ADVERTISEMENT

Honeypots: how security teams use bait to protect against cyber threats

Arrested hacker criminal in handcuffs
Pierluigi Paganini
Pierluigi Paganini Contributor
Apr 28, 2021 Updated: 28 September 2021 3 min read
Figure 1 - Source Apriorit.com

How are honeypots used?

How do honeypots work?

What are the types of honeypots?

  • Pure honeypots are full-working production systems. They use a bug tap that has been installed on the honeypot's link to the network to track the attackers’ activities.
  • High-interaction honeypots mimic a production system running a broad range of services that could be probed by attackers. They are configured to trick the attackers into probing a large number of services, thus wasting their time. High-interaction honeypots are more sophisticated than pure honeypots and are more difficult to detect. The drawback of these systems is that they are expensive to maintain. High-interaction honeypots could be implemented by running multiple virtual machines on a single physical system.
  • Low-interaction honeypots mimic a limited set of services of a legitimate system, usually those most frequently targeted by hackers. These systems are quite simple and consume few resources.
ADVERTISEMENT

A useful tool for threat intelligence

  • One of the most popular projects is Honeyd, which is a low-interaction server-side honeypot. It is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.
  • APNIC Community Honeynet Project helps make the process of deploying a distributed honeynet easier. It consists of tools and scripts that allow for different types of honeypots to be deployed, facilitate collection of logs, and provide basic visualization.
  • Capture-HPC is a high interaction client honeypot that helps find malicious servers on a network. The honeypot allows security teams to identify malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system state changes. If a system state change is detected, since no other activity occurs on the dedicated client machine, the server that Capture-HPC interacted with is classified as malicious.
  • OWASP is also maintaining the Honeypot-Project that focuses on identifying emerging attacks against web applications and reporting them to the community in order to facilitate protection against such targeted attacks.

An small part of a wider security arsenal

ADVERTISEMENT