Setting Up a Honeypot in AWS and Analyzing Cyber Attacks (Check pinned comment for 2022 update)

Cyber Golden Retriever
20 Feb 2022 23:55

Summary

TLDR: This video provides a step-by-step guide on building a honeypot in AWS. It begins by explaining what a honeypot is and its benefits for analyzing attack patterns, usernames, and IP sources. The tutorial covers prerequisites such as an SSH client and AWS account, launching and configuring an EC2 instance, installing the honeypot software from GitHub, setting custom security rules, and accessing the web portal to monitor attacks via Kibana. Finally, it demonstrates how to safely terminate the instance to stop billing. The guide balances practical AWS skills with cybersecurity insights, making it accessible for beginners and useful for learning real-world attack analysis.

Takeaways

  • 😀 A honeypot is a decoy system designed to be intentionally vulnerable to attract and analyze attackers.
  • 😀 Setting up a honeypot allows you to monitor attack patterns, attempted usernames/passwords, and the source IPs of attackers.
  • 😀 Prerequisites for this tutorial include having an SSH client and an AWS account with billing enabled.
  • 😀 Using AWS EC2 ensures the honeypot is isolated from your home or enterprise network, preventing lateral movement by attackers.
  • 😀 The EC2 instance setup involves selecting a region, instance type, storage size, tags, and creating a key pair for SSH access.
  • 😀 SSH access requires adjusting permissions on the key file and optionally specifying a non-traditional port (64295) for security.
  • 😀 The honeypot software is installed by cloning the 'teapot-ce' repository from GitHub and running its installation script with appropriate configuration.
  • 😀 Security groups must be updated to allow your IP to access SSH (64295) and the web portal (64297), while exposing other ports (1–64000) to attackers.
  • 😀 The honeypot web portal provides a dashboard to monitor live attacks, including attack types, sources, and frequency.
  • 😀 Once finished, terminate the EC2 instance to stop incurring AWS charges and de-provision resources safely.
  • 😀 Using a larger instance type (t2.xlarge) and sufficient storage ensures smooth operation and proper logging of attack data.
  • 😀 Different AWS regions capture different attack traffic, so choosing the right region affects the data collected by the honeypot.
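The security-group layout from the takeaways (operator-only access to 64295 and 64297, ports 1–64000 open as bait) is easy to get wrong by opening "everything" and exposing the real SSH login and dashboard. The following is an added example, not code from the video: it builds that rule set in the shape of EC2 IpPermissions entries and checks that no management port is reachable from the whole internet. The operator address 203.0.113.7/32 is a constructed placeholder.

```python
from __future__ import annotations
from ipaddress import ip_network

# Port layout taken from the page: management ports sit above the bait range.
ADMIN_PORTS = {64295: "ssh-admin", 64297: "web-portal"}
BAIT_RANGE = (1, 64000)
ANYWHERE = "0.0.0.0/0"


def honeypot_rules(admin_cidr: str, bait: tuple[int, int] = BAIT_RANGE) -> list[dict]:
    """Ingress rules in the shape of EC2 IpPermissions entries.

    admin_cidr is the operator's source address (normally a /32); the page's
    1-64000 range is opened to the whole internet on purpose.
    """
    ip_network(admin_cidr, strict=False)  # ValueError on a malformed CIDR
    rules = [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": admin_cidr, "Description": desc}]}
        for port, desc in ADMIN_PORTS.items()
    ]
    lo, hi = bait
    rules.append({"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
                  "IpRanges": [{"CidrIp": ANYWHERE, "Description": "bait"}]})
    return rules


def exposed_admin_ports(rules: list[dict]) -> list[int]:
    """Management ports that some rule opens to the entire internet (a /0 source).

    Such a rule would hand attackers the real SSH login and the attack
    dashboard rather than only the decoy services.
    """
    exposed = set()
    for rule in rules:
        world = any(ip_network(r["CidrIp"]).prefixlen == 0
                    for r in rule.get("IpRanges", []))
        if not world:
            continue
        for port in ADMIN_PORTS:
            if rule["FromPort"] <= port <= rule["ToPort"]:
                exposed.add(port)
    return sorted(exposed)


if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for the operator's IP.
    good = honeypot_rules("203.0.113.7/32")
    weak = honeypot_rules("203.0.113.7/32", bait=(1, 65535))  # sloppy "open everything"
    print("page layout exposes:", exposed_admin_ports(good))   # []
    print("sloppy layout exposes:", exposed_admin_ports(weak))  # [64295, 64297]
```

Run the check against the rules you are about to apply (or against `describe-security-groups` output) before the instance goes live; the bait range stopping at 64000 is what keeps the two management ports private.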

Q & A

  • What is the purpose of setting up a honeypot in the cloud?

    -The purpose of setting up a honeypot is to intentionally create a vulnerable system that attracts cyber attackers. This allows users to study attack patterns, capture malicious activities, and understand threat vectors without putting their primary network at risk.

  • How do you access the EC2 instance via SSH?

    -To access the EC2 instance via SSH, you need to use an SSH client like the terminal (on Linux/macOS) or PuTTY (on Windows). You will connect by using the EC2 instance's public IP and the SSH key pair you configured during the instance setup.

  • Why is it important to update the system before installing the honeypot?

    -Updating the system ensures that all security patches and software dependencies are current. This reduces the risk of vulnerabilities and ensures that the honeypot runs smoothly on a secure, up-to-date system.

  • What is the significance of the 'teapot' honeypot mentioned in the script?

    -'Teapot' is the name of the honeypot repository used in this video tutorial. It is designed to simulate a vulnerable system that will attract cyberattacks. The installation process involves cloning this repository and running its setup to deploy the honeypot.

  • What steps are involved in installing the honeypot on the EC2 instance?

    -After SSHing into the EC2 instance, you need to update the system and install necessary packages like Git. Then, you clone the honeypot repository using the command `git clone https://github.com/telecom-security/teapot-ce.git`, and finally, run the installation script to set up the honeypot.

  • How do you monitor the attacks on the honeypot?

    -Once the honeypot is set up, you can monitor incoming attacks through the web portal. By accessing the dashboard at the specified port (64297), you can view the attack data, including sources, types, and frequencies of the attacks.

  • Why should you leave the honeypot running for a period of time?

    -Leaving the honeypot running for a longer period increases the chances of capturing more attacks. The longer the honeypot is active, the more diverse the data you'll gather on different attack methods and origins, helping you to analyze real-world threat activity.

  • What is Kibana and how is it used in this setup?

    -Kibana is an open-source data visualization tool that integrates with Elasticsearch to analyze data. In this setup, Kibana is used to visualize and analyze attack data collected by the honeypot, providing detailed insights into attack trends and patterns.

  • What happens when you terminate the EC2 instance running the honeypot?

    -Terminating the EC2 instance stops the honeypot from running and de-provisions the resources associated with it. This halts further charges and stops the honeypot from attracting more attacks.

  • How do you ensure you're not charged for the EC2 instance after you're done with the honeypot?

    -To avoid ongoing charges, navigate to the EC2 instance in the AWS console, select the region where the instance is running, and terminate the instance. This stops the instance and removes it from your active resources list, preventing further billing.
