7MS #730: Baby's First Project Swarm
Show notes
Hey friends! Still your grieving pal over here, but also your swarming friend and Protecting My Network Edge host — because this week I've been tinkering with something called Project Swarm and I've got my diapers on regarding it, but I really, really like what I see so far. Then, fair warning, I flip on the tangent light and verbally barf up some personal stuff at the end. I'll make the hand-off super clear, so if you want your free security podcast to do exactly what you want and nothing else — totally fair, and you won't offend me by hopping off. Here's what we cover:
- What is Project Swarm? This comes to us from our friends over at GreyNoise. It centers around little sensors you deploy to the edges of your network that you can dress up to look like just about anything — attracting flies to the honey, if you catch my drift. You get more enumeration, insight, and logging into whatever shenanigans those flies are using to poke at your edge.
- Setup was refreshingly easy: You need a very low-powered VM or hardware device (my understanding is it even works on a Raspberry Pi) mapped to a public IP, plus a free GreyNoise account. You generate an API key, copy-paste a one-line install, and off it goes. I threw mine on a tiny Ubuntu VM.
- The part where I didn't read the flipping manual: Mid-install my SSH connection dropped and I'm going "what the heck?!" Turns out the installer intentionally moves your real SSH to some arbitrary high port — so you can run a fake SSH honeypot on 22 while your legit connection lives elsewhere. Once I spotted the new port in the console, a quick firewall tweak and I was back in.
- Profiles give me level 14 giggidies: Once your sensor checks in, you assign it a profile. Vulnerable WordPress, Tomcat, a Cisco AnyConnect VPN, FTP honeypot, SSH honeypot — kind of all the honeypots. I went with a vulnerable WordPress instance. My one complaint: you can only assign one profile per sensor. My dream scenario of an SSH honeypot AND an FTP AND a vulnerable Tomcat all on one box will have to wait (or maybe that'd look too suspicious and scare the baddies off — who knows).
- The results were wild: Within a couple days I had thousands of connections, several flagged as malicious and tied to known botnets. I could see source IPs, malicious labels, whether they were residential or company or Google, and even download raw packet captures. There's clearly more telemetry to dig into (what people tried to spray into the login portal, etc.) — I meant to go deeper before recording and didn't, so consider this a "to be continued."
- Why do I care, since I'm not defending some huge infrastructure? Honestly it started as a brain break. But I've been testing a ton of external networks lately and nearly every company site is WordPress — which now powers around 43% of the internet. Running my own WordPress honeypot gives real oomph to those "your out-of-date WordPress is a big deal" conversations, where I can say "I run a WordPress honeypot and here's the aggressive password spraying and plugin/theme enumeration I'm seeing right now."
- See it, don't just hear it: I show the actual portal, sensor config pages, and more over on 7MinSec.club this week. Why not both, right? It's like that meme. GreyNoise also has a Project Swarm user webinar coming up — check their events page. And to be crystal clear: they are not a sponsor, this is all free, and I just think it's clever.
- Life update (the tangent portion): About the time you hear this, I'll be on my way to my dad's funeral, where I'm sharing some words and singing a song. I've been practicing like a madman per advice from my music director friend and guitar teacher — including a little brain hack of focusing hard on my fingers to stay a half-step removed from the emotion. And if I cry my face off up there? Who cares. This isn't America's Got Talent; it's the gesture. I'll be honest, 2026 has been a rough one, but I promised two bright spots and here they are: my son Cam (about to finish paramedic school) has been keeping grandpa's spirit alive by wearing my dad's shirts, sunglasses, and Apple watch, and getting a Cessna tattoo with my dad's actual handwriting and birth year. And you all — the kind words, the offers to talk, the shared stories — reminded me there are a whole lot of good people out there. Thank you for that.
- One more thing on the horizon: My brain's been a squirrel on pixie sticks, but for whatever reason I've been happily grinding the CARTP as a little vacation for my mind. I might take a swing at the exam this week — start it in the evening, grind a few hours, sleep, finish in the morning (I'm too old for 24 hours straight). I might pass, I might fail spectacularly. Either way I'll keep you posted, and if I get the cert, that's probably next week's topic!