What: LLM-based honeynet with dynamic adaptability

Why: Why use 50 instances when you can use 1, with added flexibility?

Traditional honey nets offer static infrastructure and static responses. In DAHN, the infrastructure is abstracted, with lambda/gpt API (prompts stipulated) returning seemingly native responses to the threat actor, depending on the complexity index defined by the administrator. In other words, responses are dynamically crafted to entrap and retain threat actors, internal and external, in this environment for as long as possible, giving them a balance of false hope and realistic obstacles as they pass through our simulated layers of defense. Our AI-powered honey net mimics a given corporate environment to create a fictitious digital twin and embeds a controlled-level of simulated vulnerabilities/weaknesses to attract, distract, learn from, and attribute threat actors. The outputs are decoys, diversion, fingerprints, IoCs and IoAs, attributes, TTPs and behaviors, and used to augment threat detection and cyber defense strategies.

The tool comes with 3 main components:

1. The detection fingerprinter analyzes traffic and matches with malicious fingerprints to decide which traffic to route to the honeynet.
2. The honeynet leverages on AI/LLM to simulate cli-responses from a fleet of machines that resembles the corporate environment. A series of networked machines are lined up virtually to contain the adversary and distract the adversary from the real targets. An attack-path-mapper presents a visual on the progress and current stage at which the adversary is at, which the blue team can monitor live.
3. The intel component collects TTPs, behaviors, fingerprints from the observed adversaries and converts them into internal intel for actions. There’s also a blue team module that can adaptively influence the adversaries’ movements. For instance, if the blue team wants to see TTPs and IoAs relating to databases, this module releases prompts to simulate vulnerable database instances to steer and lure the attacker into attempting to exploit. The intel module would then capture the on-demand and related behavioral attributes.

We simulate the exploitation of a session manager.

On the left, we see the exploited session that bypasses authentication (simulated), and on the right, a benign session.

Because the exploited session runs in a known-malicious ja3 signature, dahn's fingerprinter routes that session to the honeynet (indicated with grey banner). In other words, legitimate sessions will interact with the intended service (indicated with blue banner), while malicious sessions matching our known-bad fingerprint signatures will be routed transparently to our digital twin/honeynet.

The attacker might perform some enumeration activities, such as the ones listed below, and the responses are generated by LLM in a realistic manner (granted, more work needs to be done).

From host 1, the attacker is seen to have found an unguarded FTP service and has pivoted over.

Once in, the attacker performs another round of enumeration and found AWS keys. Of course, the key generated here is deceptive.

Attacker validates that the keys authenticate fine and attempts to enumerate:

Under the hood, the blue team sees the attacker activities in real-time and is able to influence the attack path - for instance, if the blue team wants to capture TTP relating to databases, they can inject a "vulnerable" database service at any given point in time.

In the management console above, we see the fingerprint of the current attacker, beacon data from the AWS keys used earlier, an attack path, options for blue team influence (ie injecting vulnerable service), as well as LLM-generated insights that is then fed-back to the fingerprinter for actions (ie, more comprehensive filtering/routing or behaviorial-based blocking).

Going back to the attacker's session, and having a vulnerable DB service injected by the blue team earlier, when the attacker performs the same nmap enumeration, the attacker now sees a new vulnerable DB service being spun up. We also see here that dahn understands that this is a vulnerable DB service and thus allows the attacker to successfully exploit it. We then collect intel on the attacker's toolset and behavior which would help in crafting defenses and attribution.

Input your chatgpt API key into config.json.

sudo apt install nodejs
sudo npm install node-fetch
node --experimental-modules server.mjs

low cost

• Infrastructure is lightweight
• “Infrastructure” is also dynamic
• Scalability is abstracted
• Amplification on effort vs time wasted by adversaries

adaptive

• Depending on how the attack progresses and what kinds of intel we want to collect, we shape the honeynet on-the-fly
• Supports prompt as code where snippets of modular prompt can be injected, for instance, on a CVE.
• Adaptive yet consistent and realistic, with defense simulation (to-be)
• No need to code out every granular scenario.

internal intel

• Generates very relevant intel without paying the price of lessons learnt
• Intel generated is automatically fed-back to the fingerprinter to redirect malicious actors to the honeynet.
• Insights provided are translated into actionables

• Dynamic generation of network map based on organization profile, naming convention, and assets.
• Dynamic generation of decoys (canary API)
• Moving to private/other GPT models
• More robust fingerprinting engine with combined attributes
• Building on service manager
• Add in session aggregation for blue team monitoring
• Excluder to migrate false positive sessions back to legitimate services
• Make it harder to break the gpt-disguise