the botnet expansion lifecycle

BITNINJA.IO

HONEYPOTS, THEY ARE NOT JUST

FOR WINNIE THE POOH ANYMORE!

George Egri

B i t N i n j a . I O

WHAT IS A HONEYPOT?

Attract CatchAnalyze


REAL WORLD EXAMPLE


SERVER HONEYPOT DESIGNS

Low interaction High interaction

Server

FAKE DAEMON

Interaction measures the amount of activity an attacker can have with a honeypot

HONEYPOT VM

Server


TYPES OF ATTACK

Automatic Manual


ATTACK CYCLE


1. SCAN

1. Scan for vulnerable services

DIRECT DISTRIBUTED


> DIRECT SCAN


> DISTRIBUTED SCAN


> PORT HONEYPOT


1. SCAN

PROTECTION:

> PORT HONEYPOTS

> WEB HONEYPOTS

> LOG ANALYSIS

> DISTRIBUTED LOG ANALYSIS


2. EXPLOIT

SQL injection

Code injection

Login after successful bruteforce

Etc.

PROTECTION:

> WEB APPLICATION FIREWALL

> IP REPUTATION


3. INFECT

PROTECTION:

> WEB APPLICATION FIREWALL

> VIRUS/MALWARE DETECTION… BUT

THE ATTACKER IS ALREADY IN!


4. REGISTER COMMAND AND CONTROL

PROTECTION:

> IP REPUTATION (LISTED C&C SERVERS)

> OUTGOING TRAFFIC ANALYSIS (LIKE WAF)


4. REGISTER COMMAND AND CONTROL


5. POST EXPLOIT HACKING

PROTECTION:

> WAF

> OUTGOING TRAFFIC ANALYSIS

> INFORMATION HONEYPOT

ATTACKEREXPLOITED

SERVER

FIRE

WAL

L

REAL TARGETSERVER


5. INFO HONEYPOT

Files on a server

readable for everyone

looks like a real mistake

contains address and credentials for other systems

watched for processes opening it

honeypot trap for the actual usage of the credentials

/backup.sh

#!/bin/bash

IP = 10.3.11.74

USER = backuppc

PASSWORD = 453fwTfGSDwe

lftp -e "mirror -R /etc /backup/server/etc; exit" -u $USER, $PASSWORD $IP


6. RESOURCE USE


6. RESOURCE USE

PROTECTION:

> OUTGOING WAF

> OUTGOING SPAM FILTER

> OUTGOING DOS MITIGATION RULES



7. EXPAND


7. EXPAND

PROTECTION:

> OUTGOING WAF



HONEYNETS, HONEYFARMS


REACT

Block/Drop disadvantages:

- Can’t collect further info for analysis

- Timing based restriction is easy to automate

- Lack of false positive management

IP Greylisting by BitNinja advantages:

- Distribute IP reputation info to all your servers within

2 seconds (general IP reputation use 1,2,4 hour or daily

lists)

- Dramatically reduce false positives by different Captcha

modules

- Managed automatically

- Gain advantages of the infos of the worldwide bitninja

honeyfarm community (all users and bn honeypots)

Q & A

BITNINJA.IOGeorge Egri

[email protected]

+1 805-628-4196

/zsoltegri

/bitninjaio

the botnet expansion lifecycle

Software