i-code

Piotr Kijewski

HoneySpider Network 2.0: Detecting client-side threats the easy way

Malicious web pages that use either drive-by downloads or social-engineering to exploit systems of unsuspecting users are presently one of the most serious threats to end user security on the Internet. HoneySpider Network 2 is an open-source (but not public yet) framework for detection of client-side attacks, developed by NASK and NCSC. Version 1.0 was a unique combination of high-interaction client honeypot (Capture-HPC NG - see https://pl.honeynet.org) with a custom low-interaction honeypot, resulting in a system that is able to use different approaches for analysis of web pages. Building on the experience gathered from the previous version of the system, we completely redesigned the architecture, focusing on creating a flexible and scalable framework.
At the core of the solution is a high-performance engine that controls the flow of tasks being processed and distributes the workload using AMQP (Advanced Message Queuing Protocol). HSN 2.0 leverages the functionality of a multitude of services (plugins) for data acquisition and analysis. New services can be created in a straightforward way: they can be implemented in any language, our protocol is well documented, and AMQP is a standardized transport layer. Existing honeypot, crawler or threat analysis solutions can be easily plugged in.
All this allows the system to go beyond analyzing URLs and also inspect files such as PDFs, Office documents, Flash, etc. Furthermore, the architecture is very fault tolerant, meaning that a failure of any single service does not render the system unusable.
Building such an open and universal architecture is necessary if the security community is to keep up to date with the dynamically shifting threat environment. In our experience, this goal is only achievable through a collaboration of many experts, each contributing knowledge - and code - about certain types of exploits and threats.
As part of the presentation we will also cover in more detail one future module of the system, Capture 4 Linux. Capture Client for Linux is exactly what the name suggests: an alternative client module of the Capture-HPC high-interaction client honeypot, designed for Linux. It is fully compatible with the standard server module and provides the ability to detect threats aimed at Linux clients. The current implementation provides monitoring of process creation and filesystem access and successfully detects real exploits in tests. Development is currently continued by Maciej Szawowski as a Google Summer of Code project mentored by NASK employees as members of Honeynet Project Chapter Poland.

Bio

Piotr Kijewski has been the Head of the CERT Polska team and Chief Security Specialist at NASK since April 2010. His main interests in the computer and network security field include threat intelligence, intrusion detection, honeypot technologies and network forensics. Working at CERT Polska since 2002 in a technical role, Mr. Kijewski has been the main visionary of security research in the team, and leader of numerous threat monitoring and early warning related projects, such as ARAKIS, a nation-wide early warning system in Poland, and HoneySpider Network, a complete client honeypot solution. He has also successfully led NASK involvement in EU funded projects, such as WOMBAT, FISHA and eCSIRT.net. He is the leader of various studies for European agencies such as ENISA: for example the Proactive Detection of Network Security Incidents study, and a follow-up study on Honeypots. Piotr is also the founder of the Polish Chapter of the Honeynet Project. He is the author of many papers and reports on security topics, as well as a frequent speaker at conferences both inside and outside of Poland. Mr. Kijewski holds an MSc degree in Telecommunications from the Warsaw University of Technology.