content/en-gb/images/repository/isc/2020/how-honeypots-work.jpg

The definition of a honeypot

One honeypot definition comes from the world of espionage, where Mata Hari-style spies who use a romantic relationship as a way to steal secrets are described as setting a ‘honey trap’ or ‘honeypot’. Often, an enemy spy is compromised by a honey trap and then forced to hand over everything he/she knows.

In computer security terms, a cyber honeypot works in a similar way, baiting a trap for hackers. It's a sacrificial computer system that’s intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating or to distract them from other targets.

How honeypots work

The honeypot looks like a real computer system, with applications and data, fooling cybercriminals into thinking it's a legitimate target. For example, a honeypot could mimic a company's customer billing system - a frequent target of attack for criminals who want to find credit card numbers. Once the hackers are in, they can be tracked, and their behavior assessed for clues on how to make the real network more secure.

Honeypots are made attractive to attackers by building in deliberate security vulnerabilities. For instance, a honeypot might have ports that respond to a port scan or weak passwords. Vulnerable ports might be left open to entice attackers into the honeypot environment, rather than the more secure live network.

A honeypot isn't set up to address a specific problem, like a firewall or anti-virus. Instead, it's an information tool that can help you understand existing threats to your business and spot the emergence of new threats. With the intelligence obtained from a honeypot, security efforts can be prioritized and focused.

Different types of honeypot and how they work

Different types of honeypot can be used to identify different types of threats. Various honeypot definitions are based on the threat type that's addressed. All of them have a place in a thorough and effective cybersecurity strategy.

Email traps or spam traps place a fake email address in a hidden location where only an automated address harvester will be able to find it. Since the address isn't used for any purpose other than the spam trap, it's 100% certain that any mail coming to it is spam. All messages which contain the same content as those sent to the spam trap can be automatically blocked, and the source IP of the senders can be added to a denylist.

A decoy database can be set up to monitor software vulnerabilities and spot attacks exploiting insecure system architecture or using SQL injection, SQL services exploitation, or privilege abuse.

A malware honeypot mimics software apps and APIs to invite malware attacks. The characteristics of the malware can then be analyzed to develop anti-malware software or to close vulnerabilities in the API.

A spider honeypot is intended to trap webcrawlers ('spiders') by creating web pages and links only accessible to crawlers. Detecting crawlers can help you learn how to block malicious bots, as well as ad-network crawlers.

By monitoring traffic coming into the honeypot system, you can assess:

  • where the cybercriminals are coming from
  • the level of threat
  • what modus operandi they are using
  • what data or applications they are interested in
  • how well your security measures are working to stop cyberattacks

Another honeypot definition looks at whether a honeypot is high-interaction or low-interaction. Low-interaction honeypots use fewer resources and collect basic information about the level and type of threat and where it is coming from. They are easy and quick to set up, usually with just some basic simulated TCP and IP protocols and network services. But there's nothing in the honeypot to engage the attacker for very long, and you won't get in-depth information on their habits or on complex threats.

On the other hand, high-interaction honeypots aim to get hackers to spend as much time as possible within the honeypot, giving plenty of information about their intentions and targets, as well as the vulnerabilities they are exploiting and their modus operandi. Think of it as a honeypot with added ‘glue’ - databases, systems, and processes that can engage an attacker for much longer. This enables researchers to track where attackers go in the system to find sensitive information, what tools they use to escalate privileges or what exploits they use to compromise the system.

why honeypots are used for cybersecurity

High-interaction honeypots are, however, resource-hungry. It is more difficult and time-consuming to set them up and to monitor them. They can also create a risk; if they’re not secured with a 'honeywall', a really determined and cunning hacker could use a high-interaction honeypot to attack other internet hosts or to send spam from a compromised machine.

Both types of honeypot have a place in honeypot cybersecurity. Using a blend of both, you can refine the basic information on threat types that comes from the low-interaction honeypots by adding information on intentions, communications, and exploits from the high-interaction honeypot.

By using cyber honeypots to create a threat intelligence framework, a business can ensure that it's targeting its cybersecurity spend at the right places and can see where it has security weak points.

The benefits of using honeypots

Honeypots can be a good way to expose vulnerabilities in major systems. For instance, a honeypot can show the high level of threat posed by attacks on IoT devices. It can also suggest ways in which security could be improved.

Using a honeypot has several advantages over trying to spot intrusion in the real system. For instance, by definition, a honeypot shouldn't get any legitimate traffic, so any activity logged is likely to be a probe or intrusion attempt.

That makes it much easier to spot patterns, such as similar IP addresses (or IP addresses all coming from one country) being used to carry out a network sweep. By contrast, such tell-tale signs of an attack are easy to lose in the noise when you are looking at high levels of legitimate traffic on your core network. The big advantage of using honeypot security is that these malicious addresses might be the only ones you see, making the attack much easier to identify.

Because honeypots handle very limited traffic, they are also resource light. They don't make great demands on hardware; it's possible to set up a honeypot using old computers that you don’t use anymore. As for software, a number of ready-written honeypots are available from online repositories, further reducing the amount of in-house effort that's necessary to get a honeypot up and running.

Honeypots have a low false positive rate.  That’s in stark contrast to traditional intrusion-detection systems (IDS) which can produce a high level of false alerts. Again, that helps prioritize efforts and keeps the resource demand from a honeypot at a low level. (In fact, by using the data collected by honeypots and correlating it with other system and firewall logs, the IDS can be configured with more relevant alerts, to produce fewer false positives. In that way, honeypots can help refine and improve other cybersecurity systems.)

pros and cons of honey pots

Honeypots can give you reliable intelligence about how threats are evolving. They deliver information about attack vectors, exploits, and malware - and in the case of email traps, about spammers and phishing attacks. Hackers continually refine their intrusion techniques; a cyber honeypot helps to spot newly emerging threats and intrusions. A good use of honeypots helps to eradicate blind spots, too.

Honeypots are also great training tools for technical security staff. A honeypot is a controlled and safe environment for showing how attackers work and examining different types of threats. With a honeypot, security staff won't be distracted by real traffic using the network - they'll be able to focus 100% on the threat.

Honeypots can also catch internal threats. Most organizations spend their time defending the perimeter, and ensuring outsiders and intruders can't get in. But if you only defend the perimeter, any hacker who has successfully gotten past your firewall has carte blanche to do whatever damage they can now that they're inside.

Firewalls also won't help against an internal threat - an employee who wants to steal files before quitting their job, for instance. A honeypot can give you equally good information about internal threats and show vulnerabilities in such areas as permissions that allow insiders to exploit the system.

Finally, by setting up a honeypot you're actually being altruistic, and helping other computer users. The longer hackers spend wasting their effort on honeypots, the less time they have available for hacking live systems and causing real damage - to you or to others.

The dangers of honeypots

While honeypot cybersecurity will help chart the threat environment, honeypots won't see everything that is going on - only activity that's directed at the honeypot. Just because a certain threat hasn't been directed against the honeypot, you can't assume it doesn't exist; it's important to keep up with IT security news, not just rely on honeypots to notify you of the threats.

A good, properly configured honeypot will deceive attackers into believing that they've gained access to the real system. It will have the same login warning messages, the same data fields, even the same look and feel and logos as your real systems. However, if an attacker manages to identify it as a honeypot, they can then proceed to attack your other systems while leaving the honeypot untouched.

Once a honeypot has been 'fingerprinted', an attacker can create spoofed attacks to distract attention from a real exploit being targeted against your production systems. They can also feed bad information to the honeypot.

Worse still, a smart attacker could potentially use a honeypot as a way into your systems. That's why honeypots can never replace adequate security controls, such as firewalls and other intrusion detection systems. Since a honeypot could serve as a launch pad for further intrusion, ensure all honeypots are well secured. A 'honeywall' can provide basic honeypot security and stop attacks directed against the honeypot from ever getting into your live system.

A honeypot should give you information to help prioritize your cybersecurity efforts - but it can't replace proper cybersecurity. However many honeypots you have, consider a package like Kaspersky's Endpoint Security Cloud to protect your business assets. (Kaspersky uses its own honeypots to detect internet threats, so you don't have to.)

Overall, the benefits of using honeypots far outweigh the risks. Hackers are often thought of as a distant, invisible threat - but using honeypots, you can see exactly what they're doing, in real time, and use that information to stop them getting what they want.

Related links

IoT under fire: Kaspersky detects more than 100 million attacks on smart devices in H1 2019

How Malware Penetrates Computers and IT Systems

What Is Browser Hijacking?

What is a honeypot?

You may have heard the term 'honeypot' being used and wondered what one is, and how it can make your computer system more secure. This article will tell you everything you need to know about honeypots and their place in cybersecurity.
Kaspersky Logo