Recently I have wanted to pursue malware analysis at a greater level; the issue I ran into, however, was collecting malware samples. This led me to a lot of research and finally to Modern Honey Network (MHN).
One of the most effective methods of collecting malware samples from the wild is deploying a honeypot.
In the past I had used T-Pot, an all-in-one honeypot produced by T-Mobile. It is a highly effective honeypot that presents its statistics and threat data as appealing graphs using Grafana. While easy to implement and deploy, this method has a number of limitations, which largely came down to how restrictive I found the T-Pot environment to be. In terms of gathering malware samples, T-Pot was somewhat limiting when attempting to collect binary data from Dionaea.
I had again in the past used MHN, but had never deployed it into a "production environment". Anyone wishing to delve further into the world of malware should seriously consider MHN as a framework on which to base the collection of samples.
MHN boasts an attractive user interface and makes deploying honeypots a breeze, and it offers a number of deploy scripts that can be installed on your nodes.
List of currently available honeypots
Once your MHN master server is up and running, you can simply copy the required script and paste it into the terminal on your nodes. This makes deploying honeypots incredibly easy. You also have the option of deploying honeypots manually; however, I have not felt or seen the need for this, as the automated scripts work very well.
Another added bonus of MHN is the included live threat map, which provides visual metrics similar to the public threat maps from Check Point and Kaspersky.
The attack report bundles the incoming data from the honeypots and makes it easy to access and understand. While many of these honeypots can be run as standalone appliances, retrieving data from each of them individually could be considered cumbersome.
This option is fantastic in terms of malware analysis, as it offers the ability to track live threats easily and provides the information needed to further pursue the malicious payload.
In many cases the MD5 hash provided can be compared against VirusTotal. In some cases there may be very little information available, so again, by using the MD5 hash you can turn to VirusBay to request the samples you are after.
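To put the workflow above into code, here is an added Python example (my own, not part of MHN, Dionaea or VirusTotal) that hashes a captured sample the way the MHN report presents it, looks the hash up via VirusTotal's v3 file endpoint, and decides whether a VirusBay request is the next step. The sample bytes and both VirusTotal responses are constructed so the triage logic runs offline; the API key is assumed to be yours.

```python
"""Triage a Dionaea capture from the MHN attack report: hash the sample,
look the hash up on VirusTotal, and flag samples worth a VirusBay request."""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"

# Constructed stand-in for a binary Dionaea captured (not a real sample).
SAMPLE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed test payload"

# Constructed VirusTotal v3 responses, shaped like the real ones, so the
# triage logic can be exercised offline without an API key.
KNOWN_RESPONSE = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 41, "suspicious": 0, "undetected": 27, "harmless": 0,
    "timeout": 0, "type-unsupported": 2, "failure": 0}}}}
UNKNOWN_RESPONSE = {"error": {"code": "NotFoundError", "message": "Resource not found."}}


def hash_sample(data: bytes) -> dict:
    """MD5 as shown in the MHN report, plus SHA-256 for VirusTotal/VirusBay."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def fetch_virustotal(file_hash: str, api_key: str) -> dict:
    """Query VirusTotal's v3 file endpoint; a 404 body is returned as-is
    (its "error" key tells triage() the hash is unknown to VirusTotal)."""
    req = urllib.request.Request(VT_FILES_URL.format(file_hash),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def triage(vt_body: dict) -> dict:
    """Turn a VirusTotal response into a next step for the analyst."""
    if "error" in vt_body:
        return {"known": False, "malicious": 0, "total": 0,
                "next_step": "unknown to VirusTotal: request the sample via VirusBay"}
    stats = vt_body["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    total = sum(stats.values())
    step = ("pull the VirusTotal report and pivot on the detections" if malicious
            else "few or no detections: request the sample via VirusBay and sandbox it")
    return {"known": True, "malicious": malicious, "total": total, "next_step": step}
```

For a live lookup, pass the MD5 from the MHN report to fetch_virustotal() with your API key and feed the result to triage().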
This was a brief overview of MHN and my personal use of this framework. While my honeypot network is in its infancy, there will be a great deal more content to follow as it expands and grows.