Honeypot systems are currently used not only by researchers looking for new types of threats but also by organizations to protect their corporate networks. However, the data received from Honeypot sensors has to be analyzed and interpreted manually by an analyst, which seriously complicates the practical use of Honeypots in an enterprise security infrastructure. Moreover, finding a threat detected by a Honeypot in other segments of the corporate network requires an incident investigation procedure. In this project you will solve the practical problem of turning the data collected by Honeypot sensors into indicators of compromise that can be used to check the parts of the corporate network outside the Honeypot.
Because the data obtained by Honeypot sensors requires manual analysis and interpretation, in most cases it cannot be fed directly into automated tools to find the threat in other segments of the network. The task is to create and demonstrate a set of data that can serve as indicators of compromise (IoC) and that is produced automatically. Using this data in other automated tools should not lead to false positives.
The program created as a result of this research should be able to do the following at the proof-of-concept (POC) level:
— Generate data on state changes that can be used as indicators of compromise, based on an analysis of the threat running inside a virtual machine (telemetry: the VM and its network traffic);
— Select, from the obtained data, enough indicators to detect the threat on the other hosts in the corporate network;
— Write an indicator generator which, based on the telemetry received from the virtual machine, exports the indicators in STIX format;
— Prepare a description of the methods for obtaining the indicators, including a procedure for reducing false positives.
To evaluate the quality of the research work, tests on a prepared VM will be conducted: IoCs will be obtained from the actions of a specific malicious sample and then checked against another VM where the same malicious code is already present.
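The pipeline described in the list above and the evaluation step, as an added example that is not part of the project brief or of any existing tool. It assumes STIX 2.1 as the export format and a simplified telemetry shape of (kind, value) events; the sandbox snapshots, the noise rules and the two "other host" data sets are constructed for illustration. Indicators are derived as the difference between the snapshot after the sample ran, the clean baseline and a clean run of the same VM (its background noise), with generic artifacts such as random temp files filtered out; the resulting STIX bundle is then checked against an infected host and, as a negative control the brief does not ask for, a clean one.

```python
"""Added example: VM telemetry -> filtered IoCs -> STIX 2.1 bundle -> host check.
Telemetry format, noise rules and host data are assumptions, not from the brief."""
import json
import uuid
from datetime import datetime, timezone

# --- constructed telemetry (not real sensor data) --------------------------
# Each event is (kind, value): files created, processes started, registry keys
# written, domain names resolved. Kinds beyond these would need to_pattern() rules.
BASELINE = {                       # clean snapshot taken before the sample runs
    ("file", r"C:\Windows\System32\svchost.exe"),
    ("process", "explorer.exe"),
}
CLEAN_RUN = BASELINE | {           # same VM, same duration, no sample: background noise
    ("file", r"C:\Users\lab\AppData\Local\Temp\tmp1A2B.tmp"),
    ("domain", "ctldl.windowsupdate.com"),
}
SAMPLE_RUN = BASELINE | {          # same VM while the malicious sample is running
    ("file", r"C:\Users\lab\AppData\Roaming\svc_update.exe"),
    ("file", r"C:\Users\lab\AppData\Local\Temp\tmp9F3C.tmp"),
    ("process", "svc_update.exe"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svc_update"),
    ("domain", "update-check.example"),
    ("domain", "ctldl.windowsupdate.com"),
}

# --- false-positive reduction ----------------------------------------------
NOISE_RULES = [  # assumed rules: artifacts too generic to serve as indicators
    lambda kind, v: kind == "file" and "\\Temp\\" in v and v.lower().endswith(".tmp"),
    lambda kind, v: kind == "domain" and v.endswith(".windowsupdate.com"),
]

def extract_candidates(sample_run, baseline, clean_run):
    """Keep artifacts that appeared only during the sample run: not in the clean
    snapshot, not produced by the VM's own background activity, not generic noise."""
    new = sample_run - baseline - clean_run
    return sorted(e for e in new if not any(rule(*e) for rule in NOISE_RULES))

# --- STIX 2.1 export ---------------------------------------------------------
def _lit(value):
    """Escape a value as a STIX pattern string literal (backslash and quote)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def to_pattern(kind, value):
    """Map one telemetry event to a STIX 2.1 comparison expression.
    Files use only the name: full paths contain the user profile and differ per host."""
    if kind == "file":
        return f"[file:name = {_lit(value.rpartition(chr(92))[2])}]"
    if kind == "process":
        return f"[process:name = {_lit(value)}]"
    if kind == "registry":
        return f"[windows-registry-key:key = {_lit(value)}]"
    if kind == "domain":
        return f"[domain-name:value = {_lit(value)}]"
    raise ValueError(f"unsupported telemetry kind: {kind}")

def build_bundle(candidates, now=None):
    """Wrap each candidate in a STIX 2.1 Indicator object inside a Bundle."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{kind}: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": to_pattern(kind, value),
        "pattern_type": "stix",
        "valid_from": now,
    } for kind, value in candidates]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

# --- checking other hosts ----------------------------------------------------
def check_host(bundle, host_telemetry):
    """Return names of indicators whose pattern matches an artifact on another host.
    Full STIX pattern evaluation is out of scope: patterns are compared exactly
    against patterns derived from the host's own telemetry with the same rules."""
    observed = {to_pattern(*event) for event in host_telemetry}
    return [i["name"] for i in bundle["objects"] if i["pattern"] in observed]

INFECTED_HOST = {  # constructed: same sample, different user profile path
    ("file", r"C:\Users\alice\AppData\Roaming\svc_update.exe"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svc_update"),
    ("domain", "ctldl.windowsupdate.com"),
    ("process", "explorer.exe"),
}
CLEAN_HOST = {     # constructed: only ordinary activity, must produce no hits
    ("file", r"C:\Users\bob\AppData\Local\Temp\tmp77AA.tmp"),
    ("domain", "ctldl.windowsupdate.com"),
    ("process", "explorer.exe"),
}

if __name__ == "__main__":
    bundle = build_bundle(extract_candidates(SAMPLE_RUN, BASELINE, CLEAN_RUN))
    print(json.dumps(bundle, indent=2))
    print("infected host hits:", check_host(bundle, INFECTED_HOST))
    print("clean host hits:", check_host(bundle, CLEAN_HOST))
```

The clean run of the same VM is the most reliable noise source here, because it removes whatever the operating system does on its own without a hand-maintained allowlist; the pattern-based rules catch artifacts whose names are random on every run (the `tmp*.tmp` files) and so survive a plain set difference. The clean host is the negative control that measures false positives; an indicator that fires there should be dropped before the bundle is shared.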