bsa2016 - honeypots for network security monitoring
![Page 1: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/1.jpg)
Using Honeypots for Network Security Monitoring
Chris Sanders, BSides Augusta 2016
![Page 2: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/2.jpg)
Chris Sanders (@chrissanders88)
Find Evil @ FireEye
Founder @ Rural Tech Fund
PhD Researcher
GSE #64
BBQ Pit Master
Author: Practical Packet Analysis, Applied NSM
![Page 3: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/3.jpg)
Agenda
Security Economics
Traditional Honeypots
NSM Honeypots
Honeypot Applications
“Why honeypots are a cost effective strategy for enhancing your network security monitoring strategy.”
![Page 4: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/4.jpg)
Security Economics
![Page 5: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/5.jpg)
Economics of Security
“If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics.” - Taufiq Rashid
[Diagram: high demand for security expertise versus low supply of security practitioners; labels: Expertise, Services, Software]
![Page 6: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/6.jpg)
It’s not enough for security to be good, it has to be affordable to purchase, operate, and maintain.
![Page 7: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/7.jpg)
Cost Effective NSM
[Chart: cost versus effectiveness, plotting Analytics/ML, Antivirus, NGFW, SIEM, Endpoint, IDS/IPS and Honeypots]
Where do most security solutions rank in terms of cost effectiveness?
![Page 8: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/8.jpg)
History of Honeypots
![Page 9: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/9.jpg)
Seminal Work
Large Orgs and Defense
Many Academic Papers
The Honeynet Project
Honeyd Software
![Page 10: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/10.jpg)
Traditional Honeypots
Designed to be attacked
Intentionally vulnerable
Primarily used for specific research
Originally useful for learning about attackers
Useful for tracking scanning and proliferation of worms
![Page 11: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/11.jpg)
Honeypot Architecture
![Page 12: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/12.jpg)
Hold Your Horses!
1. Honeypots take a lot of time to maintain.
2. Honeypots introduce tremendous risk.
3. Attackers can use honeypots as a foothold.
4. Honeypots are only for the most mature organizations.
![Page 13: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/13.jpg)
Honeypots for NSM
![Page 14: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/14.jpg)
NSM Honeypots
Premise: Nobody should ever talk to a honeypot
Attributes:
1. Placed inside the network
2. Mimic existing systems
3. Low interaction
4. Extensive logging and alerting
5. Goal oriented
![Page 15: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/15.jpg)
![Page 16: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/16.jpg)
Your honeypot strategy should be an integrated component of your NSM strategy.
![Page 17: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/17.jpg)
Integrating NSM Honeypots
[Diagram: NSM Strategy; Honeypots]
![Page 18: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/18.jpg)
Integrating NSM Honeypots
[Diagram: Honeypots; NSM Strategy]
![Page 19: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/19.jpg)
Honeypot Applications
![Page 20: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/20.jpg)
Goal-Oriented Deception
Mimic Reality → Capture Interaction → Generate an Alert
Protect: Systems, Users, Data
![Page 21: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/21.jpg)
Protect the Systems
Mimic Reality → Capture Interaction → Generate an Alert
Protect: Windows systems using RDP
1. Deploy an RDP honeypot [Tom’s, OpenCanary]
2. Capture any connection attempt
3. Generate an alert to your SIEM/SOC
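The three steps above, together with the NSM honeypot premise that nobody should ever talk to a honeypot, as a worked example. This is an added illustration written for this page, not code from the talk, from Tom’s Honeypot or from OpenCanary: a low-interaction listener that accepts a TCP connection on a port mimicking a real service, records who connected, closes the socket, and emits one JSON alert per connection for the SIEM. The default port 3389, the service label and the alert field names are assumptions; the listener deliberately does not emulate RDP, which is the low-interaction trade-off the slides describe: the connection attempt itself is the detection.

```python
"""Low-interaction connection honeypot with SIEM-style alerting (added example)."""
import json
import socket
import threading
from datetime import datetime, timezone

SERVICE_NAME = "rdp"  # label only (assumption); the listener does not speak RDP
DEFAULT_PORT = 3389   # assumption: the Windows RDP port we want to mimic


def build_alert(peer_ip, peer_port, local_port, service=SERVICE_NAME, now=None):
    """Shape one connection attempt into a flat, SIEM-friendly dict.
    Field names are assumptions; map them to your SIEM's schema."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "timestamp": ts,
        "event_type": "honeypot_connection",
        "severity": "high",  # nobody should talk to a honeypot, so every hit is high
        "service": service,
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": local_port,
        "message": f"Honeypot {service}/{local_port} contacted by {peer_ip}:{peer_port}",
    }


class ConnectionHoneypot:
    """Low-interaction listener: accept, record, close. No protocol emulation."""

    def __init__(self, host="0.0.0.0", port=DEFAULT_PORT, sink=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]  # real port, also when port=0 was requested
        self.alerts = []                        # in-memory copy of everything sent to the sink
        self.sink = sink or (lambda a: print(json.dumps(a)))  # default sink: JSON lines on stdout
        self._seen = threading.Condition()
        self._stop = threading.Event()
        self._thread = None

    def _serve(self):
        self.sock.settimeout(0.2)  # poll the stop flag between accepts
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            alert = build_alert(ip, port, self.port)
            with self._seen:
                self.alerts.append(alert)
                self._seen.notify_all()
            self.sink(alert)
            conn.close()  # never answer; the connection attempt itself is the signal

    def start(self):
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self

    def wait_for(self, count, timeout=2.0):
        """Block until at least `count` alerts were recorded; True if that happened."""
        with self._seen:
            return self._seen.wait_for(lambda: len(self.alerts) >= count, timeout)

    def stop(self):
        self._stop.set()
        if self._thread:
            self._thread.join()
        self.sock.close()


def probe(host, port):
    """Open and immediately close one TCP connection (used by the demo and test)."""
    with socket.create_connection((host, port), timeout=2):
        pass


if __name__ == "__main__":
    hp = ConnectionHoneypot(port=DEFAULT_PORT).start()  # binding 3389 needs root/CAP_NET_BIND_SERVICE
    print(f"honeypot listening on {hp.port}; Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        hp.stop()
```

Run it as a script to listen on the mimicked port, or construct it with `port=0` and a custom `sink` (for example a function that POSTs to your SIEM's HTTP collector) to wire it into an existing pipeline; the `alerts` list exists so the behaviour can be checked without a SIEM present.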
![Page 22: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/22.jpg)
Protect the Data
Mimic Reality → Capture Interaction → Generate an Alert
Protect: HR data in spreadsheets
1. Deploy a HoneyDoc
2. Embed a web bug that phones home
3. Configure OS file access monitoring
4. Generate an alert when the doc phones home, or when the file is accessed.
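The web-bug path of the steps above (deploy a decoy, embed a beacon, alert when it phones home; OS file access monitoring from step 3 is outside this block) as an added example, not code from the talk or from CanaryTokens.org. It is the receiving end of the phone-home: each decoy document gets its own random token baked into the beacon URL, so a hit on that URL identifies which document was opened, from which address and with which client, and becomes an alert. The `/t/<token>.gif` path, the alert field names and the 1x1 GIF response are assumptions; every request gets the same image so a probe of the endpoint reveals nothing about which tokens are live.

```python
"""HoneyDoc beacon receiver with alerting (added example)."""
import json
import secrets
import threading
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# 1x1 transparent GIF, returned for every beacon request, known token or not
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
         b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


class TokenRegistry:
    """Maps beacon tokens to the decoy document they were embedded in."""
    def __init__(self):
        self._docs = {}

    def register(self, doc_label, owner):
        token = secrets.token_urlsafe(16)  # unguessable per-document token
        self._docs[token] = {"doc": doc_label, "owner": owner}
        return token

    def beacon_path(self, token):
        return f"/t/{token}.gif"  # assumption: this is the URL path embedded in the decoy

    def lookup(self, token):
        return self._docs.get(token)


def build_alert(registry, path, src_ip, user_agent, now=None):
    """Turn one beacon request into an alert dict; None if the token is unknown."""
    p = urlparse(path).path
    if not (p.startswith("/t/") and p.endswith(".gif")):
        return None
    doc = registry.lookup(p[len("/t/"):-len(".gif")])
    if doc is None:
        return None
    return {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "event_type": "honeydoc_opened",
        "severity": "high",
        "doc": doc["doc"],
        "owner": doc["owner"],
        "src_ip": src_ip,
        "user_agent": user_agent,
        "message": f"Decoy '{doc['doc']}' opened from {src_ip}",
    }


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = build_alert(self.server.registry, self.path,
                            self.client_address[0], self.headers.get("User-Agent", ""))
        if alert:
            self.server.alerts.append(alert)
            self.server.sink(alert)
        # Identical response for every request, so the endpoint leaks nothing
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")  # force a fresh beacon on each open
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # keep stdout for alerts only
        pass


class BeaconServer(HTTPServer):
    def __init__(self, addr, registry, sink=None):
        super().__init__(addr, BeaconHandler)
        self.registry = registry
        self.alerts = []
        self.sink = sink or (lambda a: print(json.dumps(a)))


def serve_in_background(server):
    t = threading.Thread(target=server.serve_forever, daemon=True)
    t.start()
    return t


def fetch(url, user_agent):
    """Simulate the document's web bug: one GET carrying a client User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    reg = TokenRegistry()
    tok = reg.register("HR_salaries_2016.xlsx", "hr-team")  # constructed decoy label
    srv = BeaconServer(("0.0.0.0", 8080), reg)
    print("embed this URL in the decoy:", f"http://<beacon-host>:8080{reg.beacon_path(tok)}")
    srv.serve_forever()
```

In production the beacon host name is the only thing the decoy reveals, so place the receiver where a resolution or connection to it is itself unusual, and pair it with the OS file access auditing from step 3 for the case where the document is copied but never rendered.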
![Page 23: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/23.jpg)
Protect the Users
Mimic Reality → Capture Interaction → Generate an Alert
Protect: Service account credentials
1. Create limited-access honeyusers [DCEPT]
2. Detect cleartext credentials in memory
3. Generate an alert to your SIEM/SOC
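The honeyuser steps above as an added example, not code from the talk or from DCEPT. The honey accounts are created with no real access and their credentials are left where a credential thief would find them; a legitimate user never authenticates as one, so the detection half reduces to: any authentication event naming a honey account, successful or not, is an alert, and the source host of that event is the machine to look at. The input is a constructed, simplified JSON-lines logon feed, not a real Windows or DCEPT log format; account names, hostnames and field names are all constructed.

```python
"""Honeyuser authentication detector over constructed logon events (added example)."""
import json

HONEY_ACCOUNTS = {"svc_backup_old", "svc_sql_legacy"}  # constructed honeyuser names

# Constructed sample feed: normal activity mixed with honey account use and one bad line
SAMPLE_EVENTS = """\
{"ts": "2016-09-10T13:01:02Z", "event": "logon", "user": "jdoe", "src_host": "WS-014", "dst_host": "FS-01", "outcome": "success"}
{"ts": "2016-09-10T13:02:10Z", "event": "kerberos_tgt", "user": "svc_backup_old", "src_host": "WS-231", "dst_host": "DC-01", "outcome": "failure"}
{"ts": "2016-09-10T13:02:11Z", "event": "logon", "user": "CORP\\\\SVC_BACKUP_OLD", "src_host": "WS-231", "dst_host": "FS-01", "outcome": "success"}
{"ts": "2016-09-10T13:05:44Z", "event": "logon", "user": "asmith", "src_host": "WS-077", "dst_host": "FS-01", "outcome": "failure"}
not json at all
"""


def parse_events(text):
    """Yield event dicts, skipping blank or malformed lines instead of aborting the run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "user" in ev:
            yield ev


def is_honey_account(user, honey=HONEY_ACCOUNTS):
    """Normalise DOMAIN\\user and user@realm forms; AD names are case-insensitive."""
    name = user.rsplit("\\", 1)[-1].split("@", 1)[0].lower()
    return name in {h.lower() for h in honey}


def detect(text, honey=HONEY_ACCOUNTS):
    """One alert per event that names a honey account.
    Success or failure does not matter: the attempt itself is the signal."""
    alerts = []
    for ev in parse_events(text):
        if not is_honey_account(ev["user"], honey):
            continue
        alerts.append({
            "timestamp": ev.get("ts"),
            "event_type": "honeyuser_auth",
            "severity": "critical",
            "user": ev["user"],
            "src_host": ev.get("src_host"),
            "dst_host": ev.get("dst_host"),
            "outcome": ev.get("outcome"),
            "message": (f"Honey account {ev['user']} used from {ev.get('src_host')} "
                        f"({ev.get('event')}, {ev.get('outcome')})"),
        })
    return alerts


def summarize(alerts):
    """Group alerts by source host so the SOC gets one lead per suspect machine."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["src_host"], []).append(a["user"])
    return by_host


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(json.dumps(a))
    print("suspect hosts:", summarize(found))
```

The grouping step matters in practice: a credential theft tool that scrapes several planted accounts from one machine produces a burst of alerts, and the analyst wants the host, not the individual events, as the unit of work.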
![Page 24: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/24.jpg)
Call to Action
![Page 25: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/25.jpg)
Your NSM strategy is incomplete if you aren’t leveraging honeypot infrastructure for detection.
![Page 26: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/26.jpg)
The Challenge
Analysts… ...start looking for implementation opportunities.
Managers… ...ensure this technique is part of your analysts’ toolbelt.
Vendors… ...develop affordable honeypot-based solutions.
Open Source Contributors… ...drive innovation in this space.
![Page 27: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/27.jpg)
Recommended Honeypot Software
Honeypots: OpenCanary, Tom’s Honeypot, Cowrie (SSH), RDPY (RDP), CanaryTokens.org
Management: Ansible, Docker, Chef
Alerting: Snort, Suricata, Bro, SIEM
![Page 28: BSA2016 - Honeypots for Network Security Monitoring](https://reader030.vdocuments.mx/reader030/viewer/2022033101/5878e2ef1a28abfa038b4dd5/html5/thumbnails/28.jpg)
Other Honeypot Software
Conpot, Dionaea, Ensnare, ESPot, Gaspot, Glastopf, Gridpot, Honeyd, Honeyntp, HoneyPotter, HoneyPress, Honeyprint, HoneyPy, Kippo, Nodepot, NoSQLpot, Shadow Daemon, TelnetHoney, Thug, Wordpot
https://github.com/paralax/awesome-honeypots