Objective & context
We used “honeypots” in the cloud: deploying deceptive software stacks to track adversaries. The honeypots are servers that mimic vulnerable services in order to attract attackers and self-propagating malware. Every interaction an attacker has with a honeypot is recorded; once this data is collected, we can use data visualization techniques to gain further insight and, in some cases, allow the organization to prevent attacks that have not yet happened.
Each member of our unit has to deploy and maintain their own honeypot, using variations of the open-source T-Pot project. Several well-maintained open-source honeypots are used to mimic SSH, Telnet, HTTP/S and FTP services. Together they imitate standard servers, client workstations, printers and even IoT devices.
An ELK stack is used to organize and visualize the collected data, showing relevant information such as the top attacking countries and IP addresses, the passwords most frequently tried in login attempts, a world map of the attacks, the number of attacks per protocol, and much more.
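The dashboard panels described above are essentially aggregations over the honeypot's event log. As an added illustration (not code from the T-Pot project or from the original article), the following Python script parses a handful of constructed JSON-lines events in the shape emitted by Cowrie, the SSH/Telnet honeypot bundled with T-Pot, and computes the top attacking IPs, the most-tried passwords, attacks per protocol and any successful logins; the field names are assumptions modelled on Cowrie's output, and malformed lines are skipped rather than aborting the run.

```python
import json
from collections import Counter

# Constructed sample events in Cowrie-style JSON-lines form (not a real capture);
# the field names are assumptions modelled on Cowrie's log format.
SAMPLE_EVENTS = """\
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "protocol": "ssh", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "protocol": "ssh", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "protocol": "telnet", "username": "admin", "password": "123456"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.23", "protocol": "telnet", "username": "admin", "password": "admin"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.99", "protocol": "ssh"}
this line is deliberately malformed and must be skipped
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "protocol": "ssh", "username": "pi", "password": "raspberry"}
"""

def parse_events(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not stop the whole report
    return events

def summarise(events):
    """Build the counters behind the dashboard panels: IPs, passwords, protocols, logins."""
    by_ip = Counter(e["src_ip"] for e in events if "src_ip" in e)
    login_events = [e for e in events if e.get("eventid", "").startswith("cowrie.login.")]
    passwords = Counter(e["password"] for e in login_events)
    by_protocol = Counter(e.get("protocol", "unknown") for e in events)
    successes = [e for e in login_events if e["eventid"] == "cowrie.login.success"]
    return {
        "top_ips": by_ip.most_common(3),
        "top_passwords": passwords.most_common(3),
        "attacks_per_protocol": dict(by_protocol),
        # successful logins deserve a closer look: what did the attacker do next?
        "successful_logins": [(e["src_ip"], e["username"], e["password"]) for e in successes],
    }

if __name__ == "__main__":
    for panel, value in summarise(parse_events(SAMPLE_EVENTS)).items():
        print(f"{panel}: {value}")
```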
Health monitoring is provided by the Docker stack, which makes the honeypot self-healing when it is scaled out.
AKKA addressed the challenge from different angles to ensure optimal results:
- Threat Hunting: New attacks can be blocked much faster. We can visualize and actively identify threats, and quantify how heavily the client is being targeted.
- Monitoring: Each attack is logged so that security teams can develop appropriate solutions and countermeasures for clients.