Virtualized Honeypots For Threat Hunting and Malware Analysis On A University: A Case Study
Threats against information systems evolve and shift over time. In this paper, we present an analysis of active tactics, techniques, and procedures employed by threat actors against a portable virtualized honeypot. This study is an exercise in combining multiple previously available tools into a new system. The new system allowed the researchers to gain insight into modern attacker behavior, specifically against a university network. The honeypot was deployed on an externally facing university network. We were able to capture and positively identify old and unreported ransomware and viruses. We describe our approach to the configuration and deployment of the honeypot network and a Security Incident and Event Management (SIEM) framework for real-time analysis and visualization of attacker behavior. Through analysis and reporting, we determined that threat actors relied on modified variations of publicly available cybersecurity tools and on known malware and ransomware. This paper details examples of the configuration of the SIEM, examples of malware captured, and a description of what the group did with the captured malware to help protect other information systems around the world. The novelty of this approach is to actively capture, neutralize, and report what attackers are doing live. We discuss mitigations for these attacks, provide a solution to slow some of the real-time attacks, and suggest further research building on this study. Fewer organizations choose to run honeypots because they are unsure what to do with them. This study explains one of the major benefits of deciding to host a system that invites attackers in.