As organizations operationalize network sensors of many types, from
passive sensors to DNS sinkholes to honeypots, there are many
opportunities to combine their data for increased contextual awareness
in network defense and threat intelligence analysis. In this
presentation, we discuss our experiences analyzing data collected from
distributed honeypot sensors, p0f, Snort/Suricata, and botnet sinkholes,
along with enrichments from passive DNS (PDNS) and malware sandboxing. We
walk through how the following questions can be answered in an automated
fashion: What is the profile of the attacking system? Is the host
scanning or attacking my network an infected workstation, an ephemeral
scanning/exploitation box, or a compromised web server? If it is a
compromised server, what are some possible vulnerabilities exploited by
the attacker? What vulnerabilities (CVEs) has this attacker been seen
exploiting in the wild, and what tools do they drop? Is this attack part
of a distributed campaign, or is it limited to my network?
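The correlation the abstract describes, sketched as an added example (not the presenters' code): honeypot interaction records, a p0f OS fingerprint, botnet sinkhole check-ins, PDNS names and sandbox verdicts for dropped files are joined per source IP to assign one of the three host profiles named above, list the CVE tags and dropped tools seen, and decide whether the activity spans more than one monitored network. Every record is constructed: the IPs are RFC 5737 documentation addresses, and the sensor ids, hashes, CVE tags, hostnames and malware labels are placeholders. The role rules are simple heuristics chosen for the example, not the presenters' method.

```python
"""Correlate records from several sensor types into one attacker profile.

Added example, not code from the presentation. Every record below is
constructed: the IPs are RFC 5737 documentation addresses; the hashes,
CVE tags, sensor ids, hostnames and malware labels are placeholders.
"""

# Which monitored network each honeypot sensor sits in (constructed).
SENSOR_NETWORK = {"hp-net-a-01": "net-a", "hp-net-a-02": "net-a",
                  "hp-net-b-01": "net-b"}

# Honeypot interaction log (constructed). "cve" is the exploit signature
# tag the sensor attached; "sha256" is the dropped file, if any.
HONEYPOT_EVENTS = [
    {"sensor": "hp-net-a-01", "src": "203.0.113.10", "service": "http",
     "cve": "CVE-0000-0001", "sha256": "sha256-placeholder-1"},
    {"sensor": "hp-net-b-01", "src": "203.0.113.10", "service": "http",
     "cve": "CVE-0000-0001", "sha256": None},
    {"sensor": "hp-net-a-02", "src": "198.51.100.7", "service": "ssh",
     "cve": None, "sha256": "sha256-placeholder-2"},
    {"sensor": "hp-net-a-01", "src": "192.0.2.44", "service": "telnet",
     "cve": None, "sha256": None},
]

# p0f passive OS fingerprint per source IP (constructed guesses).
P0F_OS = {"203.0.113.10": "Linux 3.x+",
          "198.51.100.7": "Windows 7 or 8",
          "192.0.2.44": "Linux 2.2.x-3.x (barebone)"}

# Botnet sinkhole check-ins: an IP listed here contacted a sinkholed C2.
SINKHOLE_HITS = [{"src": "198.51.100.7", "family": "botnet-family-placeholder"}]

# Passive DNS: names that have resolved to the IP (constructed).
PDNS_NAMES = {"203.0.113.10": ["shop.example.com", "www.example.com"]}

# Sandbox verdicts for dropped files (constructed labels).
SANDBOX_VERDICT = {"sha256-placeholder-1": "webshell-placeholder",
                   "sha256-placeholder-2": "irc-bot-placeholder"}


def classify_role(os_guess, sinkhole_families, hostnames):
    """Heuristic host role: the three profiles named in the abstract."""
    if sinkhole_families and os_guess.startswith("Windows"):
        # Talking to a sinkholed C2 from a desktop OS: an infected client.
        return "infected workstation"
    if hostnames and os_guess.startswith("Linux"):
        # A Linux box that public names resolve to is hosting something.
        return "compromised web server"
    if not sinkhole_families and not hostnames:
        # No hosting footprint and no infection telemetry: throwaway box.
        return "ephemeral scanning/exploitation box"
    return "undetermined"


def profile_attacker(ip):
    """Join every sensor's view of one source IP into a single profile."""
    events = [e for e in HONEYPOT_EVENTS if e["src"] == ip]
    sinkhole_families = [h["family"] for h in SINKHOLE_HITS if h["src"] == ip]
    os_guess = P0F_OS.get(ip, "unknown")
    hostnames = PDNS_NAMES.get(ip, [])
    sensors = {e["sensor"] for e in events}
    networks = {SENSOR_NETWORK[s] for s in sensors}
    return {
        "ip": ip,
        "role": classify_role(os_guess, sinkhole_families, hostnames),
        "os": os_guess,
        "sinkhole_families": sinkhole_families,
        # CVE tags this source has been seen exploiting across all sensors.
        "cves": sorted({e["cve"] for e in events if e["cve"]}),
        # Sandbox labels for whatever it dropped.
        "tools": sorted({SANDBOX_VERDICT.get(e["sha256"], "unanalyzed")
                         for e in events if e["sha256"]}),
        "sensors_hit": len(sensors),
        # Seen from sensors in more than one network: not just my problem.
        "scope": ("distributed campaign" if len(networks) > 1
                  else "limited to one monitored network"),
    }


def profile_all():
    """Profile every source IP that touched a honeypot."""
    sources = sorted({e["src"] for e in HONEYPOT_EVENTS})
    return {ip: profile_attacker(ip) for ip in sources}


if __name__ == "__main__":
    for ip, p in profile_all().items():
        print(ip, "|", p["role"], "|", p["scope"], "|", p["cves"], "|", p["tools"])
```

In a real deployment the dictionaries above would be replaced by lookups against the sensor stores, and the role rules would need tuning per environment; the join key (source IP plus time window) and the per-IP output shape are the part that carries over.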