Breaking Honeypots for Fun and Profit

More documents

Recommendations

Info

No False Positives • However the attackers found the decoy (which is a science by itself, beyond the scope of this talk) • … Once they do, if any code runs on it, a machine you completely control – It’s an attacker. © 2015 Cymmetria Inc. 14
State of decoy technology • Low interaction honeypots are useful <strong>for</strong> malware <strong>and</strong> scanning detection • They are limited by definition, which is a recognized fact … They emulate, which can be easily fingerprinted. And they try to lure in the attacker. © 2015 Cymmetria Inc. 15
Page 1 and 2: Breaking Honeypots for Fun and Prof
Page 3 and 4: What this talk isn’t about No ker
Page 5 and 6: Introducing Intrusion Deception
Page 7 and 8: We sit on the shoulders of giants
Page 9 and 10: Why does it work? © 2015 Cymmetria
Page 11 and 12: © 2015 Cymmetria Inc. 11
Page 13: Elements of Cyber Deception • Reg
Page 17 and 18: Fingerprinting • Is fingerprintin
Page 19 and 20: Low interaction honeypots • Simul
Page 21 and 22: Previous Work
Page 23 and 24: What is Conpot “Conpot is a low i
Page 25 and 26: Previous Work © 2015 Cymmetria Inc
Page 27 and 28: Artillery
Page 29 and 30: Artillery © 2015 Cymmetria Inc. 29
Page 31 and 32: Artillery • Detection is trivial
Page 33 and 34: Artillery How does this affect an a
Page 35 and 36: What is BearTrap “BearTrap is mea
Page 37 and 38: BearTrap • Waits for user command
Page 39 and 40: BearTrap 220 (vsFTPd 3.0.2) CWD 530
Page 41 and 42: BearTrap What can we learn from Bea
Page 43 and 44: honeyd
Page 45 and 46: honeyd • Very configurable - fing
Page 47 and 48: honeyd • Linux/FTP - Doesn’t su
Page 49 and 50: honeyd What can we learn from honey
Page 51 and 52: Nova
Page 53 and 54: Nova © 2015 Cymmetria Inc. 53
Page 55 and 56: Nova • POSSIBLE FIX • include t
Page 57 and 58: Nova How does this affect an attack
Page 59 and 60: What is Kippo “Kippo is a medium
Page 61 and 62: More Kippo Issues https://prezi.com
Page 63 and 64: Kippo • POSSIBLE FIX • Either g
Page 65 and 66:
Kippo How does this affect an attac
Page 67 and 68:
What is Dionaea “Dionaea intentio
Page 69 and 70:
Previous Work • http://blog.sbarb
Page 71 and 72:
Dionaea • https: certificate issu
Page 73 and 74:
Dionaea How does this affect an att
Page 75 and 76:
What is Glastopf “Glastopf is a H
Page 77 and 78:
Glastopf • Web app honeypot • E
Page 79 and 80:
Glastopf • Google lookup: "This i
Page 81 and 82:
Glastopf • This might already giv
Page 83 and 84:
Glastopf • What we can learn from
Page 85 and 86:
KFSensor
Page 87 and 88:
KFSensor • When alerting also mak
Page 89 and 90:
KFSensor What can we learn from KFS
Page 91 and 92:
World honeypot deployment (Dionaea)
Page 93 and 94:
World honeypot deployments © 2015
Page 95 and 96:
Organizations 375 - Taiwanese ISP 3
Page 97 and 98:
Organizations • Taiwanese Compute
Page 99 and 100:
Organizations And… • National I
Page 101 and 102:
Guess what the regular HTTP serves
Page 103 and 104:
Lessons Learned
Page 105 and 106:
Where do we take it from here? •
Page 107 and 108:
Lessons learned How should we be bu
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Real Machine Services Exploitable f
Page 115 and 116:
Thanks • We’d like to thanks al
Page 117:
Questions? @Cymmetria on Twitter
show all

Breaking Honeypots for Fun and Profit

Create successful ePaper yourself

Delete template?

Save as template?