Recent findings have revealed a significant oversight in the way SSH honeypots detect cyber threats, with many missing the majority of post-login activity by attackers. This revelation, stemming from a study conducted by researchers at the Czech Technical University, highlights a critical gap in current cybersecurity deception strategies.
Findings from the Latest Honeypot Study
The study, entitled “Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots,” uncovers that attackers predominantly use automated, non-interactive commands rather than engaging with traditional shell sessions. This approach allows them to execute commands instantaneously and disconnect, bypassing many existing honeypot detection methods.
Over a 15-day period, the researchers deployed eleven high-interaction SSH honeypots across various cloud platforms, recording 177,622 authenticated sessions. An overwhelming majority, 99.23%, were non-interactive, with a mere 0.10% involving interactive shell access. File transfer attempts were similarly rare, accounting for just 0.67% of the activity.
Implications for Deception Technology
These findings challenge the foundational assumption that attackers engage in interactive shell activity once logged in. Many modern honeypots are designed to simulate shell environments, measuring success by the duration of attacker engagement or the number of issued commands. However, the study suggests these metrics are no longer relevant in the face of current attack methodologies.
The research highlights that attackers often authenticate, execute a single command via SSH’s exec mode, and disconnect almost immediately. These actions are typically automated for reconnaissance purposes, utilizing commands like uname, whoami, uptime, and nproc to quickly assess the target environment.
Adapting to Evolving Cyber Threats
With over 9,000 unique command strings identified, the study found that a small subset dominated, indicating coordinated automated campaigns. Verification probe commands, designed to test whether a system is genuine or a honeypot, were particularly notable. Attackers employed methods such as base64 decoding or arithmetic operations to verify system responses, exploiting vulnerabilities in LLM-based honeypots that might produce inaccurate outputs.
The study’s results underscore the need for a shift in cybersecurity tactics. SSH honeypots should adapt to support non-interactive command execution and provide accurate responses to automated probing. Success metrics should focus on a system’s ability to mimic a real host under automated scrutiny, rather than on simulating human-like interactions.
The increasing reliance on automation and large-scale scanning by attackers necessitates updated deception strategies. Without these changes, SSH honeypots risk becoming outdated, providing a limited view of the evolving threat landscape.
This shift in attacker behavior underscores the urgency for cybersecurity defenses to evolve, emphasizing the importance of aligning deception strategies with current attack patterns to maintain effective threat detection capabilities.
