- 1.1 Current Technologies Deployed
We currently have several honeynets deployed. However, most of
these are deployed for the purpose of testing the latest Honeywalls and provide
feedback and bug reports to the Honeywall CDROM developers. We have at least two
Roo 1.x-202's deployed and one Roo 2.x-55 (Roo 2.X is the next generation disributed
version, more information below). In addition, we have at least one more Honeywall
deployed for testing incident purpose capabilities. Instead of being used for honeypot
deployments, the Honeywall CDROM in this case is put in front of compromised,
production systems, and then used to isolate and analyze the compromised computer.
- 2.1 Unique Findings
From an attacker perspective, our findings are limited, as our primary goal in the
past six months has been testing of technology and providing feedback. However, in one
interesting case, an established honeynet that had been on a Speakeasy
DSL network for 2 years (averaging 150-200 scans a day) was moved to a Comcast
business cable network which is now averaging 30-50 scans a day. In addition,
The honeynet used for testing incident response is analyzing various compromises,
such as the Nugache AIM P2P bot.
- 2.2 Trends
Almost all the activity we are seeing is active is criminaly motivated, to make
money. We currently have several research projects going on in the area of fraud
and identify theft, especially credit card.
3.0 Lessons Learned
- 3.1 Successes
Investment in infrastructure is paying off, as it dramatically increases
communication and coordination with other members. The biggest benenfits
we have seen are the new internal Plone server for communication, and
transitioning to SVN code repository.
- 3.2 Mistakes Made
One of the challenges we are facing is the complexity of attackers and
threats today. Several years ago it was relatively easy to capture
and analyze cyber threats. You simply stuck out a honeypot and the bad guys
came. Now adays they use a variety of multiple vectors, advanced tools, and are always
adapting and changing. As ROI (Return on Investment) has become one of the
primary motives, in some cases it can be assumed that threats have their own
research and development departments to advanced their technology. One example of these
advances is in the time and effort we now put in our Know Your Enemy whitepapers. Several
years ago it would only take us several weeks to capture, analzye, document, and
publish a KYE paper. Now, on average it takes 3-6 months to put together such a
paper together, including a 5 week review process.
4.0 New Tools
We are putting a huge investment of time and effort into developing our tools
and new technology. First, we are attempting to make it much easier to deploy and
manage large scale honeynet deployments. This can expotentially increase the ability
to capture information. However, even more important, we are focusing long term on
data analysis. We need a much better way to easily identify critical information and
analyze it. Also, we want a way to make our information more accessible to the softer
sciences, such as characterization, statistical analysis, and economics.
- 4.1 Lacking Functionality
One of the greatest weakneses we currently have is our ability for data analysis.
This is an extremely difficult area. We do not share the same problem as most
organizations. We collect comparitively little data, and most of it is unauthorized or
malicious activity. However, we currently are facing two big challenges. The first is
quickly and easily identifing critical data. The second is honeynets collect indepth
data, including every packets and payloads, system data (Sebek), etc. The challenge
is taking this data, from multiple honeynets, and presenting it in a cohesive format
so different people can easily extract different value from the information. Currently
multiple organizations in the Honeynet Research Alliance are developing their own
tools to address this issue.
- 4.2 New Tools
Unified Data Analysis Framework (UDAF):
This is a new framework focused on making data analysis much easier. It is a modular
data acquisition and analysis API. Analysis tools built using the UDAF will be easily
extended, and share common data formats. It will also lessen the number of conflicting
or obscure dependencies that an analyst might need to chase down before installing a
new tool. This way organizations do not have to depend on a single data analysis tool,
but can choose whatever one best suites their requirements. UDAF will also include
visual programming tools to make rapid application development possible. The goal is
to have this framework built into the new Honeywall CDROM Roo 2.X.
This tool will be one of the first to leverage the new UDAF. Its goal is to be protocol
aware, with the ability to analyze and give statistical summaries and overviews. For
example, it can analyze IRC traffic, reporting on relationships between nicks and channels
and their usage.
Honeywall CDROM Roo 2.X:
This will be the next (and hopefully last) major release of the Honeywall CDROM. Its being
redesigned for fully distributed capabilities, with a focus on distributed management, data
collection, and analysis. Its planned that once this is released, we will focus all of our
development efforts on data analysis. We are capturing all sorts of great data, now we need
to learn how can we best leverage it.
5.0 Papers and Presentations
- 5.1 New Papers
Work on "KYE: Honeywall". This is a new paper that replace 3 of the older
KYE papers that document different generations of the Honeywall. We will consolidate
all of this into a single paper that will be updated with future releases. Expected
release should be the same time as the new CDROM version Roo 2.X.
- 5.3 Presentations
Oman, December 18, 2005
DOE, Richland, Washington. March 14/15 2006. Two day workshop with over 20 Honeynet
Project / Research Alliance members.
- Structure Changes
We are currently reviewing our By-laws to better define how our organization
is governed, including elections, roles and responsibilities, how policies are
developed and modified, etc. As our organization continues to grow, so to must
our internal governance. In addition, we have invested a great deal in our own
infrastructure, with both an internal sever for communication and an updated
- Complete and publish new by-laws and new Board of Director elections
- Release new KYE papers, including "KYE: Honeywall CDROM"
- Release Unified Data Analysis base and Honeysnap
- Release Honeywall CDROM Roo 2.x with updated documentation
- Complete several research projects in financial fraud
We highly recommend you take a moment to review the status reports
from all the other Alliance members organizations. Their status
reports for this 6 month period can be found below.