Augmenting Netflow with the Honeypot Data for Internal Breach Monitoring and Detection
Transcript of Augmenting Netflow with the Honeypot Data for Internal Breach Monitoring and Detection
Modern Honey Network
Internal Breach Monitoring & Detection with the Modern Honey Network
Jason Trost Director of ThreatStream Labs
FloCon 2015, January 12-15, 2015 | Portland, OR
Modern Honey Network (MHN)
- Free and Open Source (GPLv3) platform for deploying and managing honeypots
- Makes deploying honeypots easy
- Includes APIs for leveraging all data collected
- Leverages: Python/Flask, hpfeeds, mnemosyne, honeymap, and MongoDB
- Sensors supported: Dionaea, Conpot, Snort, Kippo, Glastopf, Amun, Wordpot, Shockpot, p0f

DMZ Deployment
- Deploy honeypots on the DMZ LAN
- Accessible by other DMZ hosts, but not exposed to the public Internet (reduces noise)
- Aims to catch compromises of DMZ hosts if they start scanning
- Meant to augment existing detection and monitoring technologies, not replace them
- Low noise: compromised systems, lateral movement attempts, misconfigured systems, misbehaving internal hosts, penetration testers

Enterprise Deployment
(Diagram: Enterprise Network)
- Deploy alongside enterprise workstations and servers
- Configure to mimic real systems as much as possible, including DNS entries
- Only discoverable by network probes or DNS zone transfers (i.e. don't advertise that they are there)
- Low noise: compromised systems, lateral movement attempts, misconfigured systems, misbehaving internal hosts, penetration testers
- Any interaction with honeypots should be investigated
Architecture
(Diagram labels: Ingest, Viz, APIs, syslog, SIEM alerts, DMZ, Internet, Internal Network)
https://github.com/threatstream/mhn
- Sensors report events in real-time via hpfeeds
- Events are enriched, indexed, and stored in MongoDB
- MHN web app enables exploration and visualization
- JSON APIs expose events for integration with other systems
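The following is an added example, not code from the slides or from the MHN project, of what the talk's title describes: taking honeypot events exported by the JSON APIs and using them to select and summarize the netflow of the internal host that touched a honeypot, then emitting a syslog-style line for the SIEM. The honeypot events are constructed JSON in an hpfeeds-like shape whose field names (source_ip, sensor_ip, destination_port, honeypot) are assumptions rather than MHN's actual schema, and the netflow records are constructed CSV lines with an assumed column order (start time, src, dst, dport, proto, pkts, bytes). The correlation also records whether each honeypot hit is visible in the flow data at all, which is a useful check that flow collection actually covers the segment the honeypots sit on.

```python
"""Correlate honeypot hits with netflow to triage the internal hosts involved.

Added example; not MHN project code. Honeypot events use a constructed,
hpfeeds-like JSON shape (field names are assumptions, not MHN's schema).
Netflow records are constructed CSV lines in an assumed column order.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot events: 10.1.2.23 touches two honeypots within seconds,
# 10.1.2.99 makes a single SSH connection to a honeypot half an hour later.
HONEYPOT_EVENTS = [
    '{"timestamp": "2015-01-12T10:00:05", "honeypot": "dionaea", "sensor_ip": "10.1.2.50",'
    ' "source_ip": "10.1.2.23", "destination_port": 445, "protocol": "smb"}',
    '{"timestamp": "2015-01-12T10:00:09", "honeypot": "kippo", "sensor_ip": "10.1.2.51",'
    ' "source_ip": "10.1.2.23", "destination_port": 22, "protocol": "ssh"}',
    '{"timestamp": "2015-01-12T10:30:00", "honeypot": "kippo", "sensor_ip": "10.1.2.51",'
    ' "source_ip": "10.1.2.99", "destination_port": 22, "protocol": "ssh"}',
]

# Constructed netflow: start,src,dst,dport,proto,pkts,bytes (assumed column order).
NETFLOW_RECORDS = """\
2015-01-12T09:59:58,10.1.2.23,10.1.2.40,445,TCP,1,60
2015-01-12T09:59:59,10.1.2.23,10.1.2.41,445,TCP,1,60
2015-01-12T10:00:00,10.1.2.23,10.1.2.42,445,TCP,1,60
2015-01-12T10:00:05,10.1.2.23,10.1.2.50,445,TCP,6,612
2015-01-12T10:00:09,10.1.2.23,10.1.2.51,22,TCP,12,1420
2015-01-12T10:00:10,10.1.2.23,10.1.2.52,22,TCP,1,60
2015-01-12T10:29:59,10.1.2.99,10.1.2.51,22,TCP,40,5200
2015-01-12T10:15:00,10.1.2.77,10.1.2.10,53,UDP,2,180
"""


def parse_events(lines):
    """Parse JSON honeypot events; timestamps become datetime objects."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["timestamp"] = datetime.fromisoformat(event["timestamp"])
        events.append(event)
    return events


def parse_netflow(text):
    """Parse the constructed CSV flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, pkts, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def correlate(events, flows, window=timedelta(minutes=5)):
    """Summarize each offending host's flows around its honeypot hits.

    Fan-out (distinct non-honeypot destinations) and single-packet flows are
    the scan indicators; hits_seen_in_netflow checks flow-collection coverage.
    """
    sensors = {e["sensor_ip"] for e in events}
    flows_by_src = defaultdict(list)
    for f in flows:
        flows_by_src[f["src"]].append(f)
    events_by_src = defaultdict(list)
    for e in events:
        events_by_src[e["source_ip"]].append(e)

    findings = {}
    for src, hits in events_by_src.items():
        lo = min(h["timestamp"] for h in hits) - window
        hi = max(h["timestamp"] for h in hits) + window
        near = [f for f in flows_by_src[src] if lo <= f["ts"] <= hi]
        dsts = {f["dst"] for f in near}
        other = dsts - sensors  # real hosts the source also touched
        confirmed = sum(
            1 for h in hits
            if any(f["dst"] == h["sensor_ip"] and f["dport"] == h["destination_port"]
                   and abs(f["ts"] - h["timestamp"]) <= window for f in near))
        findings[src] = {
            "honeypots": sorted({h["honeypot"] for h in hits}),
            "hits": len(hits),
            "hits_seen_in_netflow": confirmed,
            "flows": len(near),
            "distinct_dsts": len(dsts),
            "non_honeypot_dsts": len(other),
            "single_packet_flows": sum(1 for f in near if f["pkts"] == 1),
            "ports": sorted({f["dport"] for f in near}),
            # Threshold is an assumption for the example, not a tuned value.
            "severity": "high" if len(other) >= 3 else "medium",
        }
    return findings


def to_syslog(findings):
    """Render findings as key=value lines suitable for syslog/SIEM ingestion."""
    lines = []
    for src in sorted(findings):
        f = findings[src]
        lines.append(
            "mhn-netflow: src={} severity={} honeypots={} hits={} hits_seen_in_netflow={} "
            "flows={} distinct_dsts={} non_honeypot_dsts={} single_packet_flows={} ports={}"
            .format(src, f["severity"], ",".join(f["honeypots"]), f["hits"],
                    f["hits_seen_in_netflow"], f["flows"], f["distinct_dsts"],
                    f["non_honeypot_dsts"], f["single_packet_flows"],
                    ",".join(map(str, f["ports"]))))
    return lines


def run():
    return correlate(parse_events(HONEYPOT_EVENTS), parse_netflow(NETFLOW_RECORDS))


if __name__ == "__main__":
    for line in to_syslog(run()):
        print(line)
```

With the constructed data, 10.1.2.23 is rated high because its flows in the window fan out to four real hosts besides the two honeypots, mostly as single-packet connection attempts on 445 and 22, while 10.1.2.99 produced one long SSH session to a honeypot and nothing else, so it is reported at medium for an analyst to look at. A host like 10.1.2.77, which never touched a honeypot, generates no output: the honeypot hit is what selects which netflow gets examined.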