What is a honeypot? A trap for catching hackers in the act
- 01 April, 2019 21:00
A honeypot is a trap that an IT pro lays for a malicious hacker, hoping that they'll interact with it in a way that provides useful intelligence. It's one of the oldest security measures in IT, but beware: luring hackers onto your network, even on an isolated system, can be a dangerous game.
Norton's simple definition of a honeypot is a good starting place: "A honeypot is a computer or computer system intended to mimic likely targets of cyberattacks." Often a honeypot will be deliberately configured with known vulnerabilities in place to make a more tempting or obvious target for attackers. A honeypot won't contain production data or participate in legitimate traffic on your network — that's how you can tell anything happening within it is a result of an attack. If someone's stopping by, they're up to no good.
That definition covers a diverse array of systems, from bare-bones virtual machines that only offer a few vulnerable systems to elaborately constructed fake networks spanning multiple servers. And the goals of those who build honeypots can vary widely as well, ranging from defense in depth to academic research. In addition, there's now a whole marketing category of deception technology that, while not meeting the strict definition of a honeypot, is definitely in the same family. But we'll get to that in a moment.
Types of honeypots
There are two different schemes for categorizing honeypots: one based on how they're built, and one based on what they're for.
Let's first look at the different ways a honeypot can be implemented. Fidelis Cybersecurity breaks it down:
- A pure honeypot is a physical server configured in such a way as to lure in attackers. Special monitoring software keeps an eye on the connection between the honeypot and the rest of the network. Because these are full-fledged machines, they make for a more realistic-looking target to attackers, but there is a risk that attackers could turn the tables on the honeypot's creators and use the honeypot as a staging server for attacks. They're also labor-intensive to configure and manage.
- A high-interaction honeypot uses virtual machines to keep potentially compromised systems isolated. Multiple virtual honeypots can be run on a single physical device. This makes it easier to scale up to multiple honeypots and to sandbox compromised systems and then shut them down and restart them, restored to a pristine state. However, each VM is still a full-fledged server, with all the attendant configuration costs.
- A low-interaction honeypot is a VM that only runs a limited set of services representing the most common attack vectors, or the attack vectors that the team building the honeypot is most interested in. This type of honeypot is easier to build and maintain and consumes fewer resources, but is more likely to look "fake" to an attacker.
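To make the low-interaction trade-off concrete, here is a small honeypot of that kind written for this article as an added example; it is not code from the article, from Honeyd, from Cowrie, or from any other project. It emulates exactly one service, a Telnet-style login prompt, rejects every credential pair, and records each session as a JSON event. The banner string, the port 2323, and the three-attempt limit are assumptions chosen for the example.

```python
"""Minimal low-interaction honeypot: a fake Telnet-style login prompt.

Added example (not from the article or any named project). Only one
service is emulated and nothing an attacker types is ever executed;
the point is to record connection attempts and credential guesses.
"""
import json
import socketserver
import time

BANNER = b"Ubuntu 18.04 LTS\r\n"  # constructed decoy banner (assumption)
MAX_ATTEMPTS = 3                    # mimic a real login that gives up after a few tries


def _read_line(rfile, limit=256):
    """Read one line (at most `limit` bytes); None means the client hung up."""
    data = rfile.readline(limit)
    if not data:
        return None
    return data.rstrip(b"\r\n").decode("utf-8", errors="replace")


def run_fake_login(rfile, wfile, peer):
    """Drive one fake login session over file-like objects.

    Every user/password pair is rejected. Returns an event dict that a
    logger or SIEM can consume. `peer` is the (ip, port) of the client.
    """
    started = time.time()
    event = {"ts": started, "src_ip": peer[0], "src_port": peer[1],
             "service": "fake-telnet", "attempts": []}
    wfile.write(BANNER)
    wfile.flush()
    for _ in range(MAX_ATTEMPTS):
        wfile.write(b"login: ")
        wfile.flush()
        user = _read_line(rfile)
        if user is None:
            break
        wfile.write(b"Password: ")
        wfile.flush()
        password = _read_line(rfile)
        if password is None:
            break
        event["attempts"].append({"user": user, "password": password})
        wfile.write(b"\r\nLogin incorrect\r\n")
        wfile.flush()
    event["duration"] = round(time.time() - started, 3)
    return event


class FakeLoginHandler(socketserver.StreamRequestHandler):
    timeout = 30  # drop idle clients so a scanner cannot pin a thread forever

    def handle(self):
        try:
            event = run_fake_login(self.rfile, self.wfile, self.client_address)
        except OSError:  # timeout or reset mid-session: nothing to record
            return
        self.server.events.append(event)
        print(json.dumps(event), flush=True)  # one JSON line per session


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind):
        super().__init__(bind, FakeLoginHandler)
        self.events = []  # in-memory copy of what was printed


if __name__ == "__main__":
    # Unprivileged port (assumption); forward 23 to it if you want the real port.
    with Honeypot(("0.0.0.0", 2323)) as srv:
        print("fake login honeypot listening on 2323")
        srv.serve_forever()
```

Because the session logic takes plain file objects, it can be exercised without a network, and the same function can be wired to any transport. A real deployment would write the JSON lines to a file or syslog rather than stdout, and would sit on an isolated segment so that the only thing an attacker can reach from it is more honeypot.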
Another way to divide honeypots up is by the intentions behind those who build them: there are research honeypots and production honeypots. The distinction between the two gets into the weeds of what honeypots are actually used for in practice, so we'll discuss that next.
What is a honeypot used for?
As Information Security Solutions Review explains it, research honeypots aim to allow close analysis of how hackers do their dirty work. The team controlling the honeypot can watch the techniques hackers use to infiltrate systems, escalate privileges, and otherwise run amok through target networks. These types of honeypots are set up by security companies, academics, and government agencies looking to examine the threat landscape. Their creators may be interested in learning what sort of attacks are out there, getting details on how specific kinds of attacks work, or even trying to lure a particular hacker in the hopes of tracing the attack back to its source. These systems are often built in fully isolated lab environments, which ensures that any breaches don't result in non-honeypot machines falling prey to attacks.
Production honeypots, on the other hand, are usually deployed in proximity to some organization's production infrastructure, though measures are taken to isolate them as much as possible. These honeypots often serve as bait to distract hackers who may be trying to break into that organization's network, keeping them away from valuable data or services; they can also serve as a canary in the coal mine, indicating that attacks are underway and are at least in part succeeding.
What is the difference between a honeypot and a honeynet?
Honeynets are a logical extension of the honeypot concept. A honeypot is an individual machine (or virtual machine), whereas a honeynet is a series of networked honeypots. Attackers will, of course, expect to find not just a single machine on their victim's infrastructure, but many servers of different specialized types. By watching attackers move across the network from file servers to web servers, for instance, you'll have a better sense of what they're doing and how they're doing it — and they'll be more willing to buy into the illusion that they've really breached your network. A key feature of honeynets is that they connect and interact as a real network would, because an emulated or abstracted layer would be a tip-off.
Honeypots and honeynets are the basis of so-called deception technology. Deception products often include honeypots and honeynets but may also put "bait" files on production servers. Marc Laliberte over at DarkReading says that the category "more or less refers to modern, dynamic honeypots and honeynets." The biggest distinction is that deception technology includes automated features that allow the tool to respond in real time to attacks, luring attackers to a deception asset rather than its real counterpart. CSO tested out four different deception tools, and the review should help you understand how they work.
A key point about all these tools, as Laliberte points out, is that while they deliver data about attackers, they don't necessarily respond to those attacks directly. You still need someone to analyze the information about what attackers are doing in your honeypot or on your honeynet, though there are security vendors that offer analysis and protection as a service, so you don't need to handle this in-house.
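The analysis step that Laliberte describes, and the canary role of a production honeypot discussed earlier, both come down to the same rule: a honeypot carries no legitimate traffic, so every hit is a signal and the only question is how loud. The triage routine below is an added example written for this article, not part of the article or of any vendor's product. It assumes honeypot events arrive as JSON lines with `ts`, `src_ip`, `service` and a list of credential `attempts` (a constructed format), and the internal address ranges are a placeholder for your own address plan; the sample events are constructed.

```python
"""Triage honeypot events into alerts (added example, constructed data).

Rules, in order: an internal source touching a honeypot is the canary
case (something already inside the network is probing) and is critical;
an external source that keeps guessing credentials is medium; a single
external touch is low, since internet scanners hit everything.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Placeholder for the organization's internal address space (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample events, in the shape a simple honeypot logger might emit.
SAMPLE_EVENTS = """\
{"ts": 1554152400, "src_ip": "198.51.100.7", "service": "fake-telnet", "attempts": [{"user": "root", "password": "root"}]}
{"ts": 1554152430, "src_ip": "198.51.100.7", "service": "fake-telnet", "attempts": [{"user": "admin", "password": "admin"}, {"user": "root", "password": "123456"}]}
{"ts": 1554152500, "src_ip": "10.20.30.40", "service": "fake-smb", "attempts": []}
{"ts": 1554152560, "src_ip": "10.20.30.40", "service": "fake-telnet", "attempts": [{"user": "svc_backup", "password": "Winter2019!"}]}
{"ts": 1554152600, "src_ip": "203.0.113.9", "service": "fake-telnet", "attempts": [{"user": "root", "password": "root"}]}
"""

SEVERITY_ORDER = {"critical": 0, "medium": 1, "low": 2}


def is_internal(ip):
    """True if `ip` falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse JSON lines; a malformed line is skipped, not allowed to stop triage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events, external_threshold=3):
    """Group events by source and return alerts, most severe first."""
    by_src = defaultdict(lambda: {"hits": 0, "services": set(), "creds": 0,
                                  "first": None, "last": None})
    for ev in events:
        s = by_src[ev["src_ip"]]
        s["hits"] += 1
        s["services"].add(ev["service"])
        s["creds"] += len(ev.get("attempts", []))
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])

    alerts = []
    for ip, s in by_src.items():
        if is_internal(ip):
            severity = "critical"
            reason = "internal host contacting honeypot (possible lateral movement)"
        elif s["creds"] >= external_threshold:
            severity = "medium"
            reason = "repeated credential guessing from the internet"
        else:
            severity = "low"
            reason = "single external touch (scanner noise)"
        alerts.append({"src_ip": ip, "severity": severity, "reason": reason,
                       "hits": s["hits"], "credential_attempts": s["creds"],
                       "services": sorted(s["services"]),
                       "first_seen": s["first"], "last_seen": s["last"]})
    alerts.sort(key=lambda a: (SEVERITY_ORDER[a["severity"]], -a["credential_attempts"]))
    return alerts


def top_credentials(events, n=5):
    """Most-tried user/password pairs: useful for spotting a real account name
    (like svc_backup above) being sprayed, which warrants a password reset."""
    counts = Counter((a["user"], a["password"])
                     for ev in events for a in ev.get("attempts", []))
    return counts.most_common(n)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in triage(evs):
        print(json.dumps(alert))
    print("top credentials:", top_credentials(evs))
```

Run against the constructed sample, the internal host 10.20.30.40 is reported first as critical even though it made fewer credential attempts than the external scanner, which is the behaviour you want from a canary: the external noise is informative, the internal touch is an incident.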
One of the earliest high-profile infosec stories involved what is almost certainly the first use of a honeypot. As detailed in his book, The Cuckoo's Egg, in 1986 UC Berkeley sysadmin Clifford Stoll tried to track down an apparently erroneous charge for $0.75 for use of a Unix system at Lawrence Berkeley Lab; in the process, he discovered that someone was dialing into the system and had managed to gain superuser access. Stoll implemented two honeypot-like defenses to track down the hacker: he attached borrowed terminals to all fifty incoming phone lines over a long weekend and waited for the hacker to dial in; once he realized that the hacker was looking for information on nuclear defense secrets, he created an entirely fictitious department at LBL supposedly working on the "Star Wars" missile defense system in order to lure the hacker into spending time there. Eventually, the attacker was arrested and revealed to be a West German working for the KGB.
Another important early honeypot incident came in 1990, when a hacker attempted to break into AT&T Bell Labs and steal its password file. Internet pioneer Bill Cheswick, working for Bell Labs at the time, led the attacker on what he called "a merry chase" through some ad-hoc honeypot systems to trace his location and learn his techniques; his writeup of the incident, "An Evening with Berferd," was extremely influential.
Soon honeypots started to become a more standardized part of the security pro's toolbox. The Deception Toolkit project launched in 1997; though it's now dormant, its website is still up in all its late '90s web design glory. The Honeynet Project, which began in 1999, remains active today as a security community resource.
There are a number of honeypot projects with offerings out there, most of them free and open source. One of the most venerable is Honeyd, a virtual low-interaction honeypot. The aforementioned Honeynet Project has assembled an extensive list of tools that provide not just honeypot functionality but ways to analyze the data the honeypots collect.
There's also an awesome list of honeypots on GitHub that breaks them down into various categories. The list is actually a great way to learn about the diversity of honeypot types out there — there are, for instance, honeypots that simulate everything from databases to industrial SCADA devices.
There are few standalone commercial honeypot systems; instead, most deception vendors offer honeypots as part of their solutions; Rapid7's InsightIDR is one such product. CSO's David Strom examined a number of deception offerings and how to evaluate them.
Build a honeypot system
Ready to roll out your own honeypot? You might want to follow along with an online tutorial. Splunk, a security tool that can take in information from honeypots, outlines how to set up a honeypot using the open source Cowrie package. And if you want to keep things isolated from your own system, 0x00sec.org will tell you how to set up a honeypot — for free! — on an Amazon AWS server.