
What is a “honeypot”? How does it work? And how can companies use it to enhance their defenses?

According to Lance Spitzner, a honeypot is “an information system resource whose value lies in unauthorized or illicit use of that resource.” It has no production value of its own and gives legitimate users no reason to ever interact with it. For these reasons, honeypots make ideal deception tools and traps: they waste attackers’ time while letting sysadmins learn more about the intrusion methods being used against them.

Tripwire security researcher Ken Westin and Ioannis Koniaris, HoneyDrive developer and blogger, recently presented a webcast discussing how organizations can leverage honeypots, using threat intelligence for active defense.

“When we combine the vulnerability centric approach with a threat centric approach, we add another perspective to the mix that understands prevention will eventually fail,” said Ken Westin. “That is simply the nature of the world we now live in.”

Koniaris explained that honeypots generally fall into two categories: production and research. The former are set up alongside real servers and act as decoy or “mirror” servers, whereas the latter are used primarily to monitor malicious traffic.

Three different levels of interaction—low, medium, and high—allow attackers certain degrees of access to the technology. The higher the interaction level, the higher both the risk and the rate of data capture. Where the honeypots are placed, whether externally, internally, or in the DMZ, also helps determine what purposes companies use them for. Additionally, honeypots can be tailored to different types of attacks, including SSH, malware, web-based and SCADA.
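The defining property above, that a honeypot has no production value so any interaction is by definition suspicious, is what makes even a minimal low-interaction sensor useful. The following is an added example, not code from the webcast or from HoneyDrive: a listener that serves nothing, records the first bytes each client sends, and labels the probe as SSH, web-based, a bare port scan, or unknown. The listening port, the sample probe strings and the alert schema are assumptions chosen for this illustration.

```python
import json
import socket
from datetime import datetime, timezone

# Hypothetical port for this example; a real decoy mirrors its production neighbours.
LISTEN_PORT = 2222


def classify_probe(first_bytes: bytes) -> str:
    """Guess what service the client expected from the bytes it sent first.
    Categories follow the webcast's SSH and web-based honeypot types."""
    if not first_bytes:
        return "scan"          # connected and closed without speaking: port scan
    if first_bytes.startswith(b"SSH-"):
        return "ssh"           # SSH clients open with their version banner
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "web"           # HTTP request line
    return "unknown"


def make_alert(peer_ip: str, peer_port: int, first_bytes: bytes, ts=None) -> dict:
    """Build the record a SOC would ingest. Because nothing legitimate ever
    connects here, every record is an alert rather than a log line to filter."""
    return {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "probe": classify_probe(first_bytes),
        "payload": first_bytes[:64].decode("latin-1"),  # bounded, lossless preview
        "severity": "high",
    }


def serve(port: int = LISTEN_PORT, max_events=None) -> None:
    """Accept connections, read at most 256 bytes with a short timeout, emit one
    JSON alert per connection. Low interaction: no banner, no reply, no shell."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        count = 0
        while max_events is None or count < max_events:
            conn, (ip, p) = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(256)
                except socket.timeout:
                    data = b""
            print(json.dumps(make_alert(ip, p, data)))
            count += 1


if __name__ == "__main__":
    serve()
```

Because the listener never answers, it offers an intruder nothing to build on, which keeps the risk low at the cost of capturing only the opening probe.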

However, while this defensive strategy has its advantages, honeypots also have drawbacks: they increase the complexity of a network and, if not monitored carefully, can themselves be exploited to launch attacks against other actors and/or other parts of the network.

One member of the audience asked whether it was legal to counter an attacker caught in a honeypot. Koniaris advised against this. As he reasoned, attackers could be using other companies’ compromised networks as a hacking platform. If a company retaliated against this type of attacker, it could bring up a number of liability issues.

Nonetheless, honeypots remain a unique concept and have become more useful than ever in the current threat landscape, shedding light on what tools, tactics and procedures attackers may use to penetrate networks.

If you missed the webcast, the slide deck is available here and the live recording is available here.
