Ronald Pazo Torres
Honeypot with caution: Executing malware and learning from our automated adversaries.
Bio:
Ronald Pazo Torres, also known by the alias n0roz4py, is a self-taught "hacker/defender" with experience in the non-profit, financial, and advertising industries. A native of Ponce, Puerto Rico, he has held various roles in Information Technology, specializing in Linux systems, automation, system administration, and cybersecurity. Currently, Ronald works as a Cyber Incident Response Analyst.
In his free time, you can find him engaging in the sport of bodyboarding, gaming, participating in Capture The Flag (CTF) tournaments, hiking, attending concerts, or enjoying a good cup of coffee or bourbon at home. Additionally, he values spending quality time with his wife, three cats, and two dogs.
Abstract:
Automated attacks against exposed internet services are constant, and no single "perfect security solution" exists, though some vendor technologies materially strengthen a defense. This research set up a live honeypot environment in the cloud that exposed Telnet and SSH services, then analyzed the data it collected. Binaries dropped by attackers were executed in isolated, controlled environments while network traffic, memory snapshots, and disk images were captured. Analysis of the samples exposed their deceptive tactics and showed SSH brute-forcing, command-and-control (C2) beaconing, and cryptocurrency mining. Indicators of Compromise (IoCs) were cataloged in a database and correlated with open-source threat intelligence, which flagged multiple IP addresses as malicious and tied them to known bot infrastructure, including the Mirai botnet. Observing malware behavior in controlled settings gave concrete insight into how these automated adversaries operate. Honeypots proved a valuable source of intelligence, feeding defensive programs with IoCs such as source and destination IPs and checksums of the executed binaries. This knowledge strengthens an organization's defenses, provided that malware execution is approached with caution; the talk makes the case for this kind of proactive security work in a constantly changing threat landscape.
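The IoC pipeline the abstract describes (honeypot session logs in, a database of source IPs, destination IPs and checksums out, correlated against a threat-intel feed) can be illustrated with a small script. The code below is an added example and is not the speaker's code; the talk does not name its honeypot software, so the JSON-lines event schema (Cowrie-style `eventid`, `src_ip`, `url`, `shasum` fields), the sample events, the brute-force threshold and the local "intel feed" set are all constructed assumptions. Note that only the hash of a dropped binary is recorded here; the binary itself is never executed on the collection host.

```python
"""Catalog IoCs from honeypot session logs into SQLite and correlate with intel.

Added example, not the author's code. The event schema is assumed to be
Cowrie-like (eventid / src_ip / url / shasum); field names, sample events,
the threshold and the intel set are constructed for illustration.
"""
import json
import sqlite3
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log: one source brute-forces SSH, logs in and drops a
# binary; a second source fails twice; a third fails once.
SAMPLE_EVENTS = """\
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"admin","timestamp":"2024-01-01T00:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","timestamp":"2024-01-01T00:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","timestamp":"2024-01-01T00:00:03Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"root","password":"toor","timestamp":"2024-01-01T00:00:04Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.10","url":"http://198.51.100.7/bins/x86","shasum":"abababababababababababababababababababababababababababababababab","timestamp":"2024-01-01T00:00:09Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.22","username":"pi","password":"raspberry","timestamp":"2024-01-01T00:01:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.22","username":"pi","password":"raspberry","timestamp":"2024-01-01T00:01:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.5","username":"ubuntu","password":"ubuntu","timestamp":"2024-01-01T00:02:00Z"}
"""

# Constructed stand-in for an open-source threat-intel lookup.
KNOWN_BAD_IPS = {"198.51.100.7", "203.0.113.10"}
BRUTE_FORCE_THRESHOLD = 3  # failed logins from one source before it is recorded


def parse_events(text):
    """Parse JSON lines; a corrupt line is skipped rather than aborting the batch."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def extract_iocs(events):
    """Return IoC rows (type, value, source_ip, first_seen) from raw events."""
    failed = Counter()
    first_fail = {}
    rows = []
    for ev in events:
        src = ev.get("src_ip", "")
        ts = ev.get("timestamp", "")
        kind = ev.get("eventid", "")
        if kind == "cowrie.login.failed":
            failed[src] += 1
            first_fail.setdefault(src, ts)
        elif kind == "cowrie.session.file_download":
            # Record the dropped file's checksum and the host it was fetched
            # from; the file itself is never run here.
            rows.append(("sha256", ev["shasum"], src, ts))
            rows.append(("url", ev["url"], src, ts))
            host = urlparse(ev["url"]).hostname
            if host:
                rows.append(("dst_ip", host, src, ts))
            rows.append(("src_ip", src, src, ts))  # anyone dropping a binary is an IoC
    for ip, n in failed.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            rows.append(("src_ip", ip, ip, first_fail[ip]))
    return rows


def store_iocs(conn, rows):
    """Insert rows; the primary key dedupes repeats across runs. Returns rows added."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS ioc (type TEXT NOT NULL, value TEXT NOT NULL,"
        " source_ip TEXT, first_seen TEXT, PRIMARY KEY (type, value))"
    )
    before = conn.total_changes
    conn.executemany("INSERT OR IGNORE INTO ioc VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn.total_changes - before


def correlate(conn, known_bad):
    """Return the cataloged source/destination IPs that the intel set also lists."""
    cur = conn.execute("SELECT DISTINCT value FROM ioc WHERE type IN ('src_ip', 'dst_ip')")
    return sorted(v for (v,) in cur if v in known_bad)


def run(text=SAMPLE_EVENTS, known_bad=KNOWN_BAD_IPS):
    """End-to-end: parse, extract, store in an in-memory DB, correlate."""
    conn = sqlite3.connect(":memory:")
    events = parse_events(text)
    inserted = store_iocs(conn, extract_iocs(events))
    hashes = sorted(v for (v,) in conn.execute("SELECT value FROM ioc WHERE type = 'sha256'"))
    return {
        "events": len(events),
        "iocs_stored": inserted,
        "flagged_ips": correlate(conn, known_bad),
        "hashes": hashes,
    }


if __name__ == "__main__":
    print(run())
```

With the constructed log, 203.0.113.10 is recorded both because it crossed the brute-force threshold and because it dropped a file, the download host 198.51.100.7 becomes a destination IoC, and both IPs match the intel set; 198.51.100.22 stays below the threshold and is not cataloged. Swapping `sqlite3.connect(":memory:")` for a file path gives a catalog that persists and dedupes across runs.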