© 2015 ThreatStream Inc.
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet
whoami
• Jason Trost
• Director of ThreatStream Labs
• Previously at Sandia, DoD, Booz Allen, Endgame Inc.
• Big advocate of open source and open source contributor
– Binary Pig – large-scale static analysis using Hadoop
– Apache Accumulo – Pig integration, pyaccumulo, Analytics
– Apache Storm
– Elasticsearch plugins
– Honeynet Project
ThreatStream
• Cyber Security company founded in 2013 and venture backed by Google Ventures, Paladin Capital Group, Institutional Venture Partners, and General Catalyst Partners.
• SaaS based enterprise security software that provides actionable threat intelligence to large enterprises and government agencies.
• Our customers hail from the financial services, retail, energy, and technology sectors.
Agenda
• Intro to Honeypots
• Modern Honey Network (MHN)
• MHN Community
• Crowdsourcing Security Data through MHN
• Lessons Learned Building MHN
• Announcement
• Demos
Honeypots
• Software systems designed to mimic vulnerable servers and desktops
• Used as bait to deceive, slow down, or detect hackers, malware, or misbehaving users
• Designed to capture data for research, forensics, and threat intelligence
Why Honeypots?
• Cheapest way to generate threat intelligence feeds around malicious IP addresses at scale
• Internal deployment
– Behind the firewall
– Low noise IDS sensors
• Local External deployment
– Who is attacking me?
– Outside the firewall and on your IP space
• Global External deployment
– Rented Servers, Cloud Servers, etc.
– Who is attacking everyone?
– Global Trends
What is Modern Honey Network?
• Open source platform for managing honeypots, collecting and analyzing their data
• Makes it very easy to deploy new honeypots and get data flowing
• Leverages some existing open source tools
– hpfeeds
– mnemosyne
– honeymap
– MongoDB
– Dionaea, Conpot, Snort, Kippo, p0f
– Glastopf, Amun, Wordpot, Shockpot
MHN Server Architecture
[Architecture diagram: sensors (dionaea, conpot, snort, suricata, Kippo, Amun, Glastopf, wordpot, shockpot, p0f) publish events over hpfeeds to the MHN Server; the server runs Mnemosyne, the webapp with its REST API, honeymap, and hpfeeds-logger; integrations expose the data to users and 3rd party apps]
MHN Community
• MHN is also a community of MHN Servers that contribute honeypot events
• MHN Servers and their honeypots are operated by different individuals and organizations
• Sharing data back to the community is optional
• Anyone that does share can get access to aggregated data on attackers
• Currently working on a way to share more granular event data
MHN Community
[Diagram: honeypots/sensors send events to MHN Servers; MHN Servers contribute events to the MHN Project and receive stats on attackers in return]
MHN Community Stats
• 269,746,704 Events
• 1.2M Events/day
• 2,959 Honeypots
• ~300 MHN Servers
• 42 Countries
• 6 Continents
MHN Community: Events per Sensor
Events Submitted    Sensors
100+                2,191
1,000+              1,660
10,000+             963
100,000+            381
1,000,000+          62
10,000,000+         2
MHN Community: Project
• github.com/threatstream/mhn
– 12 contributors
– 76 Forks
– 459 Stars
• modern-honey-network Google Group:
– 64 Members
– 135 Topics
– 461 Messages
Crowdsourcing Security Data
• Diverse perspectives (cloud providers vs. residential ISPs vs. commercial broadband)
– Different Attackers
– Different Locations/Timezones
• Diverse data collection
• Distribute the costs in terms of $$$, management time, and energy
• Provide useful data to the community, esp. for research
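The aggregated attacker stats that the MHN Community slide describes, built from crowdsourced events across independently operated sensors, as an added example (not MHN project code). It assumes hpfeeds-logger-style newline-delimited JSON with `src_ip`, `sensor`, `dest_port` and `timestamp` fields; the sample events are constructed, and the "diverse perspectives" point above is what the multi-sensor corroboration threshold encodes.

```python
import json
# Constructed sample shaped like hpfeeds-logger's JSON output; field names are an assumption
# modelled on MHN's logger, not captured data. The last two lines are a record with no src_ip
# and a truncated line, to exercise the filtering.
SAMPLE_EVENTS = """\
{"timestamp": "2015-05-01T10:00:01", "sensor": "s-ams-1", "app": "kippo", "src_ip": "198.51.100.7", "dest_port": 22, "protocol": "ssh"}
{"timestamp": "2015-05-01T10:00:09", "sensor": "s-nyc-2", "app": "dionaea", "src_ip": "198.51.100.7", "dest_port": 445, "protocol": "smb"}
{"timestamp": "2015-05-01T10:01:30", "sensor": "s-sgp-3", "app": "kippo", "src_ip": "198.51.100.7", "dest_port": 22, "protocol": "ssh"}
{"timestamp": "2015-05-01T10:02:00", "sensor": "s-ams-1", "app": "glastopf", "src_ip": "203.0.113.9", "dest_port": 80, "protocol": "http"}
{"timestamp": "2015-05-01T10:02:05", "sensor": "s-ams-1", "app": "glastopf", "src_ip": "203.0.113.9", "dest_port": 80, "protocol": "http"}
{"timestamp": "2015-05-01T10:02:07", "sensor": "s-nyc-2", "app": "p0f", "note": "no source address"}
{"timestamp": "2015-05-01T10:02:0
"""

def parse_events(text):
    """Parse newline-delimited JSON; skip garbled lines and records without src_ip."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line: drop it rather than abort the feed build
        if isinstance(ev, dict) and "src_ip" in ev and "sensor" in ev:
            events.append(ev)
    return events

def attacker_stats(events):
    """Aggregate per source IP: event count, distinct sensors and ports, first/last seen."""
    stats = {}
    for ev in events:
        ts = ev["timestamp"]
        s = stats.setdefault(ev["src_ip"], {"events": 0, "sensors": set(), "ports": set(),
                                            "first_seen": ts, "last_seen": ts})
        s["events"] += 1
        s["sensors"].add(ev["sensor"])
        s["ports"].add(ev.get("dest_port"))
        s["first_seen"], s["last_seen"] = min(s["first_seen"], ts), max(s["last_seen"], ts)
    return stats

def build_feed(stats, min_sensors=2):
    """Return (ip, sensor_count, event_count) for IPs seen by at least min_sensors
    independently operated sensors, most corroborated first. One sensor's view may
    be a scanner local to its network; corroboration across operators is the signal."""
    rows = [(ip, len(s["sensors"]), s["events"])
            for ip, s in stats.items() if len(s["sensors"]) >= min_sensors]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

if __name__ == "__main__":
    for ip, sensors, count in build_feed(attacker_stats(parse_events(SAMPLE_EVENTS))):
        print(f"{ip}\tsensors={sensors}\tevents={count}")
```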
Lessons Learned Building a Community
• We've found that lots of people like honeypots, especially if you give them a cool real-time visualization of their data and make it easy to set up
• Lots of organizations will share their data with you if it is part of a community
• And lots of companies will deploy honeypots as additional network sensors, especially if you make it easy to deploy/manage/integrate with their existing security tools.
Lessons Learned Building a Community (cont.)
• There will be many n00bs, help them and be patient
• Be willing to provide help beyond the scope of just your project (within reason)
– network/firewall troubleshooting
– misconfigured systems
– etc.
• Courtesy can be lost in translation (literally)
Lessons Learned Building a Community (cont.)
• Create a FAQ ASAP and populate it; this saves so much time, esp. if a teacher happens to make your project part of their college class assignment.
• Make it clear that users must provide logs if they want assistance
• Be appreciative of those who report bugs
• Encourage participation and asking questions
Announcement: MHN Splunk App
• Open source (LGPL) release of MHN App for Splunk
• New integration option during the MHN installation
• Enables more advanced analysis, exploration, dashboards, and alerting in Splunk
• Provides pivots to VirusTotal, TotalHash, and Dshield
• Uses Splunk’s Common Information Model (CIM)
Open Source @ ThreatStream
• github.com/threatstream/mhn
• github.com/threatstream/mhn-splunk
• github.com/threatstream/hpfeeds-logger
• github.com/threatstream/shockpot
Thanks
• The Honeynet Project
• Andrew Morris
• David Cowen
• Andrew Hay
• Matt Bromiley
• Miguel Ercolino
• github.com/ch40s
• github.com/zeroq
• github.com/tweemeterjop
• github.com/sidra-asa
• Keith Faber
• Mike Sconzo
• Roxy Dehart
• Lenny Zeltser
• Andrew Hay
• Eric Brinkster
• github.com/karlnewell
• github.com/exabrial
• github.com/hink
• github.com/aabed