Honeypots

Project Objectives

In this individual project, you will both use an existing off-the-shelf honeypot and create your own.

Part 1 Requirements - Off the Shelf Honeypot

For the first part of the project, you are going to deploy an existing honeypot, expose it on the Internet in a controlled manner, and use it to collect information.

First, pick a freely available honeypot. Examples include.

  1. Dionaea - Malware Trap
  2. Cowrie - SSH Honeypot (also see http://www.micheloosterhof.com/cowrie/)
  3. Anything on the Awesome Honeypots list
  4. Anything available via TPot, a universal installer that includes dockerized containers of many Linux honeypots.
  5. Anything available via HoneyDrive, a Linux distribution with pre-installed honeypots.

Second, install your chosen honeypot on a local virtual machine, either directly, or via TPot, HoneyDrive, or some other wrapper. Learn how to configure and use your honeypot.

Third, decide on how you wish to deploy this honeypot. Questions to consider include:

  • Hosting: Do you want to run it on the VMware host in the lab or in the cloud via Amazon Web Services?
  • Networking:
    • What ports does your honeypot need to be exposed to the Internet on?
    • What specific communication pattern does the firewall need to permit? (assuming deny all other communication)
    • If we lock down the honeypot server completely, how will you obtain your results?
    • Do you want a public IP for your honeypot, or port forwarding from some other IP? What are the implications for the IP address of hosting a honeypot there?

Fourth, run your honeypot for at least a week! Write a short report that includes the following information:

  1. The name of the honeypot you used
  2. What features the honeypot provides
  3. How you configured your specific installation (honeypot features, network configuration, etc)
  4. The data that your honeypot has collected, including an explanation of what the results mean in plain English. (i.e. don't just copy and paste the output file, put your name up top, and call it a day).

Part 2 Requirements - Honeypot Implementation

For the second part of the project, you are going to implement a honeypot yourself.

Requirements

There are three high-level requirements of your new honeypot:

  1. For a dumb/lazy/excessively automated attacker, your honeypot needs to appear to be a viable target system.
  2. The attacker needs to be able to do something to or with your honeypot, such that the attacker has revealed malicious intent beyond background internet port scanning
  3. Your honeypot needs to have a “marketing use case” whereby running the honeypot and examining its results could yield some benefit to a defender.

Project Proposal Requirements

Write a short proposal (less than 1 page) describing the honeypot you intend to build. In it, answer the following questions:

  1. What are you modeling? A software daemon? (Database, SMB file share, NTP server, etc…) An Internet of Things (IOT) appliance?
  2. What level of interaction will your honeypot permit with the attacker? (Low-to-medium, presumably)
  3. What level of emulation fidelity will your honeypot support? Or, in other words, how hard will the attacker have to work to identify the honeypot as not a real device?
  4. In your development, how are you going to compare your system against the real thing?
  5. How would an attacker identify what they have connected to? (Is the attacker looking for something in particular? Or casting a wide net?)
  6. What is the attacker going to do to or with your honeypot?
  7. What will you learn from your honeypot about the attacker?

Project Deliverables

  1. Project proposal document (< 1 page)
  2. The code
  3. Documentation for installation + configuration + interpreting results
  4. Documentation providing a technical comparison between real system and honeypot
    1. Port scan
    2. Services provided
    3. Interactions possible with the services
  5. Documentation covering detailed use case scenarios
    1. What is the attacker going to do to or with your honeypot?
    2. What will you learn from your honeypot about the attack?

Grading

This is an individual project. The grading breakdown is:

  • Off-the-shelf honeypot installation and report - 40%
  • Your custom honeypot implementation and documentation - 60%

Schedule

Your goal should be to have the off-the-shelf honeypot installed and collecting data in week "1", develop your own honeypot in weeks "2-3", and write up both sets of results at the end.

Submission

Submit all files to the Canvas CMS site.

Make sure that your submission includes all of the following project deliverables:

  1. Your report on the off-the-shelf honeypot usage and results
  2. Your report on your own custom honeypot usage and results
  3. Your source code and usage documentation for your custom honeypot