Honeynets Detecting Insider Threats - PowerPoint PPT Presentation

About This Presentation
Title:

Honeynets Detecting Insider Threats

Description:

How will Forensic Data be handled? ... How will your company handle forensic data? Evidence may have to be presented in a court of law. ...

Slides: 18
Provided by: Christin574

Transcript and Presenter's Notes

1
Honeynets Detecting Insider Threats
  • Kirby Kuehl
  • kkuehl@honeynet.org

2
Your Speaker
  • Honeynet Project member since 1999.
    • Honeynet application beta testing.
      • Honeywall CD
      • Sebek LKM
    • Technical Review of Know Your Enemy, 2nd Edition
  • Cisco Systems since 2000.
    • Internal Facing Information Security
      • Intrusion Detection and Event Correlation
      • Internal Security Tools Development
  • Open Source developer
    • http://winfingerprint.sourceforge.net

3
Insider Definition
  • insider n.
    • An accepted member of a group.
    • One who has special knowledge or access to
      confidential information.
  • Network, System, and Database Administrators
  • Employees and Contractors
  • Business Partners

4
How can being an accepted member of the group be
used by an insider?
  • Leverage existing credentials on valuable
    systems.
  • Sniff clear text protocols to obtain valid
    credentials.
  • Use valid accounts to exploit unpatched local
    vulnerabilities to escalate privileges.
  • System Administrators can obviously access any
    sensitive information on the machines.
  • Companies typically focus on external threats.
  • Less secure intranet web applications and
    databases.
  • The ability to share internal data easily is often
    more important than sharing data securely.

5
How can an insider leverage existing knowledge?
  • Insiders know the location of valuable resources
    such as financial data and employee records.
  • Physical Access.
  • Insiders may be aware of company security
    weaknesses and defenses.
  • Familiar with the practices of the Security Team,
    IDS Locations, log rotations, patch cycles,
    access control lists.
  • Take advantage of unpatched remote
    vulnerabilities and backdoors left open by worms.

6
Possible Insider Motives
  • Financial Gain
  • Industrial Espionage
  • Intellectual Property
  • Sensitive Customer Information
  • Sensitive Employee Information
  • Identity Theft
  • Sabotage
  • Disgruntlement
  • Employee may be quitting or know they are about
    to be fired.
  • Damage another employee's work.

7
Should you run an Insider Honeypot?
  • Consult your Legal Department.
    • Need their support for prosecution and/or
      termination.
  • Company Acceptable Use Policy
    • Data Privacy Expectations
      • Security team has the authority to sniff traffic,
        image hard drives, obtain backups, read user
        email, etc. during an investigation.
    • What is considered abuse/misuse?
      • Outline abuse of privileges, policy against
        vulnerability scanning, running sniffers, sharing
        passwords, etc.
    • How will misuse/abuse be handled?
      • Employee Termination, Legal Action

8
How will Forensic Data be handled?
  • The Honeynet Project is interested in learning
    the tools, tactics, and motives of the Blackhat
    community and is not interested in prosecution.
  • How will your company handle forensic data?
  • Evidence may have to be presented in a court of
    law.
  • Ensure Evidence is not damaged, destroyed, or
    tainted
  • Preserve Chain of Custody

9
Defining an Internal Honeypot
  • A Honeypot is an information system resource
    whose value lies in unauthorized or illicit use
    of that resource.
  • Key Honeypot components
    • Data Capture
      • Capture detailed information of host and network
        events.
    • Data Control
      • Ability to limit inbound and outbound connections
        when a threshold is reached.
    • Alerting
      • Ability to inform the honeypot administrators
        when an event is occurring.

10
Insider Honeypot Types
  • Low Interaction
  • High Interaction
  • Honeynets using the Honeywall CD
  • Hotzoning
  • Honeytokens

11
Low-Interaction Insider Honeypots
  • Advantages
    • Easy to deploy, minimal risk
  • Disadvantages
    • Emulated services provide limited interaction,
      which makes it difficult to determine the real
      motives of the insider.
    • Internal low-interaction honeypots are probably
      only useful for detecting worms or sweeping
      vulnerability scans.
  • Examples
    • Black hole routers advertising dark IP space.
      • Arbor Networks Whitepaper on Sinkholes
    • Specter, KFSensor, Honeyd, and LaBrea.
    • Commercial HIDS: Cisco Security Agent, McAfee
      Entercept, ISS BlackICE.

12
High-interaction Insider Honeypots
  • Insider Honeypots should be deployed in the same
    IP space as real resources such as development
    web servers and CVS repositories.
  • Advantages
    • Provide real operating systems and services, no
      emulation.
    • Insider may interact with real services for a
      long time, capturing extensive information.
    • Any interaction should be considered malicious.
      Does not have to match an attack signature from
      an IDS.
  • Disadvantages
    • Complex to deploy (easier with Honeywall CD),
      greater risk.
    • Captures insiders less familiar with your
      environment.
  • Examples include Symantec Decoy and Honeynets.

13
Honeywall bootable CD-ROM
  • Simplifies the deployment, maintenance, and
    customization of a honeynet.
  • Layer 2 bridging firewall (iptables) used to
    count and limit connections.
    • No IP Address
    • Doesn't decrement TTL
  • Snort-inline
    • Modified version of Snort that accepts packets
      from iptables instead of libpcap. It then tells
      iptables whether the packet should be dropped,
      rejected, modified, or allowed to pass based on a
      Snort rule set.
    • Also used for alerting
  • Sebek_extract
    • Server component of Sebek (kernel-module-based
      logger) data capture
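As an added example (not code from the talk or from the Honeywall project): a small Python model of the data-control and alerting components defined on slide 9, as the Honeywall's bridging firewall applies them on slide 13, counting outbound connections per honeypot and protocol and dropping them once a per-window limit is crossed. The limits, the window length and the sample events are assumed values constructed for this demonstration, not the Honeywall's own defaults.

```python
from collections import defaultdict

# Added example: Honeywall-style data control (count outbound connections
# per honeypot and protocol, drop once the per-window limit is reached)
# plus the alert that fires when the threshold is crossed. The limits and
# window below are hypothetical values chosen for the demonstration.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 10}
WINDOW_SECONDS = 3600


class DataControl:
    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self.counts = defaultdict(int)   # (honeypot, proto) -> connections this window
        self.window_start = {}           # (honeypot, proto) -> start time of window
        self.alerts = []                 # messages for the honeypot administrators

    def decide(self, ts, honeypot, proto):
        """Return 'ALLOW' or 'DROP' for one outbound connection attempt
        made by `honeypot` at time `ts` (seconds) over protocol `proto`."""
        proto = proto if proto in self.limits else "other"
        key = (honeypot, proto)
        start = self.window_start.get(key)
        if start is None or ts - start >= self.window:
            # first connection of a new counting window: reset the counter
            self.window_start[key] = ts
            self.counts[key] = 0
        self.counts[key] += 1
        limit = self.limits[proto]
        if self.counts[key] > limit:
            if self.counts[key] == limit + 1:
                # alert once per window, at the moment the limit is crossed
                self.alerts.append(
                    f"{honeypot}: more than {limit} outbound {proto} "
                    f"connections in {self.window}s, dropping the rest")
            return "DROP"
        return "ALLOW"


# Constructed sample: a compromised honeypot at 10.1.1.50 opens 16 TCP
# connections within ten minutes, sends one ICMP packet, then tries
# TCP again after the hour-long window has expired.
SAMPLE_EVENTS = [(t, "10.1.1.50", "tcp") for t in range(0, 160, 10)]
SAMPLE_EVENTS += [(200, "10.1.1.50", "icmp"), (4000, "10.1.1.50", "tcp")]


def run_sample():
    dc = DataControl()
    decisions = [dc.decide(*event) for event in SAMPLE_EVENTS]
    return decisions, dc.alerts
```

The 16th TCP connection is the first one dropped and the only one that raises an alert; the ICMP packet and the TCP connection in the next window are still allowed.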

http://www.honeynet.org/tools/cdrom/
14
Honeywall CD / Honeynet Diagram
15
Hot Zoning
  • Divert traffic destined for unused services on
    production systems to an internal honeypot.
16
Honeytokens
  • Resources used for detecting and tracking insider
    interaction with legitimate resources.
  • Items that should not normally be accessed.
    • Fake documents: fake source code, Microsoft Word
      and Excel documents.
    • Bogus SSN or CC numbers
    • Emails
    • Login and password. Example: testtest
  • Ability to send notification when accessed.
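As an added example (not part of the talk): a Python detector that watches constructed web-access and sshd log lines for the honeytokens described above and produces the notification the last bullet calls for, then counts hits per source so repeat access stands out. The token file paths, the decoy account and the log entries are hypothetical values made up for this example.

```python
import re
from collections import Counter

# Added example: honeytoken detection over constructed log lines. The
# token paths and the decoy account are hypothetical values invented for
# this demonstration, as are the sample log entries at the bottom.
HONEYTOKEN_PATHS = {"/hr/employee_ssn_list.xls", "/eng/nextgen_router_src.tgz"}
HONEYTOKEN_USERS = {"svc_backup_old"}

# Apache combined-format access log: client, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# OpenSSH syslog lines for accepted and failed logins.
SSH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (?:Accepted|Failed) \S+ '
    r'for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')


def detect(lines):
    """Return (kind, source, token) for every log line that touches a
    honeytoken. Every hit is reportable: nobody has a legitimate reason."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["path"].split("?", 1)[0] in HONEYTOKEN_PATHS:
            alerts.append(("honeytoken-file", m["src"], m["path"]))
            continue
        m = SSH_RE.match(line)
        if m and m["user"] in HONEYTOKEN_USERS:
            # a failed attempt counts too: the username alone is the token
            alerts.append(("honeytoken-login", m["src"], m["user"]))
    return alerts


def by_source(alerts):
    """Count hits per client address so repeat access stands out."""
    return dict(Counter(src for _kind, src, _token in alerts))


# Constructed sample log lines: one ordinary page fetch, one fetch of a
# token document, one normal login, one attempt with the decoy account.
SAMPLE_LOGS = [
    '10.2.3.4 - - [12/Mar/2005:10:01:22 -0500] "GET /index.html HTTP/1.1" 200 512',
    '10.2.3.4 - - [12/Mar/2005:10:01:45 -0500] "GET /hr/employee_ssn_list.xls HTTP/1.1" 200 44032',
    'Mar 12 10:05:01 devbox sshd[2211]: Accepted password for jdoe from 10.2.3.9 port 4411 ssh2',
    'Mar 12 10:06:13 devbox sshd[2214]: Failed password for svc_backup_old from 10.2.3.4 port 4412 ssh2',
    'Mar 12 10:06:40 devbox sshd[2216]: Failed password for invalid user admin from 10.2.3.4 port 4413 ssh2',
]
```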

17
http://www.honeynet.org
Question and Answer Session
  • Kirby Kuehl
  • <kkuehl@honeynet.org>