A couple of weeks ago, Nicholas Albright and I from ThreatStream Labs offered a workshop at BSidesLV 2015 on Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open Source Tools. The class was packed, and we ended up with more attendees than the maximum class size. This made teaching the class a lot of fun and very interactive. In this blog post we recap some of what we did and provide the training materials so others can try them out.
The workshop was four hours long and consisted of ~2 hours of lecture and discussion and then ~2 hours of lab exercises. It covered details of our experience with using honeypots in the enterprise and using the Modern Honey Network (MHN) and several other open source tools to make this easy.
Here were the topics we discussed:
After the lecture/discussion portion of the class we did a lab consisting of four exercises. Before the workshop, Nicholas and I pre-deployed almost 70 servers on Digital Ocean. Half of these servers were designated as MHN servers and had DNS entries, nginx configured with HTTPS, real SSL certificates, and Splunk pre-installed; the other half were designated as honeypot sensors and were simply bare-bones Linux boxes. The MHN servers were 2GB ubuntu-12-04-x64 droplets and the sensors were 1GB ubuntu-12-04-x64 droplets. Each student in the class got root access to their own MHN server and their own honeypot server. They were then given detailed instructions on how to deploy MHN to the first box and several sensors (Dionaea + Kippo + Snort + p0f) to the second. Once the sensors started collecting real attacks and probes, the students integrated their MHN server with Splunk as well as Elasticsearch, Logstash, and Kibana (ELK), and then built Kibana dashboards from their newly collected honeypot data.
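To give a feel for the last step of that lab (getting sensor sessions into a log pipeline and turning them into the kind of summaries a Kibana or Splunk dashboard shows), here is an added example. It is not code from the workshop materials or from the MHN project. The key=value line format is an assumption loosely modelled on what an MHN server writes for a log shipper; field names in a real deployment may differ and should be adapted. The sample records are constructed (RFC 5737 test addresses), not captured attack data.

```python
"""Parse honeypot session records and build dashboard-style summaries.

Added example, not code from the workshop or from the MHN project. The input
is an ASSUMED key=value line format loosely modelled on what an MHN server
writes for a log shipper (Splunk forwarder or Logstash); real output may
differ, so adapt the field names to your deployment.
"""
from collections import Counter, defaultdict
import json
import re

# Constructed sample records (not real attack data); addresses are RFC 5737
# documentation ranges. The last line is deliberate garbage to exercise
# the parser's error handling.
SAMPLE_LOG = """\
2015-08-10T14:02:11 src_ip=198.51.100.7 src_port=51234 dst_ip=10.0.0.5 dst_port=22 protocol=ssh honeypot=kippo sensor=lab-sensor-01
2015-08-10T14:02:15 src_ip=198.51.100.7 src_port=51240 dst_ip=10.0.0.5 dst_port=22 protocol=ssh honeypot=kippo sensor=lab-sensor-01
2015-08-10T14:03:02 src_ip=203.0.113.9 src_port=40001 dst_ip=10.0.0.5 dst_port=445 protocol=smbd honeypot=dionaea sensor=lab-sensor-01
2015-08-10T14:03:09 src_ip=203.0.113.9 src_port=40002 dst_ip=10.0.0.5 dst_port=1433 protocol=mssqld honeypot=dionaea sensor=lab-sensor-01
2015-08-10T14:03:11 src_ip=203.0.113.9 src_port=40003 dst_ip=10.0.0.5 dst_port=3306 protocol=mysqld honeypot=dionaea sensor=lab-sensor-01
2015-08-10T14:03:12 src_ip=203.0.113.9 src_port=40004 dst_ip=10.0.0.5 dst_port=21 protocol=ftpd honeypot=dionaea sensor=lab-sensor-01
2015-08-10T14:05:40 src_ip=192.0.2.33 src_port=33001 dst_ip=10.0.0.5 dst_port=22 protocol=ssh honeypot=kippo sensor=lab-sensor-01
this line is garbage and should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("src_port", "dst_port")


def parse_line(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"@timestamp": m.group("ts")}
    rec.update(KV_RE.findall(m.group("kv")))
    # Minimal schema check: a session needs at least a source and a target port.
    if "src_ip" not in rec or "dst_port" not in rec:
        return None
    for field in INT_FIELDS:
        if field in rec:
            try:
                rec[field] = int(rec[field])
            except ValueError:
                return None
    return rec


def parse_log(text):
    """Parse a whole log, silently dropping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def to_json_lines(records):
    """One JSON document per line, the shape a Logstash json codec or an
    Elasticsearch bulk index expects; ports are already integers so Kibana
    can aggregate on them."""
    return [json.dumps(r, sort_keys=True) for r in records]


def top_sources(records, n=5):
    """Most active attacking IPs, the usual first panel on a honeypot dashboard."""
    return Counter(r["src_ip"] for r in records).most_common(n)


def ports_by_honeypot(records):
    """Destination port histogram split per sensor type (kippo, dionaea, ...)."""
    out = defaultdict(Counter)
    for r in records:
        out[r.get("honeypot", "unknown")][r["dst_port"]] += 1
    return {hp: dict(c) for hp, c in out.items()}


def find_scanners(records, min_ports=3):
    """Sources that touched at least min_ports distinct destination ports: a
    cheap way to separate horizontal scanners from single-service attackers."""
    ports = defaultdict(set)
    for r in records:
        ports[r["src_ip"]].add(r["dst_port"])
    return sorted(ip for ip, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} sessions parsed")
    print("top sources:", top_sources(recs))
    print("ports by honeypot:", ports_by_honeypot(recs))
    print("scanners:", find_scanners(recs))
    print("first ES document:", to_json_lines(recs)[0])
```

The parser drops anything that does not match the expected shape instead of raising, which is what you want in a shipper that runs unattended; the counters are the same aggregations you would later express as Kibana terms panels or Splunk `stats count by src_ip` searches once the JSON documents are indexed.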
During the lab exercises, two students from two different organizations remotely logged in to their respective enterprise networks so they could start deploying MHN and honeypots immediately. This was unexpected, but we gladly helped them out. That this was possible in such a short amount of time shows how easy deploying honeypots can be if you have the right tools.
The slides we presented are available here:
The lab exercises are available here: Lab Exercises
If you wanted to run through all these exercises, here are the items that we did prior to the workshop (during deployment) that may not be obvious:
We plan to keep expanding the material for this class for future offerings. If you are interested in taking the next iteration of this course, please let us know by sending an email here: email@example.com.
Jason Trost is the VP of Threat Research at ThreatStream, Inc. and leads ThreatStream Labs, the research team. He has worked in security for more than ten years, and he has several years of experience leveraging big data technologies for security data mining and analytics. He is deeply interested in network security, DFIR, honeypots, big data and machine learning. He is currently focused on building highly scalable systems for processing, analyzing, and visualizing high speed network/security events in real-time as well as systems for analyzing massive amounts of malware. He is a regular attendee of Big Data and security conferences, and he has spoken at Blackhat, BSidesSF, BSidesLV, BSidesDC, FloCon, and Hadoop Summit. He has contributed to several security and big data related open source projects including the Modern Honey Network (MHN), BinaryPig, ElasticSearch, Apache Accumulo, and Apache Storm. He has held senior technical positions with the U.S. Department of Defense, Booz Allen Hamilton, and Endgame Inc. He holds a M.S. in Information Security from Georgia Institute of Technology and a B.S. in Computer Science from Florida State University.