Threat intelligence is big buisness and provides a pulse into what the cybersecurity landscape looks like at any given time. There a lots of offerings available from threat intel providers that support any level from the hobbiest all the way to massive enterprise grade information. Even though a lot of this data is available, it got some of my friends and I thinking. How can we set up our own threat intel feeds on the cheap with only what we have laying around?
Sounds like we need a build on a budget
Rolling Your Own
In order to do any analysis, we first need some data to work with. Since we are on a budget we are on our own in getting this data. So we will have to setup a system to log a large amount of network activity on a box. Now there are a couple of popular honeypots available on Github, but on a quick search I couldn’t find one that could handle multiple ports with multiple client connections, while being rapidly configurable (let me know if you find one!). So I spent a few hours writing my own. Now I’ll be the first to admit it was written very quickly with no real planning and its not the prettiest thing in the world with some serious flaws, but after having it running for 6 months nonstop it seems to do the job. You can checkout the code and try it on your own at https://github.com/anthok/ItsNotSocketScience.
The tool will open up a bunch of ports that can be easily changed by modifying the JSON config file. At the time of writing this, I never got around to actually coding up the UDP part so don’t use it! The real meat and potatoes of the tool is it’s ability to create logs for every connection for every IP on all ports specified in the config. Below is an example of the log file structure.
root@hostname:ls -lh logs/tcp/1433/ total 16K -rw-r--r-- 1 root root 45 Jul 28 02:00 22.214.171.124 -rw-r--r-- 1 root root 1.7K Jul 28 02:02 126.96.36.199 -rw-r--r-- 1 root root 45 Jul 28 02:00 188.8.131.52 -rw-r--r-- 1 root root 42 Jul 28 02:04 184.108.40.206
And here is an example of an indiviual log file from 9200 (Elasticsearch).
root@hostname:~/logs/tcp/9200# cat 220.127.116.11 18.104.22.168,9200,b'GET /_nodes HTTP/1.1\r\nhost: 22.214.171.124:9200\r\naccept: application/json\r\nConnection: close\r\n\r\n',2020-11-22T14:52:30
If the same IP attempts to reconnect to the same port, then the log will just append to that IPs log file (new line seperated)
In that picture you will notice the //COMMA//, the reason for this is because the log files are CSV and a payload with a comma would really mess some stuff up for us. So as an easy hack we just replace all
Surf’s Up, Pipeline Time
Now that we have our tool to log network connections, now we need to put it together in a pipeline for continious montioring. Below is an example implementation where the monitoring tool is running on 3 seperate Digital Ocean nodes (doesn’t have to be DO!, just an example)
Then using the Elastic stack we can use Filebeats to ship all logs in our
logs folder to Logstash and then to Elasticsearch.
I have no doubt that there will be some people who at this point are confused and are wondering why even bother doing all this? Honestly the point of all this isn’t to develop the most sophisicated threat feed in the world or even come close but instead to just enjoy the process.
Here a few screenshots of some the possible visualizations that can be made once the data starts flowing!
The Threat Map
Daily IPs on a port
Monitoring a single IP realtime over a day
Is it even possible to find anything interesting using this method? YES - Head on over to https://www.archcloudlabs.com/projects/tracking_cryptominer_domains/ who proves that even this low budget hackjob can actually produce results! He uses the exact setup covered in this blog but using only a single Digital Ocean node.