Chapter 7 - 05 - Understand Different Types of Honeypots_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Module Flow Understand Different Types of Proxy Servers and their Benefits Discuss Security Benefits of Network Segmentation Discuss Fundamentals of VPN and its importance in Network Security & (AN (4 0 @ Discuss Essential Network Security Protocols Discuss Other Network Security Controls Understand Different Types of IDS/IPS and their Role Discuss Importance of Load Balancing in Network Security Understand Different Types of Honeypots Understand Various Antivirus/Anti-malware Software © 0 0 Understand Different Types of Firewalls and their Role Understand Different Types of Honeypots Honeypots allow security professionals to defend against attacks that even a firewall cannot prevent. Honeypots provide increased visibility and an additional layer of security against both internal and external attacks. This section provides an understanding of different types of honeypots and honeypot tools. Module 07 Page 868 Certified Cybersecurity Technician Copyright © by EC-Council Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Honeypot A honeypot is an information system resource that is expressly attempt to penetrate an who iizati It has no authorized activity, does not have any production value, and any traffic to it is likely to be a ,, or or A honeypot can of a@ more concerted attack of attempts or monitor an DMZ. These could be early warnings Honeypot.........,.........?..............' Internal Network D D O @ },) Packet Filter Internet Attacker Web Server Copyright © by All Rights Reserved. Reproduction is Strictly Prohibited Honeypot A honeypot is a computer system on the Internet intended to attract and trap those who attempt unauthorized or illicit utilization of the host system to penetrate an organization’s network. It is a fake proxy run to frame attackers by logging traffic through it and then sending complaints to the victims’ ISPs. It has no authorized activity or production value, and any traffic to it is likely a probe, attack, or compromise. Whenever there is any interaction with a honeypot, it is most likely to be malicious. Honeypots are unique; they do not solve a specific problem. Instead, they are a highly flexible tools with many different security applications. Honeypots help in preventing attacks, detecting attacks, and information gathering and research. A honeypot can log port access attempts or monitor an attacker's keystrokes; these could be early warnings of a more concerted attack. It requires a considerable amount of effort to maintain a honeypot. DMZ ek Internal Internal Network D Firewall Honeypot " : ? < a \@ }..... Packet Filter. Internet Attacker Web Server Figure 7.84: Example of Honeypot Module 07 Page 869 Certified Cybersecurity Technician Copyright © by EC-Council Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Types of Honeypots Classification of Honeypots based on their design criteria Low-interaction HHoneypotst Low-interaction S QO O These These only a honeypots simulate honeypots simulate limited number of i Wil services and applications of a target system or network High-interaction Honeypots Q e e services and applications of a target network Medium-interaction Honeypots QO These honeypots simulate a real operating system, read.o pe'ratlng svstem‘, applications, and services of a target network o These honeypots simulate all. N -. & @ @ Copyright © byby EEC- Pure Honeypots O Q These honeypots emulate These honeypots emulate the real production network off § tariek crmmiiizibion of a target [ [ organization I All All Rights Rights Reserved. Reserved. Reproduction Reproduction isis Strictly Strictly Prohibited Prohibited. Types of Honeypots (Cont’d) Classification of honeypots based on their deployment strategy A Production Honeypots Research Honeypots O Are deployed inside the production network of the QO organization along with other production servers QO As they are deployed internally, they also help to find out internal flaws and attackers within an organization > QQO Are high-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge rr:)lhtatr:lhorga:lzatlo?? ttc: g:u: REed Momg about the actions of intruder SIS ST IESSCHES U5 it > Copyright Module 07 Page 870 © by E Al Rights Reserved. All Prohibited Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Copyright © by EG-Council Certified Cybersecurity Technician Network Security Controls — Technical Controls ©) Exam 212-82 Classification of honeypots based on their deception technology e Malware Honeypots Database Honeypots QO Are used to trap malware campaigns or malware attempts over the network infrastructure Q Employ fake databases that are vulnerable to perform databaserelated attacks such as SQL injection Specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies © Email Honeypots Q Q and database enumeration @ @ Spider Honeypots Fake email addresses that are Q specifically used to attract fake and O Spam Honeypots Honeynets Specifically designed to trap O web crawlers and spiders malicious emails from adversaries Networks of honeypots which are very effective in determining the entire capabilities of the adversaries Copyright © by All Rights Reserved. Reproduction Is Strictly Prohibited. Types of Honeypots Honeypots are classified into the following types based on their design criteria: ®= Low-interaction Honeypots Low-interaction honeypots emulate only a limited number of services and applications of a target system or network. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. They capture limited amounts of information, i.e., mainly transactional data, and some limited interactions. These honeypots cannot be compromised completely. They are set to collect higher-level information about attack vectors such as network probes and worm activities. Some examples are KFSensor, and Honeytrap. = Medium-interaction Honeypots Medium-interaction honeypots simulate a real OS as well as applications and services of a target network. They provide greater misconception of an OS than low-interaction honeypots. Therefore, it is possible to log and analyze more complex attacks. These honeypots capture more useful data than low-interaction honeypots. They can only respond to preconfigured commands; therefore, the risk of intrusion increases. The main disadvantage of medium-interaction honeypots is that the attacker can quickly discover that the system behavior is abnormal. Some examples of medium-interaction honeypots include HoneyPy, Kojoney2, and Cowrie. = High-Interaction Honeypots Unlike their low- and medium-interaction counterparts, high-interaction honeypots do not emulate anything; they run actual vulnerable services or software on production systems with real OS and applications. These honeypots simulate all services and Module 07 Page 871 Certified Cybersecurity Technician Copyright © by EC-Council Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 applications of a target network. They can be completely compromised by attackers to gain full access to the system in a controlled area. They capture complete information about an attack vector such as attack techniques, tools, and intent. The honeypotized system is more prone production systems. to infection, as attack attempts can be carried out on real A honeynet is a prime example of a high-interaction honeypot. It is neither a product nor a software solution that a user installs. Instead, it is an architecture—an entire network of computers designed to attack. The idea is to have an architecture that creates a highly controlled network with real computers running real applications, in which all activities are monitored and logged. “Bad guys” find, attack, and break into these systems through their own initiative. When they do, they do not realize that they are in a honeynet. Without the knowledge of the attackers, all their activities and actions, from encrypted SSH sessions to email and file uploads, are captured by inserting kernel modules into their systems. At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway, which allows inbound traffic to the victim’s systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim’s systems but prevents the attacker from harming other non-honeynet computers. Pure Honeypots Pure honeypots emulate the real production network of a target organization. They cause attackers to devote their time and resources toward attacking the critical production system of the company. Attackers uncover and discover the vulnerabilities and trigger alerts that help network administrators to provide early warnings of attacks and hence reduce the risk of an intrusion. Honeypots are classified into the following types based on their deployment strategy: Production Honeypots Production honeypots are deployed inside the production network of the organization along with other production servers. Although such honeypots improve the overall state of security of the organization, they effectively capture only a limited amount of information related to the adversaries. Such honeypots fall under the low-interaction honeypot category and are extensively employed by large organizations and corporations. As production honeypots are deployed internally, they also help to find out internal flaws and attackers within an organization. Research Honeypots Research honeypots are high-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders. By using such honeypots, security analysts can obtain in-depth information about how an attack is performed, vulnerabilities are exploited, and attack techniques and methods are used by the attackers. This analysis, in turn, can help an Module 07 Page 872 Certified Cybersecurity Technician Copyright © by EC-Council Certified Cybersecurity Technician Network Security Controls — Technical Controls organization to improve Exam 212-82 attack prevention, develop a more secure network infrastructure. detection, and security mechanisms and The main drawback of research honeypots is that they do not contribute to the direct security of the company. If a company is looking to improve its production infrastructure, it should opt for production honeypots. Honeypots are classified into the following types based on their deception technology: Malware Honeypots Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities. These honeypots lure the attacker or malware into performing attacks, from which the attack pattern, malware signatures, and malware threat actors can be identified effectively. Database Honeypots Database honeypots employ fake databases that are vulnerable to perform databaserelated attacks such as SQL injection and database enumeration. These fake databases trick the attackers by making them think that these databases contain crucial sensitive information such as credit card details of all the customers and employee databases. However, all the information present in the database is fake and simulated. Such databases lure the attacker to perform attacks, with their vulnerabilities; from the attacks, the attack pattern and the threat actor’s TTP’s towards database attacks can be identified effectively. Spam Honeypots Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source from the Internet. They provide crucial information about spammers and their activities. Email Honeypots Email honeypots are also called email traps. They are nothing but fake email addresses that are specifically used to attract fake and malicious emails from adversaries. These fake email IDs will be distributed across the open Internet and dark web to lure threat actors into performing various malicious activities to exploit the organization. By constantly monitoring the incoming emails, the adversary’s deception techniques can be identified by the administrators and internal employees can be warned to avoid falling into such email traps. Spider Honeypots Spider honeypots are also called spider traps. These honeypots are specifically designed to trap Module 07 Page 873 web crawlers and spiders. Many threat actors perform web crawling and Certified Cybersecurity Technician Copyright © by EG-Council Certified Cybersecurity Technician Network Security Controls — Technical Controls spidering to extract important Exam 212-82 information from web applications. Such crucial information includes URLs, contact details, directory details, etc. Spider honeypots are employed to trap such adversaries. A fake website will be emulated and presented as a legitimate one. Threat actors attempting to perform web crawling on such traps will be identified and blacklisted. = Honeynets Honeynets are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. Honeynets are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks will be recorded, and this information can be very effective in determining the complete capabilities of the adversary. Module 07 Page 874 Certified Cybersecurity Technician Copyright © by EC-Council Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Honeypot Tools. Y- HoneyBOT is a medium interaction honeypot for windows. It is an easy-to-use solution that is ideal for network security research £ Packet Log (ftp) - Lt Packet Log (ftp) o - Connection Details: Details: Connection [w] X KFSensor X KFSensor http://www.keyfocus.net http:, nkeyfocus.net R——— w// I Packet History History Packet DDate: ate: 2/20/2020 Time: 1234 56 AM Tme Time Direction Diection SourceIP.IP: 10101013 1010.10.13 123456AM T 123050AM - LTX e Hikiecond 853 Source Poit Port 45260 ServerIP. Server IP. 10101016 10101016 gervm;o;IE gl (ftp) | Bytes a1 0 Data Dala 220 PUBLICO3 FTP Service (Version 5.0 MongoDB-HoneyProxy iAN https://github.com 1ctoc 1ctocs ,\ e i ytes Sent 41 Byte: Reconved: Reconed. 0 Bytes "o > ESPot https://github.com Packet Data: Viewas Modern Honey Network https://github.com https://github.com & lest " hex hex w< | ¢e > | o» HoneyPy https://github.com https://s iesof! icsof! ions.com Copyright © by. All Rights Reserved. Reproductionis Strictly Prohibited. Honeypot Tools Honeypots are security tools that allow the security community to monitor attackers’ tricks and exploits by logging all their activity so that it can respond to such exploits quickly before the attacker can misuse or compromise the system. ®= HoneyBOT Source: https://www.atomicsoftwaresolutions.com HoneyBOT is a medium interaction honeypot for windows. A honeypot creates a safe environment to capture and interact with unsolicited traffic on a network. HoneyBOT is an easy-to-use solution that is ideal for network security research or as part of an earlywarning IDS. Module 07 Page 875 Certified Cybersecurity Technician Copyright © by EG-Council Exam 212-82 Certified Cybersecurity Technician Network Security Controls — Technical Controls £¥ Packet Log (ftp) LY Connection Details: Packet History Date: 2/20/2020 Time: 12:34:56 AM Milisecond: 853 Time Zone: -8:00 Source IP: 10.10.10.13 Source Port: 45260 Server IP: 10.10.10.16 Server Port: 21 (ftp) Protocol: TCP 12:34:56 AM 12.3456 123456AMAM 12:3850AM 123850AM 1% XTX XTX I1 441 0 Data SYN 220 PUBLICO8 FTP Service (Version [Version 5.0). FIN Bytes Sent: 41 Bytes Received: 0 < > Packet Data: Viewasas View (¢ text " hex )| (|>>| Figure 7.85: Screenshot of HoneyBOT Some additional honeypot tools are listed below: =» KFSensor (http.//www.keyfocus.net) (http://www.keyfocus.net) * MongoDB-HoneyProxy (https://github.com) * Modern Honey Network (https.//github.com) (https://github.com) = ESPot (https://github.com) (https.//github.com) * HoneyPy (https.//github.com) (https://github.com) Module 07 Page 876 Certified Cybersecurity Technician Copyright © by EG-Council EC-Council