Honeypots are not a new idea. They have been part of the cybersecurity world for decades and have frequently gone in and out of “fashion” over that period. Recently, though, they have become an increasingly important part of vulnerability management.
That’s for a couple of reasons. Honeypots offer real-world data on the types of threats that companies face, and they can be a powerful research tool in identifying specific threat vectors. In a context where just 12% of ICS security pros are sure their firms can respond to digital attacks, identifying these specific vectors allows companies to dedicate resources to defeating the most dangerous threats they face.
Honeypots have also risen in popularity due to a simultaneous rise in adversarial cybersecurity techniques such as penetration testing. Rather than relying on general, passive protection systems, network administrators are now looking to test their cybersecurity in real-life, dynamic situations. Honeypots can be a very effective tool in these situations.
The Basics of Honeypots
A honeypot is essentially a “fake” system that looks like a real one. The basic idea is that a hacker will deploy their attack against the fake honeypot rather than the real systems. If this happens, the company that has deployed the honeypot can gain insight into the tools, tactics, and procedures used by the hacker and may even gain advance warning of an attack on its real systems.
Beyond this basic description, honeypots vary widely. In fact, a honeypot is more of a general technique than a specific tool. As complex networks get harder to secure, honeypots are being deployed that simulate a vast range of systems, from blogging platforms to SaaS cloud services.
In general, however, there are two major types of honeypot: research and production honeypots. Research deployments are run by cybersecurity professionals to gather information about the kinds of attacks occurring in the wild and the potential attacks a network may face. Production honeypots, by contrast, are deployed by individual companies to give them advance warning of an imminent attack and to test specific systems for security vulnerabilities.
Different Types of Honeypot
The types of systems in use by the average business today are incredibly varied, and as such, the types of honeypot they can deploy are also varied.
An important high-level distinction is between honeypots that replicate full-scale systems, complete with confidential-looking information, and lower-level deployments that only aim to mimic a particular part of a system. Large, complex honeypots are generally referred to as “pure”; they contain everything that a real system would, while also being instrumented with sensors to detect unauthorized access. “Low-interaction” honeypots, by contrast, will typically only run a handful of services and contain no sensitive information. This latter type serves more as a “tripwire” than a research tool, giving a company advance warning that it is being targeted.
Within these broad categories, honeypots can make use of a vast range of different web technologies.
There are, for instance, malware honeypots that are designed to mimic USB storage devices. Since malware often spreads by infecting USB storage devices, this type of honeypot can be used to trick the malware into infecting the emulated device, where it can be contained and studied.
Email marketers and bloggers often turn to spam honeypots that are designed to emulate email relays. If a hacker is tricked into thinking that this honeypot is a real relay, they will try to use it to send a flood of spam. The honeypot can be used to detect this attempt and then block the real attack from occurring. For beginners, the process of creating a blog typically includes deciding whether or not to go with one of the three main content management systems (WordPress, Joomla, Drupal). For any of these platforms, putting a honeypot to work combating spam is as easy as installing a plugin. Check with each site to see its current recommendations.
Newbie bloggers should understand how critical it is to get control of spam comments fast because you can get buried by them and disillusioned with the whole project in a hurry.
Other types of honeypots work with specific languages and systems. SQL injection can be detected via a fake SQL database, for instance; honeypot technologies can even be built that emulate entire user systems and “invite” hackers to attack them.
The Benefits of Honeypots
Honeypots are an integral part of most contemporary cybersecurity systems, and as such, the many advantages of using them are shared with other forms of threat detection and protection. Large companies can use them to test for vulnerabilities, harden their backup systems, or detect ongoing attacks. Smaller firms use them to improve website security, protect personal data, and build a reputation for taking cybersecurity seriously.
Beyond these general advantages, honeypots confer a level of detailed threat analysis that is impossible using more general cybersecurity analysis software. They also act as a powerful tool for disrupting and defeating attacks that are already in progress, since an attacker can get stuck trying to work out whether a honeypot is real.
Honeypots are also useful for detecting new types of threats. Since they do not rely on known attack signatures, they can often provide warning of zero-day activity before a signature exists. Unlike a signature-based intrusion detection system, a honeypot does not need an intruder to match a known pattern of suspicious behaviour in order to raise an alert: no legitimate user has any reason to touch the decoy, so the very fact that someone is poking around in it is enough to identify them as a threat.
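The “tripwire” idea from the two passages above, as an added example that is not part of the original article: a minimal low-interaction decoy that greets anything connecting to it with a fake SMTP banner and raises a structured alert on the connection itself, with no signature involved. The banner text, the probe payload in demo(), and the alert fields are assumptions made for this illustration.

```python
import socket
import threading
from datetime import datetime, timezone

# Added illustration of a low-interaction "tripwire" honeypot: a decoy SMTP relay
# nobody legitimately uses, so any connection is itself the alert (constructed).
FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"  # hypothetical decoy

def make_alert(peer, first_bytes):
    """Build a structured alert for one connection to the decoy."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "severity": "high",  # no signature needed: touching a decoy is enough
        "sample": first_bytes[:64].decode("latin-1", "replace"),
    }

class TripwireHoneypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))  # port 0: the OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.alerts = []  # in production, ship these to syslog/SIEM instead

    def handle_one(self):
        """Accept one connection, greet it, capture what it sends, raise an alert."""
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(FAKE_BANNER)
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""  # a silent port scan still produces an alert
        alert = make_alert(peer, data)
        self.alerts.append(alert)
        return alert

def demo(payload=b"EHLO scanner\r\n"):
    """One loopback round-trip: returns (banner the client saw, alert raised)."""
    hp = TripwireHoneypot()
    worker = threading.Thread(target=hp.handle_one, daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    worker.join(5)
    return banner, hp.alerts[0]
```

Because the decoy holds nothing real and serves no legitimate client, every record in alerts is worth investigating, which is exactly the property the article attributes to low-interaction honeypots.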
Finally, honeypots are also useful for testing managerial responses to cyberattacks. Since they can be used to emulate entire corporate systems, they can be used as part of penetration tests without the risk of compromising “real” data. This allows companies to run full-scale simulations of cyberattacks and assess whether they have the expertise and systems necessary to respond to them.
Because honeypots come in all shapes and sizes, they are rapidly becoming a major tool in the fight against cybercrime. Though the honeypot technique has long been associated with large-scale corporate networks, today it is possible for small companies (and even individual users) to deploy them on their systems.
As such, honeypots are now an integral part of broader cybersecurity systems and are likely to stay “fashionable” for many years to come.
About the Author: Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.