22:24, December 10th, 2007 by david
The Honeynet Project holds an annual workshop, which is always an excellent opportunity for members from all around the world to get together in person and discuss their research.
For the first time, this year’s event was hosted by members of the Costa Rican Honeynet Project and held outside of the US, in Heredia, Costa Rica. Thirty-five members of the Honeynet Project met for four days, including Jamie and David from the UK group. As part of the first day’s shared presentations, David updated the group on the current state of our Global Distributed Honeynet (GDH). The last two days were spent on various R&D tracks, of which the largest was the initial planning session for GDH Phase Two in 2008.
Overall the event was excellent, with many participants feeling that this was the best annual workshop yet, and hopefully we’ll see the fruits of our collective activities next year.
Posted in Events, UK News
15:05, December 3rd, 2007 by david
I was the first international speaker at PacSec07 in Tokyo last week, and gave our initial public talk about the first phase of our Global Distributed Honeynet (GDH) research.
The abstract for the talk was:
A review of Phase One of the Honeynet Project’s latest research initiative, the deployment and operation of a global network of distributed high interaction research honeypots. An overview of the architecture, challenges faced, technical tools and new analysis/reporting procedures developed. Discussion of observed malicious activity during operation of eleven high interaction research honeynets around the world for six months (Jan-Jun 2007), including attacker activity, malware collection summary, etc. Sharing of practical operational experiences gained to date, unsolved issues and goals for the future.

GDH was the first (publicly declared) real world distributed high interaction research honeynet with nodes on most continents, designed and operated by the Honeynet Project. It enables the rapid deployment of identical honeypots over wide ranges of IP network space, monitoring of network activity and analysis of attacks against a range of distributed systems. The techniques and operational experience should be useful to many organizations interested in global sensor networks and better understanding the threats posed to their networks. A “Know Your Enemy: GDH” white paper and other supporting material will be released in 2008.
Slides will be available online from both the PacSec07 and Honeynet Project web sites shortly, or they can be downloaded directly from here.
The presentation was an hour long, and hopefully provided an introduction to what GDH Phase One was, why and how we built and operated it, then summarized some of our initial results and plans for the future. The audience questions were of a good standard, as were follow-up discussions at the party afterwards. Any offline feedback or questions are also welcome.
Overall the conference was enjoyable, with good presentations in a number of areas and an interesting mix of both Japanese and international attendees (and the obligatory late night social activities). Hopefully we’ll see some spin-off honeynet research in 2008 in a couple of areas. It was also great to have the opportunity to visit Tokyo and meet local security researchers, plus presenting to a Japanese audience with live translation was entertaining. I’d particularly like to thank Ryo Hirosawa and the other translators for all their last-minute help with slide translation. Thanks once again guys!
You can find further coverage and some photographs of the event here:
Cedric Blancher’s Blog
Cedric Blancher’s Photos
Ryo Hirosawa’s Photos
Toshiharu Harada’s Photos
Posted in Events, UK presentations
14:57, November 20th, 2007 by david
The November edition of Elsevier’s Network Security publication contains the second part of an article on web application attacks written by David Watson of the UK Honeynet Project and can be downloaded as part of their current free online trial (as can a previous article on Honeynets as Counter-intelligence tools).
Posted in UK presentations, Whitepapers
23:48, November 19th, 2007 by arthur
In his weekly “Dork Talk” column in the Guardian, this week Stephen Fry talks about the Storm worm. He cites the Honeynet Project amongst other sources (in particular, he’s citing the recent fast flux paper though he doesn’t quote it explicitly) and refers to us as “the good guys”, thus, as I am a regular Guardian reader, making my day.
The article is not technical and, as you would expect from Fry, very well written. A good one to pass on to relatives, managers and other interested but not techy types.
Posted in UK News
17:59, November 7th, 2007 by david
The Honeynet Project released a new Know Your Enemy: “Behind the Scenes of Malicious Web Servers” white paper today, which follows up on recent publications about malicious web sites and attacks against common web clients.
Abstract:
“In this paper, we increase our understanding of malicious web servers through analysis of several web exploitation kits that have appeared in 2006/07: WebAttacker, MPack, and IcePack. Our discoveries will necessitate adjustments on how we think about malicious web servers and will have direct implications on client honeypot technology and future studies.”
Lots of crossover with recent UKHP activity and well worth a read.
Posted in Whitepapers
15:47, October 23rd, 2007 by david
The October edition of Elsevier’s Network Security publication contains part one of an article on web application attacks written by David Watson of the UK Honeynet Project, with the second part to follow in November.
Posted in UK News, Whitepapers
10:50, October 22nd, 2007 by david
The line-up for this year’s PacSec07 conference in Tokyo on November the 29th was announced today, and will include a presentation on deploying and operating a global distributed honeynet by David Watson of the UK Honeynet Project. This presentation will follow up on previous EuSec and CanSec lightning talks about GDH and will hopefully coincide with the release of more public information about the GDH research initiative.
Posted in UK presentations
18:47, October 14th, 2007 by david
David Watson was interviewed this week by BBC News, for a piece on identity theft and attacks against Internet users.
Posted in UK News