Like bees to a honeypot - a journey through honeypots

Matthias Meidinger (VMRay)

Honeypots can provide valuable insights into the threat landscape both in the open Internet and in your internal network. Deploying them correctly isn't always easy, just like interpreting activity on them.

This talk aims to convey the knowledge for everyone to start deploying their own honeypot infrastructure and benefit from it. It highlights considerations and pitfalls that can be encountered in the deployment of different honeypots and the supporting infrastructure. Furthermore, the talk showcases automation, aggregation and visualization of honeypot activity based on a production deployment.

The deployment of honeypots can be interesting for different reasons, for example for blue teams to know whether malicious activity is present in an internal network, or for researchers to get an overview of the broader threatscape, current malware payloads or ongoing credential stuffing campaigns.

As public honeypots tend to produce a large amount of logs, manual evaluation is a time-consuming and exhausting process. This is where automation, log aggregation and visualization come in handy. Well-designed dashboards can convey currently ongoing campaigns, most-used credentials, or even accumulations of unusual behaviour at a glance, which will be illustrated with currently running production Splunk dashboards. Automation and management opportunities will be showcased on the basis of MISP and TheHive, which are integrated into the workflow as well.
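As an added illustration of the aggregation step described above (example code written for this page, not the speaker's tooling or the dashboards released with the talk), the following Python script turns a handful of constructed honeypot login events into the two summaries a dashboard panel would show: the most-used credentials and sources with an unusual burst of attempts. The JSON-per-line layout, the field names (eventid, src_ip, username, password, timestamp) and the sample addresses are assumptions for this example, not a specific honeypot's schema.

```python
import json
from collections import Counter

# Constructed sample log: one JSON event per line, loosely modelled on the
# login events an SSH honeypot emits. The field names used here (eventid,
# src_ip, username, password, timestamp) are assumptions for this example,
# not a specific honeypot's schema. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"eventid": "login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "123456", "timestamp": "2020-09-01T10:00:01Z"}
{"eventid": "login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "password", "timestamp": "2020-09-01T10:00:02Z"}
{"eventid": "login.failed", "src_ip": "203.0.113.10", "username": "admin", "password": "admin", "timestamp": "2020-09-01T10:00:03Z"}
{"eventid": "login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "123456", "timestamp": "2020-09-01T10:00:04Z"}
{"eventid": "login.success", "src_ip": "198.51.100.7", "username": "root", "password": "123456", "timestamp": "2020-09-01T10:05:00Z"}
{"eventid": "login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry", "timestamp": "2020-09-01T10:05:30Z"}
{"eventid": "login.failed", "src_ip": "192.0.2.55", "username": "admin", "password": "admin", "timestamp": "2020-09-01T10:09:00Z"}
this line is not JSON and must be skipped rather than crash the pipeline
{"eventid": "session.closed", "src_ip": "192.0.2.55", "timestamp": "2020-09-01T10:09:05Z"}
"""

# Event types that carry a credential pair (assumed names).
LOGIN_EVENTS = {"login.failed", "login.success"}


def parse_events(raw):
    """Parse JSON-per-line log text, dropping lines that are not valid JSON objects."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it instead of aborting the whole batch
        if isinstance(obj, dict):
            events.append(obj)
    return events


def login_attempts(events):
    """Keep only events that carry both a username and a password."""
    return [e for e in events
            if e.get("eventid") in LOGIN_EVENTS and "username" in e and "password" in e]


def top_credentials(events, n=5):
    """Most frequently tried username:password pairs (the 'most-used credentials' panel)."""
    counts = Counter(f"{e['username']}:{e['password']}" for e in login_attempts(events))
    return counts.most_common(n)


def bursty_sources(events, threshold):
    """Sources with at least `threshold` login attempts (an 'unusual accumulation' signal)."""
    counts = Counter(e["src_ip"] for e in login_attempts(events))
    return {ip: c for ip, c in counts.items() if c >= threshold}


def successful_logins(events):
    """(src_ip, username) for every accepted login: the sessions worth a closer look."""
    return [(e["src_ip"], e["username"]) for e in events if e.get("eventid") == "login.success"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("parsed events:", len(evs))
    print("top credentials:", top_credentials(evs))
    print("bursty sources:", bursty_sources(evs, threshold=4))
    print("successful logins:", successful_logins(evs))
```

The malformed line in the sample is deliberate: a public honeypot will eventually emit something that does not parse, and a pipeline that drops the bad line and keeps going is what lets the dashboards stay populated unattended.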

The talk is structured to mirror the speaker's journey of deploying, customizing and visualizing the currently running infrastructure, including live examples, curious findings and entertaining slips from users as well as maintainers.

Alongside the talk, the showcased Splunk dashboards will be made available publicly, as well as extensions to automatically upload payloads from honeypots to MISP cases and two custom honeypots that are currently in use in the production deployment (mail & IP webcam honeypots). 


Matthias Meidinger

Matthias Meidinger is a software engineer with focus on tooling and automation for the Labs department of VMRay. He is responsible for building infrastructure and developing tools that assist and enrich the workflow of threat researchers working in the Labs. With a heavy background in DevOps and automation, building pipelines, collecting and visualizing malicious data and actors is his main area of expertise. This is rounded off by network security and OSINT based on collected data. In his free time he enjoys playing CTFs and practising photography.

@mat_zilla
