Adli Wahid 0:00 So it is absolutely an important tool set, or toolkit, in any security researcher's toolbox, basically, if you want to understand a certain kind of attack. So let's say I'm wondering, what sort of attacks do Windows systems get? Then I will configure my honeypot to emulate some of the services that are offered by Windows. I may weaken it a bit just to give a chance for people to actually come in and see what they will do once they have access to a system, and from there, I can collect malware samples. I can have network traffic, depending on what you want to do. These things are very, very useful. In addition, if you're talking about honeypots within an enterprise, these are very useful detection tools, which means that maybe you have done a lot to secure your organization. You have the firewalls, you have the IDS and whatnot. But what else can go wrong, right? So you put honeypots within the network, just in case, you know, people are able to bypass those security controls that you have put in place.

George Michaelson 1:04 You're listening to PING, a podcast by APNIC discussing all things related to measuring the Internet. I'm your host, George Michaelson. This time, I'm talking to Adli Wahid from APNIC. Adli is the Senior Internet Security Specialist here, and has management of the APNIC Honeynet and our relationship with the security incident response and related community in his hands. We've discussed Adli's work before on PING, as well as the Global Cyber Alliance Honeynet with Leslie Daigle, a very similar project. This time, Adli is reviewing what's been happening across 2025 as seen by the Honeynet, and the future plans for this community investment in security and threat analysis. Adli, welcome back to PING.

Adli Wahid 1:55 Thank you, GGM. Nice to meet you again.

George Michaelson 1:57 So it's been a while since you were on PING. You spoke to us last year, I believe.

Adli Wahid 2:03 Yeah, about a year ago.
Can't remember exactly when, but yes, we did. We did have a chat about the project last year.

George Michaelson 2:09 Now I've known you for, geez, it's going to be 11 years now that you've been working in APNIC as our security specialist and the frontline agent out there fighting the forces of badness in the world. How about we talk a little bit about where we're at, what's actually happening in the world, what's the state of play?

Adli Wahid 2:29 Well, a lot is going on in security, obviously, GGM. So I got my 10-year celebration last year at APNIC. On one hand, we are seeing more or less the same issues at play, and people are struggling with, you know, how to patch their machines, you know, how to improve security. We're getting a lot of requests to help folks to organize security within organizations, how to coordinate security, and so on and so forth. The main reason for that is that there has not been any slowdown in terms of attacks that are out there leading to breaches of information. You know, ransomware is still keeping people awake at night, just difficulties in dealing with vendors who don't really care so much about security. Unfortunately, until today.

George Michaelson 3:14 So you were previously on the board of FIRST, which is an international organization aimed at looking at this problem. It's the incident response community, isn't it?

Adli Wahid 3:25 Yes. So FIRST, it's the Forum of Incident Response and Security Teams. It is a global organization of CSIRTs around the world. What's very interesting is that many of the members from our region consist of national CERTs [George: right], whereas in Europe or in the United States, you have membership that comprises those from the enterprises, like the banks and the hospitals.
George Michaelson 3:46 So it's quite a classic divide culturally between the Asia Pacific region, Europe and America, that they tend to go to private industry, private sector solutions, and we tend to see the need for structural behavior inside the state. I think there's more concern about the potential strategic risks to state enterprise. It's maybe also because we just have more legacy monopoly telco in play here. We have an awful lot more people that are still essentially using centralized, centrally managed networking. I don't know. What do you think?

Adli Wahid 4:17 The way I see it is that I feel that here in the Asia Pacific region, first of all, there is a gap between those who have the means to do security and those who don't. Perhaps, you know, people who are working for banks or financial institutions or the oil and gas organizations, they invest in security because their peers in Europe or in the States [George: yeah] focus on security.

George Michaelson 4:37 They're in an international community where there are industry best practices to do this, then they just know that if they want to do financial services in Europe, they have to be active in this space.

Adli Wahid 4:47 That's right, yeah. And for a lot of economies in our region, the starting point of having anything security at the national level begins with the national CERT. It is a bit more top-down-ish, [George: yeah] so a lot of my work in the beginning has been focusing on national CERTs. And there are now many national CERTs who are like, okay, we need to now expand this idea of doing security to the smallest unit within the country.

George Michaelson 5:14 You can kind of see this as low-hanging fruit. The national CERT talks to the oil sector, the industry, fintech that are ready to do it and already doing it. They build critical mass, and then they go out to the smaller ISPs, the education sector, small industry, and say, hey guys, you need to lift your game up a bit.

Adli Wahid 5:33 Absolutely.
And some of the CERTs that we work with, GGM, especially in the Pacific island nations, or even in some of the least developed countries, the CERTs are not that big, you know, just two or three people doing pretty much everything. So they really need to increase the pace so that organizations within the country have some capabilities, and, most importantly, start to do security or invest in security.

George Michaelson 5:56 But that's actually been an initiative APNIC has been undertaking for a number of years now, isn't it? Going into regional, remote, small island communities in the Pacific and helping them bootstrap some sense of ownership of the problem in their own territory?

Adli Wahid 6:11 And I think we are seeing some good results. Obviously, you can look at, you know, more CERTs exist within our region, and some of them have become members of FIRST and APCERT as well. So we are making the links so that the small communities get access to the bigger communities, so there's more knowledge sharing, more information exchanges and whatnot. At the same time, I think through some of the activities that we do at APNIC conferences, like the security track, we've been trying to link the CERT communities and the telcos and I space communities, telling them that you guys really need to

George Michaelson 6:40 bridge the gap between them.

Adli Wahid 6:42 Yeah, bridge the gap. We are all friends. We need to help one another. If we are not talking to one another, then, you know, there could be some victims out there [George: yeah] who are struggling, who are being attacked, like the hospitals, like the schools, where they don't have any expertise whatsoever.

George Michaelson 6:56 So you were on the board, but you're now...
You're no longer on the board, but you're working in community building and education areas in FIRST, I believe.

Adli Wahid 7:04 I stepped down in 2018 just because, you know, there's so much to do at APNIC itself, so I don't need any additional responsibility. However, I still do engage with some of the working groups or some of the initiatives, like the fellowship program, where they have new teams joining FIRST. So I do help. You know, the fancy word is mentor, but basically just, you know, helping out, connecting people and whatnot. And every now and then, I volunteer to help the program committee for the annual conference that happens in June.

George Michaelson 7:32 I have to say, people, if you're listening to this, you need to invite Adli to a workshop where you role-play bad things happening in public communication. He is brilliant. He goes through all the stages of dress-up on a video link, from naive techie all the way to president of the country in a full-on military uniform, to get us in the vibe for doing the work. He's brilliant at hosting those kinds of workshops. But listen, Adli, the reason we're here is kind of a bit more for measurement, and you have a long baseline activity that you've been doing in APNIC around capturing traffic that's out there that we wouldn't want to see. Can we talk a little bit about this?

Adli Wahid 8:12 Yeah, sure. So I assume that you're talking about my Honeynet project.

George Michaelson 8:15 I am.

Adli Wahid 8:17 Yeah. So we've been running the project for how long now? Maybe six, seven years already it's in production.

George Michaelson 8:25 How many nodes do you have in this?

Adli Wahid 8:27 As of last year, we hit 400 nodes [George: Wow!] around the region. Yeah, that's quite a bit. I mean, we started with like 20. I remember, still remember.

George Michaelson 8:36 So for people who aren't in the security space, can you just describe a little bit.
What is the idea between a node in a Honeynet and the Honeynet as a whole? What are we really talking about here?

Adli Wahid 8:46 Okay, so honeypots, the nodes that we are running, basically accept connections from other systems on the Internet. Maybe they try to attack the nodes in different ways. With the 400 nodes that we have, or sensors, actually, that's the word that we use, we have a Honeynet. So these are all connected, and they're all sending data to a single location where we can process and filter.

George Michaelson 9:07 So a honeypot would look, to somebody out on the network who's sending packets and probing, like a badly run machine. It would have open ports that it can connect to. It would have responses that say I'm running very old software with lots and lots of holes and opportunistic bugs. It would present a login prompt where you could log in on virtually any password. It would look like a badly run machine. And we're not saying people should deliberately go and put up real badly run machines, but a honeypot looks like a badly run machine. And it's not just that. It's like the front door. These systems will actually pretend to give you web pages, pretend to give you a login, won't they?

Adli Wahid 9:48 So it is absolutely an important tool set, or toolkit, in any security researcher's, you know, toolbox, basically, if you want to understand a certain kind of attack. So let's say I'm wondering, what sort of attacks do Windows systems get? Then I will configure my honeypot to emulate some of the services that are offered by Windows. I may weaken it a bit just to give a chance for people to actually come in and see what they will do once they have access to a system. And from there, I can collect malware samples. I can have network traffic, depending on what you want to do. These things are very, very useful.
In addition, if you're talking about honeypots within an enterprise, these are very useful detection tools, which means that maybe you have done a lot to secure your organization. You have the firewalls, you have the IDS and whatnot. But what else can go wrong, right? So you put honeypots within the network, just in case, you know, people are able to bypass those security controls that you have put in place.

George Michaelson 10:44 So it's kind of like a device that you would have on your own network that would see if someone had opportunistically attacked a real system you ran and were now looking for other targets inside your network. So you could use it both to measure badness out in the world, and to measure, has somebody put a bad thing inside me?

Adli Wahid 11:05 That's right. So the Honeynet that we run are honeynets that are out there on the wild world, the wild Internet, basically. So we get a lot of hits. However, there is a use case for honeypots to be running inside organizations for detection purposes. And we do this in some of our training as well, which I will speak about later on.

George Michaelson 11:22 These things don't get turned off and on. They're not like nine-to-five services, right? You're running these continuously.

Adli Wahid 11:28 Yep, 24/7, 365, all the time. Yeah.

George Michaelson 11:32 And they're producing reams and reams of data. What do you actually do? Do you have a method of collecting this data and processing this data?

Adli Wahid 11:41 Yeah. So when you run honeypots, especially if you run honeypots at a large scale like we do, you have to think about how to collect all this data that the honeypots are collecting or seeing, and have some mechanism to, you know, process them. So we have a database. We use Elasticsearch, basically, to collect all this data, and from there, you know, we do some manual work to process all of it. We automate then by sending this data to other systems, you know?
And the thing is, the more honeypots that you have, the more data that you will collect. And you have to really know what to do and how to deal with them, so that they become useful and you can pick out the interesting bits [George: yeah] so that you can action them. And that's what we do as well. We're not just collecting data for the sake of collecting data. We want to action some of these observations so that people can take care of, fix some of the problems that we're seeing.

George Michaelson 12:27 Yeah, one of the federated outcomes that people might not know about is that we take a feed from your honeypot facility and integrate it into the DASH system, along with origin AS and member data, so people can see inside their dashboard their own health. They can get a handle on whether there are packet flows originating from them into the wider world. It's a nice thing to do, but you also federate with other people as well, don't you? There's really quite a big community of honeypots out there.

Adli Wahid 12:57 Absolutely. So I think GGM, and maybe those who are listening, is aware of this problem of reporting abuses or reporting incidents, right? We have to use every possible way to reach out to folks to tell them that there is a potential issue here that you have to look into or fix. On one hand, our members, so anything that we see from our members gets sent to DASH, and now there's a feature in DASH that can alert the members. They can sign up for alerts. So every time the IP address or the ASN shows up in our honeypot, which they shouldn't, because there's nothing in our honeypot to begin with, they should take action and maybe investigate, and we can provide maybe additional data sets as well if they really want to find out what's going on.
But the basis of this whole thing is that, well, we shouldn't see any traffic from you to begin with. But also we share with other organizations, especially if we need to have data to be sent to other parts of the world. So we work with the Shadowserver Foundation. They take feeds from us on a daily basis. We've been doing it with them for, I think, almost five years, and they are also supported by the APNIC Foundation. So you know, it's a good collaboration, and hopefully, when they send out these feeds to other organizations in other parts of the world, the global community can benefit from our findings or data collection. And one more thing that we do, and maybe it's hard to see how useful this is, but there is a tool that many security teams use, called MISP. So MISP is M-I-S-P, yeah, so it's a threat sharing platform. It's open source and free and developed by a group called CIRCL in Belgium. Those who are using this tool have the ability to subscribe to our feeds. They can just tick the box and automatically they get data from us. So I don't know how many users of MISP are out there, but there is definitely a lot that can take data from us as well. [George: Yeah] By doing this, we hope that whatever we see gets out there, whether it's CERTs, telcos, ISPs, the more eyes on this thing that we're seeing. You know, maybe we can help improve the Internet in the long term.

George Michaelson 14:52 What's 2025 been like so far? What's kind of the state of the world as we're speaking? Are things on the rise? Are there trends emerging here?

Adli Wahid 15:01 So for the kinds of honeypots that we are running, so we still are doing the majority honeypots that emulate Linux-based systems, we are seeing, again, more or less the same thing, but in an increasing number, right?

George Michaelson 15:13 Right. The weather is rainy. The amount of rain is rising. It's not that we've got amazing lightning storms or new forms of attack that are really radically different.
It's just the continued trend that we always had has just got more intense.

Adli Wahid 15:29 Absolutely, so just more things to deal with, and a lot of traffic, definitely a lot of hits from more or less the same things, which sometimes makes me wonder if we as a community are not responding as quickly as we can, or people have given up, basically thinking that, you know, there's much we can do, we do our best as much as we can, but at the same time, it means as well that, you know, the criminals do get away with doing things. [George: Yep] I'm still seeing attacks that we saw maybe, you know, three or four years ago. They went quiet for a bit. [George: Yeah] Maybe they took a break, maybe a holiday, spent their money, and now they're back in action.

George Michaelson 16:04 So an attack like Mirai that we saw at scale all those years ago, there is still a continuing trend of Mirai bots out there. There are still attacks of that kind of system.

Adli Wahid 16:15 There is still a lot of those, you know. And I'm seeing, you know, maybe two or three common themes. One is that these are coming from machines that were never fixed. You know, devices that were never fixed, they hit us every day, and you know, all the reports that are being sent out, hopefully, you know, they reach the right people there, but no action has been taken. Secondly, we see a lot of new systems being hit by this as well, which means that, you know, there are many devices out there, maybe recently sold, that have the same vulnerability that can be exploited by Mirai.

George Michaelson 16:44 So you're saying that even though we've known for almost a decade about the risks in the supply chain behind software on smart devices, you are seeing new devices being plugged in that are basically broken and crackable day one of being turned on.

Adli Wahid 17:01 Yeah, sometimes, you know, the issue is very basic, GGM.
You know, a lot of these devices, the IoT, especially the routers and the modems, they come to the consumer with telnet turned on.

George Michaelson 17:11 Public-facing telnet.

Adli Wahid 17:12 There we go. So admin/admin, or something like that. So they don't stand a chance, because these bots will find them in a matter of seconds.

George Michaelson 17:22 Do you have a sense for how long it takes a new device on an IP address to be pinged actively on the net? If I plugged a device in without any firewall in front of it, how long after I turn it on before it starts to see attack traffic?

Adli Wahid 17:35 Only less than 10 minutes. Less than 10 minutes.

George Michaelson 17:38 Oh, you're kidding. 10 minutes to secure a device.

Adli Wahid 17:41 You should try it, yeah? And I think this is where people are discussing the same topic, you know, wherever I go. There's still, you know, this finger pointing and blame game, yeah. Telcos are like, you know, it's not our job, you know, the customers bring in their own devices, you know, it's not our responsibility. And the customers being customers say, we don't know any better, you know, it should help us.

George Michaelson 18:00 Yeah, you can kind of see why, in that situation, a national regulatory approach may well be appealing to a state that's worried about risk on its overall surface, because somebody has to stand up and say, okay, guys, we're all going to have to wear some pain here. This is the minimum standard. It really does take someone acting, doesn't it?

Adli Wahid 18:20 Absolutely. And you know, there have been some good, I know, some nice stories as well. I think last year there was an ISP that received alerts from us, and they're like, oh, okay, we didn't know about this problem before.
And I think from now on, when we procure the devices for the customers, we're going to look into the security thing and maybe enhance the security before we give it to them so that, you know, they won't get compromised.

George Michaelson 18:42 So we might start to see different approaches to dealing with this emerging in the market, in the way people attach to the network. And we may also have to start going deep down into the supply chain, talking to people who are releasing code to make sure they're on top of this kind of thing.

Adli Wahid 18:59 Yeah, that's right. So I think there's been a struggle. When we talk about the supply chain, if it comes from the vendor, then I think it's very tricky. The vendor has to fix the problem before they release the product. Also, it is the responsibility of, you know, whoever is purchasing. For example, you know, if you're making big purchases, like telcos and, you know, ISPs, there should be somebody probably in the organization that should look into this, because you are now going to be supplying this item to government, to hospitals, to users, and if they are compromised, then it could mean, you know, security breaches, more security breaches or DDoS attacks.

George Michaelson 19:31 Right. And I mean that loss of service, given the importance, the centrality of the Internet to delivery of service nowadays, this really could affect public service delivery. This could go directly to emergency services, hospital, banking, education. This is big stuff.

Adli Wahid 19:47 It's big stuff. I mean, think about all these cameras that are recording, you know, images in sensitive areas, if they are compromised. I mean, maybe the botnets do not really care about those images at the moment, but, you know, they're just using it for doing DDoS attacks, or, you know, spreading malware and whatnot.

George Michaelson 20:02 Right.
But a state actor that was adversarial would be looking at this, rubbing their hands with glee for the opportunistic things they can do.

Adli Wahid 20:10 Right, right? And imagine the business that they can get out of this, to say that, you know, we have, you know, a lot of cameras, this amount of cameras at this facility. You know, who would like to have access to it? You know, it's $50 per hour, or something like that.

George Michaelson 20:22 So that is still taking place. There's still an underground economy, and people trading data in this kind of space.

Adli Wahid 20:29 Oh, yeah, we know that for sure, especially if you look at the ransomware incidents that have occurred in the last few months. You know, it is still a story where, you know, information is being shared in the underground world. You know, people are being threatened or being blackmailed for money and whatnot. Same old story.

George Michaelson 20:45 So looking ahead, what do you see in coming years? What's kind of on the horizon here?

Adli Wahid 20:51 So there's a couple of things that we are working on, GGM, this year. We will not focus so much on increasing the number of sensors. I think we have a good number. We'll probably try to go up to 500, but we are now doing some work in maybe changing some of the honeypots to emulate something else. So right now, as I said, we are emulating a lot of Linux systems, but maybe we go, maybe some web honeypots, or some Windows honeypots.

George Michaelson 21:16 Yep. So increase the surface of measurement to get a sense of the different classes of attacks that are taking place.

Adli Wahid 21:22 That's right. And before doing that, we also have to sort of upgrade the back end as well, because I suspect once we start emulating Windows machines, more Windows machines or the web, we are going to get more data, more traffic.

George Michaelson 21:33 Right. So there's actually a capital investment that you have to take care of to manage this framework.
It's kind of like a community benefit that APNIC is providing into the region, but it's not zero cost by any means, is it?

Adli Wahid 21:46 That's true, so someone has to pay for it. In other words, in terms of collaboration, maybe last time I mentioned that we are not looking for organizations to help host sensors anymore. We can do that ourselves. But there are a few people in our region, a few groups in our region that work on honeypots, so we are looking at some collaboration in terms of maybe sharing training content, or developing training content together, because there's a lot of interest for folks to do honeypots, and it's nice if, you know, there's a community that they can work together with.

George Michaelson 22:16 Yeah, community building has this long-term impact. [Adli: right] You're kind of providing capability out in the field. So it's not all telephone calls terminating in Adli. There's a bunch of people who can be helping. And I think it's nice to put the energy into building more engagement in a wider community. That's a nice piece of work. [Adli: yeah] So a bit of capital investment, a bit of new technology to change the things that you can measure and see, diverse attacks in web and in Windows, perhaps, and a bit of community building. Are you doing other things? Are there more training initiatives coming?

Adli Wahid 22:50 Yes. So we are going to be doing a couple of trainings this year. So far, we have one training in Bangladesh in May, at the Phoenix conference. We also have some content already on the Academy. So if people are interested to play with some of the honeypots that we have, there is a lab there.

George Michaelson 23:07 This is self-managed, self-paced learning.

Adli Wahid 23:09 Self-managed, self-paced learning that they can go and try things out.
So that's there, but yeah, there will be a couple of workshops this year focusing on honeypots. And about that community engagement, GGM, one area that we want, we are interested to work with folks on, is enhancing or developing new tools that can be deployed as honeypots. A lot of people out there who are deploying honeypots, I know, including us, we use free and open source software that is available on the Internet, developed by other folks. So we are keen to maybe increase the amount of tools that are available and also enhance the tools. So maybe working with students or people who can code to develop some new tools or enhance some of the ones that we are using.

George Michaelson 23:49 So this might come up as hackathon ideas at regional NOG conferences, or it might be software development projects with students, late-stage students, master's students, things like that. That's a really nice initiative.

Adli Wahid 24:01 We'll try. We'll try to do our best, definitely.

George Michaelson 24:04 Well, the one thing that we're not seeing is that there's likely to be a reduction in risk in the global Internet. I mean, it feels like you're saying this is a problem that is going to be with us for the foreseeable future.

Adli Wahid 24:15 That's true, and I think it's not simply because people are not doing enough. People are doing a lot, and there's more awareness, absolutely, and there's more engagement, you know, more regulations in security. But I think the scale of the problem, and there's multiple angles to it, right? I was talking to some friends from the LEA community, and they're like, we are having a hard time to find and, you know, make arrests of the criminals, right? And people are thinking that we're not doing our job, but not realizing that this is actually a global problem. It is very difficult, very challenging, to collect information, to go after the criminals.
George Michaelson 24:50 It actually goes all the way down to accuracy of registration in public records, around use of resources, in accuracy of announcement. It goes down to things like filters and firewalls that you have in your network. I think to this point that when you host the honeypot, you actually get exposure to the bad things in you, as well as your surface of risk from the outside world. I think we need more people to take on board that there may be measures they have to take about themselves. Maybe we have to start people filtering internal traffic and stop it going out into the world.

Adli Wahid 25:24 One of the activities that we do with some of the new research is engaging their constituency. And I see a lot of messaging on, you know, you have to do your bit to secure your organization, right, to secure your enterprise. You can put a honeypot within the organization, but you also need some firewalls, some IDS, some investment in antivirus software, security policies. So we are sort of going back to square one, where actually you need to secure yourself first and make some investment. And no more of this talk about we don't have any budget for security, because it is not optional anymore.

George Michaelson 25:57 This is a component of spend that goes directly to your own surface of risk and your risk to other people. It really has become something that's mandatory to implement, isn't it?

Adli Wahid 26:07 Yeah.

George Michaelson 26:08 That's really great. Adli, thank you.

Adli Wahid 26:10 Thank you.
George Michaelson 26:10 If you've got a story or research to share here on PING, why not get in contact by email to ping@apnic.net or via the APNIC social media channels. Also remember the measurement@apnic.net mailing list on Orbit is there to discuss and share relevant collaborative opportunities, grants and funding opportunities, jobs and graduate placings, or to seek feedback from the community on your own measurement projects. Be sure to check out the APNIC website for all your resource and community needs. Until next time.