Presentation is loading. Please wait.

Presentation is loading. Please wait.

FORTH’s Honeypots CIPSEC workshop Frankfurt 16/10/2018

Published byAdelia Hancock Modified over 5 years ago

Similar presentations

Presentation on theme: "FORTH’s Honeypots CIPSEC workshop Frankfurt 16/10/2018"— Presentation transcript:

1 FORTH’s Honeypots CIPSEC workshop Frankfurt 16/10/2018
Manos Athanatos, FORTH Co-funded by the Horizon 2020 Framework Programme of the European Union

2 Honeypot - What is it? A non production computer resource whose task is to be probed, attacked, compromised or accessed in any other unauthorized way. It could be: A piece of information/data A service An application An entire system It has: No ordinary users No regular services Like an “undercover” computer which is built to be an “easy” target for the attacker and waits to be compromised! A trap for attackers So what is a honeypot? We can define a honeypot as a non production computer resource whose task is to be probed, attacked, compromised or accessed in any other unauthorized way. It could either be … It has …. So its more like a trap for attackers, an undercover computer …

3 Honeypot - How it works? Honeypots are deployed in the network
Mimic the behavior of a server Listen to an unused IP range A possible attacker probes the unused IPs for services Honeypots reply and interact with the entity Entities attempting to communicate with honeypots, are by default suspicious Activity between entities and honeypots is monitored: Commands executed Files downloaded Links visited Attacker IP is blacklisted to prevent potential attacks Firewalls can be updated to block traffic from this IP address Usually Honeypots are deployed in the network of an institution we want to protect and mimic the behavior of a real server. Honeypots are given an unused IP range (aka IP dark space) and listen to one or more ports for incoming connections. Attackers probe the unused IPs and scan for vulnerable services. Honeypots reply to the requests and interact with the possible attacker. By definition all entities communicating with honeypots are by default considered as suspicious. All activity between the honeypots and the possible attacker is monitored and stored, for example commands executed … With the assistance of Firewalls, the IP of the attacker is blacklisted and this particular traffic gets blocked in order to prevent potential attacks.

4 Honeypots Classification - Type of attacked resources
Server Side Honeypots Act like a real server Mimic network services Listen on their standard ports Monitor any connections initiated by remote clients Detect scanning worms or manual attack attempts Client Side Honeypots Employ a set of client applications (e.g. web browser) Connect to remote services Monitor the activity and the remote content Detect malicious behavior and content online Indicates whether the honeypot’s resources are exploited in server or client mode: The first criterion to categorize honeypots is by the type of the attacked resources. So whether the resources of the honeypot are exploited in server or client mode we have server side honeypots and client side honeypots.

5 Honeypots Classification - Level of interaction
Low Interaction Honeypots Resources are emulated Services (for server side honeypots) Applications (for client side honeypots) High Interaction Honeypots Provide real OS, services and applications Hybrid Honeypots Combine both low and high interaction honeypots Indicates whether the honeypot’s resource is a real one, an emulated one or of a mixed type: Another criterion to categorize honeypots is by the level of interaction with the attacker. Thus there are low interaction honeypots where the all resources are fully emulated. That includes emulated services for server side honeypots and emulated applications in the case of client side honeypots. On the other hand there are high interaction honeypots which provide real operating systems, services and applications. In this case the resources are real and not emulated by the system. Finally we have the hybrid honeypots that combine both low and high interaction honeypots for the detection of the attacks.

6 Honeypots VM tool - Components
Ubuntu VMs with pre-installed software Dionaea Honeypot DDOS tool ICS/SCADA honeypot Kippo SSH Honeypot REST API server for remote access Communication with the control panel over SSL Logs aggregator XMPP server Central PostgreSQL database Incidents stored in a unified format Web based control panel Remote administration of VMs Visualization of attacks Monitoring of honeypots’ VM performance Extra features include: LDAP authentication for users Delivery of personalized alerts via in PDF format Our tool which is used as a security solution in the CIPSEC framework is an Ubuntu VM with Dionaea and Kippo honeypots pre installed. The VM also Includes a custom REST API server used for remote access and communication through the control Panel over SSL. Additionally there is an XMPP protocol server which is used to aggregate logs from all Honeypots’ VMs and stores them in a central PostgreSQL database, in a unified format. Finally there is a web based control panel which is used for …

7 Dionaea Honeypot Dionaea is a low interaction honeypot
Uses Python to emulate well known services HTTP, HTTPs, FTP, TFTP, SMB, MSSQL, MySQL Accurate implementation of the Server Message Block (SMB) protocol Providing share access to printers and files (port 445) Popular target for worms and bots to spread Modular architecture New protocols can be emulated and added Supports IPv6 Good performance and stability Can monitor many IP addresses simultaneously The first honeypot used by our system is the Dionaea honeypot. is a multi purpose low interaction honeypot Which emulates all well known services such as the HTPP, … protocol by using the python scripting language. It provides an excellent implementation of the Server Message Block (SMB) protocol which is Used by worms and bots in order to spread. This service operates over port 445 and is used to provide shared access to files, printers and serial ports. Dionaea uses a modular architecture which enables new protocols to be emulated and added to the system by the user. So the user is able to emulate any protocol in Dionaea. It supports both ipv4 and ipv6 network protocols and from our experience it is very stable and demonstrates a good performance when monitoring many IPs at the same time.

8 Kippo Honeypot Kippo emulates the SSH service
Provides high level accuracy Implemented in Python Emulates a Debian filesystem Provides content for some files (e.g. /etc/password) Stores all files that are downloaded Simulates wget and curl commands Stores all commands executed Enables the analyst to replay the commands Good performance and stability Can monitor many IP addresses simultaneously The second honeypot which is currently used in our solution is the Kippo SSH honeypot. Kippo is implemented in Python and provides high level accuracy in emulating the SSH service. This honeypots also provide files and their content by emulating a real Debian filesystem. It stores all files that are downloaded by the attacker by simulating the wget and curl commands Enables the user to replay the attacker's commands by storing all the commands executed in an appropriate format for this reason. Like Dionaea, Kippo is very stable and performs very well when monitoring a large range of IP addresses.

9 ICS/SCADA Honeypot CONPOT emulates SCADA Services
Supports 12 known protocols including modbus, http, bacnet, ftp, enip, ipmi, s7comm and more Basic emulation capabilities Implemented in Python Modified for CIPSEC to provide logging via syslog Easy to configure/use Low logging capabilities

10 FORTH’s DDoS Tool Detects DoS amplification attack attempts
Able to monitor attacks targeting multiple protocols such as: DNS, NetBIOS, NTP, SNMP and more Provides syslog output to the ATOS XL-SIEM Visualisation of the detected events to the unified CIPSEC dashboard

11 Honeypots’ VM tool - Workflow
Security Administrator Initialize the Honeypots’ VM in the network that needs to be protected. It can choose which honeypots to enable( Dionaea Honeypot,DDOS tool,ICS/SCADA honeypot,Kippo SSH Honeypot ) Through the Control panel initializes the Honeypots’ VM Applies a unique ID to the sensor Configures the monitoring IP Dark Space Starts all services Automated updated and patching mechanism Honeypots monitor the network for attacks Attackers discover services and try to compromise them Honeypots track their activity Honeypots logs are sent to ATOS XL-SIEM and stored to a database CIPSEC Integrated Dashboard visualizes the attacks So the procedure for a critical infrastructure to protect its assets by using the Honeypots’ VM tool is the following: First the critical infrastructure administrator loads the Honeypots VM on a server inside the network that needs to be protected. Through the control panel the administrator initializes the Honeypots’ VM by applying a unique ID to the sensor, configure an IP dark space for monitoring and start all the appropriate services. After the successful registration, Dionaea and Kippo honeypots monitor the network for attacks. When attackers try to compromise the emulated services Honeypots track all their activity and send the logs to the XMPP log aggregation server. XMPP server feeds the database with logs and the Control panel visualizes the attack incidents and exports ACLs which can be imported to firewalls to prevent attacks

12 Honeypots VM tool - Architecture
We can now see in a graphic representation the whole architecture of the tool. . . .

13 CIPSEC Integrated Dashboard – Honeypots View
General statistics first.

14 CIPSEC Framework Reference Architecture

15 Critical Infrastructure Platform Compliance Management
Partners’ role in CIPSEC Reference Architecture Critical Infrastructure Platform CIPSEC Core Framework System manager User/System manager Layer Contingency plan Recommendations Presentation Layer Forensics Analysis Visualization tool Dashboard Data Processing Layer Anonymized Sensitive Data Historic anomalies DB Forensics service Data anonymization and Privacy Updating/Patching Detection Layer Compliance Management Anomaly detection reasoner Acquisition Layer External Security Services Future security services plugged Endpoint Detection and Response Vulnerability Assessment Identity Access Management Integrity Management Crypto services Network Security (DPI firewalls, routers with ACL, network segmentation, DMZ, NAC, etc.) Critical Infrastructure Components (sensors, computers, network, servers, routers, …) User Training

16 Thanks for your attention! Questions?
Contact: Project Coordinator Antonio Álvarez ATOS Technical Coordinator Sotiris Ioannidis FORTH @CIPSECproject CIPSEC Technical Review Meeting Barcelona 22/11/2017

Download ppt "FORTH’s Honeypots CIPSEC workshop Frankfurt 16/10/2018"

Similar presentations

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Department Of Computer Engineering

Department Of Computer Engineering
Security Guidelines and Management

Security Guidelines and Management
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.

HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Vulnerabilities in peer to peer communications Web Security Sravan Kunnuri.

Vulnerabilities in peer to peer communications Web Security Sravan Kunnuri.
Module 14: Configuring Server Security Compliance

Module 14: Configuring Server Security Compliance
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
OV 12 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Similar presentations

Ads by Google