NCSC One: IoT Honeypot - Pieter Jansen & Jurriaan Bremer (PowerPoint presentation)


  1. NCSC One: IoT Honeypot - Pieter Jansen & Jurriaan Bremer

  2. On the agenda: 1. Introduction 2. SBIR 3. Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap

  3. Introduction

  4. Pieter Jansen
      - CEO @ Cybersprint - https://cybersprint.com
      - Team of 25 enthusiasts
      - Since 2015
      - 100% Dutch
      - Digital Risk Protection services

  5. Jurriaan Bremer
      - CEO, Hatching - https://hatching.io/
      - Lead Developer, Cuckoo Sandbox - https://cuckoosandbox.org/
      - 6+ years of development on Cuckoo
      - Growing R&D team

  6. SBIR - "Balancing Security and Mobility"
      - This SBIR project is co-funded by the Internal Security Fund of the European Union

  7. SBIR
      - EU co-funded project
      - SBIR stage 1 (feasibility) <- You are here
      - SBIR stage 2 (realisation)
      - SBIR stage 3 (valorisation)
      - https://www.rvo.nl/subsidies-regelingen/sbir

  8. Cuckoo Sandbox

  9. Cuckoo Sandbox
      - Leading open source automated malware analysis project - https://cuckoosandbox.org/
      - Widely used throughout the security community
      - Hatching is the driving force behind the majority of Cuckoo innovations
      - Cuckoo forms the basis of the IoT Honeypot project

  10. Project

  11. Project [1/2]
      - Goal: develop a firmware-based, open source Internet of Things (IoT) honeypot framework
      - Target: consumer network devices, e.g., those used by NCSC.NL personnel at home
          - IP cameras, smart devices, etc.
      - Reason: Mirai, Hajime, etc.

  12. Hajime Botnet Makes a Comeback With Massive Scan for MikroTik Routers

  13. Project overview - replication vs emulation

  14. Replication approach
      1. Connect to an IoT device
      2. Store the conversation (example: HTML files)
      3. Spin up a service on the same port/protocol
      4. Play back the earlier captured conversation

  15. Replication approach - conclusions
      - Easy to set up fake environments
      - Did not go past the login screen
      - Was not convincing enough for attackers
      - Would only capture attempts, not infections
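The record-and-playback honeypot of slides 14 and 15, as an added example (this is not code from the talk or from the IoT Honeypot project). It serves a stored HTTP conversation on the device's port and logs what arrives; the captured pages, the `Boa` server banner and the `/login` form fields are constructed stand-ins for a real capture. Running it shows the limitation the slide states: every request that the capture did not contain is a miss, and a login attempt can only ever be answered with the captured "Login failed" page, so the honeypot records credential attempts but no post-login behaviour or infection.

```python
"""Record-and-playback ("replication") honeypot for one captured HTTP device.
Added example, not code from the talk or the IoT Honeypot project; the captured
conversation, banner and device paths below are constructed stand-ins."""
from __future__ import annotations

import re
import socketserver
from urllib.parse import parse_qs

# Constructed stand-in for step 2 of the approach: the stored conversation,
# keyed by request path. Only the pages reached during capture exist, and the
# capture never got past the login form.
CAPTURED = {
    "/": ("text/html",
          "<html><title>IP Camera Login</title>"
          "<form method=post action=/login>"
          "<input name=user><input name=pass type=password></form></html>"),
    "/login": ("text/html", "<html>Login failed</html>"),
}
SERVER_BANNER = "Boa/0.94.14rc21"   # constructed; copied from the capture in practice

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def build_response(status: str, ctype: str, body: str) -> bytes:
    return (f"HTTP/1.1 {status}\r\nServer: {SERVER_BANNER}\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n"
            f"Connection: close\r\n\r\n{body}").encode()


def handle_request(raw: bytes) -> tuple[bytes, dict]:
    """Step 4: answer one raw request from the stored conversation.
    Returns the response bytes and an event dict for the honeypot log."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode(errors="replace")
    m = REQUEST_LINE.match(request_line)
    if not m:
        return (build_response("400 Bad Request", "text/plain", "bad request"),
                {"kind": "malformed", "raw": request_line[:80]})
    method, path = m.group(1), m.group(2).split("?", 1)[0]
    event = {"kind": "request", "method": method, "path": path}
    if method == "POST" and path == "/login":
        # Credential attempts are all this design can ever observe: the
        # playback always answers "Login failed", so no session, no
        # firmware behaviour and no infection can follow.
        form = parse_qs(body.decode(errors="replace"))
        event = {"kind": "login_attempt",
                 "user": form.get("user", [""])[0],
                 "password": form.get("pass", [""])[0]}
    if path in CAPTURED:
        ctype, page = CAPTURED[path]
        event["playback"] = "hit"
        return build_response("200 OK", ctype, page), event
    # Anything outside the capture (a CGI the real firmware would run, a
    # vendor-specific endpoint) cannot be played back, which is what gives
    # the fake away to a scanner that knows the device.
    event["playback"] = "miss"
    return build_response("404 Not Found", "text/html", "<html>404</html>"), event


class ReplayHandler(socketserver.BaseRequestHandler):
    """Step 3: the same port/protocol as the device, serving the playback."""

    def handle(self) -> None:
        raw = self.request.recv(65536)
        response, event = handle_request(raw)
        print(self.client_address[0], event)   # stand-in for the honeypot log
        self.request.sendall(response)


if __name__ == "__main__":
    with socketserver.TCPServer(("127.0.0.1", 8080), ReplayHandler) as srv:
        srv.serve_forever()
```

The event dict is the whole yield of this design: a `login_attempt` with the credentials tried, or a `miss` for a path the capture never saw. Neither tells you whether the device would actually have been exploitable, which is the gap the emulation approach on the following slides closes.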

  16. Project [2/2]
      - Replication alternative did not work
      - Goal: create an open source IoT honeypotting framework
      - Goal: detect large-scale IoT compromise campaigns
      - Goal: detect new threats, generate new IoCs
          - Default credentials, exploits, etc.
      - Scales: run dozens of IoT devices using a single server
          - Without requiring the original hardware
          - Relatively low cost & maintenance effort

  17. Existing projects
      - pyREbox, PANDA, DECAF, ISP RAS
      - x86-only (pyREbox) and x86/ARM (PANDA, different use-case)
      - IoT firmware is often ARM/MIPS/etc.

  18. High-level project overview
      - Emulate IoT firmware using QEMU
      - Expose listening network services
          - Either to internal networks or to public IPv4 / IPv6 addresses
      - Instrument behavioral aspects of the running firmware
      - …
      - Wait for the device to be compromised!

  19. Goal of the project?
      - Once a device is compromised, investigate :-)
          - Got system call traces and PCAPs
          - Reconstruct traffic to isolate exploit and/or payload
      - Alternative use-case: honey tokens
          - Intentionally vulnerable devices with interesting names (e.g. FREDERIKSKAZERNE CAM51)
          - Notifies owners if attackers abuse it

  20. Architecture

  21. IoT Honeypot Architecture

  22. QEMU
      - Loading of firmware is non-trivial:
          - In practice most firmware is non-x86: ARM & MIPS
          - Needs specific QEMU command-line parameters etc.
      - Instrumentation of QEMU is interesting:
          - Little existing research on non-x86 QEMU VMI (Virtual Machine Introspection)
          - Instrumentation required to learn what the device is doing
          - E.g., logging system calls such as execve(2)

  23. Gathering results
      - We obtain network traffic from the outside
      - We obtain system calls from the device
      - Realtime data processing
      - Results stored for later research
      - Alerts emitted to a custom dashboard
          - Known vulnerability was used
          - ...

  24. QEMU command-line usage (MIPS image)

      /home/jbr/git/quailbox-qemu/build/mips-softmmu/qemu-system-mips \
          -kernel /home/jbr/.quailbox/kernels/vmlinux-3.18.120-4kc-malta-cuckoo \
          -nographic \
          -netdev tap,id=net0,ifname=tap_qemu,script=no,downscript=no \
          -M malta -m 512 \
          -hda /home/jbr/.quailbox/images/ext2fs-for-netgear-wnap210.image \
          -device e1000,netdev=net0 \
          -display none \
          -append "console=ttyS0 rw root=/dev/sda init=/sbin/init"

  25. QEMU Tiny Code Generator ("TCG")
      - Efficient engine for translating ARM/MIPS/etc. into an IL (Intermediate Language)
      - IL translated into native host code, e.g., x86
      - Needs customization to add our VMI
          - Syscall capturing for ARM+MIPS
          - Linux kernel modifications & tracing (WIP)
          - Memory tracking & dumping logic
      - Additional changes required for new bug classes
          - Instrumentation for specific applications etc.

  26. Realtime tcpdump processing
      - Log & process HTTP(S) requests from the outside
      - Present network traffic to ruling engines
          - Suricata / Snort
          - Cuckoo / proprietary signatures
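Slides 22, 23 and 26 together describe the two data feeds the honeypot produces (execve(2) events from the QEMU VMI layer and HTTP requests from the tap-interface capture) and the realtime processing that turns them into dashboard alerts. The following added example (not code from the talk or from the IoT Honeypot project) joins the two feeds: a signature check over each request stands in for the Suricata/Cuckoo ruling engine, and any execve by the firmware's web daemon that is not one of its known CGIs is tied back to the request that preceded it within a time window. The line formats, the daemon name `httpd`, the allowed-child list, the signature patterns and the sample lines are all constructed; the real project's output formats are not on the page.

```python
"""Realtime correlation of QEMU VMI syscall events with HTTP requests taken from
the tap interface, emitting alerts for the dashboard. Added example, not code
from the talk or the IoT Honeypot project: the two line formats, the signature
list, the daemon name 'httpd' and the sample lines are all constructed."""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass

# Constructed format for one execve event from the VMI layer:
#   <unix ts> <pid> <comm> execve <argv joined by spaces>
SYSCALL_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<pid>\d+) (?P<comm>\S+) execve (?P<argv>.+)$")
# Constructed format for one request the pcap processor extracted:
#   <unix ts> <src ip> <method> <path>
HTTP_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")

# Constructed signatures standing in for the Suricata/Cuckoo ruling engine.
SIGNATURES = [
    ("cmd-injection-metachars", re.compile(r"[;`|]|\$\(|%3[bB]|%7[cC]|%60")),
    ("path-traversal", re.compile(r"\.\./|%2e%2e", re.I)),
]


@dataclass
class Alert:
    kind: str
    src: str
    request: str
    execve: str | None = None
    signature: str | None = None


class Correlator:
    """Keeps the last `window` seconds of requests and ties each execve done by
    the network-facing daemon back to the request that preceded it."""

    def __init__(self, window: float = 5.0, httpd_comm: str = "httpd",
                 allowed_children: set[str] | None = None) -> None:
        self.window = window
        self.httpd_comm = httpd_comm
        # Binaries the daemon legitimately spawns (its CGIs); constructed list.
        self.allowed_children = allowed_children or {"/www/cgi-bin/status.cgi"}
        self.recent: deque[tuple[float, str, str]] = deque()
        self.alerts: list[Alert] = []

    def feed_http(self, line: str) -> None:
        m = HTTP_RE.match(line)
        if not m:
            return
        ts, req = float(m["ts"]), f"{m['method']} {m['path']}"
        self.recent.append((ts, m["src"], req))
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        # Signature path: catches known vulnerability classes, but needs a rule.
        for name, rx in SIGNATURES:
            if rx.search(m["path"]):
                self.alerts.append(Alert("signature", m["src"], req, signature=name))
                break

    def feed_syscall(self, line: str) -> None:
        m = SYSCALL_RE.match(line)
        if not m or m["comm"] != self.httpd_comm:
            return
        if m["argv"].split()[0] in self.allowed_children:
            return
        # Behavioural path: the daemon spawning something unexpected right
        # after a request is an indicator even for an exploit no rule knows.
        ts = float(m["ts"])
        hits = [r for r in self.recent if 0 <= ts - r[0] <= self.window]
        if not hits:
            self.alerts.append(Alert("unexplained-execve", "?", "", execve=m["argv"]))
            return
        _, src, req = hits[-1]
        self.alerts.append(Alert("request-triggered-execve", src, req, execve=m["argv"]))


def process(tagged_lines: list[str]) -> list[Alert]:
    """Consume a time-ordered mix of lines prefixed 'http ' or 'sys ' (constructed)."""
    c = Correlator()
    for line in tagged_lines:
        tag, _, rest = line.partition(" ")
        if tag == "http":
            c.feed_http(rest)
        elif tag == "sys":
            c.feed_syscall(rest)
    return c.alerts


# Constructed sample: a normal page load, a legitimate CGI, then an injected
# parameter followed by the daemon executing a shell.
SAMPLE = [
    "http 1700000001.10 203.0.113.7 GET /",
    "http 1700000002.40 203.0.113.7 GET /cgi-bin/status.cgi",
    "sys 1700000002.45 812 httpd execve /www/cgi-bin/status.cgi",
    "http 1700000010.00 198.51.100.9 GET /cgi-bin/ping.cgi?host=127.0.0.1;id",
    "sys 1700000010.07 812 httpd execve /bin/sh -c ping -c 1 127.0.0.1;id",
]

if __name__ == "__main__":
    for alert in process(SAMPLE):
        print(alert)
```

The `request-triggered-execve` alert carries the offending request line next to the argv the daemon executed, which is the pairing slide 19 needs in order to isolate the exploit and payload from the PCAP afterwards; an `unexplained-execve` with no recent request is the case where the VMI feed alone has to be trusted.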

  27. Offline Demo

  28. (demo screenshots; no text content)

  29. Roadmap

  30. Roadmap
      - Create a web interface for managing virtual IoT environments
      - "Load" support for many more firmware images
      - Tailored QEMU VMI support for:
          - Different CPU architectures
          - Different known versions of the Linux kernel, allowing in-depth VMI
              - E.g., through Volatility / Rekall integration
      - Documentation of more relevant bug classes
          - Capability for identifying said bug classes
      - Protection against QEMU breakouts..
      - Interaction through simulation of peripherals like camera/files/sensors
      - OT/SCADA/ICS applications (virtual Borssele)
      - So much more.. ;-)

  31. Valorization

  32. Valorization: Commercial Applications
      - Fuzzing as a Service
          - Provide security testing services for hardware providers, allowing large-scale/automated testing for any firmware
      - Commercial / open source bespoke additions for specific use-cases
          - OT applications, applications for non-standard firmware
      - Hosting of virtual IoT environments
          - Creating a virtual 'digital twin' of sensitive IoT environments for research purposes
      - Collect threat intelligence to support adversary attribution research

  33. How you can help 1. Share your firmware 2. Provide testing grounds 3. Spread the word!

  34. Credits
      - The HoneyNED project team
      - Andrei Costin (ancostin@jyu.fi), Assistant Professor in Cybersecurity/IoT - welcomes research and collaboration opportunities

  35. Questions? Want to know more? Get in touch! pj@cybersprint.com | jbr@hatching.io
