© 2015 ThreatStream Inc.
Lessons Learned from Building and Running MHN,
the World's Largest Crowdsourced Honeynet
whoami
• Jason Trost
• Director of ThreatStream Labs
• Previously at Sandia, DoD, Booz Allen, Endgame Inc.
• Big advocate of open source and open source
contributor
– Binary Pig – large-scale static analysis using Hadoop
– Apache Accumulo – Pig integration, pyaccumulo, Analytics
– Apache Storm
– Elasticsearch plugins
– Honeynet Project
ThreatStream
• Cyber Security company founded in 2013 and venture
backed by Google Ventures, Paladin Capital Group,
Institutional Venture Partners, and General Catalyst
Partners.
• SaaS-based enterprise security software that provides
actionable threat intelligence to large enterprises and
government agencies.
• Our customers hail from the financial services, retail, energy,
and technology sectors.
Agenda
• Intro to Honeypots
• Modern Honey Network (MHN)
• MHN Community
• Crowdsourcing Security Data through MHN
• Lessons Learned Building MHN
• Announcement
• Demos
Honeypots
• Software systems designed to mimic
vulnerable servers and desktops
• Used as bait to deceive, slow down, or detect
hackers, malware, or misbehaving users
• Designed to capture data for research,
forensics, and threat intelligence
Why Honeypots?
• Cheapest way to generate threat intelligence feeds around
malicious IP addresses at scale
• Internal deployment
– Behind the firewall
– Low noise IDS sensors
• Local External deployment
– Who is attacking me?
– Outside the firewall and on your IP space
• Global External deployment
– Rented Servers, Cloud Servers, etc
– Who is attacking everyone?
– Global Trends
What is Modern Honey Network
• Open source platform for managing honeypots,
collecting and analyzing their data
• Makes it very easy to deploy new honeypots and
get data flowing
• Leverages some existing open source tools
– hpfeeds
– mnemosyne
– honeymap
– MongoDB
– Dionaea, Conpot, Snort, Kippo, p0f
– Glastopf, Amun, Wordpot, Shockpot
MHN Server Architecture
• MHN Server: hpfeeds broker, Mnemosyne (hpfeeds consumer that normalizes events into MongoDB), Webapp, REST API, honeymap
• Sensors (publish events to the server over hpfeeds): dionaea, conpot, kippo, amun, glastopf, wordpot, shockpot, p0f, snort, suricata
• Integrations: hpfeeds-logger
• Consumers: Users, 3rd party apps
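The sensor-to-server path in the architecture above runs over hpfeeds. The block below is an added example, not code from the MHN or hpfeeds projects: it frames, parses and authenticates the messages a sensor exchanges with the broker on the MHN server. It assumes the hpfeeds wire format as the reference Python client implements it (a 5-byte header of big-endian length plus opcode, one-byte length-prefixed short strings, and an AUTH message carrying SHA-1 over the broker's nonce and the sensor's secret); the broker name, ident, secret, nonce and channel are constructed values.

```python
"""Added example, not MHN or hpfeeds project code: frame, parse and
authenticate hpfeeds messages as exchanged between an MHN sensor and the
broker on the MHN server.  Framing follows the hpfeeds wire format as the
reference Python client implements it:

  header     4-byte big-endian total length (header included) + 1-byte opcode
  INFO       broker name (1-byte length prefix) + random nonce  (broker -> sensor)
  AUTH       ident (1-byte length prefix) + SHA1(nonce + secret) (sensor -> broker)
  SUBSCRIBE  ident (length-prefixed) + channel name
  PUBLISH    ident + channel (both length-prefixed) + raw payload

Broker name, ident, secret, nonce and channel below are constructed.
"""
import hashlib
import hmac
import struct

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4


def str8(b):
    """Length-prefix a short string; the one-byte prefix caps it at 255 bytes."""
    if len(b) > 255:
        raise ValueError("hpfeeds short strings are at most 255 bytes")
    return struct.pack("!B", len(b)) + b


def unstr8(buf):
    """Split one length-prefixed string off the front of buf."""
    n = buf[0]
    if len(buf) < 1 + n:
        raise ValueError("truncated string")
    return buf[1:1 + n], buf[1 + n:]


def frame(op, body):
    """Prepend the 5-byte header."""
    return struct.pack("!iB", 5 + len(body), op) + body


def unframe(buf):
    """Take exactly one message off buf: returns (op, body, remaining bytes)."""
    if len(buf) < 5:
        raise ValueError("short header")
    length, op = struct.unpack("!iB", buf[:5])
    if length < 5 or length > len(buf):
        raise ValueError("malformed or incomplete frame")
    return op, buf[5:length], buf[length:]


# ---- sensor side --------------------------------------------------------

def client_reply_to_info(info_body, ident, secret, channel):
    """Given the INFO body from the broker, build the AUTH + SUBSCRIBE bytes.
    Only SHA1(nonce || secret) goes on the wire, never the secret, and the
    nonce is per-connection, so a captured handshake cannot be replayed."""
    _broker_name, nonce = unstr8(info_body)
    digest = hashlib.sha1(nonce + secret).digest()
    return (frame(OP_AUTH, str8(ident) + digest)
            + frame(OP_SUBSCRIBE, str8(ident) + channel))


def msg_publish(ident, channel, payload):
    return frame(OP_PUBLISH, str8(ident) + str8(channel) + payload)


# ---- broker side (MHN server) -------------------------------------------

def broker_info(name, nonce):
    return frame(OP_INFO, str8(name) + nonce)


def broker_check_auth(auth_body, nonce, secrets):
    """Verify an AUTH body against the broker's ident -> secret table.
    Returns the ident on success, None otherwise.  compare_digest keeps the
    comparison constant-time so the digest cannot be guessed byte by byte."""
    ident, digest = unstr8(auth_body)
    secret = secrets.get(ident)
    if secret is None or len(digest) != 20:
        return None
    expected = hashlib.sha1(nonce + secret).digest()
    return ident if hmac.compare_digest(expected, digest) else None


def parse_publish(body):
    """Decode a PUBLISH body into (ident, channel, payload)."""
    ident, rest = unstr8(body)
    channel, payload = unstr8(rest)
    return ident, channel, payload


def demo():
    """One full exchange with constructed values, no network needed."""
    secrets = {b"sensor-01": b"constructed-secret"}   # broker's credential table
    nonce = b"\x8e\x41\x02\xd9"                         # broker draws this at random
    op, info_body, _ = unframe(broker_info(b"mhn-broker", nonce))
    assert op == OP_INFO
    wire = client_reply_to_info(info_body, b"sensor-01", b"constructed-secret",
                                b"dionaea.capture")
    op, auth_body, wire = unframe(wire)
    ident = broker_check_auth(auth_body, nonce, secrets)
    op, _sub_body, wire = unframe(wire)
    assert op == OP_SUBSCRIBE and wire == b""
    pub = msg_publish(b"sensor-01", b"dionaea.capture",
                      b'{"saddr": "203.0.113.9", "dport": 445}')
    return ident, parse_publish(unframe(pub)[1])


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone deploying this: the AUTH digest is plain SHA-1 over nonce and secret, so whoever captures one handshake can brute-force a short secret offline, which is the argument for long random per-sensor secrets; and the protocol itself defines no transport encryption, so the broker port should be treated like any other cleartext service and restricted to known sensors or tunneled.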
MHN Community
• MHN is also a community of MHN Servers that
contribute honeypot events
• MHN Servers and their honeypots are operated
by different individuals and organizations
• Sharing data back to the community is optional
• Anyone that does share can get access to
aggregated data on attackers
• Currently working on a way to share more
granular event data
MHN Community (diagram): Honeypots/Sensors send Events to their MHN Server; MHN Servers contribute Events to the MHN Project and receive Stats on Attackers in return
Data Sharing (diagram)
MHN Community Stats
269,746,704 Events
1.2M Events/day
2,959 Honeypots
~300 MHN Servers
42 Countries
6 Continents
MHN Community: Events per Sensor (cumulative: a sensor is counted in every row whose threshold it reaches)
Events Submitted    Sensors
100+                  2,191
1,000+                1,660
10,000+                 963
100,000+                381
1,000,000+               62
10,000,000+               2
MHN Community: Project
• github.com/threatstream/mhn
– 12 contributors
– 76 Forks
– 459 Stars
• modern-honey-network Google Group:
– 64 Members
– 135 Topics
– 461 Messages
Sensors Added Daily (chart)
Cumulative Sensor Growth (chart): Unique Sensors Deployed: 2,959
Events (chart): 269,746,704 Events Total, ~1.2M Events/Day
Events (chart): 230,589,522 non-RFC1918 Events Total, i.e. events whose source address lies outside the RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)
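The non-RFC1918 total above and the events-per-sensor table in the community stats are both reductions over the raw event stream. The block below is an added example, not MHN's own code, that computes both figures plus the per-honeypot breakdown over a batch of events. It assumes each event carries sensor, honeypot and src_ip fields (field names assumed); the events themselves are constructed.

```python
"""Added example, not MHN's own code: reduce raw honeypot events to the
figures shown on the slides, the non-RFC1918 event count and the cumulative
events-per-sensor table, plus the per-honeypot breakdown.  Event field names
(sensor, honeypot, src_ip) are assumed; the sample events are constructed.
"""
import ipaddress
from collections import Counter

# RFC 1918 private space.  Sources in here are internal traffic (e.g. an
# internal deployment behind the firewall), not attackers on the Internet,
# so they are kept out of the global figures.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Same thresholds as the slide's events-per-sensor table.
THRESHOLDS = (100, 1_000, 10_000, 100_000, 1_000_000, 10_000_000)


def is_rfc1918(ip):
    """True only for a parseable IPv4 address inside one of the three ranges.
    Garbage or IPv6 sources return False so they stay visible downstream."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def public_events(events):
    """Drop events whose source sits in RFC 1918 space."""
    return [e for e in events if not is_rfc1918(e["src_ip"])]


def events_per_sensor_table(events, thresholds=THRESHOLDS):
    """Cumulative table: for each threshold, how many sensors submitted at
    least that many events.  A busy sensor is counted in every row it clears,
    which is why the slide's rows shrink from 2,191 down to 2."""
    per_sensor = Counter(e["sensor"] for e in events)
    return {t: sum(1 for n in per_sensor.values() if n >= t) for t in thresholds}


def events_by_honeypot(events):
    return Counter(e["honeypot"] for e in events)


def sample_events():
    """Constructed sample: one global external sensor on a rented server,
    one internal sensor behind an office firewall (mostly RFC 1918 sources)
    and one small home sensor.  Public sources use the TEST-NET ranges."""
    events = []
    for i in range(1200):
        events.append({"sensor": "cloud-dionaea", "honeypot": "dionaea",
                       "src_ip": f"198.51.100.{i % 254 + 1}"})
    for i in range(120):
        events.append({"sensor": "office-kippo", "honeypot": "kippo",
                       "src_ip": f"10.20.{i % 256}.{i % 254 + 1}"})
    for i in range(30):
        events.append({"sensor": "office-kippo", "honeypot": "kippo",
                       "src_ip": f"203.0.113.{i + 1}"})
    for i in range(30):
        events.append({"sensor": "home-glastopf", "honeypot": "glastopf",
                       "src_ip": f"192.0.2.{i + 1}"})
    return events


def summary(events, thresholds=THRESHOLDS):
    """Everything the slides report, over all events and again over the
    Internet-sourced subset so the effect of the filter is visible."""
    public = public_events(events)
    return {
        "events_total": len(events),
        "events_non_rfc1918": len(public),
        "per_sensor_all": events_per_sensor_table(events, thresholds),
        "per_sensor_non_rfc1918": events_per_sensor_table(public, thresholds),
        "by_honeypot": dict(events_by_honeypot(public)),
    }


if __name__ == "__main__":
    for k, v in summary(sample_events(), (100, 1_000)).items():
        print(f"{k}: {v}")
```

The explicit range check is deliberate: ipaddress's is_private is broader (loopback, link-local and the documentation ranges used for the sample sources), so it would not reproduce the slide's "non-rfc1918" definition. On the constructed sample the internal sensor crosses the 100+ row only when its LAN-sourced events are counted, which is the kind of inflation the filter exists to remove.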
Events by Honeypot (charts)
Events by Attacker Country (charts)
Crowdsourcing Security Data
• Diverse perspectives (cloud providers vs.
residential ISPs vs. commercial broadband)
– Different Attackers
– Different Locations/Timezones
• Diverse data collection
• Distribute the costs in terms of $$$, management
time, and energy
• Provide useful data to the community, esp. for
research
Lessons Learned Building a Community
• We've found that lots of people like honeypots,
especially if you give them a cool real-time
visualization of their data and make it easy to
setup
• Lots of organizations will share their data with
you if it is part of a community
• And lots of companies will deploy honeypots as
additional network sensors, especially if you
make it easy to deploy/manage/integrate with
their existing security tools.
Lessons Learned Building a Community (cont.)
• There will be many n00bs, help them and be
patient
• Be willing to provide help beyond the scope of
just your project (within reason)
– network/firewall troubleshooting
– misconfigured systems
– etc.
• Courtesy can be lost in translation (literally)
Lessons Learned Building a Community (cont.)
• Create a FAQ ASAP and populate it, this saves
so much time, esp. if a teacher happens to
make your project part of their college class
assignment. 
• Make it clear that users must provide logs if
they want assistance
• Be appreciative of those who report bugs
• Encourage participation and questions
Announcement: MHN Splunk App
• Open source (LGPL) release of
MHN App for Splunk
• New integration option during
the MHN installation
• Enables more advanced
analysis, exploration,
dashboards, and alerting in
Splunk
• Provides pivots to VirusTotal,
TotalHash, and DShield
• Uses Splunk’s Common
Information Model (CIM)
Demos
Open Source @ ThreatStream
• github.com/threatstream/mhn
• github.com/threatstream/mhn-splunk
• github.com/threatstream/hpfeeds-logger
• github.com/threatstream/shockpot
Thanks
• The Honeynet Project
• Andrew Morris
• David Cowen
• Andrew Hay
• Matt Bromiley
• Miguel Ercolino
• github.com/ch40s
• github.com/zeroq
• github.com/tweemeterjop
• github.com/sidra-asa
• Keith Faber
• Mike Sconzo
• Roxy Dehart
• Lenny Zeltser
• Andrew Hay
• Eric Brinkster
• github.com/karlnewell
• github.com/exabrial
• github.com/hink
• github.com/aabed
Questions?

More Related Content

What's hot

Seminar Report on Honeypot
Seminar Report on HoneypotSeminar Report on Honeypot
Seminar Report on HoneypotAmit Poonia
 
Honeypot honeynet
Honeypot honeynetHoneypot honeynet
Honeypot honeynetSina Manavi
 
Honeypots.ppt1800363876
Honeypots.ppt1800363876Honeypots.ppt1800363876
Honeypots.ppt1800363876Momita Sharma
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its typesVishal Tandel
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network SecurityKirubaburi R
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar
 
What are Honeypots? and how are they deployed?
What are Honeypots? and how are they deployed?What are Honeypots? and how are they deployed?
What are Honeypots? and how are they deployed?HusseinMuhaisen
 
Honey po tppt
Honey po tpptHoney po tppt
Honey po tpptArya AR
 
Honeypots and honeynets
Honeypots and honeynetsHoneypots and honeynets
Honeypots and honeynetsRasool Irfan
 

What's hot (20)

Seminar Report on Honeypot
Seminar Report on HoneypotSeminar Report on Honeypot
Seminar Report on Honeypot
 
Honeypot honeynet
Honeypot honeynetHoneypot honeynet
Honeypot honeynet
 
Honeypots.ppt1800363876
Honeypots.ppt1800363876Honeypots.ppt1800363876
Honeypots.ppt1800363876
 
Honeypots
HoneypotsHoneypots
Honeypots
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its types
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantages
 
What are Honeypots? and how are they deployed?
What are Honeypots? and how are they deployed?What are Honeypots? and how are they deployed?
What are Honeypots? and how are they deployed?
 
Honeypot2
Honeypot2Honeypot2
Honeypot2
 
Virtual honeypot
Virtual honeypotVirtual honeypot
Virtual honeypot
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Honey po tppt
Honey po tpptHoney po tppt
Honey po tppt
 
Honeypots and honeynets
Honeypots and honeynetsHoneypots and honeynets
Honeypots and honeynets
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Honeypots (Ravindra Singh Rathore)
Honeypots (Ravindra Singh Rathore)Honeypots (Ravindra Singh Rathore)
Honeypots (Ravindra Singh Rathore)
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypots
HoneypotsHoneypots
Honeypots
 

Viewers also liked

Mirai botnet
Mirai botnetMirai botnet
Mirai botnetOWASP
 
Anomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceAnomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceJason Trost
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
R-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceR-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceJason Trost
 
SANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceSANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceJason Trost
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?Memoori
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoringchrissanders88
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 

Viewers also liked (11)

Mirai botnet
Mirai botnetMirai botnet
Mirai botnet
 
Anomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceAnomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat Intelligence
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
R-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceR-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat Intelligence
 
Honeywall roo 1
Honeywall roo 1Honeywall roo 1
Honeywall roo 1
 
SANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceSANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat Intelligence
 
Honeypot Basics
Honeypot BasicsHoneypot Basics
Honeypot Basics
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 

Similar to Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet

Modern Honey Network at Bay Area Open Source Security Hackers
Modern Honey Network at Bay Area Open Source Security HackersModern Honey Network at Bay Area Open Source Security Hackers
Modern Honey Network at Bay Area Open Source Security HackersJason Trost
 
S2DS London 2015 - Hadoop Real World
S2DS London 2015 - Hadoop Real WorldS2DS London 2015 - Hadoop Real World
S2DS London 2015 - Hadoop Real WorldSean Roberts
 
Hortonworks sqrrl webinar v5.pptx
Hortonworks sqrrl webinar v5.pptxHortonworks sqrrl webinar v5.pptx
Hortonworks sqrrl webinar v5.pptxHortonworks
 
DV 2016: Beyond the Web - Measurement of Today's Channel Hopper
DV 2016: Beyond the Web - Measurement of Today's Channel HopperDV 2016: Beyond the Web - Measurement of Today's Channel Hopper
DV 2016: Beyond the Web - Measurement of Today's Channel HopperTealium
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityData Science Thailand
 
Make Streaming Analytics work for you: The Devil is in the Details
Make Streaming Analytics work for you: The Devil is in the DetailsMake Streaming Analytics work for you: The Devil is in the Details
Make Streaming Analytics work for you: The Devil is in the DetailsDataWorks Summit/Hadoop Summit
 
Real-Time AI Streaming - AI Max Princeton
Real-Time AI  Streaming - AI Max PrincetonReal-Time AI  Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max PrincetonTimothy Spann
 
Manage the Velocity of Change with Cloud Computing
Manage the Velocity of Change with Cloud Computing Manage the Velocity of Change with Cloud Computing
Manage the Velocity of Change with Cloud Computing Janine Sneed
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissanceCloudera, Inc.
 
Fighting cyber fraud with hadoop v2
Fighting cyber fraud with hadoop v2Fighting cyber fraud with hadoop v2
Fighting cyber fraud with hadoop v2Niel Dunnage
 
TCFPro24 Building Real-Time Generative AI Pipelines
TCFPro24 Building Real-Time Generative AI PipelinesTCFPro24 Building Real-Time Generative AI Pipelines
TCFPro24 Building Real-Time Generative AI PipelinesTimothy Spann
 
Introducing the SnapLogic Integration Cloud
Introducing the SnapLogic Integration CloudIntroducing the SnapLogic Integration Cloud
Introducing the SnapLogic Integration CloudDarren Cunningham
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibilitydianadvo
 
2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the Union2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the UnionCloudera, Inc.
 
ISCA Slides - Barun Kumar v1.0
ISCA Slides - Barun Kumar v1.0ISCA Slides - Barun Kumar v1.0
ISCA Slides - Barun Kumar v1.0Barun Kumar
 
Open Blueprint for Real-Time Analytics in Retail: Strata Hadoop World 2017 S...
Open Blueprint for Real-Time  Analytics in Retail: Strata Hadoop World 2017 S...Open Blueprint for Real-Time  Analytics in Retail: Strata Hadoop World 2017 S...
Open Blueprint for Real-Time Analytics in Retail: Strata Hadoop World 2017 S...Grid Dynamics
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on CloudTu Pham
 
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014kevintsmith
 
Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...
Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...
Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...Aggregage
 

Similar to Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet (20)

Modern Honey Network at Bay Area Open Source Security Hackers
Modern Honey Network at Bay Area Open Source Security HackersModern Honey Network at Bay Area Open Source Security Hackers
Modern Honey Network at Bay Area Open Source Security Hackers
 
S2DS London 2015 - Hadoop Real World
S2DS London 2015 - Hadoop Real WorldS2DS London 2015 - Hadoop Real World
S2DS London 2015 - Hadoop Real World
 
Hortonworks sqrrl webinar v5.pptx
Hortonworks sqrrl webinar v5.pptxHortonworks sqrrl webinar v5.pptx
Hortonworks sqrrl webinar v5.pptx
 
DV 2016: Beyond the Web - Measurement of Today's Channel Hopper
DV 2016: Beyond the Web - Measurement of Today's Channel HopperDV 2016: Beyond the Web - Measurement of Today's Channel Hopper
DV 2016: Beyond the Web - Measurement of Today's Channel Hopper
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance Security
 
Make Streaming Analytics work for you: The Devil is in the Details
Make Streaming Analytics work for you: The Devil is in the DetailsMake Streaming Analytics work for you: The Devil is in the Details
Make Streaming Analytics work for you: The Devil is in the Details
 
Real-Time AI Streaming - AI Max Princeton
Real-Time AI  Streaming - AI Max PrincetonReal-Time AI  Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max Princeton
 
Manage the Velocity of Change with Cloud Computing
Manage the Velocity of Change with Cloud Computing Manage the Velocity of Change with Cloud Computing
Manage the Velocity of Change with Cloud Computing
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity Renaissance
 
Fighting cyber fraud with hadoop v2
Fighting cyber fraud with hadoop v2Fighting cyber fraud with hadoop v2
Fighting cyber fraud with hadoop v2
 
TCFPro24 Building Real-Time Generative AI Pipelines
TCFPro24 Building Real-Time Generative AI PipelinesTCFPro24 Building Real-Time Generative AI Pipelines
TCFPro24 Building Real-Time Generative AI Pipelines
 
Introducing the SnapLogic Integration Cloud
Introducing the SnapLogic Integration CloudIntroducing the SnapLogic Integration Cloud
Introducing the SnapLogic Integration Cloud
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
 
2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the Union2016 Cybersecurity Analytics State of the Union
2016 Cybersecurity Analytics State of the Union
 
ISCA Slides - Barun Kumar v1.0
ISCA Slides - Barun Kumar v1.0ISCA Slides - Barun Kumar v1.0
ISCA Slides - Barun Kumar v1.0
 
Open Blueprint for Real-Time Analytics in Retail: Strata Hadoop World 2017 S...
Open Blueprint for Real-Time  Analytics in Retail: Strata Hadoop World 2017 S...Open Blueprint for Real-Time  Analytics in Retail: Strata Hadoop World 2017 S...
Open Blueprint for Real-Time Analytics in Retail: Strata Hadoop World 2017 S...
 
PA SB DC Cyber Brief
PA SB DC Cyber Brief PA SB DC Cyber Brief
PA SB DC Cyber Brief
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on Cloud
 
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
 
Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...
Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...
Harness Your Code, Unleash Your Creativity: Your Team's Pragmatic Guide to Se...
 

Recently uploaded

Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxgalaxypingy
 

Recently uploaded (20)

Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet

  • 1. © 2015 ThreatStream Inc. Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet
  • 2. whoami
      • Jason Trost
      • Director of ThreatStream Labs
      • Previously at Sandia, DoD, Booz Allen, Endgame Inc.
      • Big advocate of open source and open source contributor
        – Binary Pig – large-scale static analysis using Hadoop
        – Apache Accumulo – Pig integration, pyaccumulo, Analytics
        – Apache Storm
        – Elasticsearch plugins
        – Honeynet Project
  • 3. ThreatStream
      • Cyber Security company founded in 2013 and venture backed by Google Ventures, Paladin Capital Group, Institutional Venture Partners, and General Catalyst Partners.
      • SaaS based enterprise security software that provides actionable threat intelligence to large enterprises and government agencies.
      • Our customers hail from the financial services, retail, energy, and technology sectors.
  • 4. Agenda
      • Intro to Honeypots
      • Modern Honey Network (MHN)
      • MHN Community
      • Crowdsourcing Security Data through MHN
      • Lessons Learned Building MHN
      • Announcement
      • Demos
  • 5. Honeypots
      • Software systems designed to mimic vulnerable servers and desktops
      • Used as bait to deceive, slow down, or detect hackers, malware, or misbehaving users
      • Designed to capture data for research, forensics, and threat intelligence
  • 6. Why Honeypots?
      • Cheapest way to generate threat intelligence feeds around malicious IP addresses at scale
      • Internal deployment
        – Behind the firewall
        – Low noise IDS sensors
      • Local External deployment
        – Who is attacking me?
        – Outside the firewall and on your IP space
      • Global External deployment
        – Rented Servers, Cloud Servers, etc.
        – Who is attacking everyone?
        – Global Trends
  • 7. Why Honeypots?
  • 8. What is Modern Honey Network
      • Open source platform for managing honeypots, collecting and analyzing their data
      • Makes it very easy to deploy new honeypots and get data flowing
      • Leverages some existing open source tools
        – hpfeeds
        – mnemosyne
        – honeymap
        – MongoDB
        – Dionaea, Conpot, Snort, Kippo, p0f
        – Glastopf, Amun, Wordpot, Shockpot
  • 9. MHN Server Architecture (diagram; labels: MHN Server – Mnemosyne, Webapp, REST API, honeymap, hpfeeds-logger; Sensors – wordpot, shockpot, p0f, snort, conpot, dionaea, suricata, Kippo, Amun, Glastopf; hpfeeds; Integrations; Users; 3rd party apps)
  • 10. MHN Community
      • MHN is also a community of MHN Servers that contribute honeypot events
      • MHN Servers and their honeypots are operated by different individuals and organizations
      • Sharing data back to the community is optional
      • Anyone that does share can get access to aggregated data on attackers
      • Currently working on a way to share more granular event data
  • 11. MHN Community (diagram; labels: MHN Servers, Honeypots/Sensors, MHN Project, Stats on Attackers, Events)
  • 12. Data Sharing
  • 13. MHN Community Stats
      • 269,746,704 Events
      • 1.2M Events/day
      • 2,959 Honeypots
      • ~300 MHN Servers
      • 42 Countries
      • 6 Continents
  • 14. MHN Community: Events per Sensor
        Sensors    Events Submitted
        2,191      100+
        1,660      1,000+
        963        10,000+
        381        100,000+
        62         1,000,000+
        2          10,000,000+
  • 15. MHN Community: Project
      • github.com/threatstream/mhn
        – 12 contributors
        – 76 Forks
        – 459 Stars
      • modern-honey-network Google Group:
        – 64 Members
        – 135 Topics
        – 461 Messages
  • 16. Sensors Added Daily
  • 17. Cumulative Sensor Growth – Unique Sensors Deployed: 2,959
  • 18. Events – 269,746,704 Events Total, ~1.2M Events/Day
  • 19. Events – 230,589,522 non-RFC1918 Events Total
  • 20. Events by Honeypot
  • 21. Events By Honeypot
  • 22. Events By Attacker Country
  • 23. Events By Attacker Country
  • 24. Crowdsourcing Security Data
      • Diverse perspectives (cloud providers vs. residential ISPs vs. commercial broadband)
        – Different Attackers
        – Different Locations/Timezones
      • Diverse data collection
      • Distribute the costs in terms of $$$, management time, and energy
      • Provide useful data to the community, esp. for research
  • 25. Lessons Learned Building a Community
      • We've found that lots of people like honeypots, especially if you give them a cool real-time visualization of their data and make it easy to set up
      • Lots of organizations will share their data with you if it is part of a community
      • And lots of companies will deploy honeypots as additional network sensors, especially if you make it easy to deploy/manage/integrate with their existing security tools.
  • 26. Lessons Learned Building a Community (cont.)
      • There will be many n00bs, help them and be patient
      • Be willing to provide help beyond the scope of just your project (within reason)
        – network/firewall troubleshooting
        – misconfigured systems
        – etc.
      • Courtesy can be lost in translation (literally)
  • 27. Lessons Learned Building a Community (cont.)
      • Create a FAQ ASAP and populate it; this saves so much time, esp. if a teacher happens to make your project part of their college class assignment.
      • Make it clear that users must provide logs if they want assistance
      • Be appreciative of those who report bugs
      • Encourage participation and ask questions
  • 28. Announcement: MHN Splunk App
      • Open source (LGPL) release of MHN App for Splunk
      • New integration option during the MHN installation
      • Enables more advanced analysis, exploration, dashboards, and alerting in Splunk
      • Provides pivots to VirusTotal, TotalHash, and Dshield
      • Uses Splunk's Common Information Model (CIM)
  • 29. Demos
  • 30. Open Source @ ThreatStream
      • github.com/threatstream/mhn
      • github.com/threatstream/mhn-splunk
      • github.com/threatstream/hpfeeds-logger
      • github.com/threatstream/shockpot
  • 31. Thanks
      • The Honeynet Project
      • Andrew Morris
      • David Cowen
      • Andrew Hay
      • Matt Bromiley
      • Miguel Ercolino
      • github.com/ch40s
      • github.com/zeroq
      • github.com/tweemeterjop
      • github.com/sidra-asa
      • Keith Faber
      • Mike Sconzo
      • Roxy Dehart
      • Lenny Zeltser
      • Andrew Hay
      • Eric Brinkster
      • github.com/karlnewell
      • github.com/exabrial
      • github.com/hink
      • github.com/aabed
  • 32. Questions?
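Slides 8 and 9 (and speaker notes 5 and 6) describe the sensor-to-server hop: each honeypot publishes its events over hpfeeds to the MHN server, where honeymap, Mnemosyne and hpfeeds-logger consume them. The following is an added example, not code from the MHN or hpfeeds projects, showing what that first exchange looks like on the wire. It follows the message layout of the original hpfeeds Python reference implementation as understood by the author of this example (a 4-byte big-endian total length, a 1-byte opcode, then 1-byte-length-prefixed strings); the broker name, sensor ident, secret, channel and payload are constructed values.

```python
"""hpfeeds v1 framing for the sensor -> broker hop: INFO, AUTH, PUBLISH.

Added example, not MHN or hpfeeds project code. Layout assumed from the
original hpfeeds reference implementation; all names and secrets are constructed.
"""
import hashlib
import hmac
import os
import struct

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)
HEADER = struct.Struct("!iB")  # total length (header included), opcode


def _strpack8(s: bytes) -> bytes:
    """Length-prefixed string; hpfeeds uses a single length byte."""
    if len(s) > 255:
        raise ValueError("hpfeeds strings are limited to 255 bytes")
    return struct.pack("!B", len(s)) + s


def _strunpack8(buf: bytes):
    """Return (string, remainder) for a 1-byte-length-prefixed string."""
    if not buf or len(buf) < 1 + buf[0]:
        raise ValueError("truncated string field")
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]


def _msghdr(op: int, body: bytes) -> bytes:
    return HEADER.pack(HEADER.size + len(body), op) + body


def msg_info(broker_name: bytes, nonce: bytes) -> bytes:
    """Broker's first message: its name plus a fresh 4-byte nonce."""
    return _msghdr(OP_INFO, _strpack8(broker_name) + nonce)


def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:
    """Sensor's reply: ident plus SHA-1(nonce || secret); the secret never goes on the wire."""
    return _msghdr(OP_AUTH, _strpack8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_publish(ident: bytes, chan: bytes, payload: bytes) -> bytes:
    """Sensor publishes one event payload on a channel (e.g. dionaea.connections)."""
    return _msghdr(OP_PUBLISH, _strpack8(ident) + _strpack8(chan) + payload)


def parse_message(buf: bytes):
    """Parse exactly one framed message into (opcode, fields); reject bad framing."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    length, op = HEADER.unpack_from(buf)
    if length != len(buf):
        raise ValueError("length field %d does not match %d bytes" % (length, len(buf)))
    body = buf[HEADER.size:]
    if op == OP_INFO:
        name, nonce = _strunpack8(body)
        return op, {"name": name, "nonce": nonce}
    if op == OP_AUTH:
        ident, digest = _strunpack8(body)
        return op, {"ident": ident, "digest": digest}
    if op == OP_PUBLISH:
        ident, rest = _strunpack8(body)
        chan, payload = _strunpack8(rest)
        return op, {"ident": ident, "chan": chan, "payload": payload}
    if op == OP_SUBSCRIBE:
        ident, chan = _strunpack8(body)
        return op, {"ident": ident, "chan": chan}
    if op == OP_ERROR:
        return op, {"error": body}
    raise ValueError("unknown opcode %d" % op)


def broker_verify_auth(auth_msg: bytes, nonce: bytes, secrets: dict) -> bool:
    """Broker side: recompute the digest from its own nonce and the stored secret."""
    op, fields = parse_message(auth_msg)
    if op != OP_AUTH or fields["ident"] not in secrets:
        return False
    expected = hashlib.sha1(nonce + secrets[fields["ident"]]).digest()
    return hmac.compare_digest(expected, fields["digest"])  # constant-time compare


def demo_exchange(secret: bytes = b"s3cr3t-constructed") -> dict:
    """Run the three messages of one sensor connecting and publishing one event."""
    secrets = {b"sensor-1234": secret}       # broker's credential table (constructed)
    nonce = os.urandom(4)
    info = msg_info(b"mhn-broker", nonce)    # broker -> sensor
    _, f = parse_message(info)                # sensor reads the nonce
    auth = msg_auth(f["nonce"], b"sensor-1234", secret)  # sensor -> broker
    ok = broker_verify_auth(auth, nonce, secrets)
    pub = msg_publish(b"sensor-1234", b"dionaea.connections",
                      b'{"remote_host": "203.0.113.5", "remote_port": 51234}')
    _, event = parse_message(pub)
    return {"authenticated": ok, "channel": event["chan"], "payload": event["payload"]}


if __name__ == "__main__":
    print(demo_exchange())
```

Two properties matter operationally: the sensor's secret is never transmitted (only a digest bound to the broker's nonce, so a captured AUTH message cannot be replayed against a later nonce), and each sensor has its own ident, so a compromised or abandoned honeypot can be revoked in the broker's credential table without touching the others.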

Editor's Notes

  1. more than 10 years experience in security, primarily on building distributed systems, big data analytics, and most recently data science
  2. In this talk, when I say honeypot, I am referring to low interaction honeypots.
  3. Local vs. Global Deployment: is this IP scanning/attacking everyone or just my network?
  4. Anyone go to Derby Con? did you see Katherine Trame and David Sharpe’s talk? They are from GE-CIRT team. This is a slide they presented that showed the types of attacks that their team responded to over the past 3 years. Internet facing assets represented the vast majority of incidents they responded to. IMO, this makes a strong case for honeypots.
  5. automates the install process for each honeypot: install dependencies, install honeypot, run under supervisord, get data flow going to MHN server using HPFeeds. Makes them manageable. GNU Lesser General Public License (LGPL)
  6. Start with sensors; hpfeeds -> honeymap; hpfeeds -> mnemosyne; hpfeeds -> hpfeeds-logger for integrations; web app for users to manage, deploy and explore the data; REST APIs for building apps and automation around MHN.
  7. MHN is also a community of MHN Servers that contribute honeypot events. Anyone can install MHN and then start deploying honeypots. If they opt to share their data, it is contributed to the community and they can get access to the data.
  8. Sharing data back to the community is optional Anyone that does share can get access to aggregated data on attackers Currently working on a way to share more granular event data
  9. 428 MHN Servers – 413 /24's and 286 /16's; this should put a bound on DHCP related changes. 428 MHN Servers, 42 countries, 6 continents (did IP geo on the MHN server IPs). 2,959 Sensors, 35 countries, 5 continents (self reported IP GEO from MaxMind).
  10. Anyone want to speculate why there was a surge in sensors added here? Here's a hint: this was Sept 30 and Oct 1. ShellShock.
  11. As you can see, Shell Shock is what caused the MHN project to really take off.
  12. Forgive the drop off in late November; we had a collection outage. The huge spike is from Dionaea sensors, and this is actually not from the surge in sensors added. This was 2 weeks later. We investigated, and if you look at the attack IPs…
  13. 39M events from one sensor. Thanks! 269,746,704 – 39,157,182 = 230,589,522
  14. vast majority of the events that come in are from Dionaea, then Kippo and Amun
  15. notice the rfc1918 spike is gone
  16. The countries of origin for the events are primarily USA, China, France, Hong Kong, and Taiwan. This is not attribution; this is just stats on the aggregated data we collected.
  17. * Crowdsourcing was coined in 2005. * Wikipedia: Crowdsourcing is the process of obtaining needed services, ideas, or content by soliciting contributions from a large group of people, and especially from an online community, rather than from traditional employees or suppliers. * ThreatStream is a big believer in crowdsourcing, especially for security data. Our OPTIC platform leverages this concept to enable companies to share diverse threat intelligence with each other. Our MHN project leverages it to collect and share global honeypot data.
  18. Many many people I’ve spoken to have set this up primarily for the ThreatMap it provides them
  19. We were all beginners once. There will be many n00bs, help them and be patient. Be willing to provide help beyond the scope of just your project (within reason): network troubleshooting, misconfigured systems, etc. Courtesy can be lost in translation (literally) – lots of international users, and it seems like they use Google Translate to create their help emails.
  20. It was submitted to Splunkbase and is waiting for approval
  21. ThreatStream is big on open source contributions. If you go to our Github page, you will see 24 publicly shared open source projects (10 are original projects, 14 are forks we've made and contributed our changes back). Expect more to come. Here are the main projects that we authored related to MHN: MHN – the main MHN project; mhn-splunk – the MHN Splunk App; hpfeeds-logger – the generic hpfeeds logger to enable integrations with Splunk and ArcSight; shockpot.
  22. Thanks to these contributors, supporters, and vocal users. We appreciate your help and support. I would highly recommend making a donation to the Honeynet Project. MHN relies on many of their packages and they do awesome work.
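Slides 14, 18 and 19 and speaker notes 12 through 15 describe the cleanup behind the community stats: one sensor contributed 39M events, a spike in RFC1918 source addresses had to be excluded, and sensors were bucketed by how many events they submitted. The following is an added example, not code from the MHN project, that performs those three steps over event records. It assumes each event is one JSON object per line carrying at least "identifier" (the sensor's UUID) and "source_ip", the shape Mnemosyne normalizes hpfeeds sessions into; the events in SAMPLE_LINES, including the one malformed line, are constructed for this illustration.

```python
"""Per-sensor event statistics over Mnemosyne-style honeypot records.

Added example, not MHN project code. Assumes JSON-per-line events with
"identifier" and "source_ip"; SAMPLE_LINES is constructed input.
"""
import ipaddress
import json
from collections import Counter

# RFC 1918 private ranges: a honeypot seeing these as "attacker" sources is
# watching internal scanning or a misconfigured sensor, not Internet traffic.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Thresholds used on the "Events per Sensor" slide.
SLIDE14_THRESHOLDS = (100, 1_000, 10_000, 100_000, 1_000_000, 10_000_000)

# Constructed sample: three sensors, two of them also logging RFC1918 sources,
# plus one corrupt line that a collector must tolerate.
SAMPLE_EVENTS = (
    {"identifier": "sensor-a", "honeypot": "dionaea", "source_ip": "203.0.113.5", "destination_port": 445},
    {"identifier": "sensor-a", "honeypot": "dionaea", "source_ip": "198.51.100.9", "destination_port": 445},
    {"identifier": "sensor-a", "honeypot": "dionaea", "source_ip": "192.168.1.50", "destination_port": 445},
    {"identifier": "sensor-b", "honeypot": "kippo", "source_ip": "203.0.113.77", "destination_port": 22},
    {"identifier": "sensor-b", "honeypot": "kippo", "source_ip": "10.0.0.3", "destination_port": 22},
    {"identifier": "sensor-c", "honeypot": "amun", "source_ip": "172.16.4.4", "destination_port": 80},
)
SAMPLE_LINES = "\n".join([json.dumps(e) for e in SAMPLE_EVENTS] + ["{not valid json"])


def is_rfc1918(ip: str) -> bool:
    """True for IPv4 addresses inside any RFC 1918 block; unparsable input is not private."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_events(text: str):
    """Yield well-formed event dicts, skipping blank, corrupt or incomplete lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # one corrupt line must not abort the whole batch
        if isinstance(ev, dict) and "identifier" in ev and "source_ip" in ev:
            yield ev


def count_by_sensor(text: str, drop_rfc1918: bool = True) -> Counter:
    """Events per sensor identifier, optionally excluding RFC1918 sources (slide 19)."""
    counts = Counter()
    for ev in parse_events(text):
        if drop_rfc1918 and is_rfc1918(ev["source_ip"]):
            continue
        counts[ev["identifier"]] += 1
    return counts


def sensors_at_least(counts: Counter, thresholds=SLIDE14_THRESHOLDS) -> dict:
    """Slide 14 layout: number of sensors that submitted at least N events, per N."""
    return {t: sum(1 for c in counts.values() if c >= t) for t in thresholds}


def top_sensor_share(counts: Counter) -> float:
    """Fraction of all events coming from the single busiest sensor (note 13 check)."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


def summarize(text: str, drop_rfc1918: bool = True, thresholds=SLIDE14_THRESHOLDS) -> dict:
    counts = count_by_sensor(text, drop_rfc1918)
    return {
        "total": sum(counts.values()),
        "sensors": len(counts),
        "by_threshold": sensors_at_least(counts, thresholds),
        "top_share": top_sensor_share(counts),
    }


if __name__ == "__main__":
    # Toy thresholds so the six-event sample produces a non-empty histogram.
    print("all events:     ", summarize(SAMPLE_LINES, drop_rfc1918=False, thresholds=(1, 2, 3)))
    print("non-RFC1918 only:", summarize(SAMPLE_LINES, drop_rfc1918=True, thresholds=(1, 2, 3)))
```

The top_share figure is the quick sanity check from note 13: when a single sensor dominates the total, the aggregate is describing that sensor's network, not the Internet, and it should be reported separately (as the deck does by quoting both 269,746,704 and 230,589,522) rather than silently folded in.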