Honeypots are a well-studied defensive measure in network security. This work proposes an effective low-cost honeypot that is easy to deploy and maintain. The honeypot introduced in this work is able to handle commands in a non-standard way by blocking them or replying with an insult to the attacker. To determine the most efficient defense strategy, the interaction between attacker and defender is modeled as a Bayesian two-player game. For the empirical analysis, three honeypot instances were deployed, each with a slight variation in its configuration. In total, over 200 distinct sessions were captured, which allows for qualitative evaluation of post-exploitation behavior. The findings show that attackers react to insults and blocked commands in different ways, ranging from ignoring them to sending insults of their own. The main contribution of this work lies in the proposed framework, which offers a low-cost alternative to more technically sophisticated and resource-intensive approaches.