Archive for the ‘Events’ Category

First WOMBAT workshop

Friday, April 25th, 2008

Jamie and I from the UK Honeynet Project plus Max Kilger and Thorsten Holz from the UNCC and German Honeynet Project Chapters were in Amsterdam this week for the first workshop held by the European Commission’s 7th Framework WOMBAT project (see previous posts for more details).

The workshop was held at Vrije University south of the city centre and included members of the WOMBAT consortium and invited guests who were active in the fields of honeynet deployments, malware analysis and large scale data collection. Over two days we were introduced to the three-year WOMBAT project, its goals and members, and a number of short presentations were given by the invited guests from the EU, US, Asia and Australia. David spoke about the Honeynet Project’s various data collection initiatives, including the Global Distributed Honeynet Project (GDH), and Max spoke about attacker profiling models. The proceedings will be published in the journals of IEEE Computer Society later in the year and we’ll post them when we are able to.

Overall an interesting event with lots of opportunity for collaboration and information sharing that will hopefully come to fruition. Of particular interest was the honeyclient work that the Polish CERT NASK were involved in, which was remarkably similar to our own recent activity on Evil Javascript and SpamMonkey that I gave a lightning talk on at CanSecWest08 last month. Like us, they hope to release their code as open source in the coming weeks and months, so we look forward to seeing it.

CanSecWest08

Thursday, April 3rd, 2008

I was in Vancouver last week as a backup speaker for CanSecWest08. Once again, this was a good event, with plenty to keep me interested. It was also a great chance to catch up with Honeynet Project members, various friends in the security community and also to meet up with new people and exchange ideas. Kudos to Dragos for another excellent event, and also to Honeynet Project alumni Shane for winning the Pwn20wn contest for the second year in a row. Presentations should be on the web site shortly.

In the end, and for the first time ever, all the speakers made it to the event and I didn’t need to give a repeat performance of my PacSec07 GDH presentation. However, I did give a lightning talk entitled Evil Javascript and SpamMonkey that introduced a couple of projects the UK Honeynet Project team have been working on recently. You can find the slides here and hopefully we’ll be releasing the code and some sample results in the coming months.

Honeynet Project annual workshop

Monday, December 10th, 2007

The Honeynet Project holds an annual workshop every year, which is always an excellent opportunity for members from all around the world to get together in person and discuss their research.

For the first time, this year’s event was hosted by members of the Costa Rican Honeynet Project and held outside of the US, in Heredia, Costa Rica. Thirty five members of the Honeynet Project met for four days, including Jamie and David from the UK group. As part of the first day’s shared presentations, David updated the group on the current state of our Global Distributed Honeynet (GDH). The last two days were spent on various R&D tracks, of which the largest was the initial planning session for GDH Phase Two in 2008.

Overall the event was excellent, with many participants feeling that this was the best annual workshop yet, and hopefully we’ll see the fruits of our collective activities next year.

Global Distributed Honeynet talk at PacSec07

Monday, December 3rd, 2007

I was the first international speaker at PacSec07 in Tokyo last week, and gave our initial public talk about the first phase of our Global Distributed Honeynet (GDH) research.

The abstract for the talk was:

A review of Phase One of the Honeynet Project’s latest research
initiative, the deployment and operation of a global network of
distributed high interaction research honeypots. An overview of the
architecture, challenges faced, technical tools and new
analysis/reporting procedures developed. Discussion of observed
malicious activity during operation of eleven high interaction research
honeynets around the world for six months (Jan-Jun 2007), including
attacker activity, malware collection summary, etc. Sharing of practical
operational experiences gained to date, unsolved issues and goals for
the future.

GDH was the first (publicly declared) real world distributed high
interaction research honeynet with nodes on most continents, designed
and operated by the Honeynet Project. It enables the rapid deployment of
identical honeypots over wide ranges of IP network space, monitoring of
network activity and analysis of attacks against a range of distributed
systems. The techniques and operational experience should be useful to
many organizations interested in global sensor networks and better
understanding the threats posed to their networks. A “Know Your Enemy:
GDH” white paper and other supporting material will be released in 2008.

Slides will be available online from both the PacSec07 and Honeynet Project web sites shortly, or they can be downloaded directly from here.

The presentation was an hour long, and hopefully provided an introduction to what GDH Phase One was, why and how we built and operated it, then summarized some of our initial results and plans for the future. The audience questions were of a good standard, as were follow-up discussions at the party afterwards. Any offline feedback or questions are also welcome.

Overall the conference was enjoyable, with good presentations in a number of areas and an interesting mix of both Japanese and international attendees (and the obligatory late night social activities). Hopefully we’ll see some spin off honeynet research in 2008 in a couple of areas. It was also great to have the opportunity to visit Tokyo and meet local security researchers, plus presenting to a Japanese audience with live translation was entertaining. I’d particularly like to thank Ryo Hirosawa and the other translators for all their last minute help with slide translation. Thanks once again guys!

You can find further coverage and some photographs of the event here:

  • Cedric Blancher’s Blog
  • Cedric Blancher’s Photos
  • Ryo Hirosawa’s Photos
  • Toshiharu Harada’s Photos

Lance Spitzner HITB keynote

Thursday, September 6th, 2007

Lance Spitzner was one of the keynote speakers at Hack-In-The-Box 2007 in Malaysia this week, and talked about some of the research we have been involved in recently (including the Honeynet Project’s Global Distributed Honeynet initiative - GDH, which David led). More details can be found at the conference web site.

ISOI workshop

Wednesday, August 29th, 2007

Members of the UK Honeynet Project and Honeynet Project were again attendees at the 3rd Internet Security Operations and Intelligence workshop in Washington DC this week, which provided another excellent opportunity to catch up with other researchers and discuss the latest online threats. Press coverage.

Blackhat USA 2007 honeynet data analysis talk

Wednesday, August 1st, 2007

Mark Ryan Talabis from the Philippine / Hawaii Honeynet Project presented today at Blackhat USA 2007 (http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Talabis). His presentation titled “The Security Analytics Project: Alternatives in Analysis” covered data analysis related topics, which is an area of honeynet research where progress is still sorely lacking, and it included coverage of some recent UK Honeynet Project activity such as GDH and Honeysnap. Slides should eventually be available online at the Blackhat website. Some press coverage of his talk can be found here.

Trends in Web Attacks presentation

Wednesday, July 18th, 2007

Arthur Clune presented on “Trends in Web Attacks” on behalf of the UK Honeynet Project at the 2007 Institutional Web Management Workshop, held at the University of York 16-18 July 2007. An on-line copy of Arthur’s presentation can be found here.