Tag Archives: Honeypots

Brain dump of DFIR and network security research ideas

Maybe I could get more of these done with this.

I’ve seen several people talk about lacking ideas for research projects, often around DFIR or network security. Personally, I have the opposite problem: endless ideas for projects, often with the barest hint of a start, but not enough time to pursue them all. So I thought I’d publish a bit of a brain dump. I actually have made good progress on a few of these, and I have concrete plans around others (beyond just “wouldn’t it be cool if…”), but in any case I’d love to see other people pick them up and run with them.

If you do happen to get interested in any of the following, I wouldn’t mind a quick note to touch base to see about possibilities for collaboration or at least an acknowledgement in whatever you publish. Don’t interpret that as any sort of requirement, though; ideas have no value without execution, so all the hard work hasn’t even begun.

  • Malware
    • Classification across a large corpus
    • Automated IOC extraction and publication
  • Threat Actors
    • Profiling systems, particularly based on OSINT
    • Underanalyzed crime groups (e.g. drug cartels' involvement in malware, spam, and fraud)
    • Hacktivism motivations and methods
  • Passwords
    • Cracking lab setups
    • Useful entropy calculations
  • Quantitative analysis of incidents
    • DDoS attacks (hard to get numbers on these)
    • Defacements and low-level leaks
  • Active Defense
    • Honeypots and honeyclients
    • Vocabulary or taxonomy on various methods
    • Callback Trojans in documents
    • C2 / RAT vulnerability research

Forensic Challenge 10: Attack Visualization

I noticed with happiness yesterday that the Honeynet Project released Forensic Challenge 10. But unlike other challenges that focused on finding the right answers (hopefully including building some new tools), this one uses the data from FC5 but asks participants to create new visualizations of the attack.

This will present some interesting challenges, I think, since the data consist of system and server logs rather than network data per se. But I also think that these projects work best as a team effort, so I poked at Twitter and pulled together a few folks who’d like to get involved in a collaboration. (Anyone else who might have an interest in working with us, please let me know.) And maybe I’ll finally get some use out of that Visualizing Data book on my desk or even my old GraphViz scripts.

Virtual OpenBSD

'Through the dust and ashes' by Carl Jones

Hey, OpenBSD. Haven’t seen you in a while, how’s life treating you? Say, you’re looking good these days. Guess Theo hasn’t been too rough on you, eh?

What? Windows? No, we broke up a long time ago. You knew that was never going to go anywhere, right? Everybody knew that, but I owed somebody a favor… anyway, that’s the past, baby.

So as long as we’re catching up, I’ve got this new project going, growing plants. I hear you have a bit of a green thumb yourself?

Listen, I have to run for a bit, but maybe I can Twitter you sometime?


I couldn’t stay away. OpenBSD just offers so much: a heavily audited base operating system, and a well-organized system layout that just makes sense to sysadmins and hackers alike. So when my new virtual machine lab at home needed a host for a low-interaction honeypot, I immediately realized it was the perfect fit.

And honestly, who doesn’t love an update process that involves recompiling the entire operating system — kernel and userland?!