Distributed Honeynet System Data Capture and Analysis C-DAC Mohali
Overview
Honeynet/Honeypot Technology: Data Collection, Data Control
Honeypot/Honeynet Background
Types of Honeypots
Deployment of Honeypots
Data Collection
Data Control
Data Analysis
Honeypot/Honeynet concepts
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
It has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise.
A honeynet is a highly controlled network where every packet entering or leaving the honeypot system, and the related system activities, are monitored, captured and analyzed.
Its primary value to most organizations is information.
Advantages
Fidelity: information of high value
Reduced false positives
Reduced false negatives
Simple concept
Not resource intensive
Attack Detection Techniques
Proactive Techniques: Honeynets
Defensive Techniques: Anomaly-based, Signature-based
4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 5
How it works: Monitor, Detect, Response
Honeynet Requirements & Standards
Data Control: Contain the attack activity and ensure that compromised honeypots do not further harm other systems. Outbound control without blackhats detecting the control activities.
Data Capture: Capture all activity within the Honeynet and the information that enters and leaves the Honeynet, without blackhats knowing they are being watched.
Data Collection: Captured data is securely forwarded to a centralized data collection point for analysis and archiving.
Attacker Luring: Generating the attacker's interest in attacking the honeynet.
Static: web server deployment, making it vulnerable
Dynamic: IRC, chat servers, hacker forums
Classification
By level of interaction: High, Low, Middle?
By implementation: Virtual, Physical
By purpose: Production, Research
Types of Honeypots
Low-interaction: Emulates services and operating systems. Easy to deploy, minimal risk. Captures limited information.
High-interaction: Provides real operating systems and services, no emulation. Complex to deploy, greater risk. Captures extensive information.
Virtual Honeynet
What Honeynet Achieves
Diverts the attacker's attention from the real network in a way that the main information resources are not compromised.
Captures samples of new viruses and worms for future study.
Helps to build the attacker's profile in order to identify their preferred attack targets and methods.
What value Honeynet adds
Prevention of attacks: through deception and deterrence
Detection of attacks: by acting as an alarm
Response to attacks: by collecting data and evidence of an attacker's activity
GEN III: A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed. Data Capture, Data Control, Data Analysis
Honeynet Gen III
Data Capture Mechanism (diagram): Honeypot (203.100.79.122) running the Sebek client; Honeywall ETH1 (0.0.0.0) capturing with tcpdump (pcap data), iptables, Argus, Snort, p0f and sebekd, plus app logs, sys logs, HIDS and AISD; hflowd converts the data into a unified format in the hflow DB; Walleye GUI web interface on ETH2 (192.168.2.2); ETH0 towards the outside.
Data Capture Tools in Gen 3 Honeynet
Network Level Data Capture (Honeywall): Raw Packet Capture - Tcpdump; Analyzed Packet Capture - Argus, P0f, Snort
System Level Data Capture (Honeypot): System Logs - Syslogd; Kernel Level Logs - Sebek Client-Server
Data Control
Data Control
Purpose: Mitigate the risk of a compromised honeypot being used to harm non-honeynet systems
Count outbound connections (Reverse Firewall)
IPS (Snort-Inline)
Bandwidth Throttling (Reverse Firewall)
IPTABLES packet handling
Data Control: Honeywall reverse firewall rules limiting outbound connections

### Set the connection outbound limits for different protocols.
SCALE="day"
TCPRATE="20"
UDPRATE="20"
ICMPRATE="50"
OTHERRATE="5"

# LAN_IFACE (the honeynet-facing interface) and host (the honeypot IP) are
# assumed to be set earlier in the script. The first rule passes the first
# ${TCPRATE} new outbound TCP connections per ${SCALE} to the tcpHandler chain;
# once that limit is used up, the second rule logs (at most once per ${SCALE})
# and the third drops every further new outbound TCP connection.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} -s ${host} -j tcpHandler
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts"
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
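As an added example (not part of the slides or of the Honeywall), a Python parser over constructed kernel log lines in the shape the LOG rule above produces, counting per honeypot how many outbound connection attempts the reverse firewall dropped, to which ports and to how many distinct destinations; the timestamps, hostname and destination addresses are constructed, the source address is the honeypot from the data capture diagram.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape netfilter's LOG target writes to the
# kernel log for the rule above (prefix "Drop TCP after 20 attempts"); the
# destinations are documentation-range placeholders and the last line is noise.
SAMPLE_LOG = """\
Apr 21 10:15:32 honeywall kernel: Drop TCP after 20 attemptsIN=eth1 OUT=eth0 SRC=203.100.79.122 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=445 SYN
Apr 21 10:15:33 honeywall kernel: Drop TCP after 20 attemptsIN=eth1 OUT=eth0 SRC=203.100.79.122 DST=198.51.100.8 PROTO=TCP SPT=51235 DPT=445 SYN
Apr 21 10:16:01 honeywall kernel: Drop TCP after 20 attemptsIN=eth1 OUT=eth0 SRC=203.100.79.122 DST=198.51.100.9 PROTO=TCP SPT=51240 DPT=6667 SYN
Apr 21 10:20:45 honeywall kernel: Drop UDP after 20 attemptsIN=eth1 OUT=eth0 SRC=203.100.79.122 DST=198.51.100.53 PROTO=UDP SPT=40000 DPT=53 LEN=40
Apr 21 10:21:00 honeywall sshd[1234]: Accepted publickey for admin from 192.168.2.2
"""

# The log prefix is written without a trailing space, so "attempts" runs
# straight into "IN="; the lazy ".*?" copes with that.
DROP_RE = re.compile(
    r"Drop (?P<proto>TCP|UDP|ICMP|OTHER) after (?P<limit>\d+) attempts"
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)(?:.*?DPT=(?P<dpt>\d+))?"
)

def parse_drop_lines(text):
    """One dict per line logged by the outbound-limit LOG rules."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            e = m.groupdict()
            e["limit"] = int(e["limit"])
            e["dpt"] = int(e["dpt"]) if e["dpt"] else None
            events.append(e)
    return events

def summarize(events):
    """Per honeypot: dropped outbound attempts, protocols, destination ports
    and distinct destinations, i.e. what a reverse-firewall hit looks like."""
    per_host = defaultdict(lambda: {"dropped": 0, "protos": Counter(),
                                    "ports": Counter(), "dsts": set()})
    for e in events:
        h = per_host[e["src"]]
        h["dropped"] += 1
        h["protos"][e["proto"]] += 1
        if e["dpt"] is not None:
            h["ports"][e["dpt"]] += 1
        h["dsts"].add(e["dst"])
    return dict(per_host)

if __name__ == "__main__":
    print(summarize(parse_drop_lines(SAMPLE_LOG)))
```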
Distributed Honeynet System
Distributed sensor Honeynet
Configuration / reconfiguration
Central Logging & Alerting
Honeypot management & analysis (forensics take time!)
Network Diagram of Distributed Honeynet System (diagram): Central Database Server; Router; Honeywall; Virtual Switch; Honeypot1 (Nepenthes), Software Bridge and Honeypot2 on a host machine. Sensor networks labelled BSNL N/W /28, CONNECT N/W /27, STPI N/W /28, Airtel N/W /29; Large Enterprise Network (STPI) /27; Broadband Providers (BSNL, CONNECT, AIRTEL) /28, /28, /29.
Life Cycle of Distributed HoneyNet System
Remote Node Architecture
Malware Analysis
Malware Analysis (diagram): Remote Node of DHS and Central server with three modules: (1) Malware Collection Module, (2) Malware Analysis Module, (3) Botnet Tracking. Components shown: Bot Detection Engine, Anti virus, Bot hunter, Botnet Tracking engine, Low-Interaction Honeypot, High Interaction Honeynet, Sandbox (Bot Execution), Malware collection Data Base, Bot Binary database, Botnet Tracking database.
The Central Site of DHS
Main Functions
Data Analysis Steps (diagram): Honeywall reverse firewall rules (control outbound traffic) on ETH0 with iptables; collect & merge the output of tcpdump (pcap data), Argus, Snort, p0f and sebekd from ETH1 (0.0.0.0); hflowd converts it into a unified format in the hflow DB; Walleye GUI web interface on ETH2; Sebek client on the honeypot.
Walleye Web Interface: “Eye on the Honeywall” is a web-based interface for Honeywall configuration, administration and data analysis.
Honeywall Roo Logical Design
Walleye Analysis Interface
Botnet Detection
Introduction
Botnet Problem
Typical Botnet Life Cycle
How Botnet Grows
Challenges for Botnet Detection
Roadmap to Detection System
Botnet Detection Approaches
Our Implemented Approach
Experiments and Results
What Is a Bot/Botnet?
Bot: A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent. Profit-driven, professionally written, widely propagated.
Botnet (Bot Army): network of bots controlled by criminals. Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”
Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
Botnets are used for ...
All DDoS attacks
Spam
Click fraud
Information theft
Phishing attacks
Distributing other malware, e.g., spyware
PCs are part of a botnet!”
Typical Botnet Life Cycle
How the Botnet Grows
IRC Botnet Life Cycle
Challenges for Botnet Detection
Bots are stealthy on the infected machines, so we focus on a network-based solution
Bot infection is usually a multi-faceted and multi-phase process; looking only at one specific aspect is likely to fail
Bots are dynamically evolving
Botnets can have a very flexible design of C&C channels; a solution very specific to one botnet instance is not desirable
Related Work: Network Level
G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic
J. R. Binkley and S. Singh. An algorithm for anomaly-based botnet detection
J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation
C. Livadas, R. Walsh, D. Lapsley, and W. Strayer. Using machine learning techniques to identify botnet traffic
Related Work: Host Level
E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection
R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors
Hybrid
BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection
Botnet Detection Approaches
Setting up Honeynets (Honeynet Based Solutions)
Network Traffic Monitoring:
– Signature Based
– Anomaly Based
– DNS Based
– Mining Based
Honeynet Based Solution
It enables us to isolate the bot from the network and monitor its traffic in a more controlled way, instead of waiting to be infected and then monitoring the traffic.
Bot execution in a Honeynet test bed
Monitor the traffic generated by bots
Open Analysis: provides a connection to the Internet; more flexible than closed analysis.
Our Implemented Approach
Honeynet Based Solution
Achievements
Approach Implemented
Honeynet Based Bot Analysis Architecture
Payload Parser
Web GUI and report generation
Flowchart
Features
Systematically collect and analyze bot traffic over the Internet
Provides a controlled connection to the Internet: rate-limits the outbound connections
Uses network-based anomaly detection to identify C&C command sequences
Principal Mechanism for Botnet Detection
Bot Execution
- Bot execution in a Honeynet based environment
- Collection of execution traces to extract C&C server information
- Complete payload sent to the central server
Payload Parser
- Extraction of IRC, HTTP command signatures
Botnet Observation
- Extraction of attack, propagation scan or other attack commands
- Extraction of specific network patterns, secondary injection attempts
Output
- List of unique C&C servers
- Commands exchanged between bot client & bot server
Experimental Result
Botname: B14, MD5: a4dde6f9e4feb8a539974022cff5f92c
Symantec: W32.IRCBot, Microsoft: Backdoor:Win32/Poebot
PASS 146751dhzx
:ftpelite.mine.nu NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
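As an added example (not code from the slides or from the DHS project), a small Python payload parser of the kind the Payload Parser step describes, run over the B14 session above: it takes the C&C server from the message prefix, the channel and the command list from the 332 topic reply, and the reported scan target from the bot's PRIVMSG; the "scan"/"other" tagging of commands is an assumption of this example.

```python
import re
# Sample IRC C&C session: the exchange shown on the slide for bot B14, one
# message per line (line breaks added here; message content as on the slide).
SAMPLE_SESSION = """\
PASS 146751dhzx
:ftpelite.mine.nu NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
"""
SCAN_STATUS_RE = re.compile(r"Scan started on (\S+):(\d+)")

def parse_irc_line(line):
    """Split one IRC message into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    parts = head.split() or [""]
    return prefix, parts[0].upper(), parts[1:], (trailing or None)

def extract_bot_commands(topic):
    """Dot-prefixed, '|'-separated topic entries; names containing 'scan' are tagged as scans."""
    cmds = []
    for entry in topic.split("|"):
        entry = entry.strip()
        if entry.startswith("."):
            name, _, args = entry.partition(" ")
            cmds.append({"cmd": name, "args": args, "kind": "scan" if "scan" in name.lower() else "other"})
    return cmds

def analyze_session(text):
    """C&C server, bot nick, channel, topic commands and reported scan targets of one session."""
    info = {"server": None, "nick": None, "channel": None, "commands": [], "scan_targets": []}
    for raw in text.splitlines():
        prefix, cmd, params, trailing = parse_irc_line(raw)
        if prefix and info["server"] is None:
            info["server"] = prefix              # server name from the message prefix
        if cmd == "NICK":
            info["nick"] = params[0]
        elif cmd == "332" and trailing:          # RPL_TOPIC: bot commands live in the topic
            info["channel"] = params[1]
            info["commands"] += extract_bot_commands(trailing)
        elif cmd == "PRIVMSG" and trailing:      # bot reporting progress back to the channel
            m = SCAN_STATUS_RE.search(trailing)
            if m:
                info["scan_targets"].append((m.group(1), int(m.group(2))))
    return info
```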
Experimental Results: IRC
Top IRC Bot Families Captured at Distributed Honeynet System
Bot Family     Number of Samples   Percentage
Rbot           70                  6.28%
Poebot.gen     32                  2.87%
Rbot.gen       30                  2.69%
IRCbot.genK    22                  1.99%
Poebot.BT      12                  1.08%
IRCbot         8                   0.71%
Poebot.BI      6                   0.54%
IRCbot.genS    4                   0.35%
Poebot
Poebot.T
IRC Based Botnet Measurement: In total we could identify 99 IRC-based bot binaries, a rate of 8.25% of the overall binaries in 12 months.
Botnet Command and Control Server Distribution Botnet C&C Server Info
Top Source IP and Ports (Tejpur University Assam)
Sno   Source IP          Count
1     122.160.115.76     191
2     122.160.76.92      91
3     122.160.42.85      79
4     122.160.1.248      66
5     122.160.74.180     60
6     61.142.12.86       54
7     122.160.136.220    49
8     122.160.154.222    48
9     122.161.16.82
10    122.160.75.115

Sno   Port    Count
1     445     2571
2     135     111
3     1434    42
4     139     35
5     80      12
6     25
7     3306
8     705
9     161
Thank You