FORTH’s Honeypots CIPSEC workshop Frankfurt 16/10/2018

Presentation transcript:

FORTH’s Honeypots
CIPSEC workshop, Frankfurt, 16/10/2018
Manos Athanatos, FORTH
Co-funded by the Horizon 2020 Framework Programme of the European Union

Honeypot - What is it?
- A non-production computer resource whose task is to be probed, attacked, compromised or accessed in any other unauthorized way.
- It could be: a piece of information/data, a service, an application, an entire system.
- It has: no ordinary users, no regular services.
- Like an “undercover” computer which is built to be an “easy” target for the attacker and waits to be compromised: a trap for attackers.

Notes: So what is a honeypot? We can define a honeypot as a non-production computer resource whose task is to be probed, attacked, compromised or accessed in any other unauthorized way. It could either be … It has …. So it is more like a trap for attackers, an undercover computer …

Honeypot - How it works?
- Honeypots are deployed in the network.
- They mimic the behavior of a server.
- They listen on an unused IP range.
- A possible attacker probes the unused IPs for services.
- Honeypots reply and interact with the entity.
- Entities attempting to communicate with honeypots are by default suspicious.
- Activity between entities and honeypots is monitored: commands executed, files downloaded, links visited.
- The attacker IP is blacklisted to prevent potential attacks; firewalls can be updated to block traffic from this IP address.

Notes: Usually honeypots are deployed in the network of an institution we want to protect and mimic the behavior of a real server. Honeypots are given an unused IP range (aka IP dark space) and listen on one or more ports for incoming connections. Attackers probe the unused IPs and scan for vulnerable services. Honeypots reply to the requests and interact with the possible attacker. By definition, all entities communicating with honeypots are considered suspicious. All activity between the honeypots and the possible attacker is monitored and stored, for example commands executed … With the assistance of firewalls, the IP of the attacker is blacklisted and this particular traffic gets blocked in order to prevent potential attacks.

Honeypots Classification - Type of attacked resources
Indicates whether the honeypot’s resources are exploited in server or client mode.
- Server Side Honeypots
  - Act like a real server
  - Mimic network services
  - Listen on their standard ports
  - Monitor any connections initiated by remote clients
  - Detect scanning worms or manual attack attempts
- Client Side Honeypots
  - Employ a set of client applications (e.g. web browser)
  - Connect to remote services
  - Monitor the activity and the remote content
  - Detect malicious behavior and content online

Notes: The first criterion to categorize honeypots is by the type of the attacked resources. So, depending on whether the resources of the honeypot are exploited in server or client mode, we have server side honeypots and client side honeypots. …

Honeypots Classification - Level of interaction
Indicates whether the honeypot’s resource is a real one, an emulated one or of a mixed type.
- Low Interaction Honeypots: resources are emulated
  - Services (for server side honeypots)
  - Applications (for client side honeypots)
- High Interaction Honeypots: provide real OS, services and applications
- Hybrid Honeypots: combine both low and high interaction honeypots

Notes: Another criterion to categorize honeypots is by the level of interaction with the attacker. Thus there are low interaction honeypots, where all resources are fully emulated. That includes emulated services for server side honeypots and emulated applications in the case of client side honeypots. On the other hand there are high interaction honeypots, which provide real operating systems, services and applications. In this case the resources are real and not emulated by the system. Finally we have the hybrid honeypots that combine both low and high interaction honeypots for the detection of the attacks.

Honeypots VM tool - Components
- Ubuntu VMs with pre-installed software
  - Dionaea Honeypot
  - DDoS tool
  - ICS/SCADA honeypot
  - Kippo SSH Honeypot
- REST API server for remote access
  - Communication with the control panel over SSL
- Logs aggregator
  - XMPP server
  - Central PostgreSQL database
  - Incidents stored in a unified format
- Web based control panel
  - Remote administration of VMs
  - Visualization of attacks
  - Monitoring of honeypots’ VM performance
- Extra features include:
  - LDAP authentication for users
  - Delivery of personalized alerts via email in PDF format

Notes: Our tool, which is used as a security solution in the CIPSEC framework, is an Ubuntu 12.04 VM with the Dionaea and Kippo honeypots pre-installed. The VM also includes a custom REST API server used for remote access and communication with the control panel over SSL. Additionally there is an XMPP protocol server which aggregates logs from all honeypots’ VMs and stores them in a central PostgreSQL database, in a unified format. Finally there is a web based control panel which is used for …

Dionaea Honeypot
- Dionaea is a low interaction honeypot
- Uses Python to emulate well known services: HTTP, HTTPS, FTP, TFTP, SMB, MSSQL, MySQL
- Accurate implementation of the Server Message Block (SMB) protocol
  - Provides share access to printers and files (port 445)
  - Popular target for worms and bots to spread
- Modular architecture: new protocols can be emulated and added
- Supports IPv6
- Good performance and stability: can monitor many IP addresses simultaneously

Notes: The first honeypot used by our system is the Dionaea honeypot. Dionaea is a multi-purpose low interaction honeypot which emulates well known services such as HTTP, … by using the Python scripting language. It provides an excellent implementation of the Server Message Block (SMB) protocol, which is used by worms and bots in order to spread. This service operates over port 445 and is used to provide shared access to files, printers and serial ports. Dionaea uses a modular architecture which enables new protocols to be emulated and added to the system by the user, so the user is able to emulate any protocol in Dionaea. It supports both IPv4 and IPv6, and from our experience it is very stable and demonstrates good performance when monitoring many IPs at the same time.
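The emulate-and-log design described above, shown as an added example that is not Dionaea’s own code: a minimal low-interaction core in which each protocol emulator is a function registered under a name and standard port, every client line is recorded as an event, and a scripted client stands in for the TCP socket so the code runs offline. The FTP emulator, `register`, `Session` and `run_session` are constructed for this illustration; the point is that adding a protocol means registering one more handler, and that the emulator never serves real data.

```python
"""Minimal low-interaction honeypot core with a pluggable protocol registry.

Constructed example (not Dionaea's code). Each protocol emulator is a small
state machine: it receives one client line and returns (response, closed).
The core records every exchange, because a honeypot has no legitimate users
and therefore every request is evidence.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Emulator signature: (per-session state, client line) -> (reply, session closed?)
Emulator = Callable[[dict, str], Tuple[str, bool]]

# name -> (standard port, greeting banner, handler). New protocols are added
# by registering another handler; nothing else in the core changes.
REGISTRY: Dict[str, Tuple[int, str, Emulator]] = {}


def register(name: str, port: int, banner: str) -> Callable[[Emulator], Emulator]:
    """Decorator that adds a protocol emulator to REGISTRY."""
    def wrap(fn: Emulator) -> Emulator:
        REGISTRY[name] = (port, banner, fn)
        return fn
    return wrap


@register("ftp", 21, "220 FTP server ready.")
def ftp_emulator(state: dict, line: str) -> Tuple[str, bool]:
    """Fake FTP control channel: accepts any credentials, serves no real data."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        state["user"] = arg
        return "331 Please specify the password.", False
    if verb == "PASS":
        state["password"] = arg          # credentials tried are worth keeping
        state["authenticated"] = True    # always "succeed" to keep the peer talking
        return "230 Login successful.", False
    if verb == "QUIT":
        return "221 Goodbye.", True
    if not state.get("authenticated"):
        return "530 Please login with USER and PASS.", False
    return "550 Permission denied.", False   # never hand out real content


@dataclass
class Session:
    """One remote peer talking to one emulated service."""
    protocol: str
    peer_ip: str
    events: List[dict] = field(default_factory=list)
    state: dict = field(default_factory=dict)

    def banner(self) -> str:
        return REGISTRY[self.protocol][1]

    def feed(self, line: str) -> Tuple[str, bool]:
        """Hand one client line to the emulator and log the exchange."""
        handler = REGISTRY[self.protocol][2]
        response, closed = handler(self.state, line)
        self.events.append({"src": self.peer_ip, "proto": self.protocol,
                            "request": line.strip(), "response": response})
        return response, closed


def run_session(protocol: str, peer_ip: str, client_lines: List[str]) -> Session:
    """Drive an emulator with a scripted client (offline stand-in for a TCP socket)."""
    session = Session(protocol, peer_ip)
    for line in client_lines:
        _, closed = session.feed(line)
        if closed:
            break
    return session


if __name__ == "__main__":
    # Constructed sample interaction from a documentation-range address
    demo = run_session("ftp", "198.51.100.7", ["USER admin", "PASS admin", "LIST", "QUIT"])
    print(demo.banner())
    for ev in demo.events:
        print(f"{ev['src']} {ev['proto']} > {ev['request']!r} < {ev['response']!r}")
```

A real deployment wraps `Session` in a TCP server bound to the dark-space addresses on each registered port and ships `events` to the log aggregator; the emulator logic itself stays unchanged.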

Kippo Honeypot
- Kippo emulates the SSH service
- Provides high level accuracy
- Implemented in Python
- Emulates a Debian filesystem
  - Provides content for some files (e.g. /etc/passwd)
- Stores all files that are downloaded
  - Simulates the wget and curl commands
- Stores all commands executed
  - Enables the analyst to replay the commands
- Good performance and stability: can monitor many IP addresses simultaneously

Notes: The second honeypot which is currently used in our solution is the Kippo SSH honeypot. Kippo is implemented in Python and provides high level accuracy in emulating the SSH service. This honeypot also provides files and their content by emulating a real Debian filesystem. It stores all files that are downloaded by the attacker by simulating the wget and curl commands, and it enables the user to replay the attacker's commands by storing all the commands executed in a format suitable for replay. Like Dionaea, Kippo is very stable and performs very well when monitoring a large range of IP addresses.

ICS/SCADA Honeypot
- Conpot emulates SCADA services
- Supports 12 known protocols including Modbus, HTTP, BACnet, FTP, ENIP, IPMI, S7comm and more
- Basic emulation capabilities
- Implemented in Python
- Modified for CIPSEC to provide logging via syslog
- Easy to configure/use
- Low logging capabilities

FORTH’s DDoS Tool
- Detects DoS amplification attack attempts
- Able to monitor attacks targeting multiple protocols such as DNS, NetBIOS, NTP, SNMP and more
- Provides syslog output to the ATOS XL-SIEM
- Visualisation of the detected events in the unified CIPSEC dashboard
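The kind of detection the slide describes, as an added example that is not FORTH’s tool: UDP requests arriving at dark-space addresses are bucketed per source and service, and a burst of requests for amplification-prone operations (DNS ANY, NTP monlist, SNMP GetBulk, NetBIOS name status) inside a sliding window raises an alert that is formatted as a syslog line for SIEM ingestion. The record format, the protocol table, the amplification factors and the thresholds are assumptions of this example. One caveat worth keeping in mind: in a reflection attack the source address the sensor sees is normally the spoofed address of the intended victim, so the alert names a party to notify, not an address to block.

```python
"""Detector for DoS amplification attempt traffic seen on a dark-space sensor.

Constructed example, not FORTH's tool. Input records describe UDP requests
arriving at the monitored unused addresses. Nothing legitimate queries those
addresses, so a burst of requests whose replies would be much larger than the
request means the sensor is being used as a reflector. Alerts are formatted
as syslog lines.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# UDP services commonly abused as reflectors and the request tokens whose
# replies are disproportionately large. The factors are illustrative orders of
# magnitude for this example, not measurements.
AMPLIFIERS: Dict[int, Tuple[str, Dict[str, float]]] = {
    53: ("dns", {"ANY": 50.0, "TXT": 20.0}),
    123: ("ntp", {"MONLIST": 500.0}),
    161: ("snmp", {"GETBULK": 600.0}),
    137: ("netbios", {"NBSTAT": 3.5}),
}
WINDOW_SECONDS = 10      # sliding window length
THRESHOLD = 5            # requests per (source, service) inside one window
MIN_AMPLIFICATION = 3.0  # ignore requests that cannot amplify meaningfully


def parse_record(line: str) -> dict:
    """Parse a constructed record: 'ISO-timestamp src dst dport token bytes'."""
    ts, src, dst, dport, token, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "token": token.upper(), "bytes": int(size)}


def amplification_factor(rec: dict) -> float:
    """Expected reply-to-request size ratio; 0 for services that do not amplify."""
    if rec["dport"] not in AMPLIFIERS:
        return 0.0
    return AMPLIFIERS[rec["dport"]][1].get(rec["token"], 1.0)


def detect(lines: List[str]) -> List[dict]:
    """One alert per (source, service) whose requests reach THRESHOLD within WINDOW_SECONDS."""
    buckets: Dict[Tuple[str, int], List[dict]] = defaultdict(list)
    for rec in map(parse_record, lines):
        if amplification_factor(rec) >= MIN_AMPLIFICATION:
            buckets[(rec["src"], rec["dport"])].append(rec)

    alerts = []
    for (src, dport), recs in buckets.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most WINDOW_SECONDS
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= THRESHOLD:
                # src is usually the spoofed victim address: notify, do not block
                alerts.append({"src": src, "service": AMPLIFIERS[dport][0],
                               "count": len(recs), "first": recs[0]["ts"],
                               "last": recs[-1]["ts"],
                               "est_factor": max(amplification_factor(r) for r in recs)})
                break  # one alert per bucket
    return alerts


def to_syslog(alert: dict, hostname: str = "honeypot-vm") -> str:
    """RFC 3164-style line; PRI <134> is facility local0, severity informational."""
    stamp = alert["last"].strftime("%b %d %H:%M:%S")
    return (f"<134>{stamp} {hostname} ddos-detector: amplification_attempt "
            f"src={alert['src']} service={alert['service']} requests={alert['count']} "
            f"window={WINDOW_SECONDS}s est_factor={alert['est_factor']:.0f}")


# Constructed sample: a DNS ANY burst, two NTP monlist requests, plain A queries
# (no amplification) and SNMP GetBulk requests too slow to fill a window.
SAMPLE_RECORDS = """\
2018-10-16T10:00:00 198.51.100.7 10.0.0.5 53 ANY 64
2018-10-16T10:00:01 198.51.100.7 10.0.0.5 53 ANY 64
2018-10-16T10:00:02 198.51.100.7 10.0.0.6 53 ANY 64
2018-10-16T10:00:03 198.51.100.7 10.0.0.5 53 ANY 64
2018-10-16T10:00:04 198.51.100.7 10.0.0.7 53 ANY 64
2018-10-16T10:00:05 198.51.100.7 10.0.0.5 53 ANY 64
2018-10-16T10:00:00 198.51.100.9 10.0.0.5 123 MONLIST 48
2018-10-16T10:00:01 198.51.100.9 10.0.0.5 123 MONLIST 48
2018-10-16T10:00:00 192.0.2.4 10.0.0.5 53 A 40
2018-10-16T10:00:01 192.0.2.4 10.0.0.5 53 A 40
2018-10-16T10:00:02 192.0.2.4 10.0.0.5 53 A 40
2018-10-16T10:00:00 203.0.113.20 10.0.0.5 161 GETBULK 70
2018-10-16T10:00:08 203.0.113.20 10.0.0.5 161 GETBULK 70
2018-10-16T10:00:16 203.0.113.20 10.0.0.5 161 GETBULK 70
2018-10-16T10:00:24 203.0.113.20 10.0.0.5 161 GETBULK 70
2018-10-16T10:00:32 203.0.113.20 10.0.0.5 161 GETBULK 70
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS.splitlines()):
        print(to_syslog(alert))
```

Only the DNS ANY burst trips the detector on the sample data: the NTP pair never reaches the threshold, the A queries are filtered out because they do not amplify, and the SNMP requests are too far apart to fit five into one window.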

Honeypots’ VM tool - Workflow
- Security Administrator
  - Initializes the Honeypots’ VM in the network that needs to be protected. They can choose which honeypots to enable (Dionaea Honeypot, DDoS tool, ICS/SCADA honeypot, Kippo SSH Honeypot).
  - Through the Control panel initializes the Honeypots’ VM: applies a unique ID to the sensor, configures the monitored IP dark space, starts all services.
  - Automated update and patching mechanism.
- Honeypots monitor the network for attacks
  - Attackers discover services and try to compromise them.
  - Honeypots track their activity.
- Honeypots’ logs are sent to the ATOS XL-SIEM and stored in a database.
- The CIPSEC Integrated Dashboard visualizes the attacks.

Notes: So the procedure for a critical infrastructure to protect its assets by using the Honeypots’ VM tool is the following. First, the critical infrastructure administrator loads the Honeypots VM on a server inside the network that needs to be protected. Through the control panel the administrator initializes the Honeypots’ VM by applying a unique ID to the sensor, configuring an IP dark space for monitoring and starting all the appropriate services. After the successful registration, the Dionaea and Kippo honeypots monitor the network for attacks. When attackers try to compromise the emulated services, the honeypots track all their activity and send the logs to the XMPP log aggregation server. The XMPP server feeds the database with logs, and the Control panel visualizes the attack incidents and exports ACLs which can be imported to firewalls to prevent attacks.
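The back half of this workflow, and the blacklist-and-update-the-firewall step from the “How it works” slide, as one added example that is not the CIPSEC tool’s code: raw sensor lines are normalised into a single incident record carrying the sensor ID, and the distinct attacker addresses are exported as firewall rules. The raw line layouts imitate Dionaea and Kippo only loosely and are constructed for this example (the real log formats differ), as are the field names of the unified record, the `iptables` rule shape and the protected address ranges. Sources inside the institution’s own ranges are deliberately kept out of the ACL: a hit from there is an internal incident to investigate, not an address to drop at the perimeter.

```python
"""Normalise honeypot events into one incident format and export a firewall ACL.

Constructed example, not the CIPSEC tool's code. The raw lines imitate, in a
simplified made-up layout, what Dionaea and Kippo sensors report; real log
formats differ. The unified record is what a central store or SIEM would
index; the ACL export turns external attacker IPs into iptables rules for
an administrator to review before import.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Ranges that must never be blocked on the honeypot's evidence alone: the
# institution's own networks (an attacker here is an internal incident).
PROTECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]

DIONAEA_RE = re.compile(
    r"^(?P<ts>\S+) dionaea: connection (?P<proto>\w+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) <- (?P<src>[\d.]+):(?P<sport>\d+)$")
KIPPO_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) kippo: (?P<src>[\d.]+) login attempt "
    r"\[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$")
KIPPO_CMD_RE = re.compile(r"^(?P<ts>\S+) kippo: (?P<src>[\d.]+) CMD: (?P<cmd>.*)$")


def normalise(line: str, sensor_id: str) -> Dict:
    """Map one raw sensor line to the unified incident record."""
    base = {"sensor_id": sensor_id}
    m = DIONAEA_RE.match(line)
    if m:
        return {**base, "timestamp": m["ts"], "source": "dionaea", "category": "connection",
                "src_ip": m["src"], "src_port": int(m["sport"]),
                "dst_ip": m["dst"], "dst_port": int(m["dport"]), "detail": m["proto"]}
    m = KIPPO_LOGIN_RE.match(line)
    if m:
        return {**base, "timestamp": m["ts"], "source": "kippo", "category": "login_attempt",
                "src_ip": m["src"], "src_port": None, "dst_ip": None, "dst_port": 22,
                "detail": f"{m['user']}/{m['pw']} {m['result']}"}
    m = KIPPO_CMD_RE.match(line)
    if m:
        return {**base, "timestamp": m["ts"], "source": "kippo", "category": "command",
                "src_ip": m["src"], "src_port": None, "dst_ip": None, "dst_port": 22,
                "detail": m["cmd"]}
    raise ValueError(f"unrecognised sensor line: {line!r}")


def _is_protected(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_NETWORKS)


def export_acl(incidents: Iterable[Dict]) -> List[str]:
    """One iptables DROP rule per distinct external attacker address."""
    blocked = {ipaddress.ip_address(inc["src_ip"]) for inc in incidents
               if not _is_protected(inc["src_ip"])}
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


def internal_sources(incidents: Iterable[Dict]) -> List[str]:
    """Addresses from protected ranges that touched a honeypot: escalate, do not block."""
    return sorted({inc["src_ip"] for inc in incidents if _is_protected(inc["src_ip"])})


# Constructed sample lines (documentation-range addresses; layouts are invented).
SAMPLE_LINES = [
    "2018-10-16T09:58:12Z dionaea: connection tcp 10.0.0.5:445 <- 198.51.100.7:51022",
    "2018-10-16T09:58:13Z dionaea: connection tcp 10.0.0.6:1433 <- 198.51.100.7:51023",
    "2018-10-16T09:59:01Z kippo: 198.51.100.22 login attempt [root/123456] failed",
    "2018-10-16T09:59:03Z kippo: 198.51.100.22 login attempt [root/password] succeeded",
    "2018-10-16T09:59:10Z kippo: 198.51.100.22 CMD: uname -a",
    "2018-10-16T10:01:44Z dionaea: connection tcp 10.0.0.5:445 <- 10.0.0.9:40012",
]

if __name__ == "__main__":
    incidents = [normalise(line, "sensor-01") for line in SAMPLE_LINES]
    for rule in export_acl(incidents):
        print(rule)
    print("internal sources to investigate:", internal_sources(incidents))
```

Running it on the sample produces two DROP rules (for 198.51.100.7 and 198.51.100.22) and lists 10.0.0.9 separately as an internal source that contacted the SMB honeypot.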

Honeypots VM tool - Architecture
[Architecture diagram of the Honeypots VM tool; not reproduced in the transcript]

Notes: We can now see in a graphic representation the whole architecture of the tool.

CIPSEC Integrated Dashboard – Honeypots View

Notes: General statistics first.

CIPSEC Framework Reference Architecture

Partners’ role in CIPSEC Reference Architecture
Diagram labels: Critical Infrastructure Platform, CIPSEC Core Framework, Compliance Management, System manager.
- User/System manager Layer: Contingency plan, Recommendations
- Presentation Layer: Forensics Analysis, Visualization tool, Dashboard
- Data Processing Layer: Anonymized Sensitive Data, Historic anomalies DB, Forensics service, Data anonymization and Privacy, Updating/Patching
- Detection Layer: Compliance Management, Anomaly detection reasoner
- Acquisition Layer: External Security Services (Future security services plugged), Endpoint Detection and Response, Vulnerability Assessment, Identity Access Management, Integrity Management, Crypto services, Network Security (DPI firewalls, routers with ACL, network segmentation, DMZ, NAC, etc.)
- Critical Infrastructure Components (sensors, computers, network, servers, routers, …)
- User Training

Thanks for your attention! Questions?
Contact:
- Project Coordinator: Antonio Álvarez, ATOS, antonio.alvarez@atos.net
- Technical Coordinator: Sotiris Ioannidis, FORTH, sotiris@ics.forth.gr
www.cipsec.eu
@CIPSECproject
https://www.linkedin.com/in/cipsec-project/
https://www.youtube.com/channel/UCekxicSFAwZdIPAV3iLHttg
CIPSEC Technical Review Meeting, Barcelona, 22/11/2017