Beekeeper: Accelerating Honeypot Analysis with LLM-driven Feedback

Honeypots are decoy resources intended to entice adversaries and collect threat intelligence in the process. The amount and quality of the collected insights strongly correlate with the honeypot’s credibility to the adversary. However, the development of medium to high interaction honeypots, so, environments that offer at minimum a shell to the attacker, is laborious and complex. Additionally, getting feedback on a honeypot is often expensive and time-consuming, slowing down development and discouraging investment into honeypots. Therefore, we propose Beekeeper: a modular framework that combines static tests, known attack sequences, and automated, large language model based querying to investigate medium to high interaction honeypots. Afterward, the results are analyzed to provide feedback on the current state of the system and recommendations on how to improve key characteristics of the honeypot. To demonstrate the framework’s functionalities, we deploy Beekeeper with two medium and one high interaction systems and highlight how feedback and recommendations change after an initial set of improvements is implemented for each honeypot.