Honeypots: A Means of Sensitizing Awareness of Cybersecurity Concerns - Ilirjana Zymberi
Ilirjana Zymberi
Honeypots: A Means of Sensitizing Awareness of Cybersecurity Concerns
Metropolia University of Applied Sciences
Bachelor of Engineering
Information and Communication Technology
Bachelor’s Thesis
1 May 2021
Abstract
Author: Ilirjana Zymberi
Title: Honeypots: A Means of Sensitizing Awareness of Cybersecurity Concerns
Number of Pages: 39 pages
Date: 1 May 2021
Degree: Bachelor of Engineering
Degree Programme: Information and Communication Technology
Professional Major: Internet of Things and Cloud Computing
Instructors: Erik Pätynen, Senior Lecturer
The cybersecurity landscape is constantly evolving, meaning threat actors continually find and develop novel ways to cause disruptions across networks, systems, and devices. To counter these disruptions, there is a need to find new ways of detecting and defending. The objective of this thesis was to gain an understanding of current threats facing cybersecurity and to identify the usefulness of honeypot systems in a network. The goal was to set up two honeypots, the first one being the DShield Honeypot system installed and set up on a Raspberry Pi, which ran for five days. The second honeypot system, T-Pot, installed on a dedicated laptop, ran for six days. These honeypot systems were deployed on a private network for research purposes to gain data on threat actors, such as source IP addresses, country of origin or the exploits used. Using this data, an analysis of the results was conducted, providing insight into and understanding of the cybersecurity threats facing a network. In conclusion, the study has given an understanding of how honeypots can work as a valuable resource in securing networks.
Keywords: cybersecurity, honeypot, intrusion detection system
Abstract (translated from the Finnish)
Author: Ilirjana Zymberi
Title: Honeypots: A Way to Increase Awareness of Cybersecurity Concerns
Number of Pages: 39 pages
Date: 1 May 2021
Degree: Bachelor of Engineering
Degree Programme: Information and Communication Technology
Professional Major: IoT and Cloud Services
Instructors: Erik Pätynen, Senior Lecturer
Cybersecurity develops constantly, and with it the threats related to it. Cybercriminals are constantly inventing ways to cause disruption in the networks of organizations and individuals and in the devices belonging to them. In order to fight these threats, means of defeating them must be developed. The purpose of this work is to try to understand the significance of cybersecurity in today’s world and the role of honeypots in it. The goal was to build two honeypots, the first of which is the DShield honeypot system, which was installed on a Raspberry Pi device. The second honeypot system is T-Pot, which was installed on a laptop dedicated to this task. The DShield honeypot was running for five days and the T-Pot system for six days. During these days the honeypot systems collected many kinds of data, such as attackers’ IP addresses, attackers’ location information, and the means used in the attack attempts. Analysing the collected data and results helped to gain insight into the threats the systems face. As a result, the significance of honeypots as a resource for improving cybersecurity was understood.
Keywords: information security, honeypot
Contents
List of Abbreviations
1 Introduction 1
2 Technical background 2
2.1 Cybersecurity history 2
2.2 Current state of Cybersecurity 5
2.3 Honeypots 6
2.3.1 Definition of Honeypots 6
2.3.2 Different Honeypot technologies 7
2.3.3 Honeypots that will be used 9
2.3.4 Selecting network deployment location for Honeypots 10
2.3.5 Disadvantages of Honeypots 12
3 Methodology 13
3.1 DShield installation 13
3.2 T-Pot Installation 15
3.3 Threat Actor Demonstration 24
4 Results and Analysis 28
4.1 Dshield Data 28
4.2 T-Pot Data 29
5 Discussion 33
5.1 Comparison 33
5.2 Limitations 33
5.3 Future research considerations 34
6 Conclusion 35
References 37
List of Abbreviations
OS: Operating System
IDS: Intrusion Detection System
NIDS: Network Intrusion Detection System
1 Introduction
Currently, the rise of cybercrime has driven threat actors to find novel ways of targeting and disrupting networks. Despite all implemented security measures on a network, threat actors still find the means to gain access to systems and acquire valuable data. There are multiple ways to defend a network from an attack; regardless, there is no system that is fully safe in today’s world. Cybercriminals have a variety of tools in their arsenal to conduct attacks. Over the years, new types of attacks have been seen where individuals and organizations have been victims of malicious exploitation. This thesis will attempt to answer the following question: “How is it possible to gain more knowledge of threats that are related to our networks?” This is not an easy question to answer, because cybersecurity is a broad and complex topic and one must consider multiple factors that affect it. Furthermore, this thesis will discuss important facts and features of honeypots and their role in cybersecurity. Firstly, this paper will examine cybersecurity in general, followed by what honeypots are, their differences and their disadvantages. Secondly, the methodology section will describe how two honeypots were chosen for the project to collect data based on the needed criteria. In addition, the section deals with the threat actor’s view. Thirdly, the data collected will be compared and analysed, followed by a discussion of the limitations of the study and future development possibilities. Lastly, the conclusion will provide a summary of the main findings of this thesis. The honeypots were chosen based on the needed criteria and were set up on dedicated devices in a home network environment for testing purposes. The aim of this testing is to collect as much data as possible on external threats and to use this information to analyse and improve network and system security in the future.
2 Technical background
This section will discuss the technical aspects of the thesis, beginning with a history of cybersecurity, pointing out key historical events which led to the development of cybersecurity. This is followed by a description of the current state and the latest threats in cybersecurity. An in-depth analysis of honeypots, their role in cybersecurity, and their advantages and disadvantages will be covered. It is relevant to know the various types of honeypots available and their function. It is also useful to know how demanding different honeypots are and how much monitoring they require. Moreover, this thesis will look at the two honeypots chosen for this work in detail, providing reasons why they were selected.
2.1 Cybersecurity history
Presently, it is easy for people to forget what it is like not to use technology on an everyday basis. Cybersecurity was not a main concern in people’s lives before the first use of interconnected devices. [1.] To understand cybersecurity today and how it might develop in the future, it is important to be aware of crucial historical events relating to cybersecurity. Computer historians discovered the first cybersecurity-related threat, the first documented computer password breach, in the 1960s. The password breach involved a Massachusetts Institute of Technology (MIT) researcher working with a mainframe. The mainframe was restricted by a four-hour time limit set by MIT’s time-sharing system. To overcome the time limit, he printed out usernames and passwords in plain text and used them to allow himself more than the allocated time. [2.] The Advanced Research Projects Agency Network (ARPANET) was formed in 1967 and it set in motion the basis for cybersecurity. [3.] ARPANET was the network that provided the foundation for the Internet to be built upon. [4.] Figure 1 illustrates the first logical map of an interconnected network, from the year 1973.
Figure 1. The Logical Map of ARPANET. Copied from [5].
The 1970s brought significant development in cybersecurity, when the first computer worm was created. Worms are a type of malicious software (malware) that replicates itself from one computer to another. Created by Bob Thomas, the first worm would travel between ARPANET computers and display the text “I’m the creeper, catch me if you can.” on victim computer screens. [5.] Figure 2 below shows a printout of the worm’s output. Despite the worm being harmless, it opened up the possibility of causing issues on networks in a malicious way.
Figure 2. “I’m the creeper: Catch me if you can”. Copied from [6].
The 1980s saw an expansion of network usage and connections across universities, industry and military sectors, and governments. The decade witnessed the first government-funded cyberattack, where the Soviet Union hired a German computer hacker, Markus Hess, to break into 400 military computers and steal military secrets of the United States. Even though the hack was unsuccessful, it marked the beginning of cyberwarfare. [5.] 1987 is said to be the year cybersecurity was born, due to the first commercially available products designed to defend systems from viruses. An example was McAfee, founded by John McAfee, whose software included VirusScan. [3.] During the 1990s, researchers at NASA developed the first program that would become known as a firewall. This kind of program was needed because their California base had been attacked by a virus and securing their data had become important. [5.]
2.2 Current state of Cybersecurity
The concept of cybersecurity has been around for the past five decades. As time has passed, cybersecurity has taken a more important role in organizations and people’s lives. Damaged reputation, wealth and health, and even the loss of one’s life, are a few examples of the consequences of cybercrime. [7.] The current state of cybersecurity has changed over the past thirty years; as technology is a constantly evolving phenomenon, threat actors keep developing new ways to attack. [3; 7.] Nowadays, using hacking tools is easier because all the needed equipment is available online for download. Using these tools is not challenging, and anyone can attempt hacking because there is no need for the same technical knowledge as in the past. [8.]
2.2.1 Current Cybersecurity Threats
Social engineering is still seen as the biggest threat today, as exploiting human psychology is seen as the easiest means of accessing many systems. Every third cyberattack conducted in 2020 included social engineering. [9.] There are many types of social engineering attacks, such as phishing emails, scareware, and baiting. Quid pro quo attacks, however, have become a prevailing social engineering attack conducted by threat actors. This type of attack attempts to deceive the intended victim into installing malware or providing sensitive information by following instructions given by the threat actor, who pretends to be from a legitimate source. For example, the threat actor may contact the victim via phone call, acting as an IT support manager, and get them to install malware masked as a legitimate service. [7.] Another common threat is ransomware, a type of malware which encrypts the victim’s data and demands payment for decrypting the infected data. [9.] The most common method of spreading ransomware is via email, as this method is cost effective and enables the threat actor to take advantage of botnets, networks of compromised devices, to spread ransomware through large-scale phishing efforts. [10.] As different threats have developed over the years, so too have the security measures and tools needed to counter these threats and defend systems. The following sub-section will introduce one of the many tools available, honeypots, which are the focus of this thesis.
2.3 Honeypots
The purpose of this sub-section is to explain what honeypots are, the way they can build threat awareness of a network, and how they can be utilized to enhance a system’s security. Furthermore, a description of different honeypots and the variety of purposes they can be applied to is provided. Finally, the disadvantages of honeypots will be discussed. A honeypot is a security tool that is intended to be probed and attacked by a threat actor. There is a multitude of reasons why one would want to use a tool like this. An important reason to have a honeypot is to study the patterns of threat actors in order to develop a variety of defense mechanisms against attacks. [11.]
2.3.1 Definition of Honeypots
There is a range of definitions for honeypots, which has caused some confusion about how they should be defined. Some see honeypots as a way to deceive threat actors into thinking that they have managed to infiltrate a valuable system, whilst others see honeypots as a means of buying time while a threat actor is attacking the honeypot instead of their systems. In addition, some view honeypots as a basic Intrusion Detection System (IDS). [12.] Lance Spitzner formally defined a honeypot in the following way: “A honeypot is a security resource the value of which lies in being probed, attacked, or compromised”. [8.]
Unlike IDSs or Network Intrusion Detection Systems (NIDS), the value of honeypots lies in their capability of gathering data about threat actors, for example the ability to store keystroke data of the interaction between the threat actor and the honeypot. [13.] Additionally, honeypots can detect zero-day attacks, which are exploits previously unseen and not yet understood by the cybersecurity community. Moreover, any effort to reach services run by honeypots is viewed as questionable by definition. As a result, data gathered by them is more likely to be a true positive. [12.] Another important characteristic of a honeypot is that it can be run on any OS and a variety of devices and run a limitless number of services. These services establish the angles by which a threat actor can probe or jeopardize a system. [13.]
2.3.2 Different Honeypot technologies
The deployment type or build of a honeypot will depend on its purpose. For example, if searching for a specific type of attack, one will need to configure the honeypot to emulate the service that matches the said attack. A honeypot’s customizability is a true advantage, as one can decide on the level of interaction between the threat actor and the honeypot. This allows the honeypot deployer to determine the type of data which will be collected. [8.] Honeypots can be classified by their interaction level, the service emulated, or the fake data generated. The rest of this sub-section will define five categories of honeypots. [14.] High-interaction honeypots commonly emulate actual systems and their purpose is to gather data on the threat actor’s moves, sometimes in real time. Emulating a real system can cause a honeypot to become a threat in itself. Because the system has been rooted, the threat actor can take advantage of the honeypot to further their attack on the network the honeypot is on. [14.] In addition to the risk of a high-interaction honeypot, these systems require more time and effort to set up and are more complex when it comes to monitoring them. [15.] Low-interaction honeypots are technically uncomplicated to implement. This type of honeypot can emulate one or a few services that a threat actor can interact with. Furthermore, these emulations are restricted, meaning that when simulating, for example, a Telnet service, all commands might not work. [14.] Threat actors have limited possibilities to interact with the honeypot, especially since these honeypots do not have an OS. The main task of a low-interaction honeypot is to detect suspicious attempts and collect the login credentials attempted by threat actors, or port scans of the honeypot system. [12.] DShield is an example of a low-interaction honeypot, as it emulates SSH, Telnet and HTTP services and, if configured separately, collects firewall logs from the honeypot. [16.] A medium-interaction honeypot is a blend of high- and low-interaction honeypots. They do not contain the same risks as high-interaction honeypots and are not as simple as a low-interaction honeypot. In other words, these honeypots in a way combine the best features of both honeypot systems. Medium-interaction systems do not simulate a full OS, but they virtualize application layer services and provide all the responses and payloads a threat actor would expect during an exploitation. [12.] The purpose of a Honeyclient system is not to gather data by waiting for an attack on the system, but by trying to find vulnerabilities and exploitations on its own. [17.] These honeypots are configured as client applications and aim to find systems that have been compromised or contain malware. One type of Honeyclient is a web-based application, whose purpose is to find suspicious websites. [14.] A Honeytoken is not a conventional honeypot technology.
This type of honeypot’s task is to lure a threat actor with falsely generated data of any form, such as a file. This file could contain usernames or passwords and could be named in a way that lets the threat actor recognize its contents. The goal of these lures is to deceive the threat actor into opening the file and using the credentials, which would trigger an alarm in the organization’s Security Information and Event Management (SIEM) system. This provides defenders with knowledge of suspicious activity on the network. There are open-source tools available to create honeytokens; an example can be found at canarytokens.org. [14.]
2.3.3 Honeypots that will be used
The first honeypot described in this thesis is a low-interaction honeypot developed by the Internet Storm Center (ISC). This honeypot can be run on a Raspberry Pi, which is a small and affordable computer that can be used for multiple purposes, mainly for playing around. [18.] The Raspberry Pi was selected for this honeypot because it is easy to use and, due to its low price, easy to replace if things go wrong. The purpose of DShield is to gather as much data as possible on attacks conducted by malicious hackers from the Internet. [19.] The DShield honeypot runs three services, which are SSH, Telnet and HTTP. DShield collects SSH and Telnet data with the Cowrie service. This service collects hackers’ attempts at guessing usernames and passwords, i.e., login information. The HTTP part collects HTTP requests, and DShield also collects firewall logs. [20.] The second honeypot used, T-Pot, is not a single honeypot but rather one honeypot system which combines eighteen different dockerized honeypot services. These dockerized services are combined with tools such as Cockpit, CyberChef, and the ELK Stack to provide a web user interface with real-time performance monitoring, data analysis and visualization of the data. Furthermore, T-Pot takes advantage of Suricata, an open-source threat detection engine, which provides information on Common Vulnerabilities and Exposures (CVE). [21.]
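As an added illustration of the honeytoken mechanism described in section 2.3.2 (example code written for this page, not from the thesis or from canarytokens.org): the Python below generates a unique bait credential, renders the lure file, and scans OpenSSH-style authentication log lines for any use of the bait username, which is the event a SIEM would alarm on. The username prefix backup_svc, the host name, and the log lines are constructed sample data, and the sshd log layout is an assumption of this example.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    """A bait credential that no legitimate user will ever present."""
    username: str
    password: str


def make_honeytoken(prefix: str = "backup_svc") -> Honeytoken:
    # The random suffix makes the username unguessable: a legitimate login
    # cannot produce it by accident, so any sighting is a true positive.
    return Honeytoken(username=f"{prefix}_{secrets.token_hex(3)}",
                      password=secrets.token_urlsafe(12))


def bait_file_contents(token: Honeytoken, host: str) -> str:
    # Render the lure as a plausible "leftover" credentials file.
    return (
        "# backup job credentials - do not share\n"
        f"host={host}\n"
        f"user={token.username}\n"
        f"password={token.password}\n"
    )


# Assumed sshd auth line layout: "Mon DD HH:MM:SS host sshd[pid]: Failed|Accepted
# password for [invalid user] USER from IP port N ssh2".
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def scan_auth_log(lines, token: Honeytoken):
    """Return one record per auth-log line in which the bait username was tried.

    Both failed and accepted logins are reported: the bait password is never
    valid on the real host, but a failed attempt already proves the lure was
    read, and the source address is what the defender wants to look at."""
    hits = []
    for line in lines:
        m = SSHD_AUTH.match(line)
        if m and m.group("user") == token.username:
            hits.append({
                "timestamp": m.group("ts"),
                "src_ip": m.group("ip"),
                "result": m.group("result").lower(),
            })
    return hits


# Constructed sample data: a fixed token and four sshd-style lines, two of
# which show the bait username being tried from 203.0.113.7.
SAMPLE_TOKEN = Honeytoken(username="backup_svc_7c1f2a", password="constructed-not-real")
SAMPLE_AUTH_LOG = [
    "Apr 28 10:12:33 fileserver sshd[2201]: Failed password for root from 198.51.100.23 port 51234 ssh2",
    "Apr 28 10:14:02 fileserver sshd[2210]: Failed password for invalid user backup_svc_7c1f2a from 203.0.113.7 port 40022 ssh2",
    "Apr 28 10:14:05 fileserver sshd[2210]: Failed password for invalid user backup_svc_7c1f2a from 203.0.113.7 port 40022 ssh2",
    "Apr 28 10:15:40 fileserver sshd[2231]: Accepted password for alice from 192.0.2.10 port 50100 ssh2",
]

if __name__ == "__main__":
    print(bait_file_contents(SAMPLE_TOKEN, host="10.0.0.5"))
    for hit in scan_auth_log(SAMPLE_AUTH_LOG, SAMPLE_TOKEN):
        print("ALERT honeytoken used:", hit)
```

The scan is deliberately keyed on the exact username rather than on a password, because a username appears in the log even when authentication fails, whereas the password never does; that is what makes a bait username a cheap, low-noise SIEM rule.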
Table 1. Services running on T-Pot.
Honeypot name | Service role
Adbhoney | Utilizes the Android Debug Bridge (ADB) protocol to emulate phones, TVs and DVRs connected to the host. [21.]
Citrixhoneypot | Creates a Hypertext Transfer Protocol Secure (HTTPS) authentication for website access. Therefore, it emulates a false website. [22.]
Cowrie | Acts as an SSH and Telnet medium- to high-interaction honeypot, and it mainly logs the interaction performed by the threat actor with the shell, and brute force attacks. [23.]
Dionaea | Aims to get a copy of malware for research purposes. [24.]
Heralding | A service that collects only credentials. [25.]
Honeysap | A low-interaction honeypot whose only goal is to collect data related to Session Announcement Protocol (SAP) attacks. [26.]
Mailoney | Focuses on Simple Mail Transfer Protocol (SMTP) traffic. [27.]
Rdpy | A Python version of Microsoft Remote Desktop Protocol (RDP). [28.]
Snare | Converts web pages into an attack surface for threat actors. [29.]
2.3.4 Selecting network deployment location for Honeypots
To ensure a honeypot is working properly and collecting the wanted data, it is important to consider the network location of the honeypot. A honeypot used for research purposes will differ in location compared to a honeypot used for production purposes. Figure 3 below illustrates various locations in a network topology where honeypots can be deployed. [8.]
Figure 3. Locations for Honeypots in the Network. Copied from [8].
As we can see from the figure, there are four possible locations, but where a honeypot can be placed is not limited to only these. Honeypots can be used singly, or one can have multiple honeypots in various places on the network. Honeypot A in the figure is placed outside of the network, where the threat actor will find it when scanning the network and interact with it. This successful interaction will draw more attackers and therefore yield more knowledge of the types of attacks on the network. Honeypots B and C seen in Figure 3 are used for deceit, drawing the attacker to them rather than to the other devices on the network. These two honeypots are examples of production honeypots, which are used mainly by organisations to collect data such as source IP addresses. On the other hand, honeypot D is an example of a research honeypot, which focuses more on the methods the threat actors use to break into a system.
Being close to the firewall and having its own independent network, this honeypot cannot become a risk, because the firewall blocks all outbound traffic, meaning the threat actors cannot use the honeypot to attack other systems on the network. [8.]
2.3.5 Disadvantages of Honeypots
A disadvantage of honeypots is that if they are erroneously configured, they can pose a severe security threat to the system by allowing an attacker to access sensitive data through the honeypot. This would be the opposite of what we want to achieve with the honeypot. [31.] Developments in tools such as machine learning and artificial intelligence have permitted threat actors not only to recognize honeypots but also to seek ways to further exploit them. [31.] A honeypot can become meaningless in a short time once a threat actor realizes that it is not a genuine system. There are several ways for a hacker to detect a honeypot, and these ways differ depending on whether it is a low- or high-interaction honeypot. Another risk is the threat actor noticing that the system they are in is a honeypot, causing them to stop interacting with it and to avoid it. [32.] A disadvantage of low-interaction honeypots is that they do not provide an OS and can disclose to the threat actor right away that they did not attack a genuine system. These kinds of honeypots might not provide a sufficiently complex or realistic-looking service. [13.]
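The research honeypot D in section 2.3.4 is only safe because the firewall drops everything the honeypot initiates outbound, and the misconfiguration risk described just above is what remains when that rule is missing or silent. As an added example (written for this page, not from the thesis or from any firewall product), the Python below parses the kernel log lines that an iptables or nftables LOG rule emits for dropped packets and summarises blocked outbound connections from the honeypot's address, so a honeypot that has started calling out is noticed. The log prefix HONEYPOT-EGRESS, the honeypot address 192.168.1.50 and the log lines are constructed assumptions; the field layout after the prefix is the kernel's netfilter LOG format.

```python
import re
from collections import Counter, defaultdict

# Assumptions for this example: the honeypot sits at 192.168.1.50 and the
# firewall logs dropped outbound packets with the prefix "HONEYPOT-EGRESS ".
HONEYPOT_IP = "192.168.1.50"
LOG_PREFIX = "HONEYPOT-EGRESS"

DROP_LINE = re.compile(r"kernel: .*?" + LOG_PREFIX + r" (?P<fields>.*)$")


def parse_drop(line):
    """Return {dst, proto, dport} for a dropped packet sent by the honeypot,
    or None for any other line (different source, not a LOG line, ...)."""
    m = DROP_LINE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        # Flags such as SYN or DF carry no "=", so they are skipped.
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if fields.get("SRC") != HONEYPOT_IP:
        return None
    return {
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize_egress(lines, threshold=1):
    """Count blocked outbound attempts per destination.

    A honeypot has no business initiating connections, so the default
    threshold alerts on a single blocked packet; raise it only to rank
    sustained activity above one-off noise."""
    per_dst = Counter()
    ports = defaultdict(set)
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        per_dst[rec["dst"]] += 1
        if rec["dport"] is not None:
            ports[rec["dst"]].add(rec["dport"])
    alerts = [
        {"dst": dst, "attempts": n, "ports": sorted(ports[dst])}
        for dst, n in per_dst.most_common()
        if n >= threshold
    ]
    return {"total_blocked": sum(per_dst.values()), "alerts": alerts}


# Constructed sample: three blocked attempts to one host on 443, one to an
# IRC-style port, one drop from a different LAN host (ignored) and one
# unrelated kernel message.
SAMPLE_KERNEL_LOG = [
    "Apr 29 03:41:10 router kernel: [81234.120] HONEYPOT-EGRESS IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40122 DPT=443 SYN",
    "Apr 29 03:41:11 router kernel: [81235.004] HONEYPOT-EGRESS IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40122 DPT=443 SYN",
    "Apr 29 03:41:13 router kernel: [81237.310] HONEYPOT-EGRESS IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40122 DPT=443 SYN",
    "Apr 29 03:42:00 router kernel: [81284.551] HONEYPOT-EGRESS IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40130 DPT=6667 SYN",
    "Apr 29 03:42:05 router kernel: [81289.002] HONEYPOT-EGRESS IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51000 DPT=6667 SYN",
    "Apr 29 03:42:06 router kernel: [81290.000] eth0: link up",
]

if __name__ == "__main__":
    report = summarize_egress(SAMPLE_KERNEL_LOG)
    print(f"blocked outbound packets from honeypot: {report['total_blocked']}")
    for alert in report["alerts"]:
        print("ALERT", alert)
```

One caveat for the two honeypots in this thesis: the DShield sensor reports to dshield.org and T-Pot fetches Docker images, so a blanket outbound drop would silence both. The usual arrangement is an allow rule for those specific destinations ahead of the drop-and-log rule, and this summary is then run over what the drop rule logs.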
3 Methodology
The following section will provide a detailed method for installing and running the two selected honeypot systems and is divided into three parts. The first part will describe how the first honeypot system, DShield, was installed and set up on a Raspberry Pi (RPi). The following part provides the installation and setup instructions for the second honeypot system, the T-Pot honeypot. The last part of this section demonstrates how these honeypots are viewed by threat actors. Section four of the thesis, Results and Analysis, will analyze the data collected from the above-mentioned honeypot systems.
3.1 DShield installation
This sub-section is intended to provide a step-by-step means of installing and running the DShield honeypot system on an RPi. These instructions are interpreted from the Linux Format magazine [19].
1. The first step of the installation was to create a bootable Secure Digital (SD) card by using BalenaEtcher, an open-source utility used for writing optical disc images (ISO). For this purpose, the Raspberry Pi Foundation’s own Debian-based Operating System (OS), Raspberry Pi OS, is used, which is ideal for the RPi 3B+ device in use. The OS with a Graphical User Interface (GUI) was chosen, rather than the recommended Lite version without a GUI, because when using the Lite version you will need to SSH into the device every time you need access. It is easier to use the GUI version and attach a monitor, keyboard, mouse, and Ethernet cable to the device.
2. When the OS installation is done, the terminal on the RPi will need to be opened and the following commands typed into the terminal:
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install git
$ sudo reboot
These commands make sure that the device is up to date, and one of them installs git, which is essential for this DShield Pi honeypot installation to succeed.
3. Next, the repository needs to be cloned by typing the following command:
$ git clone https://github.com/DShield-ISC/dshield.git
4. After cloning the DShield repository, running the following installation script commands as root (the Linux superuser) will install DShield onto the RPi:
$ cd dshield/bin
$ sudo ./install.sh
Once the installation finalizes, the DShield honeypot is up and running. However, for the honeypot to retrieve data from attacks, we need to expose it to the Internet. This was done by going to the router’s management page (192.168.1.1) and from there applying port forwarding rules directed at the DShield honeypot’s IP address. The SSH port, 22, the Telnet port, 23, and the HTTP port, 80, were used. Not all routers are the same, which means port forwarding or adding the honeypot to the DMZ zone may vary depending on the type of management page the router has. After port forwarding is set up, one can view the results of connection attempts in real time with the following command in the terminal:
$ tail -f /var/log/dshield.log
The next command shows the login attempts using Telnet and SSH:
$ tail -f /srv/cowrie/var/log/cowrie/cowrie.log
This data can also be seen in the form of graphs and reports. After logging into the website https://dshield.org/, one can view the data in a more readable form compared to what can be seen in the command line interface.
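Tailing cowrie.log is convenient for watching live, but for the kind of analysis done in section 4 it is easier to work from Cowrie's JSON log, which Cowrie writes alongside cowrie.log as cowrie.json (an assumption of this example about the DShield build's Cowrie configuration; the thesis names only the text log). The following Python is an added example, not code from the thesis, DShield or Cowrie: it reads JSON lines, skips a partially written one, and reports login attempts per source address, the most-tried credential pairs, successful logins and any commands typed in a session. The event records are constructed samples that follow Cowrie's eventid naming.

```python
import json
from collections import Counter, defaultdict


def parse_events(lines):
    """Yield one dict per well-formed JSON line.

    A line that is still being written while the honeypot is live, or any
    other malformed line, is skipped instead of aborting the whole run."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event


def summarize(lines, top_n=3):
    """Aggregate Cowrie login and command events into a small report."""
    by_ip = Counter()             # login attempts per source address
    creds = Counter()             # (username, password) pairs tried
    successes = []                # (src_ip, username) for accepted logins
    commands = defaultdict(list)  # session id -> commands typed

    for ev in parse_events(lines):
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            by_ip[ev["src_ip"]] += 1
            creds[(ev.get("username"), ev.get("password"))] += 1
            if eid == "cowrie.login.success":
                successes.append((ev["src_ip"], ev.get("username")))
        elif eid == "cowrie.command.input":
            commands[ev["session"]].append(ev.get("input", ""))

    return {
        "login_attempts": sum(by_ip.values()),
        "top_sources": by_ip.most_common(top_n),
        "top_credentials": creds.most_common(top_n),
        "successful_logins": successes,
        "commands_by_session": dict(commands),
    }


# Constructed sample of cowrie.json lines (addresses from documentation
# ranges; the last line is deliberately truncated).
SAMPLE_COWRIE_JSON = [
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1","timestamp":"2021-04-25T10:00:01Z"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1","timestamp":"2021-04-25T10:00:03Z"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"toor","src_ip":"203.0.113.7","session":"a1","timestamp":"2021-04-25T10:00:05Z"}',
    '{"eventid":"cowrie.login.failed","username":"admin","password":"123456","src_ip":"198.51.100.23","session":"b2","timestamp":"2021-04-25T10:07:12Z"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"198.51.100.23","session":"b3","timestamp":"2021-04-25T10:07:40Z"}',
    '{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.23","session":"b3","timestamp":"2021-04-25T10:07:44Z"}',
    '{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"192.0.2.44","session":"c4","timestamp":"2021-04-25T11:30:00Z"}',
    '{"eventid":"cowrie.login.failed","username":"root","pass',
]

if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_COWRIE_JSON))
```

Run against the real file with summarize(open("/path/to/cowrie.json")) once the honeypot has been exposed for a while; the per-source and per-credential counts are the same figures the DShield web reports draw, and the commands list is the keystroke data section 2.3.1 mentions.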
3.2 T-Pot Installation
This sub-section will provide detailed step-by-step instructions for the T-Pot honeypot system installation, and how to get the system running. These instructions are based on the README.md file, which can be found on the following GitHub page: https://github.com/telekom-security/tpotce/blob/master/README.md
Before installation and setup was possible, it was important to check the technical hardware specifications for the device intended to run the T-Pot honeypot system. These specifications were as follows:
• 8 GB of RAM
• A Solid-State Drive (SSD) with a minimum of 128 GB
• DHCP-enabled network + Internet connection
For the T-Pot honeypot system, a laptop which fulfilled all the needed criteria was used.
1. The first step of the installation process was to clone the T-Pot repository. A separate computer running Ubuntu 20.04 Long-Term Support (LTS) was used to clone and build the T-Pot ISO. The following commands clone the repository to the home directory and enter the newly created tpotce directory:
$ git clone https://github.com/telekom-security/tpotce
$ cd tpotce
2. The T-Pot ISO image can be built using the following script:
$ sudo ./makeiso.sh
3. After the ISO is built, the new tpot.iso file can be found in the directory. Using the Rufus utility, a program which allows one to format and create bootable USB installation media, seen in Figure 4, we write the newly created T-Pot ISO to the USB flash drive:
Figure 4. Rufus utility.
4. The next step of the installation process is to use the USB installation media to boot the T-Pot ISO. It is important to verify the boot order of the computer used for the installation. This can be checked and changed, if needed, through the BIOS options.
5. When the computer is turned on with the USB installation media plugged in, you will be prompted with the “Debian GNU/Linux installer boot menu”. It is then necessary to select the “Advanced options” option.
6. After selecting “Advanced options”, a prompt with several installation options will appear, with the first one being “Select your location”, as seen in Figure 5 below:
Figure 5. Location selections in installation process.
7. The next several prompts continue the base installation process. Due to the length limitation of this thesis, images of each prompt will not be provided. However, the following list provides the prompts in order:
- Select a language
- Configure the keyboard
- Choose a mirror of the Debian archive
8. After completing the installation prompts, the base system will begin installation. The installation progress prompt can be seen in Figures 6 to 8 below:
Figure 6. Installing the base system.
Figure 7. Configuring apt.
Figure 8. Finishing the installation.
9. Once the base system has been installed, a prompt with the T-Pot installer will appear. The installer begins the installation of the T-Pot honeypot system on top of the Debian base system. Firstly, you need to choose the type, or edition, of T-Pot you would like to use. As seen in Figure 9 below, there are five editions to choose from. For this thesis, the Standard edition of T-Pot was chosen, as it suited the research needs.
Figure 9. T-Pot installer: Honeypot type.
10. After selecting the edition, a prompt to set the password for console and SSH access appears, as illustrated in Figure 10 below, where tsec is the default user; it is followed by a password repetition prompt.
Figure 10. T-Pot installer: Password prompt.
11. Subsequently, one will need to create a username and password for the T-Pot honeypot system’s web-based Dashboard. Figures 11 and 12 below show the two prompts.
Figure 11. T-Pot installer: Web user creation prompt.
Figure 12. T-Pot installer: Web user password prompt.
12. This completes the T-Pot honeypot system installation and is followed by an automatically executing installation script, where the various T-Pot services are installed via Docker. Figure 13 below shows the beginning of the installation script.
Figure 13. Beginning of T-Pot installation script.
There are a few ways to verify the system is up and running. Firstly, one can access the Admin User Interface (UI) by entering the following into the chosen browser, where <T-Pot-IP> stands for the address of the T-Pot host:
https://<T-Pot-IP>:64294
Here 64294 is the Admin UI access port. One will be prompted for the tsec user and the password which was set during installation; after signing in, the web page shown in Figure 14 below can be seen:
Figure 14. Admin UI interface on port 64294.
The Admin UI provides technical information, such as CPU, RAM, hard drive and network usage, and the current state of the computer running the T-Pot system. Furthermore, one can edit users, view services, check on Docker containers, apply updates, and access the terminal. The second way to confirm successful installation is to access the T-Pot honeypot system’s Dashboard, which is accessed through port 64297. The following should be entered into the browser:
https://<T-Pot-IP>:64297
A sign-in prompt will appear, and here the web user and password created during installation will allow access to the Dashboard, which is illustrated in Figure 15. Section 4 of this paper will go into further detail on the Dashboard and perform an analysis of the results.
Figure 15. T-Pot web-based dashboard.
The last option for verifying a successful installation is to access the computer directly, using the default user, tsec, and its password. Finally, one can use SSH to access the terminal of the T-Pot computer by issuing the following command in the terminal:
$ ssh -l tsec -p 64295 <T-Pot-IP>
Here 64295 is the SSH port for the system, as we should not use the default port, 22. One can also use PuTTY, an SSH and Telnet client for Windows systems, as seen in Figure 16.
Figure 16. PuTTY SSH connection window.
Once SSH access is successful after sign-in, one can verify the various Docker containers and their related honeypot services which are running. By navigating to the /opt/tpot/bin directory, one can view the status of services by running the dps.sh script as superuser:
$ cd /opt/tpot/bin
$ sudo ./dps.sh
Figure 17 below shows the output of the command; in the figure, the names of the services, their status and running time, as well as the ports associated with the services, can be viewed.
Figure 17. Picture of the output: sudo ./dps.sh
As with DShield, port forwarding must be applied on the router so that the honeypot services are exposed to attacks. Table 2 below shows which ports were opened and the protocols and services associated with them. Only these honeypot ports should be forwarded; the management ports 64294, 64295 and 64297 must remain reachable from the private network only, otherwise the Admin UI, the host's real SSH daemon and the Dashboard would be exposed to the same threat actors the honeypot is meant to observe.
Table 2. Services running on T-Pot with associated ports and protocols.
Honeypot        Port       Protocol
Dionaea         TCP 20     File Transfer Protocol (FTP) data transfer
                TCP 21     File Transfer Protocol (FTP) control
                TCP 445    Microsoft-DS (Directory Services; SMB over TCP)
Cowrie          TCP 22     Secure Shell (SSH) - secure logins
                TCP 23     Telnet - unencrypted text communication
Mailoney        TCP 25     Simple Mail Transfer Protocol (SMTP)
Snare           TCP 80     Hypertext Transfer Protocol (HTTP)
Heralding       TCP 110    Post Office Protocol, version 3 (POP3)
                TCP 143    Internet Message Access Protocol (IMAP)
                TCP 993    Internet Message Access Protocol over TLS/SSL (IMAPS)
                TCP 995    Post Office Protocol 3 over TLS/SSL (POP3S)
Citrixhoneypot  TCP 443    Hypertext Transfer Protocol Secure (HTTPS)
Honeysap        TCP 3299   SAProuter (the SAP network gateway service)
Rdpy            TCP 3389   Remote Desktop Protocol (RDP)
Adbhoney        TCP 5555   Android Debug Bridge (ADB)
3.3 Threat Actor Demonstration
The first step, as a threat actor, would be reconnaissance, where one finds the public IP address of the victim. The second step would be to scan the victim, in this case using an online Nmap tool, https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap. Figure 18 below illustrates the results of the port scan.
Figure 18. Results of the online port scanning tool.
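The port scan in Figure 18 doubles as a check of the router configuration: every honeypot port from Table 2 should show up as open from the outside, and none of the management ports should. The following script is an added example for this page, not code from the thesis or from the T-Pot project. It reads Nmap's grepable output (-oG), so the online scanner used above can be replaced by a local run such as "nmap -Pn -p- -oG scan.gnmap <public-ip>"; the SAMPLE_GNMAP line is constructed to look like that output, uses a documentation address, and is not a real scan result.

```python
"""Compare an external port scan of the honeypot's public address with the
T-Pot port plan from Table 2.

Added example for this page; not code from the thesis or from T-Pot.
The SAMPLE_GNMAP line is constructed, not captured.
"""
import re

# Honeypot ports the router must forward to the T-Pot host (Table 2).
HONEYPOT_PORTS = {
    20: "Dionaea FTP data", 21: "Dionaea FTP control", 445: "Dionaea SMB",
    22: "Cowrie SSH", 23: "Cowrie Telnet",
    25: "Mailoney SMTP", 80: "Snare HTTP",
    110: "Heralding POP3", 143: "Heralding IMAP",
    993: "Heralding IMAPS", 995: "Heralding POP3S",
    443: "Citrixhoneypot HTTPS", 3299: "Honeysap SAProuter",
    3389: "Rdpy RDP", 5555: "Adbhoney ADB",
}

# Management ports from the installation section. They must never be
# forwarded: a threat actor who reaches them gets the Admin UI, the host's
# real SSH daemon or the Dashboard instead of a decoy.
MANAGEMENT_PORTS = {64294: "Admin UI", 64295: "host SSH", 64297: "Dashboard"}

# Constructed sample scan: the Honeysap port was forgotten on the router and
# the Dashboard port was forwarded by mistake.
SAMPLE_GNMAP = (
    "Host: 203.0.113.10 ()\tPorts: 20/open/tcp//ftp-data///, 21/open/tcp//ftp///, "
    "22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///, 110/open/tcp//pop3///, 143/open/tcp//imap///, "
    "443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 993/open/tcp//imaps///, "
    "995/open/tcp//pop3s///, 3389/open/tcp//ms-wbt-server///, 5555/open/tcp//freeciv///, "
    "64297/open/tcp//unknown///\tIgnored State: closed (65520)"
)

# Each entry in the Ports: field is port/state/protocol/owner/service/rpc/version/
_PORT_FIELD = re.compile(r"(\d+)/([^/]*)/tcp")


def parse_open_ports(gnmap_line):
    """Return the set of TCP ports reported open in one -oG 'Host:' line."""
    match = re.search(r"Ports:\s*(.*?)(?:\tIgnored State|$)", gnmap_line)
    if not match:  # host line without a Ports: field (e.g. only 'Status: Up')
        return set()
    return {int(port) for port, state in _PORT_FIELD.findall(match.group(1))
            if state == "open"}


def check_exposure(open_ports):
    """Split a scan result into forwards that are missing, management ports
    that leaked to the internet, and open ports the port plan does not explain."""
    missing = {p: n for p, n in HONEYPOT_PORTS.items() if p not in open_ports}
    leaked = {p: n for p, n in MANAGEMENT_PORTS.items() if p in open_ports}
    unexpected = sorted(p for p in open_ports
                        if p not in HONEYPOT_PORTS and p not in MANAGEMENT_PORTS)
    return missing, leaked, unexpected


if __name__ == "__main__":
    missing, leaked, unexpected = check_exposure(parse_open_ports(SAMPLE_GNMAP))
    for port, name in missing.items():
        print(f"not reachable: {port} ({name}) - check the router forwarding rule")
    for port, name in leaked.items():
        print(f"EXPOSED management port: {port} ({name}) - remove the forwarding rule")
    for port in unexpected:
        print(f"unexplained open port: {port}")
```

Run it against a real scan by replacing SAMPLE_GNMAP with a line from the -oG file. A leaked management port is the finding to act on first: the honeypot's own administration interfaces should be reachable only from the private network, which is the placement used in this thesis.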
The next step would be to gain access to the victim's system. As we can see, ports 80 and 443 are open. These are the web servers emulated on T-Pot (Snare on port 80 and Citrixhoneypot on port 443, per Table 2). As the ports are public, anyone can reach them with an ordinary browser. Figures 19 and 20 below show the web servers of DShield and T-Pot as a browser displays them.
Figure 19. DShield HTTP web server.
Figure 20. T-Pot HTTP web server.
As a threat actor, we can also access the system via SSH or Telnet. By using SSH we can see how DShield and T-Pot simulate operating systems. DShield emulates a Debian system, as seen in Figure 21 after gaining access to the honeypot.
Figure 21. SSH connection into DShield.
T-Pot, on the other hand, emulates Ubuntu when SSH access is gained, as can be seen in Figure 22.
Figure 22. SSH connection into T-Pot.
In T-Pot it was also possible for the threat actor to read the emulated shadow file, which on a real system holds the hashed passwords, as can be seen in Figure 23 below. This gives the threat actor more interaction with the system. The file belongs to the fake filesystem that the Cowrie honeypot presents to every session; its entries are decoys rather than the credentials of the T-Pot host, and every command typed in the session, including this one, is logged by the honeypot.
Figure 23. T-Pot Shadow File.
4 Results and Analysis
This section provides the collected results of the DShield and T-Pot honeypot systems. A brief analysis of the results highlights the most useful data collected, explains the most common vulnerabilities, and gives the reader an understanding of the threats facing networks.
4.1 DShield Data
The data collected from the DShield honeypot was straightforward. As mentioned earlier, DShield emulates three services, SSH, Telnet, and HTTP, so the data collected was limited to traffic involving these services.
Figure 24. Percentage of attack attempts per targeted port.
Figure 24 above shows the percentage of attacks targeted at each port. It can be seen from the graph that most attacks were aimed at port 22, which is the well-known port for SSH connections. Based on this, it can be concluded that attacks over SSH connections are the most popular, accounting for 93 percent of attacks.
Figure 25. Data sorted by the source IP address from which the attacks occurred.
Figure 25 illustrates the source IP addresses from which the attacks came. It can be seen that three of the threat actors' IP addresses appeared more than once in the data, while 85 percent of the attacks came from a range of different IP addresses. Over the course of the five days that DShield ran, the total number of attacks recorded was 17,235.
4.2 T-Pot Data
After running for six days, the T-Pot system had collected a large amount of data from various sources and different attack vectors. This data was accessible through the T-Pot Dashboard, which includes a general dashboard that summarizes all the honeypot services. It also includes a list of the individual services, each of which can be viewed independently, as shown in Figure 26.
Figure 26. T-Pot Dashboard service list.
For this thesis, the focus is on the summarized T-Pot dashboard. The dashboard provides insight into various types of data, such as the top ten honeypot attacks, destination ports, attacks by country, source IP addresses of the attackers, the top usernames and passwords used, and many more. These attack vectors were directed at the open ports discussed in section three.
Firstly, the number of attacks that took place over the six days that T-Pot was running is discussed. As can be seen from Figure 27, the Cowrie service was attacked over 150,000 times. This is not surprising, as Cowrie emulates Telnet and SSH, the services most popular amongst threat actors and unsafe to expose publicly, especially Telnet, which carries credentials in clear text.
Figure 27. T-Pot Top 10 Honeypot attacks.
p0f is a passive TCP/IP stack fingerprinting tool, which helps identify the systems, such as the operating system, running on the machines that threat actors use. As can be discerned from the left-hand side of Figure 28 below, various operating systems were used to conduct attacks; most could not be fingerprinted and are shown as unknown, followed by Windows 7 or 8 and Linux 2.2.x-3.x.
Figure 28. p0f OS Distribution and Attacks by Country.
The graph on the right in Figure 28 displays the number of attacks by country, where most of the attacks originated from Ireland. The country is derived from the source IP address by a GeoIP lookup, so it reflects where the attacking address is registered, frequently a hosting or cloud provider, rather than where the threat actor is located.
An interesting discovery was that the general dashboard includes the top usernames and passwords used in attempts to break into the T-Pot services, as shown in Figure 29.
Figure 29. Most popular usernames and passwords.
The username "admin" was the most frequently used, the reason being that this username comes as a default in many systems and is generally not changed by unmindful users, making it an optimal guess for threat actors. "123456" is the most common password, with over 15,000 counts. One way to explain this is users not wanting to set a complicated password for fear of forgetting it.
Another valuable tool in the T-Pot dashboard is the Suricata CVE data. As mentioned earlier, Suricata is a threat detection engine; its rules carry CVE references, so the dashboard can list alerts by CVE. In Figure 30 below, CVE-2001-0540 was the most frequently matched vulnerability. It is a memory leak in the Terminal Services of Windows NT and 2000 that lets a remote attacker cause a denial of service by sending malformed Remote Desktop Protocol (RDP) requests to port 3389. On T-Pot, port 3389 is served by the Rdpy honeypot, so these alerts record exploitation attempts recognised in the traffic rather than successful exploitation: the honeypot is not a Windows terminal server.
Figure 30. Most common Suricata CVE and alert signature.
There is an abundance of data available through the T-Pot dashboard, allowing users to become more aware of the threats facing their networks and systems.
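The dashboard panels discussed in this section (attacks per port in Figure 24, source addresses in Figure 25, usernames and passwords in Figure 29) can be reproduced directly from the honeypot's raw log when the dashboard is unavailable or when one wants to ask a question it does not answer, for instance which sessions went on to run commands. The following script is an added example for this page, not code from the thesis or from the Cowrie project. It assumes Cowrie's JSON log format, in which each line is one JSON object with an eventid field (cowrie.session.connect, cowrie.login.failed, cowrie.login.success, cowrie.command.input) and the dst_port, src_ip, username, password and input fields used below; the SAMPLE_LOG is constructed in that shape with documentation IP addresses and is not captured data.

```python
"""Aggregate Cowrie's JSON log into the figures the DShield and T-Pot
dashboards show: attacks per port, top usernames, top passwords, top sources.

Added example for this page; not code from the thesis or from Cowrie.
SAMPLE_LOG is constructed, not captured; its last line is deliberately
truncated, as happens when the log is rotated mid-write.
"""
import json
from collections import Counter

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","timestamp":"2021-04-20T10:00:01.000000Z","src_ip":"198.51.100.7","src_port":51234,"dst_ip":"10.0.0.5","dst_port":22,"protocol":"ssh","session":"s1"}
{"eventid":"cowrie.login.failed","timestamp":"2021-04-20T10:00:02.000000Z","src_ip":"198.51.100.7","session":"s1","username":"admin","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2021-04-20T10:00:03.000000Z","src_ip":"198.51.100.7","session":"s1","username":"admin","password":"123456"}
{"eventid":"cowrie.session.connect","timestamp":"2021-04-20T10:05:00.000000Z","src_ip":"198.51.100.7","src_port":51300,"dst_ip":"10.0.0.5","dst_port":22,"protocol":"ssh","session":"s2"}
{"eventid":"cowrie.login.failed","timestamp":"2021-04-20T10:05:01.000000Z","src_ip":"198.51.100.7","session":"s2","username":"root","password":"root"}
{"eventid":"cowrie.session.connect","timestamp":"2021-04-20T11:00:00.000000Z","src_ip":"203.0.113.44","src_port":40000,"dst_ip":"10.0.0.5","dst_port":23,"protocol":"telnet","session":"s3"}
{"eventid":"cowrie.login.failed","timestamp":"2021-04-20T11:00:01.000000Z","src_ip":"203.0.113.44","session":"s3","username":"admin","password":"123456"}
{"eventid":"cowrie.session.connect","timestamp":"2021-04-20T12:00:00.000000Z","src_ip":"192.0.2.9","src_port":60000,"dst_ip":"10.0.0.5","dst_port":22,"protocol":"ssh","session":"s4"}
{"eventid":"cowrie.login.success","timestamp":"2021-04-20T12:00:01.000000Z","src_ip":"192.0.2.9","session":"s4","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","timestamp":"2021-04-20T12:00:05.000000Z","src_ip":"192.0.2.9","session":"s4","input":"cat /etc/shadow"}
{"eventid":"cowrie.session.connect","timestamp":"2021-04-20T12:30:00.000000Z","src_ip":"192.0.2.9","src_port":60010,"dst_ip":"10.0.0.5","dst_port":22,"protocol":"ssh","session":"s5"}
{"eventid":"cowrie.session.connect","timestamp":"2021-04-20T12:31:00.000000Z","src_ip":
"""


def load_events(log_text):
    """Parse one JSON object per line; skip lines that are not valid JSON
    (a truncated line after a crash or log rotation) instead of aborting."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events):
    """Count connections per destination port and source address, credentials
    tried, successful logins and commands run, mirroring the dashboard panels."""
    by_port, sources = Counter(), Counter()
    usernames, passwords, commands = Counter(), Counter(), Counter()
    successes = 0
    for event in events:
        kind = event.get("eventid")
        if kind == "cowrie.session.connect":
            by_port[event.get("dst_port")] += 1
            sources[event.get("src_ip")] += 1
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            usernames[event.get("username")] += 1
            passwords[event.get("password")] += 1
            if kind == "cowrie.login.success":
                successes += 1
        elif kind == "cowrie.command.input":
            commands[event.get("input")] += 1
    return {"by_port": by_port, "sources": sources, "usernames": usernames,
            "passwords": passwords, "commands": commands, "successes": successes}


def port_share(by_port):
    """Percentage of connections per destination port, as in Figure 24."""
    total = sum(by_port.values())
    if not total:
        return {}
    return {port: round(100.0 * n / total, 1) for port, n in by_port.items()}


if __name__ == "__main__":
    stats = summarize(load_events(SAMPLE_LOG))
    print("connections per port (%):", port_share(stats["by_port"]))
    print("top usernames:", stats["usernames"].most_common(3))
    print("top passwords:", stats["passwords"].most_common(3))
    print("top sources:", stats["sources"].most_common(3))
    print("successful logins:", stats["successes"], "commands:", dict(stats["commands"]))
```

On a running system, feed the script the contents of Cowrie's JSON log file instead of SAMPLE_LOG. Counting cowrie.session.connect events per dst_port separates SSH (22) from Telnet (23) the same way Figure 24 does, and the commands counter shows what the threat actor did after a successful login, which is the interaction the shadow-file demonstration in section 3.3 relies on.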
5 Discussion
The purpose of this section is to compare the two honeypot systems used in this work and analyse their limitations. Furthermore, future research considerations are proposed.
5.1 Comparison
Based on the amount of data collected from the two honeypot systems, it can be stated that T-Pot produced a greater amount of data than DShield, for several reasons. Firstly, T-Pot had fifteen ports open with nine services running, whilst DShield was limited to three ports and three services. Naturally, having more services running enables one to gather a higher volume of data. Secondly, there was a difference in the visualization of the collected data. The graphs provided by DShield were plain, lacked versatility, and could have exhibited more data. T-Pot, on the other hand, not only displayed data such as source IP addresses, country of origin or passwords used in the attacks on the various honeypot services, but also provided tables and allowed further inspection and analysis of the data. Lastly, comparing the installation needs of the two honeypot systems, DShield required rudimentary hardware and fewer installation steps, whereas T-Pot needed a complex setup to get the range of services running and demanded more capable hardware.
5.2 Limitations
A few factors limited this thesis. Time was one of them, as the honeypots could have run for a longer period. This might have provided a wider variety of collected data and drawn more threat actors.
Another limitation was that more ports could have been opened for the T-Pot system to monitor. If all the ports had been opened, the thesis would have become too long and exceeded the page limit. However, having these ports open would possibly have provided different forms of data. Moreover, finding current documentation for honeypot systems was challenging, because several of them are deprecated or no longer maintained, which makes them insecure, unavailable, or impossible to set up.
5.3 Future research considerations
As for the future, I would firstly experiment with other types of honeypots or honeypot systems to gain a broader picture of what data can be collected. Secondly, I would consider different placements of honeypots in a network, which would allow insight into the behaviour of threat actors in different environments. Thirdly, testing honeypots on virtual machines on a network rather than on dedicated hardware could be one future research consideration, as this could limit costs and possibly reduce setup and build needs. Lastly, by using virtual machines, the deployment of a honeynet, a network of honeypots, would become effortless.
6 Conclusion
The purpose of this thesis was to use honeypots as a means of sensitizing awareness of cybersecurity concerns over a network. Firstly, reviewing the history and current state of cybersecurity provided insight into the importance of securing networks, systems, and devices. By understanding the dangers of cyber threats, tools can be used and developed to prevent and counter them. A honeypot is an example of a valuable tool for detecting and understanding cyber threats. Honeypot systems are an efficient and informative tool, not only for collecting threat actor data and attack tactics, but also for acting as an intrusion detection system. The versatile nature of honeypots makes them customizable for different uses, purposes, and environments. However, honeypots have certain disadvantages which should be taken into consideration when they are deployed.
Secondly, this thesis provides a methodology for how the two honeypot systems used in this work were installed, set up, and deployed. These two honeypot systems were DShield, a low-interaction honeypot, and T-Pot, a system of honeypot services with varying degrees of interaction. Furthermore, a demonstration of how a threat actor would approach these systems was provided.
Thirdly, an analysis of the results collected by the two honeypot systems was conducted. Viewing the various data types gave insight into the kinds of threats targeted at a network. Lastly, a comparison of the two honeypot systems, the limitations of this work, and suggestions for future research were discussed. It was seen that the T-Pot honeypot system provided more valuable data than the DShield system.
This thesis shows how honeypots can be easily deployed into any network and how they can provide valuable data that builds awareness of cybersecurity threats facing private and organizational networks.
References
1 Sutton, David. 2017. Cybersecurity: A Practitioner's Guide. Swindon: BCS Learning & Development Ltd.
2 Khalil, George. 2014. Password Security – Thirty-Five Years Later. SANS Institute. URL: https://www.sans.org/reading-room/whitepapers/basics/password-security-thirty-five-years-35592. Accessed 27 February 2021.
3 Chadd, Katie. 2020. The History of Cybersecurity. Avast. URL: https://blog.avast.com/history-of-cybersecurity-avast. Accessed 28 February 2021.
4 Featherly, Kevin. 23 March 2021. ARPANET. Encyclopedia Britannica. URL: https://www.britannica.com/topic/ARPANET. Accessed 28 February 2021.
5 Murphey, Dakota. 27 June 2019. A History of Information Security. IFSEC Global. URL: https://www.ifsecglobal.com/cyber-security/a-history-of-information-security/. Accessed 26 February 2021.
6 Core War: Creeper & Reaper. URL: https://corewar.co.uk/creeper.htm. Accessed 19 March 20.
7 Steinberg, Joseph. 2019. Cybersecurity for Dummies. Indianapolis: John Wiley and Sons.
8 Spitzner, Lance. 2002. Honeypots: Tracking Hackers. Boston: Addison-Wesley Professional.
9 Gurinaviciute, Juta. 3 February 2021. 5 Biggest Cybersecurity Threats: "How Hackers Utilize Remote Work and Human Error to Steal Corporate Data". URL: https://www.securitymagazine.com/articles/94506-5-biggest-cybersecurity-threats. Accessed 1 March 2021.
10 McDonough, Bart. January 2019. Cyber Smart: Five Habits to Protect Your Family, Money and Identity from Cyber Criminals. Indianapolis: John Wiley & Sons, Inc.
11 Göbel, Jan Gerrit; Dewald, Andreas. 2011. Client-Honeypots: Exploring Malicious Websites. München: Oldenbourg.
12 Mohammed, Mohssen; Rehman, Habib-ur. 2015. Honeypots and Routers. New York: Auerbach Publications.
13 Holz, Thorsten; Provos, Niels. 2007. Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley Professional.
14 Spasojevic, Branko; Linn, Ryan; Sims, Stephen; Regalado, Daniel; Harris, Shon; Ness, Jonathan; Eagle, Chris; Harper, Allen. 2018. Gray Hat Hacking: The Ethical Hacker's Handbook, 5th Edition. McGraw-Hill.
15 Livshitz, Igor. 3 January 2019. What's the Difference Between a High Interaction Honeypot and a Low Interaction Honeypot? Guardicore. URL: https://www.guardicore.com/blog/high-interaction-honeypot-versus-low-interaction-honeypot-comparison/. Accessed 1 March 2021.
16 Unknown writer. URL: https://isc.sans.edu/honeypot.html. Accessed 27 February 2021.
17 1 November 2007. Honeyclients Bring New Twist to Honeypots. SearchSecurity. URL: https://searchsecurity.techtarget.com/magazineContent/Honeyclients-bring-new-twist-to-honeypots. Accessed 6 March 2021.
18 McManus, Sean; Cook, Mike. 2017. Raspberry Pi for Dummies. New Jersey: John Wiley & Sons, Inc.
19 Bidwell, Jonni. December 2020. Hackers Manual: DShield Pi honeypot. Linux Magazine.
20 Unknown writer. URL: https://dshield.org/honeypot.html. Accessed 27 February 2021.
21 20 August 2020. Telekom Security. URL: https://github.security.telekom.com/2020/08/honeypot-tpot-20.06-released.html#firstrun. Accessed 3 March 2021.
22 Cirlig, Gabriel. 9 November 2019. ADBHoney. GitHub: https://github.com/huuck/ADBHoney. Accessed 4 March 2021.
23 Bontchev, Vesselin. 19 August 2020. Honeypot for CVE-2019-19781 (Citrix ADC). GitHub: https://github.com/bontchev/CitrixHoneypot. Accessed 4 March 2021.
24 Oosterhof, Michel. 2018. "Welcome to Cowrie's documentation!". URL: https://cowrie.readthedocs.io/en/latest/index.html. Accessed 4 March 2021.
25 27 December 2020. dionaea Documentation. URL: https://readthedocs.org/projects/dionaea/downloads/pdf/latest/. Accessed 4 March 2021.
26 Vestergaard, Johnny. 27 December 2020. Heralding. GitHub: https://github.com/johnnykv/heralding. Accessed 4 March 2021.
27 Gallo, Martin. 2021. HoneySAP: SAP Low-interaction honeypot. SecureAuth Corporation. GitHub: https://github.com/SecureAuthCorp/HoneySAP. Accessed 4 March 2021.
28 Awhitehatter. 2021. Mailoney. GitHub: https://github.com/awhitehatter/mailoney. Accessed 4 March 2021.
29 Peyrefitte, Sylvain. 10 April 2020. RDPY PyPI version. GitHub: https://github.com/citronneur/rdpy. Accessed 4 March 2021.
30 Rist, Lukas; Vestergaard, Johnny; Haslinger, Daniel. 2020. Snare. URL: http://mushmush.org/. Accessed 5 March 2021.
31 Tsikerdekis, Michail; Zeadally, Sherali; Schlesener, Amy; Sklavos, Nicolas. Approaches for Preventing Honeypot Detection and Compromise. The Institute of Electrical and Electronics Engineers, Inc. (IEEE). URL: https://www.researchgate.net/publication/328430317_Approaches_for_Preventing_Honeypot_Detection_and_Compromise. Accessed 15 March 2021.
32 Chismon, David. Hunting with Honeypots. F-Secure. URL: https://www.f-secure.com/en/consulting/our-thinking/hunting-with-honeypots. Accessed 17 March 2021.