Sweetening the Pot

WWU seniors Robert Crocker and Shaine Metz spend a lot of time thinking about crime.

It’s a central focus of their degrees: Both majors in computer science and cybersecurity, Crocker and Metz are working with other students to develop “honeypots” that lure cyber criminals into sharing their dirty tricks and teaching students how to prevent future cyberattacks.

Like spies who use sexual and romantic subterfuge to manipulate their victims, honey pots present themselves as ripe data targets for hackers. As the bad guys try to break in, programmers are watching their progress and taking note of how to prevent real attacks on more vulnerable assets.

Honeypots are a big part of the research work Crocker and Metz are doing in Western’s Cybersecurity Program, based at the WWU Center at Olympic College Poulsbo. They’re focusing on protecting military-grade devices that are connected to the internet; the Internet-of-Things is coming under increasingly frequent and sophisticated cyberattacks.

“Different sectors are being targeted by attacks all the time,” says Crocker, of Lynnwood, “and from the perspective of a security analyst, you’d see behaviors in traffic that would indicate some sort of malicious action is happening. But it’s happening in real time and real systems are at stake.”

By design, honeypots only appear to provide access to vulnerable data—they’re not connected to protected networks. But the data collected from honeypots enables students to develop and test new defensive strategies and tools to prevent, detect, and respond to attacks.

“One of the benefits of developing the honeypot,” says Metz, of Bellingham, “is that you can see through copious amounts of research how different assets and systems are being attacked—or would be attacked—without any real threat to your assets.”

WWU’s honeypot work is getting noticed by colleges and universities around Washington, who are interested in using Western’s system to teach their own cyber security students how to build honeypots, and organizations like the U.S. Navy, who want to put the students’ skills to work.

The honeypot project at the Cyber Range began with students themselves, says Erik Fretheim, director of the Cybersecurity Program at WWU.

“Over just a handful of years, they have built a lasting resource for the Washington state community and beyond that is self-sustaining,” Fretheim says. “Our Cyber Range is fueled by the talent and hard work of our students and faculty, and with their success, attracts more partners, more talent, and more problems to be solved. It’s gratifying to see so many of our computer science graduates propelled into the most consequential reaches of our state’s and the world’s most innovative sectors,” says Fretheim.

The honeypots are just one project going on at Western’s Cyber Range, a self-contained, controlled computer network designed as a safe space for cybersecurity training. As the Washington State Educational Cyber Range, it’s an open education resource managed by Western that supports cybersecurity education programs throughout the state.

One of the few educational cyber ranges in the nation, the range runs on servers donated by The Boeing Co. It supports students in cybersecurity programs throughout the state and gives advanced computer science and cybersecurity students unparalleled collaboration opportunities with major global employers, colleges, and branches of the United States military.

Based in Poulsbo, the WWU Cyber Range is also a national leader in the Public Infrastructure Security Cyber Education System, or PISCES, in which students help small government agencies identify cyberattacks. Cybersecurity students have helped prevent the installation of ransomware, spotted phishing attempts, identified unprotected systems on networks and prevented other nefarious or hazardous activities.

Though they’re not well covered in the mainstream media, honeypots have been a staple of cybersecurity platforms for decades.

In 1991, a computer security expert at AT&T Bell Laboratories named Bill Cheswick discovered a criminal hacker trying to steal a copy of a password file. To preempt this, Cheswick and coworkers developed a chroot jail (picture a virtual Roach Motel) which allowed them to watch this attacker for several months.

Honeypots, and groups of honeypots called honeynets, continue to evolve as new threats emerge and attackers become more sophisticated. Few organizations are willing to expose their live systems to attacks, even for research purposes, because of the risk of damage and downtime disrupting their operations. So the data collected at the WWU Cyber Range is a treasure trove for researchers, companies, data analysts and others.

Honeypots can detect and analyze attacks and attackers, and they can create ruses to divert attackers. More importantly, honeypots can also be modular, says Vipul Kumar, director of the WWU Cyber Range, allowing student teams to build upon existing honeypots and honeynets through research and refinement over the long-term.

This iterative, research-reliant approach to development may be why, at WWU’s Cyber Range, the honeypot program has grown and developed in such a short time.

Though they may not have realized it at the time, four WWU students—Lyndsey Pettit and Justin Costello, both graduates in cybersecurity, and computer science grads Rebecca Sharp and Cole Monpas—planted the seed for what would become the enormously productive honeypot program at WWU with a senior capstone project in 2022.

“We spent the entire school year working on it,” says Pettit, who is now a cybersecurity analyst at Work Right NW. “In the early days, there was a lot of troubleshooting and learning as we went. Once we got going, we were able to research honeypot types, figuring out which ones would be the most beneficial based on region, traffic, and data availability. We created dashboards so we could test them, and eventually went on to build a guide for future development.”

The team ultimately chose to build the honeypot with an automated machine learning tool called TPOT, whose open-source framework is in line the WWU Cyber Range’s mission of being an open and collaborative environment. Additionally, TPOT’s modular nature allowed the team to easily scale future honeypots as needed, with an eye on the long-term sustainability of the project.

“With support from our cloud administrator, Paul Haithcock, the four students managed to deploy a proof-of-concept version of the honeypot in the Cyber Range,” Kumar says. “Honeypots by nature are prone to attack from bad actors across the world, so we had to take extraordinary measures to make sure the students had a safe and secure environment to host their honeynet inside the cyber range datacenter.”

The system has been collecting valuable real-time attack data since it went live in the summer of 2022.

One recent week, the honeypots were attacked about 1 million times—about 150,000 times a day. About a quarter of the attacks came from Russia, and another quarter from the U.S. About a third came from the Netherlands, China or Germany.

That first honeypot student project laid the groundwork for the next cohorts of cybersecurity students. “It was nice to be able to put together the guide and build a foundation for what this would become for the cyber range,” says Pettit, who plans to eventually open her own cybersecurity practice.

The team integrated the honeypot stack into the cyber range as a virtual lab accessible to partners, such as Eastern Washington University, Central Washington University, Bellevue College, Highline College, Green River College and others. The state Legislature recently allocated $769,000 to Western’s Cyber Range to support partnerships like this.

At Central, for example, cybersecurity instructor Deborah Wells uses the honeypot stack developed at Western to give students a better understanding of what a real cyber attack could look like.

“It’s such a phenomenal way to learn how an attacker thinks,” says Wells, who also works in cybersecurity for BECU. “It is really like the ‘raw traffic’ that can provide a true picture for the student and what they should be looking for during their monitoring.” The success of the honeypot project has also raised the visibility of the WWU Cyber Range, Kumar says.

“Everyone who works with it immediately understands its rarity and value,” Kumar says. “When students and faculty come in to use the honeypot stack, they interact with the whole Cyber Range platform, which leads to further collaboration and innovation.”

Parallel to the work done by the original core team, Crocker and Metz are part of two additional student groups completing capstone projects on use cases for the U.S. Navy’s Undersea Warfare Center at Keyport.

Their project, “Matryoshka Honeypots,” looks at advancing honeypot technology using innovative, experimental techniques to nest additional honeypots within the 20-plus that are already in the network. Thus, the Russian doll metaphor.

Developing honeypot stacks sophisticated enough to deploy with the U.S. Navy and higher education institutions requires large investments of time, expertise and funds. Annual enterprise licenses for similar services can run in the hundreds of thousands of dollars, but this is beside the point for WWU’s Cyber Range, whose mission is to accelerate the adoption of cyber security education, training, workforce development and continued education within the state, regionally and nationally.

“In line with our mission, we provide the cyber range cloud platform and all the services, including the honeypot stack, virtual internet, our web security and secure software development labs, and others at no cost to K-12 schools, or community colleges and universities within Washington,” Kumar says. “We are building a strong community composed of academic, government and industry partners all coming together to advance cybersecurity in the state. The WWU CISS program and Cyber Range together form a strong moat and represent a competitive and strategic advantage for WWU and the state, which has inherent value in and of itself.”

After Metz and Crocker graduate in the spring, a new team will move in and build on top of their research, continuing to collaborate with partners at the Navy, at partner colleges, and beyond.

“We’re really looking forward to seeing what the incoming student teams will take on and achieve after us. It’s exciting. We had the torch passed to us by Lyndsey and her team, and now we get to do the same,” Crocker says.