Project Lorelei

An Introduction to Project Lorelei

Project Lorelei began in 2014 with a singular purpose: understand what attackers, researchers, and organizations are doing in, across, and against cloud environments. It does this by deploying low interaction honeypots—or computers that do not solicit services—globally and recording telemetry about connections and incoming attacks to better understand the tactics, techniques, and procedures used by bots and human attackers.

Over the years, Project Lorelei’s impact has been two-fold: First, it has enabled us to provide a rational, objective assessment of attacker behaviors and their potential impacts. This helps establish relationships with other internet-scale researchers to create forums for collaboration and confirmation when new threats arise. Second, insights extracted from Lorelei have raised awareness about the depth and breadth of determined attackers, opportunistic attackers, organizational misconfigurations, and what security researchers are poking for on the internet. You can explore these insights in Rapid7 studies such as The Attacker’s Dictionary, and our Quarterly Threat Reports, and see them put into practice with groundbreaking Attacker-Based Analytics in our InsightIDR product.

How It Works

The Lorelei honeypot framework is a modern take on the seminal attacker detection tool: Each Lorelei node is a lightweight, configurable agent that is centrally deployed using well-tested tools and controlled from a central administration portal. Virtually any honeypot code can be deployed to Lorelei agents, and all agents send back full packet captures for post-interaction analysis. Currently, we have deployed over 150 honeypots worldwide, across 5 continents.

All interaction and packet capture data is synchronized to a central collector, and all real-time logs are fed directly into Rapid7 products for live monitoring and historical data mining. When an unsolicited connection attempt is made to one of our honeypots, it often calls for further analysis.