Security technologies

Detecting unknown threats: a honeypot how-to

Catching threats is tricky business, especially in today’s threat landscape. To tackle this problem, for many years сybersecurity researchers have been using honeypots – a well-known deception technique in the industry. Dan Demeter, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team and head of Kaspersky’s honeypot project, explains what honeypots are, why they are recommended for dealing with external threats, and how you can set up your own simple SSH-honeypot. This post offers a condensed version of his presentation alongside the video, which you can view below.

What are honeypots?

A honeypot is a special piece of software that emulates a vulnerable device. Those devices can be from a wide variety of types, such as smart light bulbs, home security DVRs, fridges, microwaves, etc. Deployed publicly on the Internet, honeypots mimick real devices, and, in essence, function like traps for the attackers targeting such devices. Sometimes honeypots also allow defenders to attract and identify new, previously unknown attacks and exploits.

Who needs to set up honeypots? Why?

To protect an organization and its network, the IT security department usually deploys a variety of protection mechanisms, such as EDR, firewall rules or security policies. However, from our experience, these mechanisms might not be enough. Even before they shifted to remote work, organizations had used many vulnerable devices exposed to the Internet that they did not know about. With the shift to remote work, the number of remote stations has increased, and so has the number of exposed network devices, making corporate networks even more vulnerable. Honeypots help strengthening corporate defense system – being planted in key parts of the network they serve as decoys to register external attacks, and capture the threats that were used. This provides an opportunity to further analyze an attack against an organization and learn how to fend it off.

What is Kaspersky’s honeypot project and how can organizations participate?

Honeypot systems require high visibility: the higher – the better, as that helps to cover a wider attack surface. That’s why it is important to collaborate with ISPs, security service vendors or research groups on the Internet to detect new attacks. Kaspersky is continuously improves and strengthens its partnerships with various research groups and ISPs around the world to enhance detection capabilities. Kaspersky offers Honeypots-as-a-Service: we provide the entire infrastructure, our partners only needing to set up and deploy honeypot nodes in their networks. These are connected together and to our honeypot infrastructure. Kaspersky monitors them, analyzes, and aggregates the data, identifies the attacks, and offers its partners statistics (such as most common usernames and passwords used, attacker IPs, types of attacks, etc.), as well as any other artefacts that might be of interest to them. To join Kaspersky’s honeypot project, email to

To learn how to set up an SSH-honeypot to deal with attackers who are seeking to bruteforce your logins and passwords, watch the full video with Dan Demeter, where he answers basic questions about honeypots.

Detecting unknown threats: a honeypot how-to

Your email address will not be published. Required fields are marked *



APT trends report Q3 2021

The APT trends reports are based on our threat intelligence research and provide a representative snapshot of what we have discussed in greater detail in our private APT reports. This is our latest installment, focusing on activities that we observed during Q3 2021.

Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

Subscribe to our weekly e-mails

The hottest research right in your inbox