Wednesday, August 5, 2015

BHUSA15: Bring Back the Honey Pots

Haroon Meer is the founder of Thinkst, and Marco Slaviero is the lead researcher at Thinkst.

Honey pots are not a new concept - there are many previous talks on this. This is basic deception in warfare, another old concept. Check out: Deception for the Cyber Defender: To Err is Human; to Deceive, Divine.

Honey pots really got started in 1989 and 1991. In his 1989 paper, Bill Cheswick wrote about effectively tracking down an attacker who had broken into his network. This was really one of the first deep-dive documents on the subject. Next was The Cuckoo's Egg by Clifford Stoll (wait, also 1989?), which hit on the themes of vulnerability disclosure ethics and what the NSA is up to. Mr. Stoll also talked about the concept of honey pots.

In 2000, Lance Spitzner launched the Honeynet Project, where we all gained valuable information from the "Know Your Enemy" series.

Think about big recent attacks like at Target, where the hackers lurked for months, before actively attacking. How could that be, if we've had the concepts of honey pots for years to help folks discover when they were being attacked?

Looking at the traffic on the Honey Pot mailing list: it was very active in 2003 and was nearly dying off starting in 2007. Honey pots are just not sexy - how do you demo this? "Um, it only makes noise when there's a problem, so it mostly does ... nothing." It's easier to sell other technology.

Honey pots have traditionally been pitched badly. They are overrepresented in academic work and don't seem like an industry solution.

Studying the attack after it happened doesn't seem interesting or relevant. Honey pots were looking for what was happening, but not focused on finding new attacks.

We need these, though. We can't wait to find out that our network has been exploited when the press contacts us. Verizon noted that 95% (?) of companies only find out about attacks when a 3rd party tells them. That's simply not acceptable.

As a defender - you MUST defend ALL the time. Attackers can come and go.

There are a lot of arguments against honey pots:

Isn't this just an arms race? No, an arms race is like what we saw between the US and USSR, not what we're seeing today between the US and North Korea. You have to be at the table, making the attacker work for this.

Will honey pots just introduce new risk to our organization? No, you can run Python on a hardened server and support only minimal protocols. If you get even just one alert, you're better off than you were yesterday.

And, really, come on - we know you have an NT4 server floating around still on your network.  You've already got the risk there, but this is something that you can manage.

"These are painful to deploy! I already have to manage so many things!" The speakers have solved this with OpenCanary (https://canary.tools/), which can deploy in 3 minutes.

The speakers introduced their OpenCanary project:
  • Mixed (low + high + ?) interaction honeypot
  • Written in Python
  • Produces high quality signals
  • It's a sensor
  • Trivial to deploy and update
OpenCanary can be configured to send you lots of alerts or just a few - you can control the noise level.

It watches various protocols, looking for login attempts, NTP, SIP, and Samba.

As the name implies, the code is open source. You can configure and deploy multiple feeds across the network.

You do have to worry about discoverability. You want to make sure the honey pots are referenced (like in a naming service) and also deploy multiple honey pots so they are more likely to be found.


Of course, there is a problem that hackers might be able to fingerprint the honey pot. The speakers think this is a misguided effort. There are ways to detect when honey pot software is running on a system - look for how the system is different than it should be. Is it running a strange service or kernel module? But we need to draw the distinction: we should not confuse what methods are successful in a lab versus what works in the real world.

Canary Tokens are not new concepts - Spafford & Kim (1994) and Spitzner (2003). People do this in map making, by putting fake cities or points of interest on maps so you can tell when someone has copied it.

Canary tokens are simple unique tags that can be embedded in a wide number of places, like in a DNS channel.

You can learn more at canarytokens.com

How can tokens help us spot attackers on the network? You can watch a particular README file, and when it gets read, that triggers the canary token, which sends the alert.

You can even deploy a canary token into databases! You can tell if someone is querying on a table or a view. Same with PDF files.
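The DNS-channel token idea above, sketched as an added example (it is not code from the talk, OpenCanary or canarytokens.com). The zone `tokens.example.com`, the HMAC-derived labels and the four-field query-log format are all assumptions made for illustration:

```python
import hashlib
import hmac

ZONE = "tokens.example.com"        # assumption: a zone whose query log you control
SECRET = b"constructed-demo-key"   # assumption: per-deployment secret

def mint_token(memo: str) -> str:
    """Derive an unguessable DNS label for one planted artefact."""
    return hmac.new(SECRET, memo.encode(), hashlib.sha256).hexdigest()[:20]

def token_hostname(memo: str) -> str:
    """Hostname to embed in the README, database view, PDF and so on."""
    return f"{mint_token(memo)}.{ZONE}"

def scan_dns_log(lines, registry):
    """Return (timestamp, source, memo) for every query that hits a known token."""
    alerts = []
    suffix = "." + ZONE
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines
        ts, src, _qtype, qname = parts
        qname = qname.lower().rstrip(".")  # DNS names are case-insensitive
        if not qname.endswith(suffix):
            continue                       # also rejects look-alikes such as xtokens.example.com
        label = qname[: -len(suffix)].split(".")[-1]  # label directly left of the zone
        memo = registry.get(label)
        if memo:
            # src is normally the recursive resolver, not the endpoint itself
            alerts.append((ts, src, memo))
    return alerts

MEMOS = ["README on fileserver-01", "customers_view in billing DB"]  # constructed
REGISTRY = {mint_token(m): m for m in MEMOS}

SAMPLE_LOG = [  # constructed query-log lines: time, source, type, name
    "2015-08-05T10:02:11Z 10.0.4.17 A www.example.com.",
    f"2015-08-05T10:02:40Z 10.0.4.17 A {token_hostname(MEMOS[0]).upper()}.",
    f"2015-08-05T10:03:05Z 10.0.9.3 TXT host7.{token_hostname(MEMOS[1])}",
    f"2015-08-05T10:03:09Z 10.0.9.3 A {mint_token(MEMOS[0])}.x{ZONE}",
    "2015-08-05T10:03:30Z 10.0.9.3 A " + "0" * 20 + "." + ZONE,
]

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG, REGISTRY):
        print("CANARY", *alert)
```

Only the second and third sample lines raise an alert; the ordinary lookup, the look-alike zone and the unregistered label are ignored, which keeps the signal quiet until a planted artefact is actually touched.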

Interesting use of Bing ads, etc. Cool talk!

(sorry if these notes are spotty, the speakers flashed through their slides REALLY fast, it was hard to catch everything).