Honeynets Detecting Insider Threats Kirby Kuehl

Slide 1: Honeynets: Detecting Insider Threats
Kirby Kuehl, kkuehl@honeynet.org

Slide 2: Your Speaker
- Honeynet Project member since 1999.
  - Honeynet application beta testing: Honeywall CD, Sebek LKM
  - Technical review of Know Your Enemy, 2nd Edition
- Cisco Systems since 2000.
  - Internal-facing information security
  - Intrusion detection and event correlation
  - Internal security tools development
- Open source developer: http://winfingerprint.sourceforge.net

Slide 3: Insider Definition
in·sid·er n.
- An accepted member of a group.
- One who has special knowledge of, or access to, confidential information.
Examples:
- Network, system, and database administrators
- Employees and contractors
- Business partners

Slide 4: How can being an accepted member of the group be used by an insider?
- Leverage existing credentials on valuable systems.
- Sniff clear-text protocols to obtain valid credentials.
- Use valid accounts to exploit unpatched local vulnerabilities and escalate privileges.
- System administrators can obviously access any sensitive information on the machines.
- Companies typically focus on external threats.
  - Less secure intranet web applications and databases.
  - The ability to share internal data easily is often treated as more important than sharing it securely.

Slide 5: How can an insider leverage existing knowledge?
- Insiders know the location of valuable resources such as financial data and employee records.
- Physical access.
- Insiders may be aware of company security weaknesses and defenses.
  - Familiar with the practices of the security team, IDS locations, log rotations, patch cycles, access control lists.
- Take advantage of unpatched remote vulnerabilities and backdoors left open by worms.

Slide 6: Possible Insider Motives
Financial gain
- Industrial espionage
  - Intellectual property
  - Sensitive customer information
  - Sensitive employee information
- Identity theft
Sabotage
- Disgruntlement
  - Employee may be quitting or know they are about to be fired.
  - Damage another employee's work.

Slide 7: Should you run an Insider Honeypot?
- Consult your Legal Department.
  - You need their support for prosecution and/or termination.
- Company Acceptable Use Policy
  - Data privacy expectations: the security team has the authority to sniff traffic, image hard drives, obtain backups, read user email, etc. during an investigation.
  - What is considered abuse/misuse: outline abuse of privileges, policy against vulnerability scanning, running sniffers, sharing passwords, etc.
  - How will misuse/abuse be handled? Employee termination, legal action.

Slide 8: How will Forensic Data be handled?
- The Honeynet Project is interested in learning the tools, tactics, and motives of the blackhat community and is not interested in prosecution.
- How will your company handle forensic data? Evidence may have to be presented in a court of law.
  - Ensure evidence is not damaged, destroyed, or tainted.
  - Preserve chain of custody.

Slide 9: Defining an Internal Honeypot
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
Key honeypot components:
- Data capture
  - Capture detailed information of host and network events.
- Data control
  - Ability to limit inbound and outbound connections when a threshold is reached.
- Alerting
  - Ability to inform the honeypot administrators when an event is occurring.

Slide 10: Insider Honeypot Types
- Low interaction
- High interaction
- Honeynets using the Honeywall CD
- Hot zoning
- Honeytokens

Slide 11: Low-Interaction Insider Honeypots
Advantages:
- Easy to deploy, minimal risk.
Disadvantages:
- Emulated services provide limited interaction, which makes it difficult to determine the real motives of the insider.
- Internal low-interaction honeypots are probably only useful for detecting worms or sweeping vulnerability scans.
Examples:
- Black hole routers advertising dark IP space (see the Arbor Networks whitepaper on sinkholes).
- Specter, KFSensor, Honeyd, and LaBrea.
- Commercial HIDS: Cisco Security Agent, McAfee Entercept, ISS BlackICE.

Slide 12: High-Interaction Insider Honeypots
- Insider honeypots should be deployed in the same IP space as real resources such as development web servers and CVS repositories.
Advantages:
- Provide real operating systems and services, no emulation.
- The insider may interact with real services for a long time, capturing extensive information.
- Any interaction should be considered malicious; it does not have to match an attack signature from an IDS.
Disadvantages:
- Complex to deploy (easier with the Honeywall CD), greater risk.
- Captures insiders less familiar with your environment.
- Examples include Symantec Decoy and honeynets.

Slide 13: Honeywall bootable CD-ROM
Simplifies the deployment, maintenance, and customization of a honeynet.
- Layer 2 bridging firewall (iptables) used to count and limit connections.
  - No IP address.
  - Doesn't decrement TTL.
- Snort-inline
  - Modified version of Snort that accepts packets from iptables instead of libpcap. It then tells iptables whether the packet should be dropped, rejected, modified, or allowed to pass, based on a Snort rule set.
  - Also used for alerting.
- Sebek_extract
  - Server component of Sebek (kernel-module-based logger) data capture.
http://www.honeynet.org/tools/cdrom/
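The data-control component described on slides 9 and 13 (count outbound connections per honeypot, allow them until a threshold is reached, then drop and alert) as an added example; this is not code from the presentation or from the Honeywall CD, and the protocol budgets, window length and the 10.1.9.x scenario are constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed per-honeypot outbound budgets per protocol in a one-hour sliding
# window (constructed for this example): high enough to capture the insider's
# tools at work, low enough that the honeypot cannot attack other hosts.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 10}
WINDOW = 3600  # seconds

class DataControl:
    """Honeywall-style data control. Inbound connections always reach the
    honeypot (that interaction is what we want to see); outbound connections
    are counted per (honeypot, protocol) and dropped once the window's budget
    is spent, raising one alert per exhausted window."""

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.allowed = defaultdict(deque)  # (honeypot, proto) -> timestamps
        self.dropped = defaultdict(int)    # drops seen in the current window
        self.alerts = []

    def outbound(self, ts, honeypot, proto, dst):
        """Decide on one new outbound connection: returns 'allow' or 'drop'."""
        key = (honeypot, proto)
        q = self.allowed[key]
        while q and ts - q[0] >= self.window:   # expire entries past the window
            q.popleft()
        if not q:
            self.dropped[key] = 0                # a quiet window re-arms alerting
        limit = self.limits.get(proto, self.limits["other"])
        if len(q) >= limit:
            self.dropped[key] += 1
            if self.dropped[key] == 1:
                self.alerts.append(f"{honeypot} exhausted {proto} budget "
                                   f"({limit}/{self.window}s); dropping to {dst}")
            return "drop"
        q.append(ts)
        return "allow"

def demo():
    """Constructed scenario: a compromised honeypot starts probing its peers."""
    dc = DataControl()
    decisions = [dc.outbound(t, "10.1.9.50", "tcp", f"10.1.9.{100 + t}") for t in range(20)]
    return decisions, dc.alerts

if __name__ == "__main__":
    d, alerts = demo()
    print(d.count("allow"), "allowed,", d.count("drop"), "dropped")
    print("\n".join(alerts))
```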

Slide 14: Honeywall CD / Honeynet Diagram

Slide 15: Hot Zoning
Divert traffic destined for unused services on production systems to an internal honeypot.

Slide 16: Honeytokens
- Resources used for detecting and tracking insider interaction with legitimate resources.
- Items that should not normally be accessed.
  - Fake documents: fake source code, Microsoft Word and Excel documents.
  - Bogus SSN or credit card numbers.
  - Emails.
  - Login and password, for example test:test.
- Ability to send notification when accessed.
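The "notification when accessed" part of the honeytoken idea, as an added example that is not part of the presentation: detection logic run over constructed SSH auth and web-server log lines, raising an alert whenever the decoy account from the slide (test) or a decoy document path is touched. The account name comes from the slide; the file paths, hostnames, IP addresses and log lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed honeytokens: the slide's decoy account (test:test), a decoy
# spreadsheet and a decoy source file. None of them is a real resource, so
# any log line that references one is suspicious by definition.
HONEYTOKEN_USERS = {"test"}
HONEYTOKEN_PATHS = {"/shares/finance/Q3_payroll.xls", "/cvs/secret_project/auth.c"}

# Constructed log lines: an sshd auth log and a web access log. Only the
# lines that reference a honeytoken should produce an alert.
SAMPLE_LOGS = [
    "Mar  3 10:12:01 dev-cvs sshd[4121]: Accepted password for jsmith from 10.1.4.22 port 51022 ssh2",
    "Mar  3 10:14:37 dev-cvs sshd[4130]: Accepted password for test from 10.1.9.77 port 40312 ssh2",
    '10.1.9.77 - - [03/Mar:10:15:02 +0000] "GET /shares/finance/Q3_payroll.xls HTTP/1.1" 200 81920',
    '10.1.4.22 - - [03/Mar:10:16:45 +0000] "GET /shares/finance/expenses_template.xls HTTP/1.1" 200 4096',
    "Mar  3 10:20:00 dev-cvs sshd[4150]: Failed password for test from 10.1.9.77 port 40388 ssh2",
]

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) password for (\S+) from (\S+) port")
HTTP_RE = re.compile(r'^(\S+) .*"(?:GET|POST|HEAD) (\S+) HTTP')

@dataclass(frozen=True)
class Alert:
    source: str   # IP address of the host that touched the token
    token: str    # which honeytoken was touched
    detail: str   # what happened (even a failed login is worth knowing)

def check_line(line: str):
    """Return an Alert if the line references a honeytoken, else None."""
    m = SSH_RE.search(line)
    if m:
        outcome, user, src = m.groups()
        if user in HONEYTOKEN_USERS:
            return Alert(src, f"account:{user}", f"{outcome.lower()} login")
        return None
    m = HTTP_RE.match(line)
    if m:
        src, path = m.groups()
        if path in HONEYTOKEN_PATHS:
            return Alert(src, f"file:{path}", "http fetch")
    return None

def scan(lines):
    """Run every line through check_line and keep the alerts, in log order."""
    return [a for a in (check_line(l) for l in lines) if a]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"ALERT {a.source} touched {a.token} ({a.detail})")
```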

Slide 17: Question and Answer Session
Kirby Kuehl, http://www.honeynet.org
