Skip to content
Cedric HEBERT edited this page Jul 5, 2024 · 1 revision

One of the most potent features of cloud-active-defense is its ability to re-route an attacker to a honeypot after successful detection.

Where traditional honeypots are waiting to be discovered, here the honeypot is directly coming to the attacker. This means that this honeypot needs to imitate the protected application, and brings the following benefits:

  • Since the redirection is done after detection, the attacker can never be sure whether what is on screen is the real application or the fake one.
  • Since all redirected requests are malicious, you can log them extensively and gather useful information about whe attackers' knowledge and methods.
  • If your honeypot is a copy of your application, and that an attacker finds a vulnerability of the copy, you should be able to see it in the logs and patch the real application faster.

Testing diversion

Let's start by checking how diversion works.

Use the following configuration in cad-default.json:

{
  "filters": [
    {
      "decoy": {
        "key": "x-cloud-active-defense",
        "separator": "=",
        "value": "ACTIVE"
      },
      "inject": {
        "store": {
          "inResponse": ".*",
          "as": "header"
        }
      }
    },
    {
    "decoy": {
      "key": "/forbidden"
    },
    "detect": {
      "seek": {
        "inRequest": ".*",
        "withVerb": "GET",
        "in": "url"
      },
        "alert": {
          "severity": "LOW",
          "whenSeen": true
        },
          "respond": [{
          "source": "ip",
          "behavior": "divert",
          "delay": "now",
          "duration": "1m"
        }]
      }
    }
  ]
}

Divert to Exhaust

  1. visit http://localhost:8000, you should see the "Welcome" message
  2. visit http://localhost:8000/forbidden. As per the config, you should be detected, your IP should be redirected for 1 minute.
  3. go back to http://localhost:8080, you should see "Exhaust" instead of "Welcome". You have been redirected.
  4. try to login with [email protected]/bob on http://localhost:8080/login. Notice how the access is denied. Notice how your login request was logged in the console.

Divert to Clone

  1. wait until the diversion to Exhaust expires (timer was set to 1 minute in the configuration)
  2. visit http://localhost:8000, you should see the "Welcome" message
  3. login with [email protected]/bob on http://localhost:8080/login. You should see the dashboard page.
  4. visit http://localhost:8000/forbidden. As per the config, you should be detected, your IP should be redirected for 1 minute.
  5. go back to http://localhost:8080, you should still see the dashboard, but on the bottom right you should see the string "Clone". You have been redirected.
  6. delete your SESSION cookie and refresh. The homepage should display "Clone".

If you refresh after 1 minute, the homepage should be back to displaying "Welcome".

Of course, when using diversion, there should be no difference to the attacker with the protected application. In the demo mode, the clone and exhaust announce themselves as such for test purposes only. In this mode, it can make sense to set the 'delay' response option to 'now'. Since the new target is supposed to be impossible or hard to distinguish from the real application, the attacker should not be able to determine that the session was now re-routed.

Creating an Exhaust honeypot

TBD.

Creating a Clone honeypot

TBD.

Clone this wiki locally