HoneyNED chapter had a busy 2017

22 Dec 2017 Rogier Spoor chapter honeyned report

This is a contribute by HoneyNED chapter from the Netherlands about all their 2017 activities.

As the end of the year has come, we from HoneyNED, the Dutch Honeynet chapter, want to share what has happened during the year. We have worked on several projects in the honey space and a few members represented our chapter at the annual Honeynet workshop hosted in Australia. In this post, we will discuss what honeypots have been deployed, what projects are in the pipeline and what will be the focus in 2018. But let’s start by thanking the Honeynet community for all knowledge sharing, collaboration and code-sharing.

Honeypots

Since a while we have  multiple Cowrie SSH honeypots deployed, this year we were able to obtain a non-profit license from Splunk for 10GB a day which was an incredible acquisition as we were able to start collecting and analysing all the logs in one central solution. Together with a grant from Amazon on their EC2 platform,  we’re able to easily deploy multiple honeypots.

As we now have a good basis for collecting the data, we created a docker compose file which automated the installation and configuration of Cowrie honeypots and logging to Splunk so we could expand more quickly in the future.

Image 1: Honeypot activity of the last 3 months. Every color is a different honeypot

Sometimes some of them stopped unexpectedly as the data shows. Currently we restart the  honeypots manually, the idea is to make this automatic soon. We are being informed that a sensor is down via an alert sent from Splunk to our Slack channel, as seen in image 2.

Image 2: Slack alert from Splunk

With the help of the Tango Intelligence app some interesting statistics are available.

Image 3: High level overview of the last 30 days

Image 4: Top 10 users and passwords from October till the 19th of December

Image 5: Scanning location overview of the last 30 days

Lastly, we are grouping together scans by hashing the commands and listing the different countries, IP’s and via lookup which ISP the scanning IP belongs to.

Image 6: Scan correlations

Other projects

Next to our honeypots  some different projects are running within the chapter. A small subset:

  • URL shortening honeypot
  • Setting up MISP has been completed to share information with a broader community
  • Temporary mail service
  • Phish Catcher
  • Pastebin Scraping
  • Collect more data :)

Workshop

We had a blast!! Three members from our chapter got the opportunity to attend the annual workshop, this year held in Canberra. Ben Whitham did a very good job in organizing the whole thing and he really deserves all the credits for that. For us it was a very fruitful meeting, met old friends and made some new ones. We hope we can work together on some projects the upcoming year. We really hope the data sharing breakout session will lead to some concrete plans and implementation of a collaborative data sharing platform. Our offer to develop a Gollum to MISP plugin still stands!

Roadmap

For 2018, we want to keep working on promoting Honeynet and our chapter, sharing intelligence with peers and the community and continue to deploy honeypots and work on projects together.

Have a great and safe 2018!

The HoneyNED Chapter