csquare-d/CICDecoy
GitHub: csquare-d/CICDecoy
一个基于 Kubernetes 和 GitOps 的欺骗即代码平台,通过 CI/CD 流水线自动化部署蜜罐并生成结构化威胁情报。
Stars: 1 | Forks: 0
# CI/CDecoy
**实现欺骗即代码的开源框架。**
[https://cicdecoy.systems](https://cicdecoy.systems/) · [文档](docs/getting-started.md) · [路线图](docs/ROADMAP.md)
CI/CDecoy 让安全团队能够定义、版本控制并持续部署网络欺骗资产:蜜罐、蜜标和诱饵服务。所有这些都使用 Kubernetes 上熟悉的 GitOps 工作流。每一次交互都会被捕获,并结合 MITRE ATT&CK 上下文进行丰富,最终输出为结构化的威胁情报。
```
apiVersion: cicdecoy.io/v1alpha1
kind: Decoy
metadata:
name: ssh-jumpbox-03
spec:
service: { type: ssh, port: 22 }
fidelity: { tier: 3, adaptive: { model: llama3 } }
identity: { hostname: "jump-03", profileRef: "sre-workstation" }
authentication:
mode: selective
credentials:
- { username: admin, password: "W3lcome2024!" }
telemetry:
sessionCapture: { fullTranscript: true, keystrokeTimings: true }
engage:
activity: EAC0001
goal: EG0001
hypothesis: "Adversaries targeting the DMZ will attempt SSH credential access."
```
```
cicdecoy deploy decoys/ --wait
cicdecoy sessions watch --annotated
```
## 为什么选择 CI/CDecoy
**诱饵即代码。** 诱饵是 Git 中的 YAML 清单,通过 CI/CD 进行部署。可审计、可复现、支持回滚。
**三个保真度层级。** 第一层信标记录连接。第二层脚本诱饵处理真实的交互。第三层自适应诱饵使用本地 LLM 进行连贯、开放式的 shell 会话,甚至能够迷惑人类操作员。
**内置 CTI 流水线。** 每次交互都会经过 MITRE ATT&CK 映射(70 多种技术)、工具签名(48 种工具)、行为评分、GeoIP 和杀伤链检测的丰富处理——不仅仅是记录,而是进行分类和评分。
**Kubernetes 原生。** 诱饵即为 CRD。支持 `kubectl get decoys`。Operator 负责处理调度、健康检查和生命周期。
**SIEM 集成。** 将丰富后的事件以 JSON、CEF、LEEF 或 ECS 格式发送到 Splunk、Elasticsearch、syslog 或 webhook,并支持重试、熔断机制和死信队列。
**MITRE Engage。** 将每个诱饵映射到 Engage 的活动、方法和目标。跟踪每个会话的情报价值。
## 功能对比
| 功能 | CI/CDecoy | 单协议蜜罐 | T-Pot | 商业产品 |
|---|---|---|---|---|
| **LLM 自适应响应** | 通过推理网关使用本地 LLM | 否 | 否 | 否 |
| **MITRE ATT&CK 映射** | 按会话自动映射 | 否 | 手动 | 自动 |
| **欺骗即代码** | 支持 GitOps 的 YAML 清单 | 否 | 否 | 否 |
| **Kubernetes 原生** | CRDs + Operator | 否 | 仅支持 Docker | 视情况而定 |
| **协议覆盖** | SSH + HTTP(计划支持更多) | 单一协议 | 通过套件支持约 20 种 | 广泛 |
| **杀伤链检测** | 实时 | 否 | 否 | 是 |
| **集成 CTI 流水线** | NATS + TimescaleDB | 日志文件 | ELK 技术栈 | 专有 |
| **成本** | 免费 (Apache 2.0) | 免费 | 免费 | $$$$ |
## 架构
```
graph TB
subgraph SRC["SOURCE CONTROL
Decoy-as-Code"] REPO[("Git Repository
Decoy Manifests
Profiles & Templates")] PR["Pull Request
Review & Approve
Deception Changes"] end subgraph CICD["CI/CD PIPELINE"] BUILD["Build
Container Images"] VALIDATE["Validate
Fidelity Tests
nmap · banners · timing"] STAGE["Staging
Deploy to test namespace
Interaction smoke tests"] PROMOTE["Promote
GitOps sync to production"] end subgraph K3S["K3S CLUSTER"] subgraph CTRL["Control Plane"] OP["Decoy Operator
CRD Controller"] GITOPS["ArgoCD / Flux
GitOps Reconciler"] end subgraph DECOYS["Decoy Fleet"] subgraph T1["Tier 1 — Beacon"] T1A["Port Listener
TCP/UDP"] T1B["Banner Service
SSH · HTTP · FTP"] end subgraph T2["Tier 2 — Scripted"] T2A["SSH Honeypot
Scripted Responses"] T2B["HTTP Webapp
Fake Login · API
(Planned)"] T2C["SMB Share
Honeytoken Files
(Planned)"] end subgraph T3["Tier 3 — Adaptive (LLM)"] T3A["SSH Server
Full Shell Emulation"] T3B["MySQL Server
Query Processing
(Planned)"] T3C["Web App
Dynamic Content
Generation (Planned)"] end end subgraph INFERENCE["LLM Inference Service"] GW["Inference Gateway
FastAPI"] PROMPT["Prompt Engine
Profile + State → Prompt"] CACHE["Response Cache
Common Commands"] FILTER["Output Filter
Leak Prevention"] MODEL["LLM Runtime
Local Model · vLLM / Ollama"] end subgraph BUS["Message Bus"] NATS["NATS / Kafka
Interaction Events"] end subgraph TOKENS["Honeytokens (Planned)"] HT1["AWS Creds
Canary Keys"] HT2["Kubeconfig
Fake Cluster"] HT3["DB Dump
Seeded Data"] end end subgraph CTI["CTI PIPELINE"] COLLECT["Collector
Ingest · Normalize
Deduplicate"] ENRICH["Enrichment
GeoIP · Threat Feeds
MITRE ATT&CK Mapping
Tool Identification"] ANALYZE["Session Analyzer
Behavioral Profiling
Intent Classification"] STORE[("TimescaleDB
Interaction Store")] end subgraph OUTPUT["CTI OUTPUT"] STIX["STIX 2.1
Bundles
(Planned)"] TAXII["TAXII Server
Intel Sharing
(Planned)"] SIEM["SIEM Export
Splunk · Elastic
Sentinel"] IOC["IOC Feed
IPs · Hashes
Domains · TTPs"] REPORT["Intel Reports
Human-Readable"] end subgraph DASH["DASHBOARD"] UI["Web UI"] MAP["Deployment
Topology"] REPLAY["Session
Replay"] INTEL["Threat
Intelligence"] end %% ── Source → Pipeline ── REPO --> PR PR --> BUILD BUILD --> VALIDATE VALIDATE --> STAGE STAGE --> PROMOTE %% ── Pipeline → Cluster ── PROMOTE --> GITOPS GITOPS --> OP %% ── Operator → Decoys ── OP --> T1 OP --> T2 OP --> T3 OP --> TOKENS %% ── Tier 3 → Inference ── T3A -. "command + state" .-> GW T3B -. "query + schema (planned)" .-> GW T3C -. "content generation (planned)" .-> GW GW --> PROMPT GW --> CACHE PROMPT --> MODEL MODEL --> FILTER FILTER -. "response" .-> GW %% ── All Decoys → Message Bus ── T1 -- "connection logs" --> NATS T2 -- "interaction logs" --> NATS T3 -- "full session data" --> NATS TOKENS -- "access alerts" --> NATS %% ── Bus → CTI Pipeline ── NATS --> COLLECT COLLECT --> ENRICH ENRICH --> ANALYZE ANALYZE --> STORE %% ── Store → Outputs ── STORE --> STIX STORE --> TAXII STORE --> SIEM STORE --> IOC STORE --> REPORT %% ── Dashboard ── STORE --> UI UI --> MAP UI --> REPLAY UI --> INTEL %% ── Styling ── classDef source fill:#2d3748,stroke:#4a5568,color:#e2e8f0,stroke-width:2px classDef pipeline fill:#1a365d,stroke:#2b6cb0,color:#bee3f8,stroke-width:2px classDef cluster fill:#1c4532,stroke:#276749,color:#c6f6d5,stroke-width:2px classDef tier1 fill:#744210,stroke:#975a16,color:#fefcbf,stroke-width:1px classDef tier2 fill:#7b341e,stroke:#9c4221,color:#feebc8,stroke-width:1px classDef tier3 fill:#553c9a,stroke:#6b46c1,color:#e9d8fd,stroke-width:2px classDef inference fill:#553c9a,stroke:#805ad5,color:#e9d8fd,stroke-width:2px classDef cti fill:#234e52,stroke:#2c7a7b,color:#b2f5ea,stroke-width:2px classDef output fill:#1a365d,stroke:#3182ce,color:#bee3f8,stroke-width:2px classDef dash fill:#322659,stroke:#553c9a,color:#e9d8fd,stroke-width:2px classDef bus fill:#975a16,stroke:#d69e2e,color:#fefcbf,stroke-width:2px class REPO,PR source class BUILD,VALIDATE,STAGE,PROMOTE pipeline class OP,GITOPS cluster class T1A,T1B tier1 class T2A,T2B,T2C tier2 class T3A,T3B,T3C tier3 class GW,PROMPT,CACHE,FILTER,MODEL inference class NATS bus class HT1,HT2,HT3 tier1 class COLLECT,ENRICH,ANALYZE,STORE cti class STIX,TAXII,SIEM,IOC,REPORT output class UI,MAP,REPLAY,INTEL dash ``` | 组件 | 用途 | 语言 | |-----------|---------|----------| | **Operator** | 将 Decoy CRD 协调为运行中的 pod | Python (kopf) | | **SSH 诱饵** | 集成 LLM 的第一至三层 SSH 蜜罐 | Python (asyncssh) | | **HTTP 诱饵** | 包含 7 个登录门户的第一至二层 HTTP 蜜罐 | Python (FastAPI) | | **推理网关** | 为第三层诱饵提供的共享 LLM 服务 | Python (FastAPI) | | **CTI 流水线** | 事件丰富、ATT&CK 映射、行为分析 | Python | | **仪表板** | 实时信息流、会话重放、MITRE 热力图 | React + FastAPI | | **CLI** | 部署、验证、重放、查询情报 | Go (cobra) | | **SIEM 转发器** | 导出到 Splunk、Elastic、syslog、webhook | Go | | **NATS JetStream** | 所有组件之间的事件路由 | — | | **TimescaleDB** | 时间序列事件存储 | — | ## 快速开始 ``` # 本地开发 — 无需 API keys docker compose up -d # Dashboard 位于 http://localhost:8080 | SSH decoy 位于端口 2222 # 或者在 Kubernetes 上 VERSION=$(curl -s https://api.github.com/repos/csquare-d/CICDecoy/releases/latest | grep tag_name | cut -d '"' -f 4) curl -LO "https://github.com/csquare-d/CICDecoy/releases/download/${VERSION}/cicdecoy-${VERSION}.tgz" helm install cicdecoy ./cicdecoy-${VERSION}.tgz \ --namespace cicdecoy-system --create-namespace --wait ``` 部署一个诱饵,观察其运行情况: ``` cicdecoy deploy decoys/examples/ssh-honeypot.yaml --wait cicdecoy sessions watch --annotated cicdecoy intel mitre --since 7d ``` 请查看 [入门指南](docs/getting-started.md) 获取完整的操作步骤。 ## CLI 功能亮点 ``` cicdecoy deploy # Deploy decoys from YAML
cicdecoy sessions watch # Real-time activity stream
cicdecoy sessions replay # Terminal replay with ATT&CK annotations
cicdecoy intel mitre # Technique frequency heatmap
cicdecoy intel export --format stix # Bulk STIX/CSV/JSON export
cicdecoy fleet scale --n 10 # Scale a decoy fleet
```
完整的命令参考请见 [docs/runbooks.md](docs/runbooks.md)。
## 路线图
| 版本 | 主题 | 亮点 |
|---------|-------|------------|
| **v0.2.0** | 运维就绪 | 威胁情报源(GreyNoise、abuse.ch)、蜜标触发器、SIEM 成熟度 |
| **v0.3.0** | 协议扩展 | MySQL/PostgreSQL 诱饵、K8s API 诱饵、HTTP 第三层诱饵、Hydra 自适应编排 |
| **v0.4.0** | 情报成熟度 | STIX/TAXII、攻击者指纹识别、攻击图可视化 |
| **v0.5.0** | 企业运营 | 集群自动轮换、Terraform 模块、多租户、TUI CLI |
| **v1.0.0** | 生产正式发布 | CRD v1、SOAR 连接器、CTF 模式、RDP/FTP/DNS 诱饵 |
完整路线图:[docs/ROADMAP.md](docs/ROADMAP.md)
## 文档
| 文档 | 描述 |
|----------|-------------|
| [架构概述](docs/architecture.md) | 组件映射图、数据流、安全模型 |
| [CRD 参考](docs/crd-reference.md) | 所有 5 个自定义资源(Decoy、DecoyTemplate、DecoyProfile、HoneyToken、DecoyFleet)的 Schema |
| [API 参考](docs/api-reference.md) | 仪表板 REST API —— 15 个 endpoint、SSE 流式传输、身份验证 |
| [数据库 Schema](docs/database-schema.md) | TimescaleDB 表、索引、保留策略、查询模式 |
| [运维手册](docs/runbooks.md) | 部署、监控、故障排除、导出情报、SIEM 设置 |
| [欺骗即代码规范](docs/specifications/deception-as-code-spec.md) | DaC 理念和五大原则 |
| [消息总线规范](docs/specifications/message-bus-spec.md) | NATS 主题层级、stream 配置、传递保证 |
| [诱饵清单 Schema](docs/specifications/decoy-manifest-schema.md) | 诱饵清单和配置文件的编写指南 |
| [适配器契约](docs/specifications/adapter-contract.md) | 如何集成第三方蜜罐 |
| [SIEM 转发规范](docs/specifications/siem-forwarding-spec.md) | CEF、LEEF、ECS 输出的格式规范 |
| [入门指南](docs/getting-started.md) | 首次部署操作步骤 |
| [生产环境部署](docs/production-deployment.md) | 安全加固、扩展、备份、监控 |
| [Falco 设置](docs/falco-setup.md) | 容器逃逸检测集成 |
| [Profile 编写](docs/guides/profile-authoring.md) | 为第三层诱饵创建 OS 个性化 Profile |
| [路线图](docs/ROADMAP.md) | 包含完成状态的版本化功能路线图 |
| [贡献指南](CONTRIBUTING.md) | 开发环境设置、测试、贡献准则 |
## 许可证
Apache License 2.0。详见 [LICENSE](LICENSE)。
Decoy-as-Code"] REPO[("Git Repository
Decoy Manifests
Profiles & Templates")] PR["Pull Request
Review & Approve
Deception Changes"] end subgraph CICD["CI/CD PIPELINE"] BUILD["Build
Container Images"] VALIDATE["Validate
Fidelity Tests
nmap · banners · timing"] STAGE["Staging
Deploy to test namespace
Interaction smoke tests"] PROMOTE["Promote
GitOps sync to production"] end subgraph K3S["K3S CLUSTER"] subgraph CTRL["Control Plane"] OP["Decoy Operator
CRD Controller"] GITOPS["ArgoCD / Flux
GitOps Reconciler"] end subgraph DECOYS["Decoy Fleet"] subgraph T1["Tier 1 — Beacon"] T1A["Port Listener
TCP/UDP"] T1B["Banner Service
SSH · HTTP · FTP"] end subgraph T2["Tier 2 — Scripted"] T2A["SSH Honeypot
Scripted Responses"] T2B["HTTP Webapp
Fake Login · API
(Planned)"] T2C["SMB Share
Honeytoken Files
(Planned)"] end subgraph T3["Tier 3 — Adaptive (LLM)"] T3A["SSH Server
Full Shell Emulation"] T3B["MySQL Server
Query Processing
(Planned)"] T3C["Web App
Dynamic Content
Generation (Planned)"] end end subgraph INFERENCE["LLM Inference Service"] GW["Inference Gateway
FastAPI"] PROMPT["Prompt Engine
Profile + State → Prompt"] CACHE["Response Cache
Common Commands"] FILTER["Output Filter
Leak Prevention"] MODEL["LLM Runtime
Local Model · vLLM / Ollama"] end subgraph BUS["Message Bus"] NATS["NATS / Kafka
Interaction Events"] end subgraph TOKENS["Honeytokens (Planned)"] HT1["AWS Creds
Canary Keys"] HT2["Kubeconfig
Fake Cluster"] HT3["DB Dump
Seeded Data"] end end subgraph CTI["CTI PIPELINE"] COLLECT["Collector
Ingest · Normalize
Deduplicate"] ENRICH["Enrichment
GeoIP · Threat Feeds
MITRE ATT&CK Mapping
Tool Identification"] ANALYZE["Session Analyzer
Behavioral Profiling
Intent Classification"] STORE[("TimescaleDB
Interaction Store")] end subgraph OUTPUT["CTI OUTPUT"] STIX["STIX 2.1
Bundles
(Planned)"] TAXII["TAXII Server
Intel Sharing
(Planned)"] SIEM["SIEM Export
Splunk · Elastic
Sentinel"] IOC["IOC Feed
IPs · Hashes
Domains · TTPs"] REPORT["Intel Reports
Human-Readable"] end subgraph DASH["DASHBOARD"] UI["Web UI"] MAP["Deployment
Topology"] REPLAY["Session
Replay"] INTEL["Threat
Intelligence"] end %% ── Source → Pipeline ── REPO --> PR PR --> BUILD BUILD --> VALIDATE VALIDATE --> STAGE STAGE --> PROMOTE %% ── Pipeline → Cluster ── PROMOTE --> GITOPS GITOPS --> OP %% ── Operator → Decoys ── OP --> T1 OP --> T2 OP --> T3 OP --> TOKENS %% ── Tier 3 → Inference ── T3A -. "command + state" .-> GW T3B -. "query + schema (planned)" .-> GW T3C -. "content generation (planned)" .-> GW GW --> PROMPT GW --> CACHE PROMPT --> MODEL MODEL --> FILTER FILTER -. "response" .-> GW %% ── All Decoys → Message Bus ── T1 -- "connection logs" --> NATS T2 -- "interaction logs" --> NATS T3 -- "full session data" --> NATS TOKENS -- "access alerts" --> NATS %% ── Bus → CTI Pipeline ── NATS --> COLLECT COLLECT --> ENRICH ENRICH --> ANALYZE ANALYZE --> STORE %% ── Store → Outputs ── STORE --> STIX STORE --> TAXII STORE --> SIEM STORE --> IOC STORE --> REPORT %% ── Dashboard ── STORE --> UI UI --> MAP UI --> REPLAY UI --> INTEL %% ── Styling ── classDef source fill:#2d3748,stroke:#4a5568,color:#e2e8f0,stroke-width:2px classDef pipeline fill:#1a365d,stroke:#2b6cb0,color:#bee3f8,stroke-width:2px classDef cluster fill:#1c4532,stroke:#276749,color:#c6f6d5,stroke-width:2px classDef tier1 fill:#744210,stroke:#975a16,color:#fefcbf,stroke-width:1px classDef tier2 fill:#7b341e,stroke:#9c4221,color:#feebc8,stroke-width:1px classDef tier3 fill:#553c9a,stroke:#6b46c1,color:#e9d8fd,stroke-width:2px classDef inference fill:#553c9a,stroke:#805ad5,color:#e9d8fd,stroke-width:2px classDef cti fill:#234e52,stroke:#2c7a7b,color:#b2f5ea,stroke-width:2px classDef output fill:#1a365d,stroke:#3182ce,color:#bee3f8,stroke-width:2px classDef dash fill:#322659,stroke:#553c9a,color:#e9d8fd,stroke-width:2px classDef bus fill:#975a16,stroke:#d69e2e,color:#fefcbf,stroke-width:2px class REPO,PR source class BUILD,VALIDATE,STAGE,PROMOTE pipeline class OP,GITOPS cluster class T1A,T1B tier1 class T2A,T2B,T2C tier2 class T3A,T3B,T3C tier3 class GW,PROMPT,CACHE,FILTER,MODEL inference class NATS bus class HT1,HT2,HT3 tier1 class COLLECT,ENRICH,ANALYZE,STORE cti class STIX,TAXII,SIEM,IOC,REPORT output class UI,MAP,REPLAY,INTEL dash ``` | 组件 | 用途 | 语言 | |-----------|---------|----------| | **Operator** | 将 Decoy CRD 协调为运行中的 pod | Python (kopf) | | **SSH 诱饵** | 集成 LLM 的第一至三层 SSH 蜜罐 | Python (asyncssh) | | **HTTP 诱饵** | 包含 7 个登录门户的第一至二层 HTTP 蜜罐 | Python (FastAPI) | | **推理网关** | 为第三层诱饵提供的共享 LLM 服务 | Python (FastAPI) | | **CTI 流水线** | 事件丰富、ATT&CK 映射、行为分析 | Python | | **仪表板** | 实时信息流、会话重放、MITRE 热力图 | React + FastAPI | | **CLI** | 部署、验证、重放、查询情报 | Go (cobra) | | **SIEM 转发器** | 导出到 Splunk、Elastic、syslog、webhook | Go | | **NATS JetStream** | 所有组件之间的事件路由 | — | | **TimescaleDB** | 时间序列事件存储 | — | ## 快速开始 ``` # 本地开发 — 无需 API keys docker compose up -d # Dashboard 位于 http://localhost:8080 | SSH decoy 位于端口 2222 # 或者在 Kubernetes 上 VERSION=$(curl -s https://api.github.com/repos/csquare-d/CICDecoy/releases/latest | grep tag_name | cut -d '"' -f 4) curl -LO "https://github.com/csquare-d/CICDecoy/releases/download/${VERSION}/cicdecoy-${VERSION}.tgz" helm install cicdecoy ./cicdecoy-${VERSION}.tgz \ --namespace cicdecoy-system --create-namespace --wait ``` 部署一个诱饵,观察其运行情况: ``` cicdecoy deploy decoys/examples/ssh-honeypot.yaml --wait cicdecoy sessions watch --annotated cicdecoy intel mitre --since 7d ``` 请查看 [入门指南](docs/getting-started.md) 获取完整的操作步骤。 ## CLI 功能亮点 ``` cicdecoy deploy
标签:BOF, DLL 劫持, GitOps, 大语言模型, 威胁情报, 子域名突变, 开发者工具, 日志审计, 构建工具, 欺骗防御, 网络安全, 蜜罐, 证书利用, 请求拦截, 逆向工具, 隐私保护