Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Modern Honey Network at Bay Area Open Source Security Hackers

2,004 views

Published on

Modern Honey Network talk presented at Bay Area Open Source Security Hackers on 2014-09-24.

Published in: Data & Analytics
  • Be the first to comment

Modern Honey Network at Bay Area Open Source Security Hackers

  1. 1. Modern Honey Network (MHN) Open Source Honeynet Management Platform Colby DeRodeff Chief Technology Officer Jason Trost @jason_trost jason.trost [AT] threatstream [DOT] com
  2. 2. Who am I • Jason Trost (@jason_trost) • Director of ThreatStream Labs • Formerly at Endgame, Booz Allen, Dept. of Defense, Sandia Nat’l Labs • Background in Big Data Security Analytics • Big advocate of open source and open source contributor – Binary Pig – framework for large-scale static analysis using Hadoop – Apache Accumulo – Pig integration, Python integration, Analytics – Apache Storm – Elasticsearch plugins – Honeynet Project www.threatstream.com © 2014 threatstream Confidential 2
  3. 3. ThreatStream • Cyber Security company founded in 2013 and venture backed by Google Ventures and Paladin Capital Group. • SaaS based enterprise security software that provides actionable threat intelligence to large enterprises and government agencies. • Our customers hail from the financial services, retail, energy, and technology sectors. www.threatstream.com © 2014 threatstream Confidential 3
  4. 4. Agenda • Background • The Problem • What is MHN • MHN Architecture • Demo • Wrap-up www.threatstream.com © 2014 threatstream Confidential 4
  5. 5. Background • Honeypots can be very useful – Esp. if deployed behind your firewall – Catch internal scanning hosts – Early warning system • Honeypot and network sensor data is useful, esp. at scale – Threat feeds – Reputation engine – Attack trends – Is this IP only attacking me? Or others? www.threatstream.com © 2014 threatstream Confidential 5
  6. 6. The Problem • Deploying/Managing Honeypots is difficult • These activities are harder than they should be: – Installing Honeypot packages – Managing Honeypot sensors – Setting up data flows – Analyzing the collected data • Because of this, honeypots are not used as much as they could be in production • We hope to change that www.threatstream.com © 2014 threatstream Confidential 6
  7. 7. What is MHN • Modern Honey Network • Open source platform for managing honeypots, collecting and analyzing their data • Makes it very easy to deploy new honeypots and get data flowing • Leverages some existing open source tools – hpfeeds – nmemosyne – honeymap – MongoDB – Dionaea, Conpot, Snort, Kippo – Glastopf, Amun, and Wordpot www.threatstream.com © 2014 threatstream Confidential 7
  8. 8. Honeypot Management • MHN Automates management tasks • Deploying new honeypots • Setting up data flows using hpfeeds • Store and index the resulting data • Correlate with IP Geo data • Real-time visualization www.threatstream.com © 2014 threatstream Confidential 8
  9. 9. Architecture MH N Mnemosyne honeymap Webapp REST API 3rd party apps hpfeeds snort conpot dionaea snort conpot dionaea snort conpot dionaea Sensors Kippo Kippo Kippo Glastop f Glastop f Glastop f Amun Amun Amun www.threatstream.com © 2014 threatstream Confidential 9
  10. 10. Demo www.threatstream.com © 2014 threatstream Confidential 10
  11. 11. Open Source (GPLv3) github.com/threatstream/MHN www.threatstream.com © 2014 threatstream Confidential 11
  12. 12. Questions www.threatstream.com © 2014 threatstream Confidential 12
  13. 13. Contact • Jason Trost • @jason_trost • jason.trost [AT] threatstream [DOT] com • github.com/jt6211 www.threatstream.com © 2014 threatstream Confidential 13

×