
A scientific article by lecturer Najwan Thaer Ali (نجوان ثائر علي) of the Department of Computer Techniques Engineering, titled: What is a honeypot. Date: 31/05/2023 | Views: 204


The definition of a honeypot
One honeypot definition comes from the world of espionage, where Mata Hari-style spies who use a romantic relationship as a way to steal secrets are described as setting a ‘honey trap’ or ‘honeypot’. Often, an enemy spy is compromised by a honey trap and then forced to hand over everything he/she knows.

In computer security terms, a cyber honeypot works in a similar way, baiting a trap for hackers. It's a sacrificial computer system that’s intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating or to distract them from other targets.


How honeypots work
The honeypot looks like a real computer system, with applications and data, fooling cybercriminals into thinking it's a legitimate target. For example, a honeypot could mimic a company's customer billing system - a frequent target of attack for criminals who want to find credit card numbers. Once the hackers are in, they can be tracked, and their behavior assessed for clues on how to make the real network more secure.

Honeypots are made attractive to attackers by building in deliberate weaknesses. For instance, a honeypot might expose services that answer a port scan, or accounts protected by weak passwords. Such ports are left open to draw attackers into the honeypot environment rather than the more secure live network. The weaknesses must be confined to the decoy itself: the honeypot holds no real data, and its host and network position are hardened so that compromising it gains the attacker nothing of value.

Unlike a firewall or anti-virus product, a honeypot isn't set up to block a specific kind of attack. Instead, it's an information tool that helps you understand the threats your business already faces and spot new ones as they emerge. With the intelligence obtained from a honeypot, security efforts can be prioritized and focused.

Different types of honeypot and how they work
Different types of honeypot can be used to identify different types of threats. Various honeypot definitions are based on the threat type that's addressed. All of them have a place in a thorough and effective cybersecurity strategy.

Email traps or spam traps place a fake email address in a hidden location where only an automated address harvester will find it. Since the address is used for nothing else, any mail arriving at it is unsolicited by construction (in practice a few misdirected messages and bounce backscatter can land there too, which is why trap addresses are chosen so that nobody would plausibly type them). Messages elsewhere that carry the same content as those sent to the spam trap can be automatically blocked, and the source IP addresses of the senders can be added to a denylist.
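The spam-trap workflow described above, as an added example that is not part of the original article: mail delivered to the trap address teaches the filter a content fingerprint and a sender IP, and that knowledge is then applied to everyone else's inbound mail. The trap address, the sample messages and the IP addresses are all constructed for this example; a real deployment would hang the same logic off the MTA's delivery hook.

```python
import hashlib
import re

# Hypothetical trap address: seeded only into hidden HTML where harvesters find it,
# never used for real correspondence.
TRAP_ADDRESSES = {"archive-2011@example.com"}

# Constructed sample of inbound mail as the MTA would hand it to a filter.
MESSAGES = [
    {"src_ip": "198.51.100.7", "rcpt": "archive-2011@example.com",
     "body": "Claim your prize #48213 now! Visit http://example.net/win"},
    {"src_ip": "198.51.100.7", "rcpt": "alice@example.com",
     "body": "Claim your prize #77910 now! Visit http://example.net/win"},
    {"src_ip": "203.0.113.9", "rcpt": "bob@example.com",
     "body": "CLAIM YOUR PRIZE #10 NOW!  Visit http://example.net/win"},
    {"src_ip": "192.0.2.44", "rcpt": "bob@example.com",
     "body": "Minutes from Tuesday's meeting attached."},
]


def fingerprint(body: str) -> str:
    """Hash a normalised body so trivially varied copies of one campaign collide.
    Case and whitespace are folded and digit runs replaced, because mass mailers
    often change only a tracking number per recipient."""
    norm = re.sub(r"\s+", " ", body.lower()).strip()
    norm = re.sub(r"\d+", "0", norm)
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()[:16]


def learn_from_trap(messages):
    """Mail to a trap address is unsolicited by construction: record its content
    fingerprint and the delivering IP. Returns (fingerprints, denylisted_ips)."""
    fingerprints, denied_ips = set(), set()
    for msg in messages:
        if msg["rcpt"] in TRAP_ADDRESSES:
            fingerprints.add(fingerprint(msg["body"]))
            denied_ips.add(msg["src_ip"])
    return fingerprints, denied_ips


def filter_inbox(messages, fingerprints, denied_ips):
    """Apply what the trap taught us to everyone else's mail.
    Returns (kept, blocked); each blocked entry carries the reason."""
    kept, blocked = [], []
    for msg in messages:
        if msg["rcpt"] in TRAP_ADDRESSES:
            continue  # trap mail is consumed by the trap, never delivered
        if msg["src_ip"] in denied_ips:
            blocked.append((msg, "sender ip seen at spam trap"))
        elif fingerprint(msg["body"]) in fingerprints:
            blocked.append((msg, "content matches spam-trap message"))
        else:
            kept.append(msg)
    return kept, blocked


if __name__ == "__main__":
    fps, ips = learn_from_trap(MESSAGES)
    kept, blocked = filter_inbox(MESSAGES, fps, ips)
    for msg, reason in blocked:
        print(f"BLOCK {msg['src_ip']} -> {msg['rcpt']}: {reason}")
    for msg in kept:
        print(f"KEEP  {msg['src_ip']} -> {msg['rcpt']}")
```

The digit folding is deliberately coarse: it catches a campaign that personalises only a ticket number, at the cost of treating any two messages that differ only in numbers as identical, so in production the fingerprint would be one signal weighed alongside sender reputation rather than a hard block on its own.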

A decoy database can be set up to monitor software vulnerabilities and spot attacks exploiting insecure system architecture or using SQL injection, SQL services exploitation, or privilege abuse.

A malware honeypot mimics software apps and APIs to invite malware attacks. The characteristics of the malware can then be analyzed to develop anti-malware software or to close vulnerabilities in the API.

A spider honeypot is intended to trap webcrawlers ('spiders') by creating web pages and links only accessible to crawlers. Detecting crawlers can help you learn how to block malicious bots, as well as ad-network crawlers.

By monitoring traffic coming into the honeypot system, you can assess:

where the cybercriminals are coming from
the level of threat
what modus operandi they are using
what data or applications they are interested in
how well your security measures are working to stop cyberattacks
Honeypots are also classified by interaction level, as high-interaction or low-interaction. Low-interaction honeypots use fewer resources and collect basic information about the level and type of threat and where it is coming from. They are easy and quick to set up, usually just a few emulated TCP/IP network services that answer with a plausible banner. But there is nothing in the honeypot to engage the attacker for very long, so you won't get in-depth information on their habits or on complex threats.
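A minimal low-interaction honeypot of the kind just described, as an added example that is not part of the original article: each listener sends a fake service banner (this is what makes the ports "respond to a port scan" in the earlier section), reads whatever the peer sends next, logs the session and closes. The port numbers, banners and classification labels are assumptions made for this example; nothing real runs behind the banners, which is exactly why the honeypot cannot hold an attacker for long.

```python
import json
import socket
import socketserver
import threading
import time

# Hypothetical fake services: port -> (name, banner). Banners are what a scanner sees;
# nothing real answers behind them.
SERVICES = {
    2222: ("ssh", b"SSH-2.0-OpenSSH_7.4\r\n"),
    8023: ("telnet", b"\r\nlogin: "),
}


def classify(service, data):
    """Rough label for what the peer did after reading the banner."""
    if not data:
        return "banner-grab"            # connected, read the banner, left: typical scanner
    if service == "ssh" and data.startswith(b"SSH-"):
        return "ssh-client-handshake"   # a real client trying to proceed (we never will)
    if service == "telnet":
        return "telnet-login-attempt"
    return "unknown-payload"


def record_session(src_ip, dport, service, data, ts=None):
    """One log record per connection. Every record is interesting: the honeypot has no
    legitimate users, so there is no benign traffic to filter out."""
    return {
        "ts": ts if ts is not None else time.time(),
        "src": src_ip,
        "dport": dport,
        "service": service,
        "kind": classify(service, data),
        "payload_len": len(data),
        "payload_hex": data[:64].hex(),
    }


class SessionHandler(socketserver.BaseRequestHandler):
    def handle(self):
        name, banner = self.server.service
        self.request.sendall(banner)
        self.request.settimeout(3.0)
        try:
            data = self.request.recv(1024)
        except (socket.timeout, ConnectionError):
            data = b""
        rec = record_session(self.client_address[0], self.server.server_address[1], name, data)
        self.server.log.append(rec)
        print(json.dumps(rec))
        # Low interaction: one read, then close. There is no service to keep the peer busy.


class HoneypotListener(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind, port, service):
        super().__init__((bind, port), SessionHandler)
        self.service = service
        self.log = []


def start_listeners(bind="127.0.0.1", services=SERVICES):
    """Start one listener per fake port; returns the server objects (records in .log)."""
    listeners = []
    for port, service in services.items():
        srv = HoneypotListener(bind, port, service)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        listeners.append(srv)
    return listeners


def probe(host, port, payload=b""):
    """Tiny client standing in for an attacker's scanner: read banner, optionally send bytes."""
    with socket.create_connection((host, port), timeout=3) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


if __name__ == "__main__":
    listeners = start_listeners()
    probe("127.0.0.1", 2222)                               # banner grab
    probe("127.0.0.1", 2222, b"SSH-2.0-libssh_0.9.6\r\n")  # client handshake
    probe("127.0.0.1", 8023, b"admin\r\n")                 # telnet login attempt
    time.sleep(0.5)
    for srv in listeners:
        srv.shutdown()
        for rec in srv.log:
            print(rec["dport"], rec["kind"])
```

Run it on a dedicated host that shares no credentials or network trust with production, and keep it off your asset inventory so that nothing legitimate ever connects; the value of the log comes entirely from the fact that every line in it is unsolicited.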

On the other hand, high-interaction honeypots aim to get hackers to spend as much time as possible within the honeypot, giving plenty of information about their intentions and targets, as well as the vulnerabilities they are exploiting and their modus operandi. Think of it as a honeypot with added ‘glue’ - databases, systems, and processes that can engage an attacker for much longer. This enables researchers to track where attackers go in the system to find sensitive information, what tools they use to escalate privileges or what exploits they use to compromise the system.

High-interaction honeypots are, however, resource-hungry. They are more difficult and time-consuming to set up and to monitor. They also create a risk: if they are not fenced in by a 'honeywall' (a gateway that lets attackers in but throttles or blocks connections going out), a determined attacker could use a compromised high-interaction honeypot as a launch point to attack other internet hosts or to send spam.

Both types of honeypot have a place in honeypot cybersecurity. Using a blend of both, you can refine the basic information on threat types that comes from the low-interaction honeypots by adding information on intentions, communications, and exploits from the high-interaction honeypot.

By using cyber honeypots to create a threat intelligence framework, a business can ensure that it's targeting its cybersecurity spend at the right places and can see where it has security weak points.

The benefits of using honeypots
Honeypots can be a good way to expose vulnerabilities in major systems. For instance, a honeypot can show the high level of threat posed by attacks on IoT devices. It can also suggest ways in which security could be improved.

Using a honeypot has several advantages over trying to spot intrusion in the real system. For instance, by definition, a honeypot shouldn't get any legitimate traffic, so any activity logged is likely to be a probe or intrusion attempt.

That makes it much easier to spot patterns, such as similar IP addresses (or IP addresses all coming from one country) being used to carry out a network sweep. By contrast, such tell-tale signs of an attack are easy to lose in the noise when you are looking at high levels of legitimate traffic on your core network. The big advantage of using honeypot security is that these malicious addresses might be the only ones you see, making the attack much easier to identify.

Because honeypots handle very limited traffic, they are also resource light. They don't make great demands on hardware; it's possible to set up a honeypot using old computers that you don’t use anymore. As for software, a number of ready-written honeypots are available from online repositories, further reducing the amount of in-house effort that's necessary to get a honeypot up and running.

Honeypots have a low false positive rate. That’s in stark contrast to traditional intrusion-detection systems (IDS) which can produce a high level of false alerts. Again, that helps prioritize efforts and keeps the resource demand from a honeypot at a low level. (In fact, by using the data collected by honeypots and correlating it with other system and firewall logs, the IDS can be configured with more relevant alerts, to produce fewer false positives. In that way, honeypots can help refine and improve other cybersecurity systems.)
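The analysis the article describes, as an added example that is not part of the original: it takes a honeypot session log and answers the questions listed earlier (who is sweeping the host, who keeps hammering one service, which networks they come from), then correlates the honeypot-seen addresses with a production firewall log, which is the step this paragraph describes for turning honeypot data into higher-confidence alerts. Both logs, their formats and every address in them are constructed for this example; a GeoIP lookup for the "which country" question is left out so the code runs offline.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed honeypot session log: "timestamp source_ip honeypot_port".
HONEYPOT_LOG = """\
2023-05-30T01:02:11Z 198.51.100.7 22
2023-05-30T01:02:12Z 198.51.100.7 23
2023-05-30T01:02:12Z 198.51.100.7 80
2023-05-30T01:02:13Z 198.51.100.7 443
2023-05-30T01:02:13Z 198.51.100.7 3389
2023-05-30T01:02:14Z 198.51.100.7 8080
2023-05-30T02:15:40Z 203.0.113.9 22
2023-05-30T02:15:41Z 203.0.113.9 22
2023-05-30T02:15:43Z 203.0.113.9 22
2023-05-30T03:00:00Z 192.0.2.44 445
"""

# Constructed production firewall log: "timestamp action source_ip dest_host dest_port".
FIREWALL_LOG = """\
2023-05-30T01:05:02Z ACCEPT 198.51.100.7 billing-01 443
2023-05-30T01:05:03Z DROP 198.51.100.7 billing-01 3389
2023-05-30T01:07:20Z ACCEPT 10.0.0.15 billing-01 443
2023-05-30T02:20:00Z ACCEPT 203.0.113.9 vpn-gw 22
2023-05-30T03:30:00Z ACCEPT 172.16.4.2 billing-01 443
"""


def parse_honeypot(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, port = line.split()
            events.append((ts, src, int(port)))
    return events


def find_sweeps(events, min_ports=5):
    """Sweep: one source touching many distinct honeypot ports."""
    ports = defaultdict(set)
    for _, src, port in events:
        ports[src].add(port)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_repeat_hits(events, min_hits=3):
    """Repeated hits on one service (e.g. SSH) point at credential guessing."""
    hits = Counter((src, port) for _, src, port in events)
    return {k: n for k, n in hits.items() if n >= min_hits}


def group_by_network(events, prefixlen=24):
    """Where they come from: collapse sources into /24s. A GeoIP lookup would
    sit here in a real pipeline; it is left out so this runs offline."""
    nets = Counter()
    for _, src, _ in events:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        nets[str(net)] += 1
    return dict(nets)


def correlate_with_firewall(events, fw_text):
    """The honeypot says the source is hostile; the firewall log says what it did to
    real hosts. Returns every production firewall event from a honeypot-seen IP."""
    hostile = {src for _, src, _ in events}
    matches = []
    for line in fw_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, host, port = line.split()
        if src in hostile:
            matches.append({"ts": ts, "action": action, "src": src, "host": host, "dport": int(port)})
    return matches


if __name__ == "__main__":
    ev = parse_honeypot(HONEYPOT_LOG)
    print("sweeps:", find_sweeps(ev))
    print("repeat hits:", find_repeat_hits(ev))
    print("by network:", group_by_network(ev))
    for m in correlate_with_firewall(ev, FIREWALL_LOG):
        flag = "ACCEPTED" if m["action"] == "ACCEPT" else "dropped"
        print(f"{m['src']} also touched {m['host']}:{m['dport']} ({flag}) at {m['ts']}")
```

The ACCEPT rows in the correlation are the ones worth an analyst's time: an address that swept the honeypot minutes before completing a connection to the billing host is a far stronger signal than either log gives on its own. Treat honeypot-seen addresses as indicators with an expiry rather than a permanent blocklist, since mass scanners and shared cloud or NAT ranges will appear in any honeypot log.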