Dale Peterson and Corey Thuen pinch hit for Kyle Wilhoit to present his concept of malware incubation: creating a realistic environment in which malware can be grown so that it can be studied, which in turn helps with incident response.
• A device or system (Honeynet) that is on a live network but has no operational purpose
– Different levels of interaction / realism
– How long will it fool an attacker?
• Nothing should access the Honeypot, since it has no legitimate purpose
• Any traffic to it is either an attack or spurious traffic
• Debate on the value of Honeypots in detection
– Many say there are better, more efficient solutions
– IDS and other network monitoring
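The "any traffic is either an attack or spurious" rule is what makes a honeypot a detection sensor: the alert needs no signature, only the honeypot's address. As an added illustration (example code, not from the talk), a small triage routine over constructed flow records, where the only classification work is separating sources that have a known benign reason to touch the honeypot, such as a scheduled vulnerability scanner. All addresses are assumed values for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

HONEYPOTS = {ipaddress.ip_address("10.20.30.40"), ipaddress.ip_address("10.20.30.41")}  # constructed
# Sources that will touch the honeypot for a known benign reason (for example a
# scheduled vulnerability scanner); their hits are spurious traffic, not attacks.
EXPECTED_TOUCHERS = {ipaddress.ip_address("10.20.0.5")}

@dataclass(frozen=True)
class Alert:
    when: str
    src: str
    dst: str
    dport: int
    kind: str  # "attack" or "spurious"

def parse_flow(line):
    """Parse one constructed flow record of the form '<time> <src> <dst> <dport>'."""
    when, src, dst, dport = line.split()
    return when, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def triage(lines):
    """Alert on every flow whose destination is a honeypot; the rule needs no signature."""
    alerts = []
    for line in lines:
        when, src, dst, dport = parse_flow(line)
        if dst not in HONEYPOTS:
            continue  # ordinary traffic: the honeypot rule says nothing about it
        kind = "spurious" if src in EXPECTED_TOUCHERS else "attack"
        alerts.append(Alert(when, str(src), str(dst), dport, kind))
    return alerts

def attackers(alerts):
    """Sources that hit a honeypot with no benign explanation, with their hit counts."""
    return Counter(a.src for a in alerts if a.kind == "attack")

# Constructed sample flows: one scanner hit, one host probing both honeypots, one SSH touch.
SAMPLE_FLOWS = """\
2024-03-01T10:00:01 10.20.0.5 10.20.30.40 502
2024-03-01T10:00:07 10.20.1.17 10.20.30.40 502
2024-03-01T10:00:09 10.20.1.17 10.20.30.41 44818
2024-03-01T10:00:12 10.20.1.17 10.20.5.9 443
2024-03-01T10:01:30 10.20.2.8 10.20.30.41 22
""".splitlines()

if __name__ == "__main__":
    for a in triage(SAMPLE_FLOWS):
        print(a.kind.upper(), a.when, a.src, "->", a.dst, a.dport)
    print("investigate:", dict(attackers(triage(SAMPLE_FLOWS))))
```

Note that the flow to 10.20.5.9 is never inspected at all; the honeypot rule only speaks about traffic that reaches a host with no legitimate purpose.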
Learn How Attackers Work
• Real value of the Honeypot
• High interaction may lead to the attacker revealing advanced techniques, end goals, and other information
• Decision … how exposed is the Honeypot?
– Widely exposed (on the Internet): many will hit the Honeypot, and there is lots of data to review
– Hidden on a secure network: may see little activity
Why An Incubator?
• Be prepared to analyze malware / attacks
• Identify what the attack did so you can fix the
• Learn what information or control was lost
• Attempt to identify the attacker