
A short introduction to honeypots. Εμμανουήλ Βασιλομανωλάκης (Emmanouil Vasilomanolakis), PhD Candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED)


1 A short introduction to honeypots
Εμμανουήλ Βασιλομανωλάκης (Emmanouil Vasilomanolakis), PhD Candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED)
Associate of the Networks Laboratory (ISLAB), Institute of Informatics and Telecommunications, NCSR "Demokritos"
manolis@cased.de

2 Outline (4/21/2013, Telecooperation Group | CASED)
- Introduction
- Classifications
- Deployment architectures
- Open source vs. nothing
- Two honeypots: Dionaea and Kippo
- SURFcert IDS and experiences from Demokritos
- Future work and ideas

3 Introduction (1/2)
- Axiom: attackers are always (at least) one step ahead.
- Attacks are becoming overwhelming, targeted and more sophisticated.
- Intrusion Detection Systems (IDSs) produce a large number of false positive and false negative alerts.
- More proactive solutions, and more information about the attacks themselves, are needed.

4 Introduction (2/2)
- Definition: "A security resource whose value lies in being probed, attacked or compromised."
- It does not have to be a system: honeytokens (e.g., a planted credential or document) work the same way.
- We want to get compromised!
- Certainly not a standalone security mechanism: a honeypot complements an IDS and firewall, it does not replace them.
- Why?
  - Fun!
  - No false positives: nothing legitimate should ever touch a honeypot, so every contact is suspicious.
  - Research: malware analysis and reverse engineering.
  - Reducing the available attack surface / early warning system.

5 Honeypot Classifications
- Low interaction: simulate network services (usually at the TCP/IP stack level); only enough of the protocol is emulated to log the attacker's actions.
- [Medium interaction: simulate network services in more "sophisticated" ways, e.g., enough of a protocol to capture the payload or the downloaded binary.]
- High interaction: real systems (e.g., VMs); the attacker gets a full OS, so containment matters.
- Other classifications:
  - Purpose: generic, malware collectors, SSH, etc.
  - Production vs. research (not really a useful distinction).
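To make the low-interaction idea concrete, the following is an added example (not code from the talk or from any honeypot in the table that follows): a minimal fake FTP service that greets the client, records every command line it receives, and never lets anyone log in. The banner text, the host name in it and the brute-force probe used to exercise it are all made up. The point is that no real FTP server exists behind the socket; only the handful of replies needed to keep a scanner talking is emulated, which is exactly what "simulate network services" means.

```python
"""Minimal low-interaction honeypot emulating an FTP login dialogue.
Added example for illustration; the banner, host name and probe are constructed."""
import asyncio
import time
from dataclasses import dataclass, field

BANNER = b"220 ftp.example.internal FTP server ready.\r\n"  # assumed banner text
MAX_LINE = 512      # FTP command lines are short; cap what we keep from a client
IDLE_TIMEOUT = 5.0  # seconds without a line before we drop the connection


@dataclass
class Session:
    """Everything we learn from one connection: who, when, and what they typed."""
    peer: str
    started: float
    commands: list = field(default_factory=list)


class FtpHoneypot:
    def __init__(self):
        self.sessions = []  # captured Session objects, one per connection

    async def handle(self, reader, writer):
        host, port = writer.get_extra_info("peername")[:2]
        sess = Session(peer=f"{host}:{port}", started=time.time())
        self.sessions.append(sess)
        writer.write(BANNER)
        try:
            while True:
                raw = await asyncio.wait_for(reader.readline(), IDLE_TIMEOUT)
                if not raw:
                    break
                line = raw[:MAX_LINE].decode("latin-1").rstrip("\r\n")
                sess.commands.append(line)  # log first, answer second
                verb = line.split(" ", 1)[0].upper()
                if verb == "USER":
                    writer.write(b"331 Password required.\r\n")
                elif verb == "PASS":
                    writer.write(b"530 Login incorrect.\r\n")  # always fails
                elif verb == "QUIT":
                    writer.write(b"221 Goodbye.\r\n")
                else:
                    writer.write(b"530 Please login with USER and PASS.\r\n")
                await writer.drain()
                if verb == "QUIT":
                    break
        except (asyncio.TimeoutError, ConnectionError, ValueError):
            pass  # slow, rude or oversized clients are simply dropped
        finally:
            writer.close()

    async def serve(self, host="127.0.0.1", port=0):
        # port=0 lets the OS pick a free port; a real deployment would bind 21
        return await asyncio.start_server(self.handle, host, port)


async def _probe(port, commands):
    """Act as the attacker: connect, send each command, collect the replies."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    replies = [(await reader.readline()).decode().strip()]
    for cmd in commands:
        writer.write(cmd.encode() + b"\r\n")
        await writer.drain()
        replies.append((await reader.readline()).decode().strip())
    writer.close()
    await writer.wait_closed()
    return replies


async def _run_demo():
    hp = FtpHoneypot()
    server = await hp.serve()
    port = server.sockets[0].getsockname()[1]
    # Constructed brute-force attempt standing in for a real scanner.
    replies = await _probe(port, ["USER admin", "PASS admin123", "QUIT"])
    server.close()
    await server.wait_closed()
    return hp.sessions, replies


def run_demo():
    """Start the honeypot on loopback, hit it once, return what it captured."""
    return asyncio.run(_run_demo())


if __name__ == "__main__":
    sessions, replies = run_demo()
    for s in sessions:
        print(s.peer, s.commands)
    print(replies)
```

Everything the client sends is kept before any reply is chosen, so even a scanner that disconnects after the banner leaves a record. A medium-interaction variant would add the RETR/STOR handling needed to capture uploaded tools; a high-interaction deployment would replace the whole class with a real, isolated FTP server.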

6 Honeypot Deployment Architectures
[Diagram]

7 Open Source vs. nothing (really!)

Honeypot        Type     OS       Language        GUI  License
Honeyd          Generic  Linux    C               N    GNU
Nepenthes       Malware  Linux    C               N    GNU
Dionaea         Malware  Linux    Python          N    GNU
Honeytrap       Generic  Linux    C               N    GNU
LaBrea          Generic  Linux    C               N    GNU
Tiny HP         Generic  Linux    Perl            N    GNU
HoneyBot        Malware  Windows  -               Y    Closed
Google Hack HP  Web      -        PHP             Y    GNU
Multipot        Malware  Windows  VB 6            Y    GNU
Glastopf        Web      -        Python          Y    GNU
Kojoney         SSH      Linux    Python          N    GNU
Kippo           SSH      Linux    Python          N    BSD
Amun            Malware  Linux    Python          N    GNU
Omnirova        Malware  Windows  Borland Delphi  Y    GNU
BillyGoat       Malware  -        ?               ?    Closed
Artemisa        VoIP     -        Python          N    GNU
GHOST           USB      Windows  C               Y    GNU

8 Dionaea
- Low-interaction honeypot for collecting malware.
- Successor of Nepenthes.
- Main protocol emulated: SMB (port 445).
- Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP).
- Also supports IPv6 and TLS.
- Malware files are stored locally and/or submitted to third-party analysis services (CWSandbox, Norman Sandbox, Anubis, VirusTotal).

9 Kippo (1/2)
- Low-interaction SSH honeypot.
- Features:
  - Presents a fake (but "functional") system to the attacker, resembling a Debian 5.0 installation.
  - Attackers can download their tools with wget; the honeypot saves a copy for later inspection (cool!).
  - Session logs are stored in a UML-compatible format for easy replay with the original timings (even cooler!).
- Easy to install, but getting attackers to show up takes patience!

10 SURFcert IDS
- An open source (GPLv2) distributed intrusion detection system based on honeypots.
- Sensors act as proxies, forwarding network traffic from the monitored network to the system's centre over OpenVPN; the honeypots themselves run centrally, not on the sensor.
- Supported honeypots: Nepenthes, Dionaea, Argos, Kippo.
- Three parts:
  - Tunnel / honeypot server
  - Web / logging server
  - Sensors

11 SURFcert IDS
- Also:
  - Supports p0f for passive OS fingerprinting of attackers.
  - Statistics, a nice web GUI, sensor status, geographical visualisations, and more.

12 SURFcert IDS @ Demokritos
- Some stats:
  - 21,000 attacks on 3 different sensors (1 month)
  - 1,500 malware files downloaded
  - Main target: port 445
- Successfully detected infected systems inside our own network (mostly a Conficker worm variant): an internal host that probes a honeypot has no legitimate reason to be there.
- Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers).
- Possible to find zero-day exploits / new malware (or new variants of known families).
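The two findings on this slide, the port ranking and the infected internal hosts, fall out of a simple triage pass over the sensors' connection records. The following is an added example and not SURFcert IDS code: the log layout (one CSV row per connection with timestamp, sensor, source address, destination port and the hash of any binary the honeypot fetched), the sensor names, the addresses and the truncated hashes are all constructed. The internal address ranges are assumed to be RFC 1918 space.

```python
"""Triage of honeypot connection logs: rank targeted ports, count distinct
samples, and flag internal hosts that probe the sensors.
Added example, not SURFcert IDS code; log format and data are constructed."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Assumption: the organisation's internal space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log. sha256 is a made-up, truncated hash of a binary the
# honeypot downloaded during that connection; empty when nothing was fetched.
SAMPLE_LOG = """\
ts,sensor,src_ip,dst_port,sha256
2013-03-02T01:12:07,sensor-1,203.0.113.14,445,4f1e09aa
2013-03-02T01:14:51,sensor-2,198.51.100.7,445,4f1e09aa
2013-03-02T02:03:19,sensor-1,203.0.113.14,445,b7c2d310
2013-03-02T02:40:02,sensor-3,192.0.2.55,22,
2013-03-02T03:11:45,sensor-3,10.20.3.17,445,4f1e09aa
2013-03-02T03:12:08,sensor-2,10.20.3.17,445,4f1e09aa
2013-03-02T04:25:33,sensor-3,192.0.2.55,1433,
2013-03-02T05:00:10,sensor-3,10.20.9.200,22,
2013-03-02T05:31:27,sensor-1,198.51.100.7,80,
"""


def parse_log(text):
    """Parse the CSV into dicts with a real IP object and an int port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_ip"] = ipaddress.ip_address(row["src_ip"])
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def attacks_by_port(rows):
    """Connections per destination port; the top entry is the 'main target'."""
    return Counter(r["dst_port"] for r in rows)


def distinct_samples(rows):
    """Unique binaries seen: the same worm hitting many sensors counts once."""
    return {r["sha256"] for r in rows if r["sha256"]}


def is_internal(ip, nets=INTERNAL_NETS):
    return any(ip in net for net in nets)


def internal_sources(rows, nets=INTERNAL_NETS):
    """Internal hosts talking to a honeypot, with the ports they hit.
    Nothing legitimate should ever do this, so each is a likely infection."""
    hits = defaultdict(Counter)
    for r in rows:
        if is_internal(r["src_ip"], nets):
            hits[str(r["src_ip"])][r["dst_port"]] += 1
    return dict(hits)


def summarize(text=SAMPLE_LOG, nets=INTERNAL_NETS):
    """One-shot report in the shape of the slide's 'some stats'."""
    rows = parse_log(text)
    by_port = attacks_by_port(rows)
    return {
        "attacks": len(rows),
        "sensors": len({r["sensor"] for r in rows}),
        "top_port": by_port.most_common(1)[0][0],
        "by_port": dict(by_port),
        "samples": len(distinct_samples(rows)),
        "internal": internal_sources(rows, nets),
    }


if __name__ == "__main__":
    report = summarize()
    print(f"{report['attacks']} attacks on {report['sensors']} sensors, "
          f"main target port {report['top_port']}, "
          f"{report['samples']} distinct samples")
    for host, ports in report["internal"].items():
        print(f"internal host {host} probed ports {dict(ports)}")
```

On the constructed data the report singles out port 445 and two internal addresses; in the Demokritos deployment the same logic, applied to a sensor placed inside the main firewall, is what surfaced the Conficker-infected machines. Counting samples by hash rather than by download matters for the "1,500 malware files" figure: a single worm variant can account for most of the downloads.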

13 Future Work - Ideas
Features:
- Better visualisation
- Anti-evasion techniques (keeping fingerprintable honeypots from being recognised and avoided)
- Cheap and easy mobile sensors: Raspberry Pi
- Advertising honeypots
Honeypots:
- Mobile honeypots (e.g., Android)
- SCADA / Industrial Control Systems (ICS)
[Screenshots: an attacker scanning our system; an attacker trying to connect to our "ftp" server]

14 Thank You. Questions?

15 Backup slides

16 Useful Links
- Interesting stuff:
  - http://www.islab.demokritos.gr - many honeypot-related theses available
  - https://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots - ENISA report on honeypots
  - http://publicids.surfnet.nl:8080/surfnetids/login.php - demo version of SURFcert IDS
- Honeypots:
  - http://www.honeynet.org - general information on honeypots
  - http://dionaea.carnivore.it - Dionaea honeypot
  - http://amunhoney.sourceforge.net - Amun honeypot
  - http://map.honeynet.org - honeypot visualisation

17 SURFcert IDS @ Demokritos
[Network diagram: sensors placed outside the main firewall and inside the main firewall]

