Honeypots and the Attackers Bias

Cited by: 0
Authors
Hassan, Sharif [1]
Guha, Ratan [1]
Affiliation
[1] Univ Cent Florida, Orlando, FL 32816 USA
Source
PROCEEDINGS OF THE 13TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY (ICCWS 2018) | 2018
Keywords
honeypots; deception; adversarial analysis; hackers; cyber defence; CND; APT
DOI
Not available
Chinese Library Classification
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
Due to an increased emphasis on discovering cyber attackers and their tactics, techniques, and procedures, honeypot use has been on the rise over the last few decades. As new technologies evolve, such as system virtualization and most recently virtual containers, deploying honeypots has become easier than ever. An assorted collection of open source honeypots exists today which can easily be downloaded, configured and deployed in a matter of minutes. This ease, however, includes the risk of honeypots being too simplistic, "rubber stamped" or perhaps known and detectable by the adversary. For this reason we explored a sample scope of available open source honeypots against varying attacker skill levels to determine their effectiveness. This sample included low to high interactive honeypots, each with its own level of complexity in its deployment and ability to interact with an attacker. Low interactive honeypots are typically simplistic and in most cases a quick way to detect probing or attempts by an adversary. High interactive honeypots are more engaging and represent, or in many cases are, real systems with a significant amount of network and operating system monitoring and log retrieval. We first explored different attacker bias profiles and how they ranked based on their overall threat classification in a proposed abstract model. Using this abstract model, we then surveyed the sample honeypots to understand their abilities, functionality and how they compare against attackers from an interaction and successfulness perspective. Finally, we empirically explored ways some of the sample honeypots are detectable through adversarial analysis and testing. The resulting observations are intended to help cyber defenders better understand the effectiveness of open source honeypots and their intended application based on diverse attacker threats.
Pages: 533-542
Page count: 10