Reverse Deception: Organized Cyber Threat Counter-Exploitation
Author: Sean Bodmer
Packet capture (PCAP): This layer is a full packet capture of the entire network session of events, which can be exported from the honeywall and used for offline analysis by multiple third-party analysis tools.
The host (honeypot) has these layers:
Time/date stamps: This layer gives the analyst some knowledge of when specific events occurred, which should match up with the network time/date stamps.
Attacker IP addresses: This layer records the IP address of the attacker so that it can be matched up with the network flow data (in the event of two attackers being on a single honeypot).
Used process: This layer gives the analyst insight into which exploit is being used and which methods the attacker favors when remotely interacting with a victim system.
Used process identifier (PID): This layer provides insight into the means by which attackers were able to enter the system and escalate their privileges. This information should match the process the attackers used during the session.
Session input/output (attacker keystrokes): This layer contains the literal commands, options, and arguments entered by the attacker into the honeypot. These are usually typed at the DOS prompt shell or a Unix terminal (via SSH, telnet, and so on). This layer also helps the analyst better understand what the attacker is thinking and the modus operandi of the attacker.
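The host layers above are only trustworthy when they line up with the network layers: each host event should have a flow from the same attacker IP whose lifetime covers the event's time stamp. The following added example (not from the book; record formats and all sample data are constructed) performs that cross-check, tolerating a small clock skew between the honeypot and the honeywall, and separates corroborated events from orphaned ones that deserve a second look.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FMT = "%Y-%m-%d %H:%M:%S"

@dataclass
class Flow:  # network layer: one flow record exported from the honeywall
    start: str
    end: str
    src_ip: str
    dst_port: int

@dataclass
class HostEvent:  # host layer: time stamp, attacker IP, process, PID, keystrokes
    ts: str
    attacker_ip: str
    process: str
    pid: int
    keystrokes: str

def match_flow(ev: HostEvent, flows: List[Flow],
               skew: timedelta = timedelta(seconds=30)) -> Optional[Flow]:
    """Return the flow whose source IP equals the event's attacker IP and whose
    lifetime (widened by the tolerated clock skew) covers the event's time stamp."""
    t = datetime.strptime(ev.ts, FMT)
    for f in flows:
        if f.src_ip != ev.attacker_ip:
            continue
        if datetime.strptime(f.start, FMT) - skew <= t <= datetime.strptime(f.end, FMT) + skew:
            return f
    return None

def validate(events: List[HostEvent], flows: List[Flow]) -> Tuple[List[HostEvent], List[HostEvent]]:
    """Split host events into those corroborated by a network flow and those with
    no network evidence (clock drift, a gap in capture, or a tampered host log)."""
    confirmed, orphaned = [], []
    for ev in events:
        (confirmed if match_flow(ev, flows) else orphaned).append(ev)
    return confirmed, orphaned

# Constructed sample records (hypothetical; addresses taken from documentation ranges).
FLOWS = [Flow("2024-03-01 10:00:05", "2024-03-01 10:07:40", "203.0.113.7", 22)]
EVENTS = [
    HostEvent("2024-03-01 10:00:10", "203.0.113.7", "sshd", 4120, "uname -a"),
    HostEvent("2024-03-01 10:03:30", "203.0.113.7", "bash", 4133, "whoami"),
    HostEvent("2024-03-01 10:20:00", "203.0.113.7", "bash", 4133, "id"),   # after the flow ended
    HostEvent("2024-03-01 10:01:01", "198.51.100.9", "bash", 4140, "ls"),  # no flow from this IP
]
```

Orphaned events are not necessarily false: a capture gap or drifting clocks produce the same symptom, so the skew window should be set from the measured offset between the two clocks before drawing conclusions.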
Upon identifying a specific event as being truly malicious, an analyst should validate the honeynet information against the captured data from external honeynet devices. However, the most powerful layer in the preceding list is the session input/output captured data. This layer is capable of providing the analyst with previously unforeseeable information about the attackers themselves. A behavioral, social, and criminal scientist/analyst may be able to discern specific observable information from the attacker’s tools, techniques, and procedures. The following are some of the traits an analyst can discern from attackers’ interactions with a honeynet for extended periods of time:
Motivation: The level of intensity and degree of focus
Objectives: Boasting rights, disruption, destruction, learning secrets, making money
Timeliness: How quickly they work (years, months, days, hours)
Resources: Well funded to unfunded
Risk tolerance: High (don't care) to low (never want to be caught)
Skills and methods: How sophisticated the exploits are (scripting to hardware life-cycle attacks)