Towards a Virtual Machine Introspection Based Multi-Service, Multi-Architecture, High-Interaction Honeypot for IOT Devices

Internet of Things (IoT) devices are quickly growing in adoption. The use case for IoT devices runs the gamut from household applications (such as toasters, lighting, and thermostats) to medical, battlefield, or Industrial Control System (ICS) applications that are used in life or death situations. A disturbing trend for IoT devices is that they are not developed with security in mind. This lack of security has led to the creation of massive botnets that are used for nefarious acts. To address these issues, it’s important to have a good understanding of the threat landscape that IoT devices face. A commonly used security control to monitor and gain insight into threats is a honeypot. This research explores the creation of a VMI-based high-interaction honeypot for IoT devices that is capable of monitoring multiple services simultaneously

Wide spectrum attribution: Using deception for attribution intelligence in cyber attacks

Modern cyber attacks have evolved considerably. The skill level required to conduct a cyber attack is low. Computing power is cheap, targets are diverse and plentiful. Point-and-click crimeware kits are widely circulated in the underground economy, while source code for sophisticated malware such as Stuxnet is available for all to download and repurpose. Despite decades of research into defensive techniques, such as firewalls, intrusion detection systems, anti-virus, code auditing, etc, the quantity of successful cyber attacks continues to increase, as does the number of vulnerabilities identified. Measures to identify perpetrators, known as attribution, have existed for as long as there have been cyber attacks. The most actively researched technical attribution techniques involve the marking and logging of network packets. These techniques are performed by network devices along the packet journey, which most often requires modification of existing router hardware and/or software, or the inclusion of additional devices. These modifications require wide-scale infrastructure changes that are not only complex and costly, but invoke legal, ethical and governance issues. The usefulness of these techniques is also often questioned, as attack actors use multiple stepping stones, often innocent systems that have been compromised, to mask the true source. As such, this thesis identifies that no publicly known previous work has been deployed on a wide-scale basis in the Internet infrastructure. This research investigates the use of an often overlooked tool for attribution: cyber de- ception. The main contribution of this work is a significant advancement in the field of deception and honeypots as technical attribution techniques. Specifically, the design and implementation of two novel honeypot approaches; i) Deception Inside Credential Engine (DICE), that uses policy and honeytokens to identify adversaries returning from different origins and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive honeynet framework that uses actor-dependent triggers to modify the honeynet envi- ronment, to engage the adversary, increasing the quantity and diversity of interactions. The two approaches are based on a systematic review of the technical attribution litera- ture that was used to derive a set of requirements for honeypots as technical attribution techniques. Both approaches lead the way for further research in this field

Evolving IoT honeypots

The Internet of Things (IoT) is the emerging world where arbitrary objects from our everyday lives gain basic computational and networking capabilities to become part of the Internet. Researchers are estimating between 25 and 35 billion devices will be part of Internet by 2022. Unlike conventional computers where one hardware platform (Intel x86) and three operating systems (Windows, Linux and OS X) dominate the market, the IoT landscape is far more heterogeneous. To meet the growth demand the number of The System-on-Chip (SoC) manufacturers has seen a corresponding exponential growth making embedded platforms based on ARM, MIPS or SH4 processors abundant. The pursuit for market share is further leading to a price war and cost-cutting ultimately resulting in cheap systems with limited hardware resources and capabilities. The frugality of IoT hardware has a domino effect. Due to resource constraints vendors are packaging devices with custom, stripped-down Linux-based firmwares optimized for performing the device’s primary function. Device management, monitoring and security features are by and far absent from IoT devices. This created an asymmetry favouring attackers and disadvantaging defenders. This research sets out to reduce the opacity and identify a viable strategy, tactics and tooling for gaining insight into the IoT threat landscape by leveraging honeypots to build and deploy an evolving world-wide Observatory, based on cloud platforms, to help with studying attacker behaviour and collecting IoT malware samples. The research produces useful tools and techniques for identifying behavioural differences between Medium-Interaction honeypots and real devices by replaying interactive attacker sessions collected from the Honeypot Network. The behavioural delta is used to evolve the Honeypot Network and improve its collection capabilities. Positive results are obtained with respect to effectiveness of the above technique. Findings by other researchers in the field are also replicated. The complete dataset and source code used for this research is made publicly available on the Open Science Framework website at https://osf.io/vkcrn/.Thesis (MSc) -- Faculty of Science, Computer Science, 202

Insider Threat Detection on the Windows Operating System using Virtual Machine Introspection

Existing insider threat defensive technologies focus on monitoring network traffic or events generated by activities on a user\u27s workstation. This research develops a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. Six core use cases are developed along with eighteen supporting scenarios. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated through the use of two data sets, one containing simulated normal and malicious insider user behavior and the second from a computer network operations exercise. Compiled Memory Analysis Tool - Virtual (CMAT-V) and Xen hypervisor capabilities are leveraged to perform VMI and insider threat detection. Results of the research show the developed methodology is effective in detecting all defined malicious insider scenarios used in this research on Windows guests

A Novel SDN based Stealthy TCP Connection Handover Mechanism for Hybrid Honeypot Systems

Honeypots have been largely used to capture and investigate malicious behavior through deliberately sacrificing their own resources in order to be attacked. Hybrid honeypot architectures consisting of frontends and backends are widely used in the research area, specially due to the benefits of their high scalability and fidelity for detailed attacking data collection. A hybrid honeypot system often needs a facility aimed to tightly control the network traffic, for purposes such as redirecting the traffic from the frontends to the backends for in-depth attack analysis. However, the current traffic redirection approaches, particularly the TCP connection handover mechanisms, are not stealthy and they can be easily detected by attackers.This paper proposes an SDN based network data controller for hybrid honeypot systems that uses a transparent TCP connection handover mechanism and provides a traffic filtering approach based on the Snort alert functionality. The controller is implemented as an application based on the open-source Ryu SDN framework. It allows the users to configure their own network data control rules, which based on the Snort alert messages will forward or redirect the traffic to the corresponding honeypots. The experiments validate the proposed mechanism and the testing results show that the controller can efficiently perform the stealthy TCP connection handover as well

Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor—are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends

High-Fidelity Provenance:Exploring the Intersection of Provenance and Security

In the past 25 years, the World Wide Web has disrupted the way news are disseminated and consumed. However, the euphoria for the democratization of news publishing was soon followed by scepticism, as a new phenomenon emerged: fake news. With no gatekeepers to vouch for it, the veracity of the information served over the World Wide Web became a major public concern. The Reuters Digital News Report 2020 cites that in at least half of the EU member countries, 50% or more of the population is concerned about online fake news. To help address the problem of trust on information communi- cated over the World Wide Web, it has been proposed to also make available the provenance metadata of the information. Similar to artwork provenance, this would include a detailed track of how the information was created, updated and propagated to produce the result we read, as well as what agents—human or software—were involved in the process. However, keeping track of provenance information is a non-trivial task. Current approaches, are often of limited scope and may require modifying existing applications to also generate provenance information along with thei regular output. This thesis explores how provenance can be automatically tracked in an application-agnostic manner, without having to modify the individual applications. We frame provenance capture as a data flow analysis problem and explore the use of dynamic taint analysis in this context. Our work shows that this appoach improves on the quality of provenance captured compared to traditonal approaches, yielding what we term as high-fidelity provenance. We explore the performance cost of this approach and use deterministic record and replay to bring it down to a more practical level. Furthermore, we create and present the tooling necessary for the expanding the use of using deterministic record and replay for provenance analysis. The thesis concludes with an application of high-fidelity provenance as a tool for state-of-the art offensive security analysis, based on the intuition that software too can be misguided by "fake news". This demonstrates that the potential uses of high-fidelity provenance for security extend beyond traditional forensics analysis

Honeypots in the age of universal attacks and the Internet of Things

Today's Internet connects billions of physical devices. These devices are often immature and insecure, and share common vulnerabilities. The predominant form of attacks relies on recent advances in Internet-wide scanning and device discovery. The speed at which (vulnerable) devices can be discovered, and the device monoculture, mean that a single exploit, potentially trivial, can affect millions of devices across brands and continents. In an attempt to detect and profile the growing threat of autonomous and Internet-scale attacks against the Internet of Things, we revisit honeypots, resources that appear to be legitimate systems. We show that this endeavour was previously limited by a fundamentally flawed generation of honeypots and associated misconceptions. We show with two one-year-long studies that the display of warning messages has no deterrent effect in an attacked computer system. Previous research assumed that they would measure individual behaviour, but we find that the number of human attackers is orders of magnitude lower than previously assumed. Turning to the current generation of low- and medium-interaction honeypots, we demonstrate that their architecture is fatally flawed. The use of off-the-shelf libraries to provide the transport layer means that the protocols are implemented subtly differently from the systems being impersonated. We developed a generic technique which can find any such honeypot at Internet scale with just one packet for an established TCP connection. We then applied our technique and conducted several Internet-wide scans over a one-year period. By logging in to two SSH honeypots and sending specific commands, we not only revealed their configuration and patch status, but also found that many of them were not up to date. As we were the first to knowingly authenticate to honeypots, we provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe computer-misuse laws. Lastly, we present honware, a honeypot framework for rapid implementation and deployment of high-interaction honeypots. Honware automatically processes a standard firmware image and can emulate a wide range of devices without any access to the manufacturers' hardware. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit vulnerabilities at Internet scale in a world of ubiquitous networked `things'.Premium Research Studentship, Department of Computer Science and Technology, University of Cambridg

Leveraging Software-Defined Networking and Virtualization for a One-to-One Client-Server Model

Modern computer networks allow server resources to be shared. While this multiplexing is the unsung hero of scalability and performance, the fact that clients are sharing resources and each client’s network traffic is transmitted in a larger pool of the total network traffic, poses distinct challenges for security. By adopting multiplexing so broadly, the networking and systems communities have implicitly favored performance over security. When servers multiplexing clients are compromised, the attack is able to spread by exploiting unsuspecting clients sharing the resource. Drive-by-downloads are an example of an attack where a Web server is compromised and begins distributing malware to connecting clients. As a result of using today’s many-to-one client-server network model, current approaches are inadequate at protecting the network and its resources. We propose a redesign of the modern network infrastructure. Our approach involves moving from the current many-to-one client-server model to a one-to-one client-server model. In redesigning the network, we provide a means of better accountability for traffic between clients and servers. With accountability, we enable the ability to quickly determine which client is responsible for an attack. This allows us to quickly repair the affected entities. To accomplish this accountability, we separate each client’s communication into separate flows. A flow is identified by various network features, such as IP addresses and ports. Further, instead of allowing multiple clients to be multiplexed at the same server, we use a technique that allows each client to communicate with a server that is logically separate from all other clients. Accordingly, a server compromise only effects a single client. We create a one-to-one client-server model using virtualization techniques and OpenFlow, a software-defined network (SDN) protocol. We complete our model in three phases. In the first, we deploy a physical SDN using physical machines and a commodity network switch that supports OpenFlow to gain an initial understanding of SDNs. The next phase involves implementation of Choreographer, a DNS access control mechanism, in a virtualized SDN environment for better scalability over our physical configuration. Finally, we leverage Choreographer to dynamically instantiate a server for each client and create network flows that allow a client to reach the requested server