HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS. Martin Lee Neil Rankin

Transcription

1 HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS Martin Lee Neil Rankin

2 Cloud Adoption Choose two: Fast Cheap Good

3 Cloud Models Public IaaS PaaS SaaS Private

4 Cloud Models Public IaaS PaaS SaaS Private

5 IaaS Cloud Security Layers SECURE API / GUI Application Code Operating System Your problem Virtual Machine Hypervisor Device Network Provider s responsibility Facility

6 Threat Model Cyber Criminal Hacktivist APT

7 Elastic Computing Development Deployment Low utilisation Low cost Heavy utilisation High cost

8 Elastic Computing Source: Quora.com

9 Threat Types - Customers Cloud Environment On Premise Environment application-attack brute-force suspicious-activity recon trojan-activity denial-of-service other application-attack brute-force trojan-activity suspicious-activity recon denial-of-service other Source: Alert Logic ASR 2015

10 Relative Threats - Cloud vs On Premise trojan-activity other application-attack brute-force recon suspicious-activity denial-of-service Source: Alert Logic ASR 2015

11 Cloud Threats by Customer Industry Vertical Suspicious Recon Brute force 100% 90% 80% 70% 60% 50% 40% DoS Application attack 30% 20% 10% 0% Source: Alert Logic ASR 2015

12 Subtle Differences Cloud threats On premise threats Your threats Your neighbour s threats

13 Honeypot Infrastructure share.example.com sys.example.com db.example.com Cloud Honeypot Cloud Production System Increased Protection Cloud Honeypot Threat Intelligence Threat Intelligence

14 Honeypot Types Low Interaction Medium Interaction Simulates high level services Collects basic information Simulates generic functions Records interaction High Interaction Simulates specific environment Collects details of attack

15 Medium Interaction Kippo medium interaction Simulates SSH shell Fake file system Easily detected! we use heavily modified version We used to log brute force attacks & replay session

16 Medium Interaction Dionaea medium interaction Simulates network services SMB / HTTP / FTP / MySQL / SIP (VOIP) Simulates shellcode execution We see mostly SMB activity

17 Low Interaction Amun low interaction Modular Honeypot Simulates vulnerable services We see mostly SMB activity

18 Low Interaction p0f low interaction Fingerprint connecting IPs Run in tandem

19 Custom Interaction Create your own Modify modular honeypot Reflect your environment Respond to new threats Research attacks against specific vulnerabilities

20 Results What do we find? April 2015

21 Findings Top 20 IP Addresses Number of Attacks

22 Findings Top 20 Source Countries Japan Taiwan Venezuela China Georgia Japan Brazil Unknown United States Georgia Romania Mexico Brazil Russian Federation Netherlands Taiwan Bulgaria United Kingdom China Armenia India Venezuela Kazakhstan Korea, Republic of Ukraine Iran, Islamic Republic of

23 Findings Attacker OS Win 7/8 Linux 2.2.x Linux 3.1 Win XP Linux 2.4.x Linux 2.4.x Windows XP Linux Linux 2.2.x-3.x Windows 7 or 8 Linux 2.6.x Linux 3.11 and newer Linux 2.4.x-2.6.x Linux 2.2.x-3.x (no timestamps) Linux 3.x Linux 2.2.x-3.x (barebone) Windows NT kernel Linux 2.0

24 Findings Top 20 Destination Ports Active Directory Service / SMB (445) SSH (22) Secure Shell (SSH) Microsoft Directory Service Remote Desktop Protocol NETBIOS Session Service SMTP HTTP Active API Server Port (Proxy) Telnet POP3 HTTP Alternate (Proxy) MySQL Microsoft SQL Server Abyess Web Server HTTPS FTP Socks (Proxy) Universal Plug 'N Play (UPnP) Microsoft DCOM IMAP Apple OSX RPC Services

25 Findings Top 20 Brute Forced Usernames Root (98.5%) root oracle support test MGR administrator ftpuser admindb info pi admin ubnt user guest ubuntu operator PlcmSpIp Administrator db01

26 Findings Top 20 Brute Forced Username/Password root/admin admin/admin root/ root/default root/zaq1xsw2 root/a root/ root/changeme root/qwerty root/admin1 root/123456] root/ root/administrator root/qazwsx root/ root/aaaaaa root/root root/ root/meiyoumima root/vision

27 Findings Top 20 Uploads Troj/Agent-AMRO PsExec?.exe Mal/HckPk-A Troj/Agent-AMRO Unknown Troj/Agent-AMRO Mal/PWS-JJ Mal/HckPk-A Unknown Unknown Unknown Unknown Mal/Spy-Y PsExec Mal/HckPk-A Troj/DLoad-IK W32/Parite-B Mal/Spy-Y Unknown Unknown Unknown Unknown Unknown

28 Deployment Honeypots in Operation

29 Honeypots for Managed Services Connecting IPs Cloud Honeypot Customer Cloud System Security Agent Blocklist update Threat Intelligence

30 Honeypots for Managed Services Malware Cloud Honeypot Customer Cloud System Security Agent Correlate Threat Intelligence

31 Conclusion Cloud environments have a specific threat profile. Well placed honeypots provide timely intelligence. Apply intelligence to protect production systems.

32 Get linkedin.com/company/alert-logic alertlogic.com/resources/blog/ youtube.com/user/alertlogictv brighttalk.com/channel/11587

33 Thank you Will Semple VP ActiveIntelligence Brian Wilson Director, Intelligence Michael Laughlin Tools Engineer

34 Thank you.