© 2015 ThreatStream Inc.

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet


whoami

• Jason Trost

• Director of ThreatStream Labs

• Previously at Sandia, DoD, Booz Allen, Endgame Inc.

• Big advocate of open source and open source contributor

– Binary Pig – large-scale static analysis using Hadoop

– Apache Accumulo – Pig integration, pyaccumulo, Analytics

– Apache Storm

– Elasticsearch plugins

– Honeynet Project


ThreatStream

• Cyber Security company founded in 2013 and venture backed by Google Ventures, Paladin Capital Group, Institutional Venture Partners, and General Catalyst Partners.

• SaaS-based enterprise security software that provides actionable threat intelligence to large enterprises and government agencies.

• Our customers hail from the financial services, retail, energy, and technology sectors.


Agenda

• Intro to Honeypots

• Modern Honey Network (MHN)

• MHN Community

• Crowdsourcing Security Data through MHN

• Lessons Learned Building MHN

• Announcement

• Demos


Honeypots

• Software systems designed to mimic vulnerable servers and desktops

• Used as bait to deceive, slow down, or detect hackers, malware, or misbehaving users

• Designed to capture data for research, forensics, and threat intelligence


Why Honeypots?

• Cheapest way to generate threat intelligence feeds around malicious IP addresses at scale

• Internal deployment

– Behind the firewall

– Low noise IDS sensors

• Local External deployment

– Who is attacking me?

– Outside the firewall and on your IP space

• Global External deployment

– Rented Servers, Cloud Servers, etc.

– Who is attacking everyone?

– Global Trends


What is Modern Honey Network

• Open source platform for managing honeypots, collecting and analyzing their data

• Makes it very easy to deploy new honeypots and get data flowing

• Leverages some existing open source tools

– hpfeeds

– Mnemosyne

– honeymap

– MongoDB

– Dionaea, Conpot, Snort, Kippo, p0f

– Glastopf, Amun, Wordpot, Shockpot
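hpfeeds is the piece that ties the list above together: every honeypot on a sensor publishes its events over hpfeeds to the MHN server, where the broker hands them to Mnemosyne and the other consumers. As an added example (not code from the MHN or hpfeeds projects), the block below re-implements the hpfeeds framing so the data path can be read against concrete bytes. It follows the wire format of the reference Python hpfeeds client: a 4-byte big-endian length that includes the header, a 1-byte opcode, strings prefixed with a 1-byte length, and an AUTH message carrying SHA-1(nonce || secret). The broker name, sensor ident, secret, nonce and the dionaea event are constructed.

```python
"""hpfeeds framing as used between MHN sensors and the MHN server.

Added example, not MHN/hpfeeds project code. Credentials, nonce and the
published event are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

# hpfeeds opcodes, in wire order.
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)
HDR = struct.Struct("!IB")  # 4-byte total length (header included) + 1-byte opcode


def strpack8(s: bytes) -> bytes:
    """1-byte length prefix, as hpfeeds encodes idents, channels and broker names."""
    if len(s) > 255:
        raise ValueError("hpfeeds length-prefixed strings are limited to 255 bytes")
    return struct.pack("!B", len(s)) + s


def strunpack8(data: bytes):
    """Inverse of strpack8: returns (string, remaining bytes)."""
    if not data or len(data) < 1 + data[0]:
        raise ValueError("truncated length-prefixed string")
    n = data[0]
    return data[1:1 + n], data[1 + n:]


def frame(op: int, payload: bytes) -> bytes:
    return HDR.pack(HDR.size + len(payload), op) + payload


def msg_info(broker_name: bytes, nonce: bytes) -> bytes:
    """Broker -> client greeting. The nonce is the challenge answered by AUTH."""
    return frame(OP_INFO, strpack8(broker_name) + nonce)


def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:
    """Client -> broker: ident plus SHA-1(nonce + secret); the secret stays local."""
    return frame(OP_AUTH, strpack8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_publish(ident: bytes, channel: bytes, data: bytes) -> bytes:
    """Client -> broker: one honeypot event on a named channel (e.g. dionaea.connections)."""
    return frame(OP_PUBLISH, strpack8(ident) + strpack8(channel) + data)


def msg_subscribe(ident: bytes, channel: bytes) -> bytes:
    """Client -> broker: the channel name is simply the rest of the payload."""
    return frame(OP_SUBSCRIBE, strpack8(ident) + channel)


def parse_frames(buf: bytes):
    """Split a TCP byte stream into (opcode, payload) pairs.
    Returns the complete messages and whatever partial frame is still pending."""
    msgs = []
    while len(buf) >= HDR.size:
        length, op = HDR.unpack_from(buf)
        if length < HDR.size:
            raise ValueError("bad hpfeeds frame length %d" % length)
        if len(buf) < length:
            break  # wait for more bytes from the socket
        msgs.append((op, buf[HDR.size:length]))
        buf = buf[length:]
    return msgs, buf


def parse_publish(payload: bytes):
    ident, rest = strunpack8(payload)
    channel, data = strunpack8(rest)
    return ident, channel, data


def verify_auth(payload: bytes, nonce: bytes, secrets: dict) -> Optional[bytes]:
    """Broker-side check of an AUTH payload against the secrets it issued.
    Constant-time compare; returns the ident on success, None otherwise."""
    ident, digest = strunpack8(payload)
    secret = secrets.get(ident)
    if secret is None or len(digest) != hashlib.sha1().digest_size:
        return None
    expected = hashlib.sha1(nonce + secret).digest()
    return ident if hmac.compare_digest(digest, expected) else None


def demo() -> dict:
    """Walk one sensor through greeting, authentication and a publish."""
    secrets = {b"sensor-01": b"constructed-secret"}  # constructed per-sensor credentials
    nonce = b"\x00\x01\x02\x03"                        # constructed; real brokers use random bytes

    # 1. broker greets the connecting sensor
    msgs, _ = parse_frames(msg_info(b"mhn-broker", nonce))
    broker_name, challenge = strunpack8(msgs[0][1])

    # 2. sensor answers the challenge; broker checks it (and rejects a wrong secret)
    auth = msg_auth(challenge, b"sensor-01", secrets[b"sensor-01"])
    msgs, _ = parse_frames(auth)
    authed = verify_auth(msgs[0][1], nonce, secrets)
    bad_auth = verify_auth(msgs[0][1], nonce, {b"sensor-01": b"other-secret"})

    # 3. sensor publishes one constructed dionaea event; the stream also carries
    #    the first 3 bytes of a following frame to show reassembly across reads
    event = b'{"connection_type":"accept","remote_host":"198.51.100.7","local_port":445}'
    pub = msg_publish(b"sensor-01", b"dionaea.connections", event)
    msgs, leftover = parse_frames(auth + pub + pub[:3])
    ident, channel, data = parse_publish(msgs[1][1])

    return {"broker_name": broker_name, "authed": authed, "bad_auth": bad_auth,
            "opcodes": [op for op, _ in msgs], "ident": ident,
            "channel": channel, "event": data, "leftover": len(leftover)}
```

Two things about the trust model follow directly from the bytes. The sensor secret never crosses the wire, but the protocol itself has no confidentiality or integrity protection, so anything between sensor and broker can read or alter published events unless the connection is tunnelled or confined to a trusted network. And a honeypot that gets compromised still holds a valid ident/secret, so events arriving on a channel are untrusted input to the MHN server and to anything downstream of it.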


MHN Server Architecture (diagram)

Sensors: dionaea, conpot, snort, suricata, p0f, Kippo, Amun, Glastopf, wordpot, shockpot

Transport: hpfeeds (sensors publish events to the MHN Server)

MHN Server: Mnemosyne, Webapp / REST API, honeymap

Integrations: hpfeeds-logger, feeding users and 3rd party apps

MHN Community

• MHN is also a community of MHN Servers that contribute honeypot events

• MHN Servers and their honeypots are operated by different individuals and organizations

• Sharing data back to the community is optional

• Anyone that does share can get access to aggregated data on attackers

• Currently working on a way to share more granular event data


MHN Community (diagram)

Honeypots/Sensors send Events to MHN Servers; MHN Servers share Events with the MHN Project, which returns Stats on Attackers.

Data Sharing (figure)

MHN Community Stats

• 269,746,704 Events

• 1.2M Events/day

• 2,959 Honeypots

• ~300 MHN Servers

42 Countries 6 Continents


MHN Community: Events per Sensor

Sensors   Events Submitted (at least)

2,191     100+

1,660     1,000+

  963     10,000+

  381     100,000+

   62     1,000,000+

    2     10,000,000+

Rows are cumulative: a sensor counted in the 1,000+ row is also counted in the 100+ row.


MHN Community: Project

• github.com/threatstream/mhn

– 12 contributors

– 76 Forks

– 459 Stars

• modern-honey-network Google Group:

– 64 Members

– 135 Topics

– 461 Messages

Sensors Added Daily (chart)

Cumulative Sensor Growth

Unique Sensors Deployed: 2,959


Events

269,746,704 Events Total, ~1.2M Events/Day


Events

230,589,522 Events Total from non-RFC 1918 source addresses (i.e. excluding attacker IPs in the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 private ranges)
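The gap between the two totals (roughly 39M events) is what internal deployments contribute: sensors behind a firewall see RFC 1918 scanners, and those addresses mean nothing in a shared "attacker" feed, so they have to be filtered before the numbers are aggregated. The block below, an added example rather than MHN code, recomputes both figures from this slide and the "Events per Sensor" table over constructed events. Records mimic the flattened shape a per-event logger gives each hpfeeds message (sensor id, channel, source IP, destination port); the sensor names, IPs and counts are constructed, and the cumulative table is converted into exclusive ranges using the slide's own numbers.

```python
"""RFC 1918 filtering and the events-per-sensor table, over constructed MHN events.

Added example, not MHN code. Event records, sensor names and IPs are constructed.
"""
import ipaddress
from collections import Counter

# The three RFC 1918 private blocks. A stricter feed would use
# ipaddress.ip_address(x).is_global, which also drops loopback, link-local,
# multicast and the documentation ranges used for the sample data below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Cumulative table from the "Events per Sensor" slide: sensors with >= N events.
SLIDE_TOTAL_SENSORS = 2959
SLIDE_AT_LEAST = {100: 2191, 1000: 1660, 10000: 963,
                  100000: 381, 1000000: 62, 10000000: 2}


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def split_events(events):
    """Separate events by whether the attacker address is RFC 1918 space."""
    keep, dropped = [], []
    for e in events:
        (dropped if is_rfc1918(e["src_ip"]) else keep).append(e)
    return keep, dropped


def sensors_with_at_least(events, thresholds):
    """Build the cumulative 'sensors that submitted >= N events' table."""
    per_sensor = Counter(e["sensor"] for e in events)
    return {n: sum(1 for c in per_sensor.values() if c >= n) for n in thresholds}


def cumulative_to_bins(at_least: dict, total: int) -> dict:
    """Turn a cumulative table into exclusive ranges; rejects non-monotone input,
    which in practice means a transcription error in the table."""
    thresholds = sorted(at_least)
    counts = [at_least[t] for t in thresholds]
    if counts[0] > total or any(a < b for a, b in zip(counts, counts[1:])):
        raise ValueError("cumulative counts must be non-increasing and <= total")
    bins = {"<%d" % thresholds[0]: total - counts[0]}
    for lo, hi, c_lo, c_hi in zip(thresholds, thresholds[1:], counts, counts[1:]):
        bins["%d-%d" % (lo, hi - 1)] = c_lo - c_hi
    bins[">=%d" % thresholds[-1]] = counts[-1]
    return bins


def demo() -> dict:
    # Constructed events: one cloud sensor, one home sensor and two sensors
    # behind a firewall that only ever see RFC 1918 scanners.
    events = []

    def add(sensor, src_ip, n, channel="dionaea.connections", dest_port=445):
        events.extend({"sensor": sensor, "channel": channel,
                       "src_ip": src_ip, "dest_port": dest_port} for _ in range(n))

    add("sensor-cloud-01", "198.51.100.7", 120)
    add("sensor-cloud-01", "203.0.113.9", 40, "kippo.sessions", 22)
    add("sensor-home-01", "203.0.113.77", 12, "glastopf.events", 80)
    add("sensor-office-01", "10.0.0.15", 30)
    add("sensor-office-01", "192.168.1.20", 5)
    add("sensor-ics-01", "172.16.4.4", 2, "conpot.events", 502)

    keep, dropped = split_events(events)
    small = (1, 10, 100)  # thresholds scaled down to the constructed data
    return {
        "total": len(events),
        "non_rfc1918": len(keep),
        "dropped_sensors": sorted({e["sensor"] for e in dropped}),
        "table_all": sensors_with_at_least(events, small),
        "table_external": sensors_with_at_least(keep, small),
        "slide_bins": cumulative_to_bins(SLIDE_AT_LEAST, SLIDE_TOTAL_SENSORS),
    }
```

Run on the slide's figures, the exclusive ranges show where the community's volume actually comes from: 768 sensors never reached 100 events, while 64 sensors with a million or more each produced the bulk of the 269M total. Filtering before aggregation matters for the same reason: a handful of busy internal sensors can otherwise dominate a shared attacker list with addresses that are private everywhere.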

Events by Honeypot (charts)

Events by Attacker Country (charts)

Crowdsourcing Security Data

• Diverse perspectives (cloud providers vs. residential ISPs vs. commercial broadband)

– Different Attackers

– Different Locations/Timezones

• Diverse data collection

• Distribute the costs in terms of $$$, management time, and energy

• Provide useful data to the community, esp. for research


Lessons Learned Building a Community

• We've found that lots of people like honeypots, especially if you give them a cool real-time visualization of their data and make it easy to set up

• Lots of organizations will share their data with you if it is part of a community

• And lots of companies will deploy honeypots as additional network sensors, especially if you make it easy to deploy/manage/integrate with their existing security tools.


Lessons Learned Building a Community (cont.)

• There will be many n00bs, help them and be patient

• Be willing to provide help beyond the scope of just your project (within reason)

– network/firewall troubleshooting

– misconfigured systems

– etc.

• Courtesy can be lost in translation (literally)


Lessons Learned Building a Community (cont.)

• Create a FAQ as soon as possible and populate it; this saves a lot of time, especially if a teacher makes your project part of a college class assignment.

• Make it clear that users must provide logs if they want assistance

• Be appreciative of those who report bugs

• Encourage participation and questions


Announcement: MHN Splunk App

• Open source (LGPL) release of MHN App for Splunk

• New integration option during the MHN installation

• Enables more advanced analysis, exploration, dashboards, and alerting in Splunk

• Provides pivots to VirusTotal, TotalHash, and DShield

• Uses Splunk’s Common Information Model (CIM)


Demos


Open Source @ ThreatStream

• github.com/threatstream/mhn

• github.com/threatstream/mhn-splunk

• github.com/threatstream/hpfeeds-logger

• github.com/threatstream/shockpot


Thanks

• The Honeynet Project

• Andrew Morris

• David Cowen

• Andrew Hay

• Matt Bromiley

• Miguel Ercolino

• github.com/ch40s

• github.com/zeroq

• github.com/tweemeterjop

• github.com/sidra-asa

• Keith Faber

• Mike Sconzo

• Roxy Dehart

• Lenny Zeltser

• Andrew Hay

• Eric Brinkster

• github.com/karlnewell

• github.com/exabrial

• github.com/hink

• github.com/aabed

Questions?