In the world of cybersecurity, honeypots are a unique mechanism. They have no business or production value by design, so any interaction with a honeypot is, by definition, anomalous and unauthorized.
Honeypots are nothing more than a trap set up to lure cybercriminals into believing they have reached legitimate, high-value computing resources within your network. This is the opposite of traditional security controls, which by nature are designed to prevent unauthorized use of resources.
So how does honeypot technology stop a cyberattack? It doesn’t.
What are honeypots in security?
While everything else in security is meant to keep hackers away, honeypots are meant to lure them in. Honeypots are designed to look like a real system, enticing hackers to stick around and try out their attack techniques. Effectively, honeypots buy you time so you can gather intelligence about the attack: the methods, the attempts and possibly even the tools the attackers are using.
The attacker moves around inside the honeypot believing they have broken into a real network and can proceed to compromise the IT resources within reach.
This decoy lets security teams take a more active stance. They can capture unauthorized activity and learn how black hat hackers are targeting the network. While this does not solve any specific problem, it narrows the field of view to a manageable level: because no legitimate user has any reason to touch the honeypot, every event it records is worth examining.
There are two types of honeypots: research and production.
The primary purpose of a research honeypot is to study:
- How cybercriminals establish their line of attack
- How the attack progresses
- The underlying motivation and their approach
These are complex systems that capture vast amounts of data, which is later used to publish academic research, adding value to the security community.
Production honeypots are designed to give an organization an immediate benefit against an ongoing or upcoming attack. They are easier to build and deploy than research honeypots: they mirror part of the production environment and expose a few vulnerabilities that an attacker can exploit to get in.
The main benefit of production honeypots is the intelligence they yield, which helps organizations build and tune rules for intrusion detection systems, firewalls and security information and event management (SIEM) tools.
Honeypot interaction levels
Honeypot systems can also be categorized in terms of the interactions involved between the decoy technology and the cybercriminals: low, medium and high interactions.
Low interaction honeypot
A low-interaction honeypot emulates only the outward face of a few network services, for example a login banner and a password prompt, with no real operating system or application behind them. The attacker can connect and try credentials or probes, but the emulated service cannot actually be exploited, so the attacker gains no foothold. A typical decoy of this kind presents itself as something valuable, such as an internal server that stores a database of sensitive credit card information.
Low-interaction honeypots are cheap to run; a common deployment is a set of short-lived virtual machines that each emulate such a server.
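The following is an added example, not code from the original article, of what a low-interaction decoy of this kind looks like in practice: a Python listener that emulates only a Telnet-style login prompt, never grants access, records every credential tried as a JSON event and, as the production honeypot section above describes, turns repeat offenders into firewall blocklist candidates. The banner text, port 2323, the threshold and the scripted sessions are assumptions chosen for illustration.

```python
"""Minimal low-interaction honeypot (illustrative, not a real product).

It emulates only a Telnet-style login prompt. There is no shell behind it:
every login attempt is rejected, and each attempt is recorded as an event.
"""
import json
import socketserver
import time

# Assumed decoy banner; a real deployment mimics a system the attacker expects.
BANNER = b"Ubuntu 20.04 LTS\r\nlogin: "


class LoginEmulator:
    """Protocol state machine for one connection.

    Two states only: waiting for a username, then waiting for a password.
    Nothing the attacker sends can advance past the password prompt.
    """

    def __init__(self, peer):
        self.peer = peer          # source address of the connection
        self.username = None      # username captured so far, if any
        self.events = []          # one dict per completed login attempt

    def handle_line(self, line: str) -> bytes:
        """Consume one line from the attacker and return the next prompt."""
        if self.username is None:
            self.username = line.strip()
            return b"Password: "
        self.events.append({
            "ts": time.time(),
            "src": self.peer,
            "user": self.username,
            "password": line.strip(),
            "outcome": "rejected",  # the decoy never lets anyone in
        })
        self.username = None        # back to the username state
        return b"\r\nLogin incorrect\r\nlogin: "


def replay(peer, lines):
    """Run a scripted session (constructed input) through the emulator."""
    emu = LoginEmulator(peer)
    for line in lines:
        emu.handle_line(line)
    return emu.events


def firewall_candidates(events, threshold=3):
    """Source addresses with at least `threshold` rejected logins.

    A production honeypot feeds this list into a firewall blocklist or a
    SIEM correlation rule; the threshold value is an assumption.
    """
    counts = {}
    for e in events:
        counts[e["src"]] = counts.get(e["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


class Handler(socketserver.StreamRequestHandler):
    """Serve one attacker connection with the emulator and log its events."""

    def handle(self):
        emu = LoginEmulator(self.client_address[0])
        self.wfile.write(BANNER)
        for raw in self.rfile:  # one line per attacker input
            self.wfile.write(emu.handle_line(raw.decode("utf-8", "replace")))
        for e in emu.events:
            print(json.dumps(e))  # one JSON line per attempt, SIEM-friendly


if __name__ == "__main__":
    # Listen on an unprivileged port; redirect real port 23 to it with the
    # firewall if the decoy should look like a standard Telnet service.
    socketserver.ThreadingTCPServer(("0.0.0.0", 2323), Handler).serve_forever()
```

Only the captured events are worth anything here; the point of keeping the emulator so shallow is that even a successful exploit of the fake prompt yields nothing to pivot from, which is exactly the trade-off that separates low-interaction honeypots from the high-interaction systems described later.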
Medium interaction honeypot
These systems simulate more complex services running in your IT network. The intruder can interact with a simulated operating-system layer, but still not a real one. Network logs of these interactions are captured for further analysis.
High Interaction Honeypot
Advanced honeypot systems simulate the production environment or a complex IT service. An actual operating system is deployed, which runs multiple VMs that may simulate different service and application components.
This is by far the most complex and resource-intensive type of honeypot. It may require dedicated computers to give cybercriminals a convincing illusion of the IT service, and because the attacker gets real systems to work with, it must be isolated so it cannot be used as a springboard into the real network.
A more advanced variation of this type of honeypot is called a honeynet, which replicates (rather than emulates) an entire service network. These are real computer systems acting as honeypots, equipped with network loggers and detection systems that capture real-time information about the intruder's activity.
Honeypots for external and internal threats
The bait and deception of honeypot systems are not only designed to lure external threats, but also to tackle security threats that exist within the organization. Insider threats from rogue employees and spies can be discovered using another type of honeypot that is not a computer system but a digital artifact, usually accessible only to specific employees.
Examples include login credentials to a restricted database, or fake credit card numbers linked to corporate accounts, that should never be used by anyone. These digital artifacts are known as honeytokens.
Like the honeypot, honeytokens do not solve a specific security problem; instead they identify the user linked to rogue behavior. A honeytoken captures information about whoever accesses or uses it, which is later used for forensics and for further discovery into the organization's state of security against internal threats.
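As an added example that is not part of the original article, here is one way to operate honeytokens end to end: a decoy service account and a decoy card number are planted, a registry records where each was planted, and authentication and proxy logs are scanned for any appearance of them. Any hit is an alert: a failed login shows someone found and tried the bait, an accepted one means a real system honoured it and needs immediate attention. The account naming scheme, the log lines, the file paths and the IP addresses are all constructed for the example.

```python
"""Honeytoken minting and detection (illustrative example).

A honeytoken is a credential or data item that no legitimate process should
ever use. Plant it somewhere an insider might look, keep a registry of what
was planted where, and alert on any log line that mentions it.
"""
import re
import secrets


def mint_honeytoken(label: str) -> str:
    """Create a plausible-looking decoy service-account name.

    The `svc_<label>_<hex>` scheme is an assumption; use whatever naming
    convention real accounts in your environment follow so the bait blends in.
    """
    return f"svc_{label}_{secrets.token_hex(3)}"


# Constructed registry: honeytoken value -> where it was planted.
# The decoy card number is a well-known test number, not a real card.
REGISTRY = {
    "svc_billing_ro_9f3a1c": "credentials in /srv/shared/finance/db_readme.txt",
    "4111-1111-1111-1111": "decoy card in the corporate card spreadsheet",
}

# Constructed sample log lines (sshd-style auth events and a proxy record).
SAMPLE_LOG = [
    "Jan 12 03:14:07 db01 sshd[4121]: Accepted password for alice from 10.0.4.21 port 50211 ssh2",
    "Jan 12 03:15:40 db01 sshd[4130]: Failed password for svc_billing_ro_9f3a1c from 10.0.5.12 port 51022 ssh2",
    "Jan 12 03:16:02 proxy01 squid: POST https://pastebin.example/api body contains 4111-1111-1111-1111",
    "Jan 12 03:17:33 db01 sshd[4140]: Accepted password for svc_billing_ro_9f3a1c from 10.0.5.12 port 51030 ssh2",
]

# Source address as written by sshd ("from <ip>"); other log formats need
# their own extractor.
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_logs(lines, registry):
    """Return one alert per log line that mentions a registered honeytoken."""
    if not registry:
        return []
    # Escape each token so punctuation in card numbers is matched literally.
    pattern = re.compile("|".join(re.escape(t) for t in registry))
    alerts = []
    for n, line in enumerate(lines, 1):
        m = pattern.search(line)
        if not m:
            continue
        ip = IP_RE.search(line)
        alerts.append({
            "line": n,
            "token": m.group(0),
            "planted_in": registry[m.group(0)],
            "src": ip.group(1) if ip else None,
            # "accepted" is the worst case: a real system honoured the bait.
            "outcome": "accepted" if "Accepted" in line else "attempted",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOG, REGISTRY):
        print(alert)
```

The registry is the piece teams most often forget: without a record of where each token was planted, an alert tells you the bait was taken but not which share, document or mailbox the insider was reading, which is the forensic lead the section above describes.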
Challenges that aren’t changing
The honeypot concept is not new. One of the first documented honeypots dates from the early 1990s, when AT&T Bell Labs led an attacker to believe they had gained access to the company's Internet gateway. The attacker was sent on a merry chase across the network looking for more files and endpoints, all the while the security team traced and captured the attacker's movements and identified new security holes in its own systems.
This story also illustrates why honeypots have never been embraced as a mainstream approach, for reasons that have not changed since.
The use of honeypot systems raises legal questions about the privacy of the person being monitored, who may argue entrapment or monitoring without consent. Under strict privacy laws, an organization may face penalties and be ordered to compensate that person, even though its intent was to protect the corporate network from potential acts of cybercrime.