Rapid7 Research

Project Heisenberg

Furthering our understanding of the attacker mindset

An Introduction to Project Heisenberg

Project Heisenberg began in 2014 with a singular purpose: understand what attackers, researchers, and organizations are doing in, across, and against cloud environments. It does this by deploying low interaction honeypots—or computers that do not solicit services—globally and recording telemetry about connections and incoming attacks to better understand the tactics, techniques, and procedures used by bots and human attackers.

Over the years, Project Heisenberg’s impact has been two-fold: First, it has enabled us to provide a rational, objective assessment of attacker behaviors and their potential impacts. This helps establish relationships with other internet-scale researchers to create forums for collaboration and confirmation when new threats arise. Second, insights extracted from Heisenberg have raised awareness about the depth and breadth of determined attackers, opportunistic attackers, organizational misconfigurations, and what security researchers are poking for on the internet. You can explore these insights in Rapid7 studies such as Off the Chain: Observing Bitcoin Nodes on the Public Internet, The Attacker’s Dictionary, and our Quarterly Threat Reports, and see them put into practice with groundbreaking Attacker-Based Analytics in our InsightIDR product.

 

How It Works

Project Heisenberg

The Heisenberg honeypot framework is a modern take on the seminal attacker detection tool: Each Heisenberg node is a lightweight, configurable agent that is centrally deployed using well-tested tools and controlled from a central administration portal. Virtually any honeypot code can be deployed to Heisenberg agents, and all agents send back full packet captures for post-interaction analysis. Currently, we have deployed over 150 honeypots worldwide, across 5 continents.

All interaction and packet capture data is synchronized to a central collector, and all real-time logs are fed directly into Rapid7 products for live monitoring and historical data mining. When an unsolicited connection attempt is made to one of our honeypots, it often calls for further analysis.

 

Heisenberg Honeypot Technology

Ready to see this research put into practice? Explore intruder traps and Attacker-Based Analytics with a free trial of InsightIDR.

Start 30-Day Trial
Partner With Us

The path to a more secure world starts with sharing knowledge. Contact our researchers to get involved.

Learn More
Whiteboard Wednesday
In this video, Bob Rudis, Chief Data Scientist at Rapid7, introduces you to the two foundational projects of Rapid7 Labs’ research—Sonar and Heisenberg.
Watch Now
Bitcoin Research
With blockchain’s increasing popularity comes attractiveness to attackers, increased surface area for attacks, and growing challenges for defenders. Are bitcoin nodes behaving badly? Our researchers used Project Heisenberg to find out.
Read the Full Report
Attacker-Based Research
In the Attacker’s Dictionary, our researchers employ Project Heisenberg to delve into the passwords opportunistic attackers use to compromise RDP endpoints.
Read the Full Report