A brief overview of threat intelligence infrastructure, in which Andrew Morris focuses on tools for building honeypots that do not require a lot of resources.
So, again, the tl;dr of infrastructure – we are going to talk about honeypots briefly. Raise your hand if you know what a honeypot is. Okay, almost everybody’s hand just went up. That’s good. I was giving a very similar talk to this elsewhere and I was like “Okay, raise your hand if you know what a honeypot is,” and literally nobody in the room raised their hand. I was like “Oh god, this talk is going to suck so bad for all of you guys, I’m so sorry…” So, in case you aren’t aware, a honeypot is a machine or a service that serves no business purpose whatsoever. Its only job is to attract the attention of bad guys.

In terms of infrastructure, like I said, we are going to kind of breeze over this a little bit (see right-hand image), because I have another presentation that talks about this a lot more in-depth. Basically, I set up lots of cheap honeypots that are sitting directly on the Internet. I use a lot of Kippo, and I’m going to talk about that in a little bit; some Dionaea, which is another type of honeypot; and a bunch of empty Apache servers which actually, believe it or not, are really cool because they are going to collect logs on people that are just blasting the Internet looking for the presence of a file, or looking for shellshock, or looking for a bunch of stuff like that. We are going to talk about centrally managing and aggregating the data. Something that I use is called MHN, which is Modern Honey Network. It’s developed by ThreatStream, it’s awesome!
And then, I’m going to talk about some stupid-cheap hosting. Cloud at Cost – if you guys aren’t familiar with it – is an awesome company that you can rent just stupid-cheap VPSes with. You can get them for $1 a month, or you can get them for a $35 one-time fee and you have them forever. Can confirm, have had Cloud at Cost VPSes for, like, two years that I paid $35 for two years ago, so now I have, like, 30 of them. It’s awesome! And then there’s also AWS Free Tier, where you can get four or five of them and pay nothing. You get cheap, low-performance VPSes that sit on the Internet that you can do whatever you want with. So, if you want to set up 10 sensors for $40 a year, you can get five Amazon Free Tier boxes, four or five Cloud at Cost boxes, and you’ve just paid $40 for one year of having 10 servers that sit directly on the Internet. They might not have the best performance in the world, because they are Free Tier and they are Cloud at Cost, but honeypots don’t really necessarily take up a lot. They’re not super CPU-intensive or anything, and they’re not really going to be doing anything crazy.

So, I’ll talk about Kippo a little bit (see left-hand image). I use lots of Kippo. Kippo is a medium-interaction SSH honeypot. “Medium-interaction” basically means it sits between low and high interaction. A low-interaction honeypot can be classified as something that just sits there and maybe looks at things that are port-scanning it, or anything like that. It doesn’t actually emulate the service. Or maybe it even gives something like a banner. Kippo is a great example of a medium-interaction honeypot because it emulates the service itself, what an SSH client is used to looking at. So, it’s kind of tough to tell whether this is a honeypot or not when you’re just looking at it, because you’re actually interacting with it, you’re typing commands, you’re authenticating, all that stuff.
And then, a high-interaction honeypot will be something like it is the code, it’s not emulating, and maybe it’s just ephemeral, maybe it goes away once the bad guy logs out or something like that.
Kippo logs bad guys’ terminal sessions for playback, which is really cool. So, when a bad guy logs into your Kippo session or logs into your Kippo instance trying to do bad stuff or whatever, it actually records the TTY log, and you can play it back. And sometimes it’s hilarious, because sometimes the bad guys have no idea what they are doing. You’ll see them, like, type a command and then the command will fail, and you’ll see them pause, and then you’ll see them type another command – backspace it and type another command. You’re like, alright man, come on, get it together.
You can configure what credentials you want it to allow. By default there’s, like, one password that will let bad guys in. You can make it allow any password. I actually haven’t done that. That’s hilarious, I should do that. You can set up a list of, you know, five passwords that you want. And sometimes you do have to be careful with the passwords that you want it to accept, because sometimes bad guys will actually not use really-really-really easy passwords, believe it or not. Or if more than one password is accepted on a box – the bad guys will know that it’s a honeypot and they won’t execute any activity on it, which is weird, but that’s what they’ve started doing recently.
The things that Kippo logs are the username that somebody is trying to authenticate with, the password, the source IP address it’s coming from, and the SSH library version. And then, once attackers actually get into Kippo, it has a fake ‘wget’ command that actually hooks an HttpGet request or whatever. So, if a bad guy logs in and tries something like ‘wget’ a piece of malware – even though Kippo is a honeypot, it’s not actually real – it will still reach out and grab that malware sample and pull it in so that you can analyze it later. Unrelated – I actually wrote a Metasploit module which identifies Kippo instances externally. I don’t think this has been fixed yet, so you can still identify them, which is funny because that’s something that bad guys should do, but they don’t. It’s probably going to be fixed pretty soon.

I did some no budget illustrations in MS Paint (see right-hand image), because I don’t have Photoshop and I kind of wanted to stick with the theme. This is your machine talking to a honeypot. This is you managing a honeypot, and a bad guy is going to be attacking the honeypot. This is really entry-level and blown out of budget. You got one honeypot, you got your box, you log in, you look at attacks that people are doing, and that’s just kind of how it looks. And MHN comes in (see left-hand image), which is really handy for a number of different things. Yeah, it should say “Modern” instead of “Managed”, I’m sorry. It’s developed by ThreatStream. The developer is awesome for answering all my dumb-ass questions. It’s “open source-ish”. You can still download and implement it, but they have a pay model. It allows you to deploy honeypots really easily. It’s got deployment scripts that you can just paste into your box when you are configuring them. It sets everything up. It’s super-easy, and it will configure it in five or ten minutes. It aggregates the data for you.
It’s got the Mnemosyne database that sits on top of MongoDB, so if you have ten honeypots that are all configured to use hpfeeds and talk to an MHN instance, then it will aggregate everything together and you can query it kind of centrally, which is awesome. The API is awesome for it. It’s not documented currently, so you have to literally read through the Python code or, in my case, just email the developer until he emails you back, which he does. He’s getting sick of it, but he does. And yes, Mnemosyne is awesome. It’s something that somebody else wrote that, basically, sits in between; it expects hpfeeds data and it writes it to MongoDB. It’s really cool. It looks like this (see right-hand image). I took this about an hour ago. Usually those little question marks there are actually the country’s flag of where the IP address is originating from. In this case, I’m getting hit a lot by this group in Hong Kong. For some reason the geo data doesn’t report that it’s in Hong Kong, but it is in Hong Kong. These people are crazy. They’ll hit you with 200,000 attempts per day. It’s actually nuts. A couple of gotchas about MHN (see left-hand image). I really recommend that you update the deploy scripts so that you have more stuff, like include your own SSH public key or update the hostname, have it install packages – you can update all this stuff in the deployment scripts, which I didn’t realize for a long time. MHN pulls ThreatStream forks of popular GitHub repos by default, so if you want to use MHN to deploy a Kippo instance onto a box, then it will pull from the ThreatStream fork of Kippo instead. You can consider forking your own repos. I have actually just done this recently, so I can update Kippo and I can update the version that it pulls and I can add my own stuff and I don’t have to worry about doing it after the fact.
And then, also some other things. I try to make a habit of maintaining a safe list, like a whitelist. If I’m testing my honeypots or whatever and I don’t want my benign data to contaminate otherwise 100% attacker data, it’s a good idea to maintain a safe list of the IP addresses that you’re coming from so that you can ‘grep -v’ that later or suck that out of the database.

So, after implementing MHN and some other stuff, my no budget threat intel stuff is kind of more blown up to look a little bit more like this (see right-hand image). We’ve got more no budget architecture diagrams right now. Didn’t use Visio because I got no budget. I used MS Paint. We’ve got untrusted honeypots that are sitting out there on the Internet. They are all centrally talking back to a semi-trusted MHN instance. It’s semi-trusted in that I still don’t have anything that’s on there. You can think of it like a DMZ almost. And then, behind that I have my trusted machine which connects to that. And I do actually trust the machine at the bottom; it’s configured with a password that I actually use, and things like that. Then my machine connects to the trusted machine. Everything sucks logs ever so. You can assume that if a honeypot just blows up or gets completely compromised – it doesn’t matter. You don’t trust any data on it, you’re not losing anything and so on and so forth. If this kind of stuff is interesting to you, just the infrastructure itself, see the “Ballin on a Budget” talk that I did at BSides Charleston.
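As an added example (not code from the talk, from Kippo or from MHN), here is a small Python script that ties together two points above: it pulls the fields Kippo records (username, password, source IP, SSH client version) out of Kippo-style log lines, and it drops the operator's own safe-listed addresses before counting anything, so test logins never pollute the attacker-only data. The sample log lines, the safe-list range and the regexes are constructed assumptions loosely modelled on Kippo's text log, not its exact format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, loosely modelled on Kippo's text log; the source
# addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
2015-06-01 10:00:01+0000 [HoneyPotTransport,1,203.0.113.5] Remote SSH version: SSH-2.0-libssh2_1.4.3
2015-06-01 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2015-06-01 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/password] succeeded
2015-06-01 10:05:01+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.77] login attempt [admin/admin] failed
2015-06-01 10:06:00+0000 [HoneyPotTransport,3,192.0.2.10] Remote SSH version: SSH-2.0-OpenSSH_6.7
2015-06-01 10:06:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.10] login attempt [me/mytestpw] succeeded
"""

# Safe list: the operator's own addresses or CIDR ranges (a constructed range here).
SAFE_LIST = ["192.0.2.0/24"]

# One regex per record type; both carry the session id and the source IP.
VERSION_RE = re.compile(
    r"HoneyPotTransport,(?P<session>\d+),(?P<ip>[\d.]+)\] Remote SSH version: (?P<ver>\S+)")
LOGIN_RE = re.compile(
    r"HoneyPotTransport,(?P<session>\d+),(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)")


def is_safe(ip, safe_list=SAFE_LIST):
    """True if ip falls inside any safe-listed address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in safe_list)


def parse_log(text, safe_list=SAFE_LIST):
    """Extract login attempts and client versions, dropping safe-listed sources."""
    attempts, versions = [], {}
    for line in text.splitlines():
        m = VERSION_RE.search(line) or LOGIN_RE.search(line)
        if not m or is_safe(m["ip"], safe_list):
            continue  # unparsed line, or our own test traffic
        if "ver" in m.groupdict():
            versions[m["ip"]] = m["ver"]
        else:
            attempts.append({"ip": m["ip"], "user": m["user"],
                             "password": m["pw"], "success": m["result"] == "succeeded"})
    return attempts, versions


def summarize(attempts, versions):
    """Counts an analyst wants first: noisiest sources, most-tried credentials, successes."""
    return {
        "attempts_by_ip": Counter(a["ip"] for a in attempts),
        "credentials": Counter((a["user"], a["password"]) for a in attempts),
        "successful_logins": [a for a in attempts if a["success"]],
        "client_versions": versions,
    }
```

With MHN in place the same filtering would be applied to the Mnemosyne records instead of the raw text log, but the idea is identical: strip your own addresses first, then count.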