A honeypot is a network-attached system set up as a decoy to lure cyber attackers and detect, deflect and study hacking attempts to gain unauthorized access to information systems. The function of a honeypot is to represent itself on the internet as a potential target for attackers -- usually, a server or other high-value asset -- and to gather information and notify defenders of any attempts to access the honeypot by unauthorized users.
Honeypot systems often use hardened operating systems (OSes) where extra security measures have been taken to minimize their exposure to threats. They are usually configured so they appear to offer attackers exploitable vulnerabilities. For example, a honeypot system might appear to respond to Server Message Block (SMB) protocol requests used by the WannaCry ransomware attack and represent itself as an enterprise database server storing consumer information.
Large enterprises and companies involved in cybersecurity research are common users of honeypots to identify and defend against attacks from advanced persistent threat (APT) actors. Honeypots are an important tool that large organizations use to mount an active defense against attackers or for cybersecurity researchers who want to learn more about the tools and techniques attackers use.
The cost of maintaining a honeypot can be high, in part because of the specialized skills required to implement and administer a system that appears to expose an organization's network resources, while still preventing attackers from gaining access to any production systems.
Generally, a honeypot operation consists of a computer, applications and data that simulate the behavior of a real system that would be attractive to attackers, such as a financial system, internet of things (IoT) devices, or a public utility or transportation network. It appears as part of a network but is actually isolated and closely monitored. Because there is no reason for legitimate users to access a honeypot, any attempts to communicate with it are considered hostile.
Honeypots are often placed in a demilitarized zone (DMZ) on the network. That approach keeps it isolated from the main production network, while still being a part of it. In the DMZ, a honeypot can be monitored from a distance while attackers access it, minimizing the risk of the main network being breached.
Honeypots may also be put outside the external firewall, facing the internet, to detect attempts to enter the internal network. The exact placement of the honeypot varies depending on how elaborate it is, the traffic it aims to attract and how close it is to sensitive resources inside the corporate network. No matter the placement, it will always have some degree of isolation from the production environment.
Viewing and logging activity in the honeypot provides insight into the level and types of threats a network infrastructure faces while distracting attackers from assets of real value. Cybercriminals can hijack honeypots and use them against the organization deploying them. Cybercriminals have also been known to use honeypots to gather intelligence about researchers or organizations, act as decoys and spread misinformation.
Virtual machines (VMs) are often used to host honeypots. That way, if they are compromised by malware, for example, the honeypot can be quickly restored. Two or more honeypots on a network form a honeynet, while a honey farm is a centralized collection of honeypots and analysis tools.
Both open source and commercial offerings are available to help with deploying and administering honeypots. Products include standalone honeypot systems, as well as honeypots packaged with other security software and marketed as deception technology. GitHub has an extensive list of honeypot software that can help beginners get an idea of how honeypots are used.
Honeypots are used to capture information from unauthorized intruders that are tricked into accessing them because they appear to be a legitimate part of the network. Security teams deploy these traps as part of their network defense strategy. Honeypots are also used to research the behavior of cyber attackers and the ways they interact with networks.
Spam traps are also similar to honeypots. They are email addresses or other network functions set up to attract spam web traffic. Spam traps are used in Project Honey Pot, which is a web-based network of honeypots embedded in website software. Its purpose is to harvest and collect the Internet Protocol (IP) addresses, email addresses and related information on spammers so web administrators can minimize the amount of spam on their sites. The group's findings are used for research as well and by law enforcement to combat unsolicited bulk mailing offenses.
Honeypots aren't always used as a security measure. Anyone can use them for network reconnaissance, including hackers. For instance, a Wi-Fi Pineapple lets users create a Wi-Fi honeypot. Wi-Fi Pineapples are relatively cheap because consumer devices are used to create a fake Wi-Fi network that mimics a real one in the vicinity. Unsuspecting individuals mistakenly connect to the fake Wi-Fi network, and the honeypot operator can then monitor their traffic. Wi-Fi Pineapples also have legitimate uses, such as for penetration testing (pen testing), where ethical -- or white hat -- hackers are hired to identify vulnerabilities in a network.
Based on design and deployment, there are two main types of honeypots: production and research.
Honeypots can be classified as pure, high-interaction or low-interaction:
Honeypots can be used to mimic several types of networks and technologies. A few examples are the following:
There are several types of specialized honeypot technologies, such as the following:
Honeypots and other deception technology are used in a variety of ways. Find out about the full array of incident response tools that are available, how a honeypot can be deployed in the cloud and how one pharmaceutical company is using deception tools.
Top incident response tools to boost network protection
Learn where your environment is at risk with an AWS honeypot
Honeypots provide significant benefits, but they also come with disadvantages and risks.
Overall, honeypots help researchers understand threats in network systems, but production honeypots should not be a replacement for a standard IDS. If a honeypot is not configured correctly, it can be used to gain access to real production systems or as a launchpad for attacks against other target systems.
A honeynet consists of two or more honeypots on a network. Having an interconnected network of honeypots can be useful. It enables organizations to track how an attacker interacts with one resource or network point, and it also monitors how an intruder moves among points on the network and interacts with multiple points at one time. The goal is to get hackers to believe that they have successfully breached the network, so having more fake network destinations makes the setup more convincing.
The term deception technology has been used to describe the more complex implementations of honeypots and honeynets, often packaged with other technology, such as next-generation firewalls (NGFWs), IDSes and secure web gateways. Deception technology includes automated features that let a honeypot respond in real time to potential attackers.
Cyber threats continue to evolve, and honeypots can help organizations keep up with the ever-changing threat landscape. Even though it's impossible to predict and prevent every attack, honeypots provide useful information to ensure an organization is prepared and are perhaps the best way to catch an attacker in the act. They are a good place for cybersecurity professionals to gather information as well.
Learn more about responding to cyber threats in our ultimate guide to cybersecurity incident response.
24 Feb 2021