CompTIA CYSA+ CS0-002 – Network Architecture and Segmentation Part 4

7. Honeypots (OBJ 2.1)

Honey Pots. In this lesson, we’re going to start talking about Honey Pots and active defense. Honey Pots are probably the most well known form of active defense, although there are several other types. Now, when we talk about defense, you probably have heard the old saying, the best defense is a good offense. Now, what does that mean? Well, this is actually a saying from a boxer back in the 1930s named Jack Dempsey. And his idea was if you have a really good offense and you’re hitting the other guy over and over and over again, you’re going to bloody him up to the point where he gets tired and gives up on you. That’s the idea of the best defense being a good offense. Now, does that really apply to our networks? Well, maybe, or maybe not.

But in this lesson, we are going to focus on active defense because that is one of the objectives underneath your cysaplus exam. Now, when we talk about active defense, we’re talking about the practice of responding to a threat by destroying or deceiving the threat actor’s capabilities. Now, what this really means is that we have an engagement with the adversary. That’s what active defense is all about. You’re going to hit me? Well, I’m going to hit you back, or you’re going to try breaking into my network. I’m going to let you in, but I’m going to put you in this other area. That’s a decoy. That’s the idea of active defense. For instance, I might want to set up something that is essentially bait for an attacker.

I set up an area of my network that is exposed to the Internet, and I don’t patch my servers, and I put false information on that stuff that all looks like a very attractive target to an attacker. And so they may go and grab that and I’m luring them in. Well, that concept is actually called a Honeypot. A Honeypot is essentially a host or a server that is set up with the purpose of luring attackers away from your actual network components that you care about and instead allowing them to start attacking this other area. When they do this, it allows you to discover attack strategies and weaknesses in different security configurations and learn from their attack methods. Because as you watch them doing things, you’re going to see, oh, when they first break in, then they try to pivot, or then they try to escalate privileges, or then they try to do X-Y-Z.

And by being able to gather that information, you can learn about your adversary. Now, in addition to a Honey Pot, which is a single host or server, you might have a Honey Net. And this is an entire network that’s set up to entice an attacker. And it looks really juicy, like it’s a real company’s network. And this is actually set up a lot of times by different Internet security companies so they can learn about the different attackers out there. Now, often these honey nets are set up by Internet security companies because they want to use that to allow their security teams to analyze an attacker’s behavior. Now, what’s a good example of this? Let’s say I went ahead and said I have this wonderful database, so I’m going to set up a database server.

I’m going to put some fake information in the database server, and I’m going to expose it to the Internet. Now, inside of that database, I have a lot of meaningless or unhelpful information. But the attacker doesn’t know that. They just see there’s a database with a lot of important financial records because that’s what I made it look like. And so as they go in there and they start attacking that database and they start getting into there, I can start seeing what they’re doing and figure out what their techniques are and then use that to better harden the rest of my network against that type of an attack. That’s the idea of using a honey pot or a honeynet. Now, one of the reasons why security researchers set up these big honey nets is to learn about new techniques, because when they learn about techniques, they can try to attribute them back to the actor.

When we talk about Attribution, we’re talking about the ability to do identification and publication of an attacker’s methods, techniques and tactics as useful threat intelligence. For instance, if you look at FireEye, they do this all the time. You can go look at a report on Apt 28, for instance, and they’ll tell you they believe this is attributed attributed to Apt 28, these types of malware. And these are the common techniques they use. And these are the common tactics they use. And this is who we think they are. We think they are part of the Russian Federation, or we think they are part of China, or we think they are part of the US. Or whoever it is they think they are. That is what Attribution does.

Now, in addition to dealing with things like honey nets and honey pots and Attribution, we also can do other strategies like annoyance strategies. Now, annoyance strategies often will rely on observation techniques. These are things we’re basically trying to annoy our attacker and waste their time. So for instance, we might put in bogus DNS entries so when they look at our DNS records, they see that we have a mail server and a SharePoint server and a file server and a web server. And we may not have any of those servers up, but we can give bogus DNS entries so they think there’s something else there and so they’ll waste their time trying to find it. Then we can also have things like web servers with decoy directories.

So I have a web server up and I have all my I do see information in a file called confidential. No I don’t, because I don’t want somebody to see that because they see confidential they’re going to try to get into it, right? But I might put decoy directories like confidential important financial and that way attackers might try to go for those and waste their time. Because if they’re wasting their time on stuff I don’t care about, hopefully they’re not using their time against stuff I actually do care about. And then the other thing we can do is we can use port triggering and spoofing. There’s a lot of techniques out there where when you see traffic coming come in on port X, have this action occur.

And so you might have something like they connect on port 25 to try to get into your SMTP server and you’re not really running an SMTP server, instead you’re going to send that over to port 80 and give them some other kind of message back. So again, you’re wasting their time. Now another thing you can do is what’s known as hack back. And this is something I don’t really encourage you to do. Most organizations are not going to allow you to do hack back unless you work for maybe a three letter agency or a military component or some other nation state. Because when you’re hacking back you are conducting offensive attacks. Hackback is essentially using offensive or counterattacking techniques to identify the attacker and degrade their capabilities.

The idea here with hackback is maybe you have somebody who is attacking your network and you identify that their command and control is at this particular IP. Well you can start doing a denial of service against their IP to get them to stop doing the attack against you. That’s the idea of a hackback. Now can you do this legally? Maybe it depends where you live because these things all are in different laws based on the city, the state, the country or the region of the world that you live in. And so you have to look into that because there are many legal and reputational implications that you have to consider and mitigate before you can use some of these active defense strategies, especially hackback. For instance, hackback is considered an offensive maneuver.

As I said, you are attacking somebody. So in the United States you can actually go to jail for that because you are breaking the law. It is illegal to do hacking. And so if you are hacking back against somebody who is hacking you, that doesn’t make two wrongs make a right here. You could still go to jail for that. So keep that in mind, remember where you are and the laws in your area and the laws of the server that you’re actually attacking because just because you’re in the United States that server may be someplace else and then it’s affected by those laws and regulations. So again, the best practice is really not to do hackback. But again, it is one of those things that’s covered in your textbook. So I wanted to bring it up here.

8. Configuring Network Segmentation (OBJ 3.2)

Network segmentation. In this lesson, we’re going to go through and do a little bit of configuration of how you would do network segmentation and security within your network. Now, to do this, I’m going to be using an open source unified Threat management appliance known as Pfsense. You can download this yourself, install it in your own network@pfsense. org. Now, this lab is going to be focused on the installation and configuration issues that you might come across, Ross, when you’re doing this in the real world, to get started, I’m going to go into my lab environment and I’m going to enter into the web application interface for this particular unified threat management system. I’m going to log in with my username and password, which in my case is admin and the password of password.

Now, once I’m in here, I want to go forward and look at the firewall ACLs. This firewall that we have has two different interfaces. It has an external one and an internal one. This might act like a router. On the external side, I have the Internet. On the internal side, I have my local area network. This firewall is going to be screening any traffic coming in from the external network before it gets into my local network segment. This means that any traffic that matches my access control list can get through and anything that’s denied by my access control list will be rejected. So let’s take a look at what rules we already have here. First we’re going to click on Firewall and then rules. From here we can see on the Win tab that there are several different types of traffic that’s permitted.

We have things like ICMP, which is ping traffic. We have DNS, which does domain name resolution. We have Http and Https, which is going to allow web browsing. And we have SMTP, which is going to allow outbound email. Now notice all of these things are things that you would normally expect to see and they all have forwarding rules. That means that traffic from these ports is going to be directed to a host inside the land. Now, all of these, except for ICMP, that is, ICMP just has an allow rule, not a forwarding rule. Now, why are these forwarding rules in place? Well, because I’m setting up a DMZ and so I’m going to have people from outside the network being able to go into my network using that forwarding and then get to my DNS server or my Http server, or my Https server or my SMTP server.

So now let’s click on the Land tab, which is the internal network. This is where I’m hosting those servers. Now notice here there is no egress filtering, which means there’s nothing blocking anything from going out. Any type of traffic from a host on the land can go to any other endpoint unless there’s going to be a denial rule put in place by a higher level ACL. Now, if I click on the firewall and click on Nat. You can see the host that I’m going to be sending this traffic to. Remember I had that Nat forwarding going on. So here you see DNS is going to go to the server located at ten 10 one. If you look at the web Http and Https, this is going to my Apache web server at ten. My SMTP is going to go to my email server at ten 10 two. So is there any issues with this? Well, there is an issue here.

Putting all these things in the same segment is pretty risky because a web server, for instance, is going to be exposed to a large number of vulnerabilities and exploits because they can have things like cross site scripting, they can have things like remote code execution and all sorts of other exploits. So if somebody was able to compromise that one server, they can then pivot over to the SMTP server or over to the DNS server and take advantage of those two. So we probably want to add some segmentation and that’s what we’re going to focus on here through the rest of this lab. Now, to configure this firewall so that my web server is put into an isolated demilitarized zone, I need to be able to separate it from the other host. And I’m going to do this by creating a third interface on the firewall.

Now to do this within Pfsense, I’m going to go to Interfaces and then Assignments. From here I’m going to click the Add button next to the unused interface. Now from the menu bar I can select Interfaces and then opt one. For option one, I’m going to check the Enable interface box and I’m going to go in and select Static IPV four for my IPV four configuration type. When I go down there, I’m going to put in the IPV four address of ten 125-4254 and I’m going to select 24 from the list box. Now I’m going to save my changes and apply those changes. This is going to enable that interface on the firewall using that IP address. Next I’m going to go to Firewall and then click Nat. And here I’m going to click the Edit button, that pen icon on the Http forwarding rule.

I want to redirect that IP value to ten 1254 ten and change my description of Http forwarding to the DMZ and then save it. Next I’m going to edit the Https forwarding rule again. I’m going to type in ten 1254 ten and I’m going to change the description to Https forwarding to the DMZ and click Save and then apply Changes.So at this point you can now see we have a couple of rules here. You can see we have the SMTP rule going to ten one, dot zero two. It’s using forwarding. Then we have Https and Http both going to ten 1254 ten using that forwarding rule to the DMZ. And finally we have DNS still going to the DNS server located at ten 10 one. Next I need to set up my logging so anything that’s going through this firewall gets logged. So what am I going to log? Well, let’s go up here and click on Status System Logs and Settings.

Then scroll down and click the check button next to Log. Packets match from the default block rules in the rule set. This means anything that’s blocked is going to get logged. All right, so everything’s looking good now, but we still have one more step. We haven’t configured the web server to move itself into the DMZ because we changed the IP address. So now we have to give that web server that new IP address of ten 1254 ten. To do this, I’m going to log into my web server. I’m going to click on the network icon and then select the wired connected and the wired settings. From here I’m going to turn the wired connection off, click the cog icon to be able to go into settings and then set IPV four tab to set static manual IP address.

And I’m going to give the address of ten 1254 1024 with a default gateway of ten 125-4254. Once I’ve done that, I can click that slider button to turn the wired connection back on and close the connection window. All right, at this point we should have our DMZ configured with the web server sitting in the DMZ, the DNS server and the SMTP server sitting on the internal network and the external network being the Internet out on that external interface. Let’s go ahead and test our segmentation. First I’m going to verify that we can browse the server as normal if we’re doing this from our PC, which is inside of that local area network. Well, to do this I’m going to go to www five one five support Dvwa and www five one five support multitilde. Notice both of these browse with no issues at all.

Next I’m going to see if this server is vulnerable to a reverse shell attack vector. To do this I’m going to go into metasploit like I’ve used in other lessons, and I’m going to use the exploit multi handler and then I’m going to type in exploit. From here I’m going to run the curl command and see if I can establish a reverse shell. So if I type in curl user and then the user I’m going to use, in this case Sam password and the site I’m trying to do this to http www five one five support webdavget PHP now this is not going to work this time. This means there’s no meterpreter shell that’s being open because our ACL should have been configured to only allow incoming connections on each interface. So it’s going to block opt one when the web server is trying to initiate a new connection to it. However, it can reply to web sessions.

The external host has started. So when I tried to access it through the Web browser, I made a request and then it responded. But in this case, with the curl command, I’m trying to have the server send that out initially without a request coming. And that is why we’re showing that this reverse shell is not going to work. All right, let’s go back and take a look at our firewall logs. Now, if I go back into my firewall, I can click on status system logs and then Firewall note here you can see the log view has been configured with the most recent events. At the top, observe the rule at the top for regular http browsing. This came from 192, 168, dot two, dot 192, and it went to the Web server at ten.

Dot one, dot 254, ten over port 80. Now observe the default blocking rule that we saw here. Ten, 1254. Ten is not allowed to establish a connection to 192, 168, 2192 over port 80, 80. This is what we tried to do when I use that curl command, essentially, I was trying to go from the Web server over to the client PC in the internal network. And because of this DMZ rule, it’s going to block that. Now, if I click on that cross, I can see additional details about this hidden default rule. So as you can see here, we have successfully isolated our Web server from other hosts on the internal network while still allowing it to have access from those hosts to the Web server when they need it, but preventing the Web server from getting back to those hosts.

So you can see how we can add segmentation here to make sure that the devices in the internal network are protected from the external network and from that untrusted DMZ. Now, we’ve talked about jump boxes as well, and you could configure a jump box on the DMZ as the single point of entry. Essentially, you would get SSH access into that jump box in the DMZ, and then from that jump box in the DMZ, you could access all of the other hosts inside the DMZ because it’s in that environment already. This would be a good way to set things up, especially if you configure a forward proxy connection to those different application servers. All right, so I hope you’ve enjoyed this lesson as we got a little hands on using Unified Threat Management and File Firewalls and going through some configurations for segmentation.

• Category: Uncategorized