Like bees to a honeypot – a journey through honeypots

Matthias Meidinger (VMRay)

Honeypots can provide valuable insights into the threat landscape, both on the open Internet and in your internal network. Deploying them correctly isn't always easy, and neither is interpreting the activity they record.

This talk aims to convey the knowledge everyone needs to start deploying their own honeypot infrastructure and benefit from it. It highlights considerations and pitfalls that can be encountered in the deployment of different honeypots and the supporting infrastructure. Furthermore, the talk showcases automation, aggregation and visualization of honeypot activity based on a production deployment.

The deployment of honeypots can be interesting for different reasons: for example, for blue teams to learn whether malicious activity is present in an internal network, or for researchers to get an overview of the broader threat landscape, current malware payloads or ongoing credential stuffing campaigns.

As public honeypots tend to produce a large volume of logs, manual evaluation is a time-consuming and exhausting process. This is where automation, log aggregation and visualization come in handy. Well-designed dashboards can convey currently ongoing campaigns, the most used credentials, or even accumulations of unusual behaviour at a glance; this will be illustrated with currently running production Splunk dashboards. Automation and management opportunities will be showcased on the basis of MISP and TheHive, which are integrated into the workflow as well.

The talk is structured to mirror the speaker's journey of deploying, customizing and visualizing the currently running infrastructure, including live examples, curious findings and entertaining slips from users as well as maintainers.

Alongside the talk, the showcased Splunk dashboards will be made available publicly, as well as extensions to automatically upload payloads from honeypots to MISP cases and two custom honeypots that are currently in use in the production deployment (mail and IP webcam honeypots).

Matthias Meidinger (VMRay)

Matthias Meidinger is a software engineer with a focus on tooling and automation for the Labs department of VMRay. He is responsible for building infrastructure and developing tools that assist and enrich the workflow of threat researchers working in the Labs. With a heavy background in DevOps and automation, building pipelines and collecting and visualizing data on malicious activity and actors is his main area of expertise. This is rounded off by network security and OSINT based on collected data. In his free time he enjoys playing CTFs and practising photography.