Embed Size (px)
Citation preview
Using Honeypots for Network SecurityMonitoring
Chris SandersBsides Augusta 2016
Chris Sanders (@chrissanders88)
Find Evil @ FireEye Founder @ Rural Tech
Fund PhD Researcher GSE # 64 BBQ Pit Master Author:
Practical Packet Analysis Applied NSM
Agenda Security Economics Traditional Honeypots NSM Honeypots Honeypot Applications
“Why honeypots are a cost effective strategy for enhancing your network security monitoring strategy.”
Security Economics
Economics of Security“If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics.” - Taufiq Rashid
High Demand
for Security Expertise
Low Supply of Security
Practitioners
Expertise
Services
Software
It’s not enough for security to be good, it has to be affordable to purchase, operate, and maintain.
Cost Effective NSM
COST
EFFECTIVENESS
Analytics/ML
AntivirusNGFW
SIEM
EndpointIDS/IPS
Honeypots
Where do most security solutions rank in terms of cost effectiveness?
History of Honeypots
Seminal Work Large Orgs and Defense Many Academic Papers The Honeynet Project Honeyd Software
Traditional Honeypots Designed to be
attacked Intentionally vulnerable Primarily used for
specific research Originally useful for
learning about attackers
Useful for tracking scanning and proliferation of worms
Honeypot Architecture
Hold Your Horses!1. Honeypots take a lot
of time to maintain.2. Honeypots introduce
tremendous risk.3. Attackers can use
honeypots as a foothold.
4. Honeypots are only for the most mature organizations.
Honeypots for NSM
NSM Honeypots Premise:
Nobody should ever talk to a honeypot
Attributes:1. Placed inside the
network2. Mimic existing systems3. Low interaction4. Extensive logging and
alerting5. Goal oriented
Your honeypot strategy should be an integrated component of your NSM strategy.
Integrating NSM Honeypots
NSM Strate
gy
Honeypots
Integrating NSM Honeypots
Honeypots
NSM Strategy
Honeypot Applications
Goal-Oriented Deception
Mimic Reality Capture Interaction
Generate an Alert
Systems
UsersData
Protect the Systems
Mimic Reality Capture Interaction
Generate an Alert
Protect: Windows Systems using RDP1. Deploy an RDP Honeypot [Tom’s,
OpenCanary]2. Capture any connection attempt3. Generate an alert to your SIEM/SOC
Protect the Data
Mimic Reality Capture Interaction
Generate an Alert
Protect: HR data in spreadsheets1. Deploy a HoneyDoc2. Embed web bug that phones home3. Configure OS file access monitoring 4. Generate an alerts when doc phones
home, or when file is accessed.
Protect the Users
Mimic Reality Capture Interaction
Generate an Alert
Protect: Service account credentials1. Create limited access honeyusers
[DCEPT]2. Detect cleartext credentials in memory3. Generate an alert to your SIEM/SOC
Call to Action
Your NSM strategy is incomplete if you aren’t leveraging honeypot infrastructure for detection.
The Challenge Analysts…
...start looking for implementation opportunities.
Managers… ...ensure this technique is part of your
analysts toolbelt. Vendors…
...develop affordable honeypot-based solutions.
Open Source Contributors… ...drive innovation in this space.
Recommended Honeypot Software
HoneypotsOpenCanaryTom’s HoneypotCowrie (SSH)RDPY (RDP)CanaryTokens.org
Management
AnsibleDockerChef
AlertingSnortSuricataBroSIEM
Other Honeypot SoftwareConpotDioneaeEnsnareESPotGaspotGlastopfGridpotHoneydHoneyntpHoneyPotter
HoneyPressHoneyprintHoneyPyKippoNodepotNoSQLpotShadow DaemonTelnetHoneyThugWordpot
https://github.com/paralax/awesome-honeypots
