modeling malware driven honeypots
play

Modeling Malware-driven Honeypots Gerardo Fernndez, Ana Nieto and - PowerPoint PPT Presentation

Oct 16, 2022 •150 likes •500 views

TRUSTBUS 2017 Modeling Malware-driven Honeypots Gerardo Fernndez, Ana Nieto and Javier Lopez {gerardo,nieto,jlm}@lcc.uma.es Network, Information and Computer Security (NICS) Lab University of Malaga, Spain TrustBus 2017, August 30 th 2017

  1. TRUSTBUS 2017 Modeling Malware-driven Honeypots Gerardo Fernández, Ana Nieto and Javier Lopez {gerardo,nieto,jlm}@lcc.uma.es Network, Information and Computer Security (NICS) Lab University of Malaga, Spain TrustBus 2017, August 30 th 2017

  2. Content 1 1. Honeypots, objectives and limitations 2. Malware Intelligence 3. Hogney Architecture 4. Study Case: Mirai 5. Conclusions Lyon, August 30th, 2017 TRUSTBUS 2017

  3. Honeypots 2 § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate live services of the production environment: showing a footprint similar to that of the services offered in the production network. – Research environments: showing a configuration of honeypots that enables attacks to be captured, to later analyse new techniques used. Lyon, August 30th, 2017 TRUSTBUS 2017

  4. Honeypots 3 § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate live services of the production environment: showing a footprint similar to that of the services offered in the production network. – Research environments: showing a configuration of honeypots that enables attacks to be captured, to later analyse new techniques used. § Limitations : – General purpose: hard to unleashed all stages of malware behaviour – Specific to protocols/applications: + reduced visibility – Specialized in predetermined attacks: + reduced visibility – Adaptive honeypots: usually combine previous techniques inheriting these problems Lyon, August 30th, 2017 TRUSTBUS 2017

  5. Honeypots 4 § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate live services of the production environment: showing a footprint similar to that of the services offered in the production network. – Research environments: showing a configuration of honeypots that enables attacks to be captured, to later analyse new techniques used. § Limitations : – General purpose: hard to unleashed all stages of malware behaviour – Specific to protocols/applications: + reduced visibility – Specialized in predetermined attacks: + reduced visibility – Adaptive honeypots: usually combine previous techniques inheriting these problems Lyon, August 30th, 2017 TRUSTBUS 2017

  6. Honeypots 5 § Nowadays, there are myriad of honeypots available... Nepenthes HoneyBOT Cowrie Dionaea HoneyTrap Kippo Conpot LaBrea Lyon, August 30th, 2017 TRUSTBUS 2017

  7. Honeypots 6 § Nowadays, there are myriad of honeypots available... Nepenthes HoneyBOT Cowrie Dionaea IoTPOT Glastopf H o elastichoney n e y S i n k HoneyTrap Kippo Conpot LaBrea Lyon, August 30th, 2017 TRUSTBUS 2017

  8. Honeypots 7 § Nowadays, there are myriad of honeypots available... Nepenthes HoneyBOT Cowrie Dionaea IoTPOT Why not offer them... Glastopf H “à la carte” ? o elastichoney n e y S i n k HoneyTrap Kippo Conpot LaBrea Lyon, August 30th, 2017 TRUSTBUS 2017

  9. Malware Intelligence 8 We use the term malware intelligence to refer to information § regarding the behaviour and propagation of malware. – Which OS is targeted ? – What components are attacked? – Who communicates with? – What activity is performed? – Who created and launched ? Lyon, August 30th, 2017 TRUSTBUS 2017

  10. Malware Intelligence 9 We use the term malware intelligence to refer to information § regarding the behaviour and propagation of malware. – Which OS is targeted ? – What components are attacked? – Who communicates with? – What activity is performed? – Who created and launched ? Depending on the information requested, different types of malware § intelligence services can be used. We classify them in three levels : – L1 : information about IP and URLs – L2 : information about files: processor, O.S., applications affected, etc. – L3 : intelligence information sharing services (files, URLs, domains, C2 nodes, etc.) Lyon, August 30th, 2017 TRUSTBUS 2017

  11. Malware Intelligence 10 L1 Lyon, August 30th, 2017 TRUSTBUS 2017

  12. Malware Intelligence 11 L2 Lyon, August 30th, 2017 TRUSTBUS 2017

  13. Malware Intelligence 12 L2 Lyon, August 30th, 2017 TRUSTBUS 2017

  14. Malware Intelligence 13 < response > L3 < Event > < date >2016-12-07</ date > < info >Locky 2016-12-07 : "Card Receipt" - "CARD123 456789.docm"</ info > < published >1</ published > < Attribute > < type >ip-dst</ type > < category >Network activity</ category > < value >91.142.90.46</ value > < RelatedAttribute > < Attribute > < info >"Emailing: MX62EDO 08.12.2016" - "MX62EDO 08.12.2016.docm"</ info > < value >91.142.90.46</ value > </ Attribute > </ RelatedAttribute > </ Attribute > < Attribute > < type >url</ type > < category >Payload delivery</ category > < value >http://wahanaputrayudha.com/hfycn33</ value > </ Attribute > < Attribute > < type >md5</ type > < category >Payload delivery</ category > < value >b923db309a973d7229a1e77352e89486</ value > </ Attribute > < Tag >< name >misp-galaxy:ransomware=”Locky"</ name ></ Tag > </ Event > </ response > Lyon, August 30th, 2017 TRUSTBUS 2017

  15. Malware Intelligence 14 < response > L3 < Event > < date >2016-12-07</ date > < info >Locky 2016-12-07 : "Card Receipt" - "CARD123 456789.docm"</ info > < published >1</ published > < Attribute > < type >ip-dst</ type > < category >Network activity</ category > < value >91.142.90.46</ value > < RelatedAttribute > < Attribute > < info >"Emailing: MX62EDO 08.12.2016" - "MX62EDO 08.12.2016.docm"</ info > < value >91.142.90.46</ value > </ Attribute > </ RelatedAttribute > </ Attribute > < Attribute > < type >url</ type > < category >Payload delivery</ category > < value >http://wahanaputrayudha.com/hfycn33</ value > </ Attribute > < Attribute > < type >md5</ type > < category >Payload delivery</ category > < value >b923db309a973d7229a1e77352e89486</ value > </ Attribute > < Tag >< name >misp-galaxy:ransomware=”Locky"</ name ></ Tag > </ Event > </ response > Lyon, August 30th, 2017 TRUSTBUS 2017

  16. Malware Intelligence 15 < response > L3 < Event > < date >2016-12-07</ date > < info >Locky 2016-12-07 : "Card Receipt" - "CARD123 456789.docm"</ info > < published >1</ published > < Attribute > < type >ip-dst</ type > < category >Network activity</ category > < value >91.142.90.46</ value > < RelatedAttribute > < Attribute > < info >"Emailing: MX62EDO 08.12.2016" - "MX62EDO 08.12.2016.docm"</ info > < value >91.142.90.46</ value > </ Attribute > </ RelatedAttribute > </ Attribute > < Attribute > < type >url</ type > < category >Payload delivery</ category > < value >http://wahanaputrayudha.com/hfycn33</ value > </ Attribute > < Attribute > < type >md5</ type > < category >Payload delivery</ category > < value >b923db309a973d7229a1e77352e89486</ value > </ Attribute > < Tag >< name >misp-galaxy:ransomware=”Locky"</ name ></ Tag > </ Event > </ response > Lyon, August 30th, 2017 TRUSTBUS 2017

  17. Hogney Architecture 16 Objective : to facilitate the analysis of the three stages of malware: § exploration, infection and execution of the payload. – Focusing on auto-propagated malware – Obtaining information before offering a honeypot – Integrating tools to capture evidence – Adapting services for unleashing all stages of malware Lyon, August 30th, 2017 TRUSTBUS 2017

  18. Hogney Architecture 17 Objective : to facilitate the analysis of the three stages of malware: § exploration, infection and execution of the payload. – Focusing on auto-propagated malware – Obtaining information before offering a honeypot – Integrating tools to capture evidence – Adapting services for unleashing all stages of malware 3 main modules: § – Interception of connections – Configuration of trap services – Evidence monitoring Lyon, August 30th, 2017 TRUSTBUS 2017

  19. Hogney Architecture 18 Objective : to facilitate the analysis of the three stages of malware: § exploration, infection and execution of the payload. – Focusing on auto-propagated malware – Obtaining information before offering a honeypot – Integrating tools to capture evidence – Adapting services for unleashing all stages of malware 3 main modules: § – Interception of connections – Configuration of trap services – Evidence monitoring Using… § – Low and medium interaction honeypot templates – Execution environments (real and virtual) for high interaction honeypots Lyon, August 30th, 2017 TRUSTBUS 2017

  20. Hogney Architecture 19 Lyon, August 30th, 2017 TRUSTBUS 2017

  21. Hogney Architecture 20 Lyon, August 30th, 2017 TRUSTBUS 2017

Recommend

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 ,

Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 ,

Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 , 2020 1 Student at IMT Mines Ales and intern at FAU Erlangen-Nurnberg under the supervision of Prof. Enrique Zuazua. Table of Contents Table of

790 views • 43 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher

Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher

Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher Ethical Hacker mane@piperevski.com Piperevski &amp; Associates Skopje, Macedonia What's your favorite Malware? Who we are? A. Popup

297 views • 13 slides
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland National Cybersecurity and Communications Integration Center Security whoami Cyber Threat Analyst at Northrop Grumman Performed wide range of

550 views • 20 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project &amp; Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers &amp; Co- author, Know Your Enemy ! Work

676 views • 52 slides
Overview Information-driven modeling of biomolecular complexes ! Introduction ! Information

Overview Information-driven modeling of biomolecular complexes ! Introduction ! Information

Overview Information-driven modeling of biomolecular complexes ! Introduction ! Information sources ! General aspects of docking ! Information-driven docking with HADDOCK ! Protein-DNA HADDOCKing ! HADDOCKs adventures in CAPRI ! Small molecule

675 views • 28 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Modeling Dynamics of and on Networks Simultaneously Theory-Driven and Data-Driven Approaches

Modeling Dynamics of and on Networks Simultaneously Theory-Driven and Data-Driven Approaches

Modeling Dynamics of and on Networks Simultaneously Theory-Driven and Data-Driven Approaches Hiroki Sayama Binghamton University, SUNY sayama@binghamton.edu 2 6/3/2014 Sayama -- HONS @ NetSci 2014 Complex Systems Modeled as Networks 3

347 views • 33 slides
Modeling metamorphism by abstract interpretation Roberto Giacobazzi 16.09.2010 - SAS2010

Modeling metamorphism by abstract interpretation Roberto Giacobazzi 16.09.2010 - SAS2010

Mila Giaco Saumya Kevin Gregg Modeling metamorphism by abstract interpretation Roberto Giacobazzi 16.09.2010 - SAS2010 Thursday, September 16, 2010 The problem Thursday, September 16, 2010 Malware analysis: signature checking Malware

458 views • 35 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Data-driven Photometric 3D Modeling for Complex Reflectances Boxin Shi (Peking University)

Data-driven Photometric 3D Modeling for Complex Reflectances Boxin Shi (Peking University)

Data-driven Photometric 3D Modeling for Complex Reflectances Boxin Shi (Peking University) http://ci.idm.pku.edu.cn | shiboxin@pku.edu.cn 1 Photometric Stereo Basics 2 3D imaging 3 3 3D modeling methods Laser range scanning Bayon

1.23k views • 99 slides
Natural Convec.on-Driven Propulsion MODELING AND SIMULATION OF

Natural Convec.on-Driven Propulsion MODELING AND SIMULATION OF

Natural Convec.on-Driven Propulsion MODELING AND SIMULATION OF HEAT TRANSFER BY MIXED CONVECTION Overview Experimental data taken from Mercier, et al.

607 views • 17 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

922 views • 25 slides
Test%Driven+Data+Modeling+With+Graphs + Twi7er:+@ianSrobinson+ #neo4j+ + Outline+

Test%Driven+Data+Modeling+With+Graphs + Twi7er:+@ianSrobinson+ #neo4j+ + Outline+

Test%Driven+Data+Modeling+With+Graphs + Twi7er:+@ianSrobinson+ #neo4j+ + Outline+ Data+modeling+with+graphs+ Neo4j+applicaDon+architecture+opDons+ TesDng+your+data+model++ Graph+data+modeling+ Labeled+Property+Graph+ Models+

876 views • 64 slides

More recommend