The next step in the installation process is to determine which events the honeypot program will monitor. These can include login attempts, file changes and other activity. Admins must set up an alternative logging method, because hackers can change log files if they know where to look for them. To prevent this, log files should be out of sight and in a place hackers wouldn't think to look, such as in the Windows logging tool or some other cloud logging services that store the information outside of the honeypot.

Honeypots were all the rage in the 90's - A raft of tools (and even a world-wide alliance) sprung up extolling their virtues but they never managed to live up to their hype. They were largely relegated to researchers and tinkerers on the fringes. At the same time, we have the Verizon DBIR telling us that most companies are first informed by 3rd parties that they are breached. This is a stupid situation to be in.Well deployed honeypots can be invaluable tools in the defenders arsenal, and don't need to look anything like the honeypots of old. From application layer man-traps, to booby-trapped documents. From network-level deception, to cloud based honeypottery, we are bringing honeypots back!During this talk, we will discuss and demonstrate the current state of the art regarding honeypots. We will explore the factors that limit adoption (and will discuss how to overcome them.) We will demonstrate new techniques to make your honeypots more "hacker-discoverable" & will share data from running actual honeypots in real organizations. We will also discuss (and release) OpenCanary, our new open source honeypot (along with supporting scripts and utilities).Over the past few years, honeypots have gotten a bit of a bad rap. We will give you tools, techniques and takeaways, to move them from geeky time-wasters, to the most useful pieces of kit you will deploy.

Ransomware, snooping and attempted shutdowns: The state of this honeypot shows what hackers do to sy

In this presentation, hear the findings of new academic research into ransomware in which we analyzed more than 1,300 samples captured in the wild from 2006 and 2014 from 15 malware families - including Calelk, Cryptolocker, CryptoWall, Gpcode, Filecoder, Kevtor, Reveton, Seftad, Urausy and Winlock. Our results indicate that (while ransomware authors have made some advancements in encryption, deletion and communication techniques over those eight years) the real impact on victims who don't pay is typically still both nondestructive and preventable. Even the very small set of truly destructive zero-day ransomware samples with sophisticated encryption capabilities we identified can be detected and stopped.First, learn how ransomware appears to have changed - and stayed the same - from 2006 and 2014, including constants, commonalities and advancements across 15 ransomware families in that timeframe. For example, we verified the widely held belief that ransomware attacks have been increasing in volume in recent years. In fact, they grew by more than 500% from 2012-13. However, the majority have not been sufficiently increasing in sophistication in that timeframe to truly take victims data or hardware hostage. Discover previously undocumented aspects of ransomware attacks with a focus on distinctive and common behaviors among different families.Second, see a comparison of the threatened impacts vs. the real impacts of the studied ransomware, demonstrating that the vast majority is essentially bluffing its own destructive capabilities in order to extract funds from the victim who is afraid of losing personal and/or valuable data or equipment. More than 94% of ransomware in our multi-year study simply attempted to lock the victims desktop and demand ransom, or used very similar and superficial approaches to encrypt or delete the victims files.Third, delve into the inner workings of rare destructive ransomware to ascertain key attributes in the code and execution of its instructions that make it both effective and detectible. Hear about the API calls, file system activity and decoy files that consistently surface from different malware families in the wild. Take a look at the various charging methods adopted by different ransomware families including Bitcoin, Moneypak, Paysafecar and Ukash cards. More than 88% of ransomware samples used prepaid online payment systems.Finally, understand why detecting and stopping advanced ransomware attacks is not as difficult as others have reported. In fact, by scanning for unusual behavior in file system activities, such as I/O requests you can detect even relatively sophisticated ransomware. By protecting the Master File Table (MFT) in the New Technology File System (NTFS) file system on Windows machines, you can prevent most zero-day ransomware attacks. These findings contradict some security community discussions that suggest the impossibility of detecting or stopping these types of attacks due to the use of sophisticated, destructive techniques.

(I stated on this blog years ago that the US govt might keep us from having TEMPEST defenses so they have a sneaky way of spying on us. Leaked NSA catalog shows they use passive and active emanation attacks that TEMPEST might stop. Sneaky, sneaky.) 2ff7e9595c