Tuesday, October 24, 2017

Design and implementation of a honeynet for an ICS environment (Part 2/2)

In a previous post we introduced what a honeypot and a honeynet are, the different types of honeypots, and the different deployment phases. In this post we'll talk about the open honeynet solutions available.

Open Honeynet solutions

The following open honeynet solutions are discussed next:


Modern Honey Network (MHN)

This is a tool for easily creating a honeynet in a visual way. It allows the creation of high and low interaction deployments. It has a REST API to send information to external services. One of the cons of this tool is the number of false positives it shows.

URL: https://github.com/threatstream/mhn


Dockpot

Dockpot is an SSH-based honeypot system. Basically it is a NAT device with the capacity to act as an SSH proxy between the attacker and the honeypot itself, performing monitoring and logging of the network activity that occurs against the honeypot. One of the characteristics of this tool is that Dockpot starts the honeypot system (using Docker technology) when it detects a new connection, and destroys the container when it detects there are no more connections against the system. This allows mounting a high interaction network without having to worry about the machines any more.

URL: https://github.com/docker/global-hack-day-3/tree/master/dockpot


Conpot

Conpot is a honeypot server focused on industrial control systems. Although primarily low interaction, it can operate as a honeypot of both types, low and high interaction. It's designed to be easy to deploy, modify and extend. By providing a range of common OT protocols, this system has the basis to emulate complex infrastructures, capable of convincing an adversary that he has a large industrial complex in his hands. To improve its ability to mislead, it also provides the possibility of an HMI server to increase the honeypot's attack surface.

This is OK for a first pilot. It's one of the tools that currently has the most active community.

As a low interaction honeypot, by default Conpot simulates an S7-200 device, although it has configuration parameters to simulate practically any device. As a high interaction honeypot, Conpot can be used as a gateway to a physical device, so the attacker actually accesses that device, which makes it harder to detect the honeypot itself.

URL: https://github.com/mushorg/conpot


Honeytokens

Honeytokens are artificial elements that emulate data and are deliberately placed in a real resource or system in order to detect unauthorized attempts to use that information. Honeytokens are characterized by properties that make them look like real data. These elements must be accessible to potential attackers who intend to violate the security of an organization in an attempt to extract information maliciously. One of the main challenges in honeytoken generation is the creation of data that simulate real values and are difficult to recognise as false. At this point it is recommended to follow guidelines for an automatic value generation system. As an initial phase in the creation of a honeynet, we can use OpenCanary to perform a series of tests, provided they do not involve OT protocols.

URL: https://github.com/thinkst/opencanary
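
As an added example (not code from the original post or from OpenCanary), the following Python shows one way to build such an automatic value generation system: each planted token carries a short HMAC over a random nonce, so the detection side can recognise its own tokens in logs without keeping a list of them. The key, the token format, the prefix `hmi` and the log lines are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed key for this example; in a deployment only the detection side holds it.
DETECTOR_KEY = b"example-only-key-change-me"


def make_honeytoken(prefix, key=DETECTOR_KEY):
    """Build a value shaped like an API key: <prefix>-<8 hex nonce><8 hex MAC>.
    The MAC lets the detector recognise its own tokens without storing them."""
    nonce = secrets.token_hex(4)
    mac = hmac.new(key, f"{prefix}-{nonce}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"{prefix}-{nonce}{mac}"


def is_honeytoken(value, key=DETECTOR_KEY):
    """True only if the value carries a MAC produced with our key."""
    m = re.fullmatch(r"([A-Za-z]+)-([0-9a-f]{8})([0-9a-f]{8})", value)
    if not m:
        return False
    prefix, nonce, mac = m.groups()
    expected = hmac.new(key, f"{prefix}-{nonce}".encode(), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected, mac)


def scan_log(lines, key=DETECTOR_KEY):
    """Return (line, token) for every log line in which a planted token was used."""
    hits = []
    for line in lines:
        for candidate in re.findall(r"\b[A-Za-z]+-[0-9a-f]{16}\b", line):
            if is_honeytoken(candidate, key):
                hits.append((line, candidate))
    return hits


if __name__ == "__main__":
    token = make_honeytoken("hmi")  # e.g. planted in an HMI configuration file
    # Constructed log lines: one uses the planted token, one uses a lookalike value.
    log = [f"10.0.5.7 GET /api/tags key={token}",
           "10.0.5.9 GET /api/tags key=hmi-0123456789abcdef"]
    for line, tok in scan_log(log):
        print("ALERT honeytoken used:", tok, "|", line)
```

Because the MAC is keyed, a lookalike value an attacker guesses or modifies does not trigger an alert, while any use of a genuinely planted token does.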


GNS3

GNS3 is a graphical network simulator that allows designing complex network topologies and running simulations on them. This type of tool is very useful for deploying and modifying the different topologies of the honeynet network. GNS3 should be combined with the following applications in order to obtain the expected performance in the project at hand:

  • Dynamips, an IOS emulator that allows users to execute binary images from Cisco Systems.
  • Dynagen, a text front-end for Dynamips.
  • Qemu and VirtualBox, which allow using virtual machines, for example as a PIX firewall.
  • VPCS, a PC emulator with basic networking functions.
  • IOU (IOS on Unix), special builds of IOS provided by Cisco to run directly on UNIX systems.

GNS3 is an excellent complementary tool to real labs for Cisco network administrators or people who want to pass their CCNA, CCNP, CCIE or DAC certifications.

URL: https://www.gns3.com/


Gridpot

Gridpot is a honeypot for the electrical sector. It uses Conpot for its deployment, and support has been added for communications using the IEC 61850 protocol.

URL: https://github.com/sk4ld/gridpot


ScadaHoneynet

It's a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures. With this tool a single Linux host can simulate multiple industrial devices and complex network topologies. Given the variety of deployments and the lack of standard, well-defined architectures for industrial networks, it attempts to create the building blocks so that users can simulate their own networks.

URL: scadahoneynet.sourceforge.net


GasPot

GasPot is a honeypot that has been designed to simulate an AST Veeder Root Guardian.

These tank gauges are common in the oil and gas industry at gas stations, where they assist with fuel inventory. GasPot has been designed to generate a different series of values on each use, which makes it harder for an experienced attacker to spot, since it simulates a real system more precisely.

URL: https://github.com/sjhilt/GasPot

HoneyComb

A system that automatically generates signatures for NIDS systems. It applies protocol analysis and pattern detection techniques to traffic captured in trap systems. Using traffic from within the honeypot has the advantage of concentrating traffic that, in our opinion, would be considered malicious by definition. The idea would be to do something similar in the part exposed to subcontracted services, such as an intelligence system.

The system is an extension of the honeyd trap system and is specific to inspecting the traffic inside the honeypot. Currently the system works by examining protocol headers as well as payload data. The integration of this system with honeyd has several advantages over an external probe placed directly at the network level: it avoids duplication of effort, as it uses libpcap to capture the relevant packets; it avoids the common cold-boot problems of NIDSs, since, being integrated in honeyd, it not only passively listens to traffic but emulates consistent responses to incoming requests (not for OT protocols, or so I think); and with this mechanism it can determine exactly when a new connection is started or terminated.

URL: http://www.icir.org/christian/honeycomb/


IOThoneypot

A Python telnet server that tries to act as a honeypot for IoT malware which spreads over horribly insecure default passwords on telnet servers on the internet.

URL: https://www.usenix.org/system/files/conference/woot15/woot15-paper-pa.pdf


PlanetLab

A set of distributed servers across the academic networks of the world, forming a computational laboratory on a planetary scale that allows developing, installing and running applications in a test environment deployed over the network under real-world conditions.

It provides a platform for researchers to experiment with network services on a global scale with real workloads, supporting short or long duration experiments that can run at the same time in isolation without affecting each other. What it tries to achieve is to catalyze the evolution of the Internet towards a service-oriented architecture.

URL: https://www.planet-lab.org/

Monday, October 23, 2017

Design and implementation of a honeynet for an ICS environment (Part 1/2)

Industrial Control Systems (ICS) are becoming attack targets more and more often. This is caused mainly by the impact that the compromise of an ICS can have. At the same time, these systems have a very long lifetime and initially were not designed with security in mind.

Traditionally, ICS systems are not bound to the IT world and use their own (sometimes proprietary) protocols, different from the IT standards. For these reasons it's not really well known how these systems get exploited and what the implications of an exploitation are. A good way to learn the attack vectors and the attackers' objectives is to use honeypots to obtain the maximum information about the movements these attackers perform during the attack phase.

Honeypots and Honeynets

A honeypot, or trap system, is a piece of software or a combination of systems whose intention is to attract attackers by simulating vulnerable or weak systems. It's a computing tool used to gather information about attackers and their techniques. Honeypots can distract attackers from the most critical systems and quickly warn the system administrator of an attack attempt, apart from allowing a deep examination of the attack and the attackers, during and after the attack on the honeypot system.

A honeynet is a special type of honeypot. It's a high interaction honeypot that acts over a whole network, designed to be attacked and therefore to recover much more information about the possible attackers. In a honeynet real systems are used, with real operating systems and running real applications. This type of honeypot is mainly used for researching new attack techniques and therefore studying the modus operandi of intruders.


What are honeynets for in an ICS environment?

Presently it is difficult to reproduce a standard SCADA network, given that there is a huge variety of different industrial network deployments. This is caused by the heterogeneous nature of industrial sectors and by a lack of standard architectures for each specific sector. One of the main reasons why control network emulation becomes very hard to implement is the difficulty of simulating the communication networks, due to the fact that there are many different and complex networks and network topologies.

As a honeynet is a dynamic environment, it allows the quick modification of the honeynet infrastructure to adapt it to different environments or industrial sectors. Critical data acquired from the possible attacks received by the honeynet will allow the development of mechanisms, tools and procedures to mitigate these attacks in the near future, or to recover from them in the most effective way.


Honeynet development phases

To develop a honeynet there are a number of phases that need to be followed:

  • Phase 0: Project initial phase. In this phase a set of different systems are connected directly to the internet. These systems will only collect attack attempts, ports, services, IPs, etc.
  • Phase 1: In this phase, different devices inside the honeynet network will interact among themselves. Starting from the data acquired in phase 0, a network infrastructure will be formed following the attack preferences found in phase 0. In this phase the software applications will be deployed on the different systems in order to run their own roles inside the honeynet. There will be a more thorough process of information gathering, focused on the media and methods used during the attacks.
  • Phase 2: Research phase and honeynet dynamic changes. Starting with the data obtained in phase 1, different elements of the honeynet will be modified to improve the network infrastructure and the hardening process. In this phase the first reports will be obtained and printed.

Glossary

Low interaction honeypot

A low interaction honeypot simulates some services to detect attacks directed at those services. Depending on the quality of the simulation, these honeypots will obtain more or less information. This type of honeypot is mainly used to detect attack attempts and protect a network infrastructure.


High interaction honeypot

High interaction honeypots are used to analyze in depth the previously detected attacks. To obtain as much information as possible and to be as close to reality as possible, real devices are used, from which all possible information about the different attacks they receive is extracted.


When talking about ICS, devices like PLCs, RTUs, IEDs, etc., do not generally have enough computing power to be included in the information gathering process. For this reason a better alternative is to use a gateway system that relays connections to the ICS device, extracts all the attack data and sends it to a centralized server, which will be responsible for the in-depth analysis.
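
The gateway described above, as an added example that is not code from the original post: a Python asyncio TCP relay that forwards each attacker connection to the device, records every byte in both directions as JSON events and hands them to a `sink` callable (a stand-in for the centralized server). The echo "device", the addresses and the request bytes are constructed for the example.

```python
import asyncio, json

class RelayGateway:
    def __init__(self, device_host, device_port, sink):
        # sink: callable taking one JSON line; stands in for the central analysis server
        self.device_host, self.device_port, self.sink = device_host, device_port, sink

    def _emit(self, **fields):
        self.sink(json.dumps(fields))

    async def _pipe(self, src, dst, direction, peer):
        try:
            while data := await src.read(4096):  # b"" on EOF ends the loop
                self._emit(event="data", peer=peer, direction=direction, hex=data.hex())
                dst.write(data)
                await dst.drain()
        finally:
            dst.close()  # closing one leg makes the other leg's read() return EOF

    async def handle(self, reader, writer):
        peer = "%s:%d" % writer.get_extra_info("peername")[:2]
        self._emit(event="connect", peer=peer)
        try:
            dev_r, dev_w = await asyncio.open_connection(self.device_host, self.device_port)
        except OSError as exc:  # device down: record it instead of silently dropping
            self._emit(event="device_unreachable", peer=peer, error=str(exc))
            writer.close(); return
        await asyncio.gather(self._pipe(reader, dev_w, "to_device", peer),
                             self._pipe(dev_r, writer, "from_device", peer))
        self._emit(event="disconnect", peer=peer)

async def _echo_device(reader, writer):
    # Constructed stand-in for the physical PLC: answers with what it received.
    writer.write(await reader.read(4096)); await writer.drain()
    writer.close()

async def _demo():
    records = []
    device = await asyncio.start_server(_echo_device, "127.0.0.1", 0)
    gw = RelayGateway("127.0.0.1", device.sockets[0].getsockname()[1], records.append)
    relay = await asyncio.start_server(gw.handle, "127.0.0.1", 0)
    r, w = await asyncio.open_connection("127.0.0.1", relay.sockets[0].getsockname()[1])
    w.write(b"\x03\x00\x00\x16"); await w.drain()  # constructed request (TPKT-like header)
    echoed = await r.read(4096)
    w.close()
    await asyncio.sleep(0.2)  # give the gateway time to log the disconnect
    relay.close(); device.close()
    return echoed, [json.loads(x) for x in records]

def run_demo():
    return asyncio.run(_demo())
```

`run_demo()` returns the bytes the attacker side received and the ordered event list (connect, data in each direction, disconnect) that the central server would ingest.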

Available tools

In the next post, some freely available tools like the following will be discussed:

  • Modern Honey Network (MHN)
  • Conpot
  • Honeytokens
  • Gridpot
  • ScadaHoneynet
  • GasPot
  • HoneyComb
  • IOThoneypot
  • PlanetLab