Agile, low-cost honeypot deployment with SmartHive
SmartHive is a project whose main goal is to simplify the creation of low-cost honeypot networks, through a platform that covers the management and agile deployment of honeypots on the Internet and the exploitation of the information they gather.
The project was born at the CyberCamp 2015 security event, thanks to the Hackathon organised by INCIBE and, above all, to the brave team who never hesitated to take part: Gonzalo de la Torre, Emilio J. Grande, Francisco J. Rodríguez and the author of these lines.
A little over a month ago we brought you a Chronicle of the Hackathon at CyberCamp 2015; however, we barely dwelt on SmartHive there, since we were saving a dedicated article for it.
In this article we cover every detail of SmartHive: its motivation, its contribution as a project, its architecture and, finally, a demo of how it works.
Motivation for agile honeypot deployment
Our organisation may need to deploy honeypots to gather information on attackers and improve its detection systems, or, on a personal level, we may simply be curious about how they work and what kind of information we can collect.
In either case, deploying and managing honeypots at scale is known to be a hard and costly job, mainly for several reasons:
- Few honeypot solutions are packaged, which makes installing them difficult.
- Each honeypot has to be configured individually, in particular the forwarding of everything it collects to a central server that aggregates all the received events.
- The information available from each honeypot is heterogeneous, requiring separate analysis and a normalisation process.
Hence the idea, and the need, to start developing a project in which all these tasks are transparent to the user, so that they can focus their efforts on exploiting the information gathered by the honeypot network.
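To make the normalisation problem concrete, the following is an added example (not SmartHive's code) of what a central server has to do with the heterogeneous lines it receives: map a Cowrie JSON event and two text-format lines onto one common schema. The Cowrie line follows the shape of Cowrie's JSON log (eventid, src_ip, timestamp, session); the text layout for the other two honeypots is invented for the example and is not Amun's or Tom's Honeypot's real format. All timestamps are assumed to be UTC.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    """Common schema every honeypot log line is mapped onto."""
    ts: str            # UTC, "YYYY-MM-DDTHH:MM:SSZ"
    sensor: str        # which probe (VPS) produced it
    honeypot: str      # amun, cowrie, tomshoneypot, ...
    src_ip: str
    dst_port: int
    service: str       # ssh, smb, rdp, ...
    kind: str          # connection | auth_failed | auth_success | command | other
    details: dict = field(default_factory=dict)


def to_utc_iso(value: str) -> str:
    """Accept the timestamp variants seen in the inputs (all assumed UTC) and emit
    one canonical form, so events from different honeypots sort together."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).strftime("%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


# Cowrie writes one JSON object per line with an "eventid" field; this maps the
# event ids used in the sample below onto the common vocabulary.
COWRIE_KINDS = {
    "cowrie.session.connect": "connection",
    "cowrie.login.failed": "auth_failed",
    "cowrie.login.success": "auth_success",
    "cowrie.command.input": "command",
}


def normalize_cowrie(line: str, sensor: str) -> Event:
    raw = json.loads(line)
    return Event(
        ts=to_utc_iso(raw["timestamp"]),
        sensor=raw.get("sensor", sensor),
        honeypot="cowrie",
        src_ip=raw["src_ip"],
        dst_port=int(raw.get("dst_port", 22)),
        service="ssh",
        kind=COWRIE_KINDS.get(raw["eventid"], "other"),
        details={k: raw[k] for k in ("session", "username", "password", "input") if k in raw},
    )


# Text-format honeypots: a constructed line layout used only for this example, e.g.
#   2016-02-03 10:16:02 SMB connect from 198.51.100.7:51234 to port 445 key=value ...
TEXT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<service>\w+) (?P<kind>\w+) "
    r"from (?P<ip>[\d.]+):\d+ to port (?P<port>\d+)(?: (?P<rest>.*))?$"
)
TEXT_KINDS = {"connect": "connection", "auth_fail": "auth_failed",
              "auth_ok": "auth_success", "command": "command"}


def normalize_text(line: str, sensor: str, honeypot: str) -> Event:
    m = TEXT_LINE.match(line)
    if not m:
        raise ValueError(f"unparsed {honeypot} line: {line!r}")
    # trailing key=value pairs become the free-form details
    details = dict(kv.split("=", 1) for kv in (m["rest"] or "").split() if "=" in kv)
    return Event(
        ts=to_utc_iso(m["ts"]),
        sensor=sensor,
        honeypot=honeypot,
        src_ip=m["ip"],
        dst_port=int(m["port"]),
        service=m["service"].lower(),
        kind=TEXT_KINDS.get(m["kind"], "other"),
        details=details,
    )


def normalize_all(records):
    """records: (sensor, honeypot, raw_line) tuples as forwarded to the central server."""
    events = []
    for sensor, honeypot, line in records:
        if honeypot == "cowrie":
            events.append(normalize_cowrie(line, sensor))
        else:
            events.append(normalize_text(line, sensor, honeypot))
    return sorted(events, key=lambda e: e.ts)   # canonical ts strings sort chronologically


# Constructed sample input: three lines from two probes and three honeypot types.
SAMPLE_RECORDS = [
    ("ams-01", "cowrie", '{"eventid": "cowrie.login.failed", "timestamp": "2016-02-03T10:15:30.123456Z", '
                         '"src_ip": "203.0.113.5", "dst_port": 2222, "session": "c0ffee01", '
                         '"username": "root", "password": "123456", "sensor": "ams-01"}'),
    ("nyc-02", "amun", "2016-02-03 10:16:02 SMB connect from 198.51.100.7:51234 to port 445"),
    ("nyc-02", "tomshoneypot", "2016-02-03 10:16:45 RDP auth_fail from 203.0.113.5:40001 to port 3389 user=administrator"),
]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_RECORDS):
        print(ev)
```

Once every line is an Event, the same source address (203.0.113.5 above) failing logins against SSH on one probe and RDP on another becomes visible without knowing which honeypot wrote which line, which is the point of doing the normalisation centrally rather than per honeypot.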
What could SmartHive offer us?
This section covers all the functionality we considered worth including in the project roadmap before the Hackathon began. However, as the demo at the end of the article shows, by the end of the competition we had closed a working version (whose code is on GitHub) that was much smaller than everything we had planned to build.
Deploying honeypots on the Internet
We have seen that, thanks to SmartHive, we need not worry about the whole process of installing and configuring honeypots, nor about forwarding, aggregating and normalising their events. But what else could it offer?
- Regarding honeypot deployment:
  - The ability to deploy different kinds of honeypots and intrusion detection systems (IDS) such as Snort or Suricata, to name a few. The current version of SmartHive only supports deploying the following low/medium-interaction honeypots:
    - Amun. A low-interaction honeypot written in Python that emulates a wide variety of services: SMB, DCOM, FTP, WINS, UPnP, HTTP, etc.
    - TELNET Honeypot. A low-interaction honeypot written in Python that essentially emulates a TELNET service.
    - Cowrie. A medium-interaction honeypot written in Python and based on Kippo that logs SSH brute-force attacks and, above all, the attacker's interaction with the emulated shell.
    - Tom's Honeypot. A low-interaction honeypot written in Python by InGuardians, capable of emulating the following services: RDP, MSSQL, VNC, Radmin and SIP.
  - The ability to deploy in different locations. This project used DigitalOcean (the link includes our referral code 🙂) as IaaS, allowing low-cost VPSs (from 5 dollars a month) to be created in New York, Amsterdam, San Francisco, Singapore, London, Frankfurt and Toronto.
- Regarding attack identification:
  - Identification, geolocation and categorisation of attacks based on the events received at the central server.
  - Identification of new attacks by correlating the events received from all the sensors (or VPSs).
  - Enrichment of attacks with information from different external data sources (e.g. reputation lists).
- Regarding the information collected on attacks:
  - Creation of our own reputation lists of IP addresses, domains, URLs and malware samples, which could have several use cases:
    - From the individual point of view of an organisation running SmartHive, its detection systems could query these lists for the reputation of any resource and make a decision accordingly.
    - From a global point of view, with several organisations using SmartHive, all the corresponding reputation lists could be combined so that every organisation benefits from the full body of information gathered on attackers. In this case the lists could also be checked to work out whether an organisation was the target of an automated or a targeted attack.
  - Contribution of information on attackers to the community. One could contribute simply by publishing these reputation lists; as for the samples, malware analysts could analyse them.
- Regarding the graphical representation of the information:
  - Real-time visualisation of attacks on a map.
  - Real-time visualisation of attack trends.
  - Statistics per exposed service, country, port, IP address, organisation, signature, honeypot, sensor, etc.
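The two middle groups above (correlating events across sensors and turning the result into reputation lists) are illustrated by the following added example, which is ours for this article and not SmartHive's implementation. It takes already-normalised events as the manager would hold them after aggregation, tags each source IP from what it did across probes (a sweep hitting several probes within an hour, a run of failed logins, post-authentication activity), enriches the tags from a stand-in external blocklist, and exports the tagged sources as a CSV reputation list. Thresholds, the blocklist and the events are all constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are example values, not SmartHive settings.
WINDOW = timedelta(hours=1)      # how close in time hits on different probes must be
SWEEP_MIN_SENSORS = 2            # distinct probes reached inside WINDOW -> automated sweep
BRUTE_MIN_FAILURES = 3           # failed logins from one source -> brute force

# Constructed stand-in for an external reputation feed.
EXTERNAL_BLOCKLIST = {"198.51.100.7"}

# Constructed, already-normalised events (ts in UTC) aggregated from several probes.
EVENTS = [
    {"ts": "2016-02-03T10:15:30Z", "sensor": "ams-01", "service": "ssh", "src_ip": "203.0.113.5", "kind": "auth_failed"},
    {"ts": "2016-02-03T10:15:41Z", "sensor": "ams-01", "service": "ssh", "src_ip": "203.0.113.5", "kind": "auth_failed"},
    {"ts": "2016-02-03T10:15:52Z", "sensor": "ams-01", "service": "ssh", "src_ip": "203.0.113.5", "kind": "auth_failed"},
    {"ts": "2016-02-03T10:16:45Z", "sensor": "nyc-02", "service": "rdp", "src_ip": "203.0.113.5", "kind": "auth_failed"},
    {"ts": "2016-02-03T10:16:02Z", "sensor": "nyc-02", "service": "smb", "src_ip": "198.51.100.7", "kind": "connection"},
    {"ts": "2016-02-03T09:00:00Z", "sensor": "sgp-01", "service": "http", "src_ip": "192.0.2.44", "kind": "connection"},
    {"ts": "2016-02-03T12:30:00Z", "sensor": "lon-01", "service": "http", "src_ip": "192.0.2.44", "kind": "connection"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def max_sensors_in_window(evs, window=WINDOW):
    """Largest number of distinct probes one source touched within any span of length
    `window`. evs must be sorted by time; a sliding window walks the list once."""
    times = [parse_ts(e["ts"]) for e in evs]
    best, start = 0, 0
    for end in range(len(evs)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, len({e["sensor"] for e in evs[start:end + 1]}))
    return best


def correlate(events, external=EXTERNAL_BLOCKLIST):
    """Group events per source IP and derive tags from behaviour seen across probes."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])     # canonical ts strings sort chronologically
        tags = set()
        if max_sensors_in_window(evs) >= SWEEP_MIN_SENSORS:
            tags.add("multi_sensor_sweep")  # same source on several probes: not aimed at one host
        if sum(e["kind"] == "auth_failed" for e in evs) >= BRUTE_MIN_FAILURES:
            tags.add("brute_force")
        if any(e["kind"] in ("auth_success", "command") for e in evs):
            tags.add("post_auth_activity")
        if ip in external:
            tags.add("listed_externally")   # enrichment from the external feed
        report[ip] = {
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "sensors": sorted({e["sensor"] for e in evs}),
            "services": sorted({e["service"] for e in evs}),
            "events": len(evs),
            "tags": sorted(tags),
        }
    return report


def reputation_list(report):
    """Export one CSV line per tagged IP, the shape a detection system could consume.
    Sources with no tags are left out so a single stray connection does not list an IP."""
    lines = ["ip,first_seen,last_seen,events,tags"]
    for ip in sorted(report):               # lexicographic order is enough for a demo
        r = report[ip]
        if r["tags"]:
            lines.append(f"{ip},{r['first_seen']},{r['last_seen']},{r['events']},{';'.join(r['tags'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(reputation_list(correlate(EVENTS))))
```

In the sample data 192.0.2.44 touches two probes three and a half hours apart, so it gets no sweep tag and stays off the list; the sweep rule deliberately requires proximity in time, otherwise any address seen twice over a month would be listed.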
Deploying honeypots on internal networks
Although so far we have only discussed deploying honeypots on the Internet, we also found it interesting to include in the project the option of deploying sensors on an organisation's internal network as early-warning systems. For this we thought of using Raspberry Pis, so that such a deployment would be within reach of any SME or individual.
On the one hand, these devices could be fitted with wireless adapters so they could detect possible attacks against the organisation's Wi-Fi network: access point spoofing through rogue APs, authentication and/or association attempts by unauthorised clients, denial-of-service attacks against the network's clients, etc.
On the other hand, in line with the previous subsection, these sensors could come ready-equipped with a set of honeypots allowing the detection not only of compromised hosts performing network scans, but also of hosts that go on to interact with the services the honeypots expose internally. In this respect it would be advisable to deploy across several subnets and configure the honeypots appropriately, enabling the services that make the most sense within each subnet (relative to the services running on the other hosts of that subnet).
In any case, these sensors would come with all the software installed and preconfigured so that they start working automatically as soon as they are plugged into the network.
Since the organisation's users should not be aware of these sensors' existence, any traffic reaching them from the internal network should be treated as suspicious and raise an alert to be investigated.
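As an added example of the alerting rule just described (ours, not SmartHive's code), the following turns the connection records of one internal sensor into alerts. Because nobody should be talking to the sensor, every source that is not on a short allowlist (the management host that collects its logs) produces an alert; the alert's kind and severity distinguish the two cases the previous paragraphs care about, a host scanning ports without sending anything and a host actually using a decoy service. The internal ranges, the allowlist and the records are constructed values.

```python
import ipaddress
from collections import defaultdict

# Constructed values: the organisation's internal ranges and the one management
# host allowed to talk to the sensor (e.g. to pull its logs).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWLIST = {ipaddress.ip_address("10.0.0.10")}
SCAN_MIN_PORTS = 5    # distinct ports touched with no payload -> port scan

# Constructed sensor records: (ts, src_ip, dst_port, payload_bytes) for each
# connection the Raspberry Pi's honeypots accepted.
RECORDS = [
    ("2016-02-03T08:00:01Z", "10.0.0.10", 22, 0),       # management host: expected
    ("2016-02-03T08:12:05Z", "10.1.2.3", 22, 0),        # one host sweeping ports...
    ("2016-02-03T08:12:05Z", "10.1.2.3", 80, 0),
    ("2016-02-03T08:12:05Z", "10.1.2.3", 443, 0),
    ("2016-02-03T08:12:06Z", "10.1.2.3", 445, 0),
    ("2016-02-03T08:12:06Z", "10.1.2.3", 3389, 0),
    ("2016-02-03T08:12:06Z", "10.1.2.3", 8080, 0),
    ("2016-02-03T08:40:12Z", "10.1.2.50", 445, 312),    # ...another actually talking SMB
    ("2016-02-03T08:40:13Z", "10.1.2.50", 445, 1024),
    ("2016-02-03T09:05:00Z", "192.168.7.9", 22, 0),     # a single unexplained touch
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(records, allowlist=ALLOWLIST):
    """One alert per non-allowlisted source. Nothing should know the sensor exists, so
    every contact is reported; kind and severity depend on whether the host only
    scanned or actually used the decoy service."""
    per_src = defaultdict(list)
    for ts, src, port, payload in records:
        if ipaddress.ip_address(src) in allowlist:
            continue                      # the only expected peer
        per_src[src].append((ts, port, payload))

    alerts = []
    for src, hits in per_src.items():
        ports = {port for _, port, _ in hits}
        payload = sum(p for _, _, p in hits)
        if payload > 0:
            kind, severity = "service_interaction", "high"   # spoke to the fake service
        elif len(ports) >= SCAN_MIN_PORTS:
            kind, severity = "port_scan", "medium"           # many ports, no data
        else:
            kind, severity = "unexpected_contact", "low"     # still worth a look
        alerts.append({
            "src_ip": src,
            "origin": "internal" if is_internal(ipaddress.ip_address(src)) else "external",
            "kind": kind,
            "severity": severity,
            "ports": sorted(ports),
            "first_seen": min(ts for ts, _, _ in hits),
            "last_seen": max(ts for ts, _, _ in hits),
            "payload_bytes": payload,
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in classify(RECORDS):
        print(alert["severity"], alert["kind"], alert["src_ip"], alert["ports"])
```

Note that on a real sensor the "scan" case is the easy one to get right; what makes the honeypot worth deploying is the "service_interaction" case, because a host that completes an SMB or RDP exchange with a decoy nobody was told about is rarely doing so by accident.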
Solution architecture
Below is a diagram of the architecture we took as the starting point for developing SmartHive:
A possible solution made up of the following components:
- smarthive-frontend. This component would consist of a web application built on the Meteor platform and a NoSQL database such as MongoDB. From the web, on the one hand, one could deploy a set of honeypots in different locations quickly and easily, and on the other, all attack-related information would be shown in real time: attacks plotted on a map, attack trends, statistics per service, port, country, organisation, etc.
- smarthive-sensors. All the sensors (VPSs) used to deploy honeypots. Providers such as DigitalOcean or AWS could supply these sensors.
- smarthive-manager. This component would in turn consist of:
  - An element in charge of managing all the events received from the sensors: it would process every incoming event, store it in a database and, by analysing the events, try to identify the attacks to be displayed in the web application.
  - Another element restricted to managing the sensors (creation, configuration, destruction) on which the honeypots are deployed.
- smarthive-rabbitmq. In charge of the communication between all the platform components through RabbitMQ. RabbitMQ is an open-source messaging system that implements AMQP, a protocol designed for exchanging information via messages.
- smarthive-raspberry-pis. All the Raspberry Pis deployed inside the organisation's internal network.
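To show how the components above would talk to each other over RabbitMQ, the following added example (ours, not SmartHive's code and not using a broker) reimplements the routing rule of an AMQP topic exchange in memory and wires the frontend, manager and sensors to it. The routing-key layout (events.<region>.<sensor>.<honeypot> for probe output, control.<sensor> for orders to a probe) and the queue names are assumptions for the example; the matching semantics (`*` is exactly one word, `#` is zero or more words) are those RabbitMQ documents for topic exchanges.

```python
import json
from collections import defaultdict


def topic_matches(pattern: str, key: str) -> bool:
    """AMQP topic-exchange matching: words separated by '.', '*' matches exactly one
    word, '#' matches zero or more words."""
    return _match(pattern.split("."), key.split("."))


def _match(pat, words):
    if not pat:
        return not words
    if pat[0] == "#":
        # '#' may swallow any number of words, including none
        return any(_match(pat[1:], words[i:]) for i in range(len(words) + 1))
    if not words:
        return False
    if pat[0] == "*" or pat[0] == words[0]:
        return _match(pat[1:], words[1:])
    return False


class TopicExchange:
    """In-memory stand-in for one RabbitMQ topic exchange: queues are bound with
    patterns and publish() delivers a copy of the message to every matching queue."""

    def __init__(self):
        self.bindings = []                 # (pattern, queue_name)
        self.queues = defaultdict(list)    # queue_name -> delivered (routing_key, payload)

    def bind(self, queue, pattern):
        self.bindings.append((pattern, queue))

    def publish(self, routing_key, body):
        payload = json.dumps(body)         # messages cross the wire as a JSON body
        delivered = sorted({q for pattern, q in self.bindings if topic_matches(pattern, routing_key)})
        for q in delivered:
            self.queues[q].append((routing_key, payload))
        return delivered                   # a key nobody bound is silently dropped


def build_platform():
    """Wire the article's components. Queue names and key layout are assumptions."""
    ex = TopicExchange()
    ex.bind("manager.events", "events.#")              # manager stores/analyses everything
    ex.bind("frontend.ssh", "events.*.*.cowrie")       # live SSH view only wants Cowrie
    ex.bind("frontend.ams", "events.ams.#")            # per-region dashboard
    for sensor in ("ams-01", "nyc-02"):
        ex.bind(f"sensor.{sensor}", f"control.{sensor}")   # each probe hears only its own orders
    return ex


def demo():
    """Publish a few constructed messages and report where each one was delivered."""
    ex = build_platform()
    routes = {
        "cowrie_event": ex.publish("events.ams.ams-01.cowrie",
                                   {"ts": "2016-02-03T10:15:30Z", "src_ip": "203.0.113.5", "kind": "auth_failed"}),
        "amun_event": ex.publish("events.nyc.nyc-02.amun",
                                 {"ts": "2016-02-03T10:16:02Z", "src_ip": "198.51.100.7", "kind": "connection"}),
        "control_msg": ex.publish("control.ams-01", {"action": "restart", "honeypot": "cowrie"}),
        "unbound_key": ex.publish("metrics.nyc.nyc-02", {"cpu": 0.4}),
    }
    return routes, ex


if __name__ == "__main__":
    for name, queues in demo()[0].items():
        print(f"{name:>12} -> {queues}")
```

The separation matters operationally: the manager must see every event, so it binds the broadest pattern, while a sensor binds only its own control key, so that a control message for one probe can never be picked up by another.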
SmartHive in action
Having looked at the fundamentals of SmartHive in detail, to close this article and clarify how the platform works as far as possible, here is a demo of the last version we managed to close at the end of the Hackathon:
- Agile, low-cost honeypot deployment with SmartHive - 3 February 2016