Review and Analysis of Cowrie Artefacts and Their Potential to be Used Deceptively

Honeypots are progressively becoming a fundamental cybersecurity tool for detecting, preventing and recording new threats and the attack methodologies attackers use to penetrate systems. The underlying technology is advancing rapidly; with virtualisation and, most recently, containers, deploying a honeypot has become increasingly easy. A varied collection of open source honeypots such as Cowrie is available today and can be downloaded and deployed within minutes with default settings. Cowrie is a medium-interaction secure shell (SSH) and Telnet honeypot intended to log brute-force and shell-interaction attacks. However, the default Cowrie configuration is easily detected by adversaries using automated scripts and tools. To increase Cowrie's deceptive capabilities, it is essential to understand, modify and leverage all capabilities of the honeypot. This process is complex, however, because there is no standard framework for interpreting the artefacts used by the Cowrie honeypot and how these artefacts relate to the kind of deception presented to the attacker. There is therefore a need for an infrastructure that can interpret these basic deception techniques and tools and later develop them into feasible cybersecurity defence mechanisms. This study seeks to develop an understanding of Cowrie's capabilities and how they can be used to bait attackers. The resulting annotations can help cybersecurity defenders better understand the effectiveness of the Cowrie artefacts and how they can be used deceptively.
