
    Web attack risk awareness with lessons learned from high interaction honeypots

    Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2009.

    With the evolution of web 2.0, most enterprises conduct business over the Internet using web applications. These applications hold important data with crucial requirements such as confidentiality, integrity and availability. The loss of these properties directly affects the business, putting it at risk. Risk awareness provides the knowledge needed to act towards its mitigation. In this thesis a collection of high-interaction web honeypots was built using diverse applications and operating systems to analyse attacker behaviour. The use of virtualization environments, together with widely used honeypot monitoring tools, provides the forensic information needed to help the research community study the attacker's modus operandi, storing the latest exploits and malicious tools, and to develop the protective measures that deal with the majority of attack techniques. Using the detailed attack information obtained with the web honeypots, attacker behaviour is classified into different attack profiles so that the risk mitigation measures dealing with business losses can be analysed. Different security frameworks are analysed to evaluate the benefits that the basic security concepts of honeypots can bring in responding to each one's requirements and the consequent risk mitigation.

    With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties directly influences the business, putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. In this thesis a collection of high-interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provides the necessary forensic information that helps the research community to study the modus operandi of the attacker, gathering the latest exploits and malicious tools, and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour is classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypot security concepts in responding to each framework’s requirements and consequently mitigating the risk.

    Citrus:Orchestrating Security Mechanisms via Adversarial Deception

    Despite the Internet being an apex of human achievement for many years, sophisticated targeted attacks are becoming more prevalent than ever before. Large-scale data collection using threat sources such as honeypots has recently been employed to gather information relating to these attacks. While this data naturally details attack properties, there exist challenges in extracting the relevant information from vast data sets to provide valuable insight and a standard description of the attack. Traditionally, threats are identified through the use of signatures that are crafted manually through the composition of IOCs (Indicators of Compromise) extracted from telemetry captured during an attack process, which is often administered by an experienced engineer. These signatures have proven effective in their use by IDSs (Intrusion Detection Systems) to detect emerging threats. However, little research has been done on automating the extraction of emerging IOCs and the generation of corresponding signatures which incorporate host artefacts. In this paper we present Citrus: a novel approach to the generation of signatures by incorporating host-based telemetry extracted from honeypot endpoints. Leveraging this visibility at an endpoint grants a detailed understanding of bleeding-edge attack tactics, techniques, and procedures gathered from host logs.

    BEHAVIORAL CHARACTERIZATION OF ATTACKS ON THE REMOTE DESKTOP PROTOCOL

    The Remote Desktop Protocol (RDP) is popular for enabling remote access and administration of Windows systems; however, attackers can take advantage of RDP to cause harm to critical systems using it. Detection and classification of RDP attacks is a challenge because most RDP traffic is encrypted, and it is not always clear which connections to a system are malicious after manual decryption of RDP traffic. In this research, we used open-source tools to generate and analyze RDP attack data using a power-grid honeypot under our control. We developed methods for detecting and characterizing RDP attacks through malicious signatures, Windows event log entries, and network traffic metadata. Testing and evaluation of our characterization methods on actual attack data collected by four instances of our honeypot showed that we could effectively delineate benign and malicious RDP traffic and classify the severity of RDP attacks on unprotected or misconfigured Windows systems. The classification of attack patterns and severity levels can inform defenders of adversarial behavior in RDP attacks. Our results can also help protect national critical infrastructure, including Department of Defense systems.

    DOE, Washington DC 20805. Civilian, SFS. Approved for public release. Distribution is unlimited.

    An Automated Methodology for Validating Web Related Cyber Threat Intelligence by Implementing a Honeyclient

    This work contributes to the cyber defence field by offering an alternative way to keep a threat intelligence database up to date. Websites are exploited as a way to deliver malicious code to the victim. After a website is classified as malicious, it is added to the threat intelligence database as a malicious indicator. Eventually such databases become large and contain outdated entries. The solution is to automate the checking of outdated entries with honeyclient software, and the whole process can be fully automated with the aim of saving time. Hunting with checked and confirmed indicators helps avoid handling cyber security incidents on false grounds.

    This paper contributes to the open source cybersecurity community by providing an alternative methodology for analyzing web-related cyber threat intelligence. Websites are commonly used as an attack vector to spread malicious content crafted by any malicious party. These websites become threat intelligence which can be stored and collected into corresponding databases. Eventually these cyber threat databases become obsolete and can lead to false positive investigations in cyber incident response. The solution is to keep the threat indicator entries valid by verifying their content, and this process can be fully automated to make it less time consuming. The proposed technical solution is a low-interaction honeyclient regularly tasked to verify the content of the web-based threat indicators. Given the huge number of database entries, most of the web-based threat indicators can in this way be validated automatically with less time consumption; they can be kept relevant for monitoring purposes and eventually help avoid false positives in incident response processes.

    A traffic classification method using machine learning algorithm

    Applying concepts of attack investigation in the IT industry, this idea has been developed to design a traffic classification method using data mining techniques at the intersection of machine learning algorithms, which will classify normal and malicious traffic. This classification will help to learn about the unknown attacks faced by the IT industry. The notion of traffic classification is not a new concept; plenty of work has been done to classify network traffic for heterogeneous applications. Existing techniques (payload-based, port-based and statistics-based) have their own pros and cons, which will be discussed later in this literature, but classification using machine learning techniques is still an open field to explore and has provided very promising results up to now.

    Securing Distributed Computer Systems Using an Advanced Sophisticated Hybrid Honeypot Technology

    Computer system security is the fastest developing segment of information technology. The conventional approach to system security is mostly aimed at protecting the system, while current trends are focusing on more aggressive forms of protection against potential attackers and intruders. One of these forms of protection is the application of advanced technology based on the principle of baits: honeypots. Honeypots are specialized devices aimed at slowing down or diverting the attention of attackers from critical system resources to allow later examination of the methods and tools used by the attackers. Currently, most honeypots are configured and managed statically. This paper deals with the design of a sophisticated hybrid honeypot and its properties with the aim of enhancing computer system security. The architecture of a sophisticated hybrid honeypot is represented by a single device capable of adapting to a constantly changing environment by using active and passive scanning techniques, which mitigate the disadvantages of low-interaction and high-interaction honeypots. The low-interaction honeypot serves as a proxy for multiple IP addresses and filters out traffic beyond concern, while the high-interaction honeypot provides an optimum level of interaction. The proposed architecture, employing the prototype of a hybrid honeypot featuring autonomous operation, should represent a security mechanism minimizing the disadvantages of intrusion detection systems and can be used as a solution to rapidly increase the security of a distributed computer system, both autonomously and in real time.

    Determining the effectiveness of deceptive honeynets

    Over the last few years, incidents of network-based intrusions have rapidly increased, due to the growing availability and popularity of attack tools easily downloadable from the Internet. In response to this increase in intrusions, the concept of a network defence known as honeypots developed. These honeypots are designed to ensnare attackers and monitor their activities. Honeypots use principles of deception such as masking, mimicry, decoying, inventing, repackaging and dazzling to deceive attackers. Deception exists in various forms. It is a tactic to survive and defeat the motives of attackers. Due to its presence in nature, deception has been widely used during wars and now in information systems. This thesis considers the current state of honeypot technology and describes a framework for improving the effectiveness of honeypots through the effective use of deception. In this research, a legitimate-looking corporate deceptive network is created using Honeyd (a type of honeypot), which is attacked and improved using an empirical learning approach. The data collected during the attacking exercise were analysed, using various measures, to determine the effectiveness of the deception in the honeypot network created using Honeyd. The results indicate that the attackers were deceived into believing the honeynet was a real network when it was in fact a deceptive network.

    Honeypots: Why We Need A Dynamics Honeypots?

    Honeypots have emerged to become a great tool for administrators to track down intruders, prevent attacks by intruders and log all the activity carried out by the intruder.