Modern Honey Network
Internal Breach Monitoring & Detection with the Modern Honey Network
Jason Trost, Director of ThreatStream Labs
FloCon 2015, January 12-15, 2015 | Portland, OR

Modern Honey Network (MHN)
- Free and Open Source (GPLv3) platform for deploying and managing honeypots.
- Makes deploying honeypots easy
- Includes APIs for leveraging all data collected
- Leverages: Python/Flask, hpfeeds, mnemosyne, honeymap, and MongoDB
- Sensors supported: Dionaea, Conpot, Snort, Kippo, Glastopf, Amun, Wordpot, Shockpot, p0f

DMZ Deployment
[Diagram: DMZ network with honeypots alongside DMZ hosts]
- Deploy honeypots on the DMZ LAN
- Accessible by other DMZ hosts, but not exposed to the public Internet (reduces noise)
- Aims to catch compromises of DMZ hosts if they start scanning
- Meant to augment existing detection and monitoring technologies, not replace them
- Low noise: compromised systems, lateral movement attempts, misconfigured systems, misbehaving internal hosts, penetration testers

Enterprise Deployment
[Diagram: enterprise network with honeypots alongside workstations and servers]
- Deploy alongside enterprise workstations and servers
- Configure to mimic real systems as much as possible, including DNS entries
- Only discoverable by network probes or DNS zone transfers (i.e. don't advertise that they are there)
- Low noise: compromised systems, lateral movement attempts, misconfigured systems, misbehaving internal hosts, penetration testers
- Any interaction with honeypots should be investigated

Architecture
[Diagram: Ingest -> Viz; APIs; syslog -> SIEM alerts]
- https://github.com/threatstream/mhn
- Sensors report events in real time via hpfeeds
- Events are enriched, indexed, and stored in MongoDB
- MHN web app enables exploration and visualization
- JSON APIs expose events for integration with other systems

[Diagram: DMZ, Internet, Internal Network]
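The slides say every interaction with an internal or DMZ honeypot should be investigated and that MHN exposes events over JSON APIs for integration with a SIEM. The following is an added example (not code from the slides or from the MHN project) that triages a batch of MHN-style session events: it raises one alert per event from a source inside the monitored ranges and escalates any source that touched several distinct honeypot ports, which is the "compromised host starts scanning" case the deck describes. The event field names, the address ranges and the sample events are assumptions constructed for the example.

```python
"""Triage MHN honeypot events: alert on any internal-network source that
touches a honeypot, and escalate sources that look like they are scanning."""
import ipaddress
import json
from collections import defaultdict

# Assumed: address ranges of the monitored DMZ and internal LAN (not from the slides).
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SCAN_THRESHOLD = 3  # distinct honeypot ports hit by one source before it is called a scan

# Constructed sample events, shaped like MHN session records (field names are assumptions).
SAMPLE_EVENTS = """
{"timestamp": "2015-01-12T10:00:01Z", "source_ip": "10.1.5.23", "destination_port": 22, "honeypot": "kippo", "protocol": "ssh"}
{"timestamp": "2015-01-12T10:00:02Z", "source_ip": "10.1.5.23", "destination_port": 445, "honeypot": "dionaea", "protocol": "smbd"}
{"timestamp": "2015-01-12T10:00:03Z", "source_ip": "10.1.5.23", "destination_port": 80, "honeypot": "glastopf", "protocol": "http"}
{"timestamp": "2015-01-12T10:00:04Z", "source_ip": "10.1.5.23", "destination_port": 502, "honeypot": "conpot", "protocol": "modbus"}
{"timestamp": "2015-01-12T10:01:00Z", "source_ip": "192.168.7.8", "destination_port": 3306, "honeypot": "dionaea", "protocol": "mysqld"}
{"timestamp": "2015-01-12T10:02:00Z", "source_ip": "203.0.113.9", "destination_port": 22, "honeypot": "kippo", "protocol": "ssh"}
"""

def is_internal(ip):
    """True when the source address falls inside one of the monitored ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)

def triage(lines):
    """Return (alerts, scanners): one syslog-style alert line per event from an
    internal source, plus the set of internal sources that hit SCAN_THRESHOLD
    or more distinct honeypot ports."""
    alerts, ports_by_src = [], defaultdict(set)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        src = ev["source_ip"]
        if not is_internal(src):
            continue  # outside the monitored ranges: left to the ordinary Internet-facing pipeline
        ports_by_src[src].add(ev["destination_port"])
        alerts.append(f"MHN-INTERNAL src={src} dport={ev['destination_port']} "
                      f"honeypot={ev['honeypot']} proto={ev['protocol']} ts={ev['timestamp']}")
    scanners = {s for s, ports in ports_by_src.items() if len(ports) >= SCAN_THRESHOLD}
    return alerts, scanners

if __name__ == "__main__":
    found_alerts, found_scanners = triage(SAMPLE_EVENTS)
    for a in found_alerts:
        print(a)
    for s in sorted(found_scanners):
        print(f"MHN-SCAN src={s} distinct_ports>={SCAN_THRESHOLD} escalate-to-IR")
```

Feeding the same records into a SIEM would normally be done from the MHN JSON API or the syslog output shown on the Architecture slide; the threshold and ranges are tuning knobs for the environment.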