It's still a bit early to say that the hype around artificial intelligence is over. It's more accurate to say that the wheat is being separated from the chaff. In the field of digital honeypots, though, no one will deny that AI can and will make a real difference.
A newcomer might take a "honeypot" for Winnie the Pooh's irresistible treat. In IT security, the irresistible targets are set out for attackers, and that is what we call honeypots: decoys that deceive and mislead an intruder. There is not just one type but a whole range of honeypot concepts, each built for a different task. Deutsche Telekom's open-source platform T-Pot, known well beyond Germany, is something like the "Swiss Army knife" of these digital traps: it bundles tools for many typical scenarios and ships with a number of honeypots. The latest members of the family are called Beelzebub and Galah, and they have one thing in common: they use artificial intelligence, specifically large language models (LLMs).
More Than Just Trend Surfing
Let's just do something with AI? That's not the point here. To understand why the models matter, you first need to know that conventional honeypots follow one of three concepts. Low-interaction honeypots merely simulate basic services or interfaces to attract attackers. They are easy to drop into an existing environment and easy to maintain. The price is that the less interaction is possible, the less complete the picture of the attacker's tactics, techniques, and procedures (TTPs). This simple concept is well suited to detecting automated attacks, and because such honeypots are so easy to run, T-Pot has so far concentrated mainly on this type.
Medium- and high-interaction honeypots, or whole honeynets, are more complex and more expensive to manage, which makes them hungry for resources. They do not simulate an operating system; they run a complete one, often with real vulnerabilities, inside a realistic environment where attackers can "let loose." That takes more storage, computing power, and network resources, and because such traps must run a variety of real services and applications, the management effort grows too. The biggest drawback, however, is risk: precisely because they are realistic and expose a larger attack surface, there is a real chance that an attacker compromises the honeypot itself and uses it as a stepping stone into the production network.
How the other side sees these tactics
How hard is each concept for the attacker to see through? The simplest way to put it: the simpler the concept, the shorter the dwell time. To an attacker, a low-interaction honeypot looks like a static movie set. At first glance it is deceptively real. Picture a street of houses whose windows and doors may even open and close, with what appear to be furnished rooms behind the windows. But anyone who steps over a threshold sees that behind the facade there are only supports and scaffolding. The house, and everything else on the set, is merely a visually convincing illusion.
It's the same with an attack on a simple decoy. At first glance it may look like a real corner of the company's network, and the simulated systems respond as expected to simple probes. But once the attacker digs deeper, they get only generic feedback, or system and error messages repeat and, on closer inspection, do not match what was actually requested. The attacker quickly realizes they have fallen for a ruse and moves on to look for other vulnerabilities.
The ideal honeypot looks different. I want to keep attackers engaged for as long as possible, so that they lose sight of their intended target, be it a corporate network or an industrial production environment. While they are busy with the decoy, I gather information about the attack: the strategies, the tools used. That is why every interaction is logged. The more interactions there are, the more valuable the insights that can be drawn from them. All of this requires the illusion of a "real system" to be perfect, so that the attacker stays motivated, even scores small successes, keeps going, and leaves the real systems alone.
Enter AI
A high-interaction honeypot gives me exactly that. The price: the rich interaction with the decoy systems comes partly from connections to real services, and that, on top of complexity and resource hunger, is the crux of the matter.
This is where AI comes into play as a real game-changer. With model-generated responses, I get the advantages of the medium- and high-interaction operating models while bearing only the lower effort of a low-interaction honeypot, and I avoid the biggest disadvantages of each. To stick with the image of the static film set: artificial intelligence turns it into a living one, with actors, extras, and even small special effects, and in every role, the AI itself.
Take Galah, which owes its abilities to large language models. Galah answers HTTP requests and is essentially a highly specialized chatbot: the model is instructed to behave like a given web application and generates a plausible HTTP response for each request it receives. Its dynamic, realistic answers keep attackers engaged considerably longer. It does not just return a canned page; it answers as if the request had an effect. The attacker gets the impression of peeling away the layers of an onion on the way to the holy grail of their target, when in reality they are merely in a dialogue with the bot.
Beelzebub follows a similar approach and plays to its strengths at the protocol level, for example with SSH, the protocol used for remote administration of networked devices, servers, and entire data centres. Here the model plays the shell: whoever lands in Beelzebub does not get hold of sensitive information but essentially a heap of plausible-looking nonsense, and does not notice it at first glance.
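To make the mechanics behind Galah and Beelzebub concrete, here is an added illustration of an LLM-backed honeypot session. It is not code from either project, from T-Pot, or from Deutsche Telekom; the design, the `HoneypotSession` class, the persona text and the list of "cover-blowing" phrases are all assumptions for the example. The model itself is abstracted as a `responder` callable (prompt in, text out), so the module runs offline; in a real deployment that callable would wrap the LLM API client. It shows the three things such a decoy has to get right: carrying session history into each prompt so that a later `ls` reflects an earlier `touch` (the "request had an effect" illusion), checking the model's output for out-of-character replies that would give the decoy away and substituting an in-character fallback, and logging every interaction as JSON lines for later analysis. The built-in `scripted_responder` is a deterministic stand-in for the model, constructed purely so the example runs without network access.

```python
"""Sketch of an LLM-backed honeypot session in the spirit of Galah (HTTP) and
Beelzebub (SSH).  Added example, not code from either project or from T-Pot.
The LLM is abstracted as a `responder` callable (prompt -> text); the names,
persona and phrase list below are assumptions made for this illustration."""
import json
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Responder = Callable[[str], str]  # wrap a real model client here in production

# Phrases that give the game away if the model slips out of character.
# Assumed starting list; tune it to the model actually in use.
COVER_BLOWERS = ("as an ai", "language model", "i cannot", "i'm sorry", "openai")

# In-character fallback used when the model errors or breaks character.
FALLBACK_SSH = "bash: command not found\n"

PERSONA_SSH = (
    "You are a Linux server named web01. Reply only with the exact terminal "
    "output the command would produce; never explain, never mention being a model."
)


@dataclass
class Interaction:
    ts: float
    session: str
    request: str
    response: str
    fallback: bool  # True when the model's answer was replaced


@dataclass
class HoneypotSession:
    session_id: str
    persona: str
    responder: Responder
    fallback: str
    max_history: int = 20  # bounds prompt size and per-request model cost
    history: List[Tuple[str, str]] = field(default_factory=list)
    log: List[Interaction] = field(default_factory=list)

    def build_prompt(self, request: str) -> str:
        """Persona plus recent history, so the model can keep state across requests."""
        parts = [self.persona, "Session so far:"]
        for req, resp in self.history[-self.max_history:]:
            parts.append(f"$ {req}\n{resp}")
        parts.append(f"$ {request}\n")
        return "\n".join(parts)

    @staticmethod
    def breaks_character(text: str) -> bool:
        low = text.lower()
        return any(p in low for p in COVER_BLOWERS)

    def handle(self, request: str) -> str:
        """Answer one attacker request, filter it, remember it, log it."""
        used_fallback = False
        try:
            response = self.responder(self.build_prompt(request))
        except Exception:  # model timeout, API error: never leak that to the attacker
            response, used_fallback = self.fallback, True
        if self.breaks_character(response):
            response, used_fallback = self.fallback, True
        self.history.append((request, response))
        self.log.append(Interaction(time.time(), self.session_id, request, response, used_fallback))
        return response

    def export_log(self) -> str:
        """One JSON object per line, the shape a SIEM or T-Pot's Elastic stack ingests."""
        return "\n".join(json.dumps(vars(i)) for i in self.log)


def scripted_responder(prompt: str) -> str:
    """Constructed stand-in for the LLM: a tiny deterministic 'shell' that answers
    the last command in the prompt and honours earlier `touch` commands it finds
    in the history.  One command deliberately returns an out-of-character reply."""
    cmd_lines = [line[2:].strip() for line in prompt.splitlines() if line.startswith("$ ")]
    cmd = cmd_lines[-1]
    files = {"index.html", "config.php"}
    for earlier in cmd_lines[:-1]:
        words = earlier.split()
        if len(words) == 2 and words[0] == "touch":
            files.add(words[1])
    if cmd == "ls":
        return "  ".join(sorted(files)) + "\n"
    if cmd == "whoami":
        return "www-data\n"
    if cmd.startswith("touch "):
        return ""  # touch is silent
    if cmd == "cat /etc/passwd":
        return "I'm sorry, as an AI language model I can't show that.\n"  # simulated slip
    return f"bash: {cmd.split()[0] if cmd else ''}: command not found\n"


if __name__ == "__main__":
    session = HoneypotSession("sess-1", PERSONA_SSH, scripted_responder, FALLBACK_SSH)
    for command in ["whoami", "touch dropper.sh", "ls", "cat /etc/passwd", "./dropper.sh"]:
        print(f"$ {command}\n{session.handle(command)}", end="")
    print(session.export_log())
```

The attacker's `cat /etc/passwd` is the interesting case: the stand-in model answers with a chatbot-style refusal, the filter catches it, and the attacker sees an ordinary shell error instead of a sentence that exposes the decoy. The log record still carries `fallback: true`, so the operator can later see where the model went off script and tighten the persona.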
Conclusion
The future of honeypots is clearly one enhanced by artificial intelligence. Traditional concepts either offer only static responses or are too complex and costly to operate. AI-supported systems like Galah and Beelzebub simulate a far more dynamic environment, so attackers stay engaged longer and generate more valuable data about their tactics and tools. Much of the effort and risk of a traditional high-interaction honeypot can be avoided this way. What remains is a new dependency: every attacker request now costs a model call, and a model that drops out of character gives the decoy away, so its responses have to be constrained and checked before they go back over the wire.
More about AI-supported honeypots at the Mobile World Congress in Barcelona from March 3 to 6, 2025. At the Deutsche Telekom booth, we will show use cases of our models. But we will also demonstrate where artificial intelligence is already helping to make us and our customers safer today.