
Page 1: Honeynets Detecting Insider Threats Kirby Kuehl kkuehl@honeynet.org

Honeynets Detecting Insider Threats

Kirby Kuehl

kkuehl@honeynet.org

Page 2: Your Speaker

- Honeynet Project member since 1999. Honeynet application beta testing: Honeywall CD, Sebek LKM.
- Technical review of Know Your Enemy, 2nd Edition.
- Cisco Systems since 2000. Internal-facing information security: intrusion detection and event correlation, internal security tools development.
- Open source developer: http://winfingerprint.sourceforge.net

Page 3: Insider Definition

in·sid·er n. An accepted member of a group. One who has special knowledge of or access to confidential information.

- Network, system, and database administrators
- Employees and contractors
- Business partners

Page 4: How can being an accepted member of the group be used by an insider?

- Leverage existing credentials on valuable systems.
- Sniff clear-text protocols to obtain valid credentials.
- Use valid accounts to exploit unpatched local vulnerabilities to escalate privileges.
- System administrators can obviously access any sensitive information on the machines.
- Companies typically focus on external threats: intranet web applications and databases are less secure, and the ability to share internal data easily is often treated as more important than sharing it securely.

Page 5: How can an insider leverage existing knowledge?

- Insiders know the location of valuable resources such as financial data and employee records.
- Physical access.
- Insiders may be aware of company security weaknesses and defenses: familiar with the practices of the security team, IDS locations, log rotations, patch cycles, access control lists.
- Take advantage of unpatched remote vulnerabilities and backdoors left open by worms.

Page 6: Possible Insider Motives

- Financial gain
- Industrial espionage: intellectual property
- Sensitive customer information and sensitive employee information: identity theft
- Sabotage and disgruntlement: the employee may be quitting or know they are about to be fired; damage another employee's work.

Page 7: Should you run an Insider Honeypot?

- Consult your legal department. You need their support for prosecution and/or termination.
- Company acceptable use policy and data privacy expectations:
  - The security team has the authority to sniff traffic, image hard drives, obtain backups, read user email, etc. during an investigation.
  - What is considered abuse/misuse: outline abuse of privileges, policy against vulnerability scanning, running sniffers, sharing passwords, etc.
  - How will misuse/abuse be handled? Employee termination, legal action.

Page 8: How will Forensic Data be handled?

- The Honeynet Project is interested in learning the tools, tactics, and motives of the blackhat community and is not interested in prosecution.
- How will your company handle forensic data? Evidence may have to be presented in a court of law. Ensure evidence is not damaged, destroyed, or tainted. Preserve chain of custody.

Page 9: Defining an Internal Honeypot

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

Key honeypot components:
- Data capture: capture detailed information of host and network events.
- Data control: ability to limit inbound and outbound connections when a threshold is reached.
- Alerting: ability to inform the honeypot administrators when an event is occurring.

Page 10: Insider Honeypot Types

- Low interaction
- High interaction
- Honeynets using the Honeywall CD
- Hot zoning
- Honeytokens

Page 11: Low-Interaction Insider Honeypots

Advantages: easy to deploy, minimal risk.

Disadvantages: emulated services provide limited interaction, which makes it difficult to determine the real motives of the insider. Internal low-interaction honeypots are probably only useful for detecting worms or sweeping vulnerability scans.

Examples:
- Black hole routers advertising dark IP space (Arbor Networks whitepaper on sinkholes).
- Specter, KFSensor, Honeyd, and LaBrea.
- Commercial HIDS: Cisco Security Agent, McAfee Entercept, ISS BlackICE.

Page 12: High-Interaction Insider Honeypots

Insider honeypots should be deployed in the same IP space as real resources such as development web servers and CVS repositories.

Advantages: provide real operating systems and services, no emulation. An insider may interact with real services for a long time, capturing extensive information. Any interaction should be considered malicious; it does not have to match an attack signature from an IDS.

Disadvantages: complex to deploy (easier with the Honeywall CD), greater risk. Captures insiders less familiar with your environment.

Examples include Symantec Decoy and honeynets.

Page 13: Honeywall bootable CD-ROM

Simplifies the deployment, maintenance, and customization of a honeynet.

- Layer 2 bridging firewall (iptables) used to count and limit connections. No IP address; doesn't decrement TTL.
- Snort-inline: modified version of Snort that accepts packets from iptables instead of libpcap. It then tells iptables whether the packet should be dropped, rejected, modified, or allowed to pass, based on a Snort rule set. Also used for alerting.
- sebek_extract: server component of Sebek (kernel-module-based logger) data capture.
- http://www.honeynet.org/tools/cdrom/
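The data control and alerting components defined on page 9, and the connection counting and limiting that the Honeywall's bridging iptables firewall performs on page 13, can be modelled in a few dozen lines. The following is an added example written for this transcript; it is not code from the slides, the Honeywall CD, or the Honeynet Project, and the honeypot address, the outbound threshold (15 connections per hour), and every event replayed are constructed for illustration.

```python
"""Data control and alerting for an internal honeynet, modelled in Python.

Added example: thresholds, hosts and events are constructed for illustration
and are not taken from the slides or from the Honeywall CD.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Connection:
    """One observed connection (constructed sample record)."""
    ts: float          # seconds; the sample timestamps below are arbitrary
    src: str
    dst: str
    dport: int
    direction: str     # "inbound" (to the honeynet) or "outbound" (from it)


@dataclass
class DataControl:
    """Alert on any inbound contact with a honeypot and rate-limit outbound
    connections per honeypot in a sliding window, the way the Honeywall's
    bridging iptables firewall counts and limits connections."""
    honeypots: set
    max_outbound: int = 15        # assumed threshold, not a Honeywall default
    window: float = 3600.0        # seconds
    alerts: list = field(default_factory=list)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))

    def handle(self, c: Connection) -> str:
        """Return 'allow', 'allow+alert' or 'drop' for one connection."""
        if c.direction == "inbound" and c.dst in self.honeypots:
            # Nobody has a legitimate reason to touch the honeypot, so every
            # inbound connection is worth an alert (data capture keeps the detail).
            self.alerts.append(f"t={c.ts:.0f} inbound {c.src} -> {c.dst}:{c.dport}")
            return "allow+alert"
        if c.direction == "outbound" and c.src in self.honeypots:
            recent = self._recent[c.src]
            # Forget connections that have fallen out of the window.
            while recent and c.ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.max_outbound:
                # Threshold reached: a compromised honeypot must not become a
                # platform for reaching other internal hosts.
                self.alerts.append(
                    f"t={c.ts:.0f} outbound limit for {c.src}; dropped -> {c.dst}:{c.dport}")
                return "drop"
            recent.append(c.ts)
            return "allow"
        return "allow"      # production traffic is not subject to honeynet control


def run_sample() -> dict:
    """Replay a constructed sequence of events and summarise the verdicts."""
    dc = DataControl(honeypots={"10.0.5.20"})
    events = [Connection(1000.0, "10.0.5.77", "10.0.5.20", 22, "inbound")]
    # The honeypot then opens 17 outbound IRC connections within about 90 seconds.
    events += [Connection(1000.0 + 5 * i, "10.0.5.20", "192.0.2.9", 6667, "outbound")
               for i in range(17)]
    # A production host's outbound HTTPS is left alone.
    events.append(Connection(1200.0, "10.0.5.77", "192.0.2.9", 443, "outbound"))
    verdicts = [dc.handle(e) for e in events]
    return {
        "allow": verdicts.count("allow"),
        "allow+alert": verdicts.count("allow+alert"),
        "drop": verdicts.count("drop"),
        "alerts": list(dc.alerts),
    }


if __name__ == "__main__":
    summary = run_sample()
    print({k: v for k, v in summary.items() if k != "alerts"})
    for line in summary["alerts"]:
        print("ALERT", line)
```

Running the sample yields 16 allowed connections, one alerted inbound contact and two dropped outbound connections once the honeypot exceeds its hourly budget. The sliding window matters: connections older than the window are forgotten, so a quiet honeypot regains its allowance, while a burst is cut off without blocking the slow, low-volume interaction that reveals the insider's intent.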

Page 14: Honeywall CD / Honeynet Diagram (figure)

Page 15: Hot Zoning

Divert traffic destined for unused services on production systems to an internal honeypot.

Page 16: Honeytokens

Resources used for detecting and tracking insider interaction with legitimate resources: items that should not normally be accessed.

- Fake documents: fake source code, Microsoft Word and Excel documents.
- Bogus SSN or CC numbers.
- Emails.
- Login and password, for example test:test.
- Ability to send notification when accessed.
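The "notification when accessed" requirement for honeytokens amounts to watching ordinary logs for any reference to the planted items. The following is an added example, not code from the slides or the Honeynet Project: it plants three kinds of token (an account, two files and a bogus record), scans constructed log lines in three hypothetical log formats, and correlates hits by source host. Only the test:test credential comes from the presentation; the file paths, the SSN 000-00-1234 (area number 000 is never issued), the hostnames and the log formats are all assumptions.

```python
"""Honeytoken monitoring over application logs.

Added example, not from the slides: the planted tokens, log formats and log
lines are constructed for illustration. Only the test:test credential comes
from the presentation.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Planted items that no legitimate user should ever touch (constructed).
HONEYTOKEN_ACCOUNTS = {"test"}                       # login test, password test
HONEYTOKEN_FILES = {"/srv/finance/Q3_bonus_plan.xls",
                    "/home/cvs/secretproject/README"}
HONEYTOKEN_RECORDS = {"000-00-1234"}                 # bogus SSN (area 000 is invalid)

# Hypothetical log formats for an auth service, a file server and a database.
AUTH_RE = re.compile(r"auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)")
FILE_RE = re.compile(r"open path=(?P<path>\S+) user=(?P<user>\S+) src=(?P<src>\S+)")
DB_RE = re.compile(r'query user=(?P<user>\S+) src=(?P<src>\S+) sql="(?P<sql>[^"]*)"')


@dataclass
class Alert:
    kind: str      # honeytoken-account / honeytoken-file / honeytoken-record
    user: str
    src: str
    detail: str


def inspect(line: str) -> Optional[Alert]:
    """Return an Alert if the line shows a honeytoken being used, else None."""
    m = AUTH_RE.search(line)
    if m and m["user"] in HONEYTOKEN_ACCOUNTS:
        # Even a failed attempt means someone found the planted credential.
        return Alert("honeytoken-account", m["user"], m["src"], f"result={m['res']}")
    m = FILE_RE.search(line)
    if m and m["path"] in HONEYTOKEN_FILES:
        return Alert("honeytoken-file", m["user"], m["src"], m["path"])
    m = DB_RE.search(line)
    if m:
        hit = next((r for r in HONEYTOKEN_RECORDS if r in m["sql"]), None)
        if hit:
            return Alert("honeytoken-record", m["user"], m["src"], f"ssn={hit}")
    return None


def scan(lines: Iterable[str]) -> list:
    """Run inspect() over a log stream and keep only the hits."""
    return [a for a in map(inspect, lines) if a is not None]


def by_source(alerts: Iterable[Alert]) -> dict:
    """Correlate alerts by source address: one host touching several
    honeytokens is a stronger signal than a single access."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a.src].add(a.kind)
    return dict(grouped)


def notification(alert: Alert) -> str:
    """Text a deployment would send to the honeypot administrators."""
    return f"[HONEYTOKEN] {alert.kind} by {alert.user} from {alert.src}: {alert.detail}"


# Constructed sample log lines; only the second, fourth and fifth touch tokens.
SAMPLE_LOG = [
    "Jan 12 09:14:02 intranet auth user=alice src=10.0.4.15 result=success",
    "Jan 12 09:15:44 intranet auth user=test src=10.0.4.88 result=success",
    "Jan 12 09:16:10 fileserver open path=/srv/eng/build.log user=bob src=10.0.4.16",
    "Jan 12 09:17:31 fileserver open path=/srv/finance/Q3_bonus_plan.xls user=bob src=10.0.4.16",
    'Jan 12 09:20:05 hrdb query user=svc_report src=10.0.4.88 sql="SELECT * FROM employees WHERE ssn=\'000-00-1234\'"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(notification(a))
    print(by_source(found))
```

Because the planted account, files and record have no legitimate use, every match is actionable without any attack signature, which is the same property the slides claim for high-interaction honeypots. Correlating by source shows 10.0.4.88 using both the planted login and the bogus employee record, a pattern worth escalating ahead of a single file open.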

Page 17: Question and Answer Session

http://www.honeynet.org

Kirby Kuehl <kkuehl@honeynet.org>