BSidesSF 2018 - Honeypots 2.0: A New ‘Twist’ on Defending Enterprise Networks (Lane Thames)

[Music]

all right hello everyone my name is Lane Tim's and as he said I'm gonna be talking about honey pots a new twist on defending enterprise and networks with dynamic deception at scale so a few pieces of information to keep in mind here as I go through is a few key words honey pots a twist because we're gonna be talking about twisted which is a python-based networking framework dynamic deception and scale so before I get started just a little bit about me I actually don't work with honey pots on a day-to-day basis this was just a little bitty tinker project that I started working on and with anyway on my day to day activities I work in vulnerability

management on the vulnerability and exposure research team for tripwire I have a PhD from Georgia Tech and 15 years experience across IT software engineering and cybersecurity so as I said I'm talking about enterprise scale systems and in my previous some previous work I've done I've worked with some advanced manufacturing projects and I've become a little bit focused on new new types of technology called like industrial internet or industrial internet of things and so it's a it's a good way to start motivating the subject is you know our enterprise networks of today aren't like they were 10 years ago obviously but more and more nowadays because of advancing technologies many of our enterprise networks especially within certain sectors like critical

infrastructure and advanced manufacturing those networks are becoming much more complex and very interesting and as an engineer it's really a cool time to be an engineer for example I don't know if you've ever heard of a digital twin but a digital twin refers to a digital replica of a physical asset is essentially how we are now able to interface physical systems with computing and communication devices and to do such a thing as this thing like a digital twin it requires a very sophisticated computing and communication infrastructure but as you know one of the reasons we're all here is that to to really gain the few the true potential of where we're going with technology nowadays cyber security is

actually the limiting factor we can't really do what we could do in terms of technology and technology development because of security and unfortunately in security time is always against us so one of the things that I'm talking about here today in terms of dynamic deception and using honey pots in kind of a new way what we want to do is we want to decrease the amount of time it takes us on the good side to detect attacks and then respond to those attacks but at the same time we'd like to be able to increase the amount of time and well as the amount of the cost for cyber attackers so that's one of the goals of this project that I had so

let's talk about deception by definition it's is to call someone or in our case deal with technology and computing it could be something like automated software but we want to deceive it we want it to believe something that's that's not true so that we can actually get something that we can gain something out of it so that's why we use deception when we talk about certain types of technologies like honey pots but before we get into cyber defense everybody you know in terms of using the word deception some of the words that we hear on a day-to-day basis that we all familiar with social engineering fishing spam these are all types of deception attacks when we get into some of these

industrial internet environments that I was mentioning earlier there's other types of deception based attacks and this is done via what we call signal injection so attackers when they gain a foothold inside of a large industrial internet type of network they can spoof sensor measurements control inputs timestamps identity information and such so these are the types of deception based cyberattacks when we talk about deception based cybersecurity that a traditional technology has been a honey pot and a honey pot is basically a computing asset used for detecting deflecting or counteracting unauthorized use of information they've traditionally been used as a mechanism to detect something that's going on within a network to fool the attacker but once once that honeypot is accessed

you know the IT department or the security department knows hey something's going wrong because that system shouldn't be accessed right now but nowadays we have technology on our side that lets us take it to a new level well now not only can we use it for detection but we can also also use it to create massive amounts of confusion and if we can do this correctly we can actually induce a time delay on the attack sources but that also gives us more time to counteract appropriately we can use this to increase the cost of attack and thereby in certain cases reduce attack motivation so I kind of say that honey pots were a little bit of

ahead of their time ten years ago I never would have thought I'd be given a presentation on honey pots but now scale is no longer an issue ant it let me clarify that a little bit in the early days of honey pots you'd have to go by a single device to deploy a single honeypot so if you had a network of say dodge or thousands of nodes and you had one or two or three honey pots they were kind of statistically insignificant you might get a little bit of out of them from detection but statistically they were instantly fit especially in the form of confusion so one of the goals of this word are the

goals of this work or to use honey pots at scale to do the traditional mechanism of detecting real time attacks but also to create lots of confusion and nowadays because of all of the threat intelligence technology we have we can actually take the detection part of honey pots to a new level to where we can actually spread this information to our partners using threat intelligence feeds and such and lastly we want to be able to implement real-time controls when we detect using the traps of a honeypot to stop attackers inside now just to go back to this original image I had here one of the things if you thing is I wanted to point out one is insider

threat and we talked about honey pots unless you're just doing some particular type of research you don't really care about putting a honeypot on internet facing networks or directly connected to the Internet you're not going to gain a lot of information other than observing how a particular attacker might interact with a given honeypot what we're interested in is when the inevitable happens and an attacker gets gains a foothold on the inside of your network what we would call an insider threat that's where these devices can really or this this technology could really make a big difference and the second point I want to make is going back to the diagram and this is one example of many

types of examples I could come up with but this is this image illustrates a modern enterprise network that has been integrated with their industrial system in this case it's oh it's a it's a water utility facility but it could be any type of other what second once again critical infrastructure advanced manufacturing environment you name it so this is what we call an integrated and operational technology network but also with our modern technology we also are going to have private clouds and public clouds that we're using within our networks and that's kind of a key observation here is that nowadays we have virtualization technology micro service architectures containers cloud computing so we have on average a large number of

resources and with ipv6 coming along we have lots of IP space at our hands and so that's kind of what I'm trying to talk about here with scale we can deploy mini honey pots using traditional or not traditional but new technologies DevOps tool change and such so we can deploy many nodes and create a lot of confusion that technology is now available for us but another aspect of confusion is what I call honeypot dynamics and this was inspired by how container micro architect micro service architectures are behaving in particular with container technology and this is actually what spurred my thought process here is that we have the capability to spin up say a container to serve as a

given request and then spin it back down so we have this idea of short little services and so that's made me start thinking is that what if we just put a twist on how honey pots work and not only do we have our traditional static honey pots but what if we were to create dynamic honey pots by dammit dynamic I'm talking about port based dynamics and IP based dynamics so not only can you not only can we deploy lots of nodes we can make we can move them around we can move them across IP addresses we can move them across TCP ports so if you have a web server or some type of a with a web

server based app a honeypot application you don't have to listen on port 80 you can listen on any kind of a port you want and how this works in terms of creating time delays is that we start impacting the attackers cycle particular their map and attack portion of the cycle so when they're mapping their networks they see one thing when they come back at a certain amount of time later and try to attack there's a totally different scenario and so if you can imagine the frustration of the attacker doing going through this cycle and I've actually seen it they just keep coming to keep government cuz they can't figure out what's going on and so a

particular attacks or stays there I've watched on my own next are oh oh I'm sorry research environments you know stay for an hour trying to figure out what's going on so it's it's it's kind of cool and so are you probably can't see the code here very well but a few things I wanted to point out here this is just a basic server implementation written in Python using sockets and what I'm doing here at the top you'll see this response variable that is simply just a basic HTTP header and the goal here is that any time a client connects to this server the server sends back the response header and kills the connection so if it's someone that's once again

just in this example that's probing this server it'll think that it's some type of a webserver in this example I'm using connection oriented dynamics where anytime at any time the server receives a connection request it just sends back that basic header and then kills it and then starts back up on a different port is this a different port yes but the rest of the examples I'm gonna have well I'm sorry I'm just getting ahead of myself here's in the output of that process it starts up listening on port 81 it gets a connection request sends back to the header comes up on a different port and so on and so on but that's a very basic

process so what if we wanted to do multiple servers of any type but in this case once again just as an example it's http-based but what if I wanted to run multiple servers on multiple ports well we can add some threading use some various libraries and in this example there's a on the right side there is simple wild loop where we're spinning up a bunch of servers we're letting them run for a certain amount of time in this case 15 seconds and then we spit them down and so these servers are just constantly going off on some random ports but there's a problem with this approach one is code complexity I mean there's no need to reinvent the wheel

also if you noticed and I pointed out I'm just sending back a basic HTTP header so in terms of honey pots this would be called a lightweight interaction honeypot nothing really interesting about it and the attack source would would not probe it very long before they move on but there turns out to be an interesting Python based framework out there called twisted that can help us solve this some of these problems and so twisted it's an it's an event-driven networking engine that's written in Python it's based on what's called a reactive programming model and essentially lets you work with highly asynchronous applications and as a lot of people say they twist it comes with batteries and that's one interesting

piece in terms of creating honey pots is that there's already a lot of built-in server applications available in there there's web servers mail servers SSH servers you name it and twisted it lets the programmer focus on the actual application protocol and twisted takes care of everything else for you and in terms of developing an open source based honeypot project there's a lot of existing open source projects out there that are based on twisted that fit very well in projects that are enterprise class IOT based in industrial Internet of Things based and such and so in this example I'm just illustrating a few little things about twisted first of all this is a full-fledged web server and it really

only takes two line three lines of code to bring up a full-fledged web server now in this case it assumes that there is a web directory called web and the current working directory that contains all of your website files but in terms of serving there's really only three is really only two lines of code and one to kick off the three actor one of the things I wanted to point out here in this example as well is how I had to figure out how to spin up servers and work with the underlying reactor and I found this function called call later it's basically a way to schedule tasks or whatever inside of twisted the reactor manages it but what we can do

and it looks I call it our run because of it looks a little recursive it's not recursive but what I do is I make my first call to this function called our run I tell the reactor to remove everything that might exist I create a random port create the web server which turns out to be a composition of a file object and a side object that becomes what we call or what normally would be called a factory and then I once again and call that called later function pointing to this same function so it just kind of keeps calling itself and so I'm also telling it to do it every 25 seconds in this example with what this

is meaning is that this server is going to come up this full fledged web server is going to come up twenty five six seconds later it's going to die and it's going to come back up on a different port now obviously things like time duration that's just a parameter you might want to tweak I'm just using these numbers for examples here and if you look on the right side you can actually see it in action and you can actually see it a full web-based you know response with regular headers as well as the index file that it that it served in this example and so because it's Python base we can actually take it a step further

and so in this example I select okay well we want to have multiple servers right so what I did is I just packed all of the basic functionality and to this class I called simple web and then this example right here just shows that you know we spin up four of them until it to run and and this is the output now this would be a static this right here didn't have any of the dynamics involved but what I wanted to point out is in lesson 19 less than 20 lines of code we're spending up for full-fledged web servers it's pretty impressive now this is an example where I actually extended it and made it dynamic so there's a little bit

more code I introduced you know I bring in my our run function again and have a simple loop where I spin up a set of servers and then they run for a certain amount of time in this case 20 seconds and then they come back down so we can take this to the extreme you can actually you're only limited to your computing resources and the types of servers that you bring up and they don't all have to be with I'm just keeping it simple for this example so your possibilities are limited here plus their full heavyweight servers and this is just an example of of it running if you look in towards the the back side

you can see that a certain number of servers will come up they'll listen for a little short a certain amount of time and then they die and on the right side you can see that it does you know just like the last image we're getting back to full makes you know a complete set of HTTP headers as well as the web page now I mentioned earlier that I had been tinkering with some of this inside of industrial internet technologies and that other projects are out there that are built on top of twisted and this is just one example of a project called Modbus Modbus is a certain type of industrial control system protocol and there turns out to be a Python project

out there that implements bond bus so in this example here I'm actually spitting up an industrial internet honeypot based off our that's you know for Modbus and most of the code here is just code needed to start up the Modbus server the twisted part for doing the dynamic is just that that same are run function so what I've shown here is just some examples on how you can actually implement some very heavyweight honey pots with twisted because of their built-in functionality with very little bit of code you can do this fast and as I mentioned in terms of trying to crawl you know one of the goals is creating confusion and to do that we need to do

it at scale and I didn't get into the you know the the other side of how do we implement it in scale but you know we have technologies like kubernetes and all these other cloud environments that let us orchestrate large numbers of devices so when we can couple this together we can actually really create a lot of confusion and increase the cost on attackers so just in closing as I mentioned the goals of this project was to come up with a way to you know help us as defenders shrink the amount of time we need to do our work but increase the amount of time it takes for an attacker to get to do what they're doing

we're trying to protect from both insider threats and external threats and as I mentioned we do have the technology to do this honey pots I believe they're actually there's a lot of new companies coming online that provide honeypot technology so it's a new kid on the block and the the the code that I'm illustrating here is on my github account on there a photo called DDT I called the dynamic deception toolkit and so feel free to look at that code and extend it whatever and that's it thank you [Applause]