The Botnet Expansion Lifecycle
BITNINJA.IO
HONEYPOTS, THEY ARE NOT JUST FOR WINNIE THE POOH ANYMORE!
George Egri
WHAT IS A HONEYPOT?
Attract, Catch, Analyze
REAL WORLD EXAMPLE
SERVER HONEYPOT DESIGNS
Interaction measures the amount of activity an attacker can have with a honeypot.
- Low interaction: a fake daemon running on the server
- High interaction: a dedicated honeypot VM running on the server
TYPES OF ATTACK
- Automatic
- Manual
ATTACK CYCLE
1. SCAN
Scan for vulnerable services
- Direct
- Distributed
> DIRECT SCAN
> DISTRIBUTED SCAN
> PORT HONEYPOT
1. SCAN
PROTECTION:
> PORT HONEYPOTS
> WEB HONEYPOTS
> LOG ANALYSIS
> DISTRIBUTED LOG ANALYSIS
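As an added example (not from the slides and not BitNinja's code), here is a low-interaction port honeypot of the fake-daemon kind described above, together with the log analysis that turns its hits into a scan verdict: it listens on a few unused ports, records every connection, and flags any source that touches several trap ports within a short window, which is the trace a direct scan leaves. The trap port numbers, the banner text and the thresholds are assumptions.

```python
"""Low-interaction port honeypot with scan detection over its own log.
Added example for this page, not BitNinja's code. Trap ports, banner text and
thresholds are assumptions."""
import socketserver
import threading
import time
from collections import defaultdict
from datetime import datetime

TRAP_PORTS = [2323, 3307, 5433, 8081]               # nothing legitimate listens here (assumed)
FAKE_BANNER = b"220 backup-01 FTP server ready\r\n"  # gives a probe something to fingerprint

EVENTS = []                 # (unix_time, source_ip, destination_port)
EVENTS_LOCK = threading.Lock()


def record(ts, src_ip, dst_port):
    """Append one hit; a real deployment ships this to a central collector."""
    with EVENTS_LOCK:
        EVENTS.append((ts, src_ip, dst_port))


class TrapHandler(socketserver.BaseRequestHandler):
    """Fake daemon: log the peer, send a banner, swallow one probe, hang up."""

    def handle(self):
        record(time.time(), self.client_address[0], self.server.server_address[1])
        try:
            self.request.sendall(FAKE_BANNER)
            self.request.settimeout(3)
            self.request.recv(256)      # first probe bytes, then the socket is closed
        except OSError:
            pass


def find_scanners(events, min_ports=3, window=60.0):
    """Sources that touched at least min_ports distinct trap ports within any
    window-second span, mapped to every port they touched. One stray
    connection is ignored; a sweep across ports is not."""
    by_ip = defaultdict(list)
    for ts, ip, port in events:
        by_ip[ip].append((ts, port))
    scanners = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_ports:
                scanners[ip] = sorted({p for _, p in hits})
                break
    return scanners


def serve_forever(ports=TRAP_PORTS, bind="0.0.0.0", interval=10):
    """One listener thread per trap port; report scanners every interval seconds."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    servers = []
    for port in ports:
        srv = socketserver.ThreadingTCPServer((bind, port), TrapHandler)
        srv.daemon_threads = True
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    try:
        while True:
            time.sleep(interval)
            with EVENTS_LOCK:
                snapshot = list(EVENTS)
            for ip, ports_hit in find_scanners(snapshot).items():
                print(f"{datetime.now():%H:%M:%S} scanner {ip} touched {ports_hit}")
    except KeyboardInterrupt:
        for srv in servers:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    serve_forever()
```

Run it with python3 (no root needed for ports above 1024) and probe it with `nmap -p 2323,3307,5433,8081 <host>`; the scanner is reported within ten seconds. Replacing the in-memory EVENTS list with a feed to a central collector is what makes this the distributed log analysis of the slide: a source seen sweeping one server is then known to all of them.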
2. EXPLOIT
- SQL injection
- Code injection
- Login after a successful brute force
- Etc.
PROTECTION:
> WEB APPLICATION FIREWALL
> IP REPUTATION
3. INFECT
PROTECTION:
> WEB APPLICATION FIREWALL
> VIRUS/MALWARE DETECTION… BUT THE ATTACKER IS ALREADY IN!
4. REGISTER COMMAND AND CONTROL
PROTECTION:
> IP REPUTATION (LISTED C&C SERVERS)
> OUTGOING TRAFFIC ANALYSIS (LIKE WAF)
5. POST EXPLOIT HACKING
PROTECTION:
> WAF
> OUTGOING TRAFFIC ANALYSIS
> INFORMATION HONEYPOT
Diagram: attacker -> exploited server -> firewall -> real target server (the exploited server is used as the jump host behind the firewall).
5. INFO HONEYPOT
- Files on a server, readable for everyone
- Looks like a real mistake
- Contains addresses and credentials for other systems
- Watched for processes opening it
- Honeypot trap for the actual usage of the credentials
/backup.sh (the decoy file; the host, user and password in it lead only to the trap)
```bash
#!/bin/bash
IP=10.3.11.74
USER=backuppc
PASSWORD=453fwTfGSDwe
lftp -e "mirror -R /etc /backup/server/etc; exit" -u "$USER,$PASSWORD" "$IP"
```
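An added example of the trap that the decoy file points to (not BitNinja's code): a minimal FTP control-channel listener that speaks just enough of the protocol for a client such as lftp to send USER and PASS, records every attempt, never lets anyone in, and marks an attempt as a confirmed read of the decoy when the user and password from /backup.sh appear. The listening port 2121 (a real deployment would answer on port 21 at the decoy's address) and the in-memory alert list are assumptions.

```python
"""Credential trap for the decoy /backup.sh above. Added example, not
BitNinja's code: a tiny FTP control-channel listener that accepts USER/PASS,
always refuses the login, and flags the decoy user/password when they appear."""
import socketserver
import time

DECOY_USER = "backuppc"            # values from the decoy script
DECOY_PASSWORD = "453fwTfGSDwe"
LISTEN = ("0.0.0.0", 2121)         # assumption; the decoy points at port 21 on 10.3.11.74

# Every login attempt: (unix_time, src_ip, user, password, used_decoy)
ALERTS = []


class FtpTrapSession:
    """State machine for one control connection. feed() takes a received line
    and returns the reply to send. Only USER, PASS and QUIT are understood."""

    def __init__(self, src_ip, alerts=ALERTS, clock=time.time):
        self.src_ip = src_ip
        self.alerts = alerts
        self.clock = clock
        self.user = None

    @staticmethod
    def greeting():
        return "220 backup FTP server ready\r\n"

    def feed(self, line):
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required\r\n"
        if verb == "PASS":
            used_decoy = self.user == DECOY_USER and arg == DECOY_PASSWORD
            self.alerts.append((self.clock(), self.src_ip, self.user, arg, used_decoy))
            # Always refuse. A decoy match is the high-confidence alert: the only
            # way to know that password is to have read the file.
            return "530 Login incorrect\r\n"
        if verb == "QUIT":
            return "221 Goodbye\r\n"
        return "502 Command not implemented\r\n"


def decoy_hits(alerts=ALERTS):
    """Attempts that presented the decoy credentials, oldest first."""
    return [a for a in alerts if a[4]]


class TrapHandler(socketserver.StreamRequestHandler):
    timeout = 30   # drop idle clients

    def handle(self):
        session = FtpTrapSession(self.client_address[0])
        try:
            self.wfile.write(session.greeting().encode())
            for raw in self.rfile:
                reply = session.feed(raw.decode("latin-1"))
                self.wfile.write(reply.encode())
                if reply.startswith(("221", "530 Login")):
                    break
        except OSError:
            pass   # client went away or idled out; the attempt is already logged


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, TrapHandler) as srv:
        try:
            srv.serve_forever()
        except KeyboardInterrupt:
            pass
```

The other half of the slide, noticing which process opened the decoy, is a job for auditd: `auditctl -w /backup.sh -p r -k honeytoken` records every read of the file, and `ausearch -k honeytoken` shows the process and user that did it. The two signals complement each other: the audit event fires the moment the file is read, the trap fires when the credentials are tried, which is the point at which the attacker has committed to lateral movement.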
6. RESOURCE USE
PROTECTION:
> OUTGOING WAF
> OUTGOING SPAM FILTER
> OUTGOING DOS MITIGATION RULES
> IP REPUTATION (LISTED C&C SERVERS)
7. EXPAND
PROTECTION:
> OUTGOING WAF
> IP REPUTATION (LISTED C&C SERVERS)
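Stages 4, 6 and 7 share one defence, watching what the server sends out, so one added example covers all three (example code, not BitNinja's): it parses an assumed flow-log format, flags connections to an assumed C&C reputation list, and runs a sliding window over each source's flows to catch the three traffic shapes of a bot: mail to many destinations (spam), one port on many hosts (expansion scanning) and a flood to one host (DoS). The thresholds and the synthetic flows are constructed for the example.

```python
"""Outbound traffic analysis for the C&C, resource-use and expand stages.
Added example for this page, not BitNinja's code. The flow format, the
reputation list, the thresholds and the sample data are all assumptions."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst dst_port proto")

# Assumed C&C reputation list; a real deployment pulls this from a feed.
CNC_BLOCKLIST = {"198.51.100.77", "203.0.113.200"}


def parse_flows(text):
    """Parse lines of '<unix_ts> <src_ip> <dst_ip> <dst_port> <proto>' (assumed
    export format); blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append(Flow(float(ts), src, dst, int(port), proto))
    return flows


def window_peak(flows, window, distinct=None):
    """Peak number of flows (or of distinct distinct(f) values) in any span of
    window seconds. Quadratic, which is fine for one host's minute of data."""
    ordered = sorted(flows, key=lambda f: f.ts)
    peak = 0
    for i, first in enumerate(ordered):
        span = [f for f in ordered[i:] if f.ts - first.ts <= window]
        n = len({distinct(f) for f in span}) if distinct else len(span)
        peak = max(peak, n)
    return peak


def analyze(flows, window=60.0, spam_dests=20, scan_hosts=30, dos_conns=200):
    """Return sorted (kind, src_ip, detail) findings over outbound flows."""
    findings = set()
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
        if f.dst in CNC_BLOCKLIST:                     # stage 4: listed C&C server
            findings.add(("c2", f.src, f"{f.dst}:{f.dst_port}"))
    for src, fl in by_src.items():
        # Stage 6, spam: one host rarely delivers mail to many MX hosts in a minute.
        n = window_peak([f for f in fl if f.dst_port == 25], window, distinct=lambda f: f.dst)
        if n >= spam_dests:
            findings.add(("spam", src, f"{n} SMTP destinations in {window:.0f}s"))
        # Stage 7, expand: the same non-mail port on many distinct hosts.
        by_port = defaultdict(list)
        for f in fl:
            if f.dst_port != 25:
                by_port[f.dst_port].append(f)
        for port, pf in by_port.items():
            n = window_peak(pf, window, distinct=lambda f: f.dst)
            if n >= scan_hosts:
                findings.add(("scan", src, f"{n} hosts on port {port}"))
        # Stage 6, DoS: a flood of connections to one destination.
        by_dst = defaultdict(list)
        for f in fl:
            by_dst[(f.dst, f.dst_port)].append(f)
        for (dst, port), df in by_dst.items():
            n = window_peak(df, window)
            if n >= dos_conns:
                findings.add(("dos", src, f"{n} connections to {dst}:{port}"))
    return sorted(findings)


def constructed_sample():
    """Synthetic flows (constructed data): a benign host, a bot talking to C&C
    and spamming, a bot sweeping for SSH, and a bot flooding one web server."""
    t = 1700000000.0
    flows = [Flow(t + i, "10.0.0.8", "93.184.216.34", 443, "tcp") for i in range(3)]
    flows.append(Flow(t + 5, "10.0.0.5", "198.51.100.77", 6667, "tcp"))
    flows += [Flow(t + i, "10.0.0.5", f"192.0.2.{i}", 25, "tcp") for i in range(1, 26)]
    flows += [Flow(t + i * 0.5, "10.0.0.6", f"10.0.{i // 256}.{i % 256}", 22, "tcp") for i in range(40)]
    flows += [Flow(t + i * 0.1, "10.0.0.7", "203.0.113.10", 80, "tcp") for i in range(250)]
    return flows


if __name__ == "__main__":
    for kind, src, detail in analyze(constructed_sample()):
        print(f"{kind:5} {src:10} {detail}")
```

The reputation check is the cheap, high-precision signal and the reason the slides list it at every outbound stage; the window counters catch bots whose C&C is not yet listed, at the price of thresholds that must be tuned per server role (a mail relay legitimately hits many MX hosts and needs a far higher spam_dests).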
HONEYNETS, HONEYFARMS
REACT
Block/Drop disadvantages:
- Can't collect further info for analysis
- Timing-based restrictions are easy for an attacker to automate around
- Lack of false positive management
IP Greylisting by BitNinja advantages:
- Distributes IP reputation info to all your servers within 2 seconds (general IP reputation lists are published every 1, 2 or 4 hours, or daily)
- Dramatically reduces false positives through the different Captcha modules
- Managed automatically
- Gains the advantage of the info from the worldwide BitNinja honeyfarm community (all users and BitNinja honeypots)