25C3 - 1.4.2.3

25th Chaos Communication Congress
Nothing to hide

Speakers
Markus Kötter
Tillmann Werner
Schedule
Day Day 3 (2008-12-29)
Room Saal 3
Start time 16:00
Duration 00:30
Info
ID 3002
Event type lecture
Track Hacking
Language used for presentation en
Feedback

Squeezing Attack Traces

How to get useable information out of your honeypot

This talk will give an overview about how modern attack analysis tools (dynamic honeypots, an automated shellcode analyzer, and an intrusion signature generator) can be used to get a deep understanding about what attacks do and how they work. A live demo will be given to demonstrate the usage of those tools.

Knowing what's going on in the field of attacks against Internet hosts is one of the most important things for everybody dealing with IT security. People need to stay current with attack technology to understand and implement countermeasures. However, firewall logs and IDS alerts do not provide the details we need. New technologies like honeynets try to bridge this gap: As active sensors they try to catch as much information as possible about an intrusion attempt. But they only collect data most of the time and help little when it comes to actually analyzing attacks.

If we want to understand the attack situation, we need to get some real attack traces first. After that, we can extract the exploit and try to understand, what it does. This can be easy (SQL injection attempts are human readable, for example) but also very hard and time consuming: For a piece of shellcode it would generally be necessary to step over the code in a debugger, a task that is hard to automate. We show a workaround. Finally, once an attack is analyzed, it would be nice to construct a blocking rule or an IDS signature to catch further attempts and prevent other systems from being exploited.

In the talk, we will introduce the idea of using dynamic honeypots for gathering traces of nearly arbitrary server-side attacks. We will show how an automatic shellcode detection and analysis can be performed with a x86 CPU emulation software. Lastly, we will briefly explain how a signature generator can find common parts in different attack traces and how these can be used to assemble a pattern which can be used in a network intrusion detection system.

We will show how to put these tools together in a short live demo.