the botnet expansion lifecycle
TRANSCRIPT
BITNINJA.IO
HONEYPOTS, THEY ARE NOT JUST
FOR WINNIE THE POOH ANYMORE!
George Egri
B i t N i n j a . I O
WHAT IS A HONEYPOT?
Attract, Catch, Analyze
REAL WORLD EXAMPLE
SERVER HONEYPOT DESIGNS
Low interaction: server running a fake daemon
High interaction: server running a full honeypot VM
Interaction measures the amount of activity an attacker can have with a honeypot
TYPES OF ATTACK
Automatic Manual
ATTACK CYCLE
1. SCAN
Scan for vulnerable services: direct or distributed
> DIRECT SCAN
> DISTRIBUTED SCAN
> PORT HONEYPOT
1. SCAN
PROTECTION:
> PORT HONEYPOTS
> WEB HONEYPOTS
> LOG ANALYSIS
> DISTRIBUTED LOG ANALYSIS
2. EXPLOIT
SQL injection
Code injection
Login after a successful brute force
Etc.
PROTECTION:
> WEB APPLICATION FIREWALL
> IP REPUTATION
3. INFECT
PROTECTION:
> WEB APPLICATION FIREWALL
> VIRUS/MALWARE DETECTION… BUT THE ATTACKER IS ALREADY IN!
4. REGISTER COMMAND AND CONTROL
PROTECTION:
> IP REPUTATION (LISTED C&C SERVERS)
> OUTGOING TRAFFIC ANALYSIS (LIKE WAF)
5. POST EXPLOIT HACKING
PROTECTION:
> WAF
> OUTGOING TRAFFIC ANALYSIS
> INFORMATION HONEYPOT
[Diagram: attacker -> exploited server -> firewall -> real target server]
5. INFO HONEYPOT
- Files on a server
- readable for everyone
- looks like a real mistake
- contains address and credentials for other systems
- watched for processes opening it
- honeypot trap for the actual usage of the credentials
/backup.sh
#!/bin/bash
# Decoy backup script: the address and credentials below exist only in this file,
# so any process reading it, or any login using them, is an intruder.
IP=10.3.11.74
USER=backuppc
PASSWORD=453fwTfGSDwe
# lftp takes the credentials as a single "user,password" argument
lftp -e "mirror -R /etc /backup/server/etc; exit" -u "$USER,$PASSWORD" "$IP"
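The two detection points the slide names (processes opening the decoy, and the planted credentials being used on the trap host), as an added example that is not from the slides or from BitNinja; it assumes the decoy is watched by an auditd rule with key "honeytoken" and that the trap host logs sshd and vsftpd logins in their usual formats, and it returns the source addresses so they can be fed to greylisting.

```python
import re
from typing import Iterable

# Decoy identity from the planted /backup.sh; nothing legitimate ever logs in with it.
HONEYTOKEN_USER = "backuppc"
# Assumed auditd watch on the decoy file: auditctl -w /backup.sh -p r -k honeytoken
AUDIT_KEY = "honeytoken"

# auditd SYSCALL record for a process opening the watched file (leading space keeps
# " pid=" / " uid=" from matching inside "ppid=" / "auid=")
AUDIT_RE = re.compile(r'type=SYSCALL .*? pid=(?P<pid>\d+) .*? uid=(?P<uid>\d+) .*?exe="(?P<exe>[^"]+)".*?key="(?P<key>[^"]+)"')
# sshd and vsftpd login lines on the trap host (the 10.3.11.74 the decoy points at)
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
FTP_RE = re.compile(r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"')


def detect(lines: Iterable[str]) -> list[dict]:
    """One alert per line that shows the decoy being read or its credentials being tried."""
    alerts = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and m["key"] == AUDIT_KEY:
            alerts.append({"kind": "decoy_read", "pid": int(m["pid"]), "uid": int(m["uid"]), "exe": m["exe"]})
            continue
        for regex, service in ((SSH_RE, "ssh"), (FTP_RE, "ftp")):
            m = regex.search(line)
            # Failed attempts count too: the credentials only exist in the decoy file.
            if m and m["user"] == HONEYTOKEN_USER:
                alerts.append({"kind": "credential_use", "service": service, "ip": m["ip"], "result": m["result"]})
    return alerts


def ips_to_greylist(alerts: list[dict]) -> list[str]:
    """Source addresses that used the decoy credentials, deduplicated in order of first sight."""
    return list(dict.fromkeys(a["ip"] for a in alerts if a["kind"] == "credential_use"))


# Constructed sample lines (not real captures): one read of the decoy by the web user,
# a legitimate login on the trap host, then the decoy user tried over SSH and FTP.
SAMPLE_LOGS = [
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 '
    'ppid=1 pid=4321 auid=4294967295 uid=33 gid=33 exe="/usr/bin/cat" key="honeytoken"',
    "Nov 14 12:00:01 trap sshd[2001]: Accepted publickey for root from 10.3.11.2 port 51000 ssh2",
    "Nov 14 12:00:05 trap sshd[2002]: Failed password for backuppc from 198.51.100.23 port 40022 ssh2",
    'Tue Nov 14 12:00:09 2023 [pid 2003] [backuppc] OK LOGIN: Client "198.51.100.23"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("greylist candidates:", ips_to_greylist(found))
```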
6. RESOURCE USE
PROTECTION:
> OUTGOING WAF
> OUTGOING SPAM FILTER
> OUTGOING DOS MITIGATION RULES
> IP REPUTATION (LISTED C&C SERVERS)
7. EXPAND
PROTECTION:
> OUTGOING WAF
> IP REPUTATION (LISTED C&C SERVERS)
HONEYNETS, HONEYFARMS
REACT
Block/Drop disadvantages:
- Can't collect further info for analysis
- Timing-based restrictions are easy to work around with automation
- Lack of false positive management
IP Greylisting by BitNinja advantages:
- Distributes IP reputation info to all your servers within 2 seconds (general IP reputation services use 1, 2, 4 hour or daily lists)
- Dramatically reduces false positives through different Captcha modules
- Managed automatically
- Benefits from the information gathered by the worldwide BitNinja honeyfarm community (all users and BitNinja honeypots)