honeypot (honey pot)

Contributor(s): Michael Cobb
This definition is part of our Essential Guide: Antimalware tools and techniques security pros need right now

A honeypot is a computer system that is set up to act as a decoy to lure cyberattackers, and to detect, deflect or study attempts to gain unauthorized access to information systems. Generally, it consists of a computer, applications and data that simulate the behavior of a real system that appears to be part of a network but is actually isolated and closely monitored. All communications with a honeypot are considered hostile, as there is no reason for legitimate users to access a honeypot. Viewing and logging this activity can provide insight into the level and types of threat a network infrastructure faces while diverting attackers from assets of real value.

Based on their design and deployment, honeypots are classified as either production or research honeypots. Research honeypots are run to enable close analysis of hacker activity and how attacks develop and progress in order to learn how to better protect systems against them. Data placed in a honeypot with unique identifying properties can also help analysts track stolen data and identify connections between different participants in an attack.

Production honeypots are placed inside a production network alongside other production servers, acting as a decoy as part of a network intrusion detection system (IDS). They are designed to appear real and to contain information or a resource of value with which to attract and occupy hackers. This ties up the attacker's time and resources, hopefully giving administrators time to assess and mitigate any vulnerabilities in their actual production systems. The information gathered from the honeypot can also be useful in catching and prosecuting those behind an attack. Researchers suspect that some cybercriminals also use honeypots to gather intelligence about researchers, to act as decoys and to spread misinformation.

High-interaction honeypots imitate the activities of a production system and capture extensive information -- pure honeypots are full-fledged production systems observed through a tap on the honeypot's link to the network. The goal of a high-interaction honeypot is to let the attacker gain root access on the machine and then study what he or she does. An attacker with root access has access to all commands and files on a system, so this type of honeypot carries the greatest risk but also has the greatest potential for collecting information. Low-interaction honeypots simulate only the services frequently targeted by attackers and so are less risky and less complex to maintain. Virtual machines are often used to host honeypots so the honeypot can be restored more quickly if it is compromised. Two or more honeypots on a network form a honeynet, while a honeyfarm is a centralized collection of honeypots and analysis tools.
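As an added illustration of the low-interaction model described above (example code written for this page, not from the original definition or any honeypot product), here is a minimal decoy service in Python: it presents a constructed SSH-like banner on a decoy port, treats every connection as hostile, records only a short preview of what the peer sent, and never acts on that input. The listen address, port, banner text and the 203.0.113.x sample addresses are assumptions.

```python
import json
import socket
from collections import Counter
from datetime import datetime, timezone

# Constructed banner for the decoy; a real deployment would mimic the targeted service more closely.
DECOY_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

def make_alert(src_ip, src_port, decoy_port, first_bytes):
    """Every contact with the decoy is hostile by definition, so each one becomes an alert record."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "decoy_port": decoy_port,
        "severity": "high",
        # Keep a short printable preview only; untrusted raw bytes never reach the log line as-is.
        "payload_preview": first_bytes[:64].decode("ascii", "replace").rstrip(),
    }

def handle_client(conn, addr, decoy_port, sink):
    """Send the banner, capture the first bytes the peer sends, log them, and drop the connection."""
    try:
        conn.settimeout(5)
        conn.sendall(DECOY_BANNER)
        try:
            data = conn.recv(1024)  # Low interaction: the input is recorded, never interpreted.
        except socket.timeout:
            data = b""
        sink(make_alert(addr[0], addr[1], decoy_port, data))
    finally:
        conn.close()

def summarize(alerts):
    """Contacts per source address: the first view an analyst wants from honeypot logs."""
    return Counter(a["src_ip"] for a in alerts)

def serve(host="127.0.0.1", port=2222, max_conns=None):
    """Listen on the decoy port and collect alerts (stops after max_conns connections if given)."""
    alerts = []
    def sink(alert):
        alerts.append(alert)
        print(json.dumps(alert))  # One JSON line per contact, ready for a SIEM or log shipper.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while max_conns is None or len(alerts) < max_conns:
        conn, addr = srv.accept()
        handle_client(conn, addr, port, sink)
    srv.close()
    return alerts

if __name__ == "__main__":
    serve()
```

Running it and connecting with any client to the decoy port produces one high-severity JSON alert per connection; because nothing the peer sends is executed or echoed, the decoy cannot be used as a launch pad the way a misconfigured full system could.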

Honeypots do help in understanding the threats network systems face, but production honeypots should not be seen as a replacement for a standard IDS. If not configured correctly they can be used to access the real production system or be used as a launch pad for attacks against other systems.

This was last updated in June 2018

1 comment

As honeypots focus on intelligence gathering, are they a worthwhile expense for an enterprise or are threat intelligence feeds a better value source of information?
