TechTarget.com/searchsecurity

https://www.techtarget.com/searchsecurity/definition/honey-pot

What is a honeypot? How it protects against cyberattacks

By Scott Robinson

A honeypot is a network-attached system set up as a decoy to lure cyberattackers and to help organizations detect, deflect and study hacking attempts bad actors use to gain unauthorized access to IT. The function of a honeypot is to represent itself on the internet as a potential target for attackers -- usually a server or other high-value asset -- and to gather information and notify defenders of any attempts by unauthorized users to access the honeypot.

Honeypot systems often use hardened operating systems with extra security measures to minimize their exposure to threats. They're usually configured so they appear to offer attackers exploitable vulnerabilities. For example, a honeypot system might appear to respond to Server Message Block protocol requests used by a ransomware attack and represent itself as an enterprise database server storing consumer information.

Large enterprises and companies involved in cybersecurity research commonly use honeypots to identify and defend against attacks from advanced persistent threat actors. Honeypots are an important tool large organizations can use to mount an active defense against attackers. They are also useful for cybersecurity researchers who want to learn more about the tools and techniques attackers use.

The cost of maintaining a honeypot can be high, partly because of the specialized skills required to implement and administer a system that exposes an organization's network resources while preventing attackers from gaining access to any production systems.

How do honeypots work?

Generally, a honeypot operation consists of a computer, applications and data that simulate the behavior of a real system that would be attractive to attackers, such as a financial system, internet of things (IoT) devices, or a public utility or transportation network. It appears as part of a network but is isolated and closely monitored. Because there's no reason for legitimate users to access a honeypot, any attempts to communicate with it are considered hostile.

Honeypots are often placed on the network in a demilitarized zone (DMZ). This keeps them isolated from the main production network while still being part of it. In the DMZ, a honeypot can be monitored from a distance while attackers access it, minimizing the risk of the main network being breached.

Honeypots can also be put outside the external firewall, facing the internet, to detect attempts to enter the internal network. The exact placement of the honeypot varies depending on how elaborate it is, the traffic it aims to attract and how close it is to sensitive resources inside the corporate network. Regardless of the placement, it will always be isolated from the production environment.

Viewing and logging activity in the honeypot provides insight into the level and types of threats a network infrastructure faces while distracting attackers from assets of real value. Cybercriminals can hijack honeypots and use them against the organization deploying them. Cybercriminals have also been known to use honeypots to gather intelligence about researchers or organizations, act as decoys and spread misinformation.

Virtual machines are often used to host honeypots. That way, if they're compromised by malware, for example, the honeypot can be quickly restored. Two or more honeypots on a network form a honeynet, while a honey farm is a centralized collection of honeypots and analysis tools.

Both open source and commercial offerings are available to help deploy and administer honeypots. Products include standalone honeypot systems and honeypots packaged with other security software and marketed as deception technology. GitHub has an extensive list of honeypot software that can help beginners understand how honeypots are used.

What are honeypots used for?

Honeypots capture information from unauthorized intruders who are tricked into accessing them because they appear to be a legitimate part of the network. Security teams deploy these traps as part of their network defense strategy. Honeypots are also used to research cyberattackers' behavior and interactions with networks.

Spam traps are similar to honeypots. They're email addresses or other network functions set up to attract spam web traffic. Spam traps are used in Project Honey Pot, which is a web-based network of honeypots embedded in website software. Its purpose is to harvest and collect the Internet Protocol (IP) addresses, email addresses and related information on spammers so web administrators can minimize the amount of spam on their sites. The group's findings are also used for research by law enforcement to combat unsolicited bulk mailing offenses.

However, honeypots aren't always used as a security measure. Anyone can use them for network reconnaissance, including hackers. For instance, a Wi-Fi Pineapple lets users create a Wi-Fi honeypot. Wi-Fi Pineapples are relatively cheap because consumer devices can be used to create a fake Wi-Fi network that mimics a real one in the vicinity. Unsuspecting individuals mistakenly connect to the fake Wi-Fi network, and the honeypot operator can then monitor their traffic. Wi-Fi Pineapples also have legitimate uses, such as penetration testing where ethical hackers are hired to identify vulnerabilities in a network.

Types of honeypots

Based on design and deployment, there are two main types of honeypots: research and production.

• Research honeypots closely analyze hacker activity to discover how they develop and progress to learn how to better protect systems against them. Data placed in a honeypot with unique identifying properties can also help analysts track stolen data and identify connections between different participants in an attack.
• Production honeypots are usually deployed inside production networks alongside production servers. They act as a decoy, drawing intruders away from the production network as part of the intrusion detection system (IDS). A production honeypot is designed to appear as a real part of the production network and contains information to attract and occupy hackers by tying up their time and resources. This approach ultimately gives administrators time to assess the threat level and mitigate any vulnerabilities in their production systems.

Honeypots can be classified as pure, high-interaction or low-interaction:

• Pure honeypots are full-fledged production systems that monitor a honeypot's link to the network. They're the most complex and difficult to maintain, but they also appear most realistic to attackers, complete with mock confidential files and user information.
• High-interaction honeypots imitate the activities of the production systems, hosting a variety of services and capturing extensive information. The goal of a high-interaction honeypot is to entice an attacker to gain root -- or administrator-level -- access to the server and then monitor the attacker's activity.
• Low-interaction honeypots simulate the network's most common attack vectors: the services attackers frequently request. Therefore, they're less risky and easier to maintain. They don't point malicious users to the root system. The downside of this type of honeypot is that it's more likely to look fake to an attacker. Low-interaction honeypots are good for detecting attacks from bots and malware.

Honeypots can be used to mimic several types of networks and technologies, including the following:

• Enterprise databases.
• Industrial and other control systems.
• Malware attack vectors and replication vectors, such as Universal Serial Bus drives.

There are several types of specialized honeypot technologies, such as the following:

• Malware honeypots. These honeypots mimic malware attack vectors or places where malware attacks and replicates.
• Spam honeypots and email honeypots. These can detect spammers' methods, monitor their activity and block spam.
• Database honeypots. These create decoy databases to mislead attackers using methods that firewalls sometimes miss, like Structured Query Language injections.
• Client honeypots. These actively seek out malicious servers behind client attacks instead of passively waiting for connections. They use virtualization to establish themselves on the server and watch for suspicious modifications to the honeypot.
• Spider honeypots. These are designed to trap web crawlers by creating web pages and links only they can access.
• Honeybots. These offer some privileged access to a decoy device, as allowing full access can be risky and might enable the attacker to hack more than just the fake device.
• Honeynet. This is a network of honeypots.

Where honeypots should and should not be used

The placement of honeypots is a strategic choice. Several deployments are particularly useful and effective. These include the following:

• On the perimeter of a network. They can detect and analyze intrusions before internal network security is breached.
• Within the network. They can be used as a second line of defense against hackers who manage to breach the network perimeter.
• Near high-value subnets. They can divert attackers to less critical systems.
• Within IoT networks. They can help an organization understand how attackers are exploiting IoT devices.
• In cloud environments. They can be used to monitor and secure cloud-based infrastructure.

Less advantageous placements, including the following, should be avoided:

• In plain sight. If a honeypot is too obvious, the hacker might ignore it or use it to mislead the organization using it.
• On a critical computer system. If a honeypot is compromised, high-value data could be placed at risk.
• Near public-facing systems. If a honeypot is placed near mail servers or web apps without sufficient containment, the attacker could potentially expand their attack surface.

Benefits and risks of honeypots

Honeypots provide significant benefits, but they also come with disadvantages and risks.

Benefits

• Real data collection. Honeypots collect data from actual attacks and other unauthorized activities, providing analysts with useful information.
• Fewer false positives. Ordinary cybersecurity detection technologies can generate alerts that include numerous false positives. However, honeypots reduce the number of false positives because there's no reason for legitimate users to access them.
• Cost-effectiveness. Honeypots can be good investments because they only interact with malicious activities and don't require high-performance resources to process large volumes of network traffic looking for attacks.
• Encryption circumvention. Honeypots capture malicious activity, even if an attacker is using encryption.

Disadvantages

• Limited data. Honeypots only collect information when an attack occurs. Zero attempts to access the honeypot means there's no data to analyze.
• Isolated network. Malicious traffic is only collected when an attack targets the honeypot network; if attackers suspect a network is a honeypot, they will avoid it.
• Distinguishable. Honeypots are often distinguishable from legitimate production systems, which means experienced hackers can often differentiate a production system from a honeypot system by using system fingerprinting techniques.
• Put production systems at risk. Although production systems are isolated from the real network, they do eventually connect in some way to enable administrators to collect the information they contain. A high-interaction honeypot is generally considered riskier than a low-interaction one because it aims to entice hackers to gain root access.

Overall, honeypots help researchers understand threats in network systems, but production honeypots shouldn't be a replacement for a standard IDS. If a honeypot isn't configured correctly, it can be used to gain access to real production systems or as a launchpad for attacks against other target systems.

What is a honeynet?

A honeynet consists of two or more honeypots on a network. Having an interconnected network of honeypots can be helpful. It enables organizations to track how an attacker interacts with one resource or network point, and it also monitors how they move among points on the network and interact with multiple points at one time. The goal is to get hackers to believe they've successfully breached the network, so having more fake network destinations makes the setup more convincing.

The term deception technology describes the more complex implementations of honeypots and honeynets, often packaged with other technology, such as next-generation firewalls, IDSes and secure web gateways. Deception technology includes automated features that let a honeypot respond in real time to potential attackers.

Cyberthreats continue to evolve, and honeypots can help organizations keep up with the ever-changing threat landscape. Even though it's impossible to predict and prevent every attack, honeypots can help ensure an organization is prepared and are perhaps the best way to catch an attacker in the act. They are also a good place for cybersecurity professionals to gather information.

With the surging costs associated with cyberattacks and data breaches, cyber insurance can save organizations money in the event of an incident. Learn how cyber insurance works and how to navigate the marketplace.