The document discusses insights from a security researcher regarding honeypots and malware analysis systems from the attacker's perspective. It emphasizes the importance of designing honeypots to appear more realistic and random to effectively trick attackers. The researcher suggests using unrelated IP addresses and cloud services for better concealment.

1. HONEYPOT SPOTTED
@Sh1n0g1

2. ABOUT ME
• @Sh1n0g1
• Security Researcher of Macnica Networks Corp.
• Malware Simulator Developer

3. Malware Simulators
• Backdoor Simulator
– ShinoBOT
– ShinoBOT.ps1
• APT Simulator
– ShinoBOT Suite
• Ransomware Simulator
– ShinoLocker
• ICS Malware Simulator
– ShinoICS (not published yet)
https://shinosec.com

4. QUESTION?
• How do the honeypots, malware
analysis systems, sandboxes look like
from the attacker's point of view?

10. BIG DATA ANALYTICS(hostname vs ip)
(n=5000)

11. Small Cluster

12. CLUSTER1
(n=5000)

15. CLUSTER2
(n=5000)

17. CLUSTER3
(n=5000)

20. "TO BE SPOTTED" does matter?
• Yes
• The attacker will create next malware which avoids
to be run on the honeypots/malware analytics
system/sandboxes

21. CONCLUSION
• Make your Honey pot "human-y" ≒ dirty
• Make your Honey pot "random"
• Use an IP address which does not related with you
– Cloud service should be good

22. THANK YOU
@Sh1n0g1
https://shinosec.com