
Detailed introduction of Honeypot active Defense Technology

2025-03-26 Update From: SLTechnology News&Howtos > Network Security

Shulou(Shulou.com)06/01 Report--

This article mainly discusses honeypot-based active defense technology. The content is fairly comprehensive and has some reference value; readers who need it can refer to it, and I hope it helps everyone.

The HW exercise, which lasted three weeks, is finally over. During HW, the red and blue sides both did their utmost in an all-out contest of attack and anti-attack. As a blue team member, I not only saw the traditional defense technologies perform well in this HW, but also felt the great role that active defense technology played. In my view the most typical example is the honeypot: red team members who mistakenly entered a honeypot were captured by the blue team, who then built an identity profile of them. So let's talk about why honeypots are so impressive.

From passive defense to active defense

For a long time, passive defense has meant detecting suspicious behavior by exact matching against a signature library of known threat characteristics: target programs are compared against the signature library one by one, so that abnormal behavior can be monitored and blocked. These signature libraries are built from what has already happened, which explains why passive defense is an "after the fact" activity. Typical technologies are firewalls, intrusion detection, and so on. However, for unknown attacks such as 0days, defense that relies on signature matching cannot respond effectively. To deal with this attack-defense asymmetry, active defense technology has emerged; typical technologies include cyberspace mimic defense.

Introducing proactive defense strategies

As technology has advanced, more and more methods can bypass traditional passive defense to attack target systems, so traditional passive defense technology has also introduced active defense strategies, such as the intelligent firewalls launched by major manufacturers, Cisco's next-generation firewall, and Hillstone's (Shanshi) intelligent firewall. In addition, there are new active defense technologies such as sandboxes and honeypots, which further make up for the asymmetry. Such techniques mainly address "known unknown threats": for example, a honeypot actively lures attackers by building a disguised business service and capturing their behavior. During HW, a honeypot disguised as a certain service ××× was mapped onto the external network to lure attackers and thus confuse them.

Sandbox technology

Sandbox technology is derived from software-based fault isolation (SFI), whose main idea is isolation. A sandbox uses virtualization technology to construct an isolated running environment and provides a basic abstraction of computing resources to the programs running inside it. By detecting and analyzing the target program, malicious code in it can be accurately discovered, thereby protecting the host. For example, Mo An's architecture uses KVM, and Changting uses Docker.

Because of the sandbox's isolation, a malicious program cannot affect the system outside the sandbox, and the sandbox also provides detection and analysis to judge whether the program is malicious. But there is a pitfall: sandboxes only monitor common OS APIs, so malicious code can evade that monitoring and reach the environment outside the sandbox. A virtual-machine-based sandbox provides a virtualized operating environment for untrusted resources, preserving their original function while providing corresponding security protection, without affecting the host machine. It combines virtualization technology with malicious-behavior detection technology, and the latter uses both signature detection and behavior detection. Signature detection is powerless against 0days; behavior detection can detect 0days, but its false positive rate is high.

Honeypot technology

Honeypot technology originated in the 1990s. It deploys a set of simulated, realistic-looking network systems to lure attackers, then detects and analyzes the attack behavior in the prepared environment, reconstructs the attack path, methods and process, and uses the information obtained to protect the real system. It is widely used in malicious code detection and sample capture, attack detection and attack signature extraction, network intrusion forensics, botnet tracking, and so on.

Honeypots are so named because they are deliberately built to contain many vulnerabilities in order to trap attackers; they are essentially a form of deception technology, and a honeypot only delivers value when it is constantly scanned, attacked and even compromised. A honeypot does not actually contain any sensitive data. It can therefore be said that anyone who reaches the honeypot is exhibiting suspicious behavior and can be confirmed as an attacker, which is the basis for taking the next action.

Through the above analysis, it is concluded that honeypots have three abilities:

Camouflage: by simulating a variety of applications that contain vulnerabilities, it lures the adversary and reduces the threat to the real system.

Data entrapment: once an attacker enters the honeypot, the honeypot's log records can be used to reconstruct all of the attacker's activity and other information from entering to leaving the honeypot.

Threat data analysis: analyzing the attacks.

But the honeypot also has limitations. It can only play its role when it is attacked; if the attacker never triggers the honeypot, the honeypot is meaningless. So we now have to pay more attention to how to make attackers reliably touch the honeypot, and then use related techniques to trace them. Likewise, if the honeypot is identified by the attacker, who successfully gets in and extends the attack using an escape 0day against the honeypot (without the honeypot recording it), then the honeypot becomes a springboard for launching attacks on other real business systems, which is extremely harmful.

Honeypot classification

Honeypots can be divided into three categories: low-interaction, medium-interaction, and high-interaction honeypots.

Low-interaction honeypot: usually refers to a honeypot system with a low degree of interaction with the operating system. It only opens some simple services or ports and is used to detect scans and connections; such honeypots are easy to identify.

Medium-interaction honeypot: sits between low and high interaction. It can simulate more operating system services, so that to the user it looks more like a real business system and the honeypot can obtain more valuable information.

High-interaction honeypot: refers to a honeypot with a high degree of interaction with the operating system. It provides a more realistic environment, which makes it easier to attract attackers and helps in learning new attack methods and types, but it also carries hidden dangers, since it can be turned against the real network.
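As an added example (not code from the original article), here is a minimal low-interaction honeypot of the kind described above: it opens a decoy port, turns every connection into a log record (data entrapment), and summarises which sources kept probing (threat data analysis). The names HoneypotEvent, handle_probe, summarise and serve, the decoy banner and the constructed sample addresses are all assumptions of this example.

```python
# Minimal low-interaction honeypot (added example, not from the original article).
# Any client that reaches the decoy port is by definition suspicious; we log it
# and never offer real functionality beyond a fake banner.
import socket
import threading
import time
from collections import defaultdict
from dataclasses import dataclass

FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"  # constructed decoy banner


@dataclass
class HoneypotEvent:
    ts: float
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: bytes  # what the client sent first, truncated


def handle_probe(src, dst_port, data, ts=0.0):
    """Data entrapment: turn one connection into a log record."""
    return HoneypotEvent(ts or time.time(), src[0], src[1], dst_port, data[:64])


def summarise(events, threshold=3):
    """Threat data analysis: count probes per source and flag repeat scanners."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for ev in events:
        per_src[ev.src_ip]["hits"] += 1
        per_src[ev.src_ip]["ports"].add(ev.dst_port)
    return {ip: {"hits": d["hits"], "ports": sorted(d["ports"]),
                 "flagged": d["hits"] >= threshold} for ip, d in per_src.items()}


def serve(port, events, stop):
    """Listen on a decoy port until `stop` is set, appending a record per connection."""
    with socket.socket() as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))
        s.listen()
        s.settimeout(0.5)
        while not stop.is_set():
            try:
                conn, addr = s.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(FAKE_BANNER)
                conn.settimeout(2.0)
                try:
                    data = conn.recv(64)
                except socket.timeout:
                    data = b""
                events.append(handle_probe(addr, port, data))
```

To run it stand-alone, start `serve(2525, events, threading.Event())` in a thread and call `summarise(events)` after a while; anything it reports came from something that should never have touched the decoy.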

In this HW, quite a large number of honeypots were deployed on the intranet, and only a few on the extranet. The extranet honeypots could detect a great deal, especially after being bound to domain names, which confused the attackers. A certain manufacturer's honeypot can be said to have shone in this HW: as long as an attacker visited it, it could to a large extent obtain their social account IDs, and then reconstruct the attacker's identity profile from the fingerprint information. I believe many red team members did not expect this, and so were thoroughly social-engineered. As for the technology I used, I won't write about it, for fear I won't see the sun the next day. Honeypots can detect not only attackers' methods but also botnets. For example, in this HW many compromised hosts automatically launched attacks on the external network using WebLogic vulnerabilities and then implanted viruses. The public network honeypots detected this behavior very well, after which the information could be collected or tracked.

The above are the details of honeypot active defense technology. Did you gain anything from reading it? If you want to know more, you are welcome to follow our industry information!
