Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/599 Thanks!

And I have to make an announcement. This talk is just a honeypot. You can all go. They don't believe me, you see. OK, who of you has a honeypot? One, two, three. Can we have a little bit more light on the audience, please, so I can see some? Thank you. A couple of you have honeypots running. And do you think they are secure? Do you think they can't be used against you? Think again. Dean Sysman and Itamar Sher will now present to you how honeypots can be deceived and actually be used against you. A warm applause.

OK, hello, everyone. Unfortunately for us, Gadi had to miss this talk, so we'll make do without him, even though he's a very... you know, he brings a lot of weight to every talk. If he was here, you would realize it's funny because he's fat.
But everyone... OK, so what essentially are we going to talk about? What we're going to do is show you how a honeypot can be used to your advantage, but then how it's been used before and how we can improve on it and what disadvantages it brings when it's being used. Right.

OK, so just a disclaimer. This is a technical talk. We're going to go into a lot of technical material. But as you will see, which is the surprising fact, there's very little knowledge required in order to, you know, circumvent a lot of the honeypots that are very popular today. So the technology here is going to be pretty basic and pretty fundamental.

And this is about us. We all work together at Cymmetria, all pretty, you know, been doing this for many, many years, and this is a big part of our lives and part of the community, obviously.
Right, so first of all, I'd just like to talk about what the hell is cyber deception? It's this weird buzzword that you would, you know, imagine a lawyer using and not really understanding what it means. What we're talking about is we would like to be able to take the attacker's behavior and his methodology and be able to impact it, because if we're able to impact that, we're able to gain detection, mitigation, you know, prevention. A lot of very interesting stuff that deception gives us as soon as we're able to influence the attacker's decision-making process.

Right, so a lot of people have been advancing this field a lot, even a lot of German people. Fred Cohen's Deception Toolkit was the first thing that ever came out that talked about deception. Lance Spitzner and the Honeynet Project have been doing amazing work, and they've really advanced this field a lot over the last few decades.
But what we will be talking about is how the perception of what honeypots can do for us today is very different than what people usually perceive that they do. So what's the difference between an attack and an attacker? Right. An attack is a specific piece of technology that changes very dynamically and is very hard to capture. And that's what a lot of the, you know, intrusion detection tools nowadays are trying to figure out how to detect. And it's very difficult. Everybody knows about the false positive problem and everything, but the attackers usually have a very definitive method of how they work. Right. There's the first beachhead, which gets through spear phishing. Then you do lateral movement in the network. You gain domain credentials, and then you look for the intelligence you're looking for. Right. And this is very hard to change or very hard to, you know, dynamically do differently. And this is sort of how the attacker feels when he's inside.
You're in there, there's this fog of war: I've infiltrated a network and now I want to get to the information I'm looking for. But I have no idea what's going on. And this is one of the only advantages the defenders have over an attacker, and that is that they know their network much, much better than the attacker does. So why not use that advantage for your own benefit? Right.

And if we look at this in a more strategic way, in the U.S. Army, in the Air Force, they came up with this methodology called the OODA loop, and OODA means observe, orient, decide and act. And this is like a strategic algorithm for, you know, tactical situations. And if you can influence the observation period, then obviously you're able to influence the entire behavior of the attacker. Right. So what we basically want to do is this. Right. Even though this is a bad metaphor, because Wile E. Coyote usually loses to the Road Runner.
But this is essentially what deception is and what honeypots have been trying to implement. Right. So this could actually be a very big change if we're able to deceive attackers. Right. Because deceiving an attacker might be something that's very economically cheap for us but very expensive for the attacker, which is something we don't have today.

And when we're talking about what the elements of doing cyber deception are, it all comes down to something very basic, which is the decoy, which is this one unit of deception in a digital network.

OK, so one of the advantages of doing this is that when an attacker gets to a decoy and attacks it, by definition, nobody knows about this decoy. Nobody should be accessing it. Nobody should be talking to it. We know that whoever is talking to it on our network is an attacker or some sort of threat that's looking around and doing stuff he shouldn't be doing.
And this gives you very clear-cut knowledge about what's going on in your network and who's trying to do stuff they shouldn't be doing. Right. And specifically, if you get any new code execution being run on that decoy, you know for 100 percent that new code is an attack. Right.

OK, so now we're going to go into some descriptions. The most popular honeypots out there are what people call low-interaction honeypots, and we'll go into defining what that is pretty soon. But what they're very useful for is malware, known malware, automatic exploitation, botnet scanning and all that sort of stuff. But they are very limited. And the reason for that is they do emulation of stuff on the network. They don't do the actual stuff. They just simulate it. And then when an attacker reaches it, there's a risk for the defender.
And that risk is that if the defender doesn't deceive the attacker, you know, 100 percent, if an attacker is aware of being deceived, he can use that against the defender. Right. If you know where a honeypot is deployed in a network and you want to attack that network, what you'll be doing is just, you know, DoSing that honeypot, because the alerts from that will take all the attention of the defender. And then you can go about it whichever way you want. Right.

OK, so what's the difference between low-interaction and high-interaction honeypots? So low-interaction is, like we said, just a simulation of some network protocol. High-interaction honeypots are the actual machines themselves that the attacker can actually successfully attack. Right. Because we want him to be able to do whatever he's doing and feel like it's a real machine.

And now for a little understanding and terminology: being able to fingerprint a honeypot, is that a vulnerability?
Well, it's an interesting question because, for example, Tor has a lot of code execution vulnerabilities. These are pretty obviously vulnerabilities. But in Tor, what we're actually interested in finding is the user's original IP. Right, because that's the objective of Tor. So, for example, if you could find the specific IP of a Tor user, is that considered a vulnerability? Well, we feel it is. But, you know, terminology here is pretty... it's a pretty gray area, right?

OK, so when we're talking about low-interaction honeypots, those are just simulations of network services, right? Could be SMB, SMTP, DNS, all the popular stuff that hackers are looking for and wanting to exploit. It's pretty easy. Just basically what happens is people write some sort of script that implements the protocol's behavior and the way it answers queries and everything. And then we can see who's talking to us.
And that way we can monitor who's an attacker and who's not. High-interaction honeypots are the actual systems themselves. So, for example, if I'm trying to show an SMB server, what I'll be doing is actually have a real SMB server running. And the difference is that this is much harder to monitor. Right. For example, if you put up a Windows machine and try to monitor all the SMB traffic to it on the network, it's insanity, right? Because the amount of noise is incredible. And then we again go back to the regular problem of, you know, false positives and how to differentiate noise from stuff that isn't noise.

OK, so when we started the thing, we tried to find out who else knows how to find honeypots in networks, and Shodan has this interesting website which is called Honeyscore. And in Honeyscore, you give it an IP and then it tells you if it's a honeypot or not. And we started playing around with this and we couldn't get it to say something is a honeypot. Right.
So we actually created an online public-facing IP with honeypots and gave it the IP, and it couldn't detect that it's a honeypot. So we tried to figure out what does it actually detect? And then we found out about something called Conpot. Right. So Conpot is a SCADA-type honeypot. What it does is it looks like a SCADA machine, but it only implements a very small part of the protocol. And what happens, one of the Shodan guys did some research into how it works. And he found out that every Conpot implementation out there has the same name, which is Mouser Factory. Right. Which is not very deceiving.

But then somebody figured out that that's the default and people made it configurable. So you can change it to whatever you want. Then there was another guy online called Sean Murdunna, who found out that they all have the same serial number. And this is also not configurable.
So if you go on Shodan online, you put in this number, you find a bunch of honeypots deployed around the world. Right. And then when we tried it and took one of those IPs into Shodan, then we finally got it to recognize that it's a honeypot. Right. So other people have been trying to attempt this because it gives a lot of value, but it doesn't really work for most of the honeypots out there.

OK. OK, somebody in the audience asked me to talk slowly, so I'll try. Thank you. OK, so what we will be doing is going through each project.

What we'll be doing is going through a lot of the popular honeypot projects, from the most simply implemented ones to the most complex ones, and show how each gives you another layer of deception, but how we use that layer and, you know, circumvent it or use it to our advantage. Right. So we start with Artillery. Artillery is a pretty cool project. What it does... it's very popular.
You just run it on a system. And what happens is it opens up all the ports that are closed that look like something that's interesting to an attacker. Right. So SMB, DNS, HTTP, whatever. And whenever somebody is trying to access one of those ports, what happens is this. Right? So it just gives you random information when you're trying to access one of the ports that Artillery set up, and then it blocks you. The way it blocks is by putting in a rule in iptables for your IP. Right. So the thinking is I'm defending a network. Right. And I want to have a honeypot on all my machines. I run Artillery. And then if somebody is trying to exploit stuff against, I don't know, SMB servers, they'll hit one of my machines and then they'll get blocked because iptables has blocked them. Right.

Obviously, this doesn't look very deceiving. Right.
If I'm in a network and I'm trying to talk to some sort of port, this doesn't look like SMB.

And like I said, what it does, it just gives you random data. No real deception being employed, but it blocks the IP that it sees. Right. This is very dangerous. The reason for that is if the network doesn't have any protection against network spoofing, you can spoof any IP you want and Artillery will block it. The reason being is you can just send it two packets with the source IP changed, and it doesn't try and connect back to the original source and see if they're true. Right. So just by sending two packets, you can make the machine that's running Artillery block any IP you want. And this even works for the gateway. Right? So you can just make it drop from the network completely and not have any network connectivity.
All right, so what can we learn from Artillery's work is that if there is a port and nobody should be touching it, and somebody is touching it, then that's an indicator of attacker activity.

And so now let's switch our hats and think as attackers, now that we know that Artillery is out there. What do we do? So now we need to consider that every place we're connecting to might be a trap, and we need to check if it's actually real. Right.

OK, and next, we go to Bear Trap. So Bear Trap actually implements some of the services it's broadcasting and tries to make sense of it. The biggest one it's trying to implement is FTP, right. And when you talk to Bear Trap on FTP, you get this banner. Now, if you know Bear Trap is a honeypot, getting this banner is sort of shooting yourself in the foot. Right. It should have just said, hi, this is a honeypot. Right.
So this is bad, but actually the banner is configurable, so you can change it to anything you want. But having this as the default is already pretty, you know, not considering how to actually really deceive an attacker.

So another thing we tried to find out that isn't configurable, and ultimately in Bear Trap, is that anything you give as an FTP protocol command just returns 530. OK, this makes no sense in the definition of the protocol. So no other service in the world should be acting this way. And this is a clear-cut way of detecting Bear Trap. Right.

By definition of the protocol, when you give it a USER command, it has to return a specific answer, and returning 530 doesn't make any sense because it's not the specific answer that's expected. So this detects Bear Trap very effectively. Right.
And if we look at other FTP servers like vsftpd, which is very popular, what happens when you ask for certain stuff? It replies with a certain reply, right.

Cool, so Bear Trap also suffers from the same problem with IP spoofing as Artillery does, the exact same thing. As soon as it sees somebody connecting to it, it asks for the user and password. As soon as that is passed on, it blocks you through an iptables rule. And of course, it doesn't check anything. So if your IP is spoofed, you can also drop that machine completely from the network.

All right, so what did we learn from Bear Trap's work is that if you implement a service, it's much, much smarter, much more deceiving to an attacker. But now if we're looking at this from an attacker's perspective, I should be looking for indicators of deception. Right. So now attackers should be looking for the stuff that would make it obvious that this is a honeypot, like that Bear Trap port and the banner. Right.
498 00:17:47,340 --> 00:17:48,510 OK, so now we get to Honeyd. 499 00:17:49,590 --> 00:17:51,629 Honeyd, this is probably the most 500 00:17:51,630 --> 00:17:54,539 well-known honeypot. 501 00:17:54,540 --> 00:17:56,219 What it is, actually, it's more, much 502 00:17:56,220 --> 00:17:58,529 more of a platform than an actual 503 00:17:58,530 --> 00:17:59,699 honeypot. 504 00:17:59,700 --> 00:18:01,799 And this is pretty cool because it 505 00:18:01,800 --> 00:18:04,469 makes you able to write different, 506 00:18:04,470 --> 00:18:06,389 different things into Honeyd. 507 00:18:06,390 --> 00:18:08,579 So essentially, you can create different 508 00:18:08,580 --> 00:18:10,679 types of network services, and for 509 00:18:10,680 --> 00:18:13,019 each network service you 510 00:18:13,020 --> 00:18:15,089 put in a script that implements that 511 00:18:15,090 --> 00:18:16,049 protocol. 512 00:18:16,050 --> 00:18:19,079 Right. But the problem is that 513 00:18:19,080 --> 00:18:21,329 Honeyd comes with a lot of 514 00:18:21,330 --> 00:18:23,549 default protocol scripts, 515 00:18:23,550 --> 00:18:24,989 which everybody uses because you don't 516 00:18:24,990 --> 00:18:26,909 want to be, you know, replicating very 517 00:18:26,910 --> 00:18:29,339 well-known protocols like FTP 518 00:18:29,340 --> 00:18:31,619 or something for DNS or SSH 519 00:18:31,620 --> 00:18:32,620 or whatever. 520 00:18:33,180 --> 00:18:34,889 And in these protocols, you can find a 521 00:18:34,890 --> 00:18:36,779 lot of very easy ways to fingerprint 522 00:18:36,780 --> 00:18:37,829 it. Right.
523 00:18:37,830 --> 00:18:40,109 So first of all, when you use 524 00:18:40,110 --> 00:18:42,299 Honeyd for something that resembles 525 00:18:42,300 --> 00:18:44,519 an IIS server, there's this 526 00:18:44,520 --> 00:18:47,459 command on the top that 527 00:18:47,460 --> 00:18:49,649 Honeyd tries to implement because it's a 528 00:18:49,650 --> 00:18:52,049 way that a lot of automatic online 529 00:18:52,050 --> 00:18:54,209 scanning tools use to try 530 00:18:54,210 --> 00:18:56,549 and find ways of getting 531 00:18:56,550 --> 00:18:58,559 lists from IIS servers. 532 00:18:58,560 --> 00:19:00,089 This was an old vulnerability. 533 00:19:00,090 --> 00:19:02,459 And I guess what happens 534 00:19:02,460 --> 00:19:04,529 is it returns the exact same 535 00:19:04,530 --> 00:19:06,569 reply every time. 536 00:19:06,570 --> 00:19:09,089 And if you look at the modification time 537 00:19:09,090 --> 00:19:11,159 on those files, this is a server 538 00:19:11,160 --> 00:19:13,469 that nobody has been nobody has touched 539 00:19:13,470 --> 00:19:15,029 in over 15 years. 540 00:19:15,030 --> 00:19:17,099 Right. So first of all, this is not 541 00:19:17,100 --> 00:19:18,179 very believable. 542 00:19:18,180 --> 00:19:20,669 And secondly, very easy 543 00:19:20,670 --> 00:19:23,189 to fingerprint in order to 544 00:19:23,190 --> 00:19:24,869 detect Honeyd. 545 00:19:24,870 --> 00:19:25,870 Right. So 546 00:19:27,180 --> 00:19:28,979 if we look at the other sort of 547 00:19:28,980 --> 00:19:31,259 protocols, there's a lot of other 548 00:19:31,260 --> 00:19:32,339 ways to fingerprint. 549 00:19:32,340 --> 00:19:34,649 For example, the FTP doesn't 550 00:19:34,650 --> 00:19:36,989 support the DELE command, which 551 00:19:36,990 --> 00:19:39,029 lets you delete files.
552 00:19:39,030 --> 00:19:40,799 I'm assuming they did this on purpose 553 00:19:40,800 --> 00:19:43,529 because it's very scary to enable 554 00:19:43,530 --> 00:19:45,149 deletion of files on a honeypot, because 555 00:19:45,150 --> 00:19:47,219 if you have any sort of bug in 556 00:19:47,220 --> 00:19:50,069 that, you're really risking your system. 557 00:19:50,070 --> 00:19:53,189 Secondly, the SSH script for some reason 558 00:19:53,190 --> 00:19:54,119 doesn't do anything. 559 00:19:54,120 --> 00:19:55,649 It just opens up the port and doesn't 560 00:19:55,650 --> 00:19:57,869 reply at all. 561 00:19:57,870 --> 00:20:00,359 So that's another way of detecting it. 562 00:20:00,360 --> 00:20:02,249 And in any case, it will be very obvious 563 00:20:02,250 --> 00:20:04,349 to the attacker that this is Honeyd. 564 00:20:04,350 --> 00:20:05,350 Right. 565 00:20:05,910 --> 00:20:07,979 So how would I go about fixing that, 566 00:20:07,980 --> 00:20:09,779 for example? And I guess I would just 567 00:20:09,780 --> 00:20:11,849 return an empty dir list. 568 00:20:11,850 --> 00:20:14,009 And you have to really realize 569 00:20:14,010 --> 00:20:15,599 that there's a lot of information that 570 00:20:15,600 --> 00:20:17,729 you have to make believable, both 571 00:20:17,730 --> 00:20:20,039 the timestamps, the byte counts and 572 00:20:20,040 --> 00:20:22,079 the volume serial number. You should 573 00:20:22,080 --> 00:20:24,029 randomize them periodically. 574 00:20:24,030 --> 00:20:25,559 That's the only way to make it look like 575 00:20:25,560 --> 00:20:26,489 it's actually real. 576 00:20:26,490 --> 00:20:27,490 Right. 577 00:20:28,680 --> 00:20:30,299 And what can we learn from Honeyd's work 578 00:20:30,300 --> 00:20:32,399 is that if we implement the 579 00:20:32,400 --> 00:20:34,469 service, we have to give no obvious 580 00:20:34,470 --> 00:20:35,879 indications.
581 00:20:35,880 --> 00:20:37,379 And as you realize, there's no place in 582 00:20:37,380 --> 00:20:38,939 the replies of Honeyd that 583 00:20:38,940 --> 00:20:39,899 says, right, "Hi, 584 00:20:39,900 --> 00:20:42,239 I'm a honeypot" like Beartrap, which is 585 00:20:42,240 --> 00:20:43,529 a huge step forward. 586 00:20:44,580 --> 00:20:46,719 But now from an attacker's perspective, 587 00:20:46,720 --> 00:20:48,749 for every service that we're talking to, 588 00:20:48,750 --> 00:20:50,369 we should be looking if it's partially 589 00:20:50,370 --> 00:20:52,169 implemented or actually really 590 00:20:52,170 --> 00:20:53,170 implemented. 591 00:20:54,660 --> 00:20:57,569 Right, so next up is Nova. 592 00:20:57,570 --> 00:20:59,819 Nova is pretty cool. What 593 00:20:59,820 --> 00:21:02,999 it does is just essentially use Honeyd 594 00:21:03,000 --> 00:21:05,129 in a more solution-type 595 00:21:05,130 --> 00:21:07,259 perspective. So it takes it gives you 596 00:21:07,260 --> 00:21:09,899 this very cool user interface 597 00:21:09,900 --> 00:21:12,119 where you can create machines and look 598 00:21:12,120 --> 00:21:14,159 at the logs, and they have pre- 599 00:21:14,160 --> 00:21:15,059 configurations. 600 00:21:15,060 --> 00:21:17,519 Instead of just running specific 601 00:21:17,520 --> 00:21:19,709 scripts for specific ports, it 602 00:21:19,710 --> 00:21:21,359 actually does a full-blown machine, so it 603 00:21:21,360 --> 00:21:23,159 can create a Windows machine, a Linux 604 00:21:23,160 --> 00:21:25,259 machine and whatever, and it 605 00:21:25,260 --> 00:21:26,639 looks like actual real machines on the 606 00:21:26,640 --> 00:21:27,640 network.
607 00:21:28,740 --> 00:21:30,449 The problem is when you create a Windows 608 00:21:30,450 --> 00:21:32,939 machine, the default Windows config 609 00:21:32,940 --> 00:21:35,219 has no NetBIOS service 610 00:21:35,220 --> 00:21:38,039 script. Now, NetBIOS is a very 611 00:21:38,040 --> 00:21:40,289 old protocol which exists on every 612 00:21:40,290 --> 00:21:41,399 Windows machine. 613 00:21:41,400 --> 00:21:42,809 And there's a lot of usage in the 614 00:21:42,810 --> 00:21:45,449 networks for Windows machines 615 00:21:45,450 --> 00:21:47,879 using NetBIOS for network 616 00:21:47,880 --> 00:21:49,439 discovery. 617 00:21:49,440 --> 00:21:51,569 So what happens is what Nova does 618 00:21:51,570 --> 00:21:53,669 in its basic configurations, default 619 00:21:53,670 --> 00:21:55,949 configuration, is create an open 620 00:21:55,950 --> 00:21:58,019 port for NetBIOS and allow 621 00:21:58,020 --> 00:21:59,789 connections to it, but it doesn't 622 00:21:59,790 --> 00:22:01,349 implement the service at all. 623 00:22:01,350 --> 00:22:03,299 So there's this open port which you can 624 00:22:03,300 --> 00:22:05,519 talk to, but it never gives 625 00:22:05,520 --> 00:22:06,520 you any answer. 626 00:22:07,620 --> 00:22:09,149 This is a situation that would never 627 00:22:09,150 --> 00:22:11,009 happen on a Windows machine. 628 00:22:11,010 --> 00:22:12,929 The only two options are either it would talk 629 00:22:12,930 --> 00:22:15,179 to you, or if it's firewalled off, 630 00:22:15,180 --> 00:22:17,039 then the port would seem closed. 631 00:22:17,040 --> 00:22:18,419 Right. So this is something that 632 00:22:18,420 --> 00:22:21,059 clear-cut shows that this is a Nova 633 00:22:21,060 --> 00:22:22,160 Windows machine. Right.
634 00:22:23,710 --> 00:22:25,959 A possible fix for this is maybe 635 00:22:25,960 --> 00:22:27,279 including the latest version of 636 00:22:27,280 --> 00:22:29,439 Honeyd, which also has the NetBIOS 637 00:22:29,440 --> 00:22:31,509 script implemented, or just not 638 00:22:31,510 --> 00:22:33,129 opening it, so it looks like it's 639 00:22:33,130 --> 00:22:34,130 firewalled, right? 640 00:22:35,900 --> 00:22:37,969 So what can we learn from Nova's work is 641 00:22:37,970 --> 00:22:39,559 that we should implement a service 642 00:22:39,560 --> 00:22:40,959 completely, right? 643 00:22:40,960 --> 00:22:42,829 Now from an attacker's perspective, 644 00:22:42,830 --> 00:22:44,909 we learn that we should look at the 645 00:22:44,910 --> 00:22:47,119 set of services completely. 646 00:22:47,120 --> 00:22:49,219 Right. Make it seem like it's 647 00:22:49,220 --> 00:22:51,619 one whole machine and then realize 648 00:22:51,620 --> 00:22:52,620 if it makes sense. 649 00:22:55,280 --> 00:22:57,529 OK, now for Kippo. So Kippo 650 00:22:57,530 --> 00:22:59,629 is pretty cool. Kippo was 651 00:22:59,630 --> 00:23:02,239 a medium-interaction 652 00:23:02,240 --> 00:23:04,909 SSH honeypot, which means it actually 653 00:23:04,910 --> 00:23:06,979 gives you an SSH shell, 654 00:23:06,980 --> 00:23:08,359 which you can use. 655 00:23:08,360 --> 00:23:10,039 But this is only partially implemented, 656 00:23:10,040 --> 00:23:11,890 of course, because it's being monitored. 657 00:23:13,280 --> 00:23:15,229 So there's been a lot of research over 658 00:23:15,230 --> 00:23:17,569 the years on how to detect Kippo. 659 00:23:19,400 --> 00:23:21,170 One of the ways that 660 00:23:22,310 --> 00:23:23,569 people have been talking about is, 661 00:23:23,570 --> 00:23:25,339 obviously like we've been discussing, a 662 00:23:25,340 --> 00:23:28,519 lot of the commands aren't implemented.
663 00:23:28,520 --> 00:23:29,779 But one of the commands that is 664 00:23:29,780 --> 00:23:31,999 implemented is wget. 665 00:23:32,000 --> 00:23:34,069 The reason wget is implemented 666 00:23:34,070 --> 00:23:36,349 is because when an attacker accesses 667 00:23:36,350 --> 00:23:38,479 that SSH honeypot, you want 668 00:23:38,480 --> 00:23:40,909 him to be able to download 669 00:23:40,910 --> 00:23:42,649 his tools, his malware and stuff. 670 00:23:42,650 --> 00:23:44,089 He wants to run the machine. 671 00:23:44,090 --> 00:23:45,799 So they're actually implementing wget. 672 00:23:45,800 --> 00:23:47,989 And this is a pretty big issue because 673 00:23:47,990 --> 00:23:50,119 this could be used for detecting 674 00:23:50,120 --> 00:23:52,399 other machines through the SSH 675 00:23:52,400 --> 00:23:54,589 honeypot. It could be used to scan 676 00:23:54,590 --> 00:23:55,969 other parts of the network. 677 00:23:55,970 --> 00:23:57,649 And basically you're getting your own 678 00:23:57,650 --> 00:23:59,779 relay against the 679 00:23:59,780 --> 00:24:01,969 Web for everything on 680 00:24:01,970 --> 00:24:05,049 HTTP that you can use for yourself. 681 00:24:05,050 --> 00:24:07,159 So this is a big problem, 682 00:24:07,160 --> 00:24:09,289 right? Another thing that people have 683 00:24:09,290 --> 00:24:11,449 done is they look at how Kippo does 684 00:24:11,450 --> 00:24:13,009 SSH authentication. 685 00:24:13,010 --> 00:24:15,229 Right. And as it turns out, this 686 00:24:15,230 --> 00:24:18,169 is the part from Kippo's source code. 687 00:24:18,170 --> 00:24:20,779 This is a fingerprinting 688 00:24:20,780 --> 00:24:22,699 problem that's been fixed already. 689 00:24:22,700 --> 00:24:24,859 What it does is it gives 690 00:24:24,860 --> 00:24:26,749 you, when you ask which protocol do you 691 00:24:26,750 --> 00:24:28,909 want to use, it just says, I 692 00:24:28,910 --> 00:24:29,839 support everything.
693 00:24:29,840 --> 00:24:31,699 Right. And this doesn't work in the 694 00:24:31,700 --> 00:24:34,180 way that most or all of the SSH 695 00:24:35,810 --> 00:24:38,119 key, you know, exchange 696 00:24:38,120 --> 00:24:39,199 mechanisms work. 697 00:24:39,200 --> 00:24:41,329 Right. So this is very clear-cut for 698 00:24:41,330 --> 00:24:42,589 recognizing Kippo. 699 00:24:44,520 --> 00:24:46,499 And after all those fixes, we were 700 00:24:46,500 --> 00:24:48,719 interested in looking for something that, 701 00:24:48,720 --> 00:24:50,999 even after all that, still 702 00:24:51,000 --> 00:24:52,109 identifies Kippo. 703 00:24:52,110 --> 00:24:53,679 So we found a few things. 704 00:24:53,680 --> 00:24:55,829 One is that if you run the command 705 00:24:55,830 --> 00:24:58,199 uname, it gives you the same thing 706 00:24:58,200 --> 00:25:00,419 all the time. The only difference that 707 00:25:00,420 --> 00:25:01,949 it does is it changes the name of the 708 00:25:01,950 --> 00:25:03,029 machine that you chose in your 709 00:25:03,030 --> 00:25:04,529 configuration. 710 00:25:04,530 --> 00:25:06,239 Now, this is pretty cool because it gives 711 00:25:06,240 --> 00:25:07,559 the compile time of the kernel. 712 00:25:07,560 --> 00:25:10,139 This is a pretty unique identifier. 713 00:25:10,140 --> 00:25:12,689 So if you use the string 714 00:25:12,690 --> 00:25:14,099 and look it up on Google, 715 00:25:15,210 --> 00:25:17,279 what you get is a lot of people 716 00:25:17,280 --> 00:25:18,209 who are I.T. 717 00:25:18,210 --> 00:25:20,159 admins who are connecting to stuff on 718 00:25:20,160 --> 00:25:21,989 their network and they're saying, guys, 719 00:25:21,990 --> 00:25:24,149 this is an SSH machine 720 00:25:24,150 --> 00:25:26,399 on my network and it's acting really 721 00:25:26,400 --> 00:25:29,189 weird. I have no idea what this is. 722 00:25:29,190 --> 00:25:30,509 Here's the uname.
If you guys can 723 00:25:30,510 --> 00:25:32,579 figure out what's wrong with it, 724 00:25:32,580 --> 00:25:33,580 which is pretty funny. 725 00:25:35,800 --> 00:25:38,139 So a possible fix for this issue 726 00:25:38,140 --> 00:25:40,299 is either give the actual machine's 727 00:25:40,300 --> 00:25:42,669 kernel timestamp, which 728 00:25:42,670 --> 00:25:44,769 Kippo is running on, or just 729 00:25:44,770 --> 00:25:46,630 randomize it from a logical set. 730 00:25:48,400 --> 00:25:50,019 And what can we learn from Kippo's work 731 00:25:50,020 --> 00:25:52,389 is that now the honeypot 732 00:25:52,390 --> 00:25:54,549 not only gives you indication of 733 00:25:54,550 --> 00:25:56,889 the attacker's activity, it also tries 734 00:25:56,890 --> 00:25:58,809 to collect information from him. 735 00:25:58,810 --> 00:26:00,879 And this is pretty cool because the 736 00:26:00,880 --> 00:26:02,979 more information we get from the attacker 737 00:26:02,980 --> 00:26:04,989 that we can say this is the attacker's 738 00:26:04,990 --> 00:26:07,209 toolset or the stuff he's doing, we 739 00:26:07,210 --> 00:26:08,929 can create stronger mitigation. 740 00:26:08,930 --> 00:26:10,749 Right. Because if there's an actor 741 00:26:10,750 --> 00:26:12,099 that's attacking us and they put the 742 00:26:12,100 --> 00:26:14,229 sample on that SSH 743 00:26:14,230 --> 00:26:16,329 Kippo machine and we block that 744 00:26:16,330 --> 00:26:18,099 sample, now we gain some sort of 745 00:26:18,100 --> 00:26:19,100 mitigation. 746 00:26:20,670 --> 00:26:22,409 And if we look at an attacker's 747 00:26:22,410 --> 00:26:25,559 perspective now, not only are we 748 00:26:25,560 --> 00:26:27,479 in danger of being detected, now we're in 749 00:26:27,480 --> 00:26:29,699 danger of being caught, right, or 750 00:26:29,700 --> 00:26:31,769 mitigated against in that network 751 00:26:31,770 --> 00:26:32,770 we're talking to.
752 00:26:33,890 --> 00:26:36,029 OK, and the next step is now 753 00:26:36,030 --> 00:26:38,509 Dionaea. Dionaea is a very impressive project. 754 00:26:38,510 --> 00:26:40,639 If I go ahead and read the description: 755 00:26:40,640 --> 00:26:42,829 Dionaea's intention is to trap malware 756 00:26:42,830 --> 00:26:45,379 exploiting vulnerabilities exposed 757 00:26:45,380 --> 00:26:48,109 by services offered to a network. 758 00:26:48,110 --> 00:26:50,449 The ultimate goal is gaining a copy 759 00:26:50,450 --> 00:26:51,769 of the malware. 760 00:26:51,770 --> 00:26:53,419 And this is exactly what we talked about. 761 00:26:53,420 --> 00:26:55,699 The ultimate goal of deception 762 00:26:55,700 --> 00:26:57,799 against attackers is gaining their 763 00:26:57,800 --> 00:26:59,239 tools, right? Gaining the malware, 764 00:26:59,240 --> 00:27:01,609 gaining the C&C server, gaining the 765 00:27:01,610 --> 00:27:03,349 exploit, the credentials, whatever, 766 00:27:03,350 --> 00:27:04,350 whatever. Right. 767 00:27:05,780 --> 00:27:08,209 And this will 768 00:27:08,210 --> 00:27:10,309 in the end lead to effective 769 00:27:10,310 --> 00:27:11,630 mitigation, which is very, 770 00:27:12,830 --> 00:27:14,880 you know, the holy grail of security. 771 00:27:16,880 --> 00:27:19,159 So there used to be 772 00:27:19,160 --> 00:27:21,889 a very easy way of detecting Dionaea. 773 00:27:21,890 --> 00:27:23,869 If you would scan the honeypot with nmap, 774 00:27:23,870 --> 00:27:26,299 you would get an obscure server 775 00:27:26,300 --> 00:27:28,439 that says I'm a Dionaea honeypot 776 00:27:28,440 --> 00:27:29,440 MySQL server. 777 00:27:31,820 --> 00:27:33,829 Again, this is a problem since it's 778 00:27:33,830 --> 00:27:35,989 obvious, and this is not 779 00:27:35,990 --> 00:27:37,749 a very good way of deceiving attackers, 780 00:27:38,810 --> 00:27:41,029 and this 781 00:27:41,030 --> 00:27:43,009 has been fixed in the past.
782 00:27:43,010 --> 00:27:44,690 It doesn't do that today. 783 00:27:46,130 --> 00:27:48,229 But something very interesting we 784 00:27:48,230 --> 00:27:50,659 realized when we were researching Dionaea 785 00:27:50,660 --> 00:27:52,669 and we talked to Markus, the maintainer 786 00:27:52,670 --> 00:27:54,799 of the project, who is a very awesome guy, and 787 00:27:54,800 --> 00:27:57,049 they're doing a lot of very cool work. 788 00:27:57,050 --> 00:27:59,089 Somebody wrote to Markus. 789 00:27:59,090 --> 00:28:01,309 He told him, when 790 00:28:01,310 --> 00:28:03,169 I'm working with Dionaea, there's a lot of 791 00:28:03,170 --> 00:28:05,509 stuff that doesn't behave like 792 00:28:05,510 --> 00:28:07,729 the usual thing I would think 793 00:28:07,730 --> 00:28:09,979 is behind the honeypot would behave. 794 00:28:09,980 --> 00:28:12,379 Right. There's a lot of stuff that behaves 795 00:28:12,380 --> 00:28:14,269 weird and people could detect the 796 00:28:14,270 --> 00:28:15,649 honeypot through that. 797 00:28:15,650 --> 00:28:18,049 And then he says by the end, 798 00:28:19,250 --> 00:28:20,179 which is something interesting: 799 00:28:20,180 --> 00:28:22,069 Well, I'm totally aware of the problems 800 00:28:22,070 --> 00:28:23,149 you point out. 801 00:28:23,150 --> 00:28:25,279 But besides from these three, which are just the 802 00:28:25,280 --> 00:28:26,659 tip of the iceberg, 803 00:28:26,660 --> 00:28:28,789 there is very little I can do about 804 00:28:28,790 --> 00:28:31,009 it. And this basically means that 805 00:28:31,010 --> 00:28:32,989 all the people maintaining the 806 00:28:32,990 --> 00:28:35,179 different honeypot projects realize that 807 00:28:35,180 --> 00:28:37,279 this will never be able to 808 00:28:37,280 --> 00:28:39,349 deceive an advanced attacker. 809 00:28:39,350 --> 00:28:41,609 Somebody who's aware that 810 00:28:41,610 --> 00:28:43,969 he might be interacting with a honeypot
811 00:28:43,970 --> 00:28:46,309 will always have ways of detecting 812 00:28:46,310 --> 00:28:48,289 low-interaction type honeypots. 813 00:28:49,850 --> 00:28:53,059 Right. So, for example, in Dionaea, 814 00:28:53,060 --> 00:28:55,429 something new that we discovered 815 00:28:55,430 --> 00:28:57,829 is that when you run the HTTPS 816 00:28:57,830 --> 00:29:00,859 server service in Dionaea, 817 00:29:00,860 --> 00:29:02,959 it's signed by a certificate 818 00:29:02,960 --> 00:29:05,179 and that certificate's issuer 819 00:29:05,180 --> 00:29:07,520 is as you, Earl, 820 00:29:08,540 --> 00:29:11,029 which is not very deceiving. 821 00:29:11,030 --> 00:29:12,139 Right. 822 00:29:12,140 --> 00:29:14,539 Secondly, if you use the FTP service, 823 00:29:15,560 --> 00:29:17,539 it allows you to log in using any 824 00:29:17,540 --> 00:29:20,029 username and password combination. 825 00:29:20,030 --> 00:29:22,159 I have yet to see an authentication 826 00:29:22,160 --> 00:29:24,319 mechanism that allows two different 827 00:29:24,320 --> 00:29:26,419 passwords for the same user. 828 00:29:26,420 --> 00:29:28,159 So that's another way of detecting it. 829 00:29:28,160 --> 00:29:30,499 And obviously another way is that 830 00:29:30,500 --> 00:29:33,229 it doesn't implement the DELE 831 00:29:33,230 --> 00:29:34,819 command, just like Honeyd. 832 00:29:34,820 --> 00:29:36,469 Right. So there's a lot of ways of 833 00:29:36,470 --> 00:29:38,699 detecting Dionaea. 834 00:29:38,700 --> 00:29:39,619 What can we learn from 835 00:29:39,620 --> 00:29:41,689 Dionaea's work is that they try and make 836 00:29:41,690 --> 00:29:43,969 their services exploitable 837 00:29:43,970 --> 00:29:44,979 to known exploits.
838 00:29:44,980 --> 00:29:46,189 So, for example, they have a way of 839 00:29:46,190 --> 00:29:48,289 capturing Conficker and Blaster and 840 00:29:48,290 --> 00:29:50,269 all these really popular worms that 841 00:29:50,270 --> 00:29:51,679 exploit different services. 842 00:29:51,680 --> 00:29:53,929 And what they do is, as soon as the attack 843 00:29:53,930 --> 00:29:56,989 happens against the service, they capture 844 00:29:56,990 --> 00:29:58,759 whatever code is being executed. 845 00:30:00,740 --> 00:30:02,809 And now this affects an 846 00:30:02,810 --> 00:30:05,569 attacker by realizing: if I'm exploiting 847 00:30:05,570 --> 00:30:06,920 a new machine on the network, 848 00:30:08,210 --> 00:30:10,309 my, you know, old 849 00:30:10,310 --> 00:30:12,499 MS08-067 850 00:30:12,500 --> 00:30:14,689 Conficker exploit, 851 00:30:14,690 --> 00:30:16,999 which I'm running and then executing 852 00:30:17,000 --> 00:30:19,429 my own malware through, 853 00:30:19,430 --> 00:30:21,619 might cause me to lose my malware 854 00:30:21,620 --> 00:30:23,950 because it'll be captured by Dionaea. 855 00:30:25,740 --> 00:30:28,139 Right, next up is 856 00:30:28,140 --> 00:30:29,430 Glastopf, which is 857 00:30:30,510 --> 00:30:32,789 a Web 858 00:30:32,790 --> 00:30:34,449 app type honeypot, right? 859 00:30:34,450 --> 00:30:36,329 So what Glastopf tries to do is look 860 00:30:36,330 --> 00:30:37,590 like a Web application 861 00:30:39,030 --> 00:30:41,129 for different kinds of languages and 862 00:30:41,130 --> 00:30:43,289 just see whoever is trying to do 863 00:30:43,290 --> 00:30:45,509 web-type attacks against 864 00:30:45,510 --> 00:30:46,510 it. Right. 865 00:30:47,340 --> 00:30:49,229 When you set up Glastopf and you look 866 00:30:49,230 --> 00:30:50,579 at the default page, this is what it 867 00:30:50,580 --> 00:30:52,649 looks like, and 868 00:30:52,650 --> 00:30:53,849 it's actually Glastopf.
869 00:30:53,850 --> 00:30:55,679 It's very configurable and allows you to 870 00:30:55,680 --> 00:30:57,959 load in almost any 871 00:30:57,960 --> 00:31:00,089 type of file system or web application 872 00:31:00,090 --> 00:31:01,889 that you want. But if you run it on the 873 00:31:01,890 --> 00:31:04,109 default, it just gives you a very 874 00:31:04,110 --> 00:31:06,179 weird page that not a 875 00:31:06,180 --> 00:31:07,319 lot of people change. 876 00:31:07,320 --> 00:31:08,279 Right. 877 00:31:08,280 --> 00:31:09,959 And if we look at the bottom of it, 878 00:31:12,720 --> 00:31:14,399 there's this signature which doesn't 879 00:31:14,400 --> 00:31:16,379 change. Most of the text here is just 880 00:31:16,380 --> 00:31:18,479 random from a 881 00:31:18,480 --> 00:31:19,919 list of a dictionary. 882 00:31:19,920 --> 00:31:22,169 But if we look at the bottom, there is 883 00:31:22,170 --> 00:31:24,299 a footer that says this is 884 00:31:24,300 --> 00:31:25,859 a really great entry. 885 00:31:25,860 --> 00:31:28,529 Right. And this doesn't change 886 00:31:28,530 --> 00:31:29,429 across pages. 887 00:31:29,430 --> 00:31:31,319 So I just took that string and looked it 888 00:31:31,320 --> 00:31:32,320 up on Google, 889 00:31:33,690 --> 00:31:35,519 and I found some really interesting 890 00:31:35,520 --> 00:31:37,979 websites, which I won't reveal 891 00:31:37,980 --> 00:31:39,149 here. 892 00:31:39,150 --> 00:31:41,789 But one of the top 500 websites 893 00:31:41,790 --> 00:31:43,829 had this in its subdomain. 894 00:31:43,830 --> 00:31:45,809 Right. So assuming it's like a really 895 00:31:45,810 --> 00:31:47,939 popular website, if I go to one 896 00:31:47,940 --> 00:31:50,069 of the subdomains dot really- 897 00:31:50,070 --> 00:31:51,509 famous-website dot com, 898 00:31:52,560 --> 00:31:53,939 this is the page you get. 899 00:31:53,940 --> 00:31:55,229 Right.
900 00:31:55,230 --> 00:31:57,479 Which is very interesting because 901 00:31:57,480 --> 00:31:59,309 they're deploying honeypots, but not in a 902 00:31:59,310 --> 00:32:01,019 very smart way. So they're very aware of 903 00:32:01,020 --> 00:32:03,059 security, but they're not aware that 904 00:32:03,060 --> 00:32:05,579 deploying those honeypots just creates 905 00:32:05,580 --> 00:32:07,379 less deception for the attacker, not 906 00:32:07,380 --> 00:32:08,380 more. 907 00:32:09,990 --> 00:32:11,669 So how does Glastopf work? 908 00:32:11,670 --> 00:32:13,979 What it does is any sort of 909 00:32:13,980 --> 00:32:16,199 web interaction against it, it logs it, 910 00:32:16,200 --> 00:32:18,869 and for specific stuff it gives alerts, 911 00:32:18,870 --> 00:32:20,969 and you can actually create any sort 912 00:32:20,970 --> 00:32:23,489 of file system within it because 913 00:32:23,490 --> 00:32:26,999 it implements the directory traversal 914 00:32:27,000 --> 00:32:28,500 exploit. Right. So if you do, 915 00:32:30,180 --> 00:32:32,579 for example, if you go and type in 916 00:32:32,580 --> 00:32:34,889 the address for the Glastopf 917 00:32:34,890 --> 00:32:37,049 and do slash and then 918 00:32:37,050 --> 00:32:39,159 dot, dot, dot, dot, dot, dot, slash, 919 00:32:39,160 --> 00:32:42,209 etc shadow, it actually gives 920 00:32:42,210 --> 00:32:44,369 a file that you can configure and put 921 00:32:44,370 --> 00:32:46,229 in as its shadow. 922 00:32:46,230 --> 00:32:48,299 Right. And this is the default one. 923 00:32:48,300 --> 00:32:49,859 And I wouldn't say this is the way to 924 00:32:49,860 --> 00:32:52,139 fingerprint Glastopf, 925 00:32:52,140 --> 00:32:53,999 because this is configurable. 926 00:32:54,000 --> 00:32:55,409 I don't want to be able to say that. 927 00:32:55,410 --> 00:32:56,969 And I want to try to find a way to 928 00:32:56,970 --> 00:32:59,220 fingerprint Glastopf without 929 00:33:00,330 --> 00:33:01,769 the user being able to change it.
930 00:33:01,770 --> 00:33:02,770 Right. So 931 00:33:04,680 --> 00:33:07,289 so something that you figure out is that 932 00:33:07,290 --> 00:33:09,059 if this is a Linux machine that gives you 933 00:33:09,060 --> 00:33:11,159 its shadow, from the 934 00:33:11,160 --> 00:33:13,469 permissions that you get and how Linux 935 00:33:13,470 --> 00:33:15,929 is built, you should also be 936 00:33:15,930 --> 00:33:18,659 able to access proc. 937 00:33:18,660 --> 00:33:21,209 Right. And if you're able to access 938 00:33:21,210 --> 00:33:23,519 proc, this is something that's very hard 939 00:33:23,520 --> 00:33:24,520 to simulate 940 00:33:25,920 --> 00:33:28,409 for the people who are configuring 941 00:33:28,410 --> 00:33:30,899 that Glastopf implementation. 942 00:33:30,900 --> 00:33:32,339 Right. Because first of all, you have to 943 00:33:32,340 --> 00:33:34,259 put something in the file system 944 00:33:34,260 --> 00:33:36,479 that Glastopf will give as 945 00:33:36,480 --> 00:33:38,819 an answer for proc. 946 00:33:38,820 --> 00:33:41,279 And secondly, once people have realized 947 00:33:41,280 --> 00:33:43,349 that this gives the actual 948 00:33:43,350 --> 00:33:45,419 answer, it has to fit 949 00:33:45,420 --> 00:33:47,429 the actual process running Glastopf, 950 00:33:47,430 --> 00:33:49,679 because that process is within 951 00:33:49,680 --> 00:33:51,779 proc. Right. So, for example, 952 00:33:51,780 --> 00:33:53,969 if I would go ahead and look at 953 00:33:53,970 --> 00:33:56,159 slash proc slash self 954 00:33:56,160 --> 00:33:58,859 slash maps, I could find 955 00:33:58,860 --> 00:34:00,479 Glastopf's own 956 00:34:01,740 --> 00:34:03,929 memory statistics. 957 00:34:03,930 --> 00:34:05,939 Right.
And I could use this to see if 958 00:34:05,940 --> 00:34:08,399 this is actually correlating to 959 00:34:08,400 --> 00:34:10,888 what I'm seeing on the website by 960 00:34:10,889 --> 00:34:12,988 doing more HTTP requests 961 00:34:12,989 --> 00:34:14,099 and stuff like that. 962 00:34:14,100 --> 00:34:16,468 So no matter what, I'm able 963 00:34:16,469 --> 00:34:19,079 to realize this is not a real server, 964 00:34:19,080 --> 00:34:20,789 unless there's an actual real server 965 00:34:20,790 --> 00:34:22,019 behind it. 966 00:34:22,020 --> 00:34:24,638 So this is a way to always detect 967 00:34:24,639 --> 00:34:25,639 Glastopf without 968 00:34:26,880 --> 00:34:29,309 doing any, you know, configurable 969 00:34:29,310 --> 00:34:30,310 stuff. 970 00:34:31,219 --> 00:34:33,678 And the way I would fix this is 971 00:34:33,679 --> 00:34:36,109 just return permission denied on it. 972 00:34:36,110 --> 00:34:38,209 But this, again, doesn't make 973 00:34:38,210 --> 00:34:40,609 sense in a Linux sort of way, so 974 00:34:40,610 --> 00:34:42,948 it's not an actual real fix. 975 00:34:42,949 --> 00:34:45,079 And what can we learn from Glastopf's 976 00:34:45,080 --> 00:34:47,209 work is that Glastopf is the first one 977 00:34:47,210 --> 00:34:48,859 that lets you actually load the file 978 00:34:48,860 --> 00:34:50,539 system for that machine. 979 00:34:50,540 --> 00:34:52,939 So it's not only giving you network- 980 00:34:52,940 --> 00:34:55,158 type services to deceive the 981 00:34:55,159 --> 00:34:57,138 attacker, but also the actual machine's 982 00:34:57,139 --> 00:34:58,309 content. Right. 983 00:34:59,660 --> 00:35:02,149 And for an attacker, this 984 00:35:02,150 --> 00:35:04,549 risks you attribution.
985 00:35:04,550 --> 00:35:05,839 Right, because you have an online 986 00:35:05,840 --> 00:35:07,939 connection against the machine and you're 987 00:35:07,940 --> 00:35:10,579 putting in stuff into the file system 988 00:35:10,580 --> 00:35:11,729 which you are interested in. 989 00:35:11,730 --> 00:35:13,279 So, for example, the defender could put 990 00:35:13,280 --> 00:35:15,259 different types of files and see which 991 00:35:15,260 --> 00:35:17,389 files are being taken and where 992 00:35:17,390 --> 00:35:18,390 they are taken to. 993 00:35:20,450 --> 00:35:22,969 Right. And the last one is KFSensor. 994 00:35:22,970 --> 00:35:25,219 Now, KFSensor is interesting because 995 00:35:25,220 --> 00:35:26,839 it's an actual product. 996 00:35:26,840 --> 00:35:28,939 It's a honeypot for Windows. 997 00:35:28,940 --> 00:35:29,989 It's not open source. 998 00:35:29,990 --> 00:35:31,759 It actually costs money. 999 00:35:31,760 --> 00:35:33,379 It's been around for I don't know, I 1000 00:35:33,380 --> 00:35:35,299 think like more than 10 years. 1001 00:35:35,300 --> 00:35:37,189 If you go to its website, it looks 1002 00:35:37,190 --> 00:35:40,099 like AOL in the year 2000. 1003 00:35:40,100 --> 00:35:42,229 But actually a lot 1004 00:35:42,230 --> 00:35:44,389 of people are actually buying and 1005 00:35:44,390 --> 00:35:47,299 using it, and it works 1006 00:35:47,300 --> 00:35:49,609 somewhat well and gives you this 1007 00:35:49,610 --> 00:35:51,679 very large 1008 00:35:51,680 --> 00:35:53,839 graphical interface, which you can 1009 00:35:53,840 --> 00:35:56,269 use and configure 1010 00:35:56,270 --> 00:35:58,459 almost every single type of service on 1011 00:35:58,460 --> 00:35:59,810 a Windows machine that you'll want. 1012 00:36:01,640 --> 00:36:03,859 But it's pretty weird for a lot 1013 00:36:03,860 --> 00:36:05,149 of reasons.
1014
00:36:05,150 --> 00:37:09,679
When you do the default configuration, it gives you alerts on broadcast requests. So this is pretty bad because essentially what it means is you'll be getting alerts all the time, automatically, as soon as you put it into the network. And the default configuration for the software also makes this siren sound as soon as there's an alert. So whenever we were working with it in our research, you would just set it up and you would just hear this all the time going on. So they gave us the last. Awful, awful. It was horrible. Yeah. So it gave us a lot of humorous moments during our research. So how do you identify KFSensor? So if you set up the HTTP service, it gives you this default website, which you can just, again, Google up online for the source code, and then you find a lot of different KFSensor deployments, because this is the default website that nobody else has. When enabling HTTPS,

1045
00:37:09,680 --> 00:38:08,409
the port is open, but it doesn't implement the service at all. This is similar to what happened in some of the other examples we've shown, and it also has a configurable amount of concurrent connections before it blocks somebody, and then it's vulnerable to what we talked about, that Beartrap and Artillery are vulnerable to. If the network doesn't protect from IP spoofing, it just allows you to drop machines from the network as much as you want. OK, so what we can learn from KFSensor's work is that even outside the open source ecosystem, the issues are still the same. So this is not something that just comes from being open source projects. This comes from any type of low interaction honeypot that is trying to be implemented. Cool, so now, after we had all these types of ways of figuring out deployment and how to detect honeypots, we said let's just look everywhere in the world at where honeypots are deployed. Maybe it'll be interesting.

1074
00:38:08,410 --> 00:39:21,459
And what we did was we used the ZMap project, which is a way of scanning all the Internet very quickly, and we took one of their daily scans for HTTPS certificate information, and we did it for one day. This was for the Fourth of July in 2015. And we looked at who would have the Dionaea certificate, which is, remember, the Dionaea, that carnivorous plant. Right. And every website that has that as HTTPS is by definition a Dionaea honeypot. Right. So this is the results, not very high resolution. It's very obvious to see that the most honeypots in the world for that day that are Dionaea is Taiwan, second place the United States, and then all the other countries are pretty, you know, much less significant. This is the complete country deployment. The way we figured out which country belongs to which IP was through regular IP geolocation methods.

1106
00:39:21,460 --> 00:40:21,550
So this hinges on the validity of those methods. And there's a few interesting things here. For example, you can see a lot of countries you wouldn't expect to have honeypots, like Tanzania or Zambia, which actually have more than 90 percent in Russia, for example. Other countries which you would think are here are not, like Israel, my own country, which does a lot of cybersecurity, and some interesting countries like Iran, for example, which we will go into shortly. So then we tried to figure out which organizations are hosting these honeypots. The biggest one was there is one Taiwanese ISP that hosted a huge amount of honeypots. I'm thinking just the guy there really loves Dionaea. He's like, oh my God, every spare IP I have, I'll just forward to a Dionaea machine. I think there's another guy just like him in the United States in one of the universities. I'd love to get those two guys to meet. That would be an interesting meeting.

1136
00:40:23,510 --> 00:41:17,499
Another one in Taiwan, another university there. And one of the more interesting ones is that one of the top cloud providers had 80 honeypots in its network. But what's interesting is they publish what IP ranges the cloud is in. And there are the other IP ranges, which are part of the organization but aren't part of the cloud. And some of the IPs we saw for honeypots were not in the cloud range. So it's either hiding what the real cloud ranges are, or it's just honeypots within its corporate network. Right. Some specific interesting organizations, which we've anonymized: there's a ministry of defense here in one of the European countries, an international economic organization, one of the U.S. municipal authorities, and a South African financial services company, which is a pretty random list.

1162
00:41:17,500 --> 00:42:25,559
I have no idea why, but it's interesting to see. Some more organizations: a Taiwanese government authority and a computer manufacturer, a Japanese infrastructure project, another Cambodian government authority. And there's actually a malware research blog. And this is an interesting story. I go into the blog and it hosts mx0 dot the name of the blog as Dionaea, so it looks like one of its mail servers is Dionaea. And then when I went into the blog itself, the guy was talking about how he was capturing malware samples using honeypots he was deploying. So it's pretty funny. I thought about doing something and then seeing if he'll blog about it again, but then I decided it's a little too much into the blackhat territory. And one of the only organizations that we will reveal, the Iranian oil company, does deployment for Dionaea. It's actually one of the subdomains for oil.ir.

1192
00:42:25,560 --> 00:43:37,819
So I guess the guy running the Iranian National Oil Company really likes cybersecurity, and he has Dionaea deployed in one of its subdomains. So when I saw that the oil.ir website has Dionaea, I said, let's go into the site, since it also serves not only HTTPS. And then I was interested in seeing what I'll get when I log into it, and guess what I got. So this is the default website for Glastopf, and I said it has Dionaea on HTTPS and it has Glastopf on HTTP, maybe there's some sort of something that packages a lot of honeypots together. And then I came across something called the Modern Honey Network. So the Modern Honey Network is an open source project at a company called ThreatStream. What it basically does is just package a lot of different honeypots and scripts into one machine, which you can just run, you know, deploy honeypots, and then you gain a lot of the default type configurations of a bunch of honeypots. So, lessons learned.

1222
00:43:37,820 --> 00:44:33,520
Right, so these flaws are really easy, really simple to find. They are by design, so no low interaction honeypot can avoid having these types of flaws. And what we're realizing is if an attacker is aware of deception and he's looking for deception, specifically low interaction honeypots, he will be able to find them and detect them and use them against the defender. Right. So what can we do to do this better? Right. What would a good way of doing deception look like? So let's just go through every single layer that we did and see what was the cause of the problem. Right. So first of all, we need to supply the service itself. Then we need to supply the whole service, so implement the entire protocol. Then we need to make the set of services make sense as a complete machine.

1249
00:44:35,040 --> 00:45:31,640
Then we need to make that service exploitable for known exploits, so the attacker will actually succeed and will gain his malware that's being installed. Then, hopefully, what we would want to do is make those services exploitable to unknown exploits, like zero days. And the problem with that is that if you don't know how the zero day works, how do you simulate the way of being exploitable to it? Right. And the future fantasy is that the machine is an actual real machine in every way and form for the attacker. Right. But this causes the problem of how do we monitor the attacker going into it, and how do we avoid all the noise that a real machine has. And I made a pyramid of what it looks like, all the layers you need to implement in order to have that, you know, optimistically, best type of honeypot or deception or decoy against an attacker.

1276
00:45:33,830 --> 00:46:53,129
We'll be releasing code when responsible disclosure is concluded and all the projects can fix all the different issues. And we really just want to thank all the different people who have been advancing honeypots over the years, because you gain a lot of value from running those projects. And they took a lot of work. And what this talk was about is bringing that view that it helps against the low level type of attacks, but the high level type of APT threats will not only not be deceived by it, but can use it against the defender. And that's what our talk was generally about. All these people helped us in our research and we thank them a lot. I won't read all the names because it's just a huge list. And that's it.
So for any question, please come in front of the microphones, or you already did? That's nice. OK, let's start with microphone one.
Yes, so hello, thank you.

1307
00:46:53,130 --> 00:47:57,649
Following your talk, there is a very simple idea I had directly in my mind. What I would do is I would copy some of the mistakes of the honeypots into my real system that is completely nice. And I would fix some of the problems you have discovered in the honeypots, and this mix I will present to the attacker. I think this will be fun.
OK. But I think the one thing that is worth noting is that some of the honeypot projects actually had decent, they provided decent deception tactics. But if you just deploy the default configuration without thinking about it and just thinking I'm secured, then this is not the good thing to do. So you just need to really think about the consequences of what you're doing when you're deploying and how to put it.
A question from the Internet.
Yeah. So it's more of a remark. So using a default configuration is not exactly the software flaw.

1336
00:47:57,650 --> 00:48:57,619
So if you are too lazy to change the banner text and are too lazy to change the file system in Kippo, for example, and just take the default of everything, then yeah, people identify you. But changing these default configurations would individualize your honeypots. So the fingerprinting probably wouldn't work, right?
Yeah. So this is a true remark. For every project that we've researched, we have a way of detecting it, no matter which configuration it has. The reason we mentioned the default configuration problems is that, like we saw, there's a huge amount of people who deploy the default configuration. So optimally, you would want the default configuration to not be that easily detectable. But it's true that you should never count on the default configuration being used, or, you know, change it to individualize that. That's a very true remark.
Microphone two, please.

1364
00:48:57,620 --> 00:49:41,479
Wouldn't it be a good idea to use an actual SSHD and write a module for it to emulate the file system or something like that?
Yeah. So basically, this is like a trade off, right? If you do an emulation, you're exposing yourself to the risk of being identified. Like we said, by definition, when you're doing emulation, for example, zero day vulnerabilities will not work. So there's always a way to identify you. If you do the actual real machine, then the problem is how do you differentiate the noise and the regular stuff going on from what an attacker will do? Or, for example, how do you even see the attacker's interaction if you don't monitor every part of the protocol? Right.

1385
00:49:41,480 --> 00:50:35,369
So, for example, in Kippo during the SSH key exchange, you wouldn't be able to figure out what he was doing or whether it's something malicious, because it's something that you don't know is an attacker's interaction versus just, I don't know, like something that's scanning the network or something like that. Right.
Microphone four, please.
OK, so what if I turn it around? What if I make my real services look like honeypots and, like, make them give up before trying?
That's a very cool idea. There's actually a friend of ours who does a startup who does exactly that. He makes the real machines look like honeypots, and that way he tries to make it work, or not attack them. Yeah, well, I do.
Microphone one, please.
Well, I didn't quite understand how I get the attacker to attack my honeypot on my real website.

1410
00:50:36,470 --> 00:51:30,400
Yeah, so you're talking about, well, what honeypots are trying to solve is if an attacker attacks a machine you control, how now you can detect him and, you know, realize that he's an attacker. But you're talking about a problem that's underlying and it's very big. But we didn't discuss it. And that is how do we get the attacker to actually attack that honeypot? So you have to make it look like something interesting. One of the examples we gave, for example, that malware researcher's blog: what he did was give it an interesting subdomain under his domain to make it look like a mail server, mx0 of his domain, which is the default name for mail servers. But this is a whole other issue that you have to solve when you're doing deception, which is very true.
A question from the Internet, please: so have you actually broken any honeypots in your research?

1437
00:51:31,510 --> 00:52:30,019
So we weren't trying to look for code execution type vulnerabilities, firstly because it doesn't give you any sort of value. What we're trying to do is more like methodological type of conclusions. So we didn't try. And so we don't know if there are or aren't.
Microphone number one, please.
Just an answer to the question the other gentleman asked, and you said, how do you tell if it's an attack? One method I'm using is I use actual secure shell, but use a PAM module that watches for standard, you know, the top 10000 standard passwords that people try when they're trying to brute force. OK, you don't get to steal the malware or anything. But if you have that within your network and you see someone trying to log onto your SSH with those passwords, you know you're going to have a bad day, you know, someone's in your network.

1467
00:52:30,020 --> 00:53:25,249
So that's one method of how you would know that was an attack, because it's not someone mistyping their password. It's an actual well known brute force password.
Yeah, this is true. This is one of the basic methods of doing high interaction honeypots which are actually real and believable. Cool.
Any more questions? Yes, the Internet has some more questions. Just one short one. So would it be a good configuration to take one default honeypot and then several individualized ones, to make the attacker believe that the individualized ones are, you know, more real?
Well, the interesting thing about deception is there's so many ways to do it and there's so many ways of, you know, thinking about what's the perception of the attacker and using it against them. So, yeah, there's a lot of stuff you could do.

1495
00:53:25,250 --> 00:54:02,500
And one of the basic things that you need to take into account when you're talking about deception is there are different levels of deception. If, for example, what you're trying to deal with is mainly script kiddies, then you don't need to deploy high interaction honeypots and real machines, which is pretty costly. You can just deploy the honeypots that we discussed, just not with the default configuration that is obviously broken.
Do you have another question from the Internet? No. Any other questions from the room? No. I close the talk now. Thank you very much. Thank you very much.
