Saturday, June 16, 2012

Honeypot Design

I worked with Micah Kays over the past couple weeks on building a full-interaction honeypot. I bought a Dell desktop off Craigslist (80gb hard drive, couple GB of RAM, don't remember anything else about it's stats) for $100. The hardware was cheap.

Here is how we instrumented it to prepare to perform Incident Response and Digital Forensics (DFIR) against it:

The base operating system is an installed version of Security Onion (http://securityonion.blogspot.com/). This provides a full Network Security Monitoring (NSM) suite complete with the following:

  • Snorby and Sguil, front ends for Snort that integrate the full NSM suite into a single interface
  • Snort/Suricata/Bro - different detection engines for alerting on possibly malicious network traffic
  • OpenFPC/daemonlogger - provides full-packet-capture for Snorby/Sguil, respectively
So we have the network all configured. To gain access to the host's memory, we are running virtualbox in debug mode (--debug). After the incident, we will use .pgmphystofile, which will dump the memory. We installed Volatility (https://www.volatilesystems.com/default/volatility) to be able to work with the memory image and assist in the investigation.

To perform investigations on the hard drive, we're going to try our hand at a post hogfly made (http://forensicir.blogspot.com/2008/01/virtualbox-and-forensics-tools.html).

Both the memory and hard drive acquisition techniques are minimally intrusive to changing the state of the machine. We are going to test the difference between using those two methods, and then adding triage-ir (http://code.google.com/p/triage-ir/) into the mix. Expect future blog posts with comparison notes, but note that traige-ir is meant to gather log files quickly as hard-drive acquisition is often not viable for -every- incident investigation.

What's the attack vector? I took a suggestion from a fellow coworker and we allowed FTP and RDP to be accessible from the outside, both configured with the same weak username and password combination.

To be alerted to when we need to start responding, Micah set up a rule looking for successful FTP logins. This isn't a valid server, so no one will be using it for legitimate reasons.

In the future, we'll be posting about the compromises that occurred and how to use the different DFIR tools to assist in the investigation process.

Do you have any suggestions on how to better instrument this honeypot, whether it's in the way we are monitoring/responding, or the attack vector?