Honeypots are a form of proactive threat detection. Proactive threat detection is the next step in improving an organization’s security posture. It has significant advantages: for example, it provides information about the kinds of threats attacking the organization and about the vulnerabilities they are trying to exploit.
It works like a trap
A honeypot is a monitored resource that serves as a trap or a decoy against an attack or a threat. It is a security tool that helps to prevent and detect IT security issues and to gather information about them. It prevents the threat from compromising its intended target by deflecting the threat from real systems to the honeypot. It works by appearing to be, or by having the characteristics of, the threat’s desired target.
Interesting fact: Lots of hackers look for open, unencrypted communication ports like Telnet. It’s an ideal place to set up a PortHoneypot. 🙂
It detects the threat through anomalies or unusual behaviors exhibited by the honeypot, and these behaviors can be used as a signature to identify the threat. The honeypot gathers information by observing the attack or threat as it operates inside the honeypot. It does this by monitoring host changes and network traffic. It is the same concept as a sandbox, but instead of running a piece of malware and capturing information as a result of that execution, the honeypot continuously monitors for changes and captures information so it can be reviewed to determine whether an attack has already taken place or is taking place.
Honeypots are designed as bait, so their deployment must not affect production systems in any way. A honeypot can be any resource, e.g. a virtualized machine, a network drive, a network service, an e-mail address or even a single port.
Interesting fact: When two or more honeypots are deployed as a system or a host and are connected to each other to simulate a production network, it is called a honeynet. The originator of this concept was Lance Spitzner of the Honeynet Project.
Two types of honeypots: active and passive
A passive (or low-interaction) honeypot just sits there waiting to be attacked. It can be a system with low-level security and a lot of vulnerable applications waiting to be compromised. It can appear like a real workstation and simulate user behavior such as logging in and out of websites and opening applications. Or it can be a “fake” e-mail address that is used as a hook for spear or whale phishing.
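The following is an added example, not code from the original post, showing the passive honeypot idea from the paragraph above together with the detection logic described earlier (a decoy port that logs host and network activity and turns every touch into an alert). It assumes a loopback-only TCP listener, a constructed fake banner and a constructed probe client (simulate_probe) so it runs offline; the event format and alert wording are my own choices, not a standard.

```python
import socket
import threading
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed banner for the decoy; a real deployment would mimic the service it imitates.
FAKE_BANNER = b"login: "


@dataclass
class HoneypotEvent:
    """One observed touch of the decoy: who connected and what they sent first."""
    timestamp: float
    peer_ip: str
    peer_port: int
    received: bytes


class DecoyListener:
    """A minimal passive (low-interaction) decoy port.

    Nothing legitimate ever connects to a decoy, so every accepted connection
    is an anomaly by definition and is recorded for alerting and review.
    """

    def __init__(self, host: str = "127.0.0.1", port: int = 0, banner: bytes = FAKE_BANNER):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0 = let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # lets the accept loop notice shutdown
        self.banner = banner
        self.events: List[HoneypotEvent] = []
        self._lock = threading.Lock()
        self._running = False
        self._thread: Optional[threading.Thread] = None

    @property
    def port(self) -> int:
        return self._sock.getsockname()[1]

    def start(self) -> None:
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self) -> None:
        self._running = False
        if self._thread:
            self._thread.join()
        self._sock.close()

    def _serve(self) -> None:
        # Accept loop: greet with the fake banner, capture the first bytes sent, then close.
        while self._running:
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(256)
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.events.append(HoneypotEvent(time.time(), ip, port, data))

    def wait_for_events(self, count: int, timeout: float = 3.0) -> bool:
        """Block until at least `count` events were recorded (or the timeout expires)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.05)
        return False

    def alerts(self) -> List[str]:
        """Render events as alert lines; the policy is simply 'any touch of a decoy is suspicious'."""
        with self._lock:
            return [
                f"ALERT decoy port {self.port} touched by {e.peer_ip}:{e.peer_port} "
                f"first_bytes={e.received!r}"
                for e in self.events
            ]


def simulate_probe(port: int, payload: bytes = b"test-user\r\n") -> bytes:
    """Constructed stand-in for a scanner touching the decoy; returns the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = DecoyListener()
    hp.start()
    simulate_probe(hp.port)
    hp.wait_for_events(1)
    for line in hp.alerts():
        print(line)
    hp.stop()
```

Running the module prints one alert line for the constructed probe. In a real deployment the alerts() output would be shipped to the SIEM, and the captured first bytes become the behavioral signature the post mentions.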
Interesting fact: Spear phishing is a targeted form of phishing. The hackers target specific organizations hoping that they can gain access to confidential information. Whale phishing or whaling are phishing attempts that are directed specifically toward senior executives, managers, CEOs and other high-profile business targets.
An active (or high-interaction) honeypot actively seeks out the threat. It is similar to a passive honeypot that mimics user behavior, but there is more to it: it actively crawls and clicks links on dangerous websites that will likely result in an infection.
We are going to continue this thread in the near future with a post about honeypot setup.
Our CEO also had a presentation about this topic, we encourage you to check it. 😉