This summer, I worked as an intern at Expanse, on the team that builds our data collection technology. The team performs scanning of the whole Internet to discover unprotected assets so that we can help our customers keep their networks safe from would-be attackers. My summer project was to build a device to actually detect the activity of malicious actors on the Internet: a honeypot.
Honeypots can range in sophistication, from simple listeners that do not send back any responses to advanced tools that move down exploit chains to try and gather as much information about an attacker’s strategies as possible. Expanse already had simple listeners in place, but those wouldn’t tell us anything about actual banners; just that someone attempted a connection. Just as protocol-validated scanning is better than just checking for open ports, establishing a connection and collecting incoming data is better than logging connection attempts.
The main problem that honeypots can solve for Expanse is better understanding the traffic going around the Internet. By better understanding what kinds of vulnerabilities attackers are trying to exploit, we can further improve our scanning to try and detect potentially vulnerable assets that belong to our clients, and notify them before they can be affected by those attacks. Because attackers are always improving their tactics, we also need to constantly work on improving our scanning. The honeypot can expose anything that we might be missing.
Another application of the honeypot is to validate our own scanning. We have methods of testing our scanners locally, but the honeypots provide real-world monitoring: are we seeing the banners we expect to be sending? Are our scans appearing where and when they should? This kind of validation can expose problems that might not be detected as quickly in other ways.
Overall, this has been an extremely exciting project for me. As an intern at Expanse, I was very happy that I could build something so meaningful and so central to Expanse’s mission; something that will be used by the company once I leave. I wrote it in Go, which I was very excited to learn on the job. I even collaborated with a couple of people on other teams, especially our Cyber Research Engineering group, as they had some prior experience building honeypots.
During my internship, I participated in all team activities: sprint planning and other agile ceremonies, meetings, etc. Everyone on my team helped me succeed when there were tasks I struggled with, and helped me learn so many new things — from using Infrastructure as Code and Docker to Google Cloud Storage and BigQuery.
Last and definitely not least, we had quite a few “mandatory fun” events where we played board games like Codenames (word of advice: don’t be on the same team as my manager, as his team always picks the assassin card). All in all, I’ve had a great remote experience, and this internship at Expanse really made for a wonderful summer in quarantine.
I’m looking forward to applying what I learned in my career going forward, and honored to have contributed to Expanse’s mission of making the Internet a safer place.