LARGfeed + Icarus Expansion

Since we last updated you on the Icarus Project in February, it seems like a good time for an expansion pack.

The next development is enhancing the attacker database logging to enable the creation of the LARGfeed. The honeypot now reports back to a central server that processes attack data and produces a threat feed. The feed started out as a flat file that Firepower can ingest and is now also available in STIX format, which allows us to include a wealth of information about the attacker besides just their IP.

In essence, LARGnet now has a security threat feed tailored for our membership.

During the pilot we ingested this feed into our Firepower Management Center and only monitored without blocking the contents. The process automated easily and my software is currently coded to keep an offending IP on the list for 15 days. If an IP attacks us a minimum of once every 2 weeks, it stays in the threat feed. The Firepower Management Center has a configurable TTL (days) for attacker information that defaults to 90 days.

The pilot was a success, so we now block IPs in the feed instead of just monitoring. As of this writing the automated honeypot->feed->FMC system blocks over 1500 threats/day with no false positives since all IPs in the feed have previously attacked us. While it is possible that a legitimate IP ends up blocked, the onus is on them to figure out why attacks are originating from that address.

I included the ability to remove entries from the threat feed as a necessary part of the testing process, but so far I haven’t needed to unblock anything.
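The retention and removal behaviour described above can be sketched as follows. This is an added example, not the LARGfeed software itself: the event tuple format, the function names, the sample addresses (documentation ranges) and the one-address-per-line flat-file layout are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=15)  # retention period stated in the post

# Constructed honeypot reports: (ISO-8601 timestamp, source address).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00+00:00", "203.0.113.10"),  # 19 days old: ages out
    ("2024-05-02T09:30:00+00:00", "198.51.100.7"),  # old sighting...
    ("2024-05-15T10:00:00+00:00", "198.51.100.7"),  # ...renewed by a repeat attack
    ("2024-05-18T23:15:00+00:00", "192.0.2.44"),
    ("2024-05-10T00:00:00+00:00", "2001:db8::5"),
    ("2024-05-19T01:00:00+00:00", "not-an-ip"),     # malformed: never reaches the feed
]
NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)


def build_feed(events, now, removed=frozenset()):
    """Return addresses whose latest attack is within RETENTION, minus removals."""
    last_seen = {}
    for stamp, raw in events:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # a bad log field must not become a block rule
        seen = datetime.fromisoformat(stamp)
        # Only the most recent sighting matters: each new attack restarts the clock.
        if ip not in last_seen or seen > last_seen[ip]:
            last_seen[ip] = seen
    removed_ips = {ipaddress.ip_address(r) for r in removed}
    active = [ip for ip, seen in last_seen.items()
              if now - seen <= RETENTION and ip not in removed_ips]
    # IPv4 and IPv6 objects do not compare directly, so sort by (version, value).
    return [str(ip) for ip in sorted(active, key=lambda i: (i.version, int(i)))]


def render_flat_file(ips):
    """Serialise the feed as plain text, one address per line (assumed layout)."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    print(render_flat_file(build_feed(SAMPLE_EVENTS, NOW)), end="")
    # Manual removal of an entry, as used during testing of the feed.
    print(build_feed(SAMPLE_EVENTS, NOW, removed={"192.0.2.44"}))
```
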

The beauty of this list is that most IPS, like Firepower, give you the option to add additional threat feeds.

Contact us at support@largnet.ca to get access to the feed!

LARG*net