Honeypots: how security teams use bait to protect against cyber threats
A honeypot is a security mechanism designed to lure attackers into a specially crafted virtual trap. Honeypots intentionally appear to attackers as real computer systems affected by vulnerabilities that could be exploited to compromise them. They can be hardware- or software-based, and are important tools for gathering information about cyberattacks in the wild and for analysing the tactics, techniques and procedures adopted by threat actors.
How are honeypots used?
Careful investigation of attacks against honeypots allows security experts to gather valuable information about attack chains. Gathered data can then be examined to improve security measures.
A honeypot can also be used to deflect or counteract attempted attacks against the organization that deployed it. While attackers are attempting to steal information and breach the honeypot, internal security staff can monitor their activity and protect legitimate production systems using efficient countermeasures.
Honeypots can also be used by organizations to monitor internal threats. Insider threats are difficult to discover, but using internal honeypots can allow security teams to detect malicious activities carried out by insiders or attackers who have already gained a foothold inside a network.
The use of internal honeypots against insiders is possible only when a limited number of employees within the organization are aware of the deployment of these systems.
How do honeypots work?
Like a real computer system, a honeypot runs applications and manages data, mimicking the behaviour of a legitimate target. A honeypot could mimic a company's ecommerce site, a ticketing system, or any application that could be targeted by threat actors. By studying the way attackers break into these systems, and their actions once inside a target network, it is possible to predict the attack pattern and implement countermeasures that make a legitimate system more resilient to intrusion.
A honeypot might intentionally run vulnerable services and applications, might have open ports, and might lack secure authentication mechanisms.
What are the types of honeypots?
Honeypots can be used in production environments as decoy systems or they can be deployed for research purposes. Production honeypots are usually deployed along with other security systems, such as intrusion detection systems (IDS). They can also be employed to deflect an attacker’s attention from the real system while collecting data on the intruder’s activity. On the other hand, research honeypots are only used for educational purposes.
Honeypots could be grouped into three categories based on the level of interaction allowed to the attackers:
- Pure honeypots are full-working production systems. They use a bug tap that has been installed on the honeypot's link to the network to track the attackers’ activities.
- High-interaction honeypots mimic a production system running a broad range of services that could be probed by attackers. They are configured to trick the attackers into probing a large number of services, thus wasting their time. High-interaction honeypots are more sophisticated than pure honeypots and are more difficult to detect. The drawback of these systems is that they are expensive to maintain. High-interaction honeypots can be implemented by running multiple virtual machines on a single physical system.
- Low-interaction honeypots mimic a limited set of services of a legitimate system, usually those most frequently targeted by hackers. These systems are quite simple and consume few resources.
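As an added example, not code from this article or from any project it names, the following is a minimal low-interaction honeypot of the kind described above: it binds to loopback, presents a fake service banner, records each connection as opaque bytes that are never interpreted, and summarises repeat sources as a first threat-intelligence indicator. The loopback address, port and SMTP-style banner are assumptions.

```python
import socket, threading, time
from collections import Counter

# Assumed fake banner: the decoy only ever sends this and records what it receives.
BANNER = b"220 mail.example.test ESMTP ready\r\n"

class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.events = []  # (timestamp, peer_ip, peer_port, first_bytes) per connection
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # port 0 lets the OS pick a free one
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (ip, port) = self.sock.accept()
            except OSError:  # listening socket closed by stop()
                return
            with conn:
                conn.settimeout(1.0)
                conn.sendall(BANNER)
                try:
                    data = conn.recv(256)  # kept as opaque bytes, never interpreted
                except socket.timeout:
                    data = b""
                self.events.append((time.time(), ip, port, data))

    def wait_for(self, n, timeout=3.0):
        deadline = time.time() + timeout  # poll until n connections are recorded
        while len(self.events) < n and time.time() < deadline:
            time.sleep(0.02)
        return len(self.events) >= n

    def stop(self):
        self.sock.close()

def summarise(events, threshold=2):
    """Connections per source IP; sources at or above threshold are repeat probers."""
    counts = Counter(ip for _, ip, _, _ in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def probe(port, payload):
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)  # client-side helper: read the banner, send one payload
        c.sendall(payload)
    return banner
```

Because the decoy stores what it receives without parsing or executing it, the recorded bytes can be reviewed safely and fed into the organisation's detection and intelligence tooling.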
Another classification of honeypots is based on the type of threats that they have been designed to attract. There are honeypot systems that are specifically designed to trap malware or spam campaigns, while others could be used to mimic back-end databases of web applications.
A useful tool for threat intelligence
The use of a honeypot is a strategic choice for the implementation of an effective cyber defence strategy. Having analyzed the principal patterns of attack, an organization can implement honeypots into the overall security of their infrastructure.
Honeypots can be set up to create a powerful and reliable source of threat intelligence, and the information collected by these systems could allow security teams to track threat actors and attack trends.
The intelligence gathered by honeypots gives security staff information that is not available from security applications like intrusion detection systems (IDS) and firewalls.
Popular honeypot solutions
Currently, there are many honeypot solutions on the web, and many of these systems are the result of open-source projects:
- One of the most popular projects is Honeyd, which is a low-interaction server-side honeypot. It is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.
- APNIC Community Honeynet Project helps make the process of deploying a distributed honeynet easier. It consists of tools and scripts that allow for different types of honeypots to be deployed, facilitate collection of logs, and provide basic visualization.
- Capture-HPC is a high-interaction client honeypot that helps find malicious servers on a network. It allows security teams to identify malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing changes to its system state. If a system state change is detected, since no other activity occurs on the dedicated client machine, the server that Capture-HPC interacted with is classified as malicious.
- OWASP also maintains the Honeypot-Project, which focuses on identifying emerging attacks against web applications and reporting them to the community in order to facilitate protection against such targeted attacks.
A small part of a wider security arsenal
Clearly, honeypots cannot replace other security measures within an organization, as more sophisticated threats may bypass them entirely while targeting its infrastructure.
Another scenario to consider is the poisoning of honeypots. Threat actors can intentionally use spoofed attack patterns as a diversionary tactic and feed bad information to the honeypots deployed by an organization.
Another risk related to the use of honeypots is that they can be used by attackers as an entry point into the organization. For this reason, it is essential to apply basic security controls to these systems and contain attacks directed against them.
Honeypots are not a comprehensive security solution, but the benefits of using them within an organization far outweigh the risks, which is why honeypots are essential when implementing an efficient defence.