HoneySpider Network 2 - FIRST · 2012. 7. 9. · HoneySpider Network 2.0 detecting client-side...
HoneySpider Network 2.0
detecting client-side attacks the easy way
Paweł Pawliński
CERT Polska / NASK
24th Annual FIRST Conference
21 June 2012
Paweł Pawliński (CERT Polska / NASK), HoneySpider Network 2.0, FIRST 2012
Outline
1 Introduction
2 Architecture
3 Services
4 Demonstration
5 Future plans
Introduction
Origins of HSN 2.0
Joint project: CERT Polska, NCSC-NL (GOVCERT.NL)
Started in 2011
Successor to HoneySpider Network version 1.x
  used in production by CERTs
  we gained experience in scanning web pages automatically
Project goals
Detect attacks on client applications: web pages, files
Apply multiple analyses: PDF, SWF, JavaScript, ...; low and high interaction honeypots
Configurable (processing details)
Scalable (crawling)
Open architecture
Architecture

Overview: HSN 1.x vs 2.0
[figure: side-by-side comparison of the 1.x and 2.0 frameworks; labels: Framework, 1.x, 2.0]

Architecture overview
[figure: block diagram; components: Framework, Operational (data), Report DB, Reporting, Web GUI, Alerts, CLI]

Technical foundations
Network communication: Advanced Message Queueing Protocol, Google Protocol Buffers
Storage: CouchDB, JSON documents; operational data + flexible mapping → persistent reports
Programming languages: Java, Python, (C++)

Configurability: sample workflow
[flowchart: Job start; decision on parameter A = "some value" (yes / no); outcomes: accepted / rejected; ...]
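
The flowchart above only shows the shape of a configurable workflow: a job starts with parameters, a step tests one of them, and the job is either accepted into the next service or rejected. The following is an added example, not HSN 2.0's own workflow language or code: a small declarative workflow engine where each step names a service and an optional guard on the job's parameters. The service names (normalizer, webclient, js-analyzer), the parameter names and the stand-in service bodies are all hypothetical.

```python
"""Configurable job workflow in the spirit of the "sample workflow" slide:
a job starts with parameters, each step checks a condition on those
parameters, and the job is accepted into the next service or rejected.
Added example with hypothetical service names; not the HSN 2.0 workflow
language."""
from dataclasses import dataclass, field
from typing import Callable

Service = Callable[[dict], dict]   # takes job parameters, returns results to merge


@dataclass
class Job:
    url: str
    params: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)   # services that ran, in order
    status: str = "running"                      # running | accepted | rejected


# Workflow definition, as an operator would configure it: ordered steps, each
# naming a service and optionally a "when" guard (parameter, required value).
# A job failing a guard is rejected at that step and runs no further service.
WORKFLOW = [
    {"service": "normalizer"},
    {"service": "webclient", "when": ("A", "some value")},
    {"service": "js-analyzer", "when": ("has_script", True)},
]


# Constructed stand-in services; real ones would be queue-connected workers.
def normalizer(params: dict) -> dict:
    return {"A": params.get("A", "").strip().lower()}


def webclient(params: dict) -> dict:
    # pretend the emulated browser reported whether the page carried script
    return {"has_script": "script" in params["url"]}


def js_analyzer(params: dict) -> dict:
    return {"verdict": "suspicious" if params["has_script"] else "benign"}


SERVICES: dict = {
    "normalizer": normalizer,
    "webclient": webclient,
    "js-analyzer": js_analyzer,
}


def run_workflow(job: Job, workflow=WORKFLOW, services=SERVICES) -> Job:
    """Drive one job through the workflow; returns it with trace and final status."""
    job.params.setdefault("url", job.url)
    for step in workflow:
        guard = step.get("when")
        if guard is not None and job.params.get(guard[0]) != guard[1]:
            job.status = "rejected"
            return job
        job.trace.append(step["service"])
        job.params.update(services[step["service"]](job.params))
    job.status = "accepted"
    return job


if __name__ == "__main__":
    for url, a in [("http://example.test/script.html", " Some Value "),
                   ("http://example.test/index.html", "other")]:
        done = run_workflow(Job(url, {"A": a}))
        print(done.status, done.trace, done.params.get("verdict"))
```

The point of keeping the workflow as data rather than code is the "configurable (processing details)" goal from the project slide: an operator can reorder steps or change a guard without touching any service, and the trace recorded on the job tells the reporting side exactly which analyses a rejected URL did and did not receive.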
Services

Implemented services
Web client emulators
HtmlUnit-based custom browser emulator: implemented in Java, uses Rhino engine, complete control over all behaviors (requests, redirects, frames), link extraction
Thug (low interaction honeypot): implemented in Python, uses V8 engine, less control, detects common attacks
These are not crawlers!
Analyzers
Static JavaScript analyzer: port from version 1, n-grams + Bayes classifier
SWF analyzer (NASK)
Shellcode detection (scdbg)
Cuckoo Sandbox
Capture-HPC: high-interaction honeypot, used in HSN 1.x, new features and stability fixes
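
The slide describes the static JavaScript analyzer only as "n-grams + Bayes classifier". The following is an added example of that approach, not the HSN analyzer's code: a multinomial naive Bayes classifier over character 3-grams of script source, trained on a small constructed corpus of ordinary page scripts and heavily obfuscated ones. The n-gram length, the smoothing constant and every training string are assumptions; HSN's actual feature set is not given on the page.

```python
"""Character n-gram + naive Bayes classifier for JavaScript, illustrating the
approach the slide attributes to the static JavaScript analyzer.  Added
example with constructed training data; it is not the HSN analyzer's code or
its feature set."""
import math
from collections import Counter

N = 3  # n-gram length (assumption; the slide does not give HSN's value)


def ngrams(text: str, n: int = N) -> Counter:
    """Count overlapping character n-grams of the script source."""
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


class NGramBayes:
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha        # Laplace smoothing so unseen n-grams do not zero a class
        self.counts = {}          # label -> Counter of n-grams seen in that class
        self.docs = Counter()     # label -> number of training documents
        self.vocab = set()

    def train(self, text: str, label: str) -> None:
        grams = ngrams(text)
        self.counts.setdefault(label, Counter()).update(grams)
        self.docs[label] += 1
        self.vocab.update(grams)

    def log_posteriors(self, text: str) -> dict:
        """log P(label) + sum over n-grams of count * log P(n-gram | label)."""
        grams = ngrams(text)
        total_docs = sum(self.docs.values())
        out = {}
        for label, cnt in self.counts.items():
            denom = sum(cnt.values()) + self.alpha * len(self.vocab)
            lp = math.log(self.docs[label] / total_docs)
            for g, k in grams.items():
                lp += k * math.log((cnt[g] + self.alpha) / denom)
            out[label] = lp
        return out

    def classify(self, text: str) -> str:
        lp = self.log_posteriors(text)
        return max(lp, key=lp.get)


# Constructed training corpus: benign page scripts vs. heavily obfuscated ones.
BENIGN = [
    "document.getElementById('menu').addEventListener('click', toggleMenu);",
    "function toggleMenu() { var m = document.querySelector('.nav'); m.classList.toggle('open'); }",
    "var items = list.map(function (x) { return x.name; }); console.log(items.join(', '));",
    "window.onload = function () { initSlider(document.querySelector('#hero')); };",
]
SUSPICIOUS = [
    "eval(unescape('%75%6e%65%73%63%61%70%65%28%27%25%37%35%27%29'));",
    "var s=''; for(i=0;i<q.length;i+=2) s+=String.fromCharCode(parseInt(q.substr(i,2),16)); eval(s);",
    "document.write(unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22'));",
    "eval(String.fromCharCode(0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e));",
]


def build_classifier() -> NGramBayes:
    clf = NGramBayes()
    for t in BENIGN:
        clf.train(t, "benign")
    for t in SUSPICIOUS:
        clf.train(t, "suspicious")
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for sample in ["eval(unescape('%61%6c%65%72%74%28%31%29'))",
                   "form.addEventListener('submit', validate);"]:
        print(clf.classify(sample), "<-", sample)
```

Character n-grams work here because obfuscation changes the surface statistics of the source (runs of percent-escapes, hex literals, calls such as eval/unescape/fromCharCode) regardless of what the decoded payload does, so the analyzer needs no JavaScript execution at all. The caveat for anyone deploying this is the corpus: a handful of strings only demonstrates the mechanism, and in practice the false-positive rate must be measured against legitimate minified and packed libraries, whose n-gram profile resembles obfuscated code far more than the hand-written samples above.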
Utilities
Feeder: file with URLs, search engine results, ...
URL normalizer
Reporter (persistent data)
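
The "URL normalizer" utility is listed without detail. As an added example of what such a component does in a scanning pipeline (not HSN 2.0's own code), the block below applies RFC 3986 syntax-based normalization so that the same page reached under different spellings is queued for analysis once. The rule of keeping the query string intact is a design choice of this example: collapsing query variants would make distinct landing pages look identical to the scanner.

```python
"""URL normalizer of the kind the "Utilities" slide lists: canonicalise a URL
so the same page fetched under different spellings is scanned once.  Added
example (RFC 3986 syntax-based normalisation), not the HSN 2.0 normalizer."""
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def normalize_percent(s: str) -> str:
    """Decode %XX only for unreserved characters; uppercase every other escape."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4: resolve "." and ".." segments; never climb above root."""
    output = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(output) > 1:          # keep the leading "" that represents "/"
                output.pop()
            continue
        output.append(seg)
    result = "/".join(output)
    if path.endswith(("/.", "/..")):     # a trailing dot segment leaves a trailing slash
        result += "/"
    return result or "/"


def normalize_url(url: str) -> str:
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""            # .hostname is already lower-cased
    port = parts.port                      # raises ValueError on a non-numeric port
    netloc = host if port is None or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    if parts.username is not None:         # keep userinfo verbatim if present
        cred = parts.username if parts.password is None else f"{parts.username}:{parts.password}"
        netloc = f"{cred}@{netloc}"
    path = remove_dot_segments(normalize_percent(parts.path))
    query = normalize_percent(parts.query)  # kept and not reordered: each variant is a distinct page
    return urlunsplit((scheme, netloc, path, query, ""))  # fragment dropped: never sent to the server


def dedupe(urls):
    """Return the distinct normalized URLs, preserving first-seen order."""
    seen, out = set(), []
    for u in urls:
        n = normalize_url(u)
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


if __name__ == "__main__":
    # constructed feeder input: one page under three spellings
    for u in dedupe(["http://EXAMPLE.com/", "http://example.com:80/#top", "http://example.com/./"]):
        print(u)
```

A normalizer like this sits between the feeder and the web clients: it decides which URLs are "the same", so its rules directly set how much duplicate work the emulators do and which variants are never seen. IPv6 literals in the host part are not handled by this example.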

Razorback integration
Razorback: short introduction
Modular IDS
Data acquisition decoupled from offline analyses
Dispatcher: routes data
Nuggets (services): collection (Snort, SMTP, ...), analyzers, enrichment (DNS, ...)
SQL database, GUI
Razorback analyzers
Universal Razorback-to-HSN 2.0 adapter
Only recompilation required, no changes to source code
Tested nuggets: swfScanner, pdfFox, clamavNugget, officeCat, virusTotal, archiveInflate

Extensibility
Open communication protocol
Well-defined data contract for each service
Open technologies: AMQP, protobuf, REST, JSON
Libraries provided for Java and Python

Demonstration
...

Future plans

Current state of HSN 2.0
All essential components implemented: framework, storage, web client
Growing set of analyzers
Functional web interface
More tests and stabilization needed

Future plans
Release as open source (soon!)
Improve management of the whole system
More analyzers: integrate existing tools, analysis of sandbox data, alternative web clients (high-interactive?)
Looking for more ideas!
Thank you for your attention.
Questions?