»Operating large-scale honeypot sensor networks«
2018-10-17, 09:30–10:15, Europe

The talk will cover practical experiences in operating large scale honeypot sensor networks especially in the context of the SISSDEN project and provide a status update of the sensor network as maintained by the project: https://sissden.eu

The rise of IoT related attacks as demonstrated so effectively by Mirai and its variants as well as incidents such as Wannacry, (Not)Petya have reinforced the case for using honeypots as effective tools for detecting, collecting and analysing Internet-wide threats. Our ability to respond and mitigate a new threat relies on obtaining not just a global picture of an incident but also on obtaining new malware samples for analysis. Thus it is critical to have the capability to quickly deploy new honeypot sensors at scale. The talk will cover The Shadowserver Foundation’s efforts at building, deploying and maintaining such large-scale honeypot networks. It will describe the unique challenges encountered and lessons learned whilst attempting to automate the process as much as possible. We will introduce the honeypot deployment framework (and update on it) developed as part of an ongoing EU Horizon 2020 Project - SISSDEN (https://sissden.eu), which enables a rapid deployment across hundreds of locations worldwide. It also attempts to standardize existing honeypots to adapt them to the framework. Data collected from this deployment is shared with the security community (90+ National CERTs, 4000+ network owners etc) as part of the free daily Shadowserver victim remediation feeds. It is envisioned that this framework will additionally enable a "honeypot-as-a-service" offering to trusted parties.