My Intrusion Detection Honeypot

Please note that some of the links below may be affiliate links. As an Amazon Associate I earn from qualifying purchases.

For the last several years, I’ve been working on a honeypot system to detect “east-west” internal traffic, that is, traffic between internal systems that never goes “north-south” to the internet. The goal is to detect potential threat actors moving laterally in the network. While this doesn’t catch all internal-to-internal traffic, it does alert on any internal traffic to the device itself. The need for such a device came from a job several years ago.

At a place where I worked, the managers would comment that we could see north-south traffic to and from the internet, but we couldn’t detect potentially malicious east-west traffic internally between systems. We could see east-west traffic between zones, but not between systems in the same zone.

That led to the suggestion of honeypots. Both management and legal said we couldn’t have a honeypot because they believed them to be entrapment devices. Management also didn’t want to give threat actors a beachhead device to take over and use to attack other systems.

What was needed was a device that could act like an alarmed/monitored door, one that would alert when used, with next to zero interaction. It took a couple of years, but I found a workable solution with Chris Sanders’ Intrusion Detection Honeypots (affiliate link).
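To make the “alarmed door” concrete, here is an added example of that idea in Python; it is not code from the original post or from Chris Sanders’ book. The listener binds ports that nothing legitimate on the segment should ever touch, reads at most one packet from whoever connects, never writes anything back (so there is no service to take over and no beachhead to worry about), and emits one JSON alert line per connection with a cheap triage of what the first bytes looked like. The port numbers, the 256-byte capture cap, the two-second wait, and alerting to stdout are all assumptions for the example; in practice you would point the output at syslog or your SIEM.

```python
"""Zero-interaction "alarmed door" TCP listener, in the spirit of the intrusion
detection honeypot described above. Added example, not the post's own code.
It accepts a connection on a port nothing legitimate should touch, records who
knocked and what they sent, never replies, and emits one JSON alert line.
Assumptions (not from the post): alerts go to stdout (wire this to syslog or
your SIEM); the port list and the 256-byte capture cap are arbitrary."""
import json
import select
import socket
import sys
import time
from datetime import datetime, timezone

MAX_PEEK = 256        # capture at most this many bytes of the first packet
PEEK_TIMEOUT = 2.0    # seconds to wait for the client's first bytes


def probe_hint(data: bytes) -> str:
    """Cheap triage of the first bytes so the alert says what kind of knock it was."""
    if not data:
        return "connect-only (port scan or banner grab)"
    if data.startswith(b"SSH-"):
        return "ssh client banner"
    if data[:2] == b"\x16\x03":
        return "tls client hello"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http request"
    return "unknown"


def record_knock(conn, peer, local_port, clock=time.time) -> dict:
    """Read at most once from the client, close, and return the alert record.
    Nothing is written back: there is no service here to compromise or pivot from."""
    conn.settimeout(PEEK_TIMEOUT)
    try:
        data = conn.recv(MAX_PEEK)
    except OSError:          # timeout or reset: still a knock worth alerting on
        data = b""
    finally:
        conn.close()
    return {
        "ts": datetime.fromtimestamp(clock(), tz=timezone.utc).isoformat(),
        "alert": "idh_connection",
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(data),
        "hint": probe_hint(data),
        "first_bytes_hex": data.hex(),
        "printable": "".join(chr(b) if 32 <= b < 127 else "." for b in data),
    }


def simulate_knock(payload: bytes, peer=("10.0.0.5", 51234), local_port=22) -> dict:
    """Drive record_knock over a socketpair (constructed input; no network needed)."""
    client, server = socket.socketpair()
    if payload:
        client.sendall(payload)
    client.close()           # client hangs up; recv returns the buffered bytes or b""
    return record_knock(server, peer, local_port, clock=lambda: 0.0)


def serve(ports, out=sys.stdout):
    """Listen on every port in `ports` and emit one alert line per connection."""
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))
        s.listen(16)
        socks.append(s)
    while True:
        ready, _, _ = select.select(socks, [], [])
        for s in ready:
            conn, peer = s.accept()
            rec = record_knock(conn, peer, s.getsockname()[1])
            out.write(json.dumps(rec) + "\n")
            out.flush()


if __name__ == "__main__":
    # Example ports (assumed): anything unused on the host. Run as an unprivileged
    # user on ports >= 1024, or grant CAP_NET_BIND_SERVICE for the low ones.
    serve([int(p) for p in sys.argv[1:]] or [2222, 8080])
```

Because the listener never sends a byte, an attacker learns nothing about what is “behind” the door, and every connection is an alert by definition: on an internal segment there is no legitimate reason for anything to touch these ports, which is what makes the false-positive rate close to zero.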


Always remember to document with screenshots when doing investigations

I’ve been looking for a job. I applied to one recently and came across something a little scammy. Seconds after getting a thank-you-for-applying email, I got an email saying I had to run software to prove I met the requirements to work from home: plug the computer directly into the modem and run their test. That wasn’t happening on my daily driver. I ran it through some VMs.

The link in the email was for what looks like a headhunter software firm. It redirected to the website of the company I applied to. I tested with FLARE VM running on Proxmox on an old i3 server I have. The FLARE VM passed everything but the processor test; it wanted an i5 or higher. I didn’t bother to get screenshots, because I thought I’d run it again on something with a newer processor.

I spent today (the day I wrote this post, not the day it was published) setting up a FLARE VM on my laptop. I loaded it up and started Wireshark, Regshot, and Procmon. I started Edge and went to the link again, only to get a blank page with no option to test. Note: the site had said to try again from another computer after running the test, but there was nothing there to run this time.

There were two takeaways from this.

1. I should have built some FLARE VMs sooner, because they take a while to build. Build them before you need them.

2. Follow the rules of taking screenshots and notes as you work, because it would have made a great blog post walking through the steps.

Updating still

I’m still going through updating the old links. The good news is that my RSS feed didn’t start bringing back the old posts that I’ve been updating. The bad news is that I had to delete my feed from The Old Reader and re-add my RSS feed.

I do plan on getting back to writing soon. I’ve reopened the FAIR and CTI posts and want to get back to those. I also want to write up some of the honeypot work I’ve been doing over the last several years. I don’t think I ever did a book review of Chris Sanders’ Intrusion Detection Honeypots, which got me started and which I’ve been expanding on. I also want to compare and contrast intrusion detection honeypots running netcat listeners vs. OpenCanary.

* Note: the Amazon links above are affiliate links, for which I earn a commission from qualifying purchases.

Issue with the WordPress server.

Oh hey, look… a post. 🙂

Anyway, a couple of weeks ago (two at the time of this writing), I updated the Debian GNU/Linux server running this site. It broke things. Instead of showing the site, the Apache server showed the raw text of index.php.

I was running WordPress 6.2 with PHP 8.2. Those two details are essential, because most of the documentation out there for this problem talks about old versions of WordPress and old versions of PHP, neither of which fit my case.

Going through sites, I found the fixes. The first was ensuring PHP was set up as an Apache module: Apache serving the raw source means it has no handler for .php files. The easiest way to set it up on Debian was to install libapache2-mod-php8.2.

 

That changed the symptom from raw index.php to an error:
Your PHP installation appears to be missing the MySQL extension, which is required by WordPress. Please check that the mysqli PHP extension is installed and enabled.

Again, searching said to update WP and PHP (both were already at the newest), so little help. Luckily I found a thread on the WP support forum where someone with WP 6.2 and PHP 8.2 had the same issue. The volunteer support person, Steven Stern (sterndata) (@sterndata), said to check php-mysqlnd. The command he gave was for that thread’s OP’s CentOS box.

So one search and installation later (on Debian, the mysqli extension comes from the php8.2-mysql package), I was back in business and updated to WP 6.2.2.

Now if I could just find my notes and remember everything, I was writing about CTI in January of 2022.

For those interested in root cause analysis: my last upgrade was bringing Testing up to the newest level. It looks like some of the MySQL and PHP pieces didn’t get updated right and broke the site. I just didn’t think to check whether my site was working after the update.

Using FAIR with CTI – The Intelligence Models/Processes

This post is part of the FAIR and CTI series of blog posts; an event back in January made me want to add this to the mix.

I was interviewing for a Cyber Threat Intelligence Manager position, and part of the interview process was talking to the person doing intelligence for the physical threat intelligence space. During the interview, I asked which intelligence models they used, in case I had to brush up on one or learn something new. Part of the role was sharing data between the two intelligence groups. Even though the interviewer had previously worked in military intelligence, they said they didn’t know what I was talking about.

That gave me pause, because I went to a DoD-backed program in undergrad, and we learned multiple intelligence processes/models. I covered them in most of my threat intelligence presentations and when I was teaching at the same DoD-backed program after I got my master’s degrees. Even after walking through the three I knew best, the person I was talking to didn’t know what I was talking about.

So, as I said, I thought I’d go through them here for people who haven’t been exposed to them yet. I’ve always figured people reading my blog would be familiar with at least a couple of the models.


Walking Through Applied Network Security Monitoring – Forward through Chapter 1

Back in December (it really doesn’t feel that long ago), I talked about how I was prepping for a project.

The end goal is to brush up on Network Security Monitoring (NSM) and use it to better monitor my home network. I occasionally check the logs, but I think I would be more active if I had a centralized tool to help. Right now, I have a log of blocked-domain alerts in my pfSense firewall’s pfBlockerNG reports screen. Most of the entries are tracking-related domains that the Pi-hole isn’t blocking and that get caught by the second block list on the firewall.

Note: I say my home network, not my home lab. As I said in the past, I no longer maintain a home lab due to cost and space. I have parts of my network isolated, but I wouldn’t call that a lab.


Using FAIR with CTI – Some key definitions


This post won’t cover all the Factor Analysis of Information Risk (FAIR) definitions. It will provide the ones I think are vital for using FAIR with Threat Intelligence (TI) and Cyber Threat Intelligence (CTI). I’m paraphrasing several sources, but it’s the way I understand the definitions I learned over the years. If you want in-depth/exact definitions from my sources, for FAIR look up: Measuring and Managing Information Risk, The Open Group’s Open FAIR Risk Taxonomy and Risk Analysis white papers, and the RiskLens FAIR study guide (provided as part of the course). For threat intelligence, look up: Effective Threat Intelligence and Intelligence Analysis, 6th edition.


Hello php8.1, thank you for breaking things.

This server runs Debian’s Testing release. Yes, Testing changes a lot and is not meant for long-term production servers. But I like to be a little more up-to-date on software packages, and there are times when Debian Stable is too far out of date for what I need or want to run on this server. I use it as a shell server too. And yes, I know: bastion hosts, one “process” per server. That assumes one has a budget for multiple servers.

Anyway, I updated the server, and it pulled in PHP 8.1. Previously I was running PHP 7.4. Well, something interesting happened during the upgrade. I rebooted the server to get the new kernel loaded, and when everything came back up, I had the “White Page of Death” on the WordPress page. This is a self-hosted server: no cPanel, phpMyAdmin, or anything like that. If I have to fix a problem, it’s the command line and me.
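Both this PHP 8.1 breakage and the WordPress 6.2/PHP 8.2 one above were noticed only when someone loaded the site afterwards. The script below is an added example, not code from either post, that turns that into a check to run right after apt upgrade: it fetches the front page and classifies the body into the three symptoms these posts describe (raw PHP source when Apache has no PHP handler, WordPress’s “missing the MySQL extension” page when the mysqli extension is absent, and a blank page when a PHP fatal error is hidden by display_errors being off), then prints the matching Debian-side remedy. One caveat shaped the matching: a post on this very blog quotes the mysqli error message, so a naive substring check would flag a healthy front page; the classifier therefore requires the body to start with “<?php” for the raw-source case and keys on the body id that wp_die’s error page carries for the mysqli case. The Debian package names (libapache2-mod-php8.2, php8.2-mysql), the Apache log path, and the default URL are assumptions for the example.

```python
"""Post-upgrade WordPress front-page check for a self-hosted Debian server.
Added example, not from the original posts. Assumptions (not from the posts):
Debian package names for PHP 8.2, Debian's default Apache error-log path."""
import sys
import urllib.error
import urllib.request

# State -> command to run next (printed, never executed by this script).
# mod_php needs the prefork MPM; Debian's libapache2-mod-php package switches to it on install.
REMEDIES = {
    "php-not-executing": "apt install libapache2-mod-php8.2 && systemctl restart apache2",
    "mysqli-missing": "apt install php8.2-mysql && systemctl restart apache2",
    "blank-page": "tail -n 50 /var/log/apache2/error.log   # look for 'PHP Fatal error'",
    "ok": "no action needed",
}


def classify_body(body: str) -> str:
    """Map the HTTP response body to one of the failure modes (or 'ok').

    Order matters: the raw-source test comes first, and both failure tests are
    deliberately specific so a rendered blog post that *quotes* these messages
    is not mistaken for the failure itself."""
    text = body.strip()
    if not text:
        return "blank-page"                     # fatal error with display_errors=Off
    if text.startswith("<?php"):
        return "php-not-executing"              # Apache served index.php as text
    # wp_die() renders its error page with <body id="error-page">; a normal page
    # that merely mentions the message in post content has no such body id.
    if 'id="error-page"' in text and "missing the MySQL extension" in text:
        return "mysqli-missing"
    return "ok"


def remedy_for(state: str) -> str:
    """Return the next command for a classification; unknown states raise KeyError."""
    return REMEDIES[state]


def fetch_body(url: str, timeout: float = 10.0) -> str:
    """Fetch the page body, keeping the body of HTTP error responses too,
    because wp_die() pages come back with a non-2xx status and still need classifying."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-healthcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def check(url: str) -> tuple:
    """Return (state, remedy) for the site at `url`."""
    state = classify_body(fetch_body(url))
    return state, remedy_for(state)


if __name__ == "__main__":
    # Usage: python3 wp-healthcheck.py https://example.org/   (exit 1 unless 'ok')
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"
    state, remedy = check(target)
    print(f"{target} -> {state}: {remedy}")
    sys.exit(0 if state == "ok" else 1)
```

Run it from the apt post-upgrade hook or a cron job after reboot; the non-zero exit status is what turns “I didn’t think to check” into an alert.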
