If you have ever had a problem with bees, you will know that a pot of honey left out will attract them. In computer security terms, a cyber-honeypot works in a similar way: it baits a trap for hackers. It is a sacrificial computer system intended to attract cyberattacks, like a decoy. It mimics a target for hackers and uses their intrusion attempts to gain information about cybercriminals and the way they operate, or to distract them from other targets.
How honeypots work
A honeypot system looks just like a real computer, with applications and data on it, so that hackers believe it is a real target. A good example would be a honeypot mimicking an organization's billing system, inviting cybercriminals to attack it in the hope of gaining access to users' credit card numbers. Once hackers get into that system, they can be tracked and their attacks analyzed to make the real network more secure.
Honeypots attract cybercriminals because they are purposefully built with security vulnerabilities. For example, a honeypot might have ports that respond to a port scan or weak passwords. Vulnerable ports might be left open to trick attackers into attempting to hack the honeypot environment, rather than the more secure live network.
A honeypot is not set up to address a specific problem the way a firewall or antivirus product is. Instead, it is an information tool that can help you understand existing threats to your business and spot the emergence of new ones. With the intelligence obtained from a honeypot, security efforts can be prioritized and focused.
Different types of honeypot and how they work
There are different types of honeypots that can be used to identify different types of threats. Various honeypot definitions are based on the threat type that's addressed. All of them have a place in a thorough and effective cybersecurity strategy.
Email Traps a.k.a. Spam Traps
An email trap places a fake email address in a hidden location where only an automated address harvester will find it. Since the address is not used for any purpose other than the spam trap, it is 100% certain that any mail arriving at it is spam. All messages with the same content as those sent to the spam trap can be automatically blocked, and the senders' source IPs can be added to a blacklist.
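The spam-trap logic described above, written out as an added example (not code from the original article): the trap address, the sender IPs and the message bodies are all constructed for illustration. Mail to the trap address is treated as spam by definition; its content fingerprint and sender IP are then used to reject copies of the same campaign sent to real mailboxes.

```python
import hashlib
import re

# Constructed: a trap address that is only ever published where harvesters, not people, will read it.
TRAP_ADDRESSES = {"hidden-trap-4f2a@example.org"}

# Constructed sample messages: (sender_ip, recipient, body)
SAMPLE_MESSAGES = [
    ("203.0.113.7",  "hidden-trap-4f2a@example.org", "Buy cheap pills now! http://pills.example"),
    ("203.0.113.7",  "alice@example.org",            "Buy cheap pills now! http://pills.example"),
    ("198.51.100.9", "bob@example.org",              "Buy cheap pills now!  http://pills.example "),
    ("192.0.2.44",   "carol@example.org",            "Meeting moved to 3pm, see you there"),
]


def content_fingerprint(body: str) -> str:
    """Normalise case and whitespace before hashing so trivially altered copies of one spam still match."""
    normalised = re.sub(r"\s+", " ", body.strip().lower())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class SpamTrap:
    def __init__(self, trap_addresses):
        self.trap_addresses = set(trap_addresses)
        self.blocked_fingerprints = set()   # content hashes seen at the trap
        self.blacklisted_ips = set()        # sender IPs seen at the trap

    def learn(self, messages):
        """Every message addressed to a trap is spam: record its content hash and sender IP."""
        for sender_ip, recipient, body in messages:
            if recipient in self.trap_addresses:
                self.blocked_fingerprints.add(content_fingerprint(body))
                self.blacklisted_ips.add(sender_ip)

    def classify(self, sender_ip, recipient, body):
        """Return the reason a message is rejected, or None if it is allowed through."""
        if recipient in self.trap_addresses:
            return "trap-address"
        if sender_ip in self.blacklisted_ips:
            return "blacklisted-ip"
        if content_fingerprint(body) in self.blocked_fingerprints:
            return "known-spam-content"
        return None


def run_sample():
    """Learn from the constructed messages, then classify each of them."""
    trap = SpamTrap(TRAP_ADDRESSES)
    trap.learn(SAMPLE_MESSAGES)
    return [trap.classify(*m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_sample()):
        print(f"{msg[0]:>13} -> {msg[1]:<32} {verdict}")
```

The fingerprint deliberately collapses whitespace and case; a production filter would normalise more aggressively (URLs, tracking tokens), but the principle is the same: the trap gives a zero-false-positive seed, and everything else is matched against it.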
A decoy database can be set up to monitor software vulnerabilities and spot attacks exploiting insecure system architecture or using SQL injection, SQL services exploitation, or privilege abuse.
A malware honeypot mimics software apps and APIs to invite malware attacks. The characteristics of the malware can then be analyzed to develop anti-malware software or to close vulnerabilities in the API.
A spider honeypot is intended to trap web crawlers (i.e. spiders) by creating web pages and links only accessible to crawlers. Detecting crawlers can help you learn how to block malicious bots, as well as ad-network crawlers.
High-interaction and Low-interaction Honeypots
A honeypot can be either high-interaction or low-interaction. Low-interaction honeypots use fewer resources and collect basic information about the level and type of threat and where it is coming from. They are quick and easy to set up, usually with just some basic simulated TCP and IP protocols and network services. However, there is nothing in the honeypot to engage the attacker for very long, so you will not get in-depth information on their habits or on complex threats.
On the other hand, high-interaction honeypots aim to get hackers to spend as much time as possible within the honeypot, giving plenty of information about their intentions and targets, as well as the vulnerabilities they are exploiting. Think of it as a honeypot with added ‘glue’ - databases, systems, and processes that can engage an attacker for much longer. This enables researchers to track where attackers go in the system to find sensitive information, what tools they use to escalate privileges or what exploits they use to compromise the system.
High-interaction honeypots are, however, resource-hungry. It is more difficult and time-consuming to set them up and to monitor them. They can also create a risk; if they’re not secured with a 'honeywall', a really determined and cunning hacker could use a high-interaction honeypot to attack other internet hosts or to send spam from a compromised machine.
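A minimal low-interaction honeypot of the kind described above, as an added example that is not part of the original article: it listens on a TCP port, sends a fake banner (the banner string is made up and implements no protocol), records the source address and the first bytes the client sends, and then closes the connection. The `simulate_probe` client stands in for a scanner so the listener can be exercised locally.

```python
import socket
import threading
import time

# Hypothetical banner: looks like a service, but nothing real is behind the port.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


class LowInteractionHoneypot:
    """Accept connections, send a banner, log what arrives first, hang up. Every connection is unsolicited."""

    def __init__(self, host="127.0.0.1", port=0, read_timeout=1.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.read_timeout = read_timeout
        self.events = []                      # one record per connection attempt
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self.sock.close()
        self._thread.join(timeout=2)

    def _serve(self):
        self.sock.settimeout(0.2)             # wake up regularly to check the stop flag
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except (socket.timeout, OSError):
                continue
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        event = {"ts": time.time(), "src_ip": addr[0], "src_port": addr[1], "first_bytes": b""}
        try:
            conn.sendall(FAKE_BANNER)
            conn.settimeout(self.read_timeout)
            event["first_bytes"] = conn.recv(256)   # keep only a small sample; never interpret it
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        with self._lock:
            self.events.append(event)

    def snapshot(self):
        with self._lock:
            return list(self.events)


def simulate_probe(port, payload=b"SSH-2.0-scanner\r\n"):
    """Constructed client standing in for a scanner: connect, read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def demo():
    """Start the listener, hit it once, and return what the probe saw and what the honeypot logged."""
    hp = LowInteractionHoneypot()
    hp.start()
    banner = simulate_probe(hp.port)
    time.sleep(0.5)                           # give the handler thread time to record the event
    events = hp.snapshot()
    hp.stop()
    return banner, events


if __name__ == "__main__":
    banner, events = demo()
    for e in events:
        print(f"{e['src_ip']}:{e['src_port']} sent {e['first_bytes']!r}")
```

Because the listener never parses what it receives, it cannot be driven into doing anything on the attacker's behalf, which is exactly the property that makes low-interaction honeypots cheap and safe to run, and also why they yield only the source, timing and first bytes of a probe rather than an attacker's full behaviour.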
Why are honeypots used in cybersecurity?
For a good hacker-trapping system, both types of honeypot have to be used. Utilizing a blend of both, you can refine the basic information on threat types that comes from the low-interaction honeypots by adding information on intentions, communications, and exploits from the high-interaction honeypot.
By using cyber honeypots to create a threat intelligence framework, a business can ensure that it's targeting its cybersecurity spend at the right places and can see where it has security weak points.
The benefits of using honeypots
Honeypots can be a good way to expose vulnerabilities in major systems. For instance, a honeypot can show the high level of threat posed by attacks on IoT devices. It can also suggest ways in which security could be improved.
Using a honeypot has several advantages over trying to spot intrusion in the real system. For instance, by definition, a honeypot shouldn't get any legitimate traffic, so any activity logged is likely to be a probe or intrusion attempt.
That makes it much easier to spot patterns, such as similar IP addresses (or IP addresses all coming from one country) being used to carry out a network sweep. By contrast, such tell-tale signs of an attack are easy to lose in the noise when you are looking at high levels of legitimate traffic on your core network. The big advantage of using honeypot security is that these malicious addresses might be the only ones you see, making the attack much easier to identify.
Because honeypots handle very limited traffic, they are also resource light. They don't make great demands on hardware. It's even possible to set up a honeypot using old computers that you don’t use anymore. As for software, a number of ready-written honeypots are available from online repositories, further reducing the amount of in-house effort that's necessary to get a honeypot up and running.
Honeypots have a low false-positive rate. That’s in stark contrast to traditional intrusion-detection systems (IDS) which can produce a high level of false alerts. Again, that helps prioritize efforts and keeps the resource demand from a honeypot at a low level.
In fact, by using the data collected by honeypots and correlating it with other system and firewall logs, the IDS can be configured with more relevant alerts, to produce fewer false positives. In that way, honeypots can help refine and improve other cybersecurity systems.
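The two detection ideas above, spotting a network sweep in honeypot traffic and correlating honeypot sightings with firewall logs, carried out over constructed sample logs as an added example (not code from the original article). Both log formats are hypothetical; the point is that any source seen at the honeypot is hostile by definition, so a later accepted connection from that source on the production network is a high-confidence alert.

```python
import re
from collections import defaultdict

# Constructed honeypot connection log (hypothetical format): timestamp src_ip dst_port
HONEYPOT_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 22
2024-05-01T10:00:02Z 203.0.113.7 23
2024-05-01T10:00:02Z 203.0.113.7 80
2024-05-01T10:00:03Z 203.0.113.7 443
2024-05-01T10:00:03Z 203.0.113.7 3306
2024-05-01T10:05:10Z 198.51.100.9 22
2024-05-01T10:05:11Z 198.51.100.9 22
2024-05-01T10:09:00Z 192.0.2.44 80
"""

# Constructed production firewall log (hypothetical format): timestamp action src_ip dst_ip dst_port
FIREWALL_LOG = """\
2024-05-01T10:01:00Z ACCEPT 203.0.113.7 10.0.0.5 443
2024-05-01T10:01:30Z ACCEPT 10.0.0.12 10.0.0.5 443
2024-05-01T10:06:00Z DROP 198.51.100.9 10.0.0.5 22
2024-05-01T10:10:00Z ACCEPT 192.0.2.44 10.0.0.5 80
2024-05-01T10:11:00Z ACCEPT 10.0.0.13 10.0.0.5 443
"""

HP_RE = re.compile(r"^(\S+) (\S+) (\d+)$")
FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+) (\S+) (\d+)$")


def parse_honeypot(log):
    """Return {src_ip: set(dst_ports)}. No filtering: nothing legitimate should ever reach the honeypot."""
    ports_by_ip = defaultdict(set)
    for line in log.splitlines():
        m = HP_RE.match(line)
        if m:
            ports_by_ip[m.group(2)].add(int(m.group(3)))
    return ports_by_ip


def find_sweeps(ports_by_ip, min_ports=4):
    """One source touching many distinct honeypot ports is the signature of a network sweep."""
    return {ip for ip, ports in ports_by_ip.items() if len(ports) >= min_ports}


def correlate(ports_by_ip, fw_log):
    """Raise an alert for every ACCEPTed production connection from a source the honeypot already saw."""
    alerts = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, port = m.groups()
        if action == "ACCEPT" and src in ports_by_ip:
            alerts.append({
                "ts": ts, "src_ip": src, "dst_ip": dst, "dst_port": int(port),
                "honeypot_ports": sorted(ports_by_ip[src]),   # context for the analyst
            })
    return alerts


def run_sample():
    """Run both detections over the constructed logs."""
    hp = parse_honeypot(HONEYPOT_LOG)
    return find_sweeps(hp), correlate(hp, FIREWALL_LOG)


if __name__ == "__main__":
    sweeps, alerts = run_sample()
    print("sweep sources:", sorted(sweeps))
    for a in alerts:
        print(f"ALERT {a['ts']} {a['src_ip']} -> {a['dst_ip']}:{a['dst_port']} "
              f"(seen at honeypot on ports {a['honeypot_ports']})")
```

Note the asymmetry the article describes: on the firewall log alone, 203.0.113.7 is one accepted HTTPS connection among the organisation's own hosts and would be lost in the noise; it is the honeypot sighting that turns it into an alert worth acting on. The dropped connection from 198.51.100.9 produces no alert because the firewall already handled it.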