynet Project Lognitive.com Honeypot Theory Control & Capture

O honeynet Project Lognitive.com Data Capture Capture all activity at a variety of levels. – Network activity. – Application activity. – System activity. Issues – No captured data should be stored locally on the honeypot – No data pollution should contaminate – Admin should be able to remotely view honeynet activity in real time – Must use unified time zone

O honeynet Project Lognitive.com Data Control Mitigate risk of honeynet being used to harm non-honeynet systems Tradeoff need to provide freedom to attacker to learn about him More freedom – greater risk that the system will be compromised Some controlling mechanisms Restrict outbound connections (e.g. limit to 1) IDS (Snort-Inline) Bandwidth Throttling

O honeynet Project Lognitive.com How It Works A highly controlled network – where every packet entering or leaving is monitored, captured, and analyzed. Should satisfy two critical requirements: – Data Control: defines how activity is contained within the honeynet, without an attacker knowing it – Data Capture: logging all of the attacker’s activity without the attacker knowing it Data control has priority over data capture

O honeynet Project Lognitive.com Types of Deployments Gen-I (1999): – served as a proof of concept and were very simple to deploy. – basic mechanisms for fulfilling data control and capture requirements. – Data Control through reveres firewall – Data Collection through IDS

O honeynet Project Lognitive.com Types of Deployments Gen-II (2002): – improved a lot of honeypot features where it provide a high level of interaction with a malicious user – Data Control replace reveres firewall with honeywall – Data Collection using different techniques

O honeynet Project Lognitive.com Do The Right!

O honeynet Project Lognitive.com Control, Capture, Analysis & Act Control – Honeywall/IPTables Capture – User-Mode Linux – UML – Honeyd Analysis – PicViz – Hflaw2 Act – Honey snap – Honeysink – Nebula/Honeycomb

O honeynet Project Lognitive.com Capture: User-Mode Linux - UML Opensource virtualization solution Limited to Linux only Sandbox Self contained virtual honeypot Can be used with image of existing Filesystem Need tool to capture traffic (ex: Snort,system logs)

O honeynet Project Lognitive.com Capture: User-Mode Linux - UML Booting Halting

O honeynet Project Lognitive.com Capture: Honeyd Opensoure low-interactive honeypot. One of the active projects. Simulate wide range of systems & service: – Read Nmap os figureprint format /usr/share/nmap/nmap-os-db  /usr/share/honeyd/nmap.print – Emulate multi-vendor service: /usr/share/honeyd/scripts/ Let’s Configure….

O honeynet Project Lognitive.com Capture: generator.sh Generator.sh, is part of Ohoneynet project. Simple tool to create a low-interagtion Honeynet (upto 254 node) in seconds. Distributed under opensource license

O honeynet Project Lognitive.com Analysis

O honeynet Project Lognitive.com Logs…Logs…Logs Info Sec = logs  Need a way to visualize logs instead of analyzing raw logs Logs dimensions…? Answer Parallel Coordinate

O honeynet Project Lognitive.com Analysis: PicViz The simplest visualization method No need for excessive data processing Only need to know PGDL (PicViz Graphic Description Language) sudo pcv -Tpngcairo apache.log -r -a -o apache.png Lets Check it.....

O honeynet Project Lognitive.com The web server is being used all the time, no difference between daytime and nighttime Only two protocols are being used (that are HTTP/1.1 and HTTP/1.0) Six request types were used. While GET is the main one, there are other interesting requests that we could investigate One request type (actually GET) covers fully the URL axis while other request types seems to cover only a subset.

O honeynet Project Lognitive.com Act: Honeycomb Automated IDS signature generator Plugin integrates with Honeyd Signatures are generated /tmp/honeycomb.log Lets generate.....

O honeynet Project Lognitive.com Raping Up SoC is good idea but we need intelligence for fast response Being a good guy doesn’t mean you don’t think badly Honeypot is a good technique but need good care

O honeynet Project Lognitive.com Ohoneynet Project sponsored by Lognitive.com Create a honeypot framework Framework: offer Control, Capture & analysis Finally with User friendly GUI

O honeynet Project Lognitive.com Ahmed A. Selim Ohoneynet Project Lognitive.net