The Honeynet Project's cumulative-analysis paper has finally been published. The methodology is rigorous; the findings are consistent with what individual operators have been observing; the aggregate picture is more informative than any individual data set.
A walk through what it shows.
What the paper covers
The paper analyses approximately 24 months of honeynet data from multiple operators across several countries. The data set:
- About 100,000 distinct compromise events.
- Roughly 30 different honeynet deployments contributing.
- Both low-interaction (Honeyd-style) and high-interaction (real systems) data.
The analysis covers attacker behaviour, the distribution of attack types, the temporal patterns, and specific case studies.
The headline findings
Three things stand out.
The threat-actor population's distribution is roughly consistent across operators. The pattern I observed — about 60% automated, 25% moderately skilled, 12% commercially motivated, 3% genuinely capable — is approximately what other operators see. The aggregate confirms that this is not idiosyncratic to my deployment.
Compromise time is decreasing. A new public IP that exposes vulnerable services is now compromised within hours of going live. The window has shrunk from days in 2000 to hours in 2002. The attacker infrastructure has matured.
Attacker patience is bimodal. Most compromises are quick (under 5 minutes of attacker interaction). A small fraction are very long (multiple sessions over weeks). The middle ground — sustained but bounded engagement — is rare. Defenders should optimise for the two extremes.
The case studies
The paper includes several detailed case studies. The two I found most useful:
A six-week careful-attacker engagement. Multiple sessions, gradual capability deployment, surgical persistence. The pattern matches my own captures closely.
A botnet-installation incident. A compromised honeypot was used to install a Trinoo-style daemon and added to a control infrastructure. The honeynet captured the full deployment sequence, including the connection to the master.
Both case studies are sanitised but specific. The level of detail is exactly what the field needs.
What defenders should take
Three practical things.
Off-host monitoring is essential. The skilled-attacker case studies all rely on off-host monitoring for capture: a sniffer on a bridge or span port and the firewall's own logs, none of which the attacker can see or alter from the compromised host. On-host monitoring would have been defeated by the attackers' tradecraft. The caveat is that off-host capture records only what crosses the wire; once an attacker brings up an encrypted channel, the sniffer still shows that the session happened and how much moved, but not its contents.
Outbound filtering is the highest-leverage defence. The case studies confirm that outbound restrictions disrupt most attacks. The specific point I have been making continues to hold.
Compromise dwell time is the variable that matters. The paper's data suggest most attackers leave quickly; the rare cases that stay are the ones that produce the most damage. Defenders should optimise for finding the long-stayers, not just for preventing initial compromise. The detection consequence is that a long-stayer does not show up as one alarming event but as a low-rate series of sessions from the same source spread over weeks, which is exactly what per-event alerting misses; the analysis has to be done per source over time, not per packet.
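The two findings above (the bimodal quick/long split, and dwell time as the variable to hunt on) reduce to a small piece of per-source bookkeeping over session records. The following is an added example, not code from this post, from the paper or from the Honeynet Project: it parses a constructed session log, measures time-to-first-compromise per sensor, buckets each source as quick, long or middle, and lists the long-stayers. The log format, the honeypot names, the go-live timestamps, the addresses and the 14-day "weeks" threshold are all assumptions made for the example; the five-minute "quick" bound is the paper's.

```python
"""Dwell-time triage over honeynet session logs (added example, not from the paper)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log, one attacker session per line:
#   <session start, UTC> <honeypot> <source IP> <interactive seconds>
# Not captures from the paper; addresses are from documentation ranges.
SAMPLE_LOG = """\
2002-03-01T08:00:00Z hp1 203.0.113.7 90
2002-03-01T09:30:00Z hp1 198.51.100.21 240
2002-03-03T22:10:00Z hp2 203.0.113.7 1800
2002-03-08T01:45:00Z hp2 192.0.2.44 600
2002-03-12T03:20:00Z hp1 192.0.2.44 3600
2002-03-22T04:05:00Z hp2 192.0.2.44 2400
"""

# Constructed go-live timestamps for the two sensors (assumption).
GO_LIVE = {"hp1": "2002-03-01T06:00:00Z", "hp2": "2002-03-03T18:00:00Z"}

QUICK_MAX = timedelta(minutes=5)   # "quick" bound, from the paper's headline finding
LONG_SPAN = timedelta(days=14)     # "weeks" bound for long-stayers (assumed threshold)


@dataclass
class Session:
    start: datetime
    host: str
    src: str
    seconds: int

    @property
    def end(self) -> datetime:
        return self.start + timedelta(seconds=self.seconds)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list[Session]:
    """Parse the constructed format above; returns sessions sorted by start time."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, src, secs = line.split()
        sessions.append(Session(parse_ts(ts), host, src, int(secs)))
    return sorted(sessions, key=lambda s: s.start)


def time_to_first_compromise(sessions, go_live) -> dict[str, timedelta]:
    """Per sensor: first session start minus the sensor's go-live time."""
    first = {}
    for s in sessions:
        first.setdefault(s.host, s.start)   # sessions are sorted, so the first seen wins
    return {h: first[h] - parse_ts(go_live[h]) for h in first}


def classify_sources(sessions) -> dict[str, str]:
    """Bucket each source into the bimodal scheme: quick / long / middle."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[s.src].append(s)
    result = {}
    for src, ss in by_src.items():
        total = timedelta(seconds=sum(s.seconds for s in ss))
        span = ss[-1].end - ss[0].start      # first contact to end of last session
        if total <= QUICK_MAX:
            result[src] = "quick"
        elif len(ss) >= 2 and span >= LONG_SPAN:
            result[src] = "long"
        else:
            result[src] = "middle"
    return result


def long_stayers(sessions) -> list[str]:
    """The sources worth an analyst's time: multi-session, multi-week engagements."""
    return sorted(src for src, cls in classify_sources(sessions).items() if cls == "long")


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for host, delta in time_to_first_compromise(sessions, GO_LIVE).items():
        print(f"{host}: first compromise {delta.total_seconds() / 3600:.1f}h after go-live")
    for src, cls in classify_sources(sessions).items():
        print(f"{src}: {cls}")
    print("long-stayers:", long_stayers(sessions))
```

On the sample data the single 240-second visitor lands in "quick", the source that returns three times across a fortnight is the one long-stayer, and the source with two sessions three days apart falls into the rare middle bucket. The key design choice is that the span is measured per source across sessions, not per session: a long-stayer's individual sessions can each be short enough to look like the quick majority.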
A small reflection
The paper is the academic-practitioner cooperation work I have been hoping to see at scale. Multiple operators contributing real data, careful analysis, public publication. The cumulative output is more useful than any individual operator's data.
For my own work: a contribution to the next paper is overdue. I will work on the sanitisation over the next few months.
More as the year develops.