Tue Oct 5 18:13:23 EDT 2004

netForensics Honeynet Project Bi-annual Status Report
-----------------------------------------------------

Anton Chuvakin, Ph.D., GCIA, GCIH
http://www.chuvakin.org/honeynet

1.0 DEPLOYMENTS
=================

1.1 Current technologies deployed. Please include diagrams, so others could
replicate your methods. If this has not changed since the last report, please
link to the information so readers can reference (and learn from it).

Victim: RedHat Linux on Intel
Control: modified GenII iptables script
Network monitoring: snort 2.2.x, tcpdump, Bro 0.9_x, ipaudit, Snort Spade,
Dragon NIDS 5.0, shadow/IDAbench, ngrep, argus, ifmonitor, p0f
Host monitoring: modified bash
Correlation and analysis: netForensics SIM, ACID, IDAbench, IPAudit HTML GUI
Diagram: http://www.chuvakin.org/honeynet

1.2 Lessons learned from the technology, what you like about it.

1. The above provides sufficient monitoring for the activities of amateur attackers
2. Combining all or most data in a single database makes honeynet monitoring a fairly easy task

1.3 Lessons learned from the technology, what is lacking, what you would like to see improved.

1. Sebek should work on more Linux versions, so that it can be used on our honeynet
2. More automation such as compromise notification is needed (to better integrate honeypot management with a busy life :-))
3. More long-term data analysis in the absence of a compromise
4. Ability to easily centralize data over multiple honeynets and to combine sebek-type data with NIDS/log data

2.0 FINDINGS
=============

2.1 Number and type of systems compromised during six month period.

The system was compromised 2 times via OpenSSL (the hole was patched after the 2nd time).

2.2 Highlight any unique findings, attacks, tools, or methods.

2.3 Any trends seen in the past six months.

It was an unusually quiet time. The main reason was likely deploying a recent version of the RedHat system. However, more trends will be discovered if automated trend analysis is implemented.

2.4 Document data analysis tools and methods being used.

The main data analysis tool was a netForensics SIM solution that integrated most of the data.

2.5 For data analysis what tools work well, and what still needs to be developed.

The netForensics SIM database with a uniform schema for all events coming from a honeynet worked really well. Several data mining tools to automate the analysis were developed to run off the nF database.

3.0 MISC ACTIVITIES
====================

3.1 Presenting at conferences

None related to honeynets during the specified period. Participation in the Annual Honeynet meeting (Sept 2004).

3.2 Developing, testing or releasing code

None related to honeynets during the specified period.

3.3 Publication of papers

1. Contributing to "Know Your Enemy II" book (AWL, 2004)
2. Section on honeypots for CRC/Auerbach "Security Management Handbook"

3.4 Involvement in SotM challenges.

SotM30 (http://www.honeynet.org/scans/scan30/)

"This month's challenge is different. Traditional SotM challenges have been about analyzing specific attacks against specific honeypots. This time we are going to take a step back and look at the bigger picture. Your job is to analyze a month's worth of connection activity to and from a honeynet by analyzing the firewall logs. This is where analysis of any honeynet most often begins."

3.5 Other

4.0 ORGANIZATIONAL
==================

4.1 Changes in the structure of your organization.

None

5.0 LESSONS LEARNED
===================

5.1 What positive things can you share with the community, so they can replicate your success.

1. Considering that this was a relatively uneventful half-year, I'd stress the importance of analysis tools to look at the volume of honeynet data: if you want to run a honeynet, you need good data analysis tools to get value even in the absence of a compromise.

5.2 What mistakes can you share with the community, so they don't make the same mistakes.

1. Not deploying Sebek (due to software incompatibility) to get more detailed data
2. Not deploying Windows to catch botnets and possibly credit card abuse or even a phishing scam

6.0 FUTURE GOALS
================

6.1 Plans/Goals for next six months

1. Involvement with post-Track3 activities to build a global threat portal for prediction and advanced stat analysis of honeynet data
2. More data mining research on automated compromise discovery
3. Possibly more honeypots online
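The report repeatedly points at the same gap: a uniform event schema for honeynet data (2.5), analysis that yields value even with no compromise (5.1), automated compromise notification (1.3), and firewall-log analysis as the place where honeynet analysis begins (the SotM30 text in 3.4). The Python script below is an added example written for this page, not the netForensics SIM tooling or any code from the report. It assumes GenII-style iptables syslog lines carrying INBOUND/OUTBOUND log prefixes followed by the usual KEY=VALUE fields; the log lines, the honeypot address 192.0.2.10 and the year 2004 used to complete the year-less syslog timestamps are all constructed.

```python
"""
Normalize GenII-style honeywall firewall log lines into one uniform event
schema, then run two analyses over them: a per-port summary of inbound probes
(useful even when nothing is compromised) and an outbound-burst alert, the
classic GenII signal that a honeypot has been taken over. All sample data is
constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed syslog sample in the shape a GenII rc.firewall log-prefix rule
# produces: direction prefix, then the iptables KEY=VALUE fields and flags.
SAMPLE_LOG = """\
Oct  5 18:01:02 honeywall kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=22 SYN
Oct  5 18:01:09 honeywall kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=43211 DPT=443 SYN
Oct  5 18:02:33 honeywall kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=443 SYN
Oct  5 18:03:41 honeywall kernel: INBOUND UDP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=137
Oct  5 18:20:15 honeywall kernel: OUTBOUND TCP: IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.44 PROTO=TCP SPT=32771 DPT=6667 SYN
Oct  5 18:20:16 honeywall kernel: OUTBOUND TCP: IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.44 PROTO=TCP SPT=32772 DPT=6667 SYN
Oct  5 18:20:17 honeywall kernel: OUTBOUND TCP: IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.45 PROTO=TCP SPT=32773 DPT=80 SYN
Oct  5 18:25:00 honeywall kernel: some unrelated kernel message
"""

# Constructed honeypot address (RFC 5737 documentation range).
HONEYPOTS = {"192.0.2.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<direction>INBOUND|OUTBOUND) \w+: (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, year=2004):
    """Map one syslog line onto the uniform schema; return None for lines
    that are not firewall events (any other kernel message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("fields")
    fields = dict(FIELD_RE.findall(raw))
    # Bare tokens such as SYN or DF carry no '=' and are TCP/IP flags.
    flags = {tok for tok in raw.split() if "=" not in tok}
    # Syslog timestamps have no year; the caller supplies it (assumed 2004).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "direction": m.group("direction").lower(),
        "proto": fields.get("PROTO"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": "SYN" in flags,
    }


def load_events(log_text):
    """Parse a whole log, silently skipping non-firewall lines."""
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]


def inbound_port_summary(events, top=5):
    """Count inbound attempts per (proto, dport): the 'what is being probed'
    view that gives value from a honeynet even with no compromise at all."""
    c = Counter((e["proto"], e["dpt"]) for e in events if e["direction"] == "inbound")
    return c.most_common(top)


def outbound_alerts(events, honeypots, max_outbound=1, window_seconds=60):
    """Flag a honeypot that initiates more than max_outbound connections
    within window_seconds. A honeypot has no legitimate users, so a burst of
    outbound SYNs is the compromise indicator worth paging on."""
    alerts = []
    for hp in sorted(honeypots):
        out = sorted(e["ts"] for e in events
                     if e["direction"] == "outbound" and e["src"] == hp and e["syn"])
        for i in range(len(out)):
            j = i
            while j + 1 < len(out) and (out[j + 1] - out[i]).total_seconds() <= window_seconds:
                j += 1
            count = j - i + 1
            if count > max_outbound:
                alerts.append({"honeypot": hp, "first_seen": out[i], "count": count})
                break  # one alert per honeypot is enough to trigger notification
    return alerts


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("events parsed:", len(events))
    for (proto, port), n in inbound_port_summary(events):
        print(f"  inbound {proto}/{port}: {n}")
    for a in outbound_alerts(events, HONEYPOTS):
        print(f"ALERT {a['honeypot']}: {a['count']} outbound SYNs "
              f"starting {a['first_seen']:%b %d %H:%M:%S}")
```

Feeding the records into a database instead of a list is the step the report describes with the nF schema; the two analysis functions are the kind of query that would run off such a table, and the alert function is the piece that could drive the compromise notification section 1.3 asks for.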