Abstract – Honey-pots, Honey-nets, and Honey-systems are entrapment devices to capture the continuous barrage of cyber-attacks to the IT infrastructure of companies, and institutions. Threat intelligence is important component of defense against cyber-attacks. Threat intelligence includes the malware, scripts and other artifacts that the attackers use for launching cyber-attacks as well as the mode of attack, the attacker capabilities, and behavioral aspects. Once a honey-system is deployed, the attackers leave their signature and various tools into the honey-system and their behavior is logged. This data then can be further analyzed to generate threat intelligence which can then be used to decide the defensive techniques. This thesis presents simple and easily deployable Honey-pot systems ranging from client side Honey-pots, Honey-tokens to various server side Honey-pots. Our deployments have been able capture various tools used by the attackers to target weakly defended machines. Besides understanding of tools used by the attackers, we can glean the knowledge about zero-day attack vectors. If poorly designed, honey-systems might compromise the systems being defended. In view of that, we have designed, implemented and deployed honey-systems that offer a good level of security. From the post-mortem data analysis, we have been able to obtain a good amount of intelligence on what kind of attacks and attackers are targeting our systems at IIT Kanpur, and also outside. The major contributions in this thesis includes:
1. An approach to create a malware like Gooligan and Honey-token based post exploitation techniques to identify breached devices.
2. Lightweight models of Honey-pots with live monitoring web interfaces.
3. A Honey-client for identifying malicious web servers that captures drive-by-download based attacks targeting Linux based machines.