Security technologies

Detecting unknown threats: a honeypot how-to

Catching threats is tricky business, especially in today’s threat landscape. To tackle this problem, for many years сybersecurity researchers have been using honeypots – a well-known deception technique in the industry. Dan Demeter, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team and head of Kaspersky’s honeypot project, explains what honeypots are, why they are recommended for dealing with external threats, and how you can set up your own simple SSH-honeypot. This post offers a condensed version of his presentation alongside the video, which you can view below.

What are honeypots?

A honeypot is a special piece of software that emulates a vulnerable device. Those devices can be from a wide variety of types, such as smart light bulbs, home security DVRs, fridges, microwaves, etc. Deployed publicly on the Internet, honeypots mimick real devices, and, in essence, function like traps for the attackers targeting such devices. Sometimes honeypots also allow defenders to attract and identify new, previously unknown attacks and exploits.

Who needs to set up honeypots? Why?

To protect an organization and its network, the IT security department usually deploys a variety of protection mechanisms, such as EDR, firewall rules or security policies. However, from our experience, these mechanisms might not be enough. Even before they shifted to remote work, organizations had used many vulnerable devices exposed to the Internet that they did not know about. With the shift to remote work, the number of remote stations has increased, and so has the number of exposed network devices, making corporate networks even more vulnerable. Honeypots help strengthening corporate defense system – being planted in key parts of the network they serve as decoys to register external attacks, and capture the threats that were used. This provides an opportunity to further analyze an attack against an organization and learn how to fend it off.

What is Kaspersky’s honeypot project and how can organizations participate?

Honeypot systems require high visibility: the higher – the better, as that helps to cover a wider attack surface. That’s why it is important to collaborate with ISPs, security service vendors or research groups on the Internet to detect new attacks. Kaspersky is continuously improves and strengthens its partnerships with various research groups and ISPs around the world to enhance detection capabilities. Kaspersky offers Honeypots-as-a-Service: we provide the entire infrastructure, our partners only needing to set up and deploy honeypot nodes in their networks. These are connected together and to our honeypot infrastructure. Kaspersky monitors them, analyzes, and aggregates the data, identifies the attacks, and offers its partners statistics (such as most common usernames and passwords used, attacker IPs, types of attacks, etc.), as well as any other artefacts that might be of interest to them. To join Kaspersky’s honeypot project, email to

To learn how to set up an SSH-honeypot to deal with attackers who are seeking to bruteforce your logins and passwords, watch the full video with Dan Demeter, where he answers basic questions about honeypots.

Detecting unknown threats: a honeypot how-to

Your email address will not be published. Required fields are marked *



Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Tomiris called, they want their Turla malware back

We continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry allowed us to shed light on the group. In this blog post, we’re excited to share what we now know of Tomiris with the broader community, and discuss further evidence of a possible connection to Turla.

Subscribe to our weekly e-mails

The hottest research right in your inbox