Honeypots defend digital assets by attracting cybercriminals and allowing their activities to be analyzed.
In the battle against cybercrime attacks that continue to increase in sophistication and now target servers all the way down to the firmware layer, a helpful but often overlooked tool is the honeypot. A honeypot fools hackers into thinking they’re snooping around a company’s servers when they actually aren’t. The devices subsequently alert the owners of a breach and give them a chance to clamp down on the attack before it’s too late.
As explained by TechTarget, any attempt to connect or communicate with a honeypot is considered hostile because there's no reason for legitimate users to access the system. By viewing and logging such activity on a honeypot server, security teams can gain valuable insight into the level and types of threats the network infrastructure faces. At the same time, honeypots can distract attackers away from going after assets of real value.
Types of Honeypots
Honeypots typically consist of a computer, applications, and data that simulate the behavior of a real system. Honeypot servers appear to be part of a network, but are actually isolated and closely-monitored, and they can be configured in a variety of forms:
- Research honeypots enable analysis of hacker activity and how attacks develop and progress. Data placed in a honeypot with unique identifying properties can also help analysts track stolen data and identify connections between different participants in an attack.
- Production honeypots are deployed alongside other production servers, appearing real and containing information or a resource of value to attract and occupy hackers. This ties up the attacker's time and resources, hopefully creating enough time to assess and mitigate vulnerabilities that might hit actual production systems.
- High-interaction honeypots imitate a production system and attempt to allow attackers to gain root access and then study what they do. An attacker with root access has access to all commands and files on a system, so this type carries the greatest risk but also has the greatest potential for collecting information.
- Low-interaction honeypots simulate only the services frequently targeted by attackers and are less risky and less complex to maintain. Virtual machines are often used to host this type of honeypot so it can be restored more quickly if it is compromised.
Two or more honeypots on a network form a honeynet, while a honeyfarm is a centralized collection of honeypots and analysis tools.
A Honeypot Put to the Test
In the UK, honeypot servers were part of a test that the BBC asked a security company to run in order to judge the scale and caliber of cyberattacks that businesses face every day. The servers were given real, public IP addresses and other identifying information that announced their presence online. To make the honeypot servers realistic, each one was configured to superficially resemble a legitimate server and accept requests for website pages, file transfers and secure networking.
The servers were not capable of doing anything more than providing a very basic response to a query about basic services and protocols. But a just a little more than an hour after the servers were set up, they were visited by automated attack tools that scanned them for weaknesses. Once the machines had been found by the bots, they were subjected to a constant assault.
The servers' limited responses did not deter the automated attack tools, or bots, that many cyber-thieves use to find potential targets. A wide variety of attack bots probed the servers seeking weaknesses that could be exploited had they been full-blown, production machines.
Here are some of the key findings of the BBC test:
- 17% of the attack bots were scrapers that sought to suck up website content
- 37% looked for vulnerabilities in apps or tried well-known admin passwords
- 10% checked for application bugs
- 29% tried to get at user accounts using brute force techniques that tried commonly-used passwords
- 7% sought loopholes in the operating system
While these results show a typical pattern for automatic bots, information like this can prove very valuable to InfoSec teams devising a security strategy to protect the company’s digital assets. More importantly, the existence of an attack on a honeypot server indicates an attack on a legitimate server may be coming around the corner.
Get a Big Jump on Cyberattacks
Honeypots have actually been around a long time, but very few businesses have implemented them, more often relying on penetration testing by an outside consultant. And while honeypots help in understanding the threats network systems face, production honeypots should not be seen as a replacement for a standard IDS (intrusion detection system). If not configured correctly, they can be used to access the real production system or as a launch pad for attacks against other systems.
On the plus side, the payoff of using a honeypot can be huge. Creating a honeypot as a server can be done in a matter of minutes, and they don’t require a lot of on-going management until an attack actually occurs—at which time the effort to manage them is well worth the return.
Just think how the security team will feel when it discovers “Winnie-the-Pooh” stuck inside a honeypot server! They can get a big jump on making sure no actual cyberattack damage occurs across the network.