Engage Goals: EGO0003 Elicit
Engage Approach: EAP0001 Collect
Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls
Name of Element: Fake SSH Server with Interactive Honeytrap
Description of Element:
Deploy a fake SSH server that mimics a legitimate one but presents an interactive shell environment with fabricated system information and files. This can be used to engage attackers, gather information about their skills and intentions, and waste their time.
Technical Context:
Placement: Deployed on a host exposed to the internet or within a DMZ.
Utilize Kippo with customized shell profiles and scripts to mimic a specific Linux distribution and create a believable environment. Implement fail2ban to block repeated brute-force attempts and integrate with a security information and event management (SIEM) system to centralize log analysis and alert on suspicious activities.
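The following Python script is an added example (not part of this Engage entry and not Kippo, fail2ban or any SIEM vendor code) showing the log-side of that integration: it parses Kippo-style honeypot log lines, builds a per-source summary, and emits newline-delimited JSON alerts of the kind a SIEM collector would ingest. It assumes the classic Kippo text log layout (`login attempt [user/password] failed|succeeded` and `CMD: ...` lines); the sample lines and the `fail_threshold` value (chosen to mirror a fail2ban `maxretry` setting) are constructed for illustration.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict
from typing import Iterable

# Constructed sample log in Kippo's classic text format (assumption: this is
# the layout your deployment writes; adjust the regexes if it differs).
SAMPLE_LOG = """\
2024-05-01 10:15:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/123456] failed
2024-05-01 10:15:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/password] failed
2024-05-01 10:15:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/toor] failed
2024-05-01 10:15:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [admin/admin] failed
2024-05-01 10:15:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/letmein] succeeded
2024-05-01 10:15:09+0000 [HoneyPotProtocol,1,198.51.100.23] CMD: uname -a
2024-05-01 10:15:12+0000 [HoneyPotProtocol,1,198.51.100.23] CMD: cat /etc/passwd
2024-05-01 10:20:40+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [pi/raspberry] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<sid>\d+),(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[HoneyPotProtocol,(?P<sid>\d+),(?P<ip>[\d.]+)\] "
    r"CMD: (?P<cmd>.*)$"
)


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Turn raw Kippo-style lines into structured events; unrecognised lines are skipped."""
    events: list[dict] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = LOGIN_RE.match(line)
        if m:
            events.append({"type": "login", **m.groupdict()})
            continue
        m = CMD_RE.match(line)
        if m:
            events.append({"type": "cmd", **m.groupdict()})
    return events


def summarize(events: list[dict]) -> dict[str, dict]:
    """Per-source view: failed/successful logins and commands typed in the fake shell."""
    summary: dict[str, dict] = defaultdict(
        lambda: {"failed": 0, "succeeded": 0, "commands": []}
    )
    for ev in events:
        entry = summary[ev["ip"]]
        if ev["type"] == "login":
            entry[ev["result"]] += 1
        else:
            entry["commands"].append(ev["cmd"])
    return dict(summary)


def build_alerts(events: list[dict], fail_threshold: int = 3) -> list[dict]:
    """Emit SIEM-style alerts in log order:
    - one brute-force alert per source the moment it reaches fail_threshold
      failed logins (same idea as a fail2ban maxretry ban),
    - one alert per successful login to the honeypot (always high: nobody
      legitimate should ever get in),
    - one alert per command run inside the fake shell (engagement telemetry)."""
    failed: dict[str, int] = defaultdict(int)
    alerts: list[dict] = []
    for ev in events:
        base = {"ts": ev["ts"], "src_ip": ev["ip"], "session": ev["sid"]}
        if ev["type"] == "login":
            if ev["result"] == "failed":
                failed[ev["ip"]] += 1
                if failed[ev["ip"]] == fail_threshold:
                    alerts.append({**base, "rule": "honeypot_brute_force",
                                   "severity": "medium",
                                   "failed_attempts": failed[ev["ip"]]})
            else:
                alerts.append({**base, "rule": "honeypot_login_success",
                               "severity": "high",
                               "username": ev["user"], "password": ev["pw"]})
        else:
            alerts.append({**base, "rule": "honeypot_command",
                           "severity": "high", "command": ev["cmd"]})
    return alerts


def to_ndjson(alerts: list[dict]) -> str:
    """Newline-delimited JSON, the shape most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_ndjson(build_alerts(parse_events(SAMPLE_LOG.splitlines()))))
```

Run against the constructed sample, the script raises one brute-force alert for the source that reaches three failed attempts, one high-severity alert for the successful login, and one per command, while the second source (a single failure) stays below the threshold and produces nothing. Pointing `parse_events` at the live Kippo log file and shipping the NDJSON to the SIEM gives the centralised alerting the entry describes; a real deployment would also tag each record with the honeypot host name so analysts can tell it apart from production SSH logs.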
Other:
ATT&CK/Engage Mapping: T1021 Remote Services, E1501 Honeytrap