Network Security Operations Intelligence Reporting

Please note! This essay has been submitted by a student.

Table of Contents

  • Executive Summary
  • Introduction
  • Background
  • Attacker Exploits
  • Recommendation
  • Conclusion

Executive Summary

A honeypot is an intentionally vulnerable or fake system set up as a trap for attackers, and it is one of the more effective defensive measures in an IT environment. Traditionally honeypots are placed on the external-facing side of the network, but use cases for internal honeypots exist as well. They serve mainly to detect attacks that an Intrusion Detection System or firewall would not report and to gather data on adversaries' activities. By analysing the data collected from the honeypot, an organisation can plan mitigation strategies against cyber-attacks on its infrastructure.

This report investigates malicious activity captured by a Cowrie SSH (Secure Shell) honeypot. Statistical analysis was performed with Splunk and Tableau, which were used to search, analyse and visualise the data the honeypot generated. Each attacker session is recorded in a tty log file, and Cowrie's playlog.py script was used to replay these logs and watch what the attacker did in each session. The analysis shows 2440 IP addresses from 108 countries attempting SSH logins against the honeypot, with 83395 login attempts (successful and failed) captured in the logs.

Several public sites have already banned some of these IP addresses, and blacklisting them is recommended to protect against future attacks. Linux ships with a default root account, the main administrative account, and the attackers tried to brute-force the root password to gain access to the honeypot. Creating a separate user account for everyday use, switching to root only when required, and disabling root login over SSH will prevent an attacker from brute-forcing the root account and gaining full control of the system. The attackers also used port scanning to discover which services were running. A port scan reveals information such as which services are listening, which users own those services, whether anonymous logins are supported and whether particular network services require authentication. The best countermeasure is to configure the firewall and tools such as PortSentry to identify port scans and drop all packets from the source IP address for a period of time. Adversaries logged in successfully with the username root and the password 123456789; a dictionary attack makes such weak passwords trivial to guess. Using a non-trivial password or a passphrase defeats dictionary attacks.

Introduction

Deploying honeypots is one of the top security mechanisms for trapping attackers, a form of deception security. Cyber-attacks against computer networks cost corporations and governments billions of dollars each year. Even with the many methods available to secure a network, such as IDS/IPS systems, penetration testing, DMZs and a variety of other tools, it must be assumed that vulnerabilities will always exist and that attackers will exploit them. A honeypot is a computer security mechanism set up to detect, deflect or in some manner counteract attempts at unauthorised use of information systems. A honeypot is expected to be probed, attacked and potentially exploited. Honeypots do not fix anything; they provide additional, valuable information. Cowrie is a medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker. This intelligence report is based on investigating brute-force attacks against a Cowrie honeypot.

Background

Honeypots are classified by their deployment (purpose) and by their level of interaction. By deployment there are production honeypots and research honeypots. Production honeypots are easy to use and are placed inside the production network. Research honeypots are used to study attackers' criminal patterns and motives; they do not add direct value to a specific organisation, but are used to research the threats organisations face and to learn how to protect against them [3]. By level of interaction there are low-, medium- and high-interaction honeypots. Low-interaction honeypots emulate a few important services such as SSH, HTTP and FTP; they are easy for attackers to recognise and offer the least value overall. The key feature of medium-interaction honeypots is application-layer virtualisation: the honeypot is still a software instance running on an operating system, but it blends in well enough that it is hard for attackers to recognise. Medium-interaction honeypots such as Cowrie are placed alongside other servers in the production network. Their configuration is simpler than that of a high-interaction honeypot, but they require more maintenance than a low-interaction honeypot.

The main characteristic of a high-interaction honeypot is that it runs a real operating system on real hardware, but is operated, monitored and analysed as a honeypot. Cowrie appears legitimate: it presents files and directories similar to a Linux system, such as /etc and /bin, so the attacker can explore it with basic commands. Cowrie is an SSH honeypot created by Michel Oosterhof and can be downloaded from GitHub. It emulates a file system resembling a Debian 5.0 installation and lets the attacker create and modify files. These features are key to giving the attacker the impression of being on a real system. Analysing SSH brute-force attacks has been popular among independent researchers, who study features such as the rate of attempts and the similarity of guesses made by attackers from different regions. Cowrie's log files are in JSON format with a timestamp on each event.

Analysis

To study trends in the types of attacks used by adversaries, I performed statistical analysis with Splunk and replayed the tty logs with the playlog.py script shipped with Cowrie on GitHub, which shows what each intruder typed at the original pace.

The most common credentials for a successful login were the username root and the password 123456789. The route in was a dictionary attack against weak credentials, not a flaw in the SSH protocol itself.

Attacker Exploits

A common pattern of behaviour was observed once attackers had logged in successfully:

  • Find out the computer's configuration
  • Find out information about the user, the system and the network
  • Transfer files and try to execute scripts on the honeypot
  • Delete log files and hide the processes they started

Files transferred

Replaying the tty logs with playlog showed that attackers copied files onto the honeypot. Notable files were ssh1.txt, real.txt and y.txt. One particular IP address (195.22.126.16, geolocated to Poland) copied ssh1.txt multiple times and tried to run what appears to be a Perl script.
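The following Python script is an added example and is not code from the original report or from the Cowrie project. Over a constructed cowrie.json sample it performs the three analyses described above: the login statistics (unique source IPs, successful versus failed attempts, credentials that worked), a block-list of addresses that either logged in or exceeded a failure threshold, and the per-session classification of post-login behaviour into reconnaissance, file downloads and log tampering. Event and field names follow Cowrie's JSON log format; the sample events, addresses and download URL are constructed, and the regular expressions that classify commands are an assumption chosen for the example.

```python
"""Triage of Cowrie JSON logs: login statistics, block-list candidates and
per-session post-login behaviour.

Added example; not code from the original report or from the Cowrie project.
Event and field names (eventid, src_ip, username, password, session, input,
url) follow Cowrie's cowrie.json output. The sample lines below are
constructed for the example and are not the report's real log data."""
import json
import re
import sys
from collections import Counter

# Constructed sample: one JSON object per line, as Cowrie writes cowrie.json.
SAMPLE_LOG = r'''
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a1","timestamp":"2019-03-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"admin","session":"a1","timestamp":"2019-03-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"toor","session":"a1","timestamp":"2019-03-01T10:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.5","username":"root","password":"123456789","session":"a1","timestamp":"2019-03-01T10:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"a1","input":"uname -a; cat /proc/cpuinfo","timestamp":"2019-03-01T10:00:05Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.5","session":"a1","url":"http://198.51.100.7/ssh1.txt","outfile":"dl/abc","timestamp":"2019-03-01T10:00:09Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"a1","input":"rm -rf /var/log/wtmp; history -c","timestamp":"2019-03-01T10:00:12Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"admin","password":"admin","session":"b2","timestamp":"2019-03-01T10:01:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"pi","password":"raspberry","session":"b2","timestamp":"2019-03-01T10:01:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","username":"root","password":"root","session":"c3","timestamp":"2019-03-01T10:02:00Z"}
'''

# Assumed classifiers for the behaviours listed in the report.
RECON = re.compile(r"\b(uname|whoami|ifconfig|nproc|lscpu|cat\s+/proc/cpuinfo|cat\s+/etc/passwd)\b")
LOG_TAMPER = re.compile(r"rm\s+(-\w+\s+)*/var/log|history\s+-c|unset\s+HISTFILE|>\s*/var/log/")
LOGIN_EVENTS = ("cowrie.login.success", "cowrie.login.failed")


def parse_events(text):
    """Parse one JSON object per line; a corrupt line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def login_stats(events):
    """The counts the report gives: unique source IPs, successes, failures, creds."""
    ips, creds = set(), Counter()
    success = failed = 0
    for e in events:
        eid = e.get("eventid")
        if eid not in LOGIN_EVENTS:
            continue
        ips.add(e["src_ip"])
        if eid == "cowrie.login.success":
            success += 1
            creds[(e["username"], e["password"])] += 1
        else:
            failed += 1
    return {"unique_ips": len(ips), "success": success, "failed": failed,
            "attempts": success + failed, "successful_creds": creds.most_common(3)}


def block_candidates(events, max_failures=3):
    """IPs to block: any that logged in (nobody legitimately logs into a
    honeypot) plus any with max_failures or more failed attempts."""
    failures, succeeded = Counter(), set()
    for e in events:
        if e.get("eventid") == "cowrie.login.failed":
            failures[e["src_ip"]] += 1
        elif e.get("eventid") == "cowrie.login.success":
            succeeded.add(e["src_ip"])
    return sorted(succeeded | {ip for ip, n in failures.items() if n >= max_failures})


def session_activity(events):
    """For each session with a successful login, classify what followed:
    reconnaissance commands, file downloads and log tampering."""
    compromised = {e["session"] for e in events if e.get("eventid") == "cowrie.login.success"}
    acts = {sid: {"src_ip": None, "recon": [], "downloads": [], "log_tampering": []}
            for sid in compromised}
    for e in events:
        a = acts.get(e.get("session"))
        if a is None:
            continue
        a["src_ip"] = a["src_ip"] or e.get("src_ip")
        if e.get("eventid") == "cowrie.command.input":
            cmd = e.get("input", "")
            if RECON.search(cmd):
                a["recon"].append(cmd)
            if LOG_TAMPER.search(cmd):
                a["log_tampering"].append(cmd)
        elif e.get("eventid") == "cowrie.session.file_download":
            a["downloads"].append(e.get("url", ""))
    return acts


if __name__ == "__main__":
    # Usage: python cowrie_triage.py [path/to/cowrie.json]; with no path the
    # constructed sample is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    ev = parse_events(text)
    print(login_stats(ev))
    print("block:", block_candidates(ev))
    for sid, a in session_activity(ev).items():
        print(sid, a)
```

Pass the path of a real cowrie.json as the first argument to run it on honeypot data. The failure threshold corresponds to the "block after too many failed attempts" recommendation below; any address that actually logged in is listed regardless of its failure count, since no legitimate user ever logs into a honeypot.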

Recommendation

From the attacker TTPs observed in the tty logs, the following recommendations should be implemented to protect the SSH service.

  • Iptables rules to defend against SSH attacks: setting up a good firewall is key to securing any operating system, and most Linux distributions include iptables as the standard firewall. Rate-limiting new connections to the SSH port per source address stops most brute-force tools.
  • Deny root login over SSH: with the PermitRootLogin option in sshd_config set to no, the attacker cannot brute-force the root account, so a guessed password no longer gives full control of the machine.
  • Port scan detection: attackers find open ports by port scanning. Close unnecessary services, employ TCP Wrappers and use PortSentry from Psionic, an attack detection tool that also monitors for stealth scans.
  • Enable SSH public key authentication and disable password authentication: with passwords disabled there is nothing for a brute-force or dictionary attack to guess.
  • Block an IP address after too many failed SSH login attempts: this defeats brute-force attacks that cycle through usernames and passwords from one source.
  • Block the IP addresses observed in the honeypot logs: using an Intrusion Prevention System or the firewall, block every address that interacted with the honeypot so those attackers cannot reach the production systems in future.
  • Update the SSH packages: keep operating system patches up to date, in particular security and SSH packages.
  • Set up File Integrity Monitoring (FIM) alerts in the SIEM: this added layer of detection alerts on unauthorised changes to the system, such as the log deletion seen in the honeypot.
  • Secure passwords: where passwords must remain, use ones that contain no dictionary words, or a passphrase, so that dictionary attacks fail.
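As an added example, not code from the report or from OpenSSH, the following Python auditor checks an sshd_config for the root-login, password-authentication, public-key and MaxAuthTries settings recommended above, with a constructed weak configuration beside the corrected one. It encodes a caveat practitioners often miss: sshd uses the first value it reads for each keyword, so appending PermitRootLogin no to a file that already says PermitRootLogin yes changes nothing, and options under a Match line can re-enable what the global section disabled. The compiled-in defaults in DEFAULTS are OpenSSH's current ones and are an assumption for older releases.

```python
"""Audit an sshd_config against the hardening settings recommended above.

Added example, not code from the original report or from OpenSSH. It relies
on two documented sshd_config rules: keywords are case-insensitive, and for
each keyword the FIRST value sshd reads is the one used, so appending
"PermitRootLogin no" below an earlier "PermitRootLogin yes" changes nothing.
Keywords after a "Match" line belong to that block and can re-enable what the
global section disabled, so they are reported for manual review. Both sample
configs below are constructed for the example."""
import re

# keyword -> (required value, reason). MaxAuthTries is compared numerically.
EXPECTED = {
    "permitrootlogin": ("no", "root was the account brute-forced in the honeypot"),
    "passwordauthentication": ("no", "password logins allow dictionary attacks"),
    "pubkeyauthentication": ("yes", "keys replace guessable passwords"),
    "maxauthtries": ("3", "limit guesses per connection"),
}
# Assumed OpenSSH compiled-in defaults, used when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "maxauthtries": "6"}

WEAK_CONFIG = """\
# Constructed example of a weak sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# An admin "fixed" root login by appending this line; sshd ignores it,
# because the first value for a keyword wins.
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# Constructed example of the corrected sshd_config
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks). Within each section the first
    value seen for a keyword is kept, mirroring sshd's first-value-wins rule."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key val" or "Key=val"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                       # everything below is conditional
            match_blocks.append((value, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(key, value)          # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    settings, match_blocks = parse_sshd_config(text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        actual = settings.get(key, DEFAULTS[key])
        origin = "set" if key in settings else "default"
        if key == "maxauthtries":
            ok = actual.isdigit() and int(actual) <= int(want)
        else:
            ok = actual.lower() == want
        if not ok:
            findings.append(f"{key} is {actual!r} ({origin}), want {want!r}: {why}")
    for criteria, block in match_blocks:
        for key in EXPECTED:
            if key in block:
                findings.append(f"Match {criteria}: sets {key}={block[key]!r}; "
                                "check it does not undo the global setting")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run the auditor on /etc/ssh/sshd_config after every change; on the weak sample it reports three findings, including root login still being allowed despite the appended line, and on the hardened sample none. Restart sshd only after an audit returns no findings, and keep an existing session open while doing so in case key authentication was not set up for the account in use.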

Conclusion

Deploying a Cowrie honeypot allowed the collection of a large set of attack data. By analysing the log files I was able to establish how the attackers gained access: they brute-forced their way in by guessing simple usernames and passwords. After gaining access they tried to familiarise themselves with the system, transferred files in order to run and install tools, and tried to hide their activity. The collected evidence, the sources of the threats and the way the attackers tried to exploit the system give network and system administrators valuable information on how to harden their security posture.
