What is a honeypot?
A honeypot is a computer or computer system consisting of applications and data intended as bait to catch bad guys. They are set up to look like real systems with exploitable vulnerabilities. The only difference is that they are actually isolated from the rest of the network and are carefully monitored. Hackers don’t know this. Thus they are attracted to them like bees to nectar. So where’s the catch?
Honeypots help to detect attacks, deflect them from more valuable targets, and gather information about cybercriminals and their tactics. They can reveal:
- The hacker’s IP address, which may reveal their location or identity, unless the hacker is using a VPN or a proxy server;
- The type of passwords hackers used to access it. Maybe they used leaked passwords and it’s time to update your passwords to unique and strong ones;
- The technique used to break into your honeypot, which can reveal your system and web servers’ vulnerabilities;
- Where your stolen files went. Honeypots can store data with unique identifying properties, which (when stolen) could help their owners find where the data ended up. It could also help identify the connections between different hackers.
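As an added example (not from the original article), here is a small Python analyzer for the kind of login-attempt log a low-interaction honeypot produces: it pulls out the source IP, infers the technique from the pattern of usernames and passwords tried, and flags tried passwords that appear in a leaked-password list. The log format, the sample lines and the leak list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample honeypot log: one login attempt per line, "<epoch> <src_ip> <user> <password>".
SAMPLE_LOG = """\
1700000001 203.0.113.7 root admin
1700000002 203.0.113.7 root 123456
1700000003 203.0.113.7 root toor
1700000030 198.51.100.9 backup Summer2023!
1700000031 198.51.100.9 deploy Summer2023!
1700000032 198.51.100.9 jenkins Summer2023!
this line is malformed and must be skipped
"""

# Constructed stand-in for a leaked-password list (in practice loaded from a breach corpus).
LEAKED_PASSWORDS = {"123456", "password", "admin", "qwerty"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Return (timestamp, src_ip, user, password) tuples; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def classify(users, passwords):
    """Infer the technique from what a source tried against the bait account(s)."""
    if len(passwords) == 1 and len(users) > 1:
        return "password-spraying"   # one password tried across many accounts
    if len(users) == 1 and len(passwords) > 1:
        return "brute-force"         # many passwords tried against one account
    return "single-attempt" if len(users) == len(passwords) == 1 else "mixed"

def summarize(events):
    """Per-source report: attempt count, inferred technique, and tried passwords that are known leaks."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "passwords": set()})
    for _ts, ip, user, pw in events:
        per_ip[ip]["attempts"] += 1
        per_ip[ip]["users"].add(user)
        per_ip[ip]["passwords"].add(pw)
    return {
        ip: {
            "attempts": rec["attempts"],
            "technique": classify(rec["users"], rec["passwords"]),
            "leaked_hits": sorted(rec["passwords"] & LEAKED_PASSWORDS),
        }
        for ip, rec in per_ip.items()
    }
```

Feeding real honeypot output into `summarize(parse_log(...))` gives one record per attacking source, so a hit in `leaked_hits` is the cue to rotate that password wherever it is still in use.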
Therefore, honeypots are great deceptive tools used by large enterprises and security researchers. The FBI’s use of honeypots is also widely known. There are many honeypot configurations that are mostly free and open source. Some can simulate servers and help you analyze the data as well, eliminating the need for a big research team.
Types of honeypots
Honeypots can be categorized by who uses them and what their primary goal is.
Research honeypots are mostly used by security researchers, militaries and governments. They are very complex and provide vital information needed to study and analyze hackers’ activities and their progress within the honeypot. This helps researchers identify security loopholes and find new ways to protect against them.
Production honeypots are usually used by enterprises. They are usually set up inside a production system and are used as part of an intrusion detection system (IDS) that helps to monitor malicious activity. They are less complex and provide less information.
Honeypot systems can also be classified as:
- Pure honeypots are full production systems that don’t require any other software. In other words, they are production servers made into honeypots, and they are connected to the rest of the network. They are the most believable but also the riskiest and the most expensive ones.
- High-interaction honeypots are non-emulated operating systems. They imitate production systems and usually have a lot of services and data. Thus they require a lot of resources to function. Such honeypots are usually run on virtual machines (VM) as this allows multiple honeypots to run on a single device. This also makes it easier to sandbox compromised systems, shut them down, and restore them.
- Low-interaction honeypots emulate only the most ‘wanted’ system or service. They require fewer resources and are also mostly used on VMs. Thus they are less risky and easier to maintain. On the other hand, they are easier for hackers to identify and are better used to detect malware spread by botnets and worms.
Researchers or enterprises might use multiple honeypots to form a honeynet. They can also go as far as having a centralized collection of honeypots and analysis tools – a honey farm. Using honeynets or honey farms makes bait more believable as hackers can travel from one server to another the way they might in a real system.
Are they foolproof?
No matter how good honeypots sound, they have some limitations and vulnerabilities.
- They only collect data when there’s an attack.
- They aren’t very secretive. Experienced hackers can use fingerprinting techniques to identify a honeypot. As a result, they will avoid it and could potentially turn their attention to a more valuable network or server.
- They cannot detect attacks outside of their systems.
- If a honeypot isn’t configured correctly, especially a pure honeypot, it may act as a gateway to other systems and networks.
- Like any other system, they may have weaknesses of their own, such as a weak firewall or weak encryption, or could simply fail to identify attacks. Honeypots simply aren’t perfect.