MHN is an enterprise-ready honeypot management system which enables organizations to create a fully functional active-defense network in minutes.
Welcome to my talk on MHN, the Modern Honey Network, an open source honeynet management platform built by ThreatStream. So who am I? My name is Jason Trost. I'm a senior analytics engineer at ThreatStream, formerly of Endgame, Booz Allen Hamilton, Department of Defense, and Sandia National Labs. My background is primarily in doing big data security analytics. I'm a big advocate of open source, and an open source contributor. Here are some projects I've worked on in the past-- Binary Pig, a framework for doing large-scale malware static analysis using Hadoop, Apache Accumulo, which is a large-scale key value store built by the National Security Agency. I wrote its Pig integration, the Python integration, and built some analytics on top of it. Apache Storm, and then I've built some Elasticsearch plugins.

So who's ThreatStream? ThreatStream is a cyber security company founded in 2013, and recently closed a series A round with Google Ventures and Paladin Capital Group. We have a SaaS-based enterprise security product that provides actionable intelligence to large enterprises and government agencies. Our customers hail from the financial services, retail, energy, and technology sectors.

Here's the agenda for my talk. I'm going to go over the background of why honeypots are useful, and why we think MHN is necessary. I'll talk about the problem that MHN aims to solve. I'm going to talk about what MHN is. I'm going to go over the architecture for MHN, and all the open source components that are plugged together to make this system. I'm going to give a brief demo. And then I'm going to wrap up.

So, a background. Honeypots can be very, very useful. Especially if you deploy them behind your firewall, you can catch compromised hosts that are internally scanning your network, or hosts where you have a malicious insider doing something they shouldn't be. They're poking around the network, you can catch them. So they kind of can act as an early warning system.
They also are useful if you deploy them outside your network, especially at scale. So if you can deploy them outside your network, gather intelligence from them, and then also kind of combine honeypot data from other organizations across the internet, it's pretty useful. So for one, it's useful for threat feeds. Two, you can build reputation engines based on which IPs are performing scans at any given time, which IPs are doing things they really shouldn't be. You can look for attack trends, so which ports are being attacked, what times of day, et cetera. And then lastly, if you have this-- if you have honeypots deployed at scale, you can see is this IP attacking just me, or others. Is this a targeted attack that I'm kind of picking up on early, or is this just someone scanning the entire internet, and I just happened to be one of those networks they're scanning at this moment.

So what's the problem with this? Well the problem is deploying and managing honeypots is difficult. These activities are a lot harder than they should be. So installing honeypot packages, Honeynet Project has some great packages and some great sensors. But a lot of them are kind of hard to install. Managing these honeypot sensors once they're set up, setting up data flows, analyzing the collected data and actually making it actionable. And then because of this, we believe honeypots are not used as much as they could be in production. We really hope to change that with MHN.

So what is MHN? MHN is the Modern Honey Network. It's an open source platform for managing honeypots, collecting and analyzing their data. It makes it easy to deploy honeypots and get the data flowing very quickly. We built it using some existing open source tools, and we also added our own. So we're using hpfeeds, which is a framework for doing a collection of basically sensor data, primarily focused on honeypots. Mnemosyne is a project for collecting data via hpfeeds, and indexing that data into MongoDB.
Honeymap is a project for collecting data from hpfeeds and visualizing that data in real time. And then we use MongoDB for storage and search of the data. And right now, we support Dionaea, Conpot, and Snort. Snort is not a honeypot, but it is a very useful network sensor that we've integrated into the project anyway. Soon, we hope to integrate Suricata, another useful network sensor, Kippo, and some other honeypots.

So what is honeypot management? MHN automates management tasks that were pretty difficult, arguably, before we built this. Deploying new honeypots, setting up the data flows using hpfeeds, storage and indexing the resulting data, correlating the data with IP Geo, and then real-time visualization.

Here's the architecture for MHN. Starting on the left-hand side, we have sensors deployed either on your network or on the internet, such as on cloud host environments, such as Amazon AWS. They produce data. That data flows back to an hpfeeds collector. hpfeeds-- the hpfeeds collector is forking the data to Mnemosyne for storage and indexing of the data in MongoDB. And it's also sending the data to Honeymap for real-time visualization of that data. Next, we have a web app that we built on top of MongoDB. And we've built some REST APIs that expose this data so third-party applications can be built on top of this system. ThreatStream currently has a third-party application that's built on top of MHN. Our Optic platform, which is our SaaS-based threat management platform, uses MHN as one of our threat feeds. So we have tens of honeypots deployed across the internet. And those are collecting useful data, and our Optic system is using this data, using the REST APIs that MHN exposes.

Now I'm going to walk through a demo of the MHN web application. So this is the dashboard page. This is the first page you get to after you've logged into your MHN application.
The dashboard shows the attacks going on in the last 24 hours, the top attacking IPs, and the top attacked ports. All of this data is also accessible via an API.

The next piece of the UI that I want to show you is the map. This is based on the Honeymap Project from the Honeynet Project. This shows data coming in from hpfeeds in real time, and visualized on the screen. The attackers show up as red, and the honeypots show up as yellow. So anytime something touches your honeypot, things light up. As you can also see at the bottom, it has a scrolling log of activity. So you can see just a little bit more details than you can on the map. Hovering over one of these red blips shows you just a little bit more information. And then same with the yellow.

The next piece I wanted to show you is the attacks report. This is a tabular representation of the attack data as it comes in. So let's just refresh this, and we'll see the newest ones. So you can see, it's mostly coming in from-- for this page, it's mostly coming in from China. We have a little bit coming in from the US. It also shows you the destination port, the protocol, the type of honeypot that was scanned. It also allows you to do some pretty basic filtering, such as only show me information from a certain date, only show me information from a certain deployed honeypot, or only show me information from this specific honeypot that I have deployed.

Here's the Deployment page. So this is how you would start the process of deploying a new honeypot on a new machine. So let's deploy an Ubuntu Dionaea box. So what this allows you to do is view the script that we're actually going to use to deploy. So if you wanted to make modifications to the script, you could. And then next, all you need to do is copy and paste this command into a terminal, and it will deploy this specific Dionaea sensor, and get it all configured with your MHN server. So I'm going to go ahead and actually do that now. And as you can see, this is finished.
Let's clear the screen. Let's go over and check and make sure that it's actually there. So if I refresh the Sensors page, I should now see MHN Honeypot. It has no events associated with it. So let's click that, and let's generate some events. So on another terminal, just from my local machine, I have a simple bash while loop that's going to run wget on that machine's IP, and just discard its output. And then do this every two seconds. So start that. And this should generate some events coming from the honeypot. So let's refresh this. And as you can see, we have some events coming in. Let's also go to the map and see if we can see anything show up on the map. As you can see, the attacker, which is me, sitting in Atlanta, Georgia, is attacking the machine that's sitting in New York City, which is accurate, because that's where this DigitalOcean honeypot is deployed. That concludes my demo. And now I'm going to go back to the presentation.

MHN is open source under the GPL Version 3 license. You can find all the code on github.com/threatstream/MHN. Future work, we want to add support for more sensors. Suricata is another IDS sensor that we feel is pretty useful. Glastopf, Shiva, and Kippo are all honeypots that we want to deploy. We want to make a CEF output plug-in as part of the API to allow really easy integration with SIEMs, such as ArcSight. We want to have better support for Red Hat and CentOS sensors. Right now, we support Ubuntu very well, but our Red Hat and CentOS support is not as good. We want to build on that. And then lastly, we want to build more search and data exploration options for the Attacks Report page, just so you can kind of sift through this data in unique ways.

Here's my contact info if you'd like to get in touch with me. Thank you.
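The talk describes two analyses built on the indexed honeypot data: the dashboard summaries (attacks in the last 24 hours, top attacking IPs, top attacked ports) and the question of whether a source is hitting just one sensor or many of them. The script below is an added example written for this page, not code from the MHN project, Mnemosyne or Honeymap. It works over constructed JSON-lines records in an assumed shape (fields `timestamp`, `source_ip`, `destination_port`, `protocol`, `honeypot`, `sensor`); real documents stored by Mnemosyne in MongoDB will have their own schema and would need the field names adjusted.

```python
"""Dashboard-style aggregation over honeypot attack records.

Added example, not MHN project code. It models the summaries described in
the talk: attacks in a 24-hour window, top attacking IPs, top attacked ports,
and which sources were seen by more than one sensor (internet-wide scanning
versus activity that only one honeypot sees).
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records, one JSON document per line, in an ASSUMED
# record shape. Addresses are from the documentation ranges (RFC 5737).
SAMPLE_EVENTS = """\
{"timestamp": "2014-06-01T11:30:00Z", "source_ip": "203.0.113.5", "destination_port": 445, "protocol": "smbd", "honeypot": "dionaea", "sensor": "hp-nyc"}
{"timestamp": "2014-06-01T11:45:00Z", "source_ip": "203.0.113.5", "destination_port": 445, "protocol": "smbd", "honeypot": "dionaea", "sensor": "hp-sfo"}
{"timestamp": "2014-06-01T10:00:00Z", "source_ip": "203.0.113.5", "destination_port": 1433, "protocol": "mssqld", "honeypot": "dionaea", "sensor": "hp-nyc"}
{"timestamp": "2014-06-01T09:00:00Z", "source_ip": "198.51.100.7", "destination_port": 502, "protocol": "modbus", "honeypot": "conpot", "sensor": "hp-nyc"}
{"timestamp": "2014-06-01T08:00:00Z", "source_ip": "198.51.100.7", "destination_port": 502, "protocol": "modbus", "honeypot": "conpot", "sensor": "hp-nyc"}
{"timestamp": "2014-05-30T11:00:00Z", "source_ip": "192.0.2.9", "destination_port": 445, "protocol": "smbd", "honeypot": "dionaea", "sensor": "hp-sfo"}
{"timestamp": "2014-06-01T11:59:00Z", "source_ip": "192.0.2.9", "destination_port": 80, "protocol": "httpd", "honeypot": "dionaea", "sensor": "hp-nyc"}
"""

# Constructed "current time" so the 24-hour window is reproducible.
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines records, converting the ISO 8601 UTC timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["timestamp"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def in_window(events, now, hours=24):
    """Keep only events inside the trailing window ending at `now`."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in events if cutoff <= e["timestamp"] <= now]


def summarize(events, now, hours=24, top_n=10):
    """Build the dashboard-style summary for the trailing window."""
    recent = in_window(events, now, hours)
    ips = Counter(e["source_ip"] for e in recent)
    ports = Counter(e["destination_port"] for e in recent)

    # Which sensors saw each source: a source seen by several sensors looks
    # like broad scanning rather than interest in one specific host.
    sensors_by_ip = defaultdict(set)
    for e in recent:
        sensors_by_ip[e["source_ip"]].add(e["sensor"])
    multi_sensor = {ip: sorted(s) for ip, s in sensors_by_ip.items() if len(s) > 1}

    return {
        "attack_count": len(recent),
        "top_ips": ips.most_common(top_n),
        "top_ports": ports.most_common(top_n),
        "multi_sensor_ips": multi_sensor,
    }


def demo_summary():
    """Run the summary over the constructed sample at the constructed NOW."""
    return summarize(parse_events(SAMPLE_EVENTS), NOW)


if __name__ == "__main__":
    print(json.dumps(demo_summary(), indent=2))
```

Running it prints six attacks in the window (the two-day-old record is dropped), with 203.0.113.5 on top and flagged as seen by both `hp-nyc` and `hp-sfo`. With real data, `parse_events` would be replaced by a query against the MongoDB collection Mnemosyne writes to, and the same counters give the dashboard and attacks-report figures.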