Ask HN: Would you pay for honeypot logs?
Howdy,
I'm considering launching a subscription service that helps you strengthen your network's security by providing logs of real-world attacks, gathered from a network of honeypots. The logs would be searchable by protocol, vulnerability, and perhaps more, enabling your IT staff to develop IDS and firewall rulesets from in-the-wild attacks.
Would you pay for this? How much?
I'd also love to hear from anyone who thinks this isn't feasible.
Thanks in advance, fabulist
25 comments
[ 3.2 ms ] story [ 73.7 ms ] threadAnalysis and consumables pulled from the logs? Maybe.
Say you provided block lists for smtp/ssh/http which were actively updated, firewall rules, log filters, packet capture filters, &c to help find and prevent some of the illicit traffic on my own network.
For example, when shellshock was around several people posted grep strings to tease attack attempts out of apache logs.
But this exists already in a form of RBL/PBL/XBL/etc. Not that it cannot be done better, e.g. for smoother integration into existing perimeter security systems, but it exists nonetheless and it's free.
[my background: used to implement and sell security into Fortune 1000 account and SMB's]
That said, it would be valuable if I wanted to blacklist certain IP addresses.
You may also consider a data sharing service that would provide access to anonymized log data shared among subscribers, this would allow subscribers to get data from real systems. Some vendors market similar services (such as RSA's eFraud Network).
A better service would be to embed somehow honeypots into the client's infrastructure and deduce customized actions in a mostly automated, semi-supervised way.
The problem with security logs (and logs in general) is that they are hard to take specific actions on. I don't even recommend installing an IDS like Snort to most people; you see lots of automated intrusion attempts, almost all just fishing for a vulnerability in an application that you don't even have , now what, are you going to dedicate someone to go through them and see if the infrastructure is vulnerable to them?
No - Somebody has just done that for you, for free.
Honeypot logs aren't really interesting - since I don't care what happens inside them. Now, if you could embed your honeypots as a service with companies, and get them to accept data sharing, that's more interesting. If you can somehow integrate the results or share things with Team Cymru or VXShare, it becomes a lot more interesting.
But the thing is - I already get a lot of that value from cuckoosandbox - and more recently elastic-cuckooo. https://github.com/drainware/elastic-cuckoo.
Our main pain point is never information - we can get that in spades. Our pet Unix engineer is constantly finding interesting new feeds for us, and I spend a notable amount of time each week keeping up to date with latest developments and any new information sources that crop up.
The challenge is translating this information into sound, actionable, intelligence that measurably provides value to our business and customers. Raw logs of random honeypots are of no interest to us, and if we wanted such a thing we could roll our own relatively easily.
Honeypots based outside of our organization would only be of interest in a few limited scenarios: Firstly, when a major new vulnerability lands it would be invaluable to know right from the start what sort of attacks are being seen in the wild. Ideally it would also be able to look back in time and discover if this zero-day being exploited prior to the vulnerability. Secondly, what we couldn't do is set up honeypots in multiple different sectors and compare attack profiles - eg, between a hospitality company and say a local council.
In both those cases though, what we would want is the results of the analysis and expert recommendations, not the raw logs.
As others have already suggested, what we would be very interested in is honeypots-as-a-service: Being able to drop a fake finance server into our estate and detect access attempts. Create a fake company division website and see who tries to attack it and how. Be alerted to targeted attacks before they actually entire the production estate.
Something I'm fond of saying is that whenever an investigation or assessment is performed, what actually earns you the money is the report at the end. That report and the actionable intelligence within is your product, not the tool you use to generate it.
My answer to this would be a simple "no". Obtaining and structuring honeypot logs is not hard, and is basically a solved problem. This falls under the greater umbrella of "threat intelligence", and there are a ton of open source and enterprise solutions for threat intelligence feeds and collection. You would have extremely contentious competition, plus odds are a lot of what you're doing can also be done by an in-house analyst with some Python skills and access to public and private feeds.
Some sort of significant value would have to be added on top of the logs, and no, not just categorizing or grouping or ranking the logs.
If it's still honeypots you're interested in, then a better idea may be to offer an "active defense" honeypot service to get early warning on targeted attackers. This can include things like decoy/trap email accounts, web and network services, documents, and more.
Some startups are in this space, but it's a pretty immature field. It also has a lot of problems because many top managers and execs feel very uncomfortable with the idea. My own company has discussed it before but management has declined due to legal concerns, and also the concern that baiting an attacker may make you more of a target.
But I feel this area may be ripe for disruption. Get a few of the big names doing things like this and it's easy to convince smaller companies in the same vertical to do it as well. Actually, some big names may already be doing it, but if they are they're probably hush-hush about it.
In summary: honeypots sitting open on the Internet offer some interesting intelligence, but the honeypot you run and the honeypot anyone else runs will generate roughly the same intelligence and logs. And a lot of these logs are already converted into network indicators and rolled into hundreds of threat intelligence feeds that many security departments are already consuming. You won't be able to generate a lot of value by running and processing your own personal honeypots, in fact I would consider it a massive waste of time from a product or service perspective (though running one certainly is educational and can be fun).
But a honeypot sitting within an enterprise network/domain can be very useful and very valuable to a company. If you provide such a service, I would recommend it as a software suite set up by the client, definitely not as a cloud service.