manuka: A modular OSINT honeypot for blue teamers
Manuka is an Open-source intelligence (OSINT) honeypot that monitors reconnaissance attempts by threat actors and generates actionable intelligence for Blue Teamers. It creates a simulated environment consisting of staged OSINT sources, such as social media profiles and leaked credentials, and tracks signs of adversary interest, closely aligning to MITRE’s PRE-ATT&CK framework. Manuka gives Blue Teams additional visibility of the pre-attack reconnaissance phase and generates early-warning signals for defenders.
Although they vary in scale and sophistication, most traditional honeypots focus on networks. These honeypots uncover attackers at Stage 2 (Weaponization) to 7 (Actions on Objectives) of the cyber kill chain, with the assumption that attackers are already probing the network.
Manuka conducts OSINT threat detection at Stage 1 (Reconnaissance) of the cyber kill chain. Despite investing millions of dollars into network defenses, organizations can be easily compromised through a single Google search. One recent example is hackers exposing corporate meetings, therapy sessions, and college classes through Zoom calls left on the open Web. Enterprises need to detect these OSINT threats on their perimeter but lack the tools to do so.
Manuka is built to scale. Users can easily add new listener modules and plug them into the Dockerized environment. They can coordinate multiple campaigns and honeypots simultaneously to broaden the honeypot surface. Furthermore, users can quickly customize and deploy Manuka to match different use cases. Manuka’s data is designed to be easily ported to other third-party analysis and visualization tools in an organization’s workflow.
Designing an OSINT honeypot presents a novel challenge due to the complexity and wide range of OSINT techniques. However, such a tool would allow Blue Teamers to “shift left” in their cyber threat intelligence strategy.
- Sources: Possible OSINT vectors such as social media profiles, exposed credentials, and leaked source code.
- Listeners: Servers that monitor sources for interactions with attackers.
- Hits: Indicators of interest such as attempted logins with leaked credentials and connections on social media.
- Honeypots: Groups of sources and listeners that are organized into a single Campaign which analyzes and tracks hits over time.
The framework itself consists of several Docker containers which can be deployed on a single host.
- manuka-server: Central Golang server that performs CRUD operations and ingests hits from listeners.
- manuka-listener: Modular Golang server that can perform different listener roles.
- manuka-client: React dashboard for Blue Team to manage Manuka’s resources.
These containers are orchestrated through a single docker-compose command.
Copyright (C) 2020 spaceraccoon