A couple of weeks ago, Nicholas Albright and I from ThreatStream Labs offered a workshop at BSidesLV 2015 on Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open Source Tools. This was a packed class, and we ended up having more attendees than the maximum class size. This made teaching the class a lot of fun and very interactive. In this blog post we will recap some of what we did and provide the training materials so others can try them out.
The workshop was four hours long and consisted of ~2 hours of lecture and discussion and then ~2 hours of lab exercises. It covered details of our experience with using honeypots in the enterprise and using the Modern Honey Network (MHN) and several other open source tools to make this easy.
Here are the topics we discussed:
- Intro to Honeypots
- Why Honeypots
- Low Interaction vs High Interaction
- Enterprise Integration of Honeypot Sensors
- Enterprise Use Cases
- Leveraging Honeypot Data
- Deployment Decisions
- Honeypot Profile Tuning
- Honeypot Maintenance and Management
- Honeypot Data Analytics
- Honeypot Enterprise Integration
- Data Aggregation
- Dashboards and Reporting
- Data Exploration and Analysis
- Intro to Modern Honey Network (MHN)
- SIEM Integration Scenarios
- Useful Honeypots for Enterprise Use
- Dionaea and Amun
- Web App Honeypots
- NoSQL Honeypots
After the lecture/discussion portion of the class we did a lab consisting of four exercises. Before the workshop, Nicholas and I pre-deployed almost 70 servers on DigitalOcean. Half of these servers were designated to be MHN servers and had DNS entries, nginx configured with HTTPS, real SSL certs, and Splunk pre-installed; the other half were designated as honeypot sensors and were simply bare-bones Linux boxes. The MHN servers were 2GB ubuntu-12-04-x64 boxes and the sensors were 1GB ubuntu-12-04-x64 boxes. Each student in the class got root access to their own MHN server and their own honeypot server. They were then provided detailed instructions on how to take these servers and deploy MHN to one and several sensors (Dionaea + Kippo + Snort + p0f) to the other. After they started collecting real attacks/probes, they integrated their MHN server with Splunk as well as Elasticsearch, Logstash, and Kibana (ELK), and then proceeded to create Kibana dashboards with their newly obtained honeypot data.
During the lab exercises, two students from two different organizations remotely logged in to their respective enterprise networks so they could start deploying MHN and honeypots immediately. This was unexpected, but we gladly helped them out. The fact that this was possible in such a short amount of time shows how easy deploying honeypots can be if you have the right tools.
The slides we presented are available here:
The lab exercises are available here: Lab Exercises
If you want to run through all these exercises, here are the items we did prior to the workshop (during deployment) that may not be obvious:
- register a domain name (ex: mhn-server.com).
- buy an SSL certificate (we used a wildcard cert so we could have many sub-domains just for the class, but this is not necessary).
- configure nginx for HTTPS for all web-based services (see attached config files -- you will need to change "/etc/ssl/private/wildcard.mhn-server.com.pem" to whatever your cert path is).
- install Splunk on the MHN server (this is straightforward; we just wanted to save time).
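The nginx HTTPS front end from the steps above, written out as an added example (this is not the workshop's attached config file). It reuses the certificate path named on this page; the private-key path, the sub-domain, and the backend port (127.0.0.1:8000, Splunk Web's default) are assumptions you will need to adjust for each service you front.

```nginx
# Added example, not the workshop's own config. Assumed values are marked.

# Plain HTTP: redirect everything to HTTPS so web-UI logins never travel in the clear.
server {
    listen 80;
    server_name splunk.mhn-server.com;   # assumed sub-domain under the class domain
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name splunk.mhn-server.com;   # assumed sub-domain

    # Certificate (chain) path from the page; the key path is a placeholder.
    ssl_certificate     /etc/ssl/private/wildcard.mhn-server.com.pem;
    ssl_certificate_key /etc/ssl/private/wildcard.mhn-server.com.key;   # PLACEHOLDER

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Ask browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        # Assumed backend: Splunk Web on its default port 8000
        # (Kibana 4 listens on 5601 by default; use a separate server
        # block per sub-domain and point it at the matching port).
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Keep the backend services bound to 127.0.0.1 so the only reachable path is the TLS listener, and note that with a wildcard cert the private key on the MHN server covers every sub-domain of the class domain, so it deserves tight file permissions and should not be copied to the sensor boxes, which only need to talk to the MHN server over hpfeeds. If you front the MHN web UI itself, fold the TLS directives into the nginx site that MHN's installer already sets up rather than adding a second server block on port 80.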
We plan to keep expanding the material for this class for future offerings. If you are interested in taking the next iteration of this course, please let us know by sending an email here: firstname.lastname@example.org.