Like bees to a honeypot - A journey through Honeypot deployments

Honeypots can provide valuable insights into the threat landscape, both on the open internet and inside your internal network. Deploying them correctly isn’t always easy, and neither is interpreting the activity they record.
This talk aims to convey the knowledge for everyone to start deploying their own Honeypot infrastructure and benefit from it. It highlights considerations and pitfalls that can be encountered in the deployment of different honeypots and the supporting infrastructure. Furthermore, the talk showcases automation, aggregation and visualization of Honeypot activity based on a production deployment.

This talk aims to give an overview of different kinds of Honeypots, aggregation techniques and currently developed projects.
The deployment of Honeypots can be interesting for different reasons: for Blue Teams, to learn whether malicious activity is present in their internal network; for researchers, to get an overview of the broader threat landscape, current malware payloads or ongoing credential stuffing campaigns.

As public Honeypots tend to produce a large amount of logs, manual evaluation is a time-consuming and exhausting process. This is where log aggregation and visualization come in handy. Well-designed dashboards can convey currently ongoing campaigns, the most used credentials or even accumulations of unusual behaviour at a glance, which will be illustrated with currently running production Splunk dashboards.
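As an added illustration of the aggregation step (example code, not part of the talk or its released configurations), the snippet below turns constructed Cowrie-style JSON log lines into the counts a dashboard panel would show: most used credentials, top source addresses, sessions with an unusual number of login attempts, and any accepted logins. It assumes Cowrie's one-JSON-object-per-line log format with `eventid`, `username`, `password`, `src_ip` and `session` fields; the sample lines and the attempt threshold are constructed for the example.

```python
import json
from collections import Counter

# Constructed Cowrie-style JSON log lines (not data from the talk's deployment).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.5", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "admin", "src_ip": "203.0.113.5", "session": "a1"}
{"eventid": "cowrie.login.success", "username": "root", "password": "password", "src_ip": "203.0.113.5", "session": "a1"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "203.0.113.5", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "123456", "src_ip": "198.51.100.7", "session": "b2"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "session": "b2"}
this line is not JSON and is skipped rather than crashing the aggregation
"""
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_events(text):
    """Parse one JSON object per line; skip malformed lines (rotated or partially written logs have them)."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "eventid" in ev:
            events.append(ev)
    return events


def summarize_logins(events, attempt_threshold=3):
    """Aggregate login events into the counts a dashboard panel would show."""
    creds, sources, per_session, successes = Counter(), Counter(), Counter(), []
    for ev in events:
        if ev["eventid"] not in LOGIN_EVENTS:
            continue  # commands, downloads etc. belong on other panels
        creds[(ev.get("username"), ev.get("password"))] += 1
        sources[ev.get("src_ip")] += 1
        per_session[ev.get("session")] += 1
        if ev["eventid"] == "cowrie.login.success":
            successes.append((ev.get("src_ip"), ev.get("username"), ev.get("password")))
    # Sessions with many attempts are a crude "unusual accumulation" marker worth a closer look.
    noisy = sorted(s for s, n in per_session.items() if n >= attempt_threshold)
    return {
        "top_credentials": creds.most_common(3),
        "top_sources": sources.most_common(3),
        "noisy_sessions": noisy,
        "successes": successes,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_logins(parse_events(SAMPLE_LOG)), indent=2))
```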

The talk is structured to mirror the speaker’s journey of deploying, customizing and visualizing the currently running infrastructure, including live examples, curious findings and entertaining slips from Honeypot users.

With the talk I’ll be releasing configuration examples for different Honeypots, configurations for log aggregation and visualisation, as well as an extension for the Cowrie Honeypot that integrates it with MISP.

About the Speaker