A honeypot is, essentially, a trap for hackers. By baiting the hacker away from real systems (and wasting their time with dummy files and mimics), the honeypot can glean important information about their origin and methods, as well as their reason for intruding. Often, a honeypot is a decoy computer system that's been seasoned with a few tempting vulnerabilities.
You might be familiar with the more defensive tactics employed by companies to keep their networks safe, like encryption and customer authentication, but a honeypot is different in that it actively invites cybercriminals to check it out. Of course, they do so at their own peril! In this guide, we'll take a look at some of the advantages of setting up a honeypot, as well as common honeypot variations.
How does a honeypot work?
A honeypot is a computer system that's been set up to entice hackers. This system might not look all that unusual to the undiscerning eye - it'll have applications and data, but it's all bait, and it's all being watched very closely. Because there's no reason for a regular user to access a honeypot, any traffic that does interact with the pot is immediately flagged.
You'll be able to infer a lot about the hacker in question once they've made contact and consequently repel their attack.
The honeypot system itself should seem as authentic as possible. It'll need to have sniffing and logging abilities, run all expected processes and applications, and contain a selection of files as bait. To make a honeypot that much more interesting to a would-be hacker, it's also a good idea to bake vulnerabilities into the system - like an outdated operating system, for example.
Why is it called a "honeypot"?
If you hear the word "honeypot" and think of Winnie the Pooh - you're not alone! Winnie would go to any lengths to steal his jar of honey, and "honeypot" subsequently became a slang term for something desirable. And it has since been used to describe someone desirable, too. Spies would sometimes cosy up to a target and strike up a romantic relationship, leveraging that affection to exert their influence, force the mark to hand over evidence, or simply encourage them to spill their secrets.
Why use a honeypot?
More often than not, honeypots are used by large companies, database administrators, and researchers. There's a lot to be gleaned from watching a hacker interact with a honeypot - and you don't have to put the rest of your network in danger to do so. A honeypot can reveal a hacker's modus operandi, their target within the system, and where they came from in the first place. Furthermore, a honeypot can highlight security flaws in an existing network.
And, as we mentioned before, a honeypot makes it that much easier to spot hacking attempts because they simply don't receive regular traffic. It can sometimes be difficult to determine if an attack is in progress when sifting through high volumes of traffic on a legitimate network. With a honeypot, that interference is eliminated, allowing the administrator to determine a threat level as well as any IP patterns.
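Because nothing legitimate should ever touch a honeypot, every logged interaction is a signal. The following added example (not code from the original article) runs over a few constructed log lines in an assumed `src=… dport=… proto=… event=…` format and derives a per-source threat level plus the IP patterns the text mentions, here a port scan and a login brute force; the thresholds are arbitrary assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines from a low-interaction honeypot (assumed format, not from the article).
SAMPLE_LOG = """\
2024-01-05T10:00:01 src=203.0.113.7 dport=22 proto=tcp event=connect
2024-01-05T10:00:02 src=203.0.113.7 dport=22 proto=tcp event=login_fail
2024-01-05T10:00:03 src=203.0.113.7 dport=22 proto=tcp event=login_fail
2024-01-05T10:00:04 src=203.0.113.7 dport=22 proto=tcp event=login_fail
2024-01-05T10:01:00 src=198.51.100.9 dport=21 proto=tcp event=connect
2024-01-05T10:01:01 src=198.51.100.9 dport=22 proto=tcp event=connect
2024-01-05T10:01:02 src=198.51.100.9 dport=23 proto=tcp event=connect
2024-01-05T10:01:03 src=198.51.100.9 dport=80 proto=tcp event=connect
2024-01-05T10:01:04 src=198.51.100.9 dport=3306 proto=tcp event=connect
2024-01-05T10:05:00 src=192.0.2.44 dport=80 proto=tcp event=connect
"""

LINE_RE = re.compile(r"src=(\S+) dport=(\d+) proto=(\S+) event=(\S+)")

def parse_log(text):
    # Every line is of interest: a honeypot has no legitimate users, so there is no noise to filter.
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"src": m.group(1), "dport": int(m.group(2)), "event": m.group(4)})
    return events

def summarise(events):
    # Group by source IP: ports touched, failed logins, and a coarse threat level (assumed thresholds).
    per_ip = defaultdict(lambda: {"ports": set(), "login_fail": 0, "hits": 0})
    for e in events:
        s = per_ip[e["src"]]
        s["hits"] += 1
        s["ports"].add(e["dport"])
        if e["event"] == "login_fail":
            s["login_fail"] += 1
    report = {}
    for ip, s in per_ip.items():
        patterns = []
        if len(s["ports"]) >= 5:          # many distinct ports from one source: port scan
            patterns.append("port_scan")
        if s["login_fail"] >= 3:          # repeated failed logins: brute force
            patterns.append("brute_force")
        level = "high" if patterns else ("medium" if s["hits"] > 1 else "low")
        report[ip] = {"level": level, "patterns": patterns, "ports": sorted(s["ports"])}
    return report
```

`summarise(parse_log(SAMPLE_LOG))` returns one entry per source IP; in a real deployment the same summary would feed an alert or a deny list.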
Honeypots also make fantastic virtual training grounds for security staff. The real corporate network is in no danger because the honeypot is isolated, and it allows for close inspection and dissemination of a hacker's process.
Of course, there are all kinds of different honeypots, and they vary depending on how involved they are, their objectives, and what the "bait" is. Let's take a look at research and production honeypots first.
Research honeypots are more interested in the outside world than your network, and are predominantly used to gather information about hacker methods, motives and trends, as well as malware strains. Armed with this data, you can stay one step ahead of would-be attackers; you can improve existing security features and develop new patches. Because they're rather difficult to operate, you'll usually find research honeypots being used by government, military, and research groups.
Production honeypots do look inward to your internal network. These are the honeypots that corporations make use of to spot malicious intrusions and to subsequently bait the hacker away whilst learning what they can about them. They're relatively easy to set up and use, though they don't gather as much information as their researching cousins! However, production honeypots can still monitor and collect cybersecurity data from within the corporate network, and bolster security when positioned inside the network alongside production servers.
Next, we'll take a look at high-interaction and low-interaction honeypots!
Low-interaction honeypots take it easy. They're not as resource intensive and collect a basic amount of information about incoming threats - like where they're coming from and how serious they are. These honeypots can be set up quickly with a bit of know-how, some TCP/IP protocols, and a few network services, and one physical system can host numerous virtual machines. There's not an overabundance of complicated code that goes into low-interaction honeypots, but this also means that they don't keep hackers occupied for long - and they don't gather as much useful information about their methods, either.
High-interaction honeypots, however, are the go-getters! These honeypots want the hacker to waste their time so that they can monitor them closely, gaining insight into their methods, motives, and any exploits being used. An organization using a high-interaction honeypot will come away with a detailed report of hacker trends, which is incredibly useful when it comes to proactively protecting their real network. As you might expect, high-interaction honeypots use more resources and require more time to set up, and need maintaining fairly often.
Honeypots come in all virtual shapes and sizes, too, depending on the threat they're designed to address. Below are some of the more common variations.
The cleverest email honeypots are placed in hidden locations. That way, no legitimate senders can reach the address or send it mail - just automated harvesters. So, any mail that lands in the inbox can be automatically labeled as spam. Then, all it takes is to block the messages and add the senders' IPs to a deny list.
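The loop described above, as an added example that is not part of the original article: a trap address that was never published, a classifier that treats any mail to it as spam, and a deny list that is then applied to later connections from the same client, even ones aimed at real mailboxes. The trap address, mail records and client IPs are constructed.

```python
import ipaddress

# Hypothetical trap address: never published anywhere, so only harvesters can find it.
TRAP_ADDRESSES = {"archive-2017@example.com"}

# Constructed inbound-mail records (envelope recipient + connecting client IP), in arrival order.
SAMPLE_MAIL = [
    {"rcpt": "sales@example.com",        "client_ip": "192.0.2.10"},
    {"rcpt": "archive-2017@example.com", "client_ip": "203.0.113.55"},
    {"rcpt": "support@example.com",      "client_ip": "203.0.113.55"},
    {"rcpt": "Archive-2017@example.com", "client_ip": "198.51.100.3"},
]

class SpamTrap:
    """Record every client that reaches a trap address and keep a deny list of their IPs."""
    def __init__(self, trap_addresses):
        self.traps = {a.lower() for a in trap_addresses}   # addresses are case-insensitive
        self.denied = set()

    def observe(self, record):
        """Return True if the message hit a trap address (and therefore is spam)."""
        if record["rcpt"].lower() in self.traps:
            self.denied.add(ipaddress.ip_address(record["client_ip"]))
            return True
        return False

    def should_block(self, client_ip):
        """Check a later connection, to any address, against the deny list."""
        return ipaddress.ip_address(client_ip) in self.denied

def run(records, trap_addresses):
    """Classify records in order; a deny-listed IP is blocked even when it targets a real mailbox."""
    trap = SpamTrap(trap_addresses)
    verdicts = []
    for r in records:
        if trap.should_block(r["client_ip"]):
            verdicts.append("blocked")
        elif trap.observe(r):
            verdicts.append("spam")
        else:
            verdicts.append("accepted")
    return verdicts, sorted(str(ip) for ip in trap.denied)
```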
Basic firewalls can sometimes have trouble detecting SQL injections - and attackers don't shy away from this tactic. So, to prevent it, corporations may decide to use database firewalls, and some of these firewalls support honeypots. Any intruders will then come face to face with a false database, whilst the actual network remains secure.
Malware honeypots sniff out malware by making use of known attack vectors. Then, USB drives and other replication vectors can be inspected for modifications, either manually or with honeypots that emulate drives.