August 17, 2015 - Jason Trost

Deploying, Managing, and Leveraging Honeypots in the Enterprise Using Open Source Tools

<p>A couple of weeks ago, <a href="https://twitter.com/nma_io" target="_blank">Nicholas Albright</a> and <a href="https://twitter.com/jason_trost">I</a> from ThreatStream Labs offered a workshop at <a href="https://www.bsideslv.org/" target="_blank">BSidesLV 2015</a> on <a href="https://bsideslv2015.sched.org/event/669041273f9b9a0dc948ea533b1d17d9#.VdIKjBNVhBc" target="_blank">Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open Source Tools</a>. This was a packed class, and we ended up with more attendees than the maximum class size. This made teaching the class a lot of fun and very interactive. In this blog post we recap some of what we did and provide the training materials so others can try them out.</p><p>The workshop was four hours long and consisted of roughly two hours of lecture and discussion followed by roughly two hours of lab exercises. It covered our experience using honeypots in the enterprise, and how the <a href="https://github.com/Pwnlandia/mhn" target="_blank">Modern Honey Network (MHN)</a> and several other open source tools make this easy.</p><h2>Workshop Outline</h2><p>Here are the topics we discussed:</p><ul><li>Intro to Honeypots<ul><li>Why Honeypots</li><li>Low Interaction vs High Interaction</li></ul></li><li>Enterprise Integration of Honeypot Sensors<ul><li>Enterprise Use Cases</li><li>Leveraging Honeypot Data</li><li>Deployment Decisions</li><li>Honeypot Profile Tuning</li><li>Honeypot Maintenance and Management</li><li>Honeypot Data Analytics</li><li>Honeypot Enterprise Integration<ul><li>Data Aggregation</li><li>Dashboards and Reporting</li><li>Alerting</li><li>Data Exploration and Analysis</li></ul></li><li>Intro to Modern Honey Network (MHN)</li><li>SIEM Integration Scenarios</li></ul></li><li>Useful Honeypots for Enterprise Use<ul><li>Dionaea and Amun</li><li>Kippo</li><li>Conpot</li><li>Web App Honeypots</li><li>NoSQL Honeypots</li><li>p0f/Snort/Suricata</li></ul></li></ul><h2>Lab 
Exercises</h2><p>After the lecture/discussion portion of the class we did a lab consisting of four exercises. Before the workshop, Nicholas and I pre-deployed almost 70 servers on <a href="https://www.digitalocean.com/?refcode=8a81a7023a79" target="_blank">Digital Ocean</a>. Half of these servers were designated as MHN servers and had DNS entries, nginx configured for HTTPS, real SSL certificates, and Splunk pre-installed; the other half were designated as honeypot sensors and were simply bare-bones Linux boxes. The MHN servers were 2GB <a href="https://www.digitalocean.com/features/linux-distribution/ubuntu/" target="_blank">ubuntu-12-04-x64</a> boxes and the sensors were 1GB <a href="https://www.digitalocean.com/features/linux-distribution/ubuntu/" target="_blank">ubuntu-12-04-x64</a> boxes. Each student in the class got root access to their own MHN server and their own honeypot server. They were then given detailed instructions on how to deploy MHN to one server and several sensors (Dionaea + Kippo + Snort + p0f) to the other. Once they started collecting real attacks and probes, they integrated their MHN server with Splunk as well as <a href="https://www.elastic.co/products/elasticsearch" target="_blank">Elasticsearch</a>, <a href="https://www.elastic.co/products/logstash" target="_blank">Logstash</a>, and <a href="https://www.elastic.co/products/kibana" target="_blank">Kibana</a> (ELK), and then built Kibana dashboards from their newly collected honeypot data.</p><p>During the lab exercises, two students from two different organizations remotely logged in to their respective enterprise networks so they could start deploying MHN and honeypots immediately. This was unexpected, but we gladly helped them out. 
The fact that this was possible in such a short amount of time shows how easy deploying honeypots can be if you have the right <a href="https://github.com/Pwnlandia/mhn" target="_blank">tools</a>.</p><p><img alt="" src="https://cdn.filestackcontent.com/C6PmQY63Re28NtTOPFxb" style="height: 424px; width: 701px;"/></p><h2>Workshop Materials</h2><p>The slides we presented are available <a href="http://www.slideshare.net/jasontrost/deploying-managing-and-leveraging-honeypots-in-the-enterprise-using-open-source-tools" target="_blank">here</a>:</p><p><iframe allowfullscreen="" frameborder="0" height="569" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/vWZOj7emejpnlv" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" width="700"></iframe></p><p>The lab exercises are available here: <a href="http://bit.ly/honey-labs" target="_blank">Lab Exercises</a></p><p><a href="http://bit.ly/honey-labs" target="_blank"><img alt="" src="https://cdn.filestackcontent.com/FYi9WdVESmOMyMOmnOCu" style="width: 310px; height: 400px;"/></a></p><p>If you want to run through all of these exercises, here are the steps we completed before the workshop (during deployment) that may not be obvious:</p><ol><li>Register a domain name (e.g. mhn-server.com).</li><li>Buy an SSL certificate (we used a wildcard cert so we could have many sub-domains just for the class, but this is not necessary).</li><li>Configure nginx for HTTPS for all web-based services (see the attached config files; you will need to change "/etc/ssl/private/wildcard.mhn-server.com.pem" to whatever your cert path is).</li><li>Install Splunk on the MHN server (this is straightforward; we just wanted to save time).</li></ol><p>We plan to keep expanding the material for this class for future offerings. 
If you are interested in taking the next iteration of this course, please let us know by sending an email here: <a href="mailto:info+mhn+class@threatstream.com">info+mhn+class@threatstream.com</a>.</p><p>Lastly, if any of this material interests you... ThreatStream Labs is looking for exceptional <a href="https://www.anomali.com/company/careers">Security Research Engineers</a> and <a href="https://www.anomali.com/company/careers">Threat Researchers</a>.</p><p>--Jason<br/> <a href="https://twitter.com/jason_trost" target="_blank">@jason_trost</a></p>
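<p>For the nginx HTTPS step in the pre-deployment list above, here is an added example of the kind of server block involved. It is not one of the workshop's attached config files: it assumes the MHN web UI is listening locally on port 8000 (a placeholder), reuses the certificate path quoted in the post, and assumes the private key sits in a separate file at an invented path. Adjust the hostname, upstream port, and both paths for your own deployment.</p>

```nginx
# Added example (not the workshop's attached config). Assumed values are marked below.

# Send every plain-HTTP request to HTTPS so MHN logins never travel in clear text.
server {
    listen 80;
    server_name mhn.mhn-server.com;          # assumed hostname under the post's domain
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mhn.mhn-server.com;          # assumed hostname under the post's domain

    ssl_certificate     /etc/ssl/private/wildcard.mhn-server.com.pem;  # path from the post
    ssl_certificate_key /etc/ssl/private/wildcard.mhn-server.com.key;  # assumed key path
    ssl_protocols       TLSv1.2;             # refuse SSLv3/TLS1.0 for the admin interface
    ssl_prefer_server_ciphers on;

    # Ask browsers to keep using HTTPS for this host (one year).
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass         http://127.0.0.1:8000;   # assumed local port of the MHN web UI
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

<p>The Splunk and Kibana interfaces deployed for the class would each get a block of the same shape with their own <code>server_name</code> and <code>proxy_pass</code> target, which is why a wildcard certificate was convenient. Run <code>nginx -t</code> after editing to confirm the configuration and certificate paths parse before reloading.</p>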