honeypot (honey pot)

A honeypot is a computer system that is set up to act as a decoy to lure cyberattackers, and to detect, deflect or study attempts to gain unauthorized access to information systems. Generally, it consists of a computer, applications, and data that simulate the behavior of a real system that appears to be part of a network but is actually isolated and closely monitored. All communications with a honeypot are considered hostile, as there's no reason for legitimate users to access a honeypot. Viewing and logging this activity can provide an insight into the level and types of threat a network infrastructure faces while distracting attackers away from assets of real value.

Download this free guide

Download Your Guide to the ISACA CISM Certification

Take a closer look at the ISACA Certified Information Security Manager certification, including the value it provides security professionals, how it compares to other security professionals, and what the CSX program offers

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Based on their design and deployment, honeypots are classified as either production or research honeypots. Research honeypots are run to enable close analysis of hacker activity and how attacks develop and progress in order to learn how to better protect systems against them. Data placed in a honeypot with unique identifying properties can also help analysts track stolen data and identify connections between different participants in an attack.

Production honeypots are placed inside a production network with other production servers in the role of a decoy as part of a network intrusion detection system (IDS). They are designed to appear real and contain information or a resource of value with which to attract and occupy hackers. This ties up the attacker's time and resources, hopefully giving administrators time to assess and mitigate any vulnerabilities in their actual production systems. The information gathered from the honeypot can also be useful in catching and prosecuting those behind an attack. Researchers suspect that some cybercriminals also use honeypots to gather intelligence about researchers, act as decoys and to spread misinformation.

High-interaction honeypots imitate the activities of a production system and capture extensive information -- pure honeypots are full-fledged production systems using a tap on the honeypot's link to the network. The goal of high-interaction honeypots is for the attacker to gain root access on the machine, and then study what he or she does. An attacker with root access has access to all commands and files on a system, so this type of honeypot carries the greatest risk but also has the greatest potential for collecting information. Low-interaction honeypots simulate only the services frequently targeted by attackers and so are less risky and less complex to maintain. Virtual machines are often used to host honeypots so the honeypot can be restored more quickly if it is compromised. Two or more honeypots on a network form a honeynet, while a honeyfarm is a centralized collection of honeypots and analysis tools.

Honeypots do help in understanding the threats network systems face, but production honeypots should not be seen as a replacement for a standard IDS. If not configured correctly they can be used to access the real production system or be used as a launch pad for attacks against other systems.