Brutkey

Buttered Jorts
@ajn142@infosec.exchange

@hrbrmstr@mastodon.social since they explicitly call out ID’ing “malicious” behavior from IPs y’all have classified as “benign” any thoughts on the reason for that difference?


hrbrmstr 🇺🇦 🇬🇱 🇨🇦
@hrbrmstr@mastodon.social

@ajn142@infosec.exchange rly good q. our folks who were at BH/DC met with the dev and we're gonna sync up on the project so I'll report back.

If they're using static "benign" lists, that could be it. We re-verify all benign actor IP lists quarterly, and some actors are dynamic (RDNS, etc) by nature.

Buttered Jorts
@ajn142@infosec.exchange

@hrbrmstr@mastodon.social cool, I figure y’all both have reasons for why you classify the way you do, and it seemed interesting to understand why.