
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creekmore

Page 1: Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creekmore

Finding the Sweet Spot: Counter Honeypot Operations (CHOps)

Intro

Jon Creekmore, Independent Security Researcher
www.LinkedIn.com/in/MrCreekmore
Executive Director – Cyber Discovery Group: www.DiscoverCyber.org
Vice President – Augusta Locksports: www.AugustaLocksports.org

def Jon()
• Recent vet from the DOD and CYBERCOM…
• Bunch o’ certs…
• CSRA Chapter President - ISC2
• Loves to help people, a lot…
• Lifelong learner and PhD candidate from a Cyber Center of Excellence…
• Still no idea of what to do with NOPS...

Agenda
• CHOps Overview
• Why CHOps?
• Honeypots
• The Defenders
• Detection
• Collection
• Active Defense
• Counter-Intel
• Deception Methodology
• ROE
• Init RedTeam()
• Evaluating Success
• Owning the Chain
• Counter-Deception
• Import CHOps.win
• Summary
• Questions

CHOps Overview
• Counter Honeypot Operations (CHOps) Framework
• Designed to be a community-driven, open-source methodology framework that establishes the best techniques for engaging and defeating honeypots
• Also backs the push for a common methodology in deception as a domain of security

Why CHOps
• As deterrence strategies evolve, so will the need to overcome the deception controls
• CHOps is focused on being useful to red team personnel, penetration testers, auditing teams, and other lawful parties
• Counter-deception skills are being developed rapidly by the real bad guys; white hats need to come together and share what they know about these skills in order to out-pace the threat

Honeypots
• Deception devices used to help prevent, deter, detect, or mitigate adverse effects to a system or environment
• Commonly designed to look like real systems and services in order to fool attackers
• A great source of both technical protection and intelligence for security personnel

Honeypots
• Commonly come in four categories:
• No Interaction: simulates an open port, but not much more
• Low Interaction: a port with some level of working service
• Mid Interaction: port, service, and at least a reasonable level of function
• High Interaction: a fully working platform which can be compromised and can operate with complex actions

The Defenders
• Security personnel who deploy and use honeypots
• They have the “high ground”
• Well versed in the environment, and their intent is pre-identified
• Anticipating attacks

The Defenders
• Assume they control you
• Deployment flaws
• Downstream liability: the deployer's exposure if a compromised pot is used as a springboard against third parties
• Likelihood of Harm × Gravity of Result / Burden to Avoid (the negligence calculus: the duty to avoid a harm grows as its likelihood and gravity outweigh the burden of preventing it)

The Defenders
• Some common pots:
• Honeyd
• Kippo
• CyberCop Sting
• ManTrap
• Deception Toolkit
• Tripwire
• BearTrap
• Nova
• Artillery
• Conpot
• Dionaea
• Glastopf
• KFSensor

The Defenders
• What a good pot must have…
• Emulated Service
• Full Service
• Logical Service Patterns
• Working Known Exploits
• Zero-Day Exploitable

Detection
• Some honeypots are deployed purely for detection: to know when harm is near
• Most commonly no, low, and mid interaction
• Set up with common services in order to look real
• Connected to a back-end SIEM, NetMon, and more so that they can alert, or at least record, when interaction has occurred
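As an added example (not code from the talk), here is a minimal detection-tier honeypot covering the two lowest categories from the slides above: a "no interaction" listener that only accepts the connection, and a "low interaction" listener that returns a plausible banner and keeps the client's first request. Every contact is emitted as one JSON line, which is the shape a SIEM or NetMon pipeline would consume. The ports, banners, sensor name and field names are this example's own assumptions.

```python
"""Minimal detection-tier honeypot: accept, record, alert.

Added example, not code from the talk.  It covers the "no interaction"
and "low interaction" tiers: the first only accepts and closes, the second
returns a banner and keeps the client's first request.  Every contact
becomes one JSON line for a SIEM or NetMon pipeline.  Ports, banners,
sensor name and field names are this example's own assumptions.
"""
import json
import socket
import threading
import time

# Assumed port -> banner map.  None means "no interaction": accept, log, close.
BANNERS = {
    2121: b"220 (vsFTPd 3.0.3)\r\n",   # low interaction: FTP greeting
    2222: b"SSH-2.0-OpenSSH_7.4\r\n",  # low interaction: SSH identification
    2323: None,                         # no interaction: bare open port
}


def build_event(peer, port, banner, first_bytes, ts=None):
    """Normalise one contact into the record shipped to the SIEM."""
    return {
        "ts": time.time() if ts is None else ts,
        "sensor": "chops-demo",                     # assumed sensor name
        "tier": "none" if banner is None else "low",
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        # Attacker-controlled bytes are escaped before they reach any log
        # viewer; nothing here is ever passed to a shell.
        "client_data": first_bytes.decode("utf-8", "backslashreplace"),
        "alert": True,      # any touch of a decoy is worth an alert
    }


def handle(conn, peer, port, sink):
    """Serve one connection according to the port's tier, then emit the event."""
    banner = BANNERS[port]
    first = b""
    try:
        conn.settimeout(5)
        if banner is not None:
            conn.sendall(banner)
            try:
                first = conn.recv(512)
            except socket.timeout:
                pass
    except OSError:
        pass            # client reset or similar: still worth recording
    finally:
        conn.close()
    sink(json.dumps(build_event(peer, port, banner, first)))


def listen(port, sink, bind="127.0.0.1"):
    """Accept loop for one decoy port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle, args=(conn, peer, port, sink), daemon=True).start()


if __name__ == "__main__":
    # print stands in for a syslog/HTTP forwarder to the SIEM.
    for p in BANNERS:
        threading.Thread(target=listen, args=(p, print), daemon=True).start()
    threading.Event().wait()
```

The event carries the attacker's input only after escaping, because a detection pot's logs are read by people and by dashboards, and a crafted request is the cheapest way for an attacker to attack the log pipeline rather than the pot (a point the deck returns to under Counter-Deception).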

Collection
• These honeypots are often mid and high interaction
• Can collect behaviors, inputs, activities, intent, and much more about an attacker
• Used to support intelligence operations
• Can help in developing advanced protection controls and in attribution

Active Defense
• The practice of developing response actions against an attacker in order to protect the assets and to acquire evidence
• At times very ethically concerning, because of the rights involved
• Can also lead to excessive compromise and collateral damage
• Requires a great amount of skill and resources to deploy effectively

Counter-Intel
• The art of controlling, manipulating, and presenting information in order to mislead an adversary or feed it false information
• Used in an advanced strategy to provide an additional layer of protection to the mission
• Requires constant evolution and refinement to work best and with confidence

Deception Methodology
First, the kill chain (the Lockheed Martin cyber kill chain)…
• Recon
• Weaponization
• Delivery
• Exploitation
• Installation
• Command and Control (C2)
• Actions on Objectives

Deception Methodology
First, the kill chain…
• Delivery and Exploitation are the stages where honeypots are most utilized
• Knowing this framework gives the defense an advantage in anticipating the actions of attackers

Deception Methodology
What they believe:
• Attacker has the advantage
• Attacker has flexibility, is agile
• Need to focus on the attacker, not the attack
• We know where the attacker can be
• Honeypots are not just tech, but a methodology
• Dynamic Defense is maneuverable
• Deception Oriented Architecture is key

Deception Methodology
How they perceive attacker methods: the OODA loop (Observe, Orient, Decide, Act)

Deception Methodology
Some of what they will be doing:
• Attractive Naming
• Inaccessibility on the LAN
• Stealthy Layered Logging
• Cryptic Logging
• Network Sniffing
• Baselining
• It is economic!

Rules of Engagement
• DEFENDERS NORMALLY HAVE SOME KIND OF ROE
• Knowing this can greatly aid counter-deception efforts and CHOps
• Many organizations follow ROE guidance from laws, regulations, policies, etc.

Init RedTeam()
• The Red Team is an authorized, ethical, and legal party providing offensive security services to help improve security operations
• There are a great many healthy offsec skills, tools, services, and more out there today
• Access to effective counter-deception solutions is limited, and they are often expensive to develop

Evaluating Success
• As a framework, there need to be clear milestones for success and evaluation
• It is okay to assume that some degree of compromise of the red team will occur
• The end goal of a counter-deception campaign is to prove that there is room to conduct deception efforts more effectively, in this case… Honeypot Operations ;-)

Owning the Chain
• Breaking it down a bit more, CHOps can also use the kill chain to develop, supervise, and evaluate, which is pretty neat!
• Developing great honeypots is an art, and so is overcoming them. It is not all technical flaws in the solutions; think about the behavior of the people
• Defense knows prevention is ideal, but today detection is a must. Get in and leave with more than they realize you came for…

Owning the Chain
• Understanding the deception chain is key to developing effective counter-deception strategies and to building out the CHOps Framework
• Gadi Evron demonstrated this very well at Honeynet2014 and framed the metrics and factors surrounding attacks in an environment
• Similar to the OSI model, but focused on the next layer of security: deception

Owning the Chain
• Deception Chain OSI (Evron, 2014)
• Columns (attack stages): Penetration, Lateral Movement, Command and Control, Actions on Objective, Data Exfiltration, Covering Tracks
• Rows (layers, top to bottom): Intelligence, Data, Application, Host, Domain, Network, Physical

Brute Force on FTP
• Deception Chain OSI (Evron, 2014), with the layers touched by the scenario marked (x = touched, ? = uncertain)
• Columns (attack stages): Penetration, Lateral Movement, Command and Control, Actions on Objective, Data Exfiltration, Covering Tracks
• Rows (layers) and the marks each carries; the columns the marks fall under are not recoverable from this copy:
• Intelligence: none
• Data: none
• Application: x x x
• Host: x x x
• Domain: ? ?
• Network: x x
• Physical: none

Owning the Chain
• Scenario Example:
• A pen tester has discovered an FTP server in the environment.
• He has decided to run a brute-force tool in an attempt to penetrate the service and the host.
• After success, he enumerates a list of files, retrieves two of them, and uploads one file named evil.php for later testing through the web app service on the box

Counter-Deception
• Defense assumes that attackers have modeled behavior patterns which provide precursors to their intentions and courses of action in the network. Let them think they are right
• Like attackers, defenders also have a great many known, common modeled behaviors. We know they are logging, watching, manipulating; the key is simply cost-effectiveness
• Target their Total Cost of Ownership (TCO) and work just over it, or look at where the “tipping point” in their procedures might be…

Counter-Deception
• Now let’s look at the scenario from the CHOps point-of-view…
• The attacker did brute force the FTP service
• He knew this was going to be logged, and that there are often log-file-based local attacks, so he crafted a word list for his tool which also creates suspicious, payload-like log entries as a deception for the defenders, redirecting attention away from the evil.php
• Or, he knew defenders often use the words tried as passwords in brute-force attempts to build their own defensive word lists, so the attacker used specially encoded passwords which some tools have trouble parsing
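Both tricks above turn on how the defender's tooling parses brute-force traffic out of the logs. The following added example (not the author's code, and not a description of any specific product) shows the parsing side on constructed vsftpd-style login lines: a naive pattern lets a crafted username plant a fake successful login from a different address and silently drops a payload-like entry, while an anchored pattern recovers the real record, and a filter keeps payload-like strings out of the wordlist harvested from failed logins. The log lines, the two attacker-planted usernames, and the regexes are all constructed for the demo.

```python
"""Parsing brute-force login logs that the attacker may have poisoned.

Added example; not the author's code.  The format imitates vsftpd's
'[user] FAIL/OK LOGIN: Client "ip"' lines.  Every line is constructed,
including the two usernames planted by the attacker (lines 3 and 4).
"""
import re

LOG = """\
Tue Mar 14 10:01:02 2017 [pid 2123] [bob] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 14 10:01:03 2017 [pid 2123] [anonymous] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 14 10:01:04 2017 [pid 2123] [] OK LOGIN: Client "198.51.100.9"] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 14 10:01:05 2017 [pid 2123] [<?php system($_GET['c']); ?>] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 14 10:01:06 2017 [pid 2123] [ftpuser] OK LOGIN: Client "203.0.113.7"
"""

# Naive: the username is "whatever sits between the first [ ] after the pid".
# A username containing "] " ends the capture early and hands the rest of
# the line to the attacker, who writes a fake OK LOGIN from another IP.
NAIVE = re.compile(r'\[pid \d+\] \[([^\]]*)\] (\w+) LOGIN: Client "([^"]+)"')

# Anchored: pin both ends of the line, so the greedy (.*) can only be the
# username and the trailing Client "<ip>" must be the real end of the line.
STRICT = re.compile(
    r'^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} \[pid \d+\] \[(.*)\] '
    r'(FAIL|OK) LOGIN: Client "(\d{1,3}(?:\.\d{1,3}){3})"$'
)


def parse(line, pattern):
    """One record {user, result, ip} or None if the pattern does not match."""
    m = pattern.search(line)
    if not m:
        return None
    user, result, ip = m.groups()
    return {"user": user, "result": result, "ip": ip}


def successes_by_ip(log, pattern):
    """The defender's first question: which client ever got an OK LOGIN?"""
    out = {}
    for line in log.splitlines():
        rec = parse(line, pattern)
        if rec and rec["result"] == "OK":
            out.setdefault(rec["ip"], set()).add(rec["user"])
    return out


def harvested_usernames(log, pattern, max_len=32):
    """Wordlist built from failed logins, discarding entries that look like
    payloads rather than credentials (length cap, printable, no whitespace,
    no shell/PHP metacharacters)."""
    bad = re.compile(r"[\s<>;|$`\"]")
    words = set()
    for line in log.splitlines():
        rec = parse(line, pattern)
        if rec and rec["result"] == "FAIL":
            u = rec["user"]
            if 0 < len(u) <= max_len and u.isprintable() and not bad.search(u):
                words.add(u)
    return sorted(words)


if __name__ == "__main__":
    print("naive  :", successes_by_ip(LOG, NAIVE))
    print("strict :", successes_by_ip(LOG, STRICT))
    print("words  :", harvested_usernames(LOG, STRICT))
```

Run against the sample, the naive parser reports a successful login from 198.51.100.9 that never happened and loses the PHP-looking line entirely, which is exactly the misdirection the slide describes; the anchored parser keeps the third line as a failed attempt with a strange username, and the filter keeps both planted strings out of the defender's wordlist.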

Import CHOps.WIN
• At its core, CHOps is (as of the current version) a framework that guides offsec professionals, step by step and piece by piece, toward a better ROI when engaging with honeypots
• It is essentially designed to be a decision model, but will also extend to be a multi-faceted tool to help build intel on defensive deception capabilities

Import CHOps.WIN
We have some things we know:

Detect – Deny – Disrupt – Degrade – Destroy (JP 3-13, Joint Doctrine for Information Ops)

These are the objectives of the defense.

By using our own intel and recon we can predict, and possibly even defeat, the defense.

Import CHOps.WIN
Start here…
• Detect: single to few ports, connection based, easy access
• Deny: excessive ports, no banners, RST packets
• Disrupt: broken file transfers, locked-down files, restricted commands
• Degrade: false banners, erroneous error codes, broken configs
• Destroy: IP bans, file encryption, account revocation

Import CHOps.WIN
Once the deception objectives are determined, we can develop an effective counter-deception…

Scenario: A pen tester has been contracted by a company to black-box test its main office. After a little OSINT, the attacker knows the company has DNS records pointing to some web servers. She sees that there are two web servers for the company and scans both. After several route scans, she notices that one web server has not returned the same routing scheme once: the last few hops keep rotating through similar IP addresses, but the last address is always the same…

Import CHOps.WIN
Some possible options…
1. The defense has set up a honeypot that switches routing schemes based on certain scan attempts, and is attempting to degrade the reliability of the intel gathered from the honeypot web server
2. The defense has set up a honeypot routing device which load-balances certain traffic based on indicators, sending possibly malicious traffic through an appliance
3. 3.14159265359… possibilities, but that’s the point ;-)
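Added example, not from the talk: one way to make the tester's observation in the scenario measurable rather than a hunch, by parsing several traceroute runs per target and reporting which hops change while the final hop stays put. The traceroute text, hostnames and addresses below are constructed for the demo (documentation ranges only).

```python
"""Compare repeated traceroute runs and flag rotating interior hops.

Added example, not code from the talk.  Input is the text traceroute
prints on Linux ("N  host (ip)  t ms ..." or "N  ip  t ms" or "N  * * *").
All runs below are constructed for the demo.
"""
import re

HOP = re.compile(
    r"^\s*(\d+)\s+(\*|\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+ \((\d{1,3}(?:\.\d{1,3}){3})\))"
)


def parse_traceroute(text):
    """Return {hop_number: address or None (timeout)} for one run."""
    hops = {}
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue                      # header line or noise
        n, token, paren_ip = int(m.group(1)), m.group(2), m.group(3)
        hops[n] = None if token == "*" else (paren_ip or token)
    return hops


def path_profile(runs):
    """Summarise several runs to the same target.

    per_hop:       hop number -> set of addresses seen there (None = timeout)
    finals:        set of last-hop addresses across runs
    unstable_hops: hop numbers that answered from more than one address
    """
    parsed = [parse_traceroute(r) for r in runs]
    per_hop = {}
    for run in parsed:
        for n, addr in run.items():
            per_hop.setdefault(n, set()).add(addr)
    finals = {run[max(run)] for run in parsed if run}
    unstable = sorted(n for n, s in per_hop.items() if len(s - {None}) > 1)
    return {"per_hop": per_hop, "finals": finals, "unstable_hops": unstable,
            "lengths": sorted({len(r) for r in parsed})}


def looks_like_decoy_path(profile):
    """The scenario's tell: interior hops rotate while the last hop is constant."""
    return len(profile["finals"]) == 1 and bool(profile["unstable_hops"])


# Constructed runs.  www1 answers over the same path every time.
WEB1_RUNS = [
    "traceroute to www1.example (203.0.113.10), 30 hops max\n"
    " 1  gw.example.net (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms\n"
    " 2  198.51.100.1  1.2 ms  1.1 ms  1.2 ms\n"
    " 3  198.51.100.9  2.0 ms  2.1 ms  2.0 ms\n"
    " 4  203.0.113.10  3.1 ms  3.0 ms  3.1 ms\n"
] * 3

# www2's third hop rotates through neighbouring addresses; the end is fixed.
WEB2_RUNS = [
    ("traceroute to www2.example (203.0.113.20), 30 hops max\n"
     " 1  gw.example.net (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms\n"
     " 2  198.51.100.1  1.2 ms  1.1 ms  1.2 ms\n"
     f" 3  {mid}  2.0 ms  2.1 ms  2.0 ms\n"
     " 4  * * *\n"
     " 5  203.0.113.20  3.1 ms  3.0 ms  3.1 ms\n")
    for mid in ("198.51.100.21", "198.51.100.22", "198.51.100.23")
]

if __name__ == "__main__":
    for name, runs in (("www1", WEB1_RUNS), ("www2", WEB2_RUNS)):
        p = path_profile(runs)
        print(name, "unstable hops:", p["unstable_hops"], "decoy-like:", looks_like_decoy_path(p))
```

A rotating hop on its own is only a lead, not proof: ECMP, load balancers and CDN front ends produce the same pattern on perfectly honest servers, which is the slide's point about the number of possibilities. The value of the profile is that it tells the tester which target deserves the next probe.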

Import CHOps.WIN
Some CHOps Techniques
• Default Response Identification
• Application Error Handling
• OS Fingerprinting
• TCP Sequence Analysis (see also Red Pill)
• ARP Addresses
• Much more…
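The first two techniques in that list, and the Disrupt/Degrade tells from the "Start here…" slide (restricted commands, erroneous error codes), come down to the same check: does the service answer the way the real daemon would, including when it is handed nonsense? The following added example (not the author's code) scripts that check against an FTP service. Expected reply codes come from RFC 959; the two fake servers at the bottom are constructed for the demo and stand in for a conforming daemon and for a canned low-interaction pot. Any live target must be one you are authorized to test.

```python
"""Default-response and error-handling checks against an FTP service.

Added example, not code from the talk.  A short command script is sent
and each reply code is compared with what RFC 959 allows for that command
in that state; a reply outside the set, no parseable reply at all, or one
code for every input is recorded as a finding.  The two fake servers are
constructed for the demo.
"""
import re
import socket

REPLY = re.compile(rb"^(\d{3})[ -]")

# Command -> reply codes a conforming server may give at that point.
# Sets, not single values: real servers legitimately differ here.
EXPECTED = [
    (b"NOOP",               {200}),
    (b"XYZZ",               {500, 502}),              # unknown verb
    (b"PASS nouser",        {503, 530}),              # PASS before USER: bad sequence
    (b"USER probe",         {331, 230}),
    (b"PASS wrongpw",       {530}),                   # wrong password must fail
    (b"USER " + b"A" * 600, {331, 230, 500, 501, 530}),  # oversize argument
    (b"SYST",               {215, 530}),              # some daemons refuse it pre-login
    (b"QUIT",               {221}),
]


def reply_code(raw):
    """Three-digit reply code of a reply line, or None if there is none."""
    m = REPLY.match(raw or b"")
    return int(m.group(1)) if m else None


def probe(transport):
    """Run the script; return findings as (command, observed, reason)."""
    findings, codes = [], []
    g = reply_code(transport.greeting())
    codes.append(g)
    if g != 220:
        findings.append((b"<greeting>", g, "greeting is not 220"))
    for cmd, ok in EXPECTED:
        raw = transport.exchange(cmd + b"\r\n")
        code = reply_code(raw)
        codes.append(code)
        if code is None:
            findings.append((cmd[:12], raw, "no RFC 959 reply line (crash or canned text)"))
        elif code not in ok:
            findings.append((cmd[:12], code, "reply code not plausible for this command"))
    if len(set(codes) - {None}) <= 1:
        findings.append((b"<all>", codes[0], "identical reply code for every input"))
    return findings


class SocketTransport:
    """Live target: one TCP session, one reply line read per command."""
    def __init__(self, host, port=21, timeout=5):
        self.s = socket.create_connection((host, port), timeout)
        self.f = self.s.makefile("rb")
    def greeting(self):
        return self.f.readline()
    def exchange(self, cmd):
        self.s.sendall(cmd)
        return self.f.readline()


class FakeFtp:
    """Constructed stand-in: verb -> reply, or verb -> [reply, reply, ...] in order."""
    def __init__(self, banner, table, default):
        self.banner, self.default = banner, default
        self.table = {k: (list(v) if isinstance(v, list) else v) for k, v in table.items()}
    def greeting(self):
        return self.banner
    def exchange(self, cmd):
        r = self.table.get(cmd.split(b" ", 1)[0].strip(), self.default)
        if isinstance(r, list):
            r = r.pop(0) if len(r) > 1 else r[0]
        return r


def real_like():
    """Constructed: answers the way a conforming daemon does."""
    return FakeFtp(b"220 (vsFTPd 3.0.3)\r\n", {
        b"NOOP": b"200 NOOP ok.\r\n",
        b"XYZZ": b"500 Unknown command.\r\n",
        b"PASS": [b"503 Login with USER first.\r\n", b"530 Login incorrect.\r\n"],
        b"USER": b"331 Please specify the password.\r\n",
        b"SYST": b"530 Please login with USER and PASS.\r\n",
        b"QUIT": b"221 Goodbye.\r\n",
    }, default=b"500 Unknown command.\r\n")


def canned_pot():
    """Constructed: a low-interaction decoy that says yes to almost everything."""
    return FakeFtp(b"220 FTP server ready\r\n", {
        b"USER": b"331 Password required\r\n",
        b"PASS": b"230 Login successful\r\n",
        b"QUIT": b"221 Bye\r\n",
    }, default=b"230 OK\r\n")


if __name__ == "__main__":
    for name, t in (("real-like", real_like()), ("canned pot", canned_pot())):
        print(name, probe(t) or "no anomalies")
```

Against the canned pot the script produces five findings, the most telling being 230 for a wrong password and 230 for an unknown verb; against the conforming server it produces none. The findings feed the decision model directly: a pot that accepts any password is serving Detect or Collect, one that returns wrong error codes is serving Degrade, and restricted commands point to Disrupt.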

Summary
• CHOps is still in early development
• There is a need to come together and share not only data on honeypot engagements, but also to develop metrics that help effectively identify, detect, assess, and overcome honeypot technologies, in order to deliver better offsec services
• Many professionals keep their effective counter-deception techniques and strategies to themselves, but through information sharing the good guys can make leaps ahead of the bad guys and grow the field

References
• Evron, G. (2014). #Honeynet2014 - Gadi Evron - Cyber Counter Intelligence: An attacker-based approach.
• Martin, W. (2001, May 25). Honey Pots and Honey Nets - Security Through Deception.
• Meer, H., & Slaviero, M. (2015). Bring Back the Honeypots. Retrieved from https://www.youtube.com/watch?v=W7U2u-qLAB8
• Rowe, N. C., Custy, E. J., & Duong, B. T. (2007). Defending Cyberspace with Fake Honeypots. JCP, 2(2). doi:10.4304/jcp.2.2.25-36
• Sochor, T. (2016). Low-Interaction Honeypots and High-Interaction Honeypots. Internet Threat Detection Using Honeypots, 1172-2183. doi:10.4018/978-1-4666-9597-9.les2
• Spitzner, L. (2003, December). Honeypots: Catching the Insider Threat.
• Sysman, D., Evron, G., & Sher, I. (2015). Breaking Honeypots For Fun And Profit.

Additional Resources
• The Honeynet Project: www.honeynet.org
• Honeypot Hunter: http://www.send-safe.com/honeypot-hunter.html
• And of course, the Honeyhuman… Brian Krebs:

Questions?