If you have ever wondered how the good guys on the Internet go after the bad guys, one way is something called a honeypot. You see, in addition to the security measures you might expect, such as strengthening a computer network to keep cybercriminals out, the good guys use a honeypot to do just the opposite: attract the bad guys.
What is a honeypot?
As devices, information, and activities valued by individuals and organisations are moved online, they become susceptible to threat activity. Cyber threat actors, particularly cybercriminals, continue to adapt their activities to find information that people value and attempt to obtain it, hold it for ransom, or destroy it.
You may not have heard of them before, but honeypots have been around for decades. The principle behind them is simple: Don’t go looking for attackers. Prepare something that would attract their interest, the honeypot, and then wait for the attackers to show up.
A honeypot is a security mechanism that creates a virtual trap to lure attackers. Honeypots are a type of deception technology that allows you to understand attacker behaviour patterns. Security teams use honeypots to investigate cyber security breaches to collect intel on how cybercriminals operate.
Like mice to cheese-baited mouse traps, cybercriminals are attracted to honeypots. The bad guys think the honeypot is a legitimate target, something worthy of their time. That’s because the bait includes applications and data that simulate a real computer system.
The function of a honeypot is to present itself on the Internet as a potential target for attackers, usually a server or other high-value asset, to gather information, and to notify defenders of any attempt by unauthorised users to access it.
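To make that mechanism concrete, here is an added example (not code from the original article) of a minimal low-interaction honeypot in Python: it listens on a TCP port, presents a constructed decoy SSH banner, and records every connection as an access attempt to alert on, since no legitimate client should ever reach it. The banner string and the `self_test_probe` helper that exercises the listener from localhost are assumptions of this example.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banner: the listener pretends to be an SSH server so that
# probes talk to it as they would to a real one; no SSH handshake happens.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"

class Honeypot:
    """Low-interaction honeypot: accept TCP connections, send the decoy banner,
    record who connected and what they sent. Every event is an access attempt."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))       # port 0: the OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []                   # recorded access attempts
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:
                return                     # listener closed: stop serving
            with conn:
                conn.settimeout(2.0)
                conn.sendall(FAKE_BANNER)
                try:
                    data = conn.recv(256)  # whatever the probe sends first
                except OSError:
                    data = b""
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "src_ip": addr[0],
                    "payload": data.decode("utf-8", "replace").strip(),
                })
                print(f"ALERT honeypot hit from {addr[0]}: {data!r}")  # alert hook

    def close(self):
        self.sock.close()

def self_test_probe(port, payload=b"SSH-2.0-scanner_probe\r\n"):
    """Exercise the listener from localhost; returns the banner it received."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(payload)
        c.recv(64)                         # b"" once the honeypot hangs up
    return banner
```

In a deployment the print call is where the event would be forwarded to a SIEM or on-call channel; the recorded `src_ip` and `payload` are exactly the intelligence the article describes a honeypot collecting.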
Here are some dangers of honeypots to be aware of:
- Narrow Field of View
The greatest disadvantage of honeypots is their narrow field of view: they can only see the activity that is directed against them. If an attacker breaks into the network and attacks a variety of systems, the honeypot will be blissfully unaware of the activity unless it is attacked directly. If the attacker has identified the honeypot for what it is, they can avoid that system and infiltrate the network, with the honeypot never knowing how the cybercriminal got in.
- Risk
Honeypots can introduce risk to your environment. By risk, we mean that a honeypot, once attacked, can be used to attack, infiltrate, or harm other systems. Some honeypots introduce very little risk, while others give the attacker entire platforms from which to launch new attacks. The simpler the honeypot, the less the risk. In contrast, a honeypot that creates a jail gives an attacker an actual operating system with which to interact. An attacker might be able to break out of such a jail and then use the honeypot to launch passive or active attacks against other systems or organisations. Risk is not fixed; it changes depending on how one builds and deploys the honeypot.
- Fingerprinting
Fingerprinting is when an attacker can identify the true identity of a honeypot because it has certain expected characteristics or behaviours. Once a honeypot has been ‘fingerprinted’, an attacker can create spoofed attacks to distract attention from a real exploit being targeted against your production systems. They can also feed bad information to the honeypot. Worse still, a smart attacker could potentially use a honeypot as a way into your systems. That’s why honeypots can never replace adequate security controls, such as firewalls and other intrusion detection systems.
Here are some benefits of using honeypots:
While honeypot cyber security will help chart the threat environment, honeypots won’t see everything that is going on, only the activity that’s directed at the honeypot. Just because a certain threat hasn’t been directed against the honeypot, you can’t assume it doesn’t exist; it’s important to keep up with IT security news, not just rely on honeypots to notify you of threats.
- Deceive hackers
A good, properly configured honeypot will deceive attackers into believing that they’ve gained access to the real system. It will have the same login warning messages, the same data fields, even the same look and feel and logos as your real systems. However, if an attacker manages to identify it as a honeypot, they can then proceed to attack your other systems while leaving the honeypot untouched.
- No legitimate traffic
A honeypot shouldn’t get any legitimate traffic, so any activity logged is likely to be an intrusion attempt. That makes it much easier to spot patterns, such as similar IP addresses (or IP addresses all coming from one country) being used to carry out a network sweep. By contrast, such tell-tale signs of an attack are easy to lose in the noise when you are looking at high levels of legitimate traffic on your core network.
- Enhanced security
With a honeypot in place, the malicious addresses behind an attack are much easier to identify. Because honeypots handle very limited traffic, they are also resource-light. They don’t make great demands on hardware, and it’s possible to set up a honeypot using old computers that you don’t use anymore. As for software, several ready-written honeypots are available from online repositories, further reducing the amount of in-house effort that’s necessary to get a honeypot up and running.
Honeypots have a low false-positive rate. That’s in stark contrast to traditional intrusion-detection systems (IDS) which can produce a high level of false alerts. Again, that helps prioritise efforts and keeps the resource demand from a honeypot at a low level. (In fact, by using the data collected by honeypots and correlating it with other system and firewall logs, the IDS can be configured with more relevant alerts, to produce fewer false positives. In that way, honeypots can help refine and improve other cyber security systems.)
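The two points above, that anything logged by a honeypot is worth looking at and that those logs become more valuable when correlated with firewall logs, can be shown in a few lines of Python. The example below is added here and is not from the original article; the log formats, the field names, the constructed log lines and the sweep threshold are all assumptions. It flags sources that swept several honeypot ports and then lists firewall-accepted connections from any source already seen at the honeypot, which is the kind of higher-relevance alert the article says honeypot data can feed into an IDS.

```python
import re
from collections import defaultdict

# Constructed honeypot log: only probes reach a honeypot, so every line counts.
HONEYPOT_LOG = """\
2024-03-01T02:14:05Z src=203.0.113.10 dport=22 event=connect
2024-03-01T02:14:06Z src=203.0.113.10 dport=23 event=connect
2024-03-01T02:14:07Z src=203.0.113.10 dport=80 event=connect
2024-03-01T02:14:08Z src=203.0.113.10 dport=443 event=connect
2024-03-01T02:14:09Z src=203.0.113.10 dport=3389 event=connect
2024-03-01T03:01:00Z src=203.0.113.77 dport=22 event=login user=root
2024-03-01T04:20:00Z src=198.51.100.5 dport=445 event=connect
"""

# Constructed firewall log from the production network, used for correlation.
FIREWALL_LOG = """\
2024-03-01T02:30:11Z ACCEPT src=203.0.113.10 dst=10.0.0.25 dport=443
2024-03-01T02:31:40Z ACCEPT src=192.0.2.8 dst=10.0.0.25 dport=443
2024-03-01T03:05:02Z ACCEPT src=203.0.113.77 dst=10.0.0.30 dport=22
2024-03-01T03:06:00Z DROP src=198.51.100.5 dst=10.0.0.31 dport=445
"""

# Assumed key=value layout shared by both logs; dst= is absent on honeypot lines.
LINE_RE = re.compile(r"src=(?P<src>\S+) (?:dst=(?P<dst>\S+) )?dport=(?P<dport>\d+)")

def parse(log):
    """Yield (src, dst, dport) per line; lines without the fields are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def detect_sweeps(log, min_ports=4):
    """Sources that touched at least `min_ports` distinct honeypot ports:
    the network-sweep pattern that is easy to see when there is no real traffic."""
    ports = defaultdict(set)
    for src, _, dport in parse(log):
        ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def correlate(honeypot_log, firewall_log):
    """Firewall-ACCEPTed connections from sources already seen at the honeypot.
    These deserve priority: a known prober reached a production host."""
    seen = {src for src, _, _ in parse(honeypot_log)}
    hits = []
    for line in firewall_log.splitlines():
        m = LINE_RE.search(line)
        if m and "ACCEPT" in line and m.group("src") in seen:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits
```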
Honeypots cannot replace other security mechanisms such as firewalls and intrusion detection systems. Rather, they add value by working with existing security mechanisms. They play a part in your overall defences. A honeypot should give you information to help prioritise your cyber security efforts – but it can’t replace proper cyber security.
Hackers are often thought of as a distant, invisible threat, but with honeypots you can see exactly what they’re doing, in real time, and use that information to stop them from getting what they want.
“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: cyber security is much more than an IT topic.” – Stephane Nappo