Meet Lukas Rist, our new Chief Research Officer

28 Dec 2016 Roberto Tanara cro research

Back in November, the Honeynet Project announced the appointment of a new Chief Research Officer: Lukas Rist took the role after a long and successful tenure by David Watson. The research office will also be supported by Maximilian Hils and Cornelius Aschermann.

Lukas is a German living in Norway: after working on Symantec’s malware sandbox solution, he switched to the team running the back-end systems. Among other things, he’s responsible for a system analyzing between 500k and one million potentially malicious samples per day, producing the behavioral data used by Symantec analysts for threat hunting.

DDOS alerting service

24 Nov 2016 Rogier Spoor ddos-honeypot

SIDN Fund offers financial support for DDOS alerting service

Within our HoneyNED chapter, two people are working on DDOS detection techniques using honeypot technology. The knowledge of which DDOS attacks are ‘running’ and which sites are under attack is interesting for a broader audience than our HoneyNED chapter. We’ve decided to start creating a public DDOS alerting service and have applied to SIDN Fund for financial support.

SIDN Fund stands for ‘a strong internet for all’ and provides financial support to ideas and projects that aim to make the internet stronger or that use the internet in innovative ways. By doing so, SIDN Fund wants to help increase the social impact of the internet in the Netherlands. SIDN Fund is an independent foundation established by SIDN, the foundation for internet domain registration in the Netherlands.

Email analysis with SpamScope

02 Nov 2016 Fedele Mantuano email spam spamscope

SpamScope (https://github.com/SpamScope/spamscope) is a fast and advanced tool for email analysis developed by Fedele Mantuano (@fedelemantuano). The analysis engine is based on Apache Storm and Streamparse.

Why use Apache Storm?

Apache Storm works with streams, and in this case we analyze a stream of email messages. Apache Storm allows you to start small and scale horizontally as you grow: simply add more workers, which can run on different hosts.

An application is designed as a “topology” in the shape of a directed acyclic graph (DAG) with spouts and bolts acting as the graph vertices. Together, the topology acts as a data transformation pipeline.

Initial analysis of four million login attempts

09 Sep 2016 Johnny Vestergaard analysis heralding honeypot

Introduction

This blog post is a follow-up to an earlier article, where I set out to conceive a system that could deliver the data needed to answer 5 specific questions.

The setup

To provide the data needed for this analysis, my setup consisted of 4 VPS situated respectively at Amazon EC2, Azure, MeeBox and a Danish ISP end-user connection. Even though the same 4 VPS were used throughout the data collection, 6 different IP addresses were used for the honeypots; the reason for this was that one of the honeypots had a dynamically assigned IP address. As mentioned in an earlier article, all honeypots were running Heralding. The technical setup was automated with Ansible.

A new and improved version of Rumal

05 Sep 2016 Roberto Tanara gsoc gsoc2016 rumal thug

Thug is a client honeypot that emulates a real web browser: it fetches and executes any internal or external JavaScript, follows all redirects and downloadable files just like any browser would, and collects the results in a MongoDB collection. The purpose of this tool is to study, analyse and locate exploit kits and malicious websites. Thug’s analysis can be difficult to navigate or understand, and this is where Rumal comes in. Rumal’s function is to be Thug’s GUI, providing users with trees, graphs, maps, tables and intuitive representations of Thug’s data.

Introduction to CuckooML: Machine Learning for Cuckoo Sandbox

26 Aug 2016 Roberto Tanara cuckoo gsoc

CuckooML is a GSoC 2016 project by Kacper Sokol that aims to make it possible to find similarities between malware samples based on static and dynamic analysis features of binaries submitted to Cuckoo Sandbox. By using anomaly detection techniques, such a mechanism is able to cluster and identify new types of malware and can constitute an invaluable tool for security researchers.

It’s all about data...

Malware datasets tend to be relatively large and sparse. They are mostly made of categorical and string data, hence there is a strong need for good feature extraction approaches to obtain numerical vectors that can be fed into machine learning algorithms [e.g. Back to the Future: Malware Detection with Temporally Consistent Labels; Miller B., et al.]. Another common problem is concept drift, the continuous variation of malware statistical properties caused by the never-ending arms race between malware and antivirus developers. Unfortunately, this makes fitting the clusters even harder and requires the chosen approach to be either easy to re-train or adaptable to the drift, with the latter option being more desirable.

The Honeynet Project Partners With DigitalOcean To Drive Internet Security Research

27 Jul 2016 Roberto Tanara

DigitalOcean, a leading cloud computing platform, announced its support of The Honeynet Project with a donation of Web infrastructure and support services. The partnership will allow The Honeynet Project to continue its mission of ongoing research and education surrounding Internet security and risk prevention.

“We’re incredibly grateful to DigitalOcean for their support,” said Faiz Shuja, CEO of The Honeynet Project. “As an open source research organization, this donation will prove extremely valuable in supporting our members working to make the Internet a safer place.”

The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. Founded in 1999, The Honeynet Project has contributed to the fight against malware and malicious hacking attacks and counts leading security professionals among its members and alumni. Our mission reads “to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned”.

DigitalOcean’s simple approach to cloud infrastructure enables software developers like those involved with The Honeynet Project to build new technologies that analyze and moderate online behaviors. These technologies are in place across the world to protect individuals, companies, and other entities from malware and other malicious attacks.

“We want to ensure that The Honeynet Project has continued success in their mission,” says Nick Vigier, Security Director of DigitalOcean. “Our ongoing partnership with top security researchers made this collaboration a natural decision. We are strong believers in the project and we’re happy to do our part to increase awareness of threats on the Internet.”

The Honeynet Project intends to use the enhanced resources donated by DigitalOcean to continue building new technologies that benefit the online community.

GSoC 2016 Student Selection Officially Announced

30 Apr 2016 David Watson gsoc

At the end of February we were very happy to announce that The Honeynet Project had once again been selected to be a mentoring organization in Google Summer of Code (GSoC) 2016.

Since then, there has been a flurry of activity: GSoC 2016 student applications opened on March 14th at 19:00 UTC and closed on March 25th at 19:00 UTC. We received 54 student project applications, and our 24 mentors and org admins were hard at work in the following weeks assessing them and the students who applied. This is always the busiest part of GSoC for us, and with some significant changes to the GSoC program and supporting systems we suspected it might be one of the busiest times ever. But in fact, this year went pretty smoothly for us. We actually faced fewer difficult selection decisions than normal, which was a bit of a surprise.

Heralding - the credentials catching honeypot

23 Mar 2016 Johnny Vestergaard heralding honeypot

Sometimes (actually, most times) you don’t need advanced deception technology, but rather just a simple tool to answer some simple questions. I was recently in that situation, and needed the answers to the following questions:

  • Which protocols does my adversary try to brute-force?

  • Which username and password did he use?

  • At which speed did he brute-force?

  • Where did he proxy from?

  • What time of day did he brute-force?

To answer these questions, I needed a tool that would output something similar to:

Honeynet Project accepted as mentoring org in GSoC 2016!

29 Feb 2016 David Watson gsoc

As I blogged two weeks ago, after some great student projects between 2009 and 2015, The Honeynet Project had applied again this year to be a mentoring organization in Google Summer of Code (GSoC) 2016.

After a few anxious days of waiting, Google today published the official list of accepted GSoC 2016 mentoring organizations. The great news is that we have been accepted once again. Hurrah!

GSoC 2016 student applications open on March 14th at 19:00 UTC and close on March 25th at 19:00 UTC.