Using Honeyclients for Detection and Response Against New Attacks (Kathy Wang, MITRE Corporation; OWASP Conference, 06 Sep 2007)

Presentation transcript:

Slide 1: Using Honeyclients for Detection and Response Against New Attacks. Kathy Wang, MITRE Corporation. OWASP Conference, 06 Sep 2007. © 2007 The MITRE Corporation. All rights reserved.

Slide 2: Problem

- Client-side exploits are a growing threat
  - Lots of client-side vulnerabilities: Microsoft Internet Explorer has had more than 50 serious vulnerabilities in the last 6 months (SecurityFocus database)
  - Lots of client-side exploits: 90% of all PCs harbor spyware (Webroot, 2006)
- We need to be able to proactively detect and characterize client-side attacks before we get hit

We lack a proactive detection technology for client-side attacks.

Slide 3: Example of an Emerging Threat

- Contagion worm-like attacks
  - Paxson et al., "How to 0wn the Internet in Your Spare Time"
  - Wheel-and-spoke client-server infection model: the worm rides on normal client-server traffic instead of scanning, so an infected server compromises each vulnerable client that visits it, and each infected client compromises the vulnerable servers it visits next
  - Requires two exploits, one for the client and one for the server

[Diagram: a contagion-worm-loaded server infects a vulnerable client, which in turn infects the vulnerable servers it visits.]

Slide 4: Contagion Worm Model Assumptions

- 1M vulnerable clients in the world
- 1M vulnerable web servers in the world, out of 10M web servers
  - 1K popular servers
- Clients surf one server per minute
- Clients have a 90% chance of visiting a popular server and a 10% chance of visiting an unpopular server
- The contagion worm begins on one unpopular server

Slide 5: Possible Contagion Worm Propagation

[Diagram: vulnerable web clients, popular web servers, unpopular web servers.]

Slide 6: A New 'Business' Model

[Image slide.]

Slide 7: Another Business Model

[Image slide.]

Slide 8: Current Situation

- Current coverage of client-side exploits is inadequate
  - Over 50% of recent vulnerabilities are client-based (SecurityFocus)
  - Only 1.5% of Snort Intrusion Detection System signatures are based on client-side attacks (source cut off in the slide text)
- Honeypots
  - Detect server-side attacks
  - Passive devices: they wait to be attacked, so they never see an exploit that is only served to a visiting client
- Current methods of client-side exploit detection are reactive
  - Anti-virus
  - Anti-spyware
  - Clueful users

Slide 9: Background - Honeyclients

- Honeyclients provide the capability to proactively detect client-side exploits
  - A honeyclient is a system that drives a client application (here, a web browser) to potentially malicious servers
  - The honeyclient performs no authorized activity other than driving the browser, so any other change made to the honeyclient system is unauthorized: no false positives, provided the baseline accounts for the changes the browser itself legitimately makes (cache, history)
  - We detect exploits even without prior signatures, because detection keys on the change to the system rather than on knowledge of the exploit

Slide 10: Basic Honeyclient Package

[Diagram: a Windows VM honeyclient on a Linux host sends a request to a malicious server over a dedicated DSL link to the Internet and receives the response; the host keeps traffic logs and a client-side exploit database.]

Honeyclient prototype capabilities:
- Baseline integrity
- Drive IE
- Extract URLs
- Recurse (internal)
- Integrity checks
- Recurse (external)
- Virtual host
- Protective firewall
- Exploit DB
- Image rotation
- Modular clients
- Traffic history
- Secure logging
- Memory checks
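The "baseline integrity" and "integrity checks" steps of slides 9 and 10 reduce to one mechanism: hash the guest before the visit, drive the browser, hash again, and treat every difference outside the browser's own footprint as unauthorized. The following is an added example of that mechanism, not code from the MITRE Honeyclient project. It models the guest filesystem as a temporary directory, stands in for "drive IE" with a simulated visit, and the allow-listed browser paths, the dropped file names and the guest layout are all constructed assumptions.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Paths the browser is expected to touch during any visit (assumed for this
# example); changes here are benign noise, everything else is unauthorized.
ALLOWLIST = (
    "Users/honey/AppData/Local/Temp/*",
    "Users/honey/AppData/Local/Microsoft/Windows/Temporary Internet Files/*",
    "Users/honey/AppData/Local/Microsoft/Windows/History/*",
)


def _path(root, rel):
    return os.path.join(root, *rel.split("/"))


def _write(root, rel, data):
    full = _path(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def snapshot(root):
    """Baseline integrity: map every file under root ('/'-separated relative
    path) to its SHA-256 digest."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def allowed(rel):
    return any(fnmatch(rel, pattern) for pattern in ALLOWLIST)


def integrity_diff(before, after):
    """Integrity check: files added, modified or deleted between two
    snapshots, ignoring the allow-listed browser footprint."""
    added = [p for p in after if p not in before and not allowed(p)]
    deleted = [p for p in before if p not in after and not allowed(p)]
    modified = [p for p in before if p in after
                and before[p] != after[p] and not allowed(p)]
    return {"added": sorted(added),
            "modified": sorted(modified),
            "deleted": sorted(deleted)}


def is_exploited(diff):
    return any(diff[kind] for kind in ("added", "modified", "deleted"))


def simulate_visit(root, malicious):
    """Stand-in for 'drive IE to the URL'.  Every visit leaves cache files;
    a malicious one (constructed here) also drops a binary, patches a system
    DLL and removes the hosts file, the kinds of change the case-example
    slides later flag."""
    _write(root, "Users/honey/AppData/Local/Temp/~DF1234.tmp", b"cache")
    if malicious:
        _write(root, "Windows/System32/srvclu.exe", b"MZ" + b"\x90" * 64)
        _write(root, "Windows/System32/kernel32.dll", b"MZ" + b"\xcc" * 64)
        os.remove(_path(root, "Windows/System32/drivers/etc/hosts"))


def run_honeyclient(malicious):
    """Build a clean guest image, baseline it, visit one site, and return the
    diff.  A fresh directory per run plays the role of image rotation."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Windows/System32/kernel32.dll", b"MZ" + b"\x00" * 64)
        _write(root, "Users/honey/AppData/Local/Microsoft/Windows/History/index.dat", b"")
        baseline = snapshot(root)
        simulate_visit(root, malicious)
        return integrity_diff(baseline, snapshot(root))


if __name__ == "__main__":
    for flag in (False, True):
        result = run_honeyclient(flag)
        print("malicious" if flag else "benign", "->",
              "EXPLOITED" if is_exploited(result) else "clean", result)
```

The allow-list is what makes the "no false positives" claim hold in practice: without it the browser's cache and history writes would trip the check on every visit. Anything a real deployment adds to that list is a blind spot, so it should be as narrow as the browser's actual footprint, and a rootkit in the guest can still hide files from an in-guest snapshot, which is why slide 12 proposes checking the virtual disk from outside the VM.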

Slide 11: Current Situation

- Attackers are starting to include honeyclient avoidance technologies on malicious servers
  - Repeated visits from identical IPs result in blocked access to some malicious sites (SANS Internet Storm Center)
  - Detection of spidering from honeyclients led to redirection to benign sites (Robert Danford)

Slide 12: Technical Approach: Add Advanced Capabilities to Counter Attackers

Honeyclients should be able to:
- Detect kernel-modifying rootkits
  - Improve our integrity checks further
  - Analyze virtual hard drives outside of the VM environment, where a rootkit in the guest kernel cannot hide files from the check
- Thwart exploits that detect virtual machine environments
  - Add honeyclient capability for a physical sandbox environment
  - A PXE boot image may allow us to network-boot images quickly on real hardware
- Handle active content sites
  - Be able to access and download content from these sites
  - Automated mouse-clicking technology is available
- Be difficult to distinguish from human activity
  - Attackers now recognize, and will actively counter, honeyclients
  - Develop human-like web crawling algorithms

Slide 13: Human-like Honeyclient Prototype

- Link scoring (good vs. bad words, link location)
- Browsing order for links (breadth vs. depth)
- Bandwidth footprint (humans do not access links at the same speed)
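The three bullets above (and the "human-like web crawling" goal of slide 12) are easiest to see as code. What follows is an added example of a crawler front end that scores links by words and page position, mixes depth-first and breadth-first selection, and paces requests with a skewed dwell-time distribution; it is not the MITRE project's crawler. The word lists, weights, 70/30 depth bias and log-normal timing are assumptions, and the site is a constructed dictionary that stands in for HTTP fetches.

```python
import math
import random
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Word lists and weights are assumptions for this example, not the project's.
GOOD_WORDS = {"news", "download", "video", "free", "games", "music"}
BAD_WORDS = {"privacy", "terms", "sitemap", "login", "logout", "rss"}

# Constructed site standing in for HTTP fetches; every link target is a key.
PAGES = {
    "http://example.test/": (
        '<a href="/news">Latest news</a> <a href="/games/free">Free games</a> '
        '<a href="/about">About</a> <a href="/privacy">Privacy policy</a>'),
    "http://example.test/news": '<a href="/news/story">Top story</a> <a href="/">Home</a>',
    "http://example.test/games/free": (
        '<a href="/games/free/setup.exe">Download now</a> <a href="/">Home</a>'),
    "http://example.test/about": "",
    "http://example.test/privacy": "",
    "http://example.test/news/story": "",
    "http://example.test/games/free/setup.exe": "",
}


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs in document order."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def score_link(href, text, position, total):
    """Link scoring: attractive words add, boilerplate words subtract, and a
    link near the top of the page outranks the same link in the footer."""
    raw = (text + " " + urlparse(href).path).lower()
    words = set(raw.replace("/", " ").replace("-", " ").replace(".", " ").split())
    score = 1.0
    score += 2.0 * len(words & GOOD_WORDS)
    score -= 2.0 * len(words & BAD_WORDS)
    score += 1.0 - position / max(total, 1)    # 1.0 at the top, near 0 at the bottom
    return score


def rank_links(base_url, html):
    parser = LinkExtractor()
    parser.feed(html)
    scored = [(score_link(href, text, i, len(parser.links)), urljoin(base_url, href))
              for i, (href, text) in enumerate(parser.links)]
    scored.sort(key=lambda item: -item[0])
    return [url for _, url in scored]


def next_url(frontier, rng, depth_bias=0.7):
    """Browsing order: frontier is a list of per-page link batches, each
    sorted best-first.  With probability depth_bias follow a link from the
    most recently visited page (depth), otherwise from the earliest page
    that still has unvisited links (breadth)."""
    batch = frontier[-1] if rng.random() < depth_bias else frontier[0]
    url = batch.pop(0)
    if not batch:
        frontier.remove(batch)
    return url


def think_time(rng, median_seconds=8.0):
    """Bandwidth footprint: log-normal dwell time, so inter-request gaps are
    bursty and variable rather than one request every N seconds."""
    return rng.lognormvariate(math.log(median_seconds), 0.6)


def crawl(start, pages, rng, max_visits=10):
    """Simulated human-like crawl; returns (visit order, total think time)."""
    frontier, seen, order, waited = [[start]], {start}, [], 0.0
    while frontier and len(order) < max_visits:
        url = next_url(frontier, rng)
        order.append(url)
        waited += think_time(rng)
        batch = []
        for link in rank_links(url, pages.get(url, "")):
            if link not in seen:
                seen.add(link)
                batch.append(link)
        if batch:
            frontier.append(batch)
    return order, waited


if __name__ == "__main__":
    visited, seconds = crawl("http://example.test/", PAGES, random.Random(7), max_visits=50)
    print(f"{len(visited)} pages, {seconds:.0f}s of simulated dwell time:", visited)
```

In a real honeyclient the `think_time` value is the sleep before the next request and the ranked list is the order the browser is driven through; what a cloaking server sees is then a session with human-looking link choices and irregular timing instead of a fixed-rate sweep of every anchor on the page.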

Slide 14: Current Situation

- Each honeyclient can only cover so many sites
  - Need to coordinate efforts to improve coverage
  - No capability exists for distributed scanning: individual honeyclients can scan redundant servers
  - There is no central reporting mechanism
  - The above restrictions limit the depth and breadth of the Internet that we can effectively cover

Slide 15: Technical Approach: Increase Our Coverage of Servers

- Design and deploy distributed honeyclients
  - Sponsors are asking for this in order to coordinate efforts
  - The Berkeley Open Infrastructure for Network Computing (BOINC) project has a framework for distributed computing
  - This will result in much better coverage of the servers on the Internet

Slide 16: Distributed Honeyclient Prototype

[Diagram: several honeyclients, each on its own virtual host, scan servers on the Internet and report to a central repository; servers are marked as bad or good.]

Slide 17: Technical Approach: Gather and Correlate Honeyclient Data

- Trend spotting of collected data and statistical correlation
  - What percentage of all servers are malicious?
  - How do exploits spread from one server to another?
  - Are there clusters of servers that become malicious around the same time? (i.e., can we infer the control structure of the malicious server community?)
- Expand the existing exploit database
- Share the results of correlation with the community
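Slides 14 through 17 describe one piece of infrastructure: a central repository that hands out work so honeyclients do not scan the same server twice, collects their reports, and answers the correlation questions above. The following is an added example of such a repository, not the MITRE project's own design; the report fields, the 7-day re-scan interval, the one-hour onset window and the "same dropped file on several hosts" heuristic are assumptions, and the reports it ingests are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse


class Repository:
    """Central repository that distributed honeyclients report into."""

    def __init__(self):
        # host -> [(scan time, honeyclient id, malicious?, dropped files)]
        self.reports = defaultdict(list)

    @staticmethod
    def host_of(url):
        return urlparse(url).hostname.lower()

    def ingest(self, honeyclient_id, url, when, malicious, dropped=()):
        self.reports[self.host_of(url)].append(
            (when, honeyclient_id, malicious, tuple(dropped)))

    def assign(self, candidates, honeyclients, now, rescan_after=timedelta(days=7)):
        """Split candidate URLs across honeyclients, one host at a time, skipping
        hosts scanned within rescan_after so no two honeyclients redundantly
        scan the same server."""
        due, seen = [], set()
        for url in candidates:
            host = self.host_of(url)
            if host in seen:
                continue
            seen.add(host)
            last = max((t for t, *_ in self.reports.get(host, [])), default=None)
            if last is None or now - last >= rescan_after:
                due.append(url)
        work = {hc: [] for hc in honeyclients}
        for i, url in enumerate(due):
            work[honeyclients[i % len(honeyclients)]].append(url)
        return work

    def fraction_malicious(self):
        """Share of scanned hosts with at least one malicious report."""
        if not self.reports:
            return 0.0
        bad = sum(1 for rs in self.reports.values() if any(m for _, _, m, _ in rs))
        return bad / len(self.reports)

    def first_malicious(self):
        """host -> earliest time it was reported malicious."""
        out = {}
        for host, rs in self.reports.items():
            times = [t for t, _, m, _ in rs if m]
            if times:
                out[host] = min(times)
        return out

    def onset_clusters(self, window=timedelta(hours=1)):
        """Hosts that turned malicious within `window` of each other (single
        linkage along the time axis): candidates for one campaign or controller."""
        items = sorted(self.first_malicious().items(), key=lambda kv: kv[1])
        clusters, current = [], []
        for host, t in items:
            if current and t - current[-1][1] > window:
                clusters.append([h for h, _ in current])
                current = []
            current.append((host, t))
        if current:
            clusters.append([h for h, _ in current])
        return clusters

    def shared_payloads(self):
        """dropped file -> hosts that dropped it (only when more than one host
        did): the same payload on several servers suggests a common operator."""
        out = defaultdict(set)
        for host, rs in self.reports.items():
            for _, _, m, dropped in rs:
                if m:
                    for name in dropped:
                        out[name].add(host)
        return {name: sorted(hosts) for name, hosts in out.items() if len(hosts) > 1}


T0 = datetime(2007, 9, 1, 12, 0)


def build_demo():
    """Constructed reports from three honeyclients (not real data)."""
    repo = Repository()
    repo.ingest("hc-1", "http://good.example/", T0, False)
    repo.ingest("hc-2", "http://bad-a.example/index.html", T0 + timedelta(minutes=5), True, ["srvclu.exe"])
    repo.ingest("hc-1", "http://bad-b.example/", T0 + timedelta(minutes=30), True, ["srvclu.exe"])
    repo.ingest("hc-2", "http://also-good.example/", T0 + timedelta(hours=2), False)
    repo.ingest("hc-3", "http://BAD-A.example/page2", T0 + timedelta(hours=3), True, ["srvclu.exe"])
    repo.ingest("hc-3", "http://bad-c.example/", T0 + timedelta(days=1), True, ["other.dll"])
    return repo


if __name__ == "__main__":
    repo = build_demo()
    print("malicious fraction:", repo.fraction_malicious())
    print("onset clusters:", repo.onset_clusters())
    print("shared payloads:", repo.shared_payloads())
    print("next assignments:", repo.assign(
        ["http://good.example/x", "http://new.example/", "http://bad-c.example/"],
        ["hc-1", "hc-2"], now=T0 + timedelta(days=2)))
```

Two caveats a deployment would add: clustering by onset time only works if every honeyclient's clock is trusted and the report channel is authenticated (slide 10's "secure logging"), and the malicious fraction is of hosts the honeyclients chose to visit, not of the Internet, so the sampling strategy used in `assign` determines what that number means.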

Slide 18: Future Application for Honeyclients: Using Honeyclients to Detect Malicious Emails

[Diagram: the email server sends URLs and attachments to a honeyclient on a virtual host for processing; the honeyclient runs its checks and notifies the server of bad URLs and/or attachments; only emails that pass the checks are forwarded to the recipient. Legend: non-malicious vs. malicious.]

Slide 19: Impact and Technology Transition

- We plan to pilot honeyclient technology for several sponsors
- Industry plans to run honeyclients
  - Verizon
  - Google
  - Symantec
- Products and standards
  - Contact vendors about new vulnerabilities in client applications

Slide 20: Why Should You Run Honeyclients?

- Operational benefits
  - Increase your visibility of emerging client-side threats
  - Malware collection and analysis
  - Share your results, and obtain other organizations' results
- Networking benefits
  - Group forum meetings
  - Government, industry, and academic participation
  - Discussion of the latest trends in client-side exploits

Slide 21: Why Should You Run Honeyclients? (continued)

- Cost benefits
  - The HoneyClient package and Linux OSes are open-sourced
  - VMware Server is free
  - Your costs: hardware, Internet connection, Windows license, analysts
- Other factors to consider
  - Your private data will not be leaked
  - Opportunity to provide a public service through data sharing

Slide 22: Demonstration

Slide 23: Some Honeyclient Case Examples

Please DO NOT go to any of the sites on the following slides unless you REALLY know what you're doing!

Slides 24-38 are annotated screenshots of honeyclient output (change reports and scan results); only the annotations survive in the transcript:

- Slide 24 (Changes): Suspicious file
- Slide 25 (Changes): Where's the /etc/hosts file??? Definitely suspicious
- Slide 26 (Scans)
- Slide 27 (Changes): Suspicious behavior, let's check it out further!
- Slide 28 (Changes): This definitely doesn't look good...
- Slide 29 (Scan): Poor results on scans...
- Slide 30 (Changes): OK. Let's check this out.
- Slide 31 (Changes): Definitely not normal...
- Slide 32 (Changes): More badness...
- Slide 33 (Scans): Note that this binary is very poorly identified...
- Slide 34 (Changes): So many bad sites, so little time...
- Slide 35 (Changes): What is this '46W9GLCI.htm' file anyway??? Trying to add a printer???
- Slide 36 (Changes): Here it is again...
- Slide 37: Clearly, a hacker with a political agenda!
- Slide 38: ns1.hosting101.biz. Yikes! Very, very bad sign...

Slide 39: Additional Project Information

- Our project website
- Send us email, and we will add you to the mailing list
- We need beta testers!
- Developers are welcome too! An SVN repository is available; let us know if you'd like access