Presented on November 4, 2016 at LASCON (https://lascon2016.sched.com/event/8W7h/honeypy-amp-honeydb). This talk will provide a light intro to honeypots and their benefits, and highlight two projects HoneyPy and HoneyDB. Operating honeypot sensors on your internal network is a simple way to make your network “noisy” and can trip up malicious actors that have already penetrated your network. Also, leveraging data from honeypot sensors on the Internet can be a useful source of threat information.
2. BIO
Previously did security stuff at
● Goldman Sachs
● Ernst & Young
● Florida International University (some IT stuff too)
On the socials
● Twitter: @foospidy
● Github: http://github.com/foospidy
● LinkedIn: https://www.linkedin.com/in/phillip-maddux-60499a105
● Blog: http://pxmx.io
LASCON
Senior Solutions Engineer
@ Signal Sciences
https://signalsciences.com
6. Honeypots Overview
A computer configured to look like a legit system on the network, but its real
purpose is to discover and/or track attackers.
Types of Honeypots:
● Production
● Research
● Hobbyist
Honeypot interaction tiers:
● Low - emulated services, limited to no emulated login capability (low risk).
● Medium - emulated services, emulated login, emulated commands.
● High - Actual services, system logins, and commands (very risky).
7. Intro to honeypots
Production honeypots are computers on the network that have no legitimate
business purpose and should never see any traffic, unless…
● Something is misconfigured on the network
● Someone is malicious on the network
Honeypot logs are low volume and high value
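Because a production honeypot should never see traffic, the detection logic can be simple: every connection is an alert, and the only question is how to triage it. The example below is added here (it is not HoneyPy or HoneyDB code) and works on constructed newline-delimited JSON events; the event field names, the sensor names, and the "multiple services probed versus repeated hits on one service" triage rule are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events (not real HoneyPy output): one JSON object per line,
# as a production honeypot sensor might forward them to a log collector.
SAMPLE_EVENTS = """
{"ts": "2016-11-04T10:00:01", "sensor": "hp-finance-01", "src": "10.1.5.23", "dport": 22, "service": "ssh"}
{"ts": "2016-11-04T10:00:03", "sensor": "hp-finance-01", "src": "10.1.5.23", "dport": 23, "service": "telnet"}
{"ts": "2016-11-04T10:00:05", "sensor": "hp-finance-01", "src": "10.1.5.23", "dport": 80, "service": "http"}
{"ts": "2016-11-04T10:02:00", "sensor": "hp-hr-02", "src": "10.1.9.40", "dport": 445, "service": "smb"}
{"ts": "2016-11-04T10:07:00", "sensor": "hp-hr-02", "src": "10.1.9.40", "dport": 445, "service": "smb"}
{"ts": "2016-11-04T10:12:00", "sensor": "hp-hr-02", "src": "10.1.9.40", "dport": 445, "service": "smb"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue  # a malformed line must not break alerting on the rest
    return events


def triage(events):
    """Every source that touched a honeypot gets an alert (low volume, high value).
    The reason is a heuristic and an assumption of this example: one source probing
    several emulated services looks scan-like, while repeated hits on a single
    service look more like a misconfigured client that should be checked."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        services = sorted({e["service"] for e in evs})
        sensors = sorted({e["sensor"] for e in evs})
        reason = ("scan-like: multiple services probed" if len(services) > 1
                  else "repeated hits on one service: check for misconfiguration")
        alerts.append({"src": src, "sensors": sensors, "services": services,
                       "hits": len(evs), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_EVENTS)):
        print(alert)
```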
8. Intro to honeypots
Research honeypots can have many purposes, just depends on what you are
researching.
● Identify sources of malicious traffic
● Discover malware, botnets, c&c servers.
● Attacker techniques & tools
9. Intro to honeypots
Check out…
No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap
https://www.youtube.com/watch?v=DKfWukYffsE
Andrew Morris (@Andrew___Morris) - ShmooCon 2015
Great talk
- Reversing malware
- Uncovering c2 servers
- Uncovering imminent ddos attacks
10. Intro to honeypots
Cool new idea… Collect stats on malicious hosts that respond to a scan.
https://twitter.com/backhack_detect
22. HoneyPy Additional Deployment Options
● Docker, because docker all the things...
○ https://github.com/foospidy/HoneyPy-Docker
● Raspberry Pi, because raspberry pi all the things...
○ https://github.com/foospidy/HoneyPyPi
○ Demos
■ https://asciinema.org/a/4814e766bqsgbdohcxandtvqc
■ https://asciinema.org/a/6erwn2n4w5jgjm5d2bvoontfv
23. HoneyDB
Web site for viewing and accessing honeypot data.
Activity charts, session details, and ThreatBin.
https://riskdiscovery.com/honeydb
24. What’s Next?
● More plugins
● Enhance plugins
● More Integrations
● HoneyDB, more API endpoints
Or...
you come up with what’s next! Pull requests are welcome, please contribute :-)
25. References
Blog post, HoneyPy getting started series.
Good books:
Honeynet Project
● https://www.honeynet.org