RE: Thinking out loud: On the value of honeynets, trojans, botnets, etc.

["StyleWar" <stylewar () cox net>]

If you have the ability to install them, and the time to manage them, or
want to use them as a training tool for detection and response personnel...I
think they're still useful.

A while back I was (relatively speaking to my peers anyways) of the opinion
that honeynets were ultimately a waste of time because they generated more
false positives, and pseudopositives (positives you can do nothing about)
than they did positive positives (ya man ... thats the good stuff). 

I've since modified my opinion slightly. Whether it's the user interaction
branch of the threat tree or otherwise, the threat agent is rare that can
cherry pick. For those threat agents that *can* cherry pick, honey nets may
be relatively useless... But I would challenge the assumption that trojans
are more predominantly spread through unwitting install, rather than some
other method, and suggest that they (honenets) still have value as tripwires
along the path to the goodies...

And I think "Iskorpitx" would probably agree with me....that is, if they
woulda had some honeynets to help catch his Turkish a$$.

-

StyleWar

"There are 3 kinds of people: Those who MAKE things
happen, those who WATCH things happen, and those who
wonder 'WHAT HAPPENED?'" 

> -----Original Message-----
> From: funsec-bounces () linuxbox org 
> [mailto:funsec-bounces () linuxbox org] On Behalf Of Fergie
> Sent: Sunday, June 04, 2006 8:54 PM
> To: robert () servalens com
> Cc: funsec () linuxbox org
> Subject: Re: [funsec] Thinking out loud: On the value of 
> honeynets, trojans, botnets, etc.
>
> The user-interaction angle in the one that I'm really talking 
> anout here.
>
> Bots generally "spread" one of two ways: Either by actively 
> infecting via scanning and infecting an unpatched OS flaw (e.g.
> the MS05-039 PnP vulnerrability/exploit), or via a user 
> clicking on a dirty link & unwittingly installing the code 
> (or a backdoor downloader which, in turn, can install the bot 
> code itself).
>
> The latter, I think, is what we are seeing much more of these 
> days, and to that end, I'm not really seeing that a honeynet 
> is of much utility in that regard.
>
> Would love to hear opinions on this, however. :-)
>
> Cheers,
>
> - ferg
>
>
> -- Robert <robert () servalens com> wrote:
> Ferg,
>
> Sorry bout that. I thought I at least nicked it.
> I would argue that the user activation part be automated from 
> a honeyclient.
> And yes I agree about droppers, life boats, etc. When I 
> deploy honeyclients its on a fully instrumented network.
> So the dropper behavior can be picked up using:
> squid logs
> iptables traffic logs,
> pcaps
> windows firewall connection logging
> filesystem integrity checking
> etc,etc
>
> I'm a fan of correlating all the available information to get 
> a picture of whats going on.
> I also think that a full OS is needed to get the 
> secondary/tertiary events. Something like norman sandbox 
> could provide the address the dropper might connect to, but I 
> think you gotta let the program run and see what happens to 
> get the full info.
>
> Everything above could be accomplished in a honeypot scenario 
> unless techniques break out along vector lines which I think 
> is happening.
> Closer this time?
>
> Robert
>
> Fergie wrote:
>
> > Robert,
> >
> > That's great, but you really didn't adress my question(s). :-)
> >
> > - ferg
> >
> >
> > -- Robert <robert () servalens com> wrote:
> > Ferg,
> >
> > One outcropping of honeypots that I think helps address some 
> of these 
> > new vectors is client-side honeypots aka honeymonkies or 
> honeyclients.
> > <shameless plug>I'm presenting on honeyclients at SANSFIRE 
> '06 in DC in 
> > July</plug> and Microsoft and Mitre have been doing a lot of work in 
> > this area.
> > I guess I would also throw spyware crawlers in there too. 
> Which don't 
> > necessarily act as honeypots and get infected/compromised, 
> but they do 
> > offer the ability to harvest some malware and characterize websites. 
> > Dan Hubbard at Websense has done great work in this area too.
> >
> > I was running a honeyclient project at StillSecure and I agree a big 
> > element (and one hard to automate and factor in) is the end-user 
> > behavior. I think a lot of studies so far have not taken 
> into account 
> > how many people get duped (fake anti-spyware alerts, etc). In my 
> > project I have a great time clicking OK on any popup that 
> arose (very 
> > liberating). But automation methods are needed in honeyclients to 
> > automate the UI. Otherwise crawlers miss the rich malicious content.
> >
> > I'm a big believer in this area if anyone is interested in 
> discussing 
> > any of it. I had a full implementation in PERL that I was trying to 
> > GPL, but lost control of when I left StillSecure. I believe 
> Mitre will 
> > be releasing a GPL honeyclient (not the honeyclient.org one) 
> before too long.
> > Cheers,
> >
> > Robert
> >
> > Fergie wrote:
> >
> >  
> >
> > > Just tossing some thoughts around earlier this evening.
> > >
> > > Would appreciate some feedback.
> > >
> > > How valuable, would you say, are honeynets now that most 
> > > malware/crimeware seems to trojan downloader backdoor droppers that 
> > > are "dropped" due to user activation (e.g. clicking on a link in an 
> > > e-card), as opposed to trojan backdoors that are dropped via an OS 
> > > exploit?
> > >
> > > Think about that for a moment.
> > >
> > > Serious feedback appreciated,
> > >
> > > - ferg
> > >
> > > p.s. This is _not_ to question the value of honeynets, per se, but 
> > > more appropriately, to examine methodology in a broader 
> context given 
> > > the change in attack vector(s).
> > >
> > > --
> > > "Fergie", a.k.a. Paul Ferguson
> > > Engineering Architecture for the Internet fergdawg () netzero net or 
> > > fergdawg () sbcglobal net ferg's tech blog: 
> http://fergdawg.blogspot.com/
> > >    
>
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.