the botnet expansion lifecycle

Post on 10-Feb-2017


BITNINJA.IO

HONEYPOTS, THEY ARE NOT JUST FOR WINNIE THE POOH ANYMORE!

George Egri

BitNinja.IO

WHAT IS A HONEYPOT?

Attract, Catch, Analyze

REAL WORLD EXAMPLE

SERVER HONEYPOT DESIGNS

Low interaction: a FAKE DAEMON on the server

High interaction: a HONEYPOT VM on the server

Interaction measures the amount of activity an attacker can have with a honeypot.

TYPES OF ATTACK

Automatic / Manual

ATTACK CYCLE

1. SCAN

1. Scan for vulnerable services

DIRECT / DISTRIBUTED

> DIRECT SCAN

> DISTRIBUTED SCAN

> PORT HONEYPOT

1. SCAN

PROTECTION:

> PORT HONEYPOTS

> WEB HONEYPOTS

> LOG ANALYSIS

> DISTRIBUTED LOG ANALYSIS

2. EXPLOIT

SQL injection

Code injection

Login after successful bruteforce

Etc.

PROTECTION:

> WEB APPLICATION FIREWALL

> IP REPUTATION

3. INFECT

PROTECTION:

> WEB APPLICATION FIREWALL

> VIRUS/MALWARE DETECTION… BUT THE ATTACKER IS ALREADY IN!

4. REGISTER COMMAND AND CONTROL

PROTECTION:

> IP REPUTATION (LISTED C&C SERVERS)

> OUTGOING TRAFFIC ANALYSIS (LIKE WAF)

5. POST EXPLOIT HACKING

PROTECTION:

> WAF

> OUTGOING TRAFFIC ANALYSIS

> INFORMATION HONEYPOT

[Diagram: ATTACKER → EXPLOITED SERVER → FIREWALL → REAL TARGET SERVER]

5. INFO HONEYPOT

Files on a server

readable for everyone

looks like a real mistake

contains address and credentials for other systems

watched for processes opening it

honeypot trap for the actual usage of the credentials

/backup.sh

#!/bin/bash
# Decoy backup script: the host, account and password below are planted bait
IP=10.3.11.74
USER=backuppc
PASSWORD=453fwTfGSDwe
# lftp takes the login as a single "user,password" argument
lftp -e "mirror -R /etc /backup/server/etc; exit" -u "$USER,$PASSWORD" "$IP"
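The information honeypot from this slide, worked through as an added example (not code from the talk or from BitNinja): it pulls the planted credentials out of the decoy file, emits an auditd watch rule for the "watched for processes opening it" step, and classifies login records seen by the fake target against them. The decoy text, the log format and the sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Decoy file contents, constructed after the talk's backup.sh slide; the host,
# account and password are planted bait, not real credentials.
DECOY_PATH = "/backup.sh"
DECOY_TEXT = """#!/bin/bash
IP=10.3.11.74
USER=backuppc
PASSWORD=453fwTfGSDwe
lftp -e "mirror -R /etc /backup/server/etc; exit" -u "$USER,$PASSWORD" $IP
"""

# Constructed login records, in an assumed format, as the fake daemon listening
# on the planted IP would log them (timestamp, source, user, password).
SAMPLE_ATTEMPTS = [
    "2017-02-10T10:00:01 src=198.51.100.7 user=anonymous pass=guest",
    "2017-02-10T10:01:02 src=203.0.113.5 user=backuppc pass=453fwTfGSDwe",
    "2017-02-10T10:01:09 src=203.0.113.5 user=backuppc pass=Passw0rd",
]

@dataclass
class Alert:
    severity: str
    src: str
    reason: str

def parse_decoy(text):
    """Extract the planted IP/USER/PASSWORD so the trap knows what to watch for."""
    vals = dict(re.findall(r"^(IP|USER|PASSWORD)=(\S+)$", text, re.M))
    return vals["IP"], vals["USER"], vals["PASSWORD"]

def audit_rule(path=DECOY_PATH):
    """auditd watch: log every process that reads the decoy, under key 'honeytoken'."""
    return f"-w {path} -p r -k honeytoken"

def check_attempt(line, honey):
    """Classify one login record against the planted credentials; None if unrelated."""
    _ip, user, password = honey
    m = re.search(r"src=(\S+) user=(\S+) pass=(\S+)", line)
    if not m or m.group(2) != user:
        return None  # planted account not involved
    if m.group(3) == password:  # only a reader of the decoy can know this value
        return Alert("high", m.group(1), "planted credentials used")
    return Alert("medium", m.group(1), "planted account name probed")

def scan_attempts(lines, honey):
    """Run every record through the trap and keep only the alerts."""
    return [a for a in (check_attempt(l, honey) for l in lines) if a]
```

Because the planted host and account do not exist for any legitimate purpose, every hit on them is a true positive, which is what lets the decoy cut the false-positive noise of ordinary brute-force detection.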

6. RESOURCE USE

PROTECTION:

> OUTGOING WAF

> OUTGOING SPAM FILTER

> OUTGOING DOS MITIGATION RULES

> IP REPUTATION (LISTED C&C SERVERS)

7. EXPAND

PROTECTION:

> OUTGOING WAF

> IP REPUTATION (LISTED C&C SERVERS)

HONEYNETS, HONEYFARMS

REACT

Block/Drop disadvantages:

- Can't collect further info for analysis

- Timing-based restrictions are easy to automate around

- Lack of false positive management

IP Greylisting by BitNinja advantages:

- Distributes IP reputation info to all your servers within 2 seconds (general IP reputation services use 1, 2, 4 hour or daily lists)

- Dramatically reduces false positives through the different Captcha modules

- Managed automatically

- Gains the advantage of the info from the worldwide BitNinja honeyfarm community (all users and BitNinja honeypots)

Q & A

BITNINJA.IO

George Egri

george@bitninja.io

+1 805-628-4196

/zsoltegri

/bitninjaio
