A honeypot is a network-attached system set up as a decoy to lure cyberattackers and to detect, deflect or study hacking attempts in order to gain unauthorized access to information systems. The function of a honeypot is to represent itself on the internet as a potential target for attackers -- usually a server or other high-value target -- and to gather information and notify defenders of any attempts to access the honeypot by unauthorized users.
Honeypot systems often use hardened operating systems and are usually configured so that they appear to offer attackers exploitable vulnerabilities. For example, a honeypot system might appear to respond to Server Message Block (SMB) protocol requests used by the WannaCry ransomware attack, and may represent itself as an enterprise database server storing consumer information.
Honeypots are most often used by large enterprises and by companies involved in cybersecurity research, to identify and defend attacks from advanced persistent threat actors. Honeypots can be an important tool for large organizations to take an active defense stance against attackers, or for cybersecurity researchers who want to learn more about the tools and techniques that attackers use.
The cost of maintaining a honeypot can be high, in part because of the specialized skills required to implement and administer a system that appears to expose the organization's network resources while still preventing attackers from gaining access to any production systems.
How a honeypot works
Generally, a honeypot operation consists of a computer, applications and data that simulate the behavior of a real system and appears as part of a network; however, the honeypot is actually isolated and closely monitored. Because there is no reason for legitimate users to access a honeypot, any attempts to communicate with a honeypot should be considered hostile.
Viewing and logging this activity can help improve security by providing insight into the level and types of threat a network infrastructure faces while distracting attackers away from assets of real value. Researchers suspect that some cybercriminals use honeypots themselves to gather intelligence about researchers, act as decoys and to spread misinformation.
Virtual machines are often used to host honeypots, so if it is compromised by malware, for example, the honeypot can be quickly restored. Two or more honeypots on a network form a honeynet, while a honeyfarm is a centralized collection of honeypots and analysis tools.
Types of honeypots
Based on design and deployment, there are two main types of honeypots: production or research. Research honeypots perform close analysis of hacker activity and aim to discover how hackers develop and progress in order to learn how to better protect systems against them. Data placed in a honeypot with unique identifying properties can also help analysts track stolen data and identify connections between different participants in an attack.
Production honeypots are usually deployed inside production networks alongside production servers; the honeypot plays the role of a decoy as part of the production network intrusion detection system (IDS). A production honeypot is designed to appear real and contains information to attract and occupy hackers to tie up their time and resources, ultimately giving administrators time to assess and mitigate any vulnerabilities in their actual production systems.
Honeypots can be classified as pure, high-interaction or low-interaction. A pure honeypot is a full-fledged production system that uses a tap on the honeypot's link to the network. A high-interaction honeypot imitates the activities of the production systems that host a variety of services and captures extensive information. A low-interaction honeypot simulates only the services that attackers frequently request; therefore, they are less risky and easier to maintain. The goal of a high-interaction honeypot is to entice an attacker to gain root access on the server and then monitor their activity.
Advantages and disadvantages of a honeypot
Although they require significant resources, honeypots provide significant advantages as well. Some of the benefits of using a honeypot include:
- Collect real data: Honeypots collect data from actual attacks and other unauthorized activities, providing analysts with a rich source of useful information.
- Reduce false positives: Ordinary cybersecurity detection technologies generate alerts that can include a significant volume of false positives, but honeypots reduce this volume because there is no reason for legitimate users to access them.
- Cost-effective: Honeypots can be good investments because they do not require high-performance resources to process large volumes of network traffic looking for attacks, because they only interact with malicious activities.
- Encryption: Honeypots capture malicious activity, even if an attacker is using encryption.
However, honeypots do hold several disadvantages. The most pressing issues include:
- Data: Honeypots only collect information when an attack occurs. Zero attempts to access the honeypot means there is no data to analyze.
- Honeypot network: Malicious traffic that has been captured is only collected when an attack targets the honeypot network; if attackers suspect a network is a honeypot, they will avoid it.
- Distinguishable: Honeypots are often distinguishable from legitimate production systems, which means experienced hackers can often differentiate a production system from a honeypot system using system fingerprinting techniques.
Overall, honeypots help researchers understand threats in network systems, but production honeypots should not be seen as a replacement for a standard IDS. If a honeypot is not configured correctly, it can be used to gain access to real production systems or be used as a launch pad for attacks against other target systems.
Continue Reading About honeypot (computing)
- Discover how honeypots helped researchers at Cybereason learn about Industrial Control System attackers