Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet

Honeypots are really useful for collecting security data for research, especially around botnets, scanning hosts, password brute forcers, and other misbehaving systems. They are also the cheapest way to collect this data at scale. Deploying many types of honeypots across geo-diverse locations of the Internet improves the aggregate data quality and provides a holistic view. This provides insight into both global trends of attacks and network activity as well as the behaviors of individual malicious systems. For these reasons, we started the Modern Honey Network, which is both an open source (GPLv3) project and a community of hundreds of MHN servers that manage and aggregate data from thousands of heterogeneous honeypots (Dionaea, Kippo, Amun, Conpot, Wordpot, Shockpot, and Glastopf) and network sensors (Snort, Suricata, p0f) deployed by different individuals and organizations as a distributed sensor network. The project has turned into the largest crowdsourced honeynet in the world, consisting of thousands of diverse sensors deployed across 35 countries and 5 continents worldwide. Sensors are operated by all sorts of people, from hobbyists to academic researchers to Fortune 1000 companies. In this talk we will discuss our experience in starting this project, analyzing the data, and building a crowdsourced global sensor network for tracking security threats and gathering interesting data for research. We've found that lots of people like honeypots, especially if you give them a cool real-time visualization of their data and make it easy to set up; lots of organizations will share their data with you if it is part of a community; and lots of companies will deploy honeypots as additional network sensors, especially if you make it easy to deploy/manage/integrate with their existing security tools.

  1. Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet
     © 2015 ThreatStream Inc.
  2. whoami
     • Jason Trost
     • Director of ThreatStream Labs
     • Previously at Sandia, DoD, Booz Allen, Endgame Inc.
     • Big advocate of open source and open source contributor
       – Binary Pig – large-scale static analysis using Hadoop
       – Apache Accumulo – Pig integration, pyaccumulo, Analytics
       – Apache Storm
       – Elasticsearch plugins
       – Honeynet Project
  3. ThreatStream
     • Cyber Security company founded in 2013 and venture backed by Google Ventures, Paladin Capital Group, Institutional Venture Partners, and General Catalyst Partners.
     • SaaS based enterprise security software that provides actionable threat intelligence to large enterprises and government agencies.
     • Our customers hail from the financial services, retail, energy, and technology sectors.
  4. Agenda
     • Intro to Honeypots
     • Modern Honey Network (MHN)
     • MHN Community
     • Crowdsourcing Security Data through MHN
     • Lessons Learned Building MHN
     • Announcement
     • Demos
  5. Honeypots
     • Software systems designed to mimic vulnerable servers and desktops
     • Used as bait to deceive, slow down, or detect hackers, malware, or misbehaving users
     • Designed to capture data for research, forensics, and threat intelligence
  6. Why Honeypots?
     • Cheapest way to generate threat intelligence feeds around malicious IP addresses at scale
     • Internal deployment
       – Behind the firewall
       – Low noise IDS sensors
     • Local External deployment
       – Who is attacking me?
       – Outside the firewall and on your IP space
     • Global External deployment
       – Rented Servers, Cloud Servers, etc.
       – Who is attacking everyone?
       – Global Trends
  7. Why Honeypots?
  8. What is Modern Honey Network
     • Open source platform for managing honeypots, collecting and analyzing their data
     • Makes it very easy to deploy new honeypots and get data flowing
     • Leverages some existing open source tools
       – hpfeeds
       – mnemosyne
       – honeymap
       – MongoDB
       – Dionaea, Conpot, Snort, Kippo, p0f
       – Glastopf, Amun, Wordpot, Shockpot
  9. MHN Server Architecture
     (architecture diagram; labels: MHN Server – Mnemosyne, Webapp, REST API, honeymap; Sensors – wordpot, shockpot, p0f, snort, conpot, dionaea, suricata, Kippo, Amun, Glastopf; hpfeeds; hpfeeds-logger; Integrations; Users; 3rd party apps)
  10. MHN Community
     • MHN is also a community of MHN Servers that contribute honeypot events
     • MHN Servers and their honeypots are operated by different individuals and organizations
     • Sharing data back to the community is optional
     • Anyone that does share can get access to aggregated data on attackers
     • Currently working on a way to share more granular event data
  11. MHN Community
     (diagram; labels: MHN Servers, Honeypots/Sensors, MHN Project, Stats on Attackers, Events)
  12. Data Sharing
  13. MHN Community Stats
     269,746,704 Events
     1.2M Events/day
     2,959 Honeypots
     ~300 MHN Servers
     42 Countries
     6 Continents
  14. MHN Community: Events per Sensor
     Sensors   Events Submitted
     2,191     100+
     1,660     1,000+
     963       10,000+
     381       100,000+
     62        1,000,000+
     2         10,000,000+
  15. MHN Community: Project
     • github.com/threatstream/mhn
       – 12 contributors
       – 76 Forks
       – 459 Stars
     • modern-honey-network Google Group:
       – 64 Members
       – 135 Topics
       – 461 Messages
  16. Sensors Added Daily
  17. Cumulative Sensor Growth
     Unique Sensors Deployed: 2,959
  18. Events
     269,746,704 Events Total, ~1.2M Events/Day
  19. Events
     230,589,522 non-RFC1918 Events Total
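An added example (not code from the talk or the MHN project) of the split behind the "Internal deployment" vs. "External deployment" framing on slide 6 and the non-RFC1918 event count on slide 19: it buckets constructed JSON-lines honeypot events by whether the source address falls in an RFC 1918 range and summarizes each bucket per honeypot and per source. The record shape and field names are assumptions for this example, not MHN's actual schema.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample events in a JSON-lines shape; the field names
# (honeypot, src_ip, dst_port, sensor) are an assumption, not MHN's schema.
SAMPLE_EVENTS = """\
{"honeypot": "kippo", "src_ip": "198.51.100.23", "dst_port": 22, "sensor": "sensor-a"}
{"honeypot": "dionaea", "src_ip": "203.0.113.9", "dst_port": 445, "sensor": "sensor-b"}
{"honeypot": "kippo", "src_ip": "10.0.0.5", "dst_port": 22, "sensor": "sensor-a"}
{"honeypot": "glastopf", "src_ip": "192.168.1.77", "dst_port": 80, "sensor": "sensor-c"}
{"honeypot": "conpot", "src_ip": "198.51.100.23", "dst_port": 502, "sensor": "sensor-b"}
{"honeypot": "kippo", "src_ip": "172.16.4.2", "dst_port": 22, "sensor": "sensor-a"}
{"honeypot": "wordpot", "src_ip": "203.0.113.9", "dst_port": 80, "sensor": "sensor-c"}
"""

# The three RFC 1918 private IPv4 ranges.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True when ip is an IPv4 address inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)

def split_events(lines):
    """Split JSON-lines events into internal (RFC 1918 source) and external
    buckets; malformed lines or unparsable addresses are skipped, not fatal."""
    internal, external = [], []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            bucket = internal if is_rfc1918(ev["src_ip"]) else external
        except (ValueError, KeyError):
            continue
        bucket.append(ev)
    return internal, external

def summarize(events):
    """Event total plus counts per honeypot type and per source IP."""
    return {
        "total": len(events),
        "by_honeypot": dict(Counter(e["honeypot"] for e in events)),
        "by_src": dict(Counter(e["src_ip"] for e in events)),
    }

if __name__ == "__main__":
    internal, external = split_events(SAMPLE_EVENTS)
    print("internal (behind the firewall):", summarize(internal))
    print("external (who is attacking me):", summarize(external))
```

Internal-bucket hits are the low-noise IDS signal the talk mentions; the external bucket is what a server would aggregate for "who is attacking everyone".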
  20. Events by Honeypot
  21. Events By Honeypot
  22. Events By Attacker Country
  23. Events By Attacker Country
  24. Crowdsourcing Security Data
     • Diverse perspectives (cloud providers vs. residential ISPs vs. commercial broadband)
       – Different Attackers
       – Different Locations/Timezones
     • Diverse data collection
     • Distribute the costs in terms of $$$, management time, and energy
     • Provide useful data to the community, esp. for research
  25. Lessons Learned Building a Community
     • We've found that lots of people like honeypots, especially if you give them a cool real-time visualization of their data and make it easy to set up
     • Lots of organizations will share their data with you if it is part of a community
     • And lots of companies will deploy honeypots as additional network sensors, especially if you make it easy to deploy/manage/integrate with their existing security tools.
  26. Lessons Learned Building a Community (cont.)
     • There will be many n00bs, help them and be patient
     • Be willing to provide help beyond the scope of just your project (within reason)
       – network/firewall troubleshooting
       – misconfigured systems
       – etc.
     • Courtesy can be lost in translation (literally)
  27. Lessons Learned Building a Community (cont.)
     • Create a FAQ ASAP and populate it, this saves so much time, esp. if a teacher happens to make your project part of their college class assignment.
     • Make it clear that users must provide logs if they want assistance
     • Be appreciative of those who report bugs
     • Encourage participation and asking questions
  28. Announcement: MHN Splunk App
     • Open source (LGPL) release of MHN App for Splunk
     • New integration option during the MHN installation
     • Enables more advanced analysis, exploration, dashboards, and alerting in Splunk
     • Provides pivots to VirusTotal, TotalHash, and Dshield
     • Uses Splunk's Common Information Model (CIM)
  29. Demos
  30. Open Source @ ThreatStream
     • github.com/threatstream/mhn
     • github.com/threatstream/mhn-splunk
     • github.com/threatstream/hpfeeds-logger
     • github.com/threatstream/shockpot
  31. Thanks
     • The Honeynet Project
     • Andrew Morris
     • David Cowen
     • Andrew Hay
     • Matt Bromiley
     • Miguel Ercolino
     • github.com/ch40s
     • github.com/zeroq
     • github.com/tweemeterjop
     • github.com/sidra-asa
     • Keith Faber
     • Mike Sconzo
     • Roxy Dehart
     • Lenny Zeltser
     • Andrew Hay
     • Eric Brinkster
     • github.com/karlnewell
     • github.com/exabrial
     • github.com/hink
     • github.com/aabed
  32. Questions
