
Modern Honey Network (MHN)

Open source platform for deploying/managing Honeypots & using their data http://threatstream.github.io/mhn/



  1. Modern Honey Network (MHN): Open Source Honeynet Management Platform
     Jason Trost, @jason_trost, jason.trost [AT] threatstream [DOT] com
     (title slide also names Colby DeRodeff, Chief Technology Officer)
  2. Who am I
     • Jason Trost (@jason_trost)
     • Senior Analytics Engineer at ThreatStream
     • Formerly at Endgame, Booz Allen, Dept. of Defense, Sandia Nat'l Labs
     • Background in Big Data security analytics
     • Big advocate of open source and open source contributor
       – Binary Pig: framework for large-scale static analysis using Hadoop
       – Apache Accumulo: Pig integration, Python integration, analytics
       – Apache Storm
       – Elasticsearch plugins
     www.threatstream.com © 2014 threatstream Confidential
  3. ThreatStream
     • Cyber security company founded in 2013; recently closed a Series A round with Google Ventures and Paladin Capital Group.
     • SaaS-based enterprise security software that provides actionable threat intelligence to large enterprises and government agencies.
     • Customers come from the financial services, retail, energy, and technology sectors.
  4. Agenda
     • Background
     • The Problem
     • What is MHN
     • MHN Architecture
     • Demo
     • Wrap-up
  5. Background
     • Honeypots can be very useful
       – Especially if deployed behind your firewall
       – Catch internal scanning hosts
       – Early warning system
     • Honeypot and network sensor data is useful, especially at scale
       – Threat feeds
       – Reputation engine
       – Attack trends
       – Is this IP only attacking me, or others too?
  6. The Problem
     • Deploying and managing honeypots is difficult
     • These activities are harder than they should be:
       – Installing honeypot packages
       – Managing honeypot sensors
       – Setting up data flows
       – Analyzing the collected data
     • Because of this, honeypots are used less in production than they could be
     • We hope to change that
  7. What is MHN
     • Modern Honey Network
     • Open source platform for managing honeypots and collecting and analyzing their data
     • Makes it very easy to deploy new honeypots and get data flowing
     • Leverages existing open source tools
       – hpfeeds (sensor-to-server event transport)
       – Mnemosyne (normalizes hpfeeds events into MongoDB)
       – honeymap (real-time map of attack sources)
       – MongoDB
       – Dionaea, Conpot, Snort
       – Soon: Suricata, Kippo, others
  8. Honeypot Management
     • MHN automates management tasks:
     • Deploying new honeypots
     • Setting up data flows using hpfeeds
     • Storing and indexing the resulting data
     • Correlating with IP geolocation data
     • Real-time visualization
  9. Architecture (diagram)
     Sensors (each labelled "YOURS", running snort, conpot and dionaea)
       --hpfeeds--> MHN server: Mnemosyne --> webapp, REST API, honeymap --> 3rd party apps
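The sensor-to-server data flow of slides 8 and 9 (sensor publishes over hpfeeds, the server authenticates the sensor and a Mnemosyne-style stage flattens each event into one session schema), as an added example that is not MHN's, hpfeeds' or Mnemosyne's own code. The wire framing below (4-byte big-endian total length, 1-byte opcode, 1-byte length-prefixed ident and channel strings, challenge-response auth with sha1(nonce || secret)) follows the hpfeeds protocol's published layout but should be verified against the hpfeeds source before being relied on; the broker name, ident, secret, channel name and the event's field names (saddr/sport/daddr/dport, modelled on dionaea reports) are constructed assumptions.

```python
"""Added example: hpfeeds-style framing plus a Mnemosyne-style normalizer.

Wire layout assumed here (verify against the hpfeeds source):
  4-byte big-endian total length | 1-byte opcode | body
Short strings inside a body carry a 1-byte length prefix.
"""
import hashlib
import hmac
import json
import struct
from datetime import datetime, timezone

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)

# Constructed credentials and event (TEST-NET / RFC 1918 addresses); not real sensor data.
SECRETS = {b"sensor-1": b"constructed-deploy-secret"}
EVENT = {"saddr": "203.0.113.5", "sport": 49210, "daddr": "10.0.0.7",
         "dport": 445, "md5": "d41d8cd98f00b204e9800998ecf8427e"}


def _str8(s: bytes) -> bytes:
    """1-byte length-prefixed string, used for ident and channel fields."""
    if len(s) > 255:
        raise ValueError("field too long for a 1-byte length prefix")
    return struct.pack("!B", len(s)) + s


def frame(op: int, body: bytes) -> bytes:
    """Prepend the 5-byte header: total length including the header, then the opcode."""
    return struct.pack("!IB", 5 + len(body), op) + body


def msg_info(broker: bytes, nonce: bytes) -> bytes:               # broker -> sensor
    return frame(OP_INFO, _str8(broker) + nonce)


def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:  # sensor -> broker
    return frame(OP_AUTH, _str8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_subscribe(ident: bytes, channel: bytes) -> bytes:
    return frame(OP_SUBSCRIBE, _str8(ident) + channel)


def msg_publish(ident: bytes, channel: bytes, payload: bytes) -> bytes:
    return frame(OP_PUBLISH, _str8(ident) + _str8(channel) + payload)


def parse_messages(buf: bytes):
    """Split a byte stream into (opcode, body) frames; an incomplete tail is returned for the next read."""
    frames, pos = [], 0
    while pos + 5 <= len(buf):
        length, op = struct.unpack("!IB", buf[pos:pos + 5])
        if length < 5:
            raise ValueError("invalid frame length %d" % length)
        if pos + length > len(buf):
            break                                   # partial frame: wait for more bytes
        frames.append((op, buf[pos + 5:pos + length]))
        pos += length
    return frames, buf[pos:]


def split_publish(body: bytes):
    """Decode a PUBLISH body into (ident, channel, payload)."""
    ilen = body[0]
    ident = body[1:1 + ilen]
    clen = body[1 + ilen]
    channel = body[2 + ilen:2 + ilen + clen]
    return ident, channel, body[2 + ilen + clen:]


def check_auth(body: bytes, nonce: bytes, secrets: dict) -> bool:
    """Broker side: recompute sha1(nonce || secret) for the claimed ident, compare in constant time."""
    ilen = body[0]
    ident, digest = body[1:1 + ilen], body[1 + ilen:]
    secret = secrets.get(ident)
    if secret is None or len(digest) != 20:
        return False
    return hmac.compare_digest(hashlib.sha1(nonce + secret).digest(), digest)


def normalize(channel: bytes, payload: bytes, seen_at: datetime) -> dict:
    """Mnemosyne-style flattening into one session schema shared by all sensor types.
    Raw field names (saddr/sport/daddr/dport) are an assumption modelled on dionaea reports."""
    raw = json.loads(payload)
    return {
        "timestamp": seen_at.isoformat(),
        "honeypot": channel.decode().split(".", 1)[0],   # "dionaea.capture" -> "dionaea"
        "source_ip": raw["saddr"],
        "source_port": int(raw["sport"]),
        "destination_ip": raw["daddr"],
        "destination_port": int(raw["dport"]),
    }


def run_exchange(secret: bytes = SECRETS[b"sensor-1"]) -> dict:
    """Broker INFO -> sensor AUTH + PUBLISH -> broker parses, authenticates, normalizes."""
    nonce = b"\x01\x02\x03\x04"                        # fixed challenge for a reproducible demo
    (_, info_body), = parse_messages(msg_info(b"mhn-broker", nonce))[0]
    sensor_nonce = info_body[1 + info_body[0]:]         # sensor reads the nonce after the broker name
    sensor_out = msg_auth(sensor_nonce, b"sensor-1", secret)
    sensor_out += msg_publish(b"sensor-1", b"dionaea.capture", json.dumps(EVENT).encode())
    frames, leftover = parse_messages(sensor_out + b"\x00\x00\x00")  # 3 stray bytes: partial header
    auth_ok, records = False, []
    for op, body in frames:
        if op == OP_AUTH:
            auth_ok = check_auth(body, nonce, SECRETS)
        elif op == OP_PUBLISH and auth_ok:             # drop events from unauthenticated senders
            _, channel, payload = split_publish(body)
            records.append(normalize(channel, payload, datetime(2014, 6, 1, tzinfo=timezone.utc)))
    return {"auth_ok": auth_ok, "records": records, "leftover": leftover}


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

Two points worth noting for a deployment: the AUTH step only proves that the sensor holds the shared secret (the deploy key MHN hands out), so that key is what gates who may inject events into your reputation data; and the payload itself is carried in the clear, so the hpfeeds port should be reachable only from your sensors or tunnelled. The normalizer deliberately rejects nothing it does not understand: a sensor type with different field names would need its own mapping, which is exactly the per-sensor work Mnemosyne does.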
  10. Demo
  11. Open Source (GPLv3)
      github.com/threatstream/MHN
  12. Future Work
      • Support for more sensors
        – Suricata
        – Glastopf
        – Shiva
        – Kippo
      • CEF output for SIEM integration
      • Better support for Red Hat / CentOS sensors
      • More data search/exploration options
  13. Questions
  14. Contact
      • Jason Trost
      • @jason_trost
      • jason.trost [AT] threatstream [DOT] com
      • github.com/jt6211
