Honeypot Solution for Edge Devices
At CROWSI we believe in the power of honeypots to protect against malicious threat actors. That is why we developed an easy-to-use open-source honeypot platform, tailor-made to protect edge device scenarios like connected vehicles or other connected devices.
CROWSI is built to provide early notifications of malicious activities as well as valuable insights while luring attackers away from actual assets.
What is a Honeypot?
Honeypots are decoy systems that are intended to be attacked. They mimic actual vulnerable systems, thereby attracting attackers within your ecosystem and luring them away from actual assets.
Honeypots are typically classified as low-interaction or high-interaction, depending on how realistic the decoy is and therefore on how much interaction it offers attackers to keep them engaged.
Why Use Honeypots?
Early Notifications
Because honeypots mimic attractive vulnerable systems, there is a high chance that attackers looking for a target will start interacting with them before interacting with well-protected assets. By integrating a honeypot into your ecosystem and connecting it to your security monitoring system, you therefore get early notifications of malicious actors. Because honeypots offer no actual functionality, this generally comes with a very low rate of false positives.
Creates Insights
Honeypots are typically designed to provide lots of data on the attacks that target them. Security teams can use this data to gain knowledge of the actual threat landscape, learning about real attack procedures, countermeasures that are actually effective, and the configurations needed for other measures such as Intrusion Detection Systems. These insights allow you to improve the efficiency of your cyber security activities.
Binds Resources
Luckily, attackers also have limited resources. Whenever an attacker is attracted by a honeypot and starts interacting with it, the attacker has to invest resources that can no longer be invested in attacking actual assets. In this way honeypots lure attackers away from assets and actually protect them, simply by binding and wasting the attacker's resources.
CROWSI Overview
CROWSI is a Kubernetes-based platform that can orchestrate and expose containerized honeypot applications via the open-source proxy Traefik. It allows you to add whatever application container suits your scenario, and ships by default with a low-interaction container application that implements an HTTP server and logs details of incoming requests.
You integrate CROWSI into your edge device via another reverse proxy (like NGINX) running on the device. This lets you present attackers with what looks like a badly protected app on your edge device or your backend. Whenever an attacker targets the edge device and starts interacting with the open port of the proxy, all of the attacker's requests are forwarded to CROWSI, where the requests and activities are logged in detail. This forwarding also has the positive effect of shifting the main risks of vulnerable decoys to an isolated backend instead of incorporating them into your assets.
By then attaching CROWSI to your cyber security monitoring system and evaluating the CROWSI logs, you can leverage the benefits described above.
To make sure that only traffic originating from your edge devices reaches the decoys, the Traefik proxy additionally enforces client authentication based on the certificates of your edge devices, so that only relevant activities trigger your monitoring team.
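The edge-device side of this setup could look like the following NGINX configuration. This is an added example, not taken from the CROWSI project or its documentation; the backend hostname, ports and certificate paths are placeholders.

```nginx
# Added example, not CROWSI's own configuration.
# crowsi.example.internal, the ports and all file paths are placeholders.
server {
    # Decoy port exposed on the edge device; no real function sits behind it.
    listen 8080;

    # Keep a local record as well, in case the backend is unreachable.
    access_log /var/log/nginx/decoy_access.log;

    location / {
        # Forward every request to the isolated honeypot backend.
        proxy_pass https://crowsi.example.internal:443;

        # Client certificate of this edge device, presented to the backend
        # proxy so it can tell device-originated traffic from anything else.
        proxy_ssl_certificate     /etc/nginx/certs/edge-device.crt;
        proxy_ssl_certificate_key /etc/nginx/certs/edge-device.key;

        # Verify the backend too, so decoy traffic is never sent to an
        # endpoint that merely claims to be the honeypot platform.
        proxy_ssl_trusted_certificate /etc/nginx/certs/backend-ca.crt;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_server_name  on;

        # Overwrite (not append to) forwarding headers: the honeypot logs
        # should show the address NGINX saw, not one the client supplied.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Fail fast if the backend is down so the decoy cannot tie up
        # worker connections on a resource-constrained device.
        proxy_connect_timeout 5s;
        proxy_read_timeout    15s;
    }
}
```

The device's private key should be readable only by the NGINX user, since anyone holding it can inject traffic that the backend will treat as coming from a genuine edge device.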
To learn more, read our documentation or browse the source code on GitHub.
Why use CROWSI to protect your vehicle fleet?
Although suitable for protecting any edge device scenario, CROWSI was originally developed to provide an easy and effective means of enabling proper vehicle security monitoring as required e.g. by the UN – R 155.
Check out our article on the big challenge of vehicle security monitoring and how CROWSI can help in this domain.
Managed Service
You don’t want to spend valuable internal resources on deploying and operating CROWSI on your own?
You need support or customization?
You are looking for additional high-interaction honeypot decoys?
Check out our planned managed service offering.