The document discusses using honeypots for network security analysis. It begins with background on honeypots, explaining that they are decoy systems meant to attract cyber attacks. The document then discusses threat intelligence gathered from a honeypot including unique source IPs, attacked ports, downloaded scripts and their origins, and affected internal IPs. It notes the top devices targeted were outdated routers and IP cameras. The document concludes with discussing internal analysis and challenges convincing a client they have an issue after honeypot alerts.

1. Having Honeypot for Better Network Security Analysis
A journey with APNIC honeypot
A. S. M. Shamim Reza
Link3 Technologies Limited
shamimreza@link3.net

2. Today's talk
Background history and challenges
What is this honey things ?
Threat Intel??
Use-cases !!!

3. Honeypot – what is it?
“a honeypot It's a sacrificial computer system that's intended to attract cyber-
attack, like a decoy. It mimics a target for hackers, and uses their intrusion
attempts to gain information about cyber-criminals and the way they are
operating or to distract them from other targets. “
– Kaspersky LAB

4. Honeypot – what is it?
“a honeypot It's a sacrificial computer system that's intended to attract cyber-
attack, like a decoy. It mimics a target for hackers, and uses their intrusion
attempts to gain information about cyber-criminals and the way they are
operating or to distract them from other targets. “
– Kaspersky LAB
Honeypots are classified as:
– Low level interaction
– Mid interaction honeypot
– High interaction honeypot
“Cowrie is a medium to high interaction SSH and Telnet honeypot designed to
log brute force attacks and the shell interaction performed by the
attacker.”
– Michel Oosterhof.

5. Background history
– The idea of honeypots began in 1989 with a
Publication “The Cuckoo’s Egg” by Clifford Stoll.
– First ever Honeypot was released in 1997, called
the Deceptive Toolkit.
– In 1998 the first commercial honeypot came out,
called Cybercop Sting.

6. Background history
– The idea of honeypots began in 1989 with a Publication “The Cuckoo’s Egg”
by Clifford Stoll.
– First ever Honeypot was released in 1997, called the Deceptive Toolkit.
– In 1998 the first commercial honeypot came out, called Cybercop Sting.
– For me it started, interest, at bdNOG1, 2014
– Planned to host it at Link3 in APRICOT 25, 2020.
– Influenced by Adli Wahid, Senior Internet Security Specialist, APNIC
Link3 has hosted APNIC Honeypot, as a part of on going project “SOC”.

7. Honeypot – Question to ASK !!!
Motivations
• What is the primary purpose of the honeypot?
• What are you trying to protect?
• Are you interested in any attacks, or just ones that could be successful?
• Are you interested in learning how the hacker or malware was initially successful?
• Are you interested in identifying the hacker or origination point of the malware?
• Are you interested in what the hacker or malware did (or wanted to do) after the initial exploit
gained entrance to the honeypot?
• Are you interested in what tools, techniques, or tactics were used?
Based on this brainstorming, you can decide which sort of honeypot you are gonna work with.
*** Honeypot Data Analysis. In: Honeypots for Windows. - Roger A. Grimes

8. Honeypot – how is it being useful
By Analyzing the traffic towards the Honeypot will help to get
– where the cyber-criminals are coming from
– the level of threat
– what are the methods they are using
– what data or applications they are interested in
– how well your security measures are working to stop cyber-attack
Who Host Honeypot ?
– large organization
– Security researcher

9. 16,312 4 57
Unique Source IP Adversary script Unique Internal IPs

10. Threat Intel ?
SSH – 22 Telnet – 23
98.12% 1.88%

11. Threat Intel ?
Those URLs ?? hxxp://1.2.3.4/bot.x86_64
– Reported as C2C server.
– Since June 2020

12. Threat Intel ?
Those URLs ?? hxxp://1.2.3.4/bot.x86_64
– I need to know the detail of these files, so I have taken it to hybrid analysis.
And The Kaspersky LAB says - “Usually malware of this family is used to perform DDoS attacks.”

13. Threat Intel ?
Those URLs ??
hxxp://2.3.4.5/div
Hxxp://2.3.4.5/miner.sh
These TWO script was downloaded by an outsider IP – 213.202.233.171
Open Ports – 22 80 443

14. Threat Intel ?
Those URLs ??
hxxp://2.3.4.5/div
Hxxp://2.3.4.5/miner.sh
These TWO script was downloaded by an outsider IP – 213.202.233.171
First Report – 18 August 2020
Last report – 25 August 2020
– Mostly Scan for SSH port
– patterns show they are looking for Honeypots.

15. Threat Intel ?
Those URLs ??
hxxp://2.3.4.5/div
Hxxp://2.3.4.5/miner.sh
These TWO script was downloaded by an outsider IP – 213.202.233.171

16. Threat Intel ?
Those URLs ??
hxxp://2.3.4.5/div
Hxxp://2.3.4.5/miner.sh

17. Threat Intel ?
Those URLs ??
hxxp://2.3.4.5/div
Hxxp://2.3.4.5/miner.sh

18. Threat Intel ?
Those URLs ??
hxxp://2.3.4.5/div
Hxxp://2.3.4.5/miner.sh
This IP from USA serves the scripts,
and the script download another 10 scripts
from Canada.

19. Threat Intel ?
Few things to remember while
working with Honeypot or similar.
1. All those script check was performed
in a strict LAB environment.
2. NMAP scan and web-URL check
was followed the same procedure (as 1).
3. If you do not take proper precautions,
things might get worse and make you the
victim accidentally

20. What about the internals !!!
What I do, when I got any notifications at slack
– Run nmap scan to get the port/service info of the device, associated with the IP.
– Search for the DNS query history for the respective IPs.
– Search for the type of the client in to our Client-Database.
– Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly.
– Analyze the data, and try to find out the story behind it.
– Recommend some best practices to the respective clients accordingly.

21. What about the internals !!!
What I do, when I got any notifications at slack
– Run nmap scan to get the port/service info of the device, associated with the IP.
– Search for the DNS query history for the respective IPs.
– Search for the type of the client in to our Client-Database.
– Tricky part is to convince the client, so that I can get NetFlow or Packet-Capture accordingly.
– Analyze the data, and try to find out the story behind it.
– Recommend some best practices to the respective clients accordingly.
Devices that are related to those 57 IPs
So let us watch a story on the next few slides
Device Name Version %
Mikrotik Router < 6.46.6 92%
Zyxel Router Backdated firmware 2.1%
DVR System Backdated firmware 4.2%
Netgear Router Backdated firmware 1.78%

22. What about the internals !!! one CCIE got it covered?
– Slack gives me an alert, and I let my CS team knew to work on that particular client.
– 2 days later I got alert for the same IP, me again knock my CS team to work on it.
– 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ?
– they replied, on second day client IT concern replied

23. What about the internals !!! one CCIE got it covered?
– Slack gives me an alert, and I let my CS team knew to work on that particular client.
– 2 days later I got alert for the same IP, me again knock my CS team to work on it.
– 1 day later, I got the alert again; and then I asked our CS team whether they have worked on it or not ?
– they replied, on second day client IT concern replied “i am a CCIE, I know what is happening
in my network, you guys dont have to bother me again & again”
So the challenge begins for me → → →
[192.168.0.133 ← Faked the User’s IP for demonstration purpose]

24. What about the internals !!! what I was doing ?
So before going to him.
– Run nmap scan, and got this info →→→→→→→→

25. What about the internals !!! what I was doing ?
So before going to him.
– Run nmap scan, and got this info →→→→→→→→
– At the same time, I have set a logic at
my NetFlow server to give me associated info.
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1
2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1
2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1
2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1
2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1
2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1
2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1
2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1
2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1
2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1
2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1
2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s

26. What about the internals !!! what I was doing ?
So before going to him.
– Run nmap scan, and got this info →→→→→→→→
– At the same time, I have set a logic at
my NetFlow server to give me associated info.
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2020-07-01 00:05:04.760 3.168 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 413 615089 130 1.6 M 1489 1
2020-07-01 00:05:05.754 1.504 TCP 192.168.0.133:80 -> 185.220.103.9:60310 ...AP..F 0 83 122394 55 651031 1474 1
2020-07-01 00:05:05.775 2.784 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 62 88548 22 254448 1428 1
2020-07-01 00:05:05.766 3.200 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...A.... 0 205 307500 64 768750 1500 1
2020-07-01 00:05:05.759 0.000 GRE 192.168.0.133:0 -> 103.92.153.42:0 ........ 0 1 28 0 0 28 1
2020-07-01 00:05:05.764 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 25 33531 9 99794 1341 1
2020-07-01 00:05:07.757 2.656 TCP 192.168.0.133:80 -> 185.220.103.9:35334 ...AP... 0 145 212395 54 639743 1464 1
2020-07-01 00:05:07.757 3.008 TCP 192.168.0.133:80 -> 185.220.103.9:60268 ...AP... 0 271 403745 90 1.1 M 1489 1
2020-07-01 00:05:08.764 2.592 TCP 192.168.0.133:80 -> 185.220.103.9:60264 ...AP... 0 98 142399 37 439503 1453 1
2020-07-01 00:05:08.775 2.688 TCP 192.168.0.133:80 -> 185.220.103.9:60312 ...AP... 0 37 52879 13 157377 1429 1
2020-07-01 00:05:08.762 2.080 TCP 192.168.0.133:80 -> 185.220.103.9:60266 ...AP..F 0 174 258552 83 994430 1485 1
2020-07-01 00:05:09.778 3.104 TCP 192.168.0.133:80 -> 185.220.103.9:59778 ...AP... 0 213 317835 68 819162 1492 1s
Noticed
something

27. What about the internals !!! what I was doing ?
– Searched the IP at AbuseDB and Other Places.
– and the reputation was not good; actually it was
worse

28. What about the internals !!! what I was doing ?
So I have got what I need, to talk to him.
– the conversation was like … …. …
… … … … … … …
… .. .. .. .. .. .. ..
– I finally managed to convince him that, he is not responsible for
anything, rather there is something bad is happening and I am here
to help only.
– but I didnt get any Netflow or Packet-Capture data from him. SO
me only have options to monitor the activities of that IP.

29. What about the internals !!! what I was doing ?
So I have got what I need, to talk to him.
– the conversation was like … …. …
… … … … … … …
… .. .. .. .. .. .. ..
– I finally managed to convince him that, he is not responsible for
anything, rather there is something bad is happening and I am here
to help only.
– but I didnt get any Netflow or Packet-Capture data from him. SO
me only have options to monitor the activities of that IP.
Update: since September 2020 I dont get any hit from that IP.

30. SO the benefits of having APNIC Honeypot in place
– Before having APNIC honepot in place, we didn't have any direct info of which IP or its
internal LAN is compromised.
– Though Cowrie is for only ssh & telnet service, but still the logs gives some meaning full
info to study on. And we are planning to host some other honeypot aswell.
– Since 2013/2014 we have been maintaining security policy strictly, which are fine tuned on a
regular basis.
– Hosting APNIC honeypot is a low cost solution.
– Info-graphic dashboard gives a greater view, like - which region is performing most of the
attack.

31. “There are known knowns, things we know that we know;
and there are known unknowns, things that we know we
don't know. But there are also unknown unknowns, things
we do not know we don't know.”
Donald Rumsfeld, Known and Unknown: A Memoir
‘‘
‘‘

32. Thank You
for your attention
shamimrezasohag
Contact with Me | asmshamimreza
sohag.shamim