Honeypots - Diversion, Distraction, Deception PDF
Brian O’Neill
Product Management
Rapid7
© 2017 ISACA. All Rights Reserved
AGENDA
1. Honeypots, briefly.
3. Types of honeypots.
4. Honeypot examples.
6. Wrap up.
Passive Defense
• Divert
• Distract
• Delay

Active Defense
• Alert
• Gather Intel
Passive Defense
To Divert
Turn your adversary’s attention away from critical components.
Passive Defense
To Distract
Focus attention on your chosen deployments.
Passive Defense
To Delay
Slow attackers down.
Passive Defense
Waste Time
Wasting time is wasting money.
• Technical talent is expensive
Passive Defense
Annoy
Make your deployment less attractive and more of a pain to investigate.

Active Defense
Gather Intel
• Attacker Profiles
• Attack Methods
• Targeted Assets
Active Defense
The “Cyber Kill Chain”

Active Defense
• Delay
• Distract
• Detect
• Alert
• Gather Intel NOPE!
Production vs. Research

Production
Levels of Interaction
• Pure: mimic a full system
• High: capture malware
• Mid
• No (Low): listen only
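The lowest level of interaction above is “listen only”: the sensor accepts a connection, records whatever the client sends first, and never answers, so there is no emulated service for the visitor to fingerprint and nothing for them to interact with. The following Python sketch is an added example written for this page, not code from the talk, Rapid7, or any of the projects listed below; the probe labels, the record fields and the sample probes in the demo are my own constructions.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

PROBE_BYTES = 1024  # read at most this much from each connection, then close it


def classify_probe(data: bytes) -> str:
    """Best-effort label for the first bytes a client sent (labels are our own, not a standard)."""
    if not data:
        return "connect-only"        # port scan: connected, sent nothing, left
    if data.startswith(b"SSH-"):
        return "ssh-client-banner"   # e.g. SSH-2.0-OpenSSH_8.9 from an SSH brute-forcer
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http-request"
    return "unknown"


def make_record(peer, local_port, data, now=None):
    """Build the JSON-serialisable event that would be forwarded to log management / SIEM."""
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(data),
        "probe_type": classify_probe(data),
        "preview": data[:64].decode("ascii", "replace"),  # bounded, printable; never replayed anywhere
    }


class ListenOnlyHoneypot:
    """Accepts connections, records what arrives, and never sends a byte back."""

    def __init__(self, host="127.0.0.1", port=0, read_timeout=1.0):
        self.host, self.port, self.read_timeout = host, port, read_timeout
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        """Bind and start the accept loop in the background; returns the bound port (0 picks a free one)."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(8)
        self._sock.settimeout(0.2)   # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break                # socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        data = b""
        try:
            conn.settimeout(self.read_timeout)
            data = conn.recv(PROBE_BYTES)   # one read: we never answer, so a client rarely sends more
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()                    # no banner, no reply: nothing for the client to fingerprint
        record = make_record(peer, self.port, data)
        with self._lock:
            self.records.append(record)
        print(json.dumps(record))           # stand-in for shipping the event to the SIEM

    def stop(self):
        self._stop.set()
        if self._sock:
            self._sock.close()
        if self._thread:
            self._thread.join(timeout=2)

    def snapshot(self):
        with self._lock:
            return list(self.records)


def send_probe(port, payload, host="127.0.0.1"):
    """Plays the scanner side for a local demo: connect, send payload (possibly nothing), leave."""
    with socket.create_connection((host, port)) as s:
        if payload:
            s.sendall(payload)


def wait_for_records(hp, count, timeout=5.0):
    """Poll until the honeypot has logged `count` records or the timeout passes."""
    deadline = time.monotonic() + timeout
    while len(hp.snapshot()) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return hp.snapshot()


if __name__ == "__main__":
    hp = ListenOnlyHoneypot()
    port = hp.start()
    send_probe(port, b"SSH-2.0-OpenSSH_8.9\r\n")   # constructed probe, as an SSH scanner would send
    send_probe(port, b"")                         # bare connect, as a port scanner would do
    for rec in wait_for_records(hp, 2):
        print(rec["src_ip"], rec["probe_type"])
    hp.stop()
```

Because the sensor never replies, every record is pure signal about who knocked and what they said first; that is also the trade-off, since a client that waits for a banner before speaking shows up only as “connect-only”. The higher interaction levels above trade that silence for richer capture at the cost of something that can be fingerprinted or abused.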
Kippo
https://github.com/desaster/kippo

Cowrie
https://github.com/micheloosterhof/cowrie

Conpot
https://github.com/mushorg/conpot

Artillery
https://github.com/BinaryDefense/artillery

Glastopf
https://github.com/mushorg/glastopf
Service
• HoneyNTP
• HoneyPerl
• Vnclow
• Portlurker
• Arctic-swallow

Email/Web
• WordPot
• HoneyPotter
• HoneyPress
• PHPMyAdmin
• Snare

Database
• MongoDB-HoneyProxy
• Elastic Honey
• MySql
• NoSQLPot
• MSQL HoneyPots

Other
• ConPot - Industrial Control Systems
• SCADA honeynet
• gridpot
• TelNetHoney
• HonTel
Caution:
• Forcefully segment
• Actively monitor
• Don’t 100% copy real systems
• Never use real credentials
• Malware Analysis
• Logging / Reporting
ADHD
Black Hills Information Security
https://github.com/adhdproject
https://www.blackhillsinfosec.com/projects/adhd/
BeEF, WebBugs, Honey Badger, Honey Ports, Cowrie, and many, many more.
T-Pot
T-Mobile Open Source Project
https://github.com/dtag-dev-sec/tpotce
Conpot, Cowrie, Dionaea, Glastopf, HoneyTrap, and more
+ ELK Stack, Suricata, Spiderfoot, and more
Other Options

Honey Users
• Email Addresses
• Credentials
• Hashes

Honey Items
Plant, then watch…
• Docs

Honey Tokens
Used in combination with IPS/IDS
• Database Records
• Strings
• Names
• Files
• Etc
ZipBombs

Endless Directories

Location Awareness

• Globally Deployed
• Observes attacker behavior in real time
Sharing is caring

Wanna …

Improvements

CVEs Targeted
After a Hit?
• Log Management
• SIEM
• IPS/IDS
• Snort/Bro/Suricata
• Sandboxes
External-Facing
• Can be noisy
• Forcefully segment
• Don’t use real creds
• Incredibly valuable when used with multi-stage rules
Alert: External Honeypot Access Followed by Local File Access
Alert: External Honeypot Access Followed by Multiple Login Failures
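The two alerts above are the multi-stage rules the previous slide refers to: an external honeypot touch on its own is noisy, so the rule only fires when the same source goes on to do something on the inside within a window. The honey tokens listed earlier (database records, strings, names, files used with IPS/IDS) are the single-stage counterpart: a planted value has no legitimate use, so one IDS match is enough. The Python correlator below is an added example written for this page, not Rapid7’s or any SIEM product’s code; the key=value log format, the event names, the ten-minute window, the failure threshold of three and every log line are my own constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: how long a honeypot touch "primes" a source
FAILURE_THRESHOLD = 3            # assumed: failures after a touch before we alert

# Constructed sample log in an invented key=value format (not any product's real output).
SAMPLE_LOG = """\
2017-05-01T10:00:01Z event=honeypot_access src=203.0.113.7 sensor=ext-ssh-1
2017-05-01T10:00:02Z event=login_failure src=203.0.113.7 host=vpn-gw user=admin
2017-05-01T10:00:03Z event=login_failure src=203.0.113.7 host=vpn-gw user=root
2017-05-01T10:00:05Z event=login_failure src=203.0.113.7 host=vpn-gw user=backup
2017-05-01T10:00:09Z event=login_failure src=198.51.100.9 host=vpn-gw user=admin
2017-05-01T10:01:00Z event=honeypot_access src=192.0.2.45 sensor=ext-web-1
2017-05-01T10:03:30Z event=file_access src=192.0.2.45 host=fileserver-2 path=/finance/q3.xlsx
2017-05-01T10:04:00Z event=honeytoken_hit src=192.0.2.45 token=canary-db-row-0042
2017-05-01T10:20:00Z event=file_access src=203.0.113.7 host=fileserver-2 path=/hr/salaries.csv
2017-05-01T12:00:00Z event=file_access src=10.0.0.5 host=fileserver-2 path=/public/readme.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


class Correlator:
    """Streaming correlation: one honeypot touch primes a source; later inside activity fires."""

    def __init__(self, window=WINDOW, threshold=FAILURE_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.honeypot_seen = {}             # src -> time of most recent external honeypot access
        self.failures = defaultdict(deque)  # src -> timestamps of login failures since that access
        self.alerts = []

    def feed(self, ev):
        src, ts, kind = ev.get("src"), ev["ts"], ev.get("event")
        if kind == "honeytoken_hit":
            self._alert("Honeytoken Used", ev)   # single stage: the token has no legitimate use
            return
        if kind == "honeypot_access":
            self.honeypot_seen[src] = ts        # stage 1: remember the touch, alert on nothing yet
            self.failures[src].clear()
            return
        touched = self.honeypot_seen.get(src)
        if touched is None or ts - touched > self.window:
            return                              # no recent honeypot contact: stays routine noise
        if kind == "file_access":
            self._alert("External Honeypot Access Followed by Local File Access", ev)
        elif kind == "login_failure":
            q = self.failures[src]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) == self.threshold:        # fire once, when the threshold is crossed
                self._alert("External Honeypot Access Followed by Multiple Login Failures", ev)

    def _alert(self, rule, ev):
        self.alerts.append({
            "rule": rule,
            "src": ev.get("src"),
            "ts": ev["ts"].isoformat(),
            "evidence": {k: v for k, v in ev.items() if k != "ts"},
        })


def run(log_text):
    """Feed every parseable line, in order, and return the alerts raised."""
    c = Correlator()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a["ts"], a["src"], a["rule"])
```

Walking the constructed log through it: 203.0.113.7 touches the SSH sensor and then fails three VPN logins within seconds, so the login-failure rule fires once; its file access at 10:20 is outside the window and stays quiet. 192.0.2.45 touches the web sensor, reads a finance file and then uses a planted database row, producing the file-access alert and the single-stage honeytoken alert. The failure from 198.51.100.9 and the file access from 10.0.0.5 never had a honeypot touch in front of them and produce nothing, which is what makes the external sensor usable despite its noise.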
Internal-Facing
• Go bonkers, Honeypots: EVERYWHERE
• Use test deployments to tune IDS/IPS/SIEM
Open-Source Effort
1. Download Project
2. Fork
3. Comment/Commit!
4. Profit!
Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).