
Research Article
Lightweight On-Demand Honeypot Deployment for Cyber Deception
@InProceedings{10.1007/978-3-031-06365-7_18,
  author    = {Jaime C. Acosta and Anjon Basak and Christopher Kiekintveld and Charles Kamhoua},
  title     = {Lightweight On-Demand Honeypot Deployment for Cyber Deception},
  booktitle = {Digital Forensics and Cyber Crime. 12th EAI International Conference, ICDF2C 2021, Virtual Event, Singapore, December 6-9, 2021, Proceedings},
  proceedings_a = {ICDF2C},
  publisher = {Springer},
  year      = {2022},
  month     = {6},
  keywords  = {Cybersecurity, Network security, Dynamic honeypots, Experimentation, Testbed},
  doi       = {10.1007/978-3-031-06365-7_18}
}
- Jaime C. Acosta
- Anjon Basak
- Christopher Kiekintveld
- Charles Kamhoua
Year: 2022
ICDF2C
Springer
DOI: 10.1007/978-3-031-06365-7_18
Abstract
Honeypots that are capable of deceiving attackers are an effective tool: they not only help protect networks and devices, but also collect information that can reveal an attacker's strategy and intent. Several trade-offs must be considered when employing honeypots. The systems and services in a honeypot must be relevant and attractive to an adversary, and the computing and manpower costs must fit within the function and budget constraints of the system.
It is infeasible to deploy a single, static configuration that accommodates every type of system or targets every possible adversary. The work we describe in this paper demonstrates a novel approach, introducing new capabilities to the Cyber Deception Experimentation System (CDES) to realize selective and on-demand honeypot instantiation. This allows honeypot resources to be introduced dynamically in response to detected adversarial actions. These honeypots consist of kernel namespaces and virtual machines that are invoked from an "at-rest" state. We provide a case study and analyze the performance of CDES when placed inline on a network. We also use CDES to start honeynets and subsequently redirect traffic to different honeynets dynamically. We show that these mechanisms can be used to swap honeynets with no noticeable delay. Additionally, we show that Nmap host-specific scans can be thwarted during a real scan, so that probes are sent to a honey node instead of to the legitimate node.
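The abstract describes the trigger-and-redirect loop in general terms: an adversarial action (here, a host-specific port scan) is detected, an "at-rest" honey node backed by a kernel namespace is brought up, and the attacker's probes are sent to that node instead of the legitimate host. The following is an added example written for this page, not code from CDES or from the authors. It implements a sliding-window scan detector over a constructed connection log and, when a source trips the threshold, emits the commands an inline box would run to bring up a honey namespace and DNAT that source's traffic into it. The log format, the `ScanDetector` thresholds, the namespace/veth names, the honey address `10.0.0.99` and the use of nftables DNAT as the redirect mechanism are all assumptions of the example; the abstract does not say how CDES performs the redirection.

```python
"""Added example (not CDES code): on-demand honey-node trigger.

Watches a connection log for host-specific port scans and, when one is
detected, plans the bring-up of a honey network namespace plus a DNAT
rule so the scanner's remaining probes land on the honey node rather
than the legitimate target. All names/addresses below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ScanDetector:
    """Flag a (src, dst) pair that touches more than `max_ports` distinct
    destination ports within a sliding window of `window` seconds."""
    max_ports: int = 10
    window: float = 5.0
    # (src, dst) -> deque of (timestamp, dport), oldest first
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def observe(self, ts: float, src: str, dst: str, dport: int) -> bool:
        q = self._seen[(src, dst)]
        q.append((ts, dport))
        # Evict events that fell out of the window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        return len(distinct_ports) > self.max_ports


def honeypot_commands(attacker: str, target: str, honey_ip: str = "10.0.0.99",
                      ns: str = "honey0", veth_host: str = "veth-h0",
                      veth_ns: str = "veth-n0") -> list:
    """Commands (assumed mechanism) to bring up a honey namespace and
    redirect `attacker`'s traffic for `target` into it. Run as root on
    the inline box; not executed here, only planned."""
    return [
        f"ip netns add {ns}",
        f"ip link add {veth_host} type veth peer name {veth_ns}",
        f"ip link set {veth_ns} netns {ns}",
        f"ip -n {ns} addr add {honey_ip}/24 dev {veth_ns}",
        f"ip -n {ns} link set {veth_ns} up",
        f"ip link set {veth_host} up",
        "nft add table ip nat",
        "nft add chain ip nat prerouting "
        "'{ type nat hook prerouting priority -100; }'",
        # Only the scanner is redirected; legitimate clients keep reaching target.
        f"nft add rule ip nat prerouting ip saddr {attacker} "
        f"ip daddr {target} dnat to {honey_ip}",
    ]


def process_log(lines, detector: ScanDetector = None, honey_ip: str = "10.0.0.99") -> dict:
    """Return {(attacker, target): commands} for every pair that tripped
    the detector. Each pair is redirected at most once."""
    detector = detector or ScanDetector()
    actions = {}
    for line in lines:
        ts, src, dst, dport = line.split()  # constructed format: "ts src dst dport"
        key = (src, dst)
        if key in actions:
            continue  # already redirected to the honey node
        if detector.observe(float(ts), src, dst, int(dport)):
            actions[key] = honeypot_commands(src, dst, honey_ip=honey_ip)
    return actions


# Constructed sample log: a benign client hitting one port, a fast
# scanner sweeping 15 ports in under a second (Nmap-style), and a slow
# scanner spacing probes 6 s apart, which the 5 s window will NOT catch.
SAMPLE_LOG = sorted(
    [f"{1.0 + i * 0.1:.2f} 10.0.0.5 10.0.0.20 443" for i in range(20)]
    + [f"{2.0 + i * 0.05:.2f} 10.0.0.9 10.0.0.20 {p}" for i, p in enumerate(range(20, 35))]
    + [f"{i * 6.0:.2f} 10.0.0.7 10.0.0.20 {p}" for i, p in enumerate(range(20, 35))],
    key=lambda l: float(l.split()[0]),
)


if __name__ == "__main__":
    for (attacker, target), cmds in process_log(SAMPLE_LOG).items():
        print(f"scan from {attacker} against {target}; redirecting:")
        for c in cmds:
            print("  " + c)
```

The slow scanner in the sample log is the caveat a practitioner should keep in mind: a window-based detector only triggers on probes that arrive faster than the window, so a patient adversary (Nmap `-T0`/`-T1` timing) reaches the real host until the threshold or window is tuned for it. The namespace and nftables commands are printed rather than executed so the example runs unprivileged.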