The Honeynet Project publishes status reports every six months to keep the public informed of our research and activities. We use the same format outlined in the Honeynet Research Alliance charter. This is the status report for May, 2006.

1.0 Deployments

• 1.1 Current Technologies Deployed
  We currently have several honeynets deployed. However, most of these are deployed for the purpose of testing the latest Honeywalls and provide feedback and bug reports to the Honeywall CDROM developers. We have at least two Roo 1.x-202's deployed and one Roo 2.x-55 (Roo 2.X is the next generation disributed version, more information below). In addition, we have at least one more Honeywall deployed for testing incident purpose capabilities. Instead of being used for honeypot deployments, the Honeywall CDROM in this case is put in front of compromised, production systems, and then used to isolate and analyze the compromised computer.

2.0 Findings

• 2.1 Unique Findings
  From an attacker perspective, our findings are limited, as our primary goal in the past six months has been testing of technology and providing feedback. However, in one interesting case, an established honeynet that had been on a Speakeasy DSL network for 2 years (averaging 150-200 scans a day) was moved to a Comcast business cable network which is now averaging 30-50 scans a day. In addition, The honeynet used for testing incident response is analyzing various compromises, such as the Nugache AIM P2P bot.
• 2.2 Trends
  Almost all the activity we are seeing is active is criminaly motivated, to make money. We currently have several research projects going on in the area of fraud and identify theft, especially credit card.

3.0 Lessons Learned

• 3.1 Successes
  Investment in infrastructure is paying off, as it dramatically increases communication and coordination with other members. The biggest benenfits we have seen are the new internal Plone server for communication, and transitioning to SVN code repository.
• 3.2 Mistakes Made
  One of the challenges we are facing is the complexity of attackers and threats today. Several years ago it was relatively easy to capture and analyze cyber threats. You simply stuck out a honeypot and the bad guys came. Now adays they use a variety of multiple vectors, advanced tools, and are always adapting and changing. As ROI (Return on Investment) has become one of the primary motives, in some cases it can be assumed that threats have their own research and development departments to advanced their technology. One example of these advances is in the time and effort we now put in our Know Your Enemy whitepapers. Several years ago it would only take us several weeks to capture, analzye, document, and publish a KYE paper. Now, on average it takes 3-6 months to put together such a paper together, including a 5 week review process.

4.0 New Tools
We are putting a huge investment of time and effort into developing our tools and new technology. First, we are attempting to make it much easier to deploy and manage large scale honeynet deployments. This can expotentially increase the ability to capture information. However, even more important, we are focusing long term on data analysis. We need a much better way to easily identify critical information and analyze it. Also, we want a way to make our information more accessible to the softer sciences, such as characterization, statistical analysis, and economics.

• 4.1 Lacking Functionality
  One of the greatest weakneses we currently have is our ability for data analysis. This is an extremely difficult area. We do not share the same problem as most organizations. We collect comparitively little data, and most of it is unauthorized or malicious activity. However, we currently are facing two big challenges. The first is quickly and easily identifing critical data. The second is honeynets collect indepth data, including every packets and payloads, system data (Sebek), etc. The challenge is taking this data, from multiple honeynets, and presenting it in a cohesive format so different people can easily extract different value from the information. Currently multiple organizations in the Honeynet Research Alliance are developing their own tools to address this issue.
• 4.2 New Tools
  Unified Data Analysis Framework (UDAF): This is a new framework focused on making data analysis much easier. It is a modular data acquisition and analysis API. Analysis tools built using the UDAF will be easily extended, and share common data formats. It will also lessen the number of conflicting or obscure dependencies that an analyst might need to chase down before installing a new tool. This way organizations do not have to depend on a single data analysis tool, but can choose whatever one best suites their requirements. UDAF will also include visual programming tools to make rapid application development possible. The goal is to have this framework built into the new Honeywall CDROM Roo 2.X.

  Honeysnap: This tool will be one of the first to leverage the new UDAF. Its goal is to be protocol aware, with the ability to analyze and give statistical summaries and overviews. For example, it can analyze IRC traffic, reporting on relationships between nicks and channels and their usage.

  Honeywall CDROM Roo 2.X: This will be the next (and hopefully last) major release of the Honeywall CDROM. Its being redesigned for fully distributed capabilities, with a focus on distributed management, data collection, and analysis. Its planned that once this is released, we will focus all of our development efforts on data analysis. We are capturing all sorts of great data, now we need to learn how can we best leverage it.

5.0 Papers and Presentations

• 5.1 New Papers
  Work on "KYE: Honeywall". This is a new paper that replace 3 of the older KYE papers that document different generations of the Honeywall. We will consolidate all of this into a single paper that will be updated with future releases. Expected release should be the same time as the new CDROM version Roo 2.X.
• 5.2
• 5.3 Presentations
  Oman, December 18, 2005
  DOE, Richland, Washington. March 14/15 2006. Two day workshop with over 20 Honeynet Project / Research Alliance members.

6.0 Organizational

• Structure Changes
  We are currently reviewing our By-laws to better define how our organization is governed, including elections, roles and responsibilities, how policies are developed and modified, etc. As our organization continues to grow, so to must our internal governance. In addition, we have invested a great deal in our own infrastructure, with both an internal sever for communication and an updated code repository.

7.0 Goals

• Complete and publish new by-laws and new Board of Director elections
• Release new KYE papers, including "KYE: Honeywall CDROM"
• Release Unified Data Analysis base and Honeysnap
• Release Honeywall CDROM Roo 2.x with updated documentation
• Complete several research projects in financial fraud

8.0 Misc
We highly recommend you take a moment to review the status reports from all the other Alliance members organizations. Their status reports for this 6 month period can be found below.

• Spanish Honeynet Project
• Phillipine Honeynet Project
• South California Honeynet Project
• Italian Honeynet Project
• Chinese Honeynet Project
• Greek Honeynet Project
• UK Honeynet Project
• Florida Honeynet Project
• West Point Honeynet Project
• Pakistan Honeynet Project
• GA Tech Honeynet Project
• Portuguese Honeyent Project
• German Honeynet Project
• French Honeynet Project
• Brazillian Honeynet Project
• Japanese Honeynet Project