Attracting sophisticated attacks to secure systems: A new honeypot architecture

The number of attacks on IT systems has increased extremely during the last few years. Among the multitude of attack vectors, particularly sophisticated attacks have increased dramatically, which now also increasingly affect small-and medium-sized companies. In comparison to other attacks, these attacks comprise some special features, e.g., the involvement of professional attackers as well as a high knowledge of the offender about the target itself (employees, installed systems, etc.). In order to use a honeypot for the analysis of these sophisticated attacks, it is necessary that a realistic system and user behavior is simulated in an automated way, so that even professional hackers can be deceived. As attacks often begin with a specially created spear phishing e-mail, honeypots must be able to process e-mails. Furthermore, the behavior of the honeypot (in particular, the simulated user respectively employee) is very important when trying to analyze the attack in depth. Following these ideas, we propose a new architecture for a honeypot capable of deluding even professional attackers with high knowledge about the target environment and therefore allowing a comprehensive analysis of the attacker.