HoneySpider Network 2.0: detecting client-side attacks the easy way (PowerPoint presentation)

Paweł Pawliński, CERT Polska / NASK
24th Annual FIRST Conference, 21 June 2012


  1. HoneySpider Network 2.0: detecting client-side attacks the easy way. Paweł Pawliński (CERT Polska / NASK), 24th Annual FIRST Conference, 21 June 2012.

  2. Outline: 1. Introduction; 2. Architecture; 3. Services; 4. Demonstration; 5. Future plans.

  3. Section: Introduction

  4. Introduction: origins of HSN 2.0
     - Joint project of CERT Polska and NCSC-NL (GOVCERT.NL), started in 2011
     - Successor to HoneySpider Network version 1.x, which is used in production by CERTs and from which we gained experience in scanning web pages automatically

  5. Introduction: project goals
     - Detect attacks on client applications, delivered through web pages and files
     - Apply multiple analyses: PDF, SWF, JavaScript, ...; low- and high-interaction honeypots
     - Configurable (processing details)
     - Scalable (crawling)
     - Open architecture
  6. (build step of slide 5: the same goals, with a "version 1" annotation marking the analyses)

  7. Section: Architecture

  8. Architecture overview: HSN 1.x vs 2.0 (diagram; labels: 1.x, 2.0, Framework)

  9. Architecture overview (diagram; labels: Operational, Reporting, Framework, Job, Web GUI, CLI, Monitoring, Report, DB, Alerts, export)

  10. Architecture: technical foundations
     - Network communication: Advanced Message Queuing Protocol (AMQP), Google Protocol Buffers
     - Storage: CouchDB; JSON documents for operational data, plus a flexible mapping to persistent reports
     - Programming languages: Java, Python (C++)

  11. Architecture, configurability: sample workflow (flowchart, built up over slides 11 to 13). Job start; decision on parameter A = "some value": yes → accepted, no → rejected; ...

  14. Section: Services

  15. Services, implemented services: web client emulators (these are not crawlers!)
     - HtmlUnit-based custom browser emulator: implemented in Java, uses the Rhino JavaScript engine, complete control over all behaviours (requests, redirects, frames), link extraction
     - Thug (low-interaction honeypot): implemented in Python, uses the V8 engine, less control, detects common attacks

  16. Services, implemented services: analyzers
     - Static JavaScript analyzer, ported from version 1: n-grams + Bayes classifier
     - SWF analyzer (NASK)
     - Shellcode detection (scdbg)
     - Cuckoo Sandbox
     - Capture-HPC high-interaction honeypot, used in HSN 1.x, with new features and stability fixes
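The static JavaScript analyzer on this slide combines token n-grams with a Bayes classifier. The following is an added example, my own illustration and not HSN's analyzer or its training data, of that technique in Python: a tokenizer that collapses string and number literals (so the model learns code structure rather than payload bytes), a bigram extractor, a multinomial naive Bayes model with add-one smoothing, and a constructed four-snippet corpus. The snippets, their labels and the function names are made up for the demonstration.

```python
import math
import re
from collections import Counter

# Tokenizer for JavaScript source: identifiers/keywords, numbers, string
# literals, or any single non-space character (punctuation). String and
# number literals are collapsed to STR / NUM so the classifier learns from
# code structure rather than from payload bytes, which change per sample.
TOKEN_RE = re.compile(r"""[A-Za-z_$][\w$]*|\d+|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\S""")


def tokenize(src):
    tokens = []
    for match in TOKEN_RE.finditer(src):
        tok = match.group(0)
        if tok[0] in "\"'":
            tokens.append("STR")
        elif tok[0].isdigit():
            tokens.append("NUM")
        else:
            tokens.append(tok)
    return tokens


def ngrams(tokens, n=2):
    """Sliding-window n-grams over a token list (bigrams by default)."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


class NgramBayes:
    """Multinomial naive Bayes over token n-grams with Laplace smoothing."""

    def __init__(self, n=2):
        self.n = n
        self.grams = {}          # label -> Counter of n-gram occurrences
        self.docs = Counter()    # label -> number of training documents
        self.vocab = set()       # every n-gram seen in any class

    def train(self, src, label):
        grams = ngrams(tokenize(src), self.n)
        self.grams.setdefault(label, Counter()).update(grams)
        self.docs[label] += 1
        self.vocab.update(grams)

    def log_prob(self, src, label):
        counts = self.grams[label]
        total = sum(counts.values())
        vocab_size = len(self.vocab)
        score = math.log(self.docs[label] / sum(self.docs.values()))  # log prior
        # add-one smoothing keeps an unseen n-gram from zeroing the whole product
        for g in ngrams(tokenize(src), self.n):
            score += math.log((counts[g] + 1) / (total + vocab_size))
        return score

    def classify(self, src):
        return max(self.grams, key=lambda label: self.log_prob(src, label))


# Constructed training corpus (hypothetical, not HSN's data): two harmless
# snippets and two loader idioms typical of drive-by pages.
BENIGN = [
    'var n=document.getElementById("menu");',
    'function show(){n.style.display="block";}',
]
MALICIOUS = [
    'eval(unescape("%u9090%u9090"));',
    'var s=String.fromCharCode(104,116);eval(s);',
]


def build_demo_classifier():
    clf = NgramBayes(n=2)
    for src in BENIGN:
        clf.train(src, "benign")
    for src in MALICIOUS:
        clf.train(src, "malicious")
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    # the last sample was never seen in training; it shares the
    # "( unescape (" and ") )" bigrams with the malicious class
    for sample in MALICIOUS + BENIGN + ['document.write(unescape("%u6a6a"));']:
        print(clf.classify(sample), "<-", sample)
```

With such a tiny corpus the decision is driven by a handful of bigrams such as `( unescape` and `) )`; a production model needs thousands of labelled samples per class, and attackers can pad a loader with benign-looking code to dilute exactly these features, which is why the slide pairs this static check with honeypots and sandboxes rather than relying on it alone.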

  17. Services, implemented services: utilities
     - Feeder: file with URLs, search engine results, ...
     - URL normalizer
     - Reporter (persistent data)
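The slide lists a URL normalizer among the utilities. Below is an added example of what such a normalizer has to do before URLs from a feeder are deduplicated and queued for the web clients. It is my own code, not HSN's utility, and it makes the usual RFC 3986 choices (lowercase scheme and host, drop default ports, decode percent-escapes of unreserved characters and uppercase the rest, resolve dot segments, drop the fragment) plus two assumptions of my own: credentials in the authority are stripped, and only http/https URLs are accepted. The function names and sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Schemes the web clients can fetch; anything else (javascript:, data:, file:)
# is rejected before it reaches the scan queue. Assumption of this example.
DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_percent(text):
    """Decode %XX escapes of unreserved characters and uppercase the hex digits
    of every other escape (RFC 3986 sections 6.2.2.1 and 6.2.2.2). %2F stays
    encoded, so an encoded slash cannot change the path structure."""
    def fix(match):
        ch = chr(int(match.group(1), 16))
        return ch if ch in UNRESERVED else "%" + match.group(1).upper()
    return PCT_RE.sub(fix, text)


def remove_dot_segments(path):
    """Resolve '.' and '..' segments without losing a trailing slash."""
    out = []
    segments = path.split("/")
    for seg in segments:
        if seg == "..":
            if len(out) > 1:        # never pop the leading empty root segment
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")             # '/a/b/..' denotes the directory '/a/'
    return "/".join(out)


def normalize_url(url):
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = parts.hostname          # lowercased by urlsplit, brackets stripped
    if not host:
        raise ValueError("missing host")
    host = host.encode("idna").decode("ascii")   # Unicode labels -> punycode
    if ":" in host:                # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    port = parts.port              # raises ValueError for a non-numeric port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else "%s:%d" % (host, port)
    # userinfo (user:pw@) is dropped on purpose: credentials do not belong in a
    # scan queue or in the reports derived from it (assumption of this example)
    path = remove_dot_segments(normalize_percent(parts.path or "/"))
    query = normalize_percent(parts.query)
    return urlunsplit((scheme, netloc, path, query, ""))   # fragment dropped


def is_scannable(url):
    """True if the URL survives normalization; used to filter feeder input."""
    try:
        normalize_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed feeder lines, including two spellings of the same page
    for line in ["HTTP://www.Example.COM:80/a/./b/../c%7Ed/?x=1#top",
                 "http://www.example.com/a/c~d/?x=1",
                 "javascript:alert(1)"]:
        print(normalize_url(line) if is_scannable(line) else "rejected", "<-", line)
```

Query parameters are deliberately not reordered: for deduplication that would be convenient, but some servers, and many exploit kits, treat parameter order as significant, so a crawler that reorders them may fetch a different page than the one reported.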

  18. Services, Razorback integration: Razorback, short introduction
     - Modular IDS; data acquisition decoupled from offline analyses
     - Dispatcher: routes data
     - Nuggets (services): collection (Snort, SMTP, ...), analyzers, enrichment (DNS, ...)
     - SQL database, GUI

  20. Services, Razorback integration: Razorback analyzers
     - Universal Razorback-to-HSN 2.0 adapter: only recompilation required, no changes to source code
     - Tested nuggets: swfScanner, pdfFox, clamavNugget, officeCat, virusTotal, archiveInflate

  21. Services: extensibility
     - Open communication protocol; well-defined data contract for each service
     - Open technologies: AMQP, protobuf, REST, JSON
     - Libraries provided for Java and Python

  22. Section: Demonstration

  23. Demonstration ...

  24. Section: Future plans

  25. Future plans: current state of HSN 2.0
     - All essential components implemented: framework, storage, web client
     - Growing set of analyzers
     - Functional web interface
     - More tests and stabilization needed

  26. Future plans
     - Release as open source (soon!)
     - Improve management of the whole system
     - More analyzers: integrate existing tools, analysis of sandbox data, alternative web clients (high-interaction?)
     - Looking for more ideas!

  27. Thank you for your attention. Questions?
