Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats

Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics real-world systems to lure and study cyber attackers.

By leveraging advanced artificial intelligence, DECEIVE provides organizations with a powerful means of tracking, analyzing, and understanding malicious activities in real time, offering actionable insights into attacker tactics and techniques.

Revolutionizing Cybersecurity with DECEIVE

Traditional honeypots require significant effort to simulate realistic environments; they must be seeded with credible data and software to effectively engage attackers.

DECEIVE eliminates this challenge by using AI to create highly believable, customizable system simulations.

This new approach allows enterprises to detect and investigate cyber threats while proactively maintaining minimal overhead.

DECEIVE is designed to emulate a Linux server accessible via the SSH protocol, logging all user activity, analyzing attacker behavior, and categorizing sessions as benign, suspicious, or malicious.

The lightweight and intuitive design is particularly useful for cybersecurity research, training, and internal testing.

Key Features Include:

• AI-Powered Realism: DECEIVE uses AI to simulate operating environments based on user-configurable prompts, making tailored honeypots easy to deploy.
• Comprehensive Logging: All username, password, and command inputs, as well as AI-generated responses, are logged to offer complete session insights.
• Intelligence-Driven Analysis: Sessions are automatically classified into benign, suspicious, or malicious based on attacker actions.
• Cross-Platform Support: Initially developed for macOS 15 (Sequoia), DECEIVE also runs on most UNIX-like systems, including Linux and Windows (via Windows Subsystem for Linux).

Getting Started with DECEIVE

To set up DECEIVE, users can follow these steps:

1. Clone the Repository:
   Fetch the latest version of DECEIVE from its GitHub repository with this command:

git clone https://github.com/splunk/DECEIVE

2. Install Dependencies:
   Ensure Python3 is installed, and use the following command to install the required Python modules:

pip3 install -r requirements.txt

3. Generate SSH Host Keys:
   Create the necessary SSH TLS keypair with this command:

ssh-keygen -t rsa -b 4096 -f SSH/ssh_host_key

4. Configure the Honeypot:
   • Copy the configuration template:

cp SSH/config.ini.TEMPLATE SSH/config.ini

4. Edit the SSH/config.ini file to define system behavior, including the usernames and passwords attackers may attempt to use.
5. Customize the SSH/prompt.txt file to describe the system being emulated. For example, you can specify:
   “You are a video game developer’s system containing realistic source and asset files.”
6. Start the Server:
   Launch the honeypot by running the following command from the SSH directory:

python3 ./ssh_server.py

The server will listen for SSH connections on the configured port, silently logging all activity.

Splunk emphasizes that DECEIVE is a proof-of-concept and not yet production-grade. While the tool is invaluable for threat analysis, it must be deployed cautiously, as it logs sensitive information, such as usernames and passwords, for research purposes.

The project is open-source and available under the MIT license, encouraging contributions from the cybersecurity community. Developers and researchers can access the code, suggest improvements, or adapt DECEIVE to meet specific use cases.

The launch of DECEIVE underscores Splunk’s commitment to enhancing defensive cybersecurity measures.

By flipping the script and studying attackers in action, organizations can stay a step ahead in the ever-evolving threat landscape.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free