Data transforming your sewage into signatures - lessons learnt from building a hybrid honeypot named Amber
From BruCON 2017
What happens when you collect a bunch of good data, under good pretences only to realise that the findings that you were expecting are completely wrong? Before you quit infosec and retreat to a farm, allow me to tell you about how I data transformed my data sewage into useful signatures. This talk will lay some ground work as to how honeypots relate to traditional security controls and how they differ, especially with regards to what they 'cost' to run. Then we will look at how a very cheap honeypot can be built, and how value can be derived from its simplistic output. Finally, I will look at how you can find further value in large data sets (the data set here was collected by the honeypot but the concepts can be applied to anything else) by looking past the obvious and factorising, or transforming the data. Did I mention that there will be drinking involved?