First Honey Pot

Juan
10 min read · May 18, 2022


For this project I set up a honey pot. According to our workshop on honey pots, honey pots are “systems designed to appear to attackers as lucrative targets due to the services they run, vulnerabilities they contain, or sensitive information that they appear to host. The reality is that honeypots are designed to falsely appear vulnerable and fool attackers into attempting an attack against them”. Honey pots are intentionally easy targets for attackers because they are traps. We want attackers to fall for our honey pots and mistake them for valuable targets.

Why would we make easy targets for attackers? Our workshop also explains “when an attacker tries to compromise a honeypot, the honeypot simulates a successful attack and then monitors the attacker’s activity to learn more about their intentions. Information gathered on attackers can then be used to feed network blacklists, and shared with other security organizations.” This is a great way to see attack trends. Once we know what attackers are doing, and how they are doing it we can attempt to protect against those attacks. We can also blacklist known attackers. It is also a great way to gather intelligence and share it with others we trust.

In 24 hours I had 38,827 attacks on my honey pot.

100% of attackers caught in my honey pot were known attackers. If I saw this at my own company I would block these attackers, also known as blacklisting them. If I had the opportunity to block all the known attackers, I would like to see how many attacks happen in the next 24 hours. I had to keep in mind, though, that my honey pot had to appear as an easy target in order to get some data on attacks and trends.

99% were attacks on port 22, ssh. What is ssh, and why is it used for attacks?

What is ssh? Ssh stands for Secure Shell. It gives users a secure way to access a computer over an insecure network. Nowadays you have more and more businesses and employees working remotely. Businesses can use ssh to allow remote employees to securely access network systems that are located somewhere else. Theoretically, if I live in New York City and my company is in San Francisco, I should be able to log in to my company’s network using ssh. This login should authenticate who I am, encrypt my traffic as it crosses the internet, and allow me to interact with my company’s network. Once I access the network, I should be able to execute commands or create files, if I have the proper permissions to do so.

You may now be able to see how attackers use ssh to cause mayhem on networks. Attackers can attempt to gain access to our network remotely by using ssh. If they successfully enter our network, there are several things they can do. They can attempt to escalate privileges so they can become root users. This would mean as root users they have unrestricted access to the system. Attackers can also look at files that may be classified. There are several malicious things an attacker can do once they are on our network. As a security professional, the same way we do not want unwanted guests or trespassers in our physical space, we do not want trespassers in our cyberspace.

So how do attackers gain access to our ssh? It usually starts with a port scan. The port for ssh is port 22. This is basically attackers looking for open doors or weak points in your network. To compare it to a physical attack, it is like someone looking for a hole in your gate or an open, unlocked door or window to enter your home or building.

What happens if an attacker finds port 22 open on your network? Ssh is usually password protected. You use a username and a password to authenticate who you are so you can gain access. It is the equivalent of scanning your ID at a turnstile in the lobby of your building, scanning your ID to enter your office space on the correct floor, or inserting your debit card in the ATM and entering your PIN. Attackers will attempt to guess your username and password. The two common ways attackers guess are dictionary attacks and brute force attacks.

A dictionary attack is attempting to guess your password by using common words, phrases, or obvious passwords. For example, if I am using a dictionary attack to gain access to your Facebook account, a password I would guess is “facebook123” or different variations of the words “facebook” or “social media”. This would be the equivalent of me guessing your birthday or a family member’s birthday as your ATM PIN.

A brute force attack is trying every possible password you could have. It uses software to run through every combination of letters and numbers until the password is guessed. This takes an extremely long time for long passwords and is only practical against short ones. So if I was using a brute force attack to guess your ATM PIN, I would start off by guessing 0000, then 0001, followed by 0002, until I got the right PIN.

When attackers tried to gain access to my ssh these are the usernames and passwords they guessed.

Looking at the attacks on my password, it was interesting to see all the frequently used passwords and what people were guessing. On the list I saw 2 passwords I have used in the past. How do you defend against these password attacks? Long, complicated passwords that are not easy to guess: a combination of letters, numbers and special characters. It doesn’t make the password impossible to guess, just more difficult. Hopefully this level of difficulty makes the attacker move on to the next target. I say use over 10 characters and mix in numbers and special characters as well. Do not use something easy or predictable; examples are P@ssw0rd or P@55w0rd. Those actually showed up on the list of passwords attackers guessed or attempted to use to get in. Instead try something like Ihate38Ha389kers$, something that is not predictable and seems random. Do not use words or phrases related to the platform you are using. For example, if you have a password for your Chipotle app, do not use “burrito”, “chipotle”, “food” or “texmex” as your password.
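The kind of tally the post walks through (total attempts, the share on port 22, the most-guessed passwords and usernames, the busiest source IPs, and whether a password of your own shows up in what attackers tried) can be computed from the honey pot's login log. The block below is an added example, not code from the post or from any honey pot project; the JSON-lines log format and the sample events are constructed, and the source addresses are documentation ranges rather than real attackers.

```python
import json
from collections import Counter

# Constructed sample of honeypot login events (not the author's real data):
# one JSON object per line, in the style of an SSH honeypot's auth log.
SAMPLE_LOG = """
{"src_ip": "203.0.113.9", "dest_port": 22, "username": "root", "password": "P@ssw0rd", "success": false}
{"src_ip": "203.0.113.9", "dest_port": 22, "username": "root", "password": "123456", "success": false}
{"src_ip": "203.0.113.7", "dest_port": 22, "username": "admin", "password": "P@55w0rd", "success": false}
{"src_ip": "203.0.113.7", "dest_port": 22, "username": "root", "password": "P@ssw0rd", "success": false}
{"src_ip": "198.51.100.42", "dest_port": 23, "username": "admin", "password": "admin", "success": false}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of dicts, skipping blank or garbled lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # honeypot logs can contain partial lines; ignore them
    return events


def summarize(events):
    """Return the numbers the post reports: total, port 22 share, top guesses, top sources."""
    total = len(events)
    on_22 = sum(1 for e in events if e.get("dest_port") == 22)
    return {
        "total": total,
        "ssh_share": round(100 * on_22 / total, 1) if total else 0.0,
        "top_passwords": Counter(e["password"] for e in events).most_common(3),
        "top_usernames": Counter(e["username"] for e in events).most_common(3),
        "top_sources": Counter(e["src_ip"] for e in events).most_common(3),
    }


def password_was_guessed(events, candidate):
    """True if attackers tried `candidate` verbatim (case-sensitive) against the honeypot."""
    return any(e.get("password") == candidate for e in events)


def blocklist(events, min_attempts=2):
    """Source IPs with at least `min_attempts` failed logins: the known attackers to block."""
    failed = Counter(e["src_ip"] for e in events if not e.get("success"))
    return sorted(ip for ip, n in failed.items() if n >= min_attempts)
```

Run `summarize(parse_events(SAMPLE_LOG))` on a real log export to get the same breakdown the post discusses; `blocklist` gives the address list for the next phase the post describes, blocking known attackers.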

Use different passwords for different accounts. If someone gains access to one of your bank accounts, or debit card pins by guessing your password/pin, you don’t want them to gain access to all your financial platforms or debit cards. Having different passwords and pins can limit the amount of damage done by an attack if they were to get your password.

My last piece of advice is to use two step or multi factor authentication. This is just an added layer of security; even though it takes an extra 30 seconds to log in, it is worth it. Once you enter your password, multi factor authentication will use a different method in addition to your password to verify who you are. This might be sending a PIN to your phone number. So now an attacker has to guess the password to your account, steal your phone, and know the PIN to your phone in order to see the one time PIN for multi factor authentication. The chances of all of this happening are slim. This just makes it harder for attackers.

Below I have attached a link to an article that explains how attackers were able to gain access to ssh, change root users passwords and then upload code to encrypt all the data on the network. Once the data is encrypted the attacker usually asks for a ransom in order to give the data back to the victim. This kind of attack is known as ransomware.

Attack dwell times drop, ransomware TTPs evolve, China ramps up espionage activity

The next thing that I analyzed was “Attack by country”. I thought to myself, is this data accurate, and is this even relevant? The reason I asked myself these questions is because when I was setting up my honey pot I was able to make my server appear to be in almost any country in the world. I actually decided to use servers that were located over 2000 miles away from my current location. I used open source intelligence to see if I could find any trends that would match my data. I was specifically looking for cyber attacks from Japan. I could not find much news or many forums that could verify whether a great number of cyber attacks are coming from Japan. I also thought to myself, can I trust these statistics? With cloud services and VPNs, I can be working in one country and make it appear like I am in another. It is very common and easy to spoof your location in this day and age. My final thought when I was looking at this data was: does location even matter? My answer was no. Why should it matter if someone is attacking my network from across the world, across the country or across the street? My job is to protect my network from all threats regardless of where in the world they originate from. The location of my attacker may be important if I want to report the attack and take legal action against my attacker. If the attacker is a foreign national then I would have to get the government involved. But in the meantime I should be learning attack trends, focusing on how to prevent the attacks, how to respond to attacks and how to minimize the damage.

Top attacker was from Digital Ocean LLC, what is it? Why is it used this way?

Digital Ocean LLC is a cloud service that provides infrastructure as a service (IaaS). They give you the hardware needed to start your service. They provide you with CPU, memory and a network connection. You can even encrypt your data. Although the data is hosted on a third party cloud server, you can encrypt it so no one at the company can actually see your data. Other popular IaaS providers are Amazon Web Services, Google Compute Engine, and Oracle.

I was able to use AWS and set up a honey pot in minutes. My adversaries seem to be doing the same thing to run attacks, or to spoof their location while they run attacks, by using Digital Ocean. They may be able to hide what they are doing from Digital Ocean by encrypting their data. Digital Ocean seems to have a bad reputation when you look them up online. They are a well known IaaS provider that attackers use. It is not hard to find a lot of complaints about Digital Ocean. People complain about the same IP addresses that are hosted on their servers. These IP addresses are used many times to attack systems worldwide. Is Digital Ocean turning a blind eye just so they can make more revenue? Or is it in the name of keeping their clients’ data protected and private? What are your thoughts?

The IP address that attacked my honey pot the most was 206.189.205.93. This is a known attacker and a known IP address associated with Digital Ocean. Below you can see some complaints about this IP address.

What is the “cat /proc/cpuinfo” command? This command displays what type of processor the system is running. The “| grep model | grep name” part filters that output down to the lines containing the model name of the processor. The final part of the command is “| wc -l”. This counts the lines that survive the filters, which on Linux is the number of processor cores. This is a common command because attackers are trying to learn about the system they are attempting to compromise. If they can learn about the system, there may be a known vulnerability in it that makes it easier for the attacker to accomplish their goal.

Summary:

In summary, I set up a honey pot for 24 hours. The honey pot was intentionally made easy to attack so I could gather information on attackers. With the information I gathered I can learn about attacker trends and what I need to do to protect against these attacks. This was just a brief overview of the data that stuck out to me after the first 24 hours. For the next phase of my project I plan to block known attackers. I want to see where other attacks are coming from and what other IP addresses are being used to conduct attacks. During each phase of this project I will learn from attack trends and make my honey pot less vulnerable. I would like to learn whether the security measures I take are effective. This will be a continuing project and I am looking forward to sharing the things that I learn with you. Please feel free to share your experiences and thoughts. Thank you!
