Splunking The Modern Honey Network: Community Data (Part 4)

February 21, 2017 | David Greenwood

Over the last 3 weeks, I’ve looked at: ingesting Modern Honey Network data into Splunk, adding context to MHN data using threat feeds, and creating alerts using MHN data.

In this post I am going to give you a brief insight into the data that was reported back from the MHN honeypots in January 2017.

About MHN Community Data

The MHN Server reports anonymised attack data back to a central Anomali datastore. You can control what data from your honeypots is shared. After some analysis we also incorporate some MHN Community data into a threat feed in our Anomali Threatstream platform. Hint: you can find it in the App Store.

We provide access to the MHN Community data for those who are sharing honeypot data with us. You can read more about gaining access to the data here.

MHN Community Data Stats

Overview

There were almost 85 million distinct honeypot events. We saw peak attack volume on January 1st, when 4.32 million events were reported. This fell to 1.8 million on January 6th (the third lowest daily volume; only January 30th and 31st saw fewer events).

Honeypot Types

Digging slightly deeper, the p0f honeypots produce the most events.

The table above shows events received by each distinct p0f honeypot. You’ll notice one p0f honeypot accounts for almost 11 million events alone — over 30% of all p0f events (there were 35.2 million p0f events in total).

Honeypot Source IPs

The source IP seen most across our honeypot network in January 2017 was 144.217.68.19 (almost 322,000 distinct events across 50+ honeypots). However, looking at individual attack data, 309,000 of these were against a single honeypot.

There are a number of internal IPs (10.x) in the top 20 shown below which are probably the result of local honeypot testing (note: a single internal IP is likely reporting data from a high number of distinct sources).

Digging deeper on the top IP, 144.217.68.19, in the Threatstream platform: the IP is listed as an IOC by 4 threat feeds, reported as a phishing IP, a brute force IP, and a scanning IP (unsurprising that it is reported as a scanning IP given the number of events).

Further reading

The MHN documentation is the perfect starting point if you’re interested in gaining access to the MHN Community data or want to learn more about how data sharing works.

Exploring The Modern Honey Network

This is the last in the series of Splunking the Modern Honey Network posts. You can find them all, along with all our previous MHN posts, on the Anomali Blog.
