    NoSEBrEaK - Attacking Honeynets

    It is usually assumed that Honeynets are hard to detect and that attempts to detect or disable them can be unconditionally monitored. We scrutinize this assumption and demonstrate a method by which a host in a honeynet can be completely controlled by an attacker without any substantial logging taking place.

    Modelling the costs and benefits of Honeynets

    For many IT-security measures, exact costs and benefits are not known. This makes it difficult to allocate resources optimally across different security measures. We present a model for the costs and benefits of so-called Honeynets, which can foster informed reasoning about the deployment of honeynet technology.
    Comment: presented at the "Third Annual Workshop on Economics and Information Security" 2004 (WEIS04).

    Profiling Behavior of Intruders on Enterprise Honeynet: Deployment and Analysis

    Network and information security continues to be one of the largest areas requiring greater attention and improvement over the current state of infrastructure within enterprise information systems. Intruders to enterprise networks are no longer just hacking for fun or to show off their programming skills; rather, they are now doing it for profit. As a result, developing profiles of the behavior of intruders trespassing upon business information systems within an enterprise networking environment has recently become a primary focus of cyber-security research. In the proposed on-going project, we deploy a novel honeynet system using advanced virtualization technologies in order to collect the forensic evidence of an attack, by allowing attackers to interact with compromised computers in a real enterprise network. We then analyze the behavior of intruders in order to investigate and compare their hidden linkages with enterprise networks and the attackers' potential group structures, including attributes such as geographic distribution and service communities, thus providing strategies for enterprise-network administrators to stay protected against malicious attacks from external intruders. Preliminary results of the proposed research are very promising: intruders' behaviors over one month were distributed across over 60 different countries, and our work showed that the most popular service intruders interact with is HTTP, the Web itself.

    A Study of Cryptographic Information-Protection Tools in the Payment Systems of Ukrainian Banks


    Deep Down the Rabbit Hole: On References in Networks of Decoy Elements

    Deception technology has proven to be a sound approach against threats to information systems. Aside from well-established honeypots, decoy elements, also known as honeytokens, are an excellent method to address various types of threats. Decoy elements cause distraction and uncertainty for an attacker and help detect malicious activity. Deception is meant to complement firewalls and intrusion detection systems. Insider threats in particular may be mitigated with deception methods. While current approaches consider the use of multiple decoy elements as well as context-sensitivity, they do not sufficiently describe a relationship between individual elements. In this work, inter-referencing decoy elements are introduced as a plausible extension to existing deception frameworks, leading attackers along a path of decoy elements. A theoretical foundation is introduced, as well as a stochastic model and a reference implementation. It was found that the proposed system is suitable to enhance current decoy frameworks by adding a further dimension of inter-connectivity and therefore to improve intrusion detection and prevention.

    Web attack risk awareness with lessons learned from high interaction honeypots

    Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2009.
    With the evolution of web 2.0, the majority of enterprises conduct their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties directly affects the business, putting it at risk. Risk awareness provides the know-how needed to act on its mitigation. In this thesis a collection of high-interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provides the forensic information that helps the research community to study the modus operandi of the attacker, gathering the latest exploits and malicious tools, and to develop adequate safeguards that deal with the majority of attack techniques. Using the detailed attack information gathered with the web honeypots, the attacking behaviour is classified into different attack profiles in order to analyse the risk mitigation safeguards needed to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits that the security concepts behind honeypots bring in responding to each framework's requirements and consequently mitigating the risk.

    Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach

    To investigate the exploitation and contamination by self-propagating Internet worms, a provenance-aware tracing mechanism is highly desirable. Provenance unawareness causes difficulties in fast and accurate identification of a worm's break-in point (namely, a remotely-accessible vulnerable service running in the infected host), and incurs significant log data inspection overhead. This paper presents the design, implementation, and evaluation of process coloring, an efficient provenance-aware approach to worm break-in and contamination tracing. More specifically, process coloring assigns a "color", a unique system-wide identifier, to each remotely-accessible server or process. The color is then either inherited by spawned child processes or diffused indirectly through process actions (e.g., read or write operations). Process coloring brings two major advantages: (1) it enables fast color-based identification of the break-in point exploited by a worm even before detailed log analysis; (2) it naturally partitions log data according to their associated colors, effectively reducing the volume of log data that needs to be examined and, correspondingly, the log processing overhead for worm investigation. A tamper-resistant log collection method is developed based on the virtual machine introspection technique. Our experiments with a number of real-world worms demonstrate the advantages of process coloring. For example, to reveal detaile