Deploying & monitoring honeypots on GCP with Kibana

Stephen Chapendama
5 min read · Oct 24, 2019

One of my favourite areas of cybersecurity is SIEM (Security Incident Event Management). In 2017 I wrote a Medium post on how I got a role in cyber security; one of my recommendations was using the Elastic Stack as a SIEM as a start-off point for those looking to understand log analysis and how to investigate incidents. But one of the main gripes people had was where they could get data to work on in their home environments. This post will focus on setting up a honeypot that already utilises the ELK Stack…

What is a honeypot?

A honeypot is a system whose sole purpose is to attract potential intruders and record their activity so that security breaches can be analysed and investigated further. In practice, a lot of devices can be classified as honeypots. By making a system enticing (e.g. open SSH ports, unsecured S3 buckets), it is possible to ship the logs it generates into a SIEM platform like Graylog or Elastic and perform some threat intel. More often, honeypots 🤝 bot networks.

Why even have a honeypot?

For companies, a honeypot can be a useful data resource and also an excellent threat hunting exercise for understanding the threat landscape and which IPs to block on their internal networks based on honeypot activity. It is also possible to build personalised honeypots mimicking a company's environment to further entice attackers, for example by hosting a fake Active Directory. Understanding who wants to attack you will also help you…
