
A Practical Honeypot-Based Threat Intelligence Framework for Cyber Defence in the Cloud

Darren Malvern Chin, Bilal Isfaq, Simon Yusuf Enoch

TL;DR

Cloud environments require adaptive defenses because static firewalls lag against zero-day threats. The paper proposes an automated, cloud-native honeypot framework that updates firewall rules in real time using deception telemetry and MITRE ATT&CK-aligned detection. The authors demonstrate an Azure-native pipeline that uses Cowrie honeypots, Azure Monitor/Sentinel, and Logic Apps to map attacker behavior to ATT&CK techniques and automatically enforce network-level mitigations, achieving a mean time to block of 0.86 seconds and categorizing over 12k SSH attempts. The results indicate enhanced SOC visibility, reduced attacker dwell time, and a scalable defense model suitable for modern cloud infrastructures.

Abstract

In cloud environments, conventional firewalls rely on predefined rules and manual configurations, limiting their ability to respond effectively to evolving or zero-day threats. As organizations increasingly adopt platforms such as Microsoft Azure, this static defense model exposes cloud assets to zero-day exploits, botnets, and advanced persistent threats. In this paper, we introduce an automated defense framework that leverages medium- to high-interaction honeypot telemetry to dynamically update firewall rules in real time. The framework integrates deception sensors (Cowrie), Azure-native automation tools (Monitor, Sentinel, Logic Apps), and MITRE ATT&CK-aligned detection within a closed-loop feedback mechanism. We developed a testbed to automatically observe adversary tactics, classify them using the MITRE ATT&CK framework, and mitigate network-level threats automatically with minimal human intervention. To assess the framework's effectiveness, we defined and applied a set of attack- and defense-oriented security metrics. Building on existing adaptive defense strategies, our solution extends automated capabilities into cloud-native environments. The experimental results show an average Mean Time to Block of 0.86 seconds - significantly faster than benchmark systems - while accurately classifying over 12,000 SSH attempts across multiple MITRE ATT&CK tactics. These findings demonstrate that integrating deception telemetry with Azure-native automation reduces attacker dwell time, enhances SOC visibility, and provides a scalable, actionable defense model for modern cloud infrastructures.
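As an added example (not the authors' code), the two steps the abstract describes, classifying honeypot telemetry against MITRE ATT&CK and computing Mean Time to Block, applied to constructed Cowrie JSON-lines telemetry. The Cowrie eventids are the real ones Cowrie emits; the eventid-to-technique mapping and the block-record format are assumptions, since the paper's own mapping is not reproduced on this page.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Illustrative Cowrie eventid -> ATT&CK technique mapping (an assumption;
# the paper's own mapping is not on this page).
TECHNIQUE_MAP = {
    "cowrie.login.failed": "T1110 Brute Force",
    "cowrie.login.success": "T1078 Valid Accounts",
    "cowrie.command.input": "T1059 Command and Scripting Interpreter",
    "cowrie.session.file_download": "T1105 Ingress Tool Transfer",
}

# Constructed Cowrie JSON-lines telemetry, chronological (RFC 5737 test addresses).
COWRIE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2025-05-18T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","timestamp":"2025-05-18T10:00:01.200000Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","timestamp":"2025-05-18T10:00:02.500000Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"uname -a","timestamp":"2025-05-18T10:00:03.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"admin","timestamp":"2025-05-18T10:05:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","username":"pi","timestamp":"2025-05-18T10:07:00.000000Z"}
"""

# Constructed record of the deny rules the automation applied (assumed format).
BLOCK_LOG = """\
{"src_ip":"198.51.100.7","blocked_at":"2025-05-18T10:00:02.100000Z"}
{"src_ip":"203.0.113.9","blocked_at":"2025-05-18T10:05:00.700000Z"}
"""

def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(events):
    """Count events per ATT&CK technique; unmapped eventids (e.g. connect) are skipped."""
    return Counter(TECHNIQUE_MAP[e["eventid"]] for e in events if e["eventid"] in TECHNIQUE_MAP)

def mean_time_to_block(events, blocks):
    """Return (mean seconds from an IP's first mapped event to its deny rule, hostile IPs never blocked)."""
    first_seen = {}
    for e in events:  # log assumed chronological, so the first mapped event per IP wins
        if e["eventid"] in TECHNIQUE_MAP:
            first_seen.setdefault(e["src_ip"], datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")))
    blocked_at = {b["src_ip"]: datetime.fromisoformat(b["blocked_at"].replace("Z", "+00:00")) for b in blocks}
    deltas = [blocked_at[ip] - seen for ip, seen in first_seen.items() if ip in blocked_at]
    unblocked = sorted(ip for ip in first_seen if ip not in blocked_at)  # gaps the closed loop missed
    mean = sum(deltas, timedelta(0)).total_seconds() / len(deltas) if deltas else None
    return mean, unblocked
```

The unblocked list is the check a SOC would alert on: an IP that produced mapped hostile events but never received a deny rule means the feedback loop failed for that source.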

Paper Structure

This paper contains 29 sections, 9 equations, 9 figures, 2 tables.

Figures (9)

  • Figure 1: A proposed framework showing the honeypot engagement, detection, MITRE integration, response, and continuous improvement
  • Figure 2: Evaluation Metrics - Categorisation of the Evaluation metrics used: Attack-Based and Defence-Based.
  • Figure 3: Total SSH Attacks Detected per Day — Peaks on 18 and 23 May 2025.
  • Figure 4: Successful vs Failed SSH Logins per Day — Red bars: failures, Indigo bars: successes.
  • Figure 5: Histogram of Session Engagement Time — Most sessions under 5 seconds.