A honeypot is a trap that an IT security professional lays for a malicious hacker. It is a decoy computer system for trapping hackers or tracking unconventional or new hacking methods: a sacrificial system that is intended to attract cyberattacks. The goal is to deceive and attract a hacker who attempts to gain unauthorized access to a network. In other words, a honeypot is an information tool that can help you understand existing threats to your business and spot the emergence of new threats.
For a honeypot to work, the system should appear to be legitimate. It should run processes a production system is expected to run, and contain seemingly important dummy files.
In terms of objectives, there are two types of honeypots:
- Research: These honeypots gather information about attacks. They gather information about attacker trends, malware strains, and vulnerabilities that are actively being targeted by adversaries.
- Production: These honeypots are focused on identifying active compromise on your internal network and tricking the attacker. Production honeypots sit with the rest of your production servers and run services that would typically run in your environment.
The honeypot looks like a real computer system, with applications and data, fooling cybercriminals into thinking it’s a legitimate target. Honeypots are made attractive to attackers by building in deliberate security vulnerabilities. For example, a honeypot might have ports that respond to a port scan or weak passwords. Once the hackers are in, they can be tracked, and their behavior assessed for clues on how to make the real network more secure. (Source: kaspersky.com)
Different Types of Honeypot Technologies
- Email trap (spam trap): These honeypots place a fake email address in a hidden location where only an automated address harvester will be able to find it. Since the address isn’t used for any purpose other than the spam trap, it’s 100% certain that any mail coming to it is spam. This type of honeypot can detect and recognize the harvester’s probing and successfully block the massive volume of spam that follows.
- Decoy database: Activities such as SQL injections can often go undetected by firewalls. This honeypot can be set up to monitor software vulnerabilities and spot attacks exploiting insecure system architecture or using SQL injection, SQL services exploitation, or privilege abuse.
- Malware: This honeypot mimics software apps and APIs to invite malware. For example, if a machine is infected by malware that spreads via USB, the honeypot will trick the malware into infecting the emulated device.
- Spider: It is intended to trap webcrawlers (‘spiders’) by creating web pages and links only accessible to crawlers. Detecting crawlers can help you learn how to block malicious bots, as well as ad-network crawlers.
- Client: These honeypots actively seek out malicious servers that attack clients, monitoring for suspicious and unexpected modifications to the honeypot.
- Honeynets: A honeynet is a network that can consist of multiple honeypots. In other words, a honeypot is an individual machine (or VM), whereas a honeynet is a series of networked honeypots.
Source: kaspersky.com and rapid7.com
Types of Honeypot Based on Complexity
- Pure: It is a physical server configured in such a way as to lure in attackers. It contains “confidential” data and user information, and is full of sensors. Special monitoring software keeps an eye on the connection between the honeypot and the rest of the network. Because these are full-fledged machines, they make for a more realistic-looking target to attackers.
- High-interaction: This is similar to a pure honeypot in that it runs a lot of services. This honeypot uses virtual machines to keep potentially compromised systems isolated. Multiple virtual honeypots can be run on a single physical device. This makes it easier to scale up to multiple honeypots and to sandbox compromised systems and then shut them down and restart them, restored to a pristine state. This type of honeypot allows the deploying organization to see attacker behaviors and techniques. High-interaction honeypots are resource-intensive and come with maintenance challenges.
- Mid-interaction: These honeypots work to stall or confuse attackers so that organizations have more time to figure out how to properly react to an attack.
- Low-interaction: This type of honeypot is the most commonly deployed in a production environment. Typically, this honeypot is a VM that only runs a limited set of services, representing the most common attack vectors or the attack vectors that the team building the honeypot is most interested in.
Source: kaspersky.com and rapid7.com
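A low-interaction honeypot of the kind described above can be very small: it only has to present a believable banner on a few ports, record whoever connects, and never execute anything. The sketch below is an added example, not code from Kaspersky or Rapid7; the port numbers, banner strings and alert fields are all constructed for illustration.

```python
import json
import socket
import threading
from datetime import datetime, timezone
# Constructed fake services: port numbers and banner strings are invented for this example.
FAKE_SERVICES = {
    2222: ("ssh", b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    2121: ("ftp", b"220 files01 FTP server ready\r\n"),
}

def build_event(dst_port: int, peer: tuple, payload: bytes) -> dict:
    """Turn one connection into an alert record; nothing legitimate talks to a honeypot."""
    service = FAKE_SERVICES.get(dst_port, ("unknown", b""))[0]
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0], "src_port": peer[1], "dst_port": dst_port,
        "service": service, "severity": "medium", "credential_attempt": False,
        "payload": payload[:64].hex(),  # first bytes kept as hex for later forensics
    }
    for line in payload.decode("ascii", errors="replace").splitlines():
        verb, _, arg = line.strip().partition(" ")
        if service == "ftp" and verb.upper() in ("USER", "PASS"):  # plain-text login = password guessing
            event["credential_attempt"], event["severity"] = True, "high"
            event.setdefault("ftp_" + verb.lower(), arg)  # keep the first value tried
    return event

def handle_client(conn: socket.socket, peer: tuple, dst_port: int, sink) -> None:
    """Send the fake banner, read whatever arrives within 3 s, hand the event to sink(), hang up."""
    with conn:
        conn.settimeout(3.0)
        conn.sendall(FAKE_SERVICES[dst_port][1])
        try:
            payload = conn.recv(1024)
        except socket.timeout:
            payload = b""  # connect-only probe, e.g. a port scan
        sink(build_event(dst_port, peer, payload))

def serve(dst_port: int, sink, host: str = "127.0.0.1") -> None:
    """Accept loop for one emulated service; one of these runs per fake port."""
    with socket.create_server((host, dst_port)) as srv:
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_client, args=(conn, peer, dst_port, sink), daemon=True).start()

if __name__ == "__main__":  # listen on every fake port and print alerts as JSON lines
    emit = lambda ev: print(json.dumps(ev), flush=True)
    for port in FAKE_SERVICES:
        threading.Thread(target=serve, args=(port, emit), daemon=True).start()
    threading.Event().wait()  # block forever; Ctrl-C to stop
```

Because the listener only ever replies with a fixed banner, it gives nothing away about the real network while still yielding a usable alert for every touch.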
Benefits of Honeypots
- Honeypots can be a good way to expose vulnerabilities in major systems.
- With a honeypot, you can learn about how the attacker entered the system, from where, what’s being deleted or added, keystrokes of a person typing, and what malware is being used.
- As attackers move throughout your environment, they conduct reconnaissance, scan your network, and seek misconfigured and vulnerable devices. At this stage, they are likely to trip your honeypot, alerting you to investigate and contain attacker access. A honeypot allows you to respond before an attacker has the chance to successfully exfiltrate data from your environment.
- Modern honeypots are not only easy to download and install, but can provide accurate alerts around dangerous misconfigurations and attacker behavior.
- Honeypots don’t make great demands on hardware; it’s possible to set up a honeypot using old computers that you don’t use anymore. As for software, a number of ready-written honeypots are available from online repositories.
- If you don’t have an automated file monitoring system, you can instead create a honeypot of fake files and folders and then monitor it regularly, say, as an alternative approach to ransomware prevention.
- Honeypots test whether your team knows what to do if a honeypot reveals unexpected activity. Can your team investigate the alert and take appropriate countermeasures?
- Honeypots have a low false-positive rate. That’s in stark contrast to traditional intrusion-detection systems (IDS), which can produce a high level of false alerts.
This section is abbreviated from varonis.com and kaspersky.com and rapid7.com
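The fake-files honeypot mentioned in the benefits list is easy to build: plant decoy files nobody should touch, fingerprint them, and treat any change, disappearance or new neighbour as an alert. The script below is an added example and not from the sources above; the decoy file names, folder name and the tampering performed in demo() are constructed to show what a ransomware-style event would look like to the monitor.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Constructed decoy names: boring enough to blend in, tempting enough to be opened.
CANARY_NAMES = ("passwords_backup.xlsx", "payroll_2023.docx", "vpn_config.txt")

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant(root: Path) -> dict:
    """Create the decoy folder and files; return {name: sha256} as the baseline to check against."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        path = root / name
        # Filler content; only its fingerprint matters, padding just makes it look like a real file.
        path.write_bytes(f"decoy file {name}\n".encode().ljust(4096, b"\0"))
        baseline[name] = sha256(path)
    return baseline

def check(root: Path, baseline: dict) -> list:
    """Compare the folder with the baseline; an empty list means nobody touched the canaries."""
    alerts = []
    present = {p.name for p in root.iterdir()} if root.is_dir() else set()
    for name, digest in baseline.items():
        if name not in present:
            alerts.append({"type": "deleted_or_renamed", "file": name})
        elif sha256(root / name) != digest:
            alerts.append({"type": "modified", "file": name})
    for name in sorted(present - set(baseline)):
        # Ransomware typically drops a note or writes *.locked neighbours into the folder.
        alerts.append({"type": "unexpected_file", "file": name})
    return alerts

def demo() -> tuple:
    """Plant canaries, check them clean, then imitate ransomware on the folder and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Finance_Share"
        baseline = plant(root)
        clean = check(root, baseline)
        (root / CANARY_NAMES[0]).write_bytes(os.urandom(4096))                 # overwritten in place
        (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))  # renamed
        (root / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note\n")   # note dropped
        return clean, check(root, baseline)

if __name__ == "__main__":
    for alert in demo()[1]:
        print("ALERT", alert)
```

In production the check() call would run from a scheduler against a real share, with the baseline stored somewhere the share's users cannot reach.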