The role of intrusion-detection technology based on the decoy, or “honeypot”, is evolving. Once primarily used by researchers as a way to attract hackers to a network system to study their movements and behavior, honeypots are now beginning to play an important role in the security of enterprises. Indeed, honeypots are proving to be more useful to IT security professionals than ever, by providing early detection of unauthorized network activity.
This article examines how honeypots work, and how the technology emerges as a key component in a layered approach to protection against intrusion.
What is a Honeypot?
A honeypot is a security mechanism that creates a virtual trap for attackers. It is an intentionally exposed computer system whose vulnerabilities can be exploited by attackers, so that you can study their activity and improve your security policies. You can apply a honeypot to any computing resource, from software and networks to file servers and routers.
Honeypots are a kind of deception technology that lets you understand patterns of attacker behavior. Security teams can use honeypots to investigate cybersecurity breaches and gather intelligence on how cybercriminals operate. They also reduce the risk of false positives compared with traditional cybersecurity measures, because they are unlikely to attract legitimate activity.
Honeypots vary based on models of design and deployment, but they are all decoys intended to look like legitimate, vulnerable systems to attract cyber criminals.
How do Honeypots function?
For example, if you were in charge of IT security for a bank, you could set up a honeypot system that looks to outsiders like the bank's network. The same applies to those in charge of other forms of secure, internet-connected systems, or researching them.
By tracking traffic to these decoy networks, you can better understand where cybercriminals come from, how they operate and what they want. More importantly, you can determine which of the security measures you have in place work, and which ones need to be improved.
Types of Honeypots
There are four types of honeypot deployments, allowing threat actors to perform various levels of malicious activity:
- Pure honeypots – Complete production systems that monitor attacks through bug taps installed on the link connecting the honeypot to the network. They are unsophisticated.
- High-interaction honeypot – This is similar to a pure honeypot in that it runs a lot of services, but it is not as complex and does not hold as much data. High-interaction honeypots are not meant to imitate a full-scale production system, but all the services a production system would run, including a proper operating system, are run (or appear to run) there. This form of honeypot lets the deploying organization observe the actions and strategies of the intruder. High-interaction honeypots are resource-intensive and present maintenance challenges, but the findings may be worth the effort.
- Mid-interaction honeypot – These emulate aspects of the application layer but have no operating system of their own. They work to stall or confuse attackers, so organizations have more time to work out how to respond to an attack properly.
- Low-interaction honeypot – This type of honeypot is the most frequently deployed in production environments. Low-interaction honeypots run a handful of services and serve, more than anything, as an early-warning detection mechanism. They are easy to deploy and maintain, and many security teams deploy several of them across different segments of their network.
The Benefits of the Honeypot system
Many organizations are wondering why they should spend both money and time creating a system that will attract hackers. However, with all of a honeypot’s many benefits, the real question should be why you haven’t already put one up.
The most significant value of a honeypot lies in the information it obtains and the immediate alerting it makes possible. Data entering and exiting a honeypot gives security personnel information that is not available from an IDS (Intrusion Detection System). During a session, an attacker's keystrokes may be logged even if the session was established over an encrypted channel. Any attempt to access the system can also trigger an immediate alert.
An IDS requires published signatures to detect an attack, so a compromise that is not yet known will often go undetected. Honeypots, on the other hand, can detect exploitation based on the attacker's behavior, even for vulnerabilities not yet known to the security community. These are often termed zero-day exploits.
The data collected by honeypots can be leveraged to improve other security technologies. The logs generated by a honeypot can be correlated with other system logs, IDS alerts and firewall logs. This produces a comprehensive picture of suspicious activity within the organization and allows more relevant alerts to be configured, which in turn produce fewer false positives.
Another advantage of a honeypot is that once attackers enter it, it can frustrate them and cause them to give up attacking the organization's network. The more time an attacker spends on the honeypot, the less time they spend on your production systems.
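The two ideas above, a low-interaction decoy that records every connection and the correlation of its log with firewall logs, are illustrated by the following added example, which is not code from the original article. The decoy listener, the event format, the key=value firewall log format and all addresses are assumptions constructed for the demonstration.

```python
import socket
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of what a low-interaction decoy records. Every
# connection is suspicious by definition: no legitimate client should
# ever talk to the decoy, which is why false positives are rare.
HONEYPOT_EVENTS = [
    {"ts": "2024-05-01T10:02:11Z", "src": "203.0.113.7", "port": 22, "data": "SSH-2.0-libssh"},
    {"ts": "2024-05-01T10:02:40Z", "src": "203.0.113.7", "port": 445, "data": ""},
    {"ts": "2024-05-01T11:15:03Z", "src": "198.51.100.9", "port": 80, "data": "GET /admin"},
]

# Constructed firewall log lines (hypothetical key=value format).
FIREWALL_LOG = """\
2024-05-01T10:03:02Z action=ALLOW src=203.0.113.7 dst=10.0.0.12 dport=22
2024-05-01T10:03:09Z action=ALLOW src=10.0.0.50 dst=10.0.0.12 dport=443
2024-05-01T10:05:30Z action=DENY src=203.0.113.7 dst=10.0.0.13 dport=3389
""".splitlines()


def parse_firewall_line(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def correlate(honeypot_events, firewall_lines):
    """Map each source that touched the decoy to the production hosts the
    firewall later let it reach. A source seen on both is the high-confidence
    alert the article describes; DENY entries are already blocked, so skip them."""
    suspects = {e["src"] for e in honeypot_events}
    hits = defaultdict(list)
    for fw in map(parse_firewall_line, firewall_lines):
        if fw["src"] in suspects and fw["action"] == "ALLOW":
            hits[fw["src"]].append((fw["dst"], int(fw["dport"])))
    return dict(hits)


def serve_decoy(port, banner, sink, host="127.0.0.1"):
    """Minimal low-interaction decoy: send a fake service banner, record the
    first bytes the peer sends, then close. Blocks in the caller's thread;
    `sink` receives one event dict per connection (e.g. sink=print)."""
    with socket.socket() as srv:
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (src, _) = srv.accept()
            with conn:
                conn.sendall(banner)
                data = conn.recv(256).decode(errors="replace").strip()
            sink({"ts": datetime.now(timezone.utc).isoformat(), "src": src, "port": port, "data": data})
```

Running `serve_decoy(2222, b"SSH-2.0-OpenSSH_8.9\r\n", print)` on an otherwise unused port gives a log stream in the same shape as HONEYPOT_EVENTS that `correlate` can join against the firewall log.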
Honeypots, like all technologies, have their drawbacks, the biggest being their limited field of view. Honeypots only capture activity directed against them and will miss attacks on other systems.
For that reason, security experts do not recommend replacing existing security technologies with honeypots. Instead, they see honeypots as a complementary technology for protecting against network- and host-based intrusion.
The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.