ADAPT: Adaptive Camouflage Based Deception Orchestration For Trapping Advanced Persistent Threats

P. Charan, Subhasis Mukhopadhyay, Subhajit Manna, Nanda Rani, Ansh Vaid, Hrushikesh Chunduri, P. Anand, Sandeep K. Shukla
Journal: Digital Threats: Research and Practice
Volume: 36 8
Publication date: 2024-03-07 (journal article)
DOI: https://doi.org/10.1145/3651991
Citation count: 0

Abstract

Honeypots serve as a valuable deception technology, enabling security teams to gain insights into the behaviour patterns of attackers and investigate cyber security breaches. However, traditional honeypots prove ineffective against advanced adversaries like APT groups due to their evasion tactics and awareness of typical honeypot solutions. This paper emphasises the need to capture these attackers for enhanced threat intelligence, detection, and protection. To address this, we propose the design and deployment of a customized honeypot network based on adaptive camouflaging techniques. Our work focuses on orchestrating a behavioral honeypot network tailored for three APT groups, with strategically positioned attack paths aligning with their Tactics, Techniques, and Procedures, covering all cyber kill chain phases. We introduce a novel approach, deploying a camouflaged chatterbox application within the honeypot network. This application offers a regular chat interface while periodically tracking attacker activity by enabling periodic log transfers. Deployed for 100 days, our orchestrated honeypot recorded 13,906,945 hits from 4,238 unique IP addresses. Our approach categorizes attackers, discerning varying levels of sophistication, and identifies attacks from Hong Kong with similarities to known Chinese threat groups. This research significantly advances honeypot technology and enhances the understanding of sophisticated threat actors’ strategies in real operating networks.