Engage Goals: EGO0003 Elicit
Engage Approach: EAP0001 Collect
Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls
Name of Element: Google Cloud Functions Honeypot
Description of Element:
Deploy a decoy Google Cloud Function that appears to perform a sensitive operation (e.g., accessing a database, processing payment information) but, in reality, only logs invocation attempts and attacker-supplied data.
Technical Context:
Placement: Within a Google Cloud project, alongside other legitimate Cloud Functions.
Utilize the gcloud functions deploy command with a runtime such as Node.js or Python. Configure the function’s entry point to log invocation details (timestamp, request headers, payload) to Cloud Logging. Optionally, return a deceptive response to the attacker to prolong engagement. Implement appropriate security measures (e.g., IAM permissions, VPC Service Controls) to prevent the honeypot from being abused.
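An added example, not part of the original entry: one way to write the decoy's Python entry point so that it logs timestamp, request headers and payload, then returns a deceptive response. The function name process_payment, the log field names, the decoy reply and the choice to fingerprint credential-bearing headers rather than store them are all assumptions made for illustration; the request object is the Flask request that the Python runtime passes to an HTTP function.

```python
import hashlib
import json
from datetime import datetime, timezone

MAX_PAYLOAD = 4096  # cap the logged body so one request cannot bloat a log entry
# Headers that can carry credentials: log a fingerprint instead of the secret itself.
SENSITIVE = {"authorization", "cookie", "x-api-key"}
# Constructed decoy reply; the fields are invented and map to no real system.
DECOY_RESPONSE = {"status": "accepted", "reference": "decoy-0000"}


def fingerprint(value):
    """Short SHA-256 tag that lets responders correlate a credential without storing it."""
    return "sha256:" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def build_record(request, now=None):
    """Collect timestamp, request headers and payload into one structured log entry."""
    now = now or datetime.now(timezone.utc)
    body = request.get_data() or b""
    headers = {
        name: fingerprint(value) if name.lower() in SENSITIVE else value
        for name, value in request.headers.items()
    }
    return {
        "severity": "WARNING",  # recognised by Cloud Logging as the entry severity
        "message": "honeypot function invoked",
        "honeypot": True,
        "observed_at": now.isoformat(),
        "method": request.method,
        "path": request.path,
        "remote_addr": request.remote_addr,
        "headers": headers,
        "payload": body[:MAX_PAYLOAD].decode("utf-8", errors="replace"),
        "payload_bytes": len(body),
        "payload_truncated": len(body) > MAX_PAYLOAD,
    }


def process_payment(request):
    """HTTP entry point: record the attempt, then return the decoy reply."""
    # A single JSON line on stdout becomes one structured entry in Cloud Logging.
    print(json.dumps(build_record(request)), flush=True)
    return json.dumps(DECOY_RESPONSE), 200, {"Content-Type": "application/json"}
```

Because no legitimate caller should invoke the decoy, any log entry carrying the honeypot field is worth an alert.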
Other:
ATT&CK/Engage Mapping: T1059 Command and Scripting Interpreter, E1501 Honeytrap