Reverse Deception: Organized Cyber Threat Counter-Exploitation (75 page)

BOOK: Reverse Deception: Organized Cyber Threat Counter-Exploitation

2.72Mb size Format: txt, pdf, ePub

ads

Packet capture (PCAP)
This layer is a full packet capture of the entire network session of events, which can be exported from the honeywall and be used for offline analysis by multiple third-party analysis tools.

The host (honeypot) has these layers:

Time/date stamps
This layer provides the analyst with some knowledge of when specific events occurred, which should match up with the network time/date stamps.

Attacker IP addresses
This layer records the IP address of the attacker in order to match up with the network flow data (in the event of two attackers being on a single honeypot).

Used process
This layer provides the analyst with insight into which exploit is being used and which methods the attacker favors when remotely interacting with a victim system.

Used process identifier (PID)
This layer will provide insight into the means by which attackers were able to enter the system and escalate their privileges. This information should match the process the attackers used during the session.

Session input/output (attacker keystrokes)
This layer contains the literal commands, options, and arguments inserted by the attacker into the honeypot. These are usually entered at the DOS prompt shell or Unix terminal (via SSH, telnet, and so on). This layer also helps the analyst better understand what the attacker is thinking and the
modus operandi
of the attacker.

Upon identifying a specific event as being truly malicious, an analyst should validate the honeynet information against the captured data from external honeynet devices. However, the most powerful layer in the preceding list is the session input/output captured data. This layer is capable of providing the analyst with previously unforeseeable information about the attackers themselves. A behavioral, social, and criminal scientist/analyst may be able to discern specific observable information from the attacker’s tools, techniques, and procedures. The following are some of the traits an analyst can discern from attackers’ interactions with a honeynet for extended periods of time: