2024-08-06 – Florentine A
Researchers have been using network telescopes and honeypots for twenty years to capture malicious activity spreading on the Internet. One notable example is the UCSD Network Telescope within CAIDA, which has enabled the passive detection, identification and quantification of numerous malware propagations, including Blaster, Sasser, Conficker and, more recently, the Mirai botnet and its sub-variants. Honeypots, which are built to respond to and interact with unsolicited incoming traffic, have also been used to elucidate how an infection behaves after the device has been compromised. By design, network telescopes are constrained to a single geographical region of operation, and their logical topology is also often bound to a single IP address block. On the other hand, the advent of cloud computing enables the launching of virtually unlimited compute instance fleets across many different regions of the world in minutes. This presentation introduces the Cloud Telescope: a reproducible and ephemeral cloud-native architecture for globally distributed capture of cybernetic activity. The Cloud Telescope comprises a Terraform infrastructure-as-code architecture currently compatible with Amazon Web Services in their twenty-six commercially available regions. We present the Cloud Telescope's architecture alongside the results from three experiments conducted in 2023: 1) the proof-of-concept pilot deployment for thirty days using 26 sensors in May, for which we collected and analysed 20 million network events; 2) the full-scale, semi-interactive, botnet-centric experiment with 260 sensors, 10 per AWS region, for which we collected 10 billion network events; and 3) a five-month fully passive observation that started in October, for which results are still being compiled. Result analysis includes traffic breakdown by protocol (TCP, UDP, ICMP), by transport-layer port, and for two selected application protocols: Telnet and HTTP.
We provide a geographical analysis of the most active attacking countries and ASNs, and an analysis of the traffic distribution affecting each sensor fleet in each AWS region. For experiment number 2, we were able to describe Mirai infection patterns, the commands executed upon infection and the most active countries providing infrastructure for botnet payload propagation.
The presentation will be organized as follows:
Section 1: Foundations
Section 1 focuses on the fundamental aspects of passive cyber threat intelligence acquisition.
1 - Internet Background Radiation
This introduces Internet Background Radiation as the unsolicited, often malicious traffic that affects any device directly connected to the Internet. Benign scanners such as Censys and Shodan are also defined here.
2 - Network Telescopes
This focuses on a quick but consistent explanation of how Network Telescopes have been deployed since 2003 to collect samples of the Internet Background Radiation.
3 - Honeypots and honeynets
Honeypots are briefly introduced here to draw out the similarities and differences between the passive traffic collection performed by network telescopes and the interactive counterpart that honeypots provide.
4 - Cloud Telescope
We then present the Cloud Telescope as a new approach that extends the functionality of network telescopes and honeypots.
Section 2: The Cloud Telescope
Section 2 describes the Cloud Telescope as a modern approach to acquiring cyber threat intelligence through Internet Background Radiation analysis.
It splits into the following subsections:
2.1 Ephemeral Architecture: The Cloud Telescope exists as a Terraform architecture. We show that anyone can launch it from the Terraform code we published at https://github.com/lucasbeiler/ibr-iac
2.2 Costs: The use of affordable t3.nano EC2 instances acquired under the spot pricing model allows a 26-sensor observation to operate at a total cost of less than 90 US dollars per month.
2.3 Deployment details: We show the most relevant aspects of the Cloud Telescope fleet deployment and management, including how tcpdump is used for the capture and how data is moved from the EC2 instance to a centralized global bucket for further analysis.
Section 3: Experiments and results
The third section focuses on demonstrating how cyber threat intelligence is actually extracted and enriched from the multi-gigabyte PCAP recordings, the GeoIP Library and other open-source intelligence sources.
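As an added example (not code from the presentation or the ibr-iac repository), the following Python reads a classic pcap buffer of the kind tcpdump writes on a sensor and produces the per-protocol, per-destination-port and per-source breakdown described above; the sample capture is constructed inline with documentation-range addresses, and the port 23 and 80 probes stand in for the Telnet and HTTP traffic the talk singles out.

```python
import struct
from collections import Counter
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_pcap(data):
    """Yield (src_ip, proto_name, dst_port) for every IPv4 packet; assumes Ethernet link type."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":   # little-endian pcap magic, as tcpdump writes on x86
        raise ValueError("not a little-endian classic pcap (pcapng / nanosecond pcap not handled)")
    off = 24                               # skip the 24-byte global header
    while off + 16 <= len(data):           # each record: 16-byte header + captured frame
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                       # skip ARP / IPv6 / truncated frames
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        l4 = frame[14 + ihl:]
        dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
        yield src, PROTO.get(proto, str(proto)), dport

def breakdown(data):
    # Counters per transport protocol, per (proto, dst port) and per source IP
    by_proto, by_port, by_src = Counter(), Counter(), Counter()
    for src, proto, dport in parse_pcap(data):
        by_proto[proto] += 1
        by_src[src] += 1
        if dport is not None:
            by_port[(proto, dport)] += 1
    return {"proto": by_proto, "port": by_port, "src": by_src}

# Constructed sample capture (not real sensor data): Ethernet + IPv4 frames wrapped in pcap.
def ipv4_frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload   # zeroed MACs, EtherType IPv4
def tcp_syn(sport, dport):   # 20-byte TCP header with only the SYN flag set
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
def pcap_bytes(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f          # record header + frame
    return out
SAMPLE = pcap_bytes([
    ipv4_frame("198.51.100.7", "10.0.0.5", 6, tcp_syn(40000, 23)),    # Telnet probe
    ipv4_frame("198.51.100.7", "10.0.0.5", 6, tcp_syn(40001, 2323)),  # alternate Telnet port
    ipv4_frame("192.0.2.4", "10.0.0.5", 6, tcp_syn(51000, 80)),       # HTTP probe
    ipv4_frame("203.0.113.9", "10.0.0.5", 17, struct.pack("!HHHH", 5060, 5060, 8, 0)),  # UDP/SIP
    ipv4_frame("203.0.113.9", "10.0.0.5", 1, b"\x08\x00" + b"\x00" * 6),  # ICMP echo request
])
```

A real sensor file is processed with breakdown(open(path, "rb").read()); GeoIP and ASN enrichment of the source counter is the next step and is not shown here.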
Experiment 1:
- 30 days
- Fully passive sensors
- 26 sensors, one per AWS commercially available region
- 20 million network events
- 70 US dollars
- Traffic breakdown by port, source and destination
Experiment 2:
- 45 days
- Application layer responders on ports 23 and 80
- 260 sensors, 10 per AWS region
- 10 billion network events
- Expensive due to the high-level responders: ~$2,000/month
- Basic traffic breakdown plus botnet activity quantification
Experiment 3:
- Fully passive
- 5 months long
- 500 million network events
Conclusion and takeaways, including positioning the cloud telescope as a unique approach individuals, companies, and governments could use to acquire cyber threat intelligence on Internet-wide threats.
Fabricio Bortoluzzi
Experienced university educator. He has delivered over 10,000 hours of live lectures in computer science, cyber security and cloud computing courses, including computer architecture, operating systems, computer networks, distributed systems, computer network attacks and application vulnerability exploitation.
He is a full-time Cyber Security Associate Professor at Noroff, in Kristiansand, Norway, and a Guest Computer Science Lecturer at the University of Vale do Itajai, in Brazil.
Fabricio previously spoke about penetration testing techniques at FISL - International Forum on Free/Libre Software in Porto Alegre, Brazil, and at smaller cyber security meetings.
https://www.linkedin.com/in/fabriciobortoluzzi/
https://www.researchgate.net/profile/Fabricio-Bortoluzzi
https://www.noroff.no/en/contact/staff/53-academic/392-prof-fabricio-bortoluzzi-b-sc-m-sc