Setting SSH Honeypot Detection
A honeypot deployed within a customer enterprise network can be used to detect network activity generated by malware attempting to infect or attack other machines in a local area network. Honeypots that record attempted SSH logins supplement the detection of lateral spread events. A honeypot can be deployed on a customer Traffic Collector, from which event information is sent to the Juniper ATP Appliance Core for processing. Customers can place a honeypot on any local network they choose.
A malicious actor attempting brute force SSH entry, or targeted SSH access to the “root” account, is also detected by the Juniper ATP Appliance SSH Honeypot feature.
Results of SSH Honeypot detections are displayed on the Central Manager Web UI Incidents page, and included in generated Reports.
Data sent to the Juniper ATP Appliance GSS for honeypot detection events includes the “Threat Target” and details of every attempted “SSH session” (including username and password) with timestamps.
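The following is an added example, not Juniper ATP Appliance code, showing how the per-session data described above (source, threat target, username, password, timestamp) can be turned into the two detection types the page names: brute force SSH entry and targeted access to the “root” account. The event line format, the threshold of five attempts within sixty seconds and the tag names are assumptions made for this illustration; the sample event lines are constructed.

```python
"""Classify SSH honeypot login attempts into brute-force and targeted-root
detections. Illustrative code only; the event format and thresholds are
assumptions, not the Juniper ATP Appliance's own implementation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <source> <threat target> <user> <password>".
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01Z 10.0.5.23 10.0.5.200 admin admin123",
    "2024-03-01T10:00:02Z 10.0.5.23 10.0.5.200 admin password",
    "2024-03-01T10:00:03Z 10.0.5.23 10.0.5.200 admin 123456",
    "2024-03-01T10:00:04Z 10.0.5.23 10.0.5.200 admin qwerty",
    "2024-03-01T10:00:05Z 10.0.5.23 10.0.5.200 admin letmein",
    "2024-03-01T10:15:30Z 10.0.7.41 10.0.5.200 root toor",
    "2024-03-01T11:02:11Z 10.0.9.8 10.0.5.200 backup backup",
]

# Assumed tuning: this many attempts from one source inside the window is brute force.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Parse one constructed event line into a dict (password may contain spaces)."""
    ts, src, dst, user, password = line.split(" ", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "source": src,
        "target": dst,
        "username": user,
        "password": password,
    }


def is_brute_force(times, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """True if at least `threshold` attempts fall inside any sliding `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        # Advance the window start until it spans no more than `window`.
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def classify_sessions(lines):
    """Group attempts by source host and tag each source with detection types."""
    by_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_source[ev["source"]].append(ev)

    detections = {}
    for src, attempts in by_source.items():
        # Any login attempt against a honeypot is itself a lateral-spread signal.
        tags = {"ssh_login_attempt"}
        if is_brute_force([a["time"] for a in attempts]):
            tags.add("brute_force")
        if any(a["username"] == "root" for a in attempts):
            tags.add("targeted_root")
        detections[src] = {
            "threat_target": sorted({a["target"] for a in attempts}),
            "attempts": len(attempts),
            "first_seen": min(a["time"] for a in attempts).isoformat(),
            "last_seen": max(a["time"] for a in attempts).isoformat(),
            "credentials_tried": [(a["username"], a["password"]) for a in attempts],
            "tags": sorted(tags),
        }
    return detections


if __name__ == "__main__":
    for src, d in classify_sessions(SAMPLE_EVENTS).items():
        print(src, d["tags"], d["attempts"], "->", d["threat_target"])
```

The per-source record keeps the threat target, attempt count and every credential pair tried, which mirrors the fields the page says are forwarded; a single attempt is still reported, because nothing legitimate should be logging in to a honeypot at all.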
A honeypot can operate on a Juniper ATP Appliance All-in-One system or on a Traffic Collector-only device, as long as the host has enough physical interfaces. Each honeypot uses two interfaces: one externally-facing interface for internet/intranet traffic and one for internal host-to-guest communication. This means that each honeypot uses the eth3 interface for all outbound traffic.