Innovation and Effectiveness in Cyber Security
Introduction
The rapid growth of internet usage paved the way for the evolution of interconnected systems, leading to a fully connected world of devices. Devices such as smart TVs, smart fridges, and baby monitors are frequent targets because of their low cost, lack of adequate security hardening, and poor vendor focus on security; once compromised, they are easily used as a launching point for attacks on further systems or networks.
Traditional defensive controls in cyberspace are no longer sufficient to protect networks and data of interest, because unexpected flaws keep emerging in IT protocols and digital systems. Mature intelligent security strategies orchestrate a set of tools to cover the entire security posture across the protected scope. A key element in that set is an early warning system such as a honeypot. Honeypots simulate vulnerable systems or services and trap threat actors, which helps characterize their behavior and strengthen the deployed defensive strategy. In our study, we aim to understand the cyber-attacks that roam around the Lebanese perimeter. To this end, as a first step we deployed several honeypots on one public system located in the capital city area. The deployed system's main goal is to detect automated attacks, in which threat actors run large scans to identify vulnerabilities and exploit them.
This study discusses and visualizes the results of 10 honeypots that follow the T-Pot implementation originally created by Deutsche Telekom [1]. T-Pot is a ready-to-deploy system running on Linux which comprises multiple honeypots, each configured to track specific services and vulnerabilities. The system offers a user-friendly graphical interface accessible through the web, besides other access methods, which provides a convenient way to view the captured logs in different formats. The traffic was collected by the honeypots over 21 days, from January 8th to February 1st, 2022. Throughout our study, we focused on answering the following:
- What are the most attractive services for attackers?
- Where do most attacks originate from?
- How are attacks distributed over time?
- Which usernames and passwords are most often attempted by threat actors?
Selected Honeypots
The following table shows a brief description of the deployed honeypots.
| Honeypot | Description |
|---|---|
| Dionaea | A Python script using libemu to detect shellcodes, supporting IPv6 and TLS |
| RDPy | A Python implementation of Microsoft Remote Desktop Protocol (RDP), client and server side |
| Mailoney | An SMTP email honeypot that provides custom modes to fit the needs |
| Cowrie | A medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker |
| Honeytrap | A network security tool that observes attacks against TCP or UDP services |
| CiscoASA | Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability |
| ADBHoney | The Android Debug Bridge (ADB) is a protocol made to control and track connected Android devices (phones, tablets…) using several tools and commands |
| Heralding | Simple honeypot logger that collects credentials |
| SNARE/TANNER | SNARE is a web application honeypot sensor; TANNER is SNARE's "brain". Every event is sent from SNARE to TANNER, gets evaluated, and TANNER decides how SNARE should respond to the client |
| Citrix | Honeypot for CVE-2019-19781 (Citrix ADC); detects and logs CVE-2019-19781 scans and exploitation attempts |
Number of Attacks
The selection of the honeypots is based on the criticality of the services they simulate. For example, Cisco ASA is the firewall platform found in most Cisco-based networks, and RDPy is the Python implementation of the Microsoft RDP protocol that is widely used on Windows servers.
The analytics showed that within 21 days more than 2,500,000 attacks had been performed, as depicted in the next figure. Of these, Cisco ASA and Citrix ADC were targeted by 16,268 and 667 attacks, respectively. These two services are singled out because it was previously shown in [2] that many systems in the Lebanese perimeter are vulnerable through them.
To identify how active attackers are over the Lebanese perimeter, the next figure presents the distribution of attacks over time, per honeypot. For most of the deployed honeypots, the attacks are quasi-uniformly distributed, which might indicate a periodic scan performed over the perimeter. However, for some honeypots such as Cisco ASA, there are specific periods in which the attackers were very active, such as 25-01-2022 with more than 15,000 attacks. This leads to the conclusion that the perimeter is exposed to the whole world and that any existing vulnerability is effectively known to thousands of attackers.
Origin of Attacks
Looking at the origin of attacks, the United States ranks on top with more than 60% of the attacks. Other countries in the ranking are Lebanon, Vietnam, and Russia. It is unusual to count so many attacks originating from Lebanon; we therefore plan to investigate further the results sourced from Lebanon, as the assumption is that other countries have more powerful scanning capabilities in cyberspace.
The next figure shows that 95% of the attackers are classified in the "known attacker" category, whereas 2% are classified in the bad reputation category. The remaining attacks are classified as crawling, mass scanning, and spamming activities. Such results highlight the high risk of being exposed online and further stress the importance of our work in [2] on uncovering unpatched critical vulnerabilities.
Top Username/Password Combinations Used by Hackers
The figure below illustrates the most used username/password combinations. Trivial built-in accounts such as root, administrator, and guest, along with their derivations and well-known service accounts, are the primary targets. The passwords attempted against these accounts are basic entries from any password dictionary, such as admin, sequences of digits, or default passwords set by product/application providers. The results demonstrate the need for a stronger password policy and for the implementation of advanced authentication methods such as multi-factor authentication (MFA).
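The figures in this report (attacks per honeypot per day, top source addresses, and the username/password tally) all come from the same kind of aggregation over the honeypots' JSON logs. The script below is an added example written for this page; it is not the study's own tooling and not part of T-Pot. It assumes Cowrie-style JSON-lines events (eventid, timestamp, src_ip, username, password) plus a "sensor" field naming the honeypot, and every event in it is constructed. It also flags days whose count is far above the sensor's median, which is the kind of check that would single out a peak like the Cisco ASA day described above.

```python
"""Added example (not from the report or T-Pot): summarize honeypot
JSON-lines logs the way the report's figures do.

Assumptions: each line is a JSON object with Cowrie-style fields
(eventid, timestamp, src_ip, username, password) plus a "sensor" field
naming the honeypot. All sample data below is constructed."""
import json
import statistics
from collections import Counter, defaultdict


def _build_sample_log():
    """Construct sample events: a Cisco ASA sensor with a one-day spike and a
    Cowrie sensor with repeated login failures. Constructed, not real data."""
    days = ["2022-01-22", "2022-01-23", "2022-01-24", "2022-01-25", "2022-01-26"]
    creds = [("root", "123456"), ("admin", "admin"), ("root", "root"), ("guest", "guest")]
    lines = []
    for day in days:
        # 10 requests per day, 60 on 2022-01-25 (the constructed spike)
        n = 60 if day == "2022-01-25" else 10
        for i in range(n):
            lines.append(json.dumps({
                "eventid": "ciscoasa.request",
                "timestamp": f"{day}T10:{i % 60:02d}:00Z",
                "src_ip": f"198.51.100.{i % 5 + 1}",
                "sensor": "ciscoasa",
            }))
        # 8 failed SSH logins per day; root/123456 on every even attempt
        for i in range(8):
            user, pw = creds[0] if i % 2 == 0 else creds[(i // 2) % 3 + 1]
            lines.append(json.dumps({
                "eventid": "cowrie.login.failed",
                "timestamp": f"{day}T11:{i:02d}:00Z",
                "src_ip": "203.0.113.7",
                "sensor": "cowrie",
                "username": user,
                "password": pw,
            }))
    lines.append("this line is not JSON and must be skipped")
    return "\n".join(lines)


def parse_events(text):
    """Parse JSON lines; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def attacks_per_day(events):
    """Map sensor -> Counter(day -> number of events), using the date prefix."""
    per_day = defaultdict(Counter)
    for e in events:
        per_day[e["sensor"]][e["timestamp"][:10]] += 1
    return per_day


def spike_days(per_day, factor=3.0):
    """Return (sensor, day, count) for days above factor * the sensor's median.
    The median, unlike the mean, is not pulled up by the spike itself."""
    spikes = []
    for sensor, counts in per_day.items():
        baseline = statistics.median(counts.values())
        for day, count in sorted(counts.items()):
            if count > factor * baseline:
                spikes.append((sensor, day, count))
    return spikes


def top_credentials(events, n=5):
    """Most attempted (username, password) pairs across login events."""
    pairs = Counter(
        (e["username"], e["password"])
        for e in events
        if str(e.get("eventid", "")).startswith("cowrie.login.")
    )
    return pairs.most_common(n)


def top_sources(events, n=5):
    """Most active source addresses across all sensors."""
    return Counter(e["src_ip"] for e in events).most_common(n)


SAMPLE_EVENTS = parse_events(_build_sample_log())

if __name__ == "__main__":
    per_day = attacks_per_day(SAMPLE_EVENTS)
    for sensor, counts in per_day.items():
        print(sensor, dict(sorted(counts.items())))
    print("spikes:", spike_days(per_day))
    print("top credentials:", top_credentials(SAMPLE_EVENTS, 3))
    print("top sources:", top_sources(SAMPLE_EVENTS, 3))
```

Pointing `parse_events` at a real T-Pot or Cowrie JSON log gives the same three views the report charts; the median-based threshold in `spike_days` is a deliberate choice so that a single very busy day does not raise the baseline it is compared against.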
Conclusion
The main purpose of this study is to demonstrate how active threat actors are in the Lebanese cyberspace, and how system and application owners within the Lebanese perimeter should use the analysis results to improve their security plans: ensure continuous system patching, limit open ports, monitor unsolicited traffic reported by their monitoring systems, and build a strong identification and authentication mechanism.
References
[1] T-Pot, Deutsche Telekom, Apr. 2022, https://github.com/telekom-security/tpotce
[2] Lebanon CERT, Jan. 2022, https://lebanoncert.org/en/blog/vulnerabilities_study