Using a honeypot/honeyservice/honeytoken is one of the simplest and most impactful security actions one can take. Thinkst Canary has proven this over a number of years and continues to lead the field. Taking inspiration from what Thinkst has done and combining this with their idea of “honey tokens” for cloud services, I wrote metatrapd a couple of years back. Finally I’m making this public, maybe it will be useful to someone.

Release: https://github.com/staaldraad/metatrapd

What does it do?

In its most basic function, metatrapd turns the cloud metadata service (169.254.169.254) into a honeypot service. This allows alerting on any access to this service, working as an effective indicator of compromise in cloud environments.

One of the first things attackers do when compromising a cloud instance is to access the cloud metadata service. Typically through either a code execution or a server side request forgery (SSRF) vulnerability. This is because this service may allow access to cloud credentials, which can then be used for lateral movement in the cloud environment. Since this is the first place attackers look, it makes sense to alert on this access, providing one of the earliest possible indicators of compromise.

metatrapd allows setting up a tripwire on the metadata service, but it also allows hardening the metadata service. In the case that the metadata service is not used by anything on the instance, metatrapd can block all access (and still alert on access attempts). If the metadata service is necessary, metatrapd can be deployed in proxy mode, where it allows access to the metadata service but alerts on any access. It is also possible to allow-list specific binaries on the host, allowing trusted/expected services to use the metadata service as normal. Lastly, metatrapd allows adding authentication to the metadata service, something that is missing in most cases.

Installation

metatrapd can be run as a stand-alone binary or as a service. This is fully documented in the repository. The service runs with minimal permissions and aims to not introduce an additional attack surface.

Example usage

The README.md contains more information on advanced usage.

Block and alert

Running in full alerting mode, with blocking. In this mode any access to the metadata service will cause an alert to trigger. metatrapd can either trigger an alert directly to slack, trigger slack alerts from a central location, through a webhook, or create on host logs that are fed to a SIEM through normal syslog forwarding.

Proxy mode

Another example is to use proxy mode with alerting. In proxy mode, access to the metadata service is still allowed, however every URI accessed will be logged (and optionally alerted on). This provides the option to fully audit metadata service usage, something that is not usually possible. In this use-case, it typically makes sense to disable direct alerting (slack/webhook) and to use log forwarding to detect malicious access via SIEM logs.

Source Code

The full source code and binaries are available on GitHub: https://github.com/staaldraad/metatrapd. Releases are built on GitHub and are fully auditable. Produced binaries are signed and can be verified via the minisign public key found in the repository.