

Ask HN: Would you pay for honeypot logs? - fabulist

Howdy,

I'm considering launching a subscription service that helps you strengthen your network's security by providing logs of real-world attacks, gathered from a network of honeypots. The logs would be searchable by protocol, vulnerability, and perhaps more, enabling your IT staff to develop IDS and firewall rulesets from in-the-wild attacks.

Would you pay for this? How much?

I'd also love to hear from anyone who thinks this isn't feasible.

Thanks in advance,
fabulist
======
mdisraeli
I work within the security operations team of a major global service company,
working with private businesses, local, regional and civil government.

Our main pain point is never information - we can get that in spades. Our pet
Unix engineer is constantly finding interesting new feeds for us, and I spend
a notable amount of time each week keeping up to date with latest developments
and any new information sources that crop up.

The challenge is translating this information into sound, actionable,
intelligence that measurably provides value to our business and customers. Raw
logs of random honeypots are of no interest to us, and if we wanted such a
thing we could roll our own relatively easily.

Honeypots based outside of our organization would only be of interest in a few
limited scenarios: Firstly, when a major new vulnerability lands it would be
invaluable to know right from the start what sort of attacks are being seen in
the wild. Ideally it would also be able to look back in time and discover if
this zero-day was being exploited prior to the vulnerability. Secondly, what we
couldn't do is set up honeypots in multiple different sectors and compare
attack profiles - eg, between a hospitality company and say a local council.

In both those cases though, what we would want is the results of the analysis
and expert recommendations, not the raw logs.

As others have already suggested, what we would be very interested in is
honeypots-as-a-service: Being able to drop a fake finance server into our
estate and detect access attempts. Create a fake company division website and
see who tries to attack it and how. Be alerted to targeted attacks before they
actually enter the production estate.

Something I'm fond of saying is that whenever an investigation or assessment
is performed, what actually earns you the money is the report at the end. That
report and the actionable intelligence within is your product, not the tool
you use to generate it.

------
meowface
I work in security for a large financial firm and demo enterprise products
like these pretty frequently.

My answer to this would be a simple "no". Obtaining and structuring honeypot
logs is not hard, and is basically a solved problem. This falls under the
greater umbrella of "threat intelligence", and there are a ton of open source
and enterprise solutions for threat intelligence feeds and collection. You
would have extremely contentious competition, plus odds are a lot of what
you're doing can also be done by an in-house analyst with some Python skills
and access to public and private feeds.

Some sort of significant value would have to be added on top of the logs, and
no, not just categorizing or grouping or ranking the logs.

If it's still honeypots you're interested in, then a better idea may be to
offer an "active defense" honeypot service to get early warning on targeted
attackers. This can include things like decoy/trap email accounts, web and
network services, documents, and more.

Some startups are in this space, but it's a pretty immature field. It also has
a lot of problems because many top managers and execs feel very uncomfortable
with the idea. My own company has discussed it before but management has
declined due to legal concerns, and also the concern that baiting an attacker
may make you more of a target.

But I feel this area may be ripe for disruption. Get a few of the big names
doing things like this and it's easy to convince smaller companies in the same
vertical to do it as well. Actually, some big names may already be doing it,
but if they are they're probably hush-hush about it.

In summary: honeypots sitting open on the Internet offer some interesting
intelligence, but the honeypot you run and the honeypot anyone else runs will
generate roughly the same intelligence and logs. And a lot of these logs are
already converted into network indicators and rolled into hundreds of threat
intelligence feeds that many security departments are already consuming. You
won't be able to generate a lot of value by running and processing your own
personal honeypots, in fact I would consider it a massive waste of time from a
product or service perspective (though running one certainly is educational
and can be fun).

But a honeypot sitting within an enterprise network/domain can be very useful
and very valuable to a company. If you provide such a service, I would
recommend it as a software suite set up by the client, definitely not as a
cloud service.

------
czbond
I would suggest startups are the wrong area. Startups barely have money to pay
for staff and often don't know or care about their security risk. They also
tend to use tools which allay some of that risk (eg: Stripe, etc for credit
cards, non-storage of PCI-Compliant data). Mid-Sized companies often have
sensitive data, older techniques, and/or budget - and can be convinced of
their risk. I would suggest going the routes of medium size business up to
lower Fortune 3000 companies. Reason: the CISO position is increasingly going
to those in security with Penetration background rather than other areas of
security (eg: physical, Identity & Access, etc). You might look at a strategy
similar to [http://Phishme.com](http://Phishme.com) which is selling into
larger accounts.

[my background: used to implement and sell security into Fortune 1000 accounts
and SMBs]

~~~
jonifico
Do you have any ideas as to how to gather budget to release a business on a
bigger scale?

~~~
czbond
Security is an odd area. In selling (and implementing products), as well as
helping a friend launch his Cloud security business - the market has a huge
issue for startups if you approach it incorrectly. As opposed to areas ripe
for SaaS penetration, security solving traditional or incremental problems
faces a large resistance because buyers/stakeholders "won't get fired for
choosing Netegrity/Oracle/<largeco>" if something goes wrong. They can always
blame it on the consultant implementation team. Plus, there's a large risk to
an organization using a new player to solve an old problem. Phishme (not
associated, but have friends who know them) took a new approach (email
phishing) which wasn't offered by large players. We found this out the hard way
in a startup, along with long sales cycles and requirements. For a security
offering, the Mach37 accelerator can be a good place to start.

------
tptacek
I can't answer about whether I'd buy it (I'm not in that market) but you
should know that the competition in the space you're considering is, or at
least was, pretty fierce. Vendors you should look at include iDefense,
TippingPoint, Arbor, and Symantec.

------
sswaner
I think this would be a tough sell in enterprise environments because the
analysis of log data takes time and analysts are likely to say they have
enough data from their own logs. They would also get stuck on the differences
between the honeypot environment and their own network.

That said, it would be valuable if I wanted to blacklist certain IP addresses.

You may also consider a data sharing service that would provide access to
anonymized log data shared among subscribers, this would allow subscribers to
get data from real systems. Some vendors market similar services (such as
RSA's eFraud Network).

------
lazyant
This service may be useful to security companies and security researchers or
analysts, and for them it shouldn't be hard to get this type of data.

A better service would be to embed somehow honeypots into the client's
infrastructure and deduce customized actions in a mostly automated, semi-
supervised way.

The problem with security logs (and logs in general) is that they are hard to
take specific actions on. I don't even recommend installing an IDS like Snort
to most people; you see lots of automated intrusion attempts, almost all just
fishing for a vulnerability in an application that you don't even have. Now
what, are you going to dedicate someone to go through them and see if the
infrastructure is vulnerable to them?

~~~
jenscow
> dedicate someone to go through them and see if the infrastructure is
> vulnerable to them?

No - Somebody has just done that for you, for free.

------
cik
This is a space I spend an enormous amount of time in, so it sounded
interesting.... then I didn't get it.

Honeypot logs aren't really interesting - since I don't care what happens
inside them. Now, if you could embed your honeypots as a service with
companies, and get them to accept data sharing, that's more interesting. If
you can somehow integrate the results or share things with Team Cymru or
VXShare, it becomes a lot more interesting.

But the thing is - I already get a lot of that value from cuckoosandbox - and
more recently elastic-cuckoo.
[https://github.com/drainware/elastic-cuckoo](https://github.com/drainware/elastic-cuckoo).

------
kentf
I would use Tilt to quickly test to see if people would buy into the concept.
[https://www.tilt.com/campaigns/new?sell=1](https://www.tilt.com/campaigns/new?sell=1)

~~~
fabulist
Checking it out, thanks

------
bluedino
Charge for them to be searchable. That way, people can lookup strings or
patterns being sent to their server and see what attacks they match up
against.

------
rmsaksida
It'd be more interesting if there was service which analyzed the client's logs
and recommended specific action (per client), with the unique insight gained
by your honeypot network. Something like an API which you hooked up with your
infrastructure, fed logs into it, and got periodical security recommendations
and alerts in return.

------
sauere
Is the eMail in your profile active and working? I have something for you

~~~
fabulist
Yes

------
tzakrajs
Honeypots have high value when embedded in high value networks.

------
n0body
no, can't say i would. i don't see what the benefit would be

~~~
fabulist
Good to know. :)

------
fabulist
This has been very interesting, thank you all for your feedback.

------
colechristensen
Honeypot logs? No.

Analysis and consumables pulled from the logs? Maybe.

Say you provided block lists for smtp/ssh/http which were actively updated,
firewall rules, log filters, packet capture filters, &c to help find and
prevent some of the illicit traffic on my own network.

For example, when shellshock was around several people posted grep strings to
tease attack attempts out of apache logs.
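A small detection script in the spirit of those grep strings, added here as an example and not code from the thread: it parses Apache combined-format log lines and flags requests that carry the Shellshock bash function-definition marker `() {` in the request line, Referer or User-Agent. The log lines are constructed samples, not real traffic.

```python
import re

# Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock attempts smuggle a bash function definition "() {" into a header
# that a CGI script exports as an environment variable. Whitespace varies.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return one hit per log line whose request, referer or agent carries the marker."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not an access-log line; skip rather than crash
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field, "value": rec[field]})
                break  # one hit per line is enough for a block list
    return hits


# Constructed sample log (not real traffic): two benign requests, one attempt via
# User-Agent and one via Referer; the injected command is an innocuous echo.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo test"',
    '192.0.2.77 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; /bin/true" "curl/7.37"',
    '203.0.113.5 - - [25/Sep/2014:10:14:02 +0000] "GET /about.html HTTP/1.1" 200 890 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```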

~~~
huhtenberg
> Analysis and consumables pulled from the logs? Maybe

But this exists already in a form of RBL/PBL/XBL/etc. Not that it cannot be
done better, e.g. for smoother integration into existing perimeter security
systems, but it exists nonetheless and it's free.

~~~
s_q_b
Agree with cz. Put that in a box that plugs into a wall and gets warm and sell
it for 30k to enterprise companies, and you could have a product.

------
WorldCitizen
I'm broke

