Most defenders only learn what attackers can do after recovering from a successful attack. Evaluating forensic evidence can tell you a lot. While this is still useful, wouldn’t it be better to learn from your adversaries without risking your production systems or sensitive data? There is a way. Use some bait and watch. Honeypots to the rescue! Josh Pyorre will tell you in his presentation how this works.
Honeypots and honeypot networks can assist security researchers in understanding different attacker techniques across a variety of systems. This information can be used to better protect our systems and networks, but it takes a lot of work to sift through the data. Installing a network of honeypots to provide useful information should be an easy task, but there just isn’t much to tie everything together in a useful manner. I will demonstrate how I have leveraged existing honeypot frameworks and applications with tools such as ElasticSearch and Logstash, python scripts, third party API’s and other various techniques to process and automate the analysis of attack data. All the code and instructions will be made available for others to work with. Some of my more recent security-related blog posts illustrate the information you can retrieve by using honeypot systems:
We recommend Josh’s talk for everyone running infrastructure (regardless on which hosting platform) and applications exposed to the Internet.
Josh Pyorre is a security analyst with OpenDNS. Previously, he was a threat analyst at NASA, where he was part of the team to initially help build the Security Operations Center. He has also done some time at Mandiant. His career in computer security has spanned 15 years, with interests involving network, computer and data security and a continuing goal to maintain and improve the security of as many systems, data and networks as possible. Josh has presented at Defcon, multiple Bsides across the USA, Source Boston, Source Seattle and DerbyCon. He was also recently on an episode of Security Weekly.