Title: Honeynets Detecting Insider Threats
Honeynets Detecting Insider Threats
- Kirby Kuehl
- kkuehl_at_honeynet.org
Your Speaker
- Honeynet Project member since 1999.
- Honeynet application beta testing.
- Honeywall CD
- Sebek LKM
- Technical Review of
- Know Your Enemy 2nd Edition
- Cisco Systems since 2000.
- Internal Facing Information Security
- Intrusion Detection and Event correlation
- Internal Security Tools development
- Open Source developer
- http://winfingerprint.sourceforge.net
Insider Definition
- insider n.
- An accepted member of a group.
- One who has special knowledge or access to confidential information.
- Network, System, and Database Administrators
- Employees and Contractors
- Business Partners
How can being an accepted member of the group be used by an insider?
- Leverage existing credentials on valuable systems.
- Sniff clear text protocols to obtain valid credentials.
- Use valid accounts to exploit unpatched local vulnerabilities to escalate privileges.
- System Administrators can obviously access any sensitive information on the machines.
- Companies typically focus on external threats.
- Less secure intranet web applications and databases.
- The ability to share internal data easily is often more important than sharing it securely.
How can an insider leverage existing knowledge?
- Insiders know the location of valuable resources such as financial data and employee records.
- Physical Access.
- Insiders may be aware of company security weaknesses and defenses.
- Familiar with the practices of the Security Team: IDS locations, log rotations, patch cycles, access control lists.
- Take advantage of unpatched remote vulnerabilities and backdoors left open by worms.
Possible Insider Motives
- Financial Gain
- Industrial Espionage
- Intellectual Property
- Sensitive Customer Information
- Sensitive Employee Information
- Identity Theft
- Sabotage
- Disgruntlement
- Employee may be quitting or know they are about to be fired.
- Damage another employee's work.
Should you run an Insider Honeypot?
- Consult your Legal Department.
- Need their support for prosecution and/or termination.
- Company Acceptable Use Policy
- Data Privacy Expectations
- Security team has the authority to sniff traffic, image hard drives, obtain backups, read user email, etc. during an investigation.
- What is considered abuse/misuse?
- Outline abuse of privileges, policy against vulnerability scanning, running sniffers, sharing passwords, etc.
- How will misuse/abuse be handled?
- Employee Termination, Legal Action
How will Forensic Data be handled?
- The Honeynet Project is interested in learning the tools, tactics, and motives of the Blackhat community and is not interested in prosecution.
- How will your company handle forensic data?
- Evidence may have to be presented in a court of law.
- Ensure evidence is not damaged, destroyed, or tainted.
- Preserve Chain of Custody.
Defining an Internal Honeypot
- A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
- Key Honeypot components
- Data Capture
- Capture detailed information of host and network events.
- Data Control
- Ability to limit inbound and outbound connections when a threshold is reached.
- Alerting
- Ability to inform the honeypot administrators when an event is occurring.
Insider Honeypot Types
- Low Interaction
- High Interaction
- Honeynets using the Honeywall CD
- Hotzoning
- Honeytokens
Low-Interaction Insider Honeypots
- Advantages
- Easy to deploy, minimal risk.
- Disadvantages
- Emulated services provide limited interaction, which makes it difficult to determine the real motives of the insider.
- Internal low-interaction honeypots are probably only useful for detecting worms or sweeping vulnerability scans.
- Examples
- Black hole routers advertising dark IP space.
- Arbor Networks whitepaper on sinkholes.
- Specter, KFSensor, Honeyd, and LaBrea.
- Commercial HIDS: Cisco Security Agent, McAfee Entercept, ISS BlackICE.
High-interaction Insider Honeypots
- Insider Honeypots should be deployed in the same IP space as real resources such as development web servers and cvs repositories.
- Advantages
- Provide real operating systems and services, no emulation.
- Insider may interact with real services for a long time, capturing extensive information.
- Any interaction should be considered malicious. It does not have to match an attack signature from an IDS.
- Disadvantages
- Complex to deploy (easier with Honeywall CD), greater risk.
- Tends to capture only insiders who are less familiar with your environment.
- Examples include Symantec Decoy Server and Honeynets.
Honeywall bootable CD-ROM
- Simplifies the deployment, maintenance, and customization of a honeynet.
- Layer 2 bridging firewall (iptables) used to count and limit connections.
- No IP Address
- Does not decrement TTL
- Snort-inline
- Modified version of Snort that accepts packets from iptables instead of libpcap. It then tells iptables whether the packet should be dropped, rejected, modified, or allowed to pass based on a Snort rule set.
- Also used for alerting
- Sebek_extract
- Server component of Sebek (kernel-module-based logger) data capture
- http://www.honeynet.org/tools/cdrom/
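Added example (not the Honeywall CD's code and not from the presentation): the data control and alerting components listed on the "Defining an Internal Honeypot" slide, as the Honeywall's iptables connection counting and limiting implements them, modelled in Python over constructed connection records so the logic can be run offline. The honeypot address 10.1.1.200, the limit of 3 outbound connections per hour, and the event sequence are assumptions chosen to keep the run short; they are not Honeywall defaults.

```python
"""Data control and alerting for an internal honeynet, modelled in Python.

Added example: this is not the Honeywall CD's code. The Honeywall enforces
its limits with iptables on a layer 2 bridge and alerts through snort-inline;
here the same policy (count connections initiated by each honeypot, drop new
outbound connections once a per-window threshold is reached, alert on every
contact with a honeypot) is applied to constructed connection records.
The limit of 3 per hour is an assumed value, not the Honeywall default.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Connection:
    ts: int      # seconds since epoch (constructed values)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class DataControl:
    honeypots: set               # addresses of the honeypots behind the bridge
    limit: int = 3               # outbound connections allowed per window (assumed)
    window: int = 3600           # window length in seconds
    alerts: list = field(default_factory=list)
    blocked: list = field(default_factory=list)
    _starts: dict = field(default_factory=lambda: defaultdict(list))

    def handle(self, c: Connection) -> str:
        """Decide ACCEPT or DROP for one new connection and record alerts."""
        where = f"{c.src} -> {c.dst}:{c.dport}/{c.proto}"
        if c.dst in self.honeypots and c.src not in self.honeypots:
            # Nobody has a legitimate reason to touch a honeypot: always alert,
            # but let the connection through so the insider keeps interacting.
            self.alerts.append(f"INBOUND {where}")
            return "ACCEPT"
        if c.src in self.honeypots:
            # Keep only the connection start times still inside the window.
            recent = [t for t in self._starts[c.src] if c.ts - t < self.window]
            self._starts[c.src] = recent
            if len(recent) >= self.limit:
                # Threshold reached: the honeypot may be attacking others. Drop.
                self.blocked.append(c)
                self.alerts.append(
                    f"LIMIT {c.src} reached {self.limit} outbound per "
                    f"{self.window}s, dropping {where}")
                return "DROP"
            recent.append(c.ts)
            if len(recent) == 1:
                # First outbound connection in the window: a honeypot that
                # initiates traffic has usually been compromised.
                self.alerts.append(f"OUTBOUND {where}")
            return "ACCEPT"
        return "ACCEPT"  # traffic not involving a honeypot is not our concern


def simulate():
    """Run a constructed sequence of connections through the controller."""
    dc = DataControl(honeypots={"10.1.1.200"})
    events = [
        Connection(0, "10.1.1.50", "10.1.1.200", "tcp", 22),      # insider probes honeypot
        Connection(10, "10.1.1.200", "192.0.2.10", "tcp", 80),    # honeypot starts talking out
        Connection(20, "10.1.1.200", "192.0.2.11", "tcp", 80),
        Connection(30, "10.1.1.200", "192.0.2.12", "tcp", 80),
        Connection(40, "10.1.1.200", "192.0.2.13", "tcp", 80),    # 4th within the hour: dropped
        Connection(4000, "10.1.1.200", "192.0.2.14", "tcp", 80),  # new window: allowed again
    ]
    verdicts = [dc.handle(e) for e in events]
    return verdicts, dc


if __name__ == "__main__":
    v, dc = simulate()
    print(v)
    for a in dc.alerts:
        print(a)
```

Two design points carry over to the real Honeywall: inbound connections are never blocked, because the whole value of the honeypot is in letting the insider keep going, and the outbound limit is the only thing standing between a compromised honeypot and the rest of the intranet, so it has to be counted per honeypot and per window, not globally.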
Honeywall CD / Honeynet Diagram
Hot Zoning
- Divert traffic destined for unused services on production systems to an internal honeypot.
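Added example, not from the presentation: a generator for the gateway iptables rules that implement hot zoning. The production hosts and the ports they serve, the honeypot address 10.1.1.200, and the candidate port list are constructed for the example.

```python
"""Hot zoning rule generator: divert traffic aimed at ports a production host
does not serve to an internal honeypot.

Added example, not code from the presentation or the Honeynet Project. It
emits iptables rules for a gateway that routes traffic into the production
segment; the hosts, ports and honeypot address are constructed. Only ports
absent from a host's inventory are diverted, so legitimate services are never
touched, and every diverted connection is logged so it can feed alerting.
"""

# Ports worth diverting when a host does not use them: commonly probed
# services an insider scanning the segment would expect to find.
CANDIDATE_PORTS = {21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3306, 3389}


def hotzone_rules(production, honeypot, candidates=CANDIDATE_PORTS):
    """Return iptables commands (as strings) for the gateway.

    production: {host_ip: set(ports legitimately served by that host)}
    honeypot:   address of the internal high-interaction honeypot
    """
    rules = []
    for host, used in sorted(production.items()):
        for port in sorted(set(candidates) - set(used)):
            match = f"-d {host} -p tcp --dport {port}"
            # Log the diverted connection; the nat table only sees the first
            # packet of a flow, so this logs once per connection.
            rules.append(f"iptables -t nat -A PREROUTING {match} "
                         f"-j LOG --log-prefix 'HOTZONE {host}:{port} '")
            # Rewrite the destination so the honeypot answers in the host's place.
            rules.append(f"iptables -t nat -A PREROUTING {match} "
                         f"-j DNAT --to-destination {honeypot}:{port}")
    return rules


def diverted_ports(production, candidates=CANDIDATE_PORTS):
    """Which ports end up on the honeypot for each host; handy for review."""
    return {h: sorted(set(candidates) - set(u)) for h, u in production.items()}


if __name__ == "__main__":
    # Constructed inventory: a dev web server and a cvs box on 10.1.1.0/24.
    inventory = {"10.1.1.5": {22, 80, 443}, "10.1.1.6": {22, 2401}}
    for r in hotzone_rules(inventory, "10.1.1.200"):
        print(r)
```

Two caveats a practitioner will hit: the rules only apply to traffic that crosses the gateway, so an insider on the same segment as the production host reaches it directly and is not diverted; and the honeypot must actually listen on, or at least capture, every port that is diverted, otherwise the insider sees a refused connection from a host that should have been "closed" in the first place.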
Honeytokens
- Fake resources placed among legitimate ones, used for detecting and tracking insider interaction.
- Items that should not normally be accessed.
- Fake documents: fake source code, Microsoft Word and Excel documents.
- Bogus SSN or CC numbers
- Emails
- Login and password. Example: testtest
- Ability to send notification when accessed.
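Added example, not from the presentation: honeytoken hit detection run over constructed log lines, the "send notification when accessed" step of the slide. The tokens (account jdoe-admin, document acquisition_targets.xls, SSN 000-12-3456) and the web, sshd and mail gateway log lines are made up for the example.

```python
"""Honeytoken hit detection over log lines.

Added example, not code from the presentation. The tokens and the log lines
are constructed: a bogus account name, a fake spreadsheet that exists only to
be found, and an SSN in a range that is never issued. Any appearance of a
token in a log is treated as an alert, because legitimate activity never
touches a honeytoken; the source address is pulled out when the line has one.
"""
import re

# Constructed honeytokens. Each entry: label -> literal to look for.
TOKENS = {
    "bogus account": "jdoe-admin",
    "fake document": "acquisition_targets.xls",
    "bogus SSN": "000-12-3456",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed log lines: an intranet web server access log, an sshd auth
# log and a mail gateway log. The first, second and fourth contain tokens.
SAMPLE_LOGS = [
    '10.1.1.50 - - [12/Mar/2005:10:14:22 -0600] "GET /finance/acquisition_targets.xls HTTP/1.1" 200 48231',
    "Mar 12 10:15:03 devsrv sshd[4121]: Accepted password for jdoe-admin from 10.1.1.50 port 51022 ssh2",
    '10.1.1.77 - - [12/Mar/2005:10:20:01 -0600] "GET /index.html HTTP/1.1" 200 1203',
    "Mar 12 10:31:55 mailgw smtpd[880]: outbound message from bob@corp.example contains 000-12-3456",
]


def scan(lines, tokens=TOKENS):
    """Return one alert per (line, token) hit, in log order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for label, literal in tokens.items():
            if literal in line:
                m = IP_RE.search(line)
                alerts.append({
                    "line": n,
                    "token": label,
                    "source": m.group(0) if m else None,   # None when the log has no address
                    "evidence": line.strip(),
                })
    return alerts


def by_source(alerts):
    """Group hits by source address so one insider's activity reads as a sequence."""
    out = {}
    for a in alerts:
        out.setdefault(a["source"], []).append(a["token"])
    return out


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for h in hits:
        print(f"line {h['line']}: {h['token']} from {h['source']}: {h['evidence']}")
    print(by_source(hits))
```

The literals have to be unique enough that they cannot appear in legitimate traffic (a token like "test" will page you constantly), and file honeytokens only produce a line to scan if the file server or web server logs access to them, so enabling that auditing is part of planting the token.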
http://www.honeynet.org
Question and Answer Session
- Kirby Kuehl
- <kkuehl_at_honeynet.org>