
BSA2016 - Honeypots for Network Security Monitoring


At the BSides Augusta 2016 conference, I presented the economic challenges of defensive security and how honeypots can be used for cost effective network security monitoring.



  1. Chris Sanders (@chrissanders88)
     • Find Evil @ FireEye
     • Founder @ Rural Tech Fund
     • PhD Researcher
     • GSE #64
     • BBQ Pit Master
     • Author: Practical Packet Analysis, Applied NSM
  2. Agenda
     • Security Economics
     • Traditional Honeypots
     • NSM Honeypots
     • Honeypot Applications
     "Why honeypots are a cost effective strategy for enhancing your network security monitoring strategy."
  3. Economics of Security
     "If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics." - Taufiq Rashid
     • High Demand for Security Expertise
     • Low Supply of Security Practitioners
     (diagram labels: Expertise, Services, Software)
  4. Cost Effective NSM
     (chart: cost vs. effectiveness, plotting Analytics/ML, Antivirus, NGFW, SIEM, Endpoint, IDS/IPS, Honeypots)
     Where do most security solutions rank in terms of cost effectiveness?
  5. Seminal Work
     • Large Orgs and Defense
     • Many Academic Papers
     • The Honeynet Project
     • Honeyd Software
  6. Traditional Honeypots
     • Designed to be attacked
     • Intentionally vulnerable
     • Primarily used for specific research
     • Originally useful for learning about attackers
     • Useful for tracking scanning and proliferation of worms
  7. Honeypot Architecture (diagram)
  8. Hold Your Horses!
     1. Honeypots take a lot of time to maintain.
     2. Honeypots introduce tremendous risk.
     3. Attackers can use honeypots as a foothold.
     4. Honeypots are only for the most mature
  9. NSM Honeypots
     Premise: nobody should ever talk to a honeypot.
     Attributes:
     1. Placed inside the network
     2. Mimic existing systems
     3. Low interaction
     4. Extensive logging and alerting
     5. Goal oriented
  10. Integrating NSM Honeypots (diagram: NSM Strategy, Honeypots)
  11. Integrating NSM Honeypots (diagram: Honeypots)
  12. Goal-Oriented Deception
      Mimic Reality / Capture Interaction / Generate an Alert
      Targets: Systems, Users, Data
  13. Protect the Systems (Mimic Reality / Capture Interaction / Generate an Alert)
      Protect: Windows systems using RDP
      1. Deploy an RDP honeypot [Tom's, OpenCanary]
      2. Capture any connection attempt
      3. Generate an alert to your SIEM/SOC
  14. Protect the Data (Mimic Reality / Capture Interaction / Generate an Alert)
      Protect: HR data in spreadsheets
      1. Deploy a HoneyDoc
      2. Embed a web bug that phones home
      3. Configure OS file access monitoring
      4. Generate an alert when the doc phones home or when the file is accessed
  15. Protect the Users (Mimic Reality / Capture Interaction / Generate an Alert)
      Protect: Service account credentials
      1. Create limited-access honeyusers [DCEPT]
      2. Detect cleartext credentials in memory
      3. Generate an alert to your SIEM/SOC
  16. The Challenge
      • Analysts... start looking for implementation opportunities.
      • Managers... ensure this technique is part of your analysts' toolbelt.
      • Vendors... develop affordable honeypot-based solutions.
      • Open Source Contributors... innovation in this space.
  17. Recommended Honeypot Software
      • Honeypots: OpenCanary, Tom's Honeypot, Cowrie (SSH), RDPY (RDP)
      • Management: Ansible, Docker, Chef
      • Alerting: Snort, Suricata, Bro, SIEM
  18. Other Honeypot Software
      Conpot, Dionaea, Ensnare, ESPot, Gaspot, Glastopf, Gridpot, Honeyd, Honeyntp, HoneyPotter, HoneyPress, Honeyprint, HoneyPy, Kippo, Nodepot, NoSQLpot, Shadow Daemon, TelnetHoney, Thug, Wordpot
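Slide 9 lays out the NSM honeypot premise (nobody should ever talk to it; low interaction; extensive logging and alerting) and slide 13 applies it to RDP. The listener below is an added example written for this page, not code from the talk, from OpenCanary or from Tom's Honeypot. It listens on 3389, reads the client's first PDU, pulls the user name the client claims from the X.224 Connection Request cookie for triage, and alerts on every connection regardless of what was sent. The port, the sensor name and the alert field names are assumptions; the test client PDU is constructed, not captured traffic.

```python
"""Minimal low-interaction RDP honeypot (added example, not code from the talk,
OpenCanary or Tom's Honeypot). It listens on 3389, reads the client's first
PDU, extracts what it can for triage, and alerts on *every* connection:
nobody has a legitimate reason to talk to this host."""
import json
import socket
import struct
import threading
from datetime import datetime, timezone

LISTEN_PORT = 3389              # assumed: mimic a real Windows RDP host
X224_CONNECTION_REQUEST = 0xE0  # X.224 Connection Request TPDU code
RDP_NEG_REQ = 0x01              # optional negotiation request following the cookie
COOKIE_PREFIX = b"Cookie: mstshash="


def parse_x224_connection_request(data: bytes) -> dict:
    """Parse a TPKT-framed X.224 Connection Request (MS-RDPBCGR 2.2.1.1).
    Returns the mstshash cookie (user name the client claims to be) and the
    security protocols it requests. Non-RDP or truncated input gives is_rdp=False
    so the caller still alerts, just with less context."""
    result = {"is_rdp": False, "claimed_user": None, "requested_protocols": None}
    # TPKT: version 3, reserved, 16-bit big-endian length; then a 7-byte CR TPDU
    if len(data) < 11 or data[0] != 3 or data[5] != X224_CONNECTION_REQUEST:
        return result
    result["is_rdp"] = True
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    body = data[11:tpkt_len]               # 4-byte TPKT header + 7-byte CR TPDU
    if body.startswith(COOKIE_PREFIX):     # "Cookie: mstshash=<user>\r\n"
        end = body.find(b"\r\n")
        if end != -1:
            result["claimed_user"] = body[len(COOKIE_PREFIX):end].decode("latin-1", "replace")
            body = body[end + 2:]
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE, always 8) requestedProtocols(4, LE)
    if len(body) >= 8 and body[0] == RDP_NEG_REQ:
        result["requested_protocols"] = struct.unpack("<I", body[4:8])[0]
    return result


def build_connection_request(user: str, protocols: int = 3) -> bytes:
    """Build the PDU a real client sends, to exercise the sensor against itself.
    Constructed here; not captured traffic."""
    body = COOKIE_PREFIX + user.encode("latin-1") + b"\r\n"
    body += bytes([RDP_NEG_REQ, 0]) + struct.pack("<H", 8) + struct.pack("<I", protocols)
    x224 = bytes([6 + len(body), X224_CONNECTION_REQUEST, 0, 0, 0, 0, 0]) + body
    return bytes([3, 0]) + struct.pack("!H", 4 + len(x224)) + x224


def build_alert(src_ip: str, src_port: int, parsed: dict) -> dict:
    """Every connection is an alert; the parsed fields only enrich it."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sensor": "rdp-honeypot",
        "severity": "high",
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": LISTEN_PORT,
        **parsed,
    }


def handle_client(conn: socket.socket, addr, emit=print) -> dict:
    """Read one PDU, drop the connection (no handshake is completed, so there is
    nothing for an attacker to gain a foothold on), then alert."""
    data = b""
    try:
        conn.settimeout(5)
        data = conn.recv(1024)
    except OSError:
        pass
    finally:
        conn.close()
    alert = build_alert(addr[0], addr[1], parse_x224_connection_request(data))
    emit(json.dumps(alert))          # swap print for a syslog/SIEM forwarder
    return alert


def serve(bind: str = "0.0.0.0", port: int = LISTEN_PORT, emit=print) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr, emit), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The connection is closed before any X.224 Connection Confirm is sent, which is what keeps the interaction low: a scanner sees an open port and an RDP-shaped first PDU is logged, but there is no session to pivot through. The `is_rdp` flag separates real RDP clients from port scans and mis-aimed HTTP probes without suppressing either, because on an internal honeypot both are worth a ticket.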
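Slide 14 describes a HoneyDoc whose embedded web bug phones home. The server side of that web bug, as an added example written for this page (not code from the talk): each planted document is registered under a unique token that goes into the image URL embedded in it, and any request for that URL is mapped back to the document, its planting location and its owner, and raised as an alert. The beacon hostname, the URL layout and the alert fields are assumptions; the document name in the demo is constructed.

```python
"""Phone-home endpoint for honeydocs (added example, not code from the talk).
A planted document carries a linked image whose URL embeds a unique token;
any request for that URL means someone opened the document, which is the alert."""
import json
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

BEACON_HOST = "https://beacon.example.internal"   # assumed: the host the web bug points at
# 1x1 transparent GIF returned for every request so the document renders as usual
PIXEL_GIF = (b"\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00"
             b"\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00"
             b"\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")

REGISTRY = {}   # token -> where the honeydoc was planted (use a durable store in production)


def register_honeydoc(document: str, planted_at: str, owner: str) -> str:
    """Mint a token for one planted document and return the web-bug URL to embed
    in it (for example as an externally linked image in a .docx header)."""
    token = secrets.token_urlsafe(16)
    REGISTRY[token] = {"document": document, "planted_at": planted_at,
                       "owner": owner, "hits": 0}
    return f"{BEACON_HOST}/img/{token}.gif"


def handle_beacon(path: str, client_ip: str, user_agent: str) -> Optional[dict]:
    """Map a request path back to its planted document. Unknown tokens (scanners,
    typos, favicon requests) return None so they never page anyone."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]
    if not name.endswith(".gif"):
        return None
    entry = REGISTRY.get(name[:-len(".gif")])
    if entry is None:
        return None
    entry["hits"] += 1
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sensor": "honeydoc",
        "severity": "high",
        "document": entry["document"],
        "planted_at": entry["planted_at"],
        "owner": entry["owner"],
        "opened_from_ip": client_ip,
        "user_agent": user_agent,   # Office vs. a browser vs. curl says how it was opened
        "hit_number": entry["hits"],
    }


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = handle_beacon(self.path, self.client_address[0],
                              self.headers.get("User-Agent", ""))
        if alert is not None:
            print(json.dumps(alert))          # swap for a SIEM/webhook forwarder
        # Same answer for hits and misses: the response must not reveal which URLs are live
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")   # every open must reach the server
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):   # keep the default access log out of stderr
        pass


if __name__ == "__main__":
    print("embed:", register_honeydoc("HR_Salaries_2016.xlsx", r"\\fileserver\hr\archive", "hr-team"))
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

The web bug only fires when the viewer actually fetches the linked image, so a copy of the file that is never rendered, or is opened in a viewer that blocks remote content, produces nothing; that is why slide 14 pairs it with OS file access monitoring, which catches the read on the file server even when the document is never opened.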
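Slide 15 plants limited-access honeyusers and alerts when their credentials get used. The detection half of that, as an added example written for this page (not DCEPT's code): because a bait account has no legitimate use, any Windows Security event that authenticates it, successful or not, is an alert. The account names, the chosen event IDs and the alert fields are assumptions, and the JSON-lines events are constructed to look like a log shipper's output, not real log data.

```python
"""Honeyuser detection over Windows Security events (added example, not DCEPT's
code). Bait accounts have no legitimate use, so any authentication event that
names one is an alert, whether the attempt succeeded or not."""
import json
from typing import Dict, Iterable, List

# Assumed bait accounts, planted as cleartext credentials on endpoints by a
# logon script or DCEPT-style agent. Names should look like real service accounts.
HONEYUSERS = {"svc_backup_adm", "sql_svc_legacy"}

# Security log event IDs whose TargetUserName names the account being authenticated
AUTH_EVENT_IDS = {
    4624: "logon succeeded",
    4625: "logon failed",
    4768: "Kerberos TGT requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
}

# Constructed sample (JSON lines as a log shipper would emit them), not real log data
SAMPLE_EVENTS = """
{"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.5.23", "LogonType": 10}
{"EventID": 4771, "TargetUserName": "svc_backup_adm", "IpAddress": "::ffff:10.0.5.23", "Status": "0x18"}
{"EventID": 4776, "TargetUserName": "CORP\\\\sql_svc_legacy", "Workstation": "WS0419", "Status": "0xc000006a"}
{"EventID": 4624, "TargetUserName": "SQL_SVC_LEGACY", "IpAddress": "10.0.5.23", "LogonType": 3}
{"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.5.23", "Status": "0xc000006d"}
"""


def normalize_user(name: str) -> str:
    """CORP\\user, user@corp.local and USER all refer to the same account."""
    return name.split("\\")[-1].split("@")[0].lower()


def source_of(event: Dict) -> str:
    """4624/4625/4768/4771 carry IpAddress (often IPv4-mapped IPv6); 4776 only
    names the workstation."""
    ip = event.get("IpAddress") or ""
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    return ip or event.get("Workstation") or "unknown"


def detect_honeyuser_use(events: Iterable[Dict]) -> List[Dict]:
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in AUTH_EVENT_IDS:
            continue
        user = normalize_user(ev.get("TargetUserName", ""))
        if user not in HONEYUSERS:
            continue
        alerts.append({
            "sensor": "honeyuser",
            # a successful logon means someone holds a working password for the bait
            # account, not merely the planted one: rank it above a failed attempt
            "severity": "critical" if eid == 4624 else "high",
            "honeyuser": user,
            "event_id": eid,
            "what": AUTH_EVENT_IDS[eid],
            "source": source_of(ev),
            "status": ev.get("Status"),
        })
    return alerts


def parse_jsonl(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for alert in detect_honeyuser_use(parse_jsonl(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

The rule deliberately has no threshold or time window: one event is enough, and the source field is what the responder needs first, since the host that presented the bait credential is the host whose memory was read. Case and domain-prefix normalization matters because the same account shows up as `CORP\name`, `name@corp.local` or upper-case depending on which event and which client produced it.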