Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering
Edward G. Balas, Indiana University Advanced Network Management Lab, 6/15/2004
About the Author
Edward G. Balas
– Security Researcher at Indiana University’s Advanced Network Management Lab.
– Honeynet Project Member: Sebek lead, Honeywall User Interface lead
Research Sponsorship
This material is based on research sponsored by the Air Force Research Laboratory under agreement number F30602-02-2-0221. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.
Roadmap
Honeynets are an idealized forensic testbed.
Latest developments:
– Sebek version 2.2.x
– Hflow data fusion tool
– Honeynet Data Analysis interface
– Bootable CDROM honeywall
Near-term goal: improve honeynet data analysis.
Long-term goal: provide a system to support realtime forensics and post intrusion intelligence gathering.
Honeynets
A network containing information system resources whose value lies in unauthorized or illicit use of those resources.
No production value.
All traffic is suspicious.
Primary value is the information gained.
Want to support the Project?
Sebek version 2.2.x
Kernel “module”, acts as a host level blackbox or flight recorder.
Designed to be invisible to all users.
Circumvents encryption.
Can be installed post intrusion.
Captures:
– Process tree information
– Names of files opened by a process
– Data read by a process, including keystrokes
– All socket activity
http://www.honeynet.org/tools/sebek/
Sebek Illustrations
Top left shows the general architecture; bottom left illustrates how Sebek gains access to sys_read data.
Data Analysis
Honeynet data analysis and traditional incident response are similar.
Multiple data types examined:
– Network traffic logs
– IDS / event logs
– Disk analysis
– Sebek or other keystroke logs
Time consuming and error prone.
How it is done today
Each data type has its own analysis tool
– causing a stovepipe effect.
– each data set is examined in isolation.
Switching data sources causes a wetware context switch.
Relations are manually discovered and expressed to each tool for screening by the analyst.
No automatic way to track interesting sequences across data sources.
Where we want to be
Shift the screening and coalescing burden to the computer.
Focus human effort on tasks best suited to the human.
Provide an interface that supports the analyst’s workflow.
Provide a system that may have use in production networks.
Improving Data Analysis
The new data coming from Sebek allows us to automatically relate network and Sebek data.
To automate coalescing we developed a backend daemon called Hflow.
To demonstrate the impact of these capabilities on reporting, we developed a web based user interface named Walleye.
The challenge facing Hflow
Hflow Overview
Fancy Perl daemon, which consumes multiple data streams.
Automates the process of data fusion.
Inputs:
– Argus data
– Snort IDS events
– Sebek socket records
– p0f OS fingerprints
Outputs:
– Normalized honeynet network data uploaded into a relational database
Hflow Illustration
What this gives us
– Automatic identification of:
  Type of OS initiating a network connection
  IDS events related to a network connection
  IDS events related to a process and user on a host
  Point where a non-root user gained root access
  List of files associated with an intrusion
  Sense of attribution between 2 related flows on a monitored box
– Operate at a higher level where we can scale to support operational networks:
  Using Argus, the central theme of an event sequence can be identified without having to examine packet traces.
  When packet traces are needed, Argus info helps facilitate retrieval.
Reporting with Walleye
Web interface provides a unified view of all network data:
– Network “flow” records
– IDS events
– OS fingerprints
– System level socket records
Allows the user to jump from network to host data.
Visualizes multiple data types together.
Reduced stove-pipe effect.
Looking closely
Host x.x.x.31 attacked x.x.x.25 on its https port. x.x.x.31 was a Linux host. The attack matched the OpenSSL worm signature and triggered 2 additional alerts that indicate the attacker gained www and then root access.
If we click on Proc View, we jump to a high level view of related process activity.
What you are seeing
Display shows a process tree and its associated IDS events.
– Created by querying on a single IDS event
– Yellow boxes are root processes
– Cyan boxes are non-root processes
– Red boxes are IDS events
– Red arrow represents the direction of the flow associated with the event
Only displaying IDS related flows.
Graph automatically generated from the DB, rendered with the graphviz tool from AT&T.
Notice anything odd about the graph?
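The fusion Hflow performs (slides 14 and 16: joining Argus flows, Snort events, Sebek socket records and p0f fingerprints on the connection's 5-tuple) and the process view Walleye renders (this slide: a process tree coloured by uid, IDS events attached in red, handed to graphviz) can be shown end to end in one small script. The following is an added example written for this page, not Hflow's or Walleye's own code (Hflow is a Perl daemon; this is Python). The record layouts, the MONITORED_HOST address, the pids, the uid 80 for the www user and the signature names are constructed assumptions, not the real Argus, Snort, Sebek or p0f formats.

```python
"""Hflow-style data fusion and Walleye-style process view (added example).

Not Hflow's or Walleye's own code. The record layouts are this example's
assumption, not the real Argus, Snort, Sebek or p0f formats; all addresses,
pids and signature names are constructed sample data.
"""
from collections import defaultdict

MONITORED_HOST = "10.0.0.25"  # the honeypot running Sebek (constructed)

FLOWS = [  # Argus-like flow records: (flow_id, start, src, sport, dst, dport, proto)
    (1, 100, "10.0.0.31", 40123, "10.0.0.25", 443, "tcp"),   # attack on https
    (2, 160, "10.0.0.25", 51000, "10.0.0.31", 4444, "tcp"),  # connection back out
    (3, 170, "10.0.0.77", 33000, "10.0.0.25", 80, "tcp"),    # unrelated web hit
]
ALERTS = [  # Snort-like events: (time, src, sport, dst, dport, proto, signature)
    (101, "10.0.0.31", 40123, "10.0.0.25", 443, "tcp", "OpenSSL worm attempt"),
    (161, "10.0.0.25", 51000, "10.0.0.31", 4444, "tcp", "outbound shell"),
]
FINGERPRINTS = [("10.0.0.31", "Linux 2.4"), ("10.0.0.77", "Windows XP")]  # p0f-like
SOCKETS = [  # Sebek-like socket records: (time, pid, src, sport, dst, dport, proto)
    (100, 4001, "10.0.0.31", 40123, "10.0.0.25", 443, "tcp"),
    (160, 4020, "10.0.0.25", 51000, "10.0.0.31", 4444, "tcp"),
]
PROCESSES = [  # Sebek-like process records: (pid, ppid, uid, command)
    (1000, 1, 0, "httpd"),
    (4001, 1000, 80, "httpd"),   # www-owned worker that accepted the attack
    (4010, 4001, 80, "sh"),
    (4015, 4010, 80, "exploit"),
    (4020, 4015, 0, "sh"),       # first uid-0 process under a non-root parent
    (4021, 4020, 0, "wget"),
]


def five_tuple(src, sport, dst, dport, proto):
    """Join key: records describing the same connection share this tuple."""
    return (src, sport, dst, dport, proto)


def fuse(flows, alerts, fingerprints, sockets):
    """One normalized record per flow: OS of the initiating host, IDS alerts
    on the connection and, when Sebek saw the socket, the pid that owned it."""
    os_by_ip = dict(fingerprints)
    alerts_by_key = defaultdict(list)
    for _t, src, sport, dst, dport, proto, sig in alerts:
        alerts_by_key[five_tuple(src, sport, dst, dport, proto)].append(sig)
    pid_by_key = {five_tuple(*s[2:]): s[1] for s in sockets}
    fused = {}
    for fid, start, src, sport, dst, dport, proto in flows:
        key = five_tuple(src, sport, dst, dport, proto)
        fused[fid] = {"start": start, "src": src, "dst": dst, "dport": dport,
                      "src_os": os_by_ip.get(src, "unknown"),
                      "alerts": alerts_by_key.get(key, []),
                      "pid": pid_by_key.get(key)}
    return fused


def root_transitions(processes):
    """Pids running as uid 0 whose parent was not: where non-root gained root."""
    uid_by_pid = {p[0]: p[2] for p in processes}
    return [pid for pid, ppid, uid, _ in processes
            if uid == 0 and ppid in uid_by_pid and uid_by_pid[ppid] != 0]


def alerts_by_process(fused):
    """Attribute each IDS alert to the process (and so the user) behind it."""
    out = defaultdict(list)
    for rec in fused.values():
        if rec["pid"] is not None and rec["alerts"]:
            out[rec["pid"]].extend(rec["alerts"])
    return dict(out)


def to_dot(processes, fused, host=MONITORED_HOST):
    """Graphviz DOT in the slide's scheme: yellow = root process, cyan =
    non-root process, red = IDS event, red arrow in the flow's direction."""
    known = {p[0] for p in processes}
    lines = ["digraph honeynet {"]
    for pid, ppid, uid, cmd in processes:
        color = "yellow" if uid == 0 else "cyan"
        lines.append(f'  p{pid} [label="{cmd} ({pid})", style=filled, fillcolor={color}];')
        if ppid in known:
            lines.append(f"  p{ppid} -> p{pid};")
    for fid, rec in fused.items():
        if rec["pid"] is None or not rec["alerts"]:
            continue  # only IDS-related flows are drawn, as on the slide
        label = "; ".join(rec["alerts"])
        lines.append(f'  e{fid} [label="{label}", style=filled, fillcolor=red];')
        edge = f"e{fid} -> p{rec['pid']}" if rec["dst"] == host else f"p{rec['pid']} -> e{fid}"
        lines.append(f"  {edge} [color=red];")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    fused = fuse(FLOWS, ALERTS, FINGERPRINTS, SOCKETS)
    print("alerts per process:", alerts_by_process(fused))
    print("root gained at pid(s):", root_transitions(PROCESSES))
    print(to_dot(PROCESSES, fused))
```

Run as a script it prints the alerts attributed to each monitored process, the pid at which uid 0 first appears under a non-root parent (the "point where a non-root user gained root access" of slide 16) and DOT text that can be piped into `dot -Tpng`. The join is deliberately exact on the 5-tuple; a production correlator also has to tolerate clock skew between sensors and address rewriting by NAT, which this example does not attempt.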
Honeywall bootable CDROM
CDROM makes deployment:
– faster
– less error prone
– more consistent
Provides data:
– capture
– control
– analysis
Honeywall Bootable Linux Distro
Contains all tools needed to rapidly roll out a local or distributed honeynet.
Provides:
– Layer 2 bridging firewall
– Snort IDS sensor
– Inline Snort with drop capability
– Traffic accounting via Argus
– Full archive of all packets
– Traffic rate limiting
– Hflow and the Walleye UI (coming soon)
Strong support for customization.
Effort led by Dave Dittrich @ UW.
Status of components
Everything will be release grade within 9 months.
Sebek
– Linux client stable, internal beta
– Compatible win32, xBSD and Solaris on the way
Hflow
– internal beta
Walleye interface
– internal alpha
Honeywall CDROM
– public beta
Next Steps
Flesh out UI.
Testing, lots of testing.
Development of new analysis techniques:
– intruder identification
– intruder classification
Take tools and techniques and use them in production networks as part of incident response.
How these tools might be used in the field
1. Intrusion occurs, and incident response begins.
2. Bootable CDROM thrown into a spare PC with 3 NICs.
3. Honeywall is configured.
4. Honeywall placed upstream of the compromised host.
5. Sebek is installed on the host.
6. Intruder is now fully monitored.