Modern Honey Network at Bay Area Open Source Security Hackers

Upload: jason-trost

Post on 02-Dec-2014

DESCRIPTION

Modern Honey Network talk presented at Bay Area Open Source Security Hackers on 2014-09-24.

TRANSCRIPT

Page 1: Modern Honey Network at Bay Area Open Source Security Hackers

Colby DeRodeff, Chief Technology Officer

Modern Honey Network (MHN): Open Source Honeynet Management Platform

Jason Trost (@jason_trost)

jason.trost [AT] threatstream [DOT] com

Page 2: Modern Honey Network at Bay Area Open Source Security Hackers

Who am I

• Jason Trost (@jason_trost)

• Director of ThreatStream Labs

• Formerly at Endgame, Booz Allen, Dept. of Defense, Sandia Nat’l Labs

• Background in Big Data Security Analytics

• Big advocate of open source and open source contributor

– Binary Pig – framework for large-scale static analysis using Hadoop

– Apache Accumulo – Pig integration, Python integration, Analytics

– Apache Storm

– Elasticsearch plugins

– Honeynet Project

www.threatstream.com © 2014 threatstream Confidential 2

Page 3: Modern Honey Network at Bay Area Open Source Security Hackers

ThreatStream

• Cyber Security company founded in 2013 and venture backed by Google Ventures and Paladin Capital Group.

• SaaS-based enterprise security software that provides actionable threat intelligence to large enterprises and government agencies.

• Our customers hail from the financial services, retail, energy, and technology sectors.

Page 3

Agenda

• Background

• The Problem

• What is MHN

• MHN Architecture

• Demo

• Wrap-up

Page 4

Background

• Honeypots can be very useful

– Esp. if deployed behind your firewall

– Catch internal scanning hosts

– Early warning system

• Honeypot and network sensor data is useful, esp. at scale

– Threat feeds

– Reputation engine

– Attack trends

– Is this IP only attacking me? Or others?

Page 5

The Problem

• Deploying/Managing Honeypots is difficult

• These activities are harder than they should be:

– Installing Honeypot packages

– Managing Honeypot sensors

– Setting up data flows

– Analyzing the collected data

• Because of this, honeypots are not used as much as they could be in production

• We hope to change that

Page 6

What is MHN

• Modern Honey Network

• Open source platform for managing honeypots, collecting and analyzing their data

• Makes it very easy to deploy new honeypots and get data flowing

• Leverages some existing open source tools

– hpfeeds

– mnemosyne

– honeymap

– MongoDB

– Dionaea, Conpot, Snort, Kippo

– Glastopf, Amun, and Wordpot

Page 7

Honeypot Management

• MHN automates the management tasks:

– Deploying new honeypots

– Setting up data flows using hpfeeds

– Storing and indexing the resulting data

– Correlating with IP geolocation data

– Real-time visualization
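The data flow named above runs over hpfeeds, the publish/subscribe protocol the sensors use to ship events to the MHN server. The following is an added example, not code from the MHN project or from this talk: it encodes and decodes hpfeeds frames (INFO, AUTH, PUBLISH) following the reference wire format, performs the broker-side authentication and per-ident channel ACL check, and then answers the "Is this IP only attacking me? Or others?" question from the Background slide by counting distinct sensors per source address. The broker name, sensor idents, secrets, channel names and event records are all constructed for this example; an MHN deployment keeps the real credentials in MongoDB.

```python
import hashlib
import hmac
import json
import os
import struct

# hpfeeds opcodes, as used by the reference hpfeeds implementation
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)

def _strpack8(s: bytes) -> bytes:
    """Length-prefixed field: one length byte, then the bytes (max 255)."""
    return struct.pack("!B", len(s)) + s

def _strunpack8(buf: bytes, off: int):
    n = buf[off]
    return buf[off + 1:off + 1 + n], off + 1 + n

def frame(op: int, body: bytes) -> bytes:
    """Wire format of every message: 4-byte big-endian total length, 1-byte opcode, body."""
    return struct.pack("!iB", 5 + len(body), op) + body

def parse_frame(buf: bytes):
    """Return (opcode, body, rest) for the first complete frame in buf, or None."""
    if len(buf) < 5:
        return None
    total, op = struct.unpack("!iB", buf[:5])
    if total < 5 or len(buf) < total:  # refuse malformed or incomplete frames
        return None
    return op, buf[5:total], buf[total:]

def msg_info(broker_name: bytes, nonce: bytes) -> bytes:
    return frame(OP_INFO, _strpack8(broker_name) + nonce)

def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:
    # The client proves knowledge of the shared secret with SHA-1(nonce || secret)
    return frame(OP_AUTH, _strpack8(ident) + hashlib.sha1(nonce + secret).digest())

def msg_publish(ident: bytes, channel: bytes, payload: bytes) -> bytes:
    return frame(OP_PUBLISH, _strpack8(ident) + _strpack8(channel) + payload)

def parse_publish(body: bytes):
    ident, off = _strunpack8(body, 0)
    channel, off = _strunpack8(body, off)
    return ident, channel, body[off:]

# Broker-side credential store with a per-ident publish ACL (constructed for this example)
CREDENTIALS = {
    b"sensor-01": {"secret": b"s3cr3t-one", "pubchans": {b"dionaea.capture"}},
    b"sensor-02": {"secret": b"s3cr3t-two", "pubchans": {b"dionaea.capture"}},
}

def broker_check_auth(nonce: bytes, auth_body: bytes):
    """Verify an AUTH body against the stored secret; return the ident or None."""
    ident, off = _strunpack8(auth_body, 0)
    entry = CREDENTIALS.get(ident)
    if entry is None:
        return None
    expected = hashlib.sha1(nonce + entry["secret"]).digest()
    # constant-time compare so a timing side channel does not help guessing
    return ident if hmac.compare_digest(expected, auth_body[off:]) else None

def broker_accept_publish(auth_ident: bytes, body: bytes):
    """Accept a PUBLISH only if its ident matches the session and the ACL allows the channel."""
    ident, channel, payload = parse_publish(body)
    if ident != auth_ident or channel not in CREDENTIALS[ident]["pubchans"]:
        return None
    return channel, payload

def run_session(ident: bytes, secret: bytes, channel: bytes, event: dict):
    """Simulate one sensor session: INFO from the broker, AUTH, then one PUBLISH."""
    nonce = os.urandom(4)
    _, body, _ = parse_frame(msg_info(b"mhn-broker", nonce))  # sensor reads INFO
    _, off = _strunpack8(body, 0)
    client_nonce = body[off:]
    _, body, _ = parse_frame(msg_auth(client_nonce, ident, secret))
    auth_ident = broker_check_auth(nonce, body)
    if auth_ident is None:
        return None
    _, body, _ = parse_frame(msg_publish(ident, channel, json.dumps(event).encode()))
    return broker_accept_publish(auth_ident, body)

def sensors_per_source(accepted):
    """Distinct sensors per source IP: 'is this IP only attacking me, or others?'"""
    seen = {}
    for _channel, payload in accepted:
        ev = json.loads(payload)
        seen.setdefault(ev["src_ip"], set()).add(ev["sensor"])
    return {ip: len(s) for ip, s in seen.items()}

# Constructed sample sessions in a dionaea-style event shape (not real captures)
SAMPLE = [
    (b"sensor-01", b"s3cr3t-one", b"dionaea.capture", {"sensor": "sensor-01", "src_ip": "203.0.113.7"}),
    (b"sensor-02", b"s3cr3t-two", b"dionaea.capture", {"sensor": "sensor-02", "src_ip": "203.0.113.7"}),
    (b"sensor-02", b"s3cr3t-two", b"dionaea.capture", {"sensor": "sensor-02", "src_ip": "198.51.100.9"}),
    (b"sensor-01", b"wrong-secret", b"dionaea.capture", {"sensor": "sensor-01", "src_ip": "192.0.2.4"}),
    (b"sensor-01", b"s3cr3t-one", b"kippo.sessions", {"sensor": "sensor-01", "src_ip": "192.0.2.4"}),
]

def demo():
    """Run every sample session and return (accepted events, sensors per source IP)."""
    accepted = [r for r in (run_session(*s) for s in SAMPLE) if r is not None]
    return accepted, sensors_per_source(accepted)
```

Two of the five sample sessions are dropped: one because the secret is wrong, one because the ident is not allowed to publish on that channel. The broker trusts only the ident it authenticated, never the ident written inside a PUBLISH frame, which is what keeps one compromised sensor from reporting as another. hpfeeds authentication proves knowledge of a shared secret but the original protocol carries no transport encryption, so the broker port should be reachable only from sensor hosts or over a tunnel.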

Page 9

Architecture


[Architecture diagram: the MHN server running Mnemosyne, the web app, the REST API and honeymap; 3rd party apps; and the sensors (snort, conpot, dionaea, Kippo, Glastopf, Amun) feeding the server over hpfeeds.]

Page 10

Demo

Page 11

Open Source (GPLv3)

github.com/threatstream/MHN

Page 12

Questions?

Page 13

Contact

• Jason Trost

• @jason_trost

• jason.trost [AT] threatstream [DOT] com

• github.com/jt6211
