# Risk Management The Big Picture – Part V

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:17

0
58
lượt xem
5

## Risk Management The Big Picture – Part V

Mô tả tài liệu

Welcome, let’s take a minute and revisit what we have learned so far. We started out with an example attack and then focused on one tool that would have given a lot of bang for the buck, a firewall. If you reflect back carefully on the firewalls and ways to avoid firewalls then you realize we introduced the concepts of threats and countermeasures. We covered the history of the threat as far back as 1995 to the most recent type of attacks.

Chủ đề:

Bình luận(0)

Lưu

## Nội dung Text: Risk Management The Big Picture – Part V

1. Risk Management The Big Picture – Part V Honeynets and Honeypots Information Risk Management - SANS ©2001 1 Welcome, let’s take a minute and revisit what we have learned so far. We started out with an example attack and then focused on one tool that would have given a lot of bang for the buck, a firewall. If you reflect back carefully on the firewalls and ways to avoid firewalls then you realize we introduced the concepts of threats and countermeasures. We covered the history of the threat as far back as 1995 to the most recent type of attacks. Then we began to explore detection, covering sensors and logging for both host and network-based platforms. Along the way you were introduced to a number of commands and tools. Have you started working with those? Do you now have TCPdump, Windump, or Ethereal running on your system? SANS Security Essentials teaches a lot of theory and teaches you about a lot of things, but that is not the focus of the course. The course is designed to equip you to face the threat and we cannot achieve that if you do not put the lessons into practice. You are going to need these tools as we progress to networking, so if not, perhaps it would be better to go do that, and begin this lesson later. This segment of risk management, the big picture will deal with honeypots. They are critical to find and analyze new attacks. 5-1
2. Honeypots • What are they? • Why you might need a honeypot • Example honeypots: – DTK – Honeynet Information Risk Management - SANS ©2001 2 There are a number of technologies that can be used for a honeypot and everyone has a strong opinion about their approach. Obviously the more sophisticated attackers are only going to be fooled by an operating system that exactly mirrors what they expect and this includes when they “compromise” it, the system must fail correctly. The only honeypot that will work at that level of fidelity is an operating system itself; this is the approach Lance uses. This is a very advanced and dangerous technique, since the system can easily be used to attack others. To make his system work, he relies on multiple layers of monitoring and has modified the syslog facility to do a lot of logging, but not in a way attackers will notice. He has also modified the operating system shell to log commands to the syslog facility and then monitors everything with a Snort IDS. Still, when he published his work, the attackers figured out they had been had and laid waste to the system. This is evidence a few more safety measures would be a good thing! 5-2
3. Honeypots (2) • What are they? – A host trap - they run real services on a sacrificial computer or simulated instrumented services, (or fake a core dump) – A network trap – the intruder thinks they found a vulnerable organization Information Risk Management - SANS ©2001 3 Are there safer alternatives? We will talk about DTK in some depth. 5-3
4. What are They? • A decoy - if a machine becomes “hot”, change the IP address and name and put in a honeypot • DNS, Mail, Web servers make great honeypots on their unused ports Information Risk Management - SANS ©2001 4 Attackers will not succeed in being able to crack it to attack other systems. Of course, smap is not sendmail and just changing the banner from “smap” to “sendmail” will not fool the wise attacker. The higher the fidelity of the honeypot, the greater the risk. Where do you put a honeypot? How do you make it effective? Well to be sure, every IP address gets attacked - ask any cable modem user. However, there are things you can do to optimize performance. Perhaps the most effective honeypots are machines that have become “hot”. In such a case, it is a good idea to move that machine to a new name and IP address, (think “witness protection program”), and deploy a honeypot on that system’s address. Domain name servers, mail servers and web servers’ non-service ports make a great place to put honeypot code. 5-4
5. Why you Need a Honeypot Firewall 143 The firewall, properly configured, stops this attack. That’s good. But, you can’t learn anything about the attack, (if it is TCP), and that might be bad. Information Risk Management - SANS ©2001 5 Firewalls impact network traffic. In the slide above, the packet is addressed to TCP port 143, the IMAP service. If the site does not allow IMAP through the firewall, then there will never be a SYN/ACK response, the TCP three-way handshake will not complete, and we never know the attacker’s precise technique or intentions. If we place a honeypot outside the firewall or allow the traffic through the firewall to the honeypot on an isolated network, we can collect information as to what the attacker is trying to do. 5-5
6. TCP Three-way Handshake • A -- SYN B • A SYN/ACK -- B • A -- ACK B No valuable content gets sent until the handshake is complete. Filtering routers and firewalls block on at least the SYN packet, ergo no content. Can you name a situation where you might really want to know the content of the TCP conversation? Information Risk Management - SANS ©2001 6 In this slide we see the steps that are required to complete a TCP connection. Take a minute and think about the question on the bottom of the slide. Many times we just want to block the traffic and not even think about it. However there might be situations where you would really want to see what the traffic is. They include: • The example we discussed when an actual userid or login and password is being used. In this case we want to know the attacker’s intentions and how much they know. • When we see a particular system is the focus of lots of probes. This can happen for a number of reasons. We had a researcher give out the name and IP address of a research system when I worked for the Navy, and for the next three years probes came from all over the world trying to find this system. I moved it and put a honeypot in its place. • When we think a new attack or technique is being used. This would allow us to gain information about what is being done. 5-6
7. Deception Tool Kit (DTK) • What is it? • A Perl script that executes state machine scripts on specified ports, C binaries for telnetd, web – Includes state machine scripts for ports: • 0, systat(11), qotd(17), chargen(19), ftp (21), telnet(23), smtp(25), time(37), domain(53), 65, 66, tftp(69), finger (79), http (80), pop-3(110), 365, 507, 508, exec (512), login (513), shell (514), 893, nfs (2049), 5999, 6001, 8000, 10000, 12000, 12345, 12346, 14000, 28000, 31337 Information Risk Management - SANS ©2001 7 The Deception Tool Kit (DTK) was created by Fred Cohen, one of the most brilliant and well-loved individuals on the Internet (one out of two ain’t bad), and was available for free with a funky license at www.all.net/dtk/. There are DTK groupies that can make this code sing, but we want to learn from the architecture of this tool to understand the processes a honeypot needs to go through. On the next slide we see that DTK makes use of port 365. If you query a DTK on port 365, it will tell you it is a DTK. If a substantial number of people ran honeypots such as DTK, and a substantial number of people who DIDN’T run the port 365 service, it would increase the price of hacking. I am sorry to report that after extensive study of thousands upon thousands of network traces, I have not seen this in action. 5-7
8. DTK • What can it do? (cont.) – Port 365 • Reports that DTK is running on this machine. Can be run on machines without DTK on other ports. • May confuse the hackers in the short term. • Can also be used to access /dtk/log with password. – Can time-tag and log every typed command. – Can email notification of break in. • Example detect in notes pages Information Risk Management - SANS ©2001 8 In the notes pages of this slide, take a minute to look over the logs. This is nice high fidelity information about what the attackers are attempting. JUNE 1999. Also from the latest DTK logs... '198.143.200.52', '13392', '10752', '1999/06/24 17:37:35', '18023', '275', '1', 'listen.pl', 'S0', 'R-Peace', 'Init' '198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'trap '' SIGALRM SIGTRAP' '198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH' '198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', '/usr/sbin/rpc.mountd >/etc/passwd;rm -rf /etc/securetty;exit;' 5-8
9. DTK (2) • Sample state machine script: # State Input NexStat Exit lf/file output/filename # initial prompt 0 START 1 1 2 @23.login # 2 user IDs 1 guest 2 1 4 Password: 1 root 2 1 4 Password: # 2 passwords 2 toor 3 1 0 $2 tseug 3 1 0$ # some commands 3 ls 3 1 2 @23.ls 3 df 3 1 2 @23.df 3 pwd 3 1 2 @23.pwd # Exceptions 0 NIL 0 1 0 borge login: 0 ERROR 0 1 0 borge login: 1 NIL 1 1 0 borge login: 1 ERROR 1 1 0 borge login: 2 NIL 1 1 0 borge login: 2 ERROR 1 1 0 borge login: 3 NIL 1 0 0 core dumped 3 ERROR 1 0 0 core dumped Information Risk Management - SANS ©2001 9 What is a state machine? If you meet the condition at the first state, you can transition to the next. Please take a minute to read this slide. State 0 is initiated when someone makes contact with the system on TCP port 23, telnet with an active open, or the SYN flag is set. The system responds with “login”. If the answer is either guest or root, the system moves to State 1. In State 1 it offers “Password” and if the password matches the list with root or guest spelled backwards, the system “logs them in” and gives them a prompt. We move to State 2. Here we are looking for one of the operating system commands off the list: ls, df, or pwd. As you can see, an attacker will quickly discover this is not a real system. However, it is fine to collect information about script-based attacks. 5-9
10. DTK (3) • Sample log output: 256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 Init 256.160.234.245 13067 110 1998/07/12 12:03:03 27017 176:1 listen.pl S0 NoInput 128.38.330.25 1063 110 1998/07/13 11:00:36 31394 176:2 listen.pl S0 Init 128.38.330.25 1063 110 1998/07/13 11:00:40 31394 176:2 listen.pl S0 PASS^M 128.38.330.25 1063 110 1998/07/13 11:00:46 31394 176:2 listen.pl S0 USER taldric^M 128.38.330.25 1063 110 1998/07/13 11:00:53 31394 176:2 listen.pl S0 PASS taldric^M 128.38.330.25 1063 110 1998/07/13 11:01:02 31394 176:2 listen.pl S0 USER taldric^M 128.38.330.25 1063 110 1998/07/13 11:01:09 31394 176:2 listen.pl S0 PASS toor^M 128.38.330.25 1063 110 1998/07/13 11:01:11 31394 176:2 listen.pl S0 ^M 128.38.330.25 1063 110 1998/07/13 11:01:13 31394 176:2 listen.pl S0 ^M 128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 QUIT^M 128.38.330.25 1063 110 1998/07/13 11:01:15 31394 176:2 listen.pl S0 WeClose Information Risk Management - SANS ©2001 10 This slide shows the result of running DTK. This serves as a sensor and has a lot of value. If someone has sniffed a password or obtained it by other measures, the honeypot allows you to see that it is in use. Most organizations have no or minimal logging internally, so this is one way you can know something is wrong. 5 - 10
11. DTK (4) • Able to simulate all/any services – Looks and acts like the real thing initially – Smart attackers will notice simulation – Low CPU/disk overhead • Will not provide any “real” services – As it becomes more complex, risk increases • Customized for each machine Information Risk Management - SANS ©2001 11 The bottom line on DTK is that it is in use and organizations are getting good results from it. On Unix computers, the Internet Daemon, or inetd, listens for incoming connections and “wakes up” the appropriate daemon if the system offers that service. For instance, the telnet daemon is not always running. Instead, when the system receives a packet with the SYN flag set and destination port 23 (the well-known address for telnet), inetd wakes up telnetd to service the connection. DTK prefers to run all the time, which is a shade wasteful of CPU and memory, but not too bad. The bigger problems are shown below. DTK can be a bear to configure, and nobody on the mailing list has proven to be too friendly. In addition, the issue of checking another log is not minor. The approach used by Lance to modify the Unix System Logger (syslog) facility allows him to collect a lot of data in a single place and as busy as we all are, this has a lot of advantages. The telnetd and the web daemon are “real”. They are compiled C code. They simply simulate the services. This could be important, since they might be vulnerable to a buffer overflow or similar attack. That said, the main DTK is unlikely to be compromised and then the honeypot would be used to attack other people. 5 - 11
12. Large Scale Deception Rig DTK to listen to all of the IP addresses in the class C address range. Add 253 entries to the /etc/sysconfig/network-scripts directory - here's a script to do it: CLASSC="10.0.0" for i in 1 2 3 4 5 6 7 8 9 10 ... 250 251 252 253 254 do echo "DEVICE=eth0:${i} IPADDR=${CLASSC}.${i} NETMASK=255.255.255.0 NETWORK=${CLASSC}.0 BROADCAST=${CLASSC}.255 ONBOOT=yes" > /etc/sysconfig/network-scripts/ifcfg-eth0:${i} echo -n "\${i} " done echo "Done" Information Risk Management - SANS ©2001 12 A number of the emerging honeypot technologies can simulate a number of systems. In this case, DTK is being configured as an entire network. A firewall product (Raptor) does this in an interesting way. If it receives a SYN packet to an IP address it is protecting, it can forge the proper response, a SYN/ACK, even if the protected host does not exist or exists and doesn’t offer that service. The attacker will then complete the connection and begin the attack, which can be recorded. That is the end of the show however - at this point the firewall aborts the connection. However, I have managed to collect a lot of useful information from just these few packets. 5 - 12
13. Why you Want Others to run Them • Remember port 365? • Name servers, mail servers, and web servers draw the most fire on the Internet. What if they had their non- service ports instrumented? • The end result could be to slow down the pace of attacks and increase arrests. Information Risk Management - SANS ©2001 13 There are a number of reasons that you might want others to run honeypots! When we discussed port 365, think about the implications if everyone ran a tag on port 365. This would make life harder for attackers, honeypots would answer and say they were honeypots and non-honeypots would answer and they would say they were honeypots. This example illustrates why honeypots, if widely deployed, improve security. Currently, the paradigm in general is when the attackers break into a system, it really is a compromised system. They are very bold and free with what they do. The honeypots deployed by Lance illustrate just how effective this is, because the attackers assume no one can monitor them. If there were another couple hundred honeypots, then the attackers would have to start slowing down and being more careful and several of them would end up being arrested. 5 - 13
14. Other Honeypot Products • Recourse’s Mantrap • Honeynet Mantrap description in notes pages Information Risk Management - SANS ©2001 14 http://www.recourse.com/products/mantrap/trap.html ManTrap® extends the honeypot concept by creating an entire network of deception hosts that lure the attacker away from production systems and into the confines of the ManTrap cage. Deceptive mechanisms provide organizations with an additional layer of defense that augments the abilities of current security solutions, such as firewalls or intrusion detection systems. Deception enables the organization to discover the method and motives of the attacker. Since the attacker believes that they are attacking a production system, they will open up their bag of tricks and reveal their intentions--be they to extract proprietary information, hack the external Web site, add another zombie to their distributed denial of service network, or other motivations. ManTrap also affords an organization time during an attack. Time is extremely important when determining the extent of the attack as well as the appropriate response. The time and information provided by ManTrap are extremely useful in the defense against attacks from both internal and external sources. 5 - 14
15. IDS Reports Content of Attack on NT box NetBIOS Wildcard Request 04/06-20:49:14.457168 24.65.232.175:137 -> my.honey.pot.ip:137 UDP TTL:114 TOS:0x0 ID:44829 Len: 58 07 3A 00 10 00 01 00 00 00 00 00 00 20 43 4B 41 .:.......... CKA 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..! 00 01 .. Of course, no discussion on honeypots is complete without mentioning Lance Spitzner and the honeynet team. They have taken this to a new level. For more reading you might try: http://project.honeynet.org/papers/honeynet/ The diagram on the slide is from this paper. We have added a typical network trace. This is from a Windows worm. Step 1 is to look for unprotected shares. The hex characters 43 48 41 41 are the string that indicates a wildcard request. A wildcard request tells the target computer to talk about itself, they say who is logged in and the name of the workgroup and any resources that are registered. On a Windows system you can share printers and files. This request would detect any shares and then the attack code can plant itself in the part of the filesystem that is shared. 5 - 15
16. Honeypot Summary • Advanced Technique – do everything else first • Best way to capture new worms for analysis • Risk of having attacker use the honeypot if they break the controls Information Risk Management - SANS ©2001 16 This page intentionally left blank. 5 - 16
17. Course Revision History Information Risk Management - SANS ©2001 17 v1.0 – S. Northcutt – Jul 2000 v1.1 – edited by J. Kolde – Aug 2000 v1.2 – edited by J. Kolde, format grayscale for b/w printing – 23 Nov 2000 v1.3 - edited by S. Northcutt; cleanup and formatting by F. Kerby - 08 May 2001 v1.4 – edited/formatted by J. Kolde – 9 May 2001 v1.4a – edited/revised by D. Tuttle – 24 July 2001 v1.5 – updated E. Cole – 1 Nov 2001 V 1.6 – edited and audio recorded by C. Wendt – 16 Jan 2002 5 - 17