Honeypots for Active Defense

DerbyCon V - Unity

Presented by: Greg Foss (ˀ)
Date: Friday September 25, 2015
Time: 14:00 - 14:50
Location: Track 2
Track: Fix Me

A Practical Guide to Deploying Honeynets within the Enterprise. InfoSec analysts are all somewhat familiar with honeypots. When they are given the proper attention, care and feeding, they produce invaluable information and can be a critical asset when it comes to defending the network. This intel has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor, right? Not exactly, when deployed and monitored properly, honeypots and honey tokens are a simple way to alert on anomalous activity inside the network. But how can an organization that is not focused on research gain valuable threat intelligence using honeypots and actively defend their network using indicators generated from? The answer is honeypots for active defense. There are currently many open source security tool distributions that come pre-loaded with honeypots among other useful tools, however the honeypot software is often not deployed in an effective manner. This session will discuss techniques to leverage honeypots in ways that will not overburden the security team with massive logs to sift through and focuses efforts on correlating active threat data observed in the honeypots with the production environment. When deploying honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network.

Greg Foss


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats