Describe the purpose of a honeypot.

Cybersecurity experts strive to enhance the security and privacy of computer systems. Quietly observing threat actors in action can help them understand what they have to defend against. A honeypot is one such tool that enables security professionals to catch bad actors in the act and gather data on their techniques. Ultimately, this information allows them to learn and improve security measures against future attacks.

Definition of a honeypot

What does “honeypot” mean in cybersecurity? In layman’s terms, a honeypot is a computer system intended as bait for cyberattacks. The system’s defenses may be weakened to encourage intruders. While cybercriminals infiltrate the system or hungrily mine its data, behind the smokescreen, security professionals can study the intruder’s tools, tactics and procedures. You might think of it as laying a trap for someone you know is coming with bad intentions and then watching their behavior so you can better prepare for future attacks.

Types of honeypots

In the world of cybersecurity, a honeypot appears to be a legitimate computer system, while the data is usually fake. For example, a media distribution company may host a bogus version of a film on a computer with intentional security flaws to protect the legitimate version of the new release from online pirates.

There are several different types of honeypots. Each has its own set of strengths. The kind of security mechanism an organization uses will depend on their goals and the intensity of threats they face.

Low-interaction honeypots

A low-interaction honeypot offers hackers emulated services with a narrow level of functionality on a server. The objective of this trap is usually to learn an attacker’s location and nothing more. Low-interaction honeypots are low-risk, low-reward systems.

High-interaction honeypots

Unlike the low-interaction variety, a high-interaction honeypot offers a hacker plenty to do on a system with few restrictions. This high-interaction ploy aims to study a threat actor for as long as possible and gather actionable intelligence.

Email traps

Technology companies use email traps to compile extensive deny lists of notorious spam agents. An email trap is a fake email address that attracts mail from automated address harvesters. The mail is analyzed to gather data about spammers, block their IP addresses, redirect their emails, and help keep spam out of users’ inboxes.

Decoy database

A SQL injection is a code injection technique used to attack databases. Network security experts create decoy databases to study flaws and identify exploits in data-driven applications in order to defend against such malicious code.

Spider honeypot

A spider honeypot is a type of honeypot network that consists of links and web pages that only automated crawlers can access. IT security professionals use spider honeypots to trap and study web crawlers in order to learn how to neutralize malicious bots and ad-network crawlers.

Malware honeypot

A malware honeypot is a decoy that encourages malware attacks. Cybersecurity professionals can use the data from such honeypots to develop better antivirus software for Windows and Mac. They also study the malware attack patterns to enhance malware detection technology and thwart malspam such as GuLoader.

Pros and cons of honeypot use

Although there are many benefits of honeypots, they can also backfire if they fail to cage their prey. For example, a skilled hacker can use a decoy computer to their advantage. Here are some pros and cons of honeypots:

Benefits of using honeypots

  • They can be used to understand the tools, techniques and procedures of attackers.
  • An organization can use honeypots to ascertain the skill levels of potential online attackers.
  • Honeypotting can help determine the number and location of threat actors.
  • It allows organizations to distract hackers from authentic targets.

Dangers and disadvantages of using honeypots

  • A clever hacker may be able to use a decoy computer to attack other systems in a network.
  • A cybercriminal may use a honeypot to supply bad intelligence.
  • Its use can result in myopic vision if it's the only source of intelligence.
  • A spoofed honeypot can result in false positives, leading IT professionals on frustrating wild goose chases.

While there are pros and cons, careful and strategic use of a honeypot to gather intelligence can help a company enhance its security response measures and stop hackers from breaching its defenses, leaving it less vulnerable to cyberattacks and exploits.

There are many applications and use cases for honeypots, as they work to divert malicious traffic away from important systems, get an early warning of a current attack before critical systems are hit, and gather information about attackers and their methods. If the honeypots don’t actually contain confidential data and are well-monitored, you can get insight on attacker tools, tactics, and procedures (TTPs) and gather forensic and legal evidence without putting the rest of your network at risk.

For a honeypot to work, the system should appear to be legitimate. It should run processes a production system is expected to run, and contain seemingly important dummy files. The honeypot can be any system that has been set up with proper sniffing and logging capabilities. It’s also a good idea to place a honeypot behind your corporate firewall—not only does it provide important logging and alerting capabilities, but you can block outgoing traffic so that a compromised honeypot cannot be used to pivot toward other internal assets.

In terms of objectives, there are two types of honeypots: research and production honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior out in the wild. Looking at both your environment and the wider world, they gather information about attacker trends, malware strains, and vulnerabilities that are actively being targeted by adversaries. This can inform your preventative defenses, patch prioritization, and future investments.

Production honeypots, on the other hand, are focused on identifying active compromise on your internal network and tricking the attacker. Information gathering is still a priority, as honeypots give you additional monitoring opportunities and fill in common detection gaps around identifying network scans and lateral movement. Production honeypots sit with the rest of your production servers and run services that would typically run in your environment. Research honeypots tend to be more complex and store more types of data than production honeypots.

Honeypot complexity varies

Within production and research honeypots, there are also differing tiers depending on the level of complexity your organization needs:

  • Pure honeypot: This is a full-scale, completely production-mimicking system that runs on various servers. It contains “confidential” data and user information, and is full of sensors. Though these can be complex and difficult to maintain, the information they provide is invaluable.
  • High-interaction honeypot: This is similar to a pure honeypot in that it runs a lot of services, but it is not as complex and does not hold as much data. High-interaction honeypots are not meant to mimic a full-scale production system, but they do run (or appear to run) all the services that a production system would run, including a proper operating system. This type of honeypot allows the deploying organization to see attacker behaviors and techniques. High-interaction honeypots are resource-intensive and come with maintenance challenges, but the findings can be worth the squeeze.
  • Mid-interaction honeypot: These emulate aspects of the application layer but do not have their own operating system. They work to stall or confuse attackers so that organizations have more time to figure out how to properly react to an attack.
  • Low-interaction honeypot: This type of honeypot is the most commonly deployed in a production environment. Low-interaction honeypots run a handful of services and serve as an early warning detection mechanism more than anything. They are easy to deploy and maintain, with many security teams deploying multiple honeypots across different segments of their network.
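As an added example (not part of the original article), the sketch below shows what a minimal low-interaction honeypot of the kind described above looks like: it emulates two services with fake banners, records every connection as a structured log event, and applies a simple early-warning rule that separates a single probe from a source that is scanning several decoy ports. The banners, ports and sample events are constructed for illustration.

```python
import asyncio
import json
import time
from collections import defaultdict

# Emulated services: port -> fake banner. Constructed values; unprivileged
# ports are used so the sensor can run without root. Nothing legitimate should
# ever talk to these, so any contact is worth an alert.
DECOY_SERVICES = {2222: b"SSH-2.0-OpenSSH_8.9p1\r\n",
                  2121: b"220 ftp.corp.example FTP server ready\r\n"}
EVENTS = []  # in-memory log; a real deployment ships these to a SIEM

def make_event(src_ip, port, first_bytes, ts=None):
    """One structured record per decoy connection (hypothetical helper)."""
    return {"ts": time.time() if ts is None else ts, "src": src_ip,
            "port": port, "data": first_bytes[:64].hex()}

async def handle(reader, writer, port):
    """Send the fake banner, capture what the client sends, then hang up."""
    peer = writer.get_extra_info("peername")[0]
    writer.write(DECOY_SERVICES[port])
    await writer.drain()
    try:
        data = await asyncio.wait_for(reader.read(256), timeout=5)
    except asyncio.TimeoutError:
        data = b""
    EVENTS.append(make_event(peer, port, data))
    print(json.dumps(EVENTS[-1]))
    writer.close()

def triage(events):
    """Early-warning rule: group events by source; a source touching two or
    more distinct decoy ports is classed as a scan, a single port as a probe."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        ports = sorted({e["port"] for e in evs})
        verdicts[src] = {"ports": ports, "hits": len(evs),
                         "verdict": "scan" if len(ports) >= 2 else "probe"}
    return verdicts

async def serve():
    servers = [await asyncio.start_server(lambda r, w, p=p: handle(r, w, p), "0.0.0.0", p)
               for p in DECOY_SERVICES]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(serve())  # pair with a host firewall that blocks outbound traffic
```

The sensor only listens and logs; egress from the host should still be blocked at the firewall so a compromised decoy cannot be used as a pivot.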

Different types of honeypot tech

Several honeypot technologies in use include the following:

  • Malware honeypots: These use known replication and attack vectors to detect malware. For example, some honeypots (e.g., Ghost) have been crafted to emulate a USB storage device. If a machine is infected by malware that spreads via USB, the honeypot tricks the malware into infecting the emulated device.
  • Spam honeypots: These are used to emulate open mail relays and open proxies. Spammers will test the open mail relay by sending themselves an email first. If they succeed, they then send out large quantities of spam. This type of honeypot can detect and recognize this test and successfully block the massive volume of spam that follows.
  • Database honeypots: Activities such as SQL injections can often go undetected by network firewalls, so some organizations use a database firewall, which can provide honeypot support to create decoy databases.
  • Client honeypots: Most honeypots are servers listening for connections. Client honeypots actively seek out malicious servers that attack clients, monitoring for suspicious and unexpected modifications to the honeypot. These systems generally run on virtualization technology and have a containment strategy to minimize risk to the research team.
  • Honeynets: Rather than being a single system, a honeynet is a network that can consist of multiple honeypots. Honeynets aim to strategically track the methods and motives of an attacker while containing all inbound and outbound traffic.

Benefits of a honeypot

Honeypots offer plenty of security benefits to organizations that choose to implement them, including the following:

They break the attacker kill chain and slow attackers down

As attackers move throughout your environment, they conduct reconnaissance, scan your network, and seek misconfigured and vulnerable devices. At this stage, they are likely to trip your honeypot, alerting you to investigate and contain attacker access. This allows you to respond before an attacker has the chance to successfully exfiltrate data from your environment. Malicious actors can also spend a significant amount of time trying to work on the honeypot instead of going after areas that have real data. Diverting their attack to a useless system wastes cycles and gives you early warning of an attack in progress.

They are straightforward and low-maintenance

Modern honeypots are not only easy to download and install, but can provide accurate alerts around dangerous misconfigurations and attacker behavior. In some cases, your team might even forget that a honeypot was ever deployed until someone starts poking around your internal network. Unlike intrusion detection systems, honeypots do not require known-bad attack signatures and fresh threat intel to be useful.

They help you test your incident response processes

Honeypots are a low-cost way to help you increase your security maturity, as they test whether your team knows what to do if a honeypot reveals unexpected activity. Can your team investigate the alert and take appropriate countermeasures?

Honeypots shouldn’t be your entire threat detection strategy, but they are another layer of security that can be helpful in discovering attacks early. They are one of the few methods available to security practitioners to study real-world malicious behavior and catch internal network compromise. Want to learn more about other types of tech that can boost your blue team defenses? Check out our page on deception technology.