Honeypots for Cloud Providers
Matthew A Johnson
Professional Lecturer of Computing Technology
Matthew.Johnson1@marist.edu
Daniel Jast
Vallie Joseph
Piradon Liengtiraphan
Challenges for providers/carriers
Networks are moving toward SDN and NFV
Adoption/migration presents new challenges
Virtualized appliances are software
Typically VMs running familiar OS (Linux, BSD, Windows)
May be accessed remotely (e.g., via SSH)
As such they have traditional IT vulnerabilities
Remote intrusion
Denial of service
Imagine losing a vrouter, firewall, controller, load balancer!
Security policy implications
Awareness of threats to network resources is critical
Actively monitor access attempts
Record attack data for future audit or analysis
Defensive measures must be appropriately deployed
Block/divert unauthorized access
Hide virtual network resources to mitigate DDoS
Analytics can transform attack data into threat intelligence
Orchestrate/deploy both proactive + reactive measures
Traditional defense strategies
Corporations often use Patch-and-Pray 1
Patching security software after harmful attacks
Keeping security software up to date
Find tools to deal specifically with attack types suffered previously
These strategies assume that the attacks have already happened
By the time a company discovers an attack, it’s usually too late
Damage is already done
Business now spends additional funds to remedy the situation
Examples: Yahoo, Sony, AT&T
1. http://blog.eiqnetworks.com/blog/don-t-rely-on-patch-and-pray-use-vulnerability-management-to-secure-your-network
Evolving threat landscape
Threat landscape is constantly changing
Attack technologies evolve alongside new security measures
Various types of threats
Brute force attackers
Botnets
Advanced persistent threats
Attackers have the advantage
Only one vector needs to work
Defenders must account for all attack vectors
Cannot stay ahead of attackers using only traditional defense strategies
“Smart” Defense
Using analytics to adjust security protocols as needed
Generated from detailed attacker information collected from honeypots
Constantly updated with new attacker data
Predict attack patterns
Patterns drawn from similarities in data
Allow firewalls and other cybersecurity protocols to learn from attacks
Data collection and analytics are required for adaptive security protocols
Honeypots can collect this data
Cowrie (SSH/Telnet honeypot)
What is a honeypot?
A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked.1
More generally… “a security resource whose value lies in being probed, attacked, or compromised.”2
1. https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9
2. http://www.honeypots.net/
Why do we need honeypots?
Honeypots keep systems and information safer by attracting attacks
Breaches result from gaps in - or lack of - security
Easily accessible resources that appear valuable will divert attackers
Protected resources with real value might be overlooked
Why not simply block all attacks?
Attacks against the honeypot yield a wealth of valuable information
Information can be used for auditing as well as analytics
Analytics enable predictive security protocols
Additional capabilities
Learn not only how attackers get in… but what they do once they get in
Honeypot data collection
Honeypots typically provide analytics software with basic information
IP address
Username/password credentials
Time stamps
Analytics can be improved through providing additional details
Client information (operating system, web browser, etc.)
GeoLocation
ISP data
What can we do with the data?
Learn more about attackers
Classifying attack patterns
Detecting trends
Use what is learned to perform predictive analytics
Use dynamically provisioned firewalls to prevent future attacks
Blacklist IP addresses
Identify harmful geographical groups and areas
How do we do this?
Longtail
Syslog Analyzers (IP Counting functions, Country Counting functions, etc.)
Longtail Analytics
Open source analytics software
Developed at Marist College
Crawls through information provided by honeypots
Analyzes different types of attacks to sort them into attack patterns
Attack Patterns
Example: determine if the attack is a botnet attack
Identifies and classifies botnets
Information has use for the future
Could be used to create dynamic firewalls
Proactively deploy security protocols to help defend against attacks
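The counting, classification and dynamic-firewall steps described on the two preceding slides, as an added worked example. This is not Longtail's own code (the page does not show any); it is a stand-alone illustration that reads honeypot login events in Cowrie's JSON-lines layout (eventid, src_ip, username, password, timestamp), counts attempts per IP and per country, flags a credential sequence replayed by several sources as botnet-like, and emits block rules. The log lines, the GEO lookup table, the botnet thresholds and the block threshold are constructed for the example.

```python
"""Added example of Longtail-style honeypot analytics (not Longtail's code).

Steps shown: parse Cowrie JSON-lines login events, count attempts per IP
and per country, flag a credential sequence replayed by several sources
as botnet-like, and emit firewall block rules.  SAMPLE_LOG and GEO are
constructed for the example, not real captures or a real GeoIP feed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in Cowrie's JSON-lines layout: three sources cycle
# through the same two credentials within a minute (one of them then
# logs in); a fourth source makes a single unrelated attempt.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","timestamp":"2016-10-11T09:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"admin","timestamp":"2016-10-11T09:00:02.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.42","username":"root","password":"123456","timestamp":"2016-10-11T09:00:20.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.42","username":"root","password":"admin","timestamp":"2016-10-11T09:00:21.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.200","username":"root","password":"123456","timestamp":"2016-10-11T09:00:40.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.200","username":"root","password":"admin","timestamp":"2016-10-11T09:00:41.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.200","username":"root","password":"toor","timestamp":"2016-10-11T09:00:42.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","timestamp":"2016-10-11T09:05:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"pi","password":"raspberry","timestamp":"2016-10-11T09:05:01.000000Z"}
"""

# Assumed GeoIP table (placeholder country codes); a deployment would
# query a GeoIP database instead.
GEO = {"198.51.100.7": "AA", "203.0.113.42": "BB", "192.0.2.200": "AA", "198.51.100.9": "CC"}


def parse_login_events(text):
    """Return login attempts (failed or successful) with a parsed datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not rec["eventid"].startswith("cowrie.login."):
            continue  # connect/command events carry no credentials
        rec["time"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(rec)
    return events


def count_by_ip(events):
    """The 'IP counting' function: attempts per source address."""
    return Counter(e["src_ip"] for e in events)


def count_by_country(events, geo=GEO):
    """The 'country counting' function: attempts per (assumed) country."""
    return Counter(geo.get(e["src_ip"], "??") for e in events)


def botnet_candidates(events, min_ips=3, window=timedelta(minutes=5)):
    """Flag a failed-login credential sequence as botnet-like when at least
    min_ips distinct sources replay exactly that sequence and their first
    attempts all fall inside one time window.  Returns {sequence: [ips]}."""
    seq_by_ip = defaultdict(list)
    first_seen = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["eventid"] != "cowrie.login.failed":
            continue
        seq_by_ip[e["src_ip"]].append((e["username"], e["password"]))
        first_seen.setdefault(e["src_ip"], e["time"])
    ips_by_seq = defaultdict(list)
    for ip, seq in seq_by_ip.items():
        ips_by_seq[tuple(seq)].append(ip)
    result = {}
    for seq, ips in ips_by_seq.items():
        ips.sort(key=lambda ip: first_seen[ip])
        if len(ips) >= min_ips and first_seen[ips[-1]] - first_seen[ips[0]] <= window:
            result[seq] = sorted(ips)
    return result


def firewall_rules(events, threshold=2):
    """Dynamic-firewall step: iptables DROP rules for every source with at
    least `threshold` failed logins or any successful login.  Rule text
    only; nothing is applied here."""
    failed = Counter(e["src_ip"] for e in events if e["eventid"] == "cowrie.login.failed")
    succeeded = {e["src_ip"] for e in events if e["eventid"] == "cowrie.login.success"}
    block = {ip for ip, n in failed.items() if n >= threshold} | succeeded
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(block)]


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    print("per IP:", dict(count_by_ip(evs)))
    print("per country:", dict(count_by_country(evs)))
    print("botnet-like sequences:", botnet_candidates(evs))
    print("\n".join(firewall_rules(evs)))
```

The botnet heuristic keys on the exact ordered credential sequence rather than on a single password, because a shared password list tried in the same order from unrelated networks is the pattern that distinguishes a coordinated scanner from independent brute forcers; the window check keeps old campaigns from being merged with new ones.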
Honeypots for Cloud Providers - SDN World Congress
Issues with honeypots
Vulnerable to fingerprinting
Scanning a network will reveal identifying characteristics
Attackers can find weaknesses specific to the network they fingerprint
If a honeypot can be fingerprinted then attackers can avoid it
Need to make honeypots hard to fingerprint
Original resources are still vulnerable
Prone to reconnaissance scans
Honeypots effectively fail if attacker finds the real resource
Need to also hide the real resources
Fingerprinting Examples
(Figure: port-scan screenshot, 12 open ports found)
Preventing Fingerprinting
A convincing honeypot must mimic fingerprint of the real resource
Approach depends on the type of honeypot (SSH, client, application, etc.)
SSH honeypot
same open ports as the real portal
same responses to login attempts
same libraries installed
Client honeypot
same server type and version
same look and feel
Nearly impossible to mimic real resource exactly
A honeypot necessarily resides on a different server or port from the real resource, so its location alone can give it away
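One concrete check behind "same responses to login attempts" for an SSH honeypot, as an added example that is not part of the deck: an SSH server identifies itself not only by its banner but by the algorithm lists in its KEXINIT message, and a honeypot whose SSH library advertises different ciphers or MACs than the real host is fingerprintable before any login is attempted. The code below implements the KEXINIT layout of RFC 4253 section 7.1 and the HASSH server fingerprint (MD5 over kex;enc_s2c;mac_s2c;comp_s2c), then diffs a honeypot's lists against the real host's. Both KEXINIT payloads and their algorithm sets are constructed here, not captured from live hosts.

```python
"""Added example: compare the SSH algorithm fingerprint of a honeypot with
that of the real host it imitates.  Not the deck's tooling.  Implements the
KEXINIT payload layout (RFC 4253 s7.1) and the HASSH server fingerprint;
REAL and HONEYPOT are constructed algorithm sets, not live captures."""
import hashlib
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order.
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """SSH name-list: uint32 length followed by comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload: type byte, 16-byte cookie, ten name-lists,
    first_kex_packet_follows flag, reserved uint32."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        body += _name_list(lists.get(field, []))
    return body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Parse a KEXINIT payload back into {field: [algorithm names]}."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16  # skip type byte and cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[field] = raw.split(",") if raw else []
    return lists


def hassh_server(lists):
    """HASSH server fingerprint: md5 of kex;enc_s2c;mac_s2c;comp_s2c."""
    parts = [",".join(lists[f]) for f in ("kex", "enc_s2c", "mac_s2c", "comp_s2c")]
    return hashlib.md5(";".join(parts).encode("ascii")).hexdigest()


def fingerprint_diff(real, honeypot):
    """Fields whose lists differ, with the names present on one side only.
    An empty dict means the honeypot advertises exactly what the host does."""
    diff = {}
    for field in KEXINIT_FIELDS:
        if real[field] != honeypot[field]:
            diff[field] = {"real_only": sorted(set(real[field]) - set(honeypot[field])),
                           "honeypot_only": sorted(set(honeypot[field]) - set(real[field]))}
    return diff


# Constructed algorithm sets: the honeypot's SSH library offers one extra
# legacy cipher and lacks the real host's UMAC MAC.
REAL = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ssh-ed25519"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr"],
    "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "umac-64@openssh.com"],
    "mac_s2c": ["hmac-sha2-256", "umac-64@openssh.com"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
    "lang_c2s": [], "lang_s2c": [],
}
HONEYPOT = dict(REAL, enc_s2c=["aes128-ctr", "aes256-ctr", "3des-cbc"],
                mac_s2c=["hmac-sha2-256"])


def check():
    """Round-trip both sets through the wire format, then compare."""
    real = parse_kexinit(build_kexinit(REAL))
    pot = parse_kexinit(build_kexinit(HONEYPOT))
    return hassh_server(real) == hassh_server(pot), fingerprint_diff(real, pot)


if __name__ == "__main__":
    same, diff = check()
    print("honeypot HASSH matches real host:", same)
    for field, d in diff.items():
        print(field, d)
```

Against a live pair of hosts the same comparison is made by capturing each server's KEXINIT (the first packet it sends after the version banner) and feeding the payload to parse_kexinit; the fingerprint has to match on every list, not just the ones HASSH hashes, because a scanner can look at any of them.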
First-Packet Authentication™
(Figure: timeline of session setup followed by data packet flows. Current security products start after network sessions are established; First Packet Authentication stops unauthorized access at the earliest possible time.)
Caller-ID analogy: before caller-ID, you must answer to determine identity; after caller-ID, you only answer known and trusted callers.
Problem with traditional protocols
Identity of user/device determined only AFTER establishing session
Leaves networks vulnerable to several kinds of attacks
BlackRidge Transport Access Control (TAC) solves the problem
Authenticate identity & enforce policy on first packet before session
Cloaking with BlackRidge
Hiding critical resources
First-packet authentication™ blocks without revealing info to an attacker
With BlackRidge we can completely cloak desired devices
These devices include but are not limited to:
SDN Controllers, ESXi Servers, Virtual Machines, etc.
Defense in Depth
Combine with honeypots to more effectively divert traffic
Optimal data collection requires catching more attacks on the honeypot
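A toy illustration of the first-packet authentication idea from the two preceding slides, added here as an example. It is not BlackRidge TAC, whose token format and protocol the page does not describe; it only shows the generic property the slides rely on: the first packet carries an identity token that is verified before any session state exists, and every failing packet is dropped without a reply, so a scanner gets the same silence from a cloaked controller as from an unused address. The packet layout (identity id, timestamp, truncated HMAC), the shared key, the replay window and the per-identity port policy are all assumptions made for this example.

```python
"""Added example: a toy first-packet authentication gate.  NOT BlackRidge
TAC; it illustrates verifying identity on the very first packet and
dropping failures silently.  Token layout, key and policy are assumed."""
import hashlib
import hmac
import struct

# Assumed token layout at the start of the first packet:
# identity id (uint32) | timestamp seconds (uint32) | 16-byte truncated HMAC-SHA256
TOKEN_LEN = 4 + 4 + 16
MAX_SKEW = 30  # seconds of clock skew tolerated; bounds replay of a captured token


class FirstPacketGate:
    def __init__(self, keys, policy):
        self.keys = keys        # identity id -> shared secret
        self.policy = policy    # identity id -> set of destination ports it may reach
        self.seen = set()       # (id, ts, tag) replay cache within MAX_SKEW

    @staticmethod
    def make_token(identity, key, ts):
        """Client side: identity and timestamp, authenticated with the shared key."""
        msg = struct.pack(">II", identity, ts)
        tag = hmac.new(key, msg, hashlib.sha256).digest()[:16]
        return msg + tag

    def decide(self, first_packet, dst_port, now):
        """Gate side.  Return "SYN-ACK" to answer the caller, or None to drop
        silently.  Nothing is sent and no state is kept for a failing packet,
        so a scanner cannot tell a cloaked host from a dead address."""
        if len(first_packet) < TOKEN_LEN:
            return None                                   # bare SYN from a scanner
        identity, ts = struct.unpack(">II", first_packet[:8])
        tag = first_packet[8:TOKEN_LEN]
        key = self.keys.get(identity)
        if key is None:
            return None                                   # unknown caller
        expected = hmac.new(key, first_packet[:8], hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None                                   # forged or corrupted token
        if abs(now - ts) > MAX_SKEW:
            return None                                   # stale token
        if (identity, ts, tag) in self.seen:
            return None                                   # replayed token
        if dst_port not in self.policy.get(identity, set()):
            return None                                   # identity not allowed here
        self.seen.add((identity, ts, tag))
        return "SYN-ACK"


def demo():
    """Exercise the gate: one trusted caller, then the failure modes."""
    key = b"constructed-shared-secret"     # assumed, per-identity secret
    # Identity 7 may reach SSH (22) and an OpenFlow controller port (6633).
    gate = FirstPacketGate(keys={7: key}, policy={7: {22, 6633}})
    now = 1_476_180_000
    good = FirstPacketGate.make_token(7, key, now)
    return {
        "trusted": gate.decide(good, 6633, now),
        "replay": gate.decide(good, 6633, now + 1),
        "plain_syn": gate.decide(b"", 6633, now),
        "tampered": gate.decide(good[:-1] + bytes([good[-1] ^ 1]), 6633, now),
        "wrong_port": gate.decide(FirstPacketGate.make_token(7, key, now + 2), 443, now + 2),
        "stale": gate.decide(FirstPacketGate.make_token(7, key, now - 600), 22, now),
        "unknown_id": gate.decide(FirstPacketGate.make_token(9, key, now), 22, now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-10s -> %s" % (case, verdict or "(dropped silently)"))
```

The defense-in-depth pairing the slide describes follows from the verdicts: every None is traffic that never reached the cloaked resource, and a deployment can steer exactly that traffic to the honeypot, which is where the data collection wants it.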
BlackRidge examples
(Figure: scan output showing open ports and host details without BlackRidge, and the same scan with BlackRidge)
Firewall/IPS protection: a firewall/IPS allows a large number of TCP connection attempts through, and information leaks.
BlackRidge protection: BlackRidge does not allow any unauthorized connection attempts or scans (information leakage) to occur.
BlackRidge in testbed
(Figure: testbed diagram. Components: WDM Node B and WDM Node C; Ciena Metro Ethernet; SDN Controller and Network Hypervisor with cloud orchestrator API; Orchestrator with Application Security Policy; Brocade/Vyatta 5600 V-Router/Firewall; Marist LongTail Honeypots & Analytics; Marist API code; Marist Remote Management App (NETCONF); NYS CCAC Ecosystem)
1. A. Jain, B. Buksh, Advance Trends in Network Security with Honeypot and its Comparative Study with other Techniques, IJETT 29/6 Nov 2015
2. http://www.infoworld.com/article/3128818/security/10-decisions-youll-face-when-deploying-a-honeypot.html
3. https://www.honeynet.org/blog
4. http://searchsecurity.techtarget.com/definition/Security-as-a-Service
Honeypot popularity
Companies are increasingly interested in this space1,2,3
Seeking more data to support security analytics
Setting up honeypots in their networks
Tenants might be deploying these technologies in the cloud
Providers have an opportunity to enhance their cloud offerings
SECurity as a Service
“a business model in which a large service provider integrates their security
services into a corporate infrastructure on a subscription basis more cost
effectively than most individuals or corporations can provide on their own,
when total cost of ownership is considered”4
What can providers do?
Deploy their own honeypots
Collect data for historical and predictive analytics
Honeypots as a service
Offer templates to customers who wish to use honeypots
Simplify setup and deployment
Security analytics as a service
Up-to-date threat intelligence can enable dynamic security policies
Offer tenants access to valuable information from honeypot analytics
Opportunities for SECaaS
Conclusion
SDN+NFV poses new cybersecurity challenges for providers
Adaptive intelligence-driven security measures are needed
Honeypots not only add a layer of security… they can also capture vital data
Analytics (e.g. “Longtail”) leverages data for prediction and real-time response
Pair honeypots with cloaking technologies for Defense in Depth
Honeypots and threat analytics also present SECaaS opportunities
Acknowledgements
This work is supported in part by the National Science Foundation grant 1541384 Campus Cyberinfrastructure - Data, Networking and Innovation Program (CC-DNI), per NSF solicitation 15-534, for the project entitled CC-DNI (Integration (Area 4): Application Aware Software-Defined Networks for Secure Cloud Services (SecureCloud))
Questions?