A Practical Honeypot-Based Threat Intelligence Framework for Cyber Defence in the Cloud
Darren Malvern Chin, Bilal Isfaq, Simon Yusuf Enoch

TL;DR
This paper presents an automated, honeypot-based threat intelligence framework for cloud environments that dynamically updates firewalls in real time, significantly improving response speed and threat classification accuracy.
Contribution
It introduces a novel integrated system combining deception sensors, cloud automation, and MITRE ATT&CK detection to enhance cloud security defenses.
Findings
Average MTTR of 0.86 seconds for threat mitigation
Classified over 12,000 SSH attempts, mapped to multiple MITRE ATT&CK tactics
Reduced attacker dwell time and improved SOC visibility
Abstract
In cloud environments, conventional firewalls rely on predefined rules and manual configurations, limiting their ability to respond effectively to evolving or zero-day threats. As organizations increasingly adopt platforms such as Microsoft Azure, this static defense model exposes cloud assets to zero-day exploits, botnets, and advanced persistent threats. In this paper, we introduce an automated defense framework that leverages medium- to high-interaction honeypot telemetry to dynamically update firewall rules in real time. The framework integrates deception sensors (Cowrie), Azure-native automation tools (Monitor, Sentinel, Logic Apps), and MITRE ATT&CK-aligned detection within a closed-loop feedback mechanism. We developed a testbed to automatically observe adversary tactics, classify them using the MITRE ATT&CK framework, and mitigate network-level threats automatically with minimal…
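The closed loop the abstract describes (honeypot telemetry in, ATT&CK classification, firewall rule out) as an added worked example written for this page; it is not the authors' framework or code. It parses constructed Cowrie-style JSON lines (the event IDs follow Cowrie's JSON output; the IPs are documentation ranges), tags each source IP with an illustrative ATT&CK mapping, and emits an Azure NSG-style deny rule for sources that progressed past password guessing. The event-to-technique mapping, the three-failure brute-force threshold and the `build_rules` helper are assumptions made here, not the paper's; the Sentinel and Logic App plumbing is replaced by a local function that returns the rule body the automation would push.

```python
"""Honeypot -> ATT&CK -> firewall closed loop (illustrative, not the paper's code)."""
import json
from collections import defaultdict

# Constructed Cowrie-style JSON log lines (not captured data). Field names follow
# Cowrie's JSON logger; source IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-01T00:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","session":"a1","timestamp":"2024-01-01T00:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"admin","session":"a1","timestamp":"2024-01-01T00:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","session":"a1","timestamp":"2024-01-01T00:00:03Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"root","password":"toor","session":"a1","timestamp":"2024-01-01T00:00:04Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","input":"uname -a","session":"a1","timestamp":"2024-01-01T00:00:05Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.10","url":"http://198.51.100.7/x.sh","session":"a1","timestamp":"2024-01-01T00:00:06Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.20","session":"b2","timestamp":"2024-01-01T00:00:07Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.20","username":"pi","password":"raspberry","session":"b2","timestamp":"2024-01-01T00:00:08Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.20","session":"b2","timestamp":"2024-01-01T00:00:09Z"}
"""

# Illustrative Cowrie event -> (ATT&CK tactic, technique) mapping. This is an
# assumption for the example; the paper's own mapping is not reproduced here.
ATTACK_MAP = {
    "cowrie.login.failed": ("TA0006", "T1110.001"),       # Credential Access / Password Guessing
    "cowrie.login.success": ("TA0001", "T1078"),          # Initial Access / Valid Accounts
    "cowrie.command.input": ("TA0002", "T1059.004"),      # Execution / Unix Shell
    "cowrie.session.file_download": ("TA0011", "T1105"),  # Command and Control / Ingress Tool Transfer
}

BRUTE_FORCE_THRESHOLD = 3  # assumed: failed logins before T1110.001 is asserted
BLOCK_TECHNIQUES = {"T1110.001", "T1078", "T1059.004", "T1105"}


def parse_cowrie(text):
    """Parse newline-delimited Cowrie JSON; malformed or incomplete lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "eventid" in ev and "src_ip" in ev:
            events.append(ev)
    return events


def classify(events):
    """Build a per-source profile: failed-login count plus ATT&CK tactics/techniques observed."""
    profile = defaultdict(lambda: {"failed_logins": 0, "tactics": set(), "techniques": set()})
    for ev in events:
        p = profile[ev["src_ip"]]
        if ev["eventid"] == "cowrie.login.failed":
            p["failed_logins"] += 1
        mapped = ATTACK_MAP.get(ev["eventid"])
        if not mapped:
            continue
        tactic, technique = mapped
        # A single failed login is noise; only a run of failures is tagged as brute force.
        if technique == "T1110.001" and p["failed_logins"] < BRUTE_FORCE_THRESHOLD:
            continue
        p["tactics"].add(tactic)
        p["techniques"].add(technique)
    return profile


def nsg_deny_rule(src_ip, priority, techniques):
    """Azure NSG-style inbound deny rule body for one source IP (shape only; nothing is sent)."""
    return {
        "name": "honeypot-deny-" + src_ip.replace(".", "-"),
        "properties": {
            "priority": priority,  # NSG priorities run 100-4096; lower wins
            "direction": "Inbound",
            "access": "Deny",
            "protocol": "Tcp",
            "sourceAddressPrefix": src_ip,
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*",
            "destinationPortRange": "22",
            "description": "honeypot: " + ",".join(sorted(techniques)),
        },
    }


def build_rules(log_text, base_priority=100):
    """Full loop: telemetry -> classification -> list of deny rules for offending sources."""
    profile = classify(parse_cowrie(log_text))
    rules = []
    for src_ip in sorted(profile):
        hits = profile[src_ip]["techniques"] & BLOCK_TECHNIQUES
        if hits:
            rules.append(nsg_deny_rule(src_ip, base_priority + len(rules), hits))
    return rules


if __name__ == "__main__":
    print(json.dumps(build_rules(SAMPLE_LOG), indent=2))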
Taxonomy
Topics: Network Security and Intrusion Detection · Security and Verification in Computing · Network Packet Processing and Optimization
