lecture 5 iot honeypots
play

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, - PowerPoint PPT Presentation

Mar 26, 2023 •534 likes •926 views

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 20, 2020 Lab assignment MUD descriptions: youll need to generate them yourselves, tools are available IoT

  1. Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 20, 2020

  2. Lab assignment • MUD descriptions: you’ll need to generate them yourselves, tools are available • IoT devices: you’ll need to work with the actual hardware, no emulations (unless as an extra) • Use IoT devices without a browser-like interface, such as light bulbs, audio speakers, doorbells • Do not use multi-purpose devices like tablets, phones, laptops • At least 2 IoT devices per group of 3 and at least 3 devices per group of 4 • Etienne Khan available for assistance

  3. Paper summaries • You must have handed in your two summaries BEFORE this lecture • You can use the summaries during the oral exam (“open book”) • You cannot complete SSI without submitting 12 paper summaries!

  4. Interactive Lecture • Goal: enable you to learn from each other and further increase your understanding of the papers (contributes to preparing yourself for the oral exam) • Format: 1. We’ll ask someone to provide their verbal summary of the paper 2. 5-slide(-ish) summary by teachers (put any questions in the chat) 3. Questions: discussion starters and fact questions 4. Discussion (use your mic) 5. We may ask someone specific to start the discussion • Experimental format resulting from Corona pandemic, please provide feedback!

  5. Today’s papers Are about measuring IoT botnets • [IoTPOT ] Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow. “IoTPOT: Analysing the Rise of IoT Compromises”. 9th USENIX Workshop on Offensive Technologies (co-located with USENIX Sec ’15), WOOT ’15, Washington, DC, https://christian-rossow.de/publications/iotpot-woot2015.pdf • [ Honware ] Vetterl, Alexander, and Richard Clayton. “Honware: A virtual honeypot framework for capturing CPE and IoT zero days.” Symposium on Electronic Crime Research (eCrime). IEEE. 2019. https://www.cl.cam.ac.uk/~amv42/papers/vetterl-clayton-honware-virtual- honeypot-framework-ecrime-19.pdf

  6. “IoTPOT: Analysing the Rise of IoT Compromises”, 9th USENIX Workshop on Offensive Technologies (WOOT), 2015

  7. Darknet monitoring 270.000 IP’s Connect back 23/80 TCP & collect banners.

  8. Darknet monitoring (2)

  9. Darknet monitoring (2)

  10. Quiz Why is a darknet useful for IoT malware research? A: Malware runs better, because it’s from the dark side B: No legitimate traffic C: No legal problems because a darknet is not managed by any company D: It has residual trust from previous use

  11. IoT POT Running on 165 IP addresses 5 weeks running time Telnet attack stages: (1) Intrusion; (2) Infection; (3) Monetization. Remember Mirai? Credentials in Fixed/Random order (1) 6 patterns of commands (2) distinguished

  12. ‘Coordinated intrusion’

  13. IoTPOT & IoTBOX

  14. Quiz What would an operator of an IoTPOT honeypot need to do to support Hajime? A: Add support for MIPS CPU architecture B: Track DHT (P2P) communications C: Expose many vulnerabilities D: Run the honeypot in different subnets

  15. IoTBOX Sandbox with 8 CPU architectures Limit outgoing to DNS/HTTP 5ppm Telnet to Dummy server

  16. Results

  17. Results

  18. Quiz Most important next-step A: More CPU architectures B: Passthrough and monitor C&C traffic C: Standardized botnet profiles for sharing between organizations D: Running on real (IoT) hardware

  19. Key takeaways IoT world heterogeneous => honeypots more complex High-interaction needed to get useful results Require many (!) IP addresses to catch scans

  20. Discussion Þ What is IoT about IoTPOT? Þ Ethical considerations in running a honeypot? Þ How would you improve IoTPOT? Þ Others means to achieve the same?

  21. Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days Vetterl, A., & Clayton, R. (2019, November). Honware: A virtual honeypot framework for capturing CPE and IoT zero days. In Symposium on Electronic Crime Research (eCrime). IEEE .

  22. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days ● We’ve seen IoTPOT as a generic example, can we improve on that model? Specialized honeypots can be built for known malware (leaked Mirai sourcecode) ○ But this might not capture attack traffic of unknown derivates (e.g. Yowai/Hakai) ○ ● Malware engineers can easily scan the whole IPv4 Internet to look for vulnerable devices and quickly infect them. ● This means defenders need to scale fast too IoTPOT à Hardcoded answers (and limited sandbox), Firmadyne à Not setup for ○ network traffic, SIPHON à physical devices ● Using original firmware as a basis for honeypots

  23. Quiz 1 How long does it take to scan the whole IPv4 space? Around 5 minutes A. Around 60 minutes B. Around 1 day C. Around 7 days D.

  24. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days ● Using original firmware as a honeypot basis Automated firmware extraction with Binwalk ○ Customizing the kernel to allow logging & emulating proprietary hardware ○ Signal interception (signals are a form of inter-process communication (IPC)) ○ Module loading disabled ○ NVRAM is not available and thus has to be emulated ○ Network configuration (adding interfaces) ○ Emulation self-check (am I reachable via ping?) ○

  25. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  26. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days ● Not required, but fun: ● Reverse engineering my router's firmware with binwalk ● https://embeddedbits.org/reverse-engineering-router-firmware-with-binwalk/ ● Playing with signals ● http://www.it.uu.se/education/course/homepage/os/vt18/module- 2/signals/

  27. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days ● How does this system compare to the alternative (Firmadyne)? ● Out of 8387 available firmwares, 4650 could be successfully extracted (55.4%) Possibly due to having weaker constraints on the size of the extracted image ○ ● From the 4650 extracted firmware images, 1903 responded to ICMP traffic (40.9%). Firmadyne only achieved this for 460 firmware images (15.8%) Likely due to the kernel customizations, and handling of crashes ○

  28. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  29. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  30. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days ● How does this system compare to the real deal (hardware in the wild)? ● Fingerprinting of honeypots is an ongoing concern

  31. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  32. Quiz 2 Hosting the honeypots in the cloud can aid attackers in the fingerprinting process A. True False B.

  33. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days ● Real world results: fast UPnPHunter took a research team 1 month to reverse engineer, Honware 1. detected the complete attack within 24 hours DNS hijack, a previously unknown attack 2. UPnPProxy 3. Mirai variants, target port 80 (HTTP) instead of 23 (Telnet) 4. Detected malware samples were unknown to the wider community (Virustotal) ●

  34. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

  35. A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days ● At the beginning we were not able to capture a valid sample as the honeypot needs to be able to simulate the above scenarios. We had to tweak and customize our honeypot quite a few times, then finally in Oct, we got it right and successfully tricked the botnet to send us the sample (we call it BCMUPnP_Hunter). ● https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home- routers-to-email-spammers-en/ ● Original slides by the authors of the paper: ● https://www.cl.cam.ac.uk/~amv42/papers/vetterl-clayton-honware-virtual- honeypot-framework-ecrime-19-slides.pdf

  36. Conclusion Honware uses real services/applications which are shipped with the device ● In addition to that, the native configuration files are loaded ○ Better than existing emulation strategies in all areas ● Extraction, network reachability, listening services ○ Capable of detecting vulnerabilities at scale ● Rapid emulation cuts the attackers’ ability to exploit vulnerabilities for considerable time ○

  37. Discussion of honeypot frameworks What do you think of the proposed frameworks today? Would you change 1. something and why? Let’s link this back to the lecture of governance and regulation: 2. Should governments only allow the sale of an IoT device, if they can run the firmware on a testbench?

  38. Volg ons SIDN.nl Discussion & feedback @SIDN SIDN Next lecture: Wed May 27, 10:45-12:30 Topic: IoT edge security systems

Recommend

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

922 views • 25 slides
Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Monitoring, Attack Detection and Mitigation Monitoring, Attack Detection and Mitigation MonAM 2006 MonAM 2006 Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti Authors: merson Virti, Liane

474 views • 16 slides
Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Metasploit- able Honeypots Wouter Katz Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter Katz Results wouter.katz@os3.nl Conclusions References University of Amsterdam July 4th 2013 Wouter

623 views • 30 slides
Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at

Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at

Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at Internet S cale Alexander Vet t erl and Richard Clayt on University of Cambridge 12th USENIX Workshop on Offensive Technologies August 13-14, 2018

481 views • 21 slides
Honeypots against Worms 101 Honeypots against Worms 101 Black Hat Asia 2003 oudot at oudot at

Honeypots against Worms 101 Honeypots against Worms 101 Black Hat Asia 2003 oudot at oudot at

Honeypots against Worms 101 Honeypots against Worms 101 Black Hat Asia 2003 oudot at oudot at rstack rstack.org .org http://www.rstack http://www. rstack.org/ .org/oudot oudot team rstack.org Overview Overview 1. About Worms

733 views • 51 slides
Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC meeting Nijmegen, Netherlands, 2017 Honeypots Honeypots Emulation of a network resource Built to be discovered, attacked and compromised

497 views • 18 slides
We know where you live Systematically Fingerprinting Low- and Medium-interaction Honeypots at

We know where you live Systematically Fingerprinting Low- and Medium-interaction Honeypots at

We know where you live Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale Alexander Vetterl University of Cambridge alexander.vetterl@cl.cam.ac.uk Introduction Honeypot s: A resource whose value is

477 views • 19 slides
Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian

Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian

Counting Outdated Honeypots: Legal and Useful Alexander Vetterl * , Richard Clayton * and Ian Walden *University of Cambridge, Queen Mary University of London 4th International Workshop on Traffic Measurements for Cybersecurity May 23,

423 views • 17 slides
Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to

Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to

Benjamin Braun, Klemens Mang Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to detect attackers accessing your service? How to analyze attack patterns? How to detect yet unknown attack

246 views • 13 slides
Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006 {Franck.Veysset,Laurent.Butti}@orange-ft.com D1 -June 2006 Agenda s Origins and background s Different kinds of honeypot Q High interaction honeypots Q Low interaction honeypots

1.5k views • 112 slides
Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche 1 , E. Alata 1 , V.Nicomette 1 , Y. Deswarte 1 , M. Dacier 2 LAAS-CNRS 1 , Eurecom 2 Mohamed.Kaaniche@laas.fr ACI Scurit &

409 views • 17 slides
) tra ffi c lights smart grid Honeypots in ICS Environments space station steel mill ( power

) tra ffi c lights smart grid Honeypots in ICS Environments space station steel mill ( power

) tra ffi c lights smart grid Honeypots in ICS Environments space station steel mill ( power plant supertanker death star gas pipeline sewage plant wind turbine ) cypherpunk chaotic neutral privacy activist researcher DI Daniel

656 views • 27 slides
A visual analytic approach for analyzing SSH honeypots Jop van der Lelie Rory Breuk National

A visual analytic approach for analyzing SSH honeypots Jop van der Lelie Rory Breuk National

A visual analytic approach for analyzing SSH honeypots Jop van der Lelie Rory Breuk National Cyber Security Centre (NCSC-NL) Center for expertise on cyber security and incident response of the Dutch government Preventing ICT and

946 views • 37 slides
Peer-to-Peer bots Investigation using Distributed Honeypots Karun Dambiec u4462988 Australian

Peer-to-Peer bots Investigation using Distributed Honeypots Karun Dambiec u4462988 Australian

Overview Peer-to-Peer Bots LeurreCom.org Honeypot Project Goals Timetable References Acknowledgements Peer-to-Peer bots Investigation using Distributed Honeypots Karun Dambiec u4462988 Australian National University COMP8760 Computer

1.17k views • 11 slides
THE WOMBAT API handling incidents by querying a world-wide network of advanced honeypots Piotr

THE WOMBAT API handling incidents by querying a world-wide network of advanced honeypots Piotr

THE WOMBAT API handling incidents by querying a world-wide network of advanced honeypots Piotr Kijewski, Adam Kozakiewicz 15th June 2010 22nd Annual FIRST Conference, Miami WOMBAT Project EU 7th FRAMEWORK PROGRAMME (2008-2010)

518 views • 13 slides
Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of

Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of

Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of Security Operations and Incident Response National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign National

229 views • 20 slides
Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

IBWAS 2010 From Risk Awareness to Security Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December 2010 About me Senior Information Security Consultant / Auditor University Professor: Security,

447 views • 23 slides
Modeling Malware-driven Honeypots Gerardo Fernndez, Ana Nieto and Javier Lopez

Modeling Malware-driven Honeypots Gerardo Fernndez, Ana Nieto and Javier Lopez

TRUSTBUS 2017 Modeling Malware-driven Honeypots Gerardo Fernndez, Ana Nieto and Javier Lopez {gerardo,nieto,jlm}@lcc.uma.es Network, Information and Computer Security (NICS) Lab University of Malaga, Spain TrustBus 2017, August 30 th 2017

500 views • 34 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides

More recommend