What is a Honeypot?  How Cybersecurity Experts are Fighting Back

When it comes to luring people to certain things, nothing works quite like a “honeypot.”  For Winnie-the-Pooh, his honey pot was a literal honeypot; for cybercriminals, a honeypot is a much more complex, but equally alluring, tactic.  Here we’ll go over what exactly a honeypot is (spoiler: it’s not a literal jar of honey), what a honeypot might look like when it comes to catching cybercriminals, and how exactly they can work.

Let’s get into it.

What is a Honeypot?

Broadly, a honeypot is something enticing used to lure specific people away from something, or into some type of trap or scheme.  When it comes to cybersecurity, it’s specifically used as a trap or decoy to either keep cybercriminals away from real data or to gain insight into hacker activity.

While that sounds simple enough, there are many complexities when it comes to setting up an effective honeypot, as well as a few different ways in which honeypots can be used to help boost cybersecurity.

How Honeypots Work

In cybersecurity, honeypots are fake assets, such as specific application layers or even full-scale production systems (systems that interface with customers), that look enticing to hackers attempting to illegally gather valuable data.

The honeypot will contain some form of security vulnerability that is intentionally put in place.  One of the tricks is to make the vulnerability appear real so as not to raise suspicion from any would-be hacker, but also have it be easy enough to find to grab a hacker’s attention.

An example of this could be a business running a honeypot server that looks completely real but is actually made up of fake traffic and user data.  They will then implement some sort of vulnerability into this fake system — although that part is unknown to the hacker — so that the hackers spend their time and resources trying to dig into what ultimately is fake information.  Alternatively, some honeypots draw hackers in so that security teams can then observe how hackers interact with existing security systems, and also to see what information hackers are most interested in getting into.  Again, these systems will not actually use real information as bait; instead, the honeypot relies on seemingly real but fictitious information.

Thus, honeypots can be useful both in leading hackers away from actual information as well as revealing their methods and intentions, so that security teams can better understand future attacks and build defensive systems.

How Are Honeypots Used?

As touched on above, honeypots typically serve one of two goals.  These two major ways in which honeypots are used are:

  1. Research Honeypots.  Research honeypots aim to specifically analyze hacker activity and behavior so that companies can better develop security systems to keep cybercriminals away.  These research honeypots can also be used to identify specific hackers by putting unique information in certain honeypots that can expose specific hackers.  An example of a research honeypot would be the use of a honeypot that is set up with fake traffic, so that if any real traffic is detected, security teams are alerted to a possible compromise, and can then track the activity of the suspicious user.
  2. Production Honeypots.  While research honeypots are used to track hackers and use that information to build better security systems, production honeypots are used to draw hackers away from real information.  These aim to not only keep hackers away from actual assets, but also serve to waste the time and resources of would-be hackers. 
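The research-honeypot idea above (any real activity on a decoy is an alert, and unique planted information shows where an intruder has been) can be sketched as detection logic over logs. This is an added example, not code from the original article; the log format, host names, account names and addresses are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed inventory: decoy hosts that no legitimate user or service should touch.
DECOY_HOSTS = {"hr-db-02.example.internal", "files-archive.example.internal"}

# Assumed honeytokens: one unique fake account planted in each decoy location.
CANARY_ACCOUNTS = {
    "svc_backup_7f3a": "hr-db-02 config file",
    "svc_report_c91e": "files-archive share",
}

# Constructed sample log lines (the format is hypothetical).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.4.17 dst=app-01.example.internal user=alice action=login result=ok
2024-05-01T10:02:13Z src=203.0.113.50 dst=hr-db-02.example.internal user=admin action=login result=fail
2024-05-01T10:02:40Z src=203.0.113.50 dst=hr-db-02.example.internal user=root action=login result=fail
2024-05-01T10:09:55Z src=198.51.100.23 dst=app-01.example.internal user=svc_backup_7f3a action=login result=fail
2024-05-01T10:11:02Z src=10.0.4.22 dst=app-01.example.internal user=bob action=login result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) ")

def find_alerts(log_text):
    """Return (timestamp, source, reason) for every honeypot or honeytoken hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        # Decoys carry no legitimate traffic, so any contact is suspicious.
        if m["dst"] in DECOY_HOSTS:
            alerts.append((m["ts"], m["src"], f"touched decoy host {m['dst']}"))
        # A canary account seen anywhere means the decoy holding it was read.
        if m["user"] in CANARY_ACCOUNTS:
            origin = CANARY_ACCOUNTS[m["user"]]
            alerts.append((m["ts"], m["src"], f"used canary account planted in {origin}"))
    return alerts

def alerts_by_source(alerts):
    """Group alert reasons by source address for triage."""
    grouped = defaultdict(list)
    for _ts, src, reason in alerts:
        grouped[src].append(reason)
    return dict(grouped)

if __name__ == "__main__":
    for ts, src, reason in find_alerts(SAMPLE_LOG):
        print(ts, src, reason)
```

The fourth sample line fires even though it targets a real host: the planted account was tried there, which tells the team that the decoy's contents were read and are being reused.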

Different Levels of Complexity

As with any sort of trap or decoy, there can be different levels of complexity.  When it comes to honeypots, the same holds true, as there are a variety of levels at which honeypots can be deployed.

  • Pure Honeypot.  This is the most complex form of a honeypot.  It replicates full-scale systems that appear confidential and consist of (unknown to the hacker) fake files and user information.
  • High-Interaction Honeypot.  The goal of this type of honeypot is to keep hackers engaged for as long as possible in order to gain the most amount of research data.  These honeypots will often consist of various systems and databases that look appealing to hackers, so they try to work their way further into the system (and thus stay engaged with the honeypot longer).
  • Mid-Interaction Honeypot.  This type of honeypot is most often used as a security layer, as it mimics elements of the application layer.  Its goal is to stall attackers in order to give security teams more time to counter an attack.
  • Low-Interaction Honeypot.  These honeypots are relatively simple when compared to the others, and aim to gather basic information about possible threats and where they come from.  Low-interaction honeypots can often be sniffed out as fake by seasoned hackers, but still serve as a low-maintenance way to catch attacks coming from bots or malware.

Types of Honeypots

Beyond general purposes and levels of complexity, honeypots can be broken down into more specific types that aim to accomplish targeted goals.  Some of the most common include:

  • Database Honeypots.  Decoy databases that are meant to lure away any attackers who are able to get around firewalls.
  • Malware Honeypot.  Honeypots placed to imitate known malware attack vectors (places malware tends to enter a system or network).
  • Spam Honeypot.  Designed to attract spam emails in order to help identify spammers and block any malicious spam attempts.
  • Client Honeypot.  This honeypot poses as a client in order to attract hackers who target clients through modifications to servers. 

Fighting cybercriminals is a moving target, so new forms of honeypots are being developed and deployed all the time.  While the ones listed above are common, there are a number of other honeypots being used to thwart attacks.

Benefits and Drawbacks of Honeypots

It never hurts to strengthen cybersecurity, and honeypots are an effective way to do so.

Benefits of honeypots:

  • Low maintenance.  Once a honeypot is set up, cybersecurity teams just have to sit back and wait for an attacker to interact with it.  Because they only interact with malicious activity, there’s no need to constantly monitor legitimate activity.
  • Effective and efficient.  While traditional cybersecurity systems are prone to false positives due to them interacting with a mix of legitimate and malicious users, when a honeypot detects activity, it’s a certain sign of an attack.
  • Provides valuable insight.  Because honeypots can be used as a research tool, they are able to collect data and monitor malicious tools and behavior.  By having access to this information, cybersecurity teams are better able to implement security systems before it’s too late.

Drawbacks of honeypots:

  • Not stand-alone solutions.  While honeypots are certainly a great tool in gathering data or tricking hackers into a time-wasting path, they are only effective at monitoring what happens within the honeypot.  That’s to say, they won’t provide any help should a hacker access a legitimate system. 
  • Can be detected.  This isn’t the biggest drawback, but experienced hackers have a higher chance of sniffing out honeypots, and thus the data gained from them might not always include the tactics used by the best of the best when it comes to cybercriminals.
  • Can create potential vulnerabilities.  Honeypots are designed to look like accidental vulnerabilities in a system.  While they are built to be isolated from the real network, at some point they have the possibility to be connected (especially when setting up a high-interaction honeypot).  That means that a mistake when setting up the honeypot, mixed with a skilled hacker, can result in an unintended compromise of the network.

How Hackers Can Flip the Script 

While it is interesting to know how cybersecurity teams are working to ensure the safety of their users, honeypots don’t feel very applicable to your everyday internet user.  While that’s true to some extent, cybercriminals have their own form of honeypot attack, more commonly referred to as a watering hole attack.

Watering hole attacks work by compromising a website that a certain group of people frequently visit and therefore trust.  If attackers are able to do this without detection, they can alter the website to include malicious links.  Because users of said website tend to frequent the site, they often won’t think twice before clicking a strange link or accepting some type of download (for example, you might think you’re clicking a PDF download link, when in fact it’s something malicious placed by a cybercriminal).

How You Can Stay Safe 

It might sound like protecting yourself from this sort of attack is out of your control, but there are certain internet safety practices that can help ensure you don’t fall for this sort of trick. 

  • Make sure you always keep your computer up to date, as the latest security measures are more likely to catch any new forms of attacks.  
  • If your job gives you access to valuable organizational information, then you should keep all professional and personal devices and accounts separate.  
  • You should always ensure your password health is up to snuff, and it never hurts to consider using services such as a VPN.

Learn From the Pros and Apply It

While cybersecurity honeypots might be fairly specific, the concept of using a so-called honeypot is nothing new.  In fact, catfishing is a highly similar tactic that people fall victim to every day.  You can leave internet honeypots to the professionals, but if you ever feel like you’re being lured in by a person who isn’t who they claim to be, tools like Spokeo’s people finder can help you from getting caught in a trap.

Cyrus Grant is a writer from Southern California with a background in law and dispute resolution. When he isn’t writing he can be found deep-diving into the latest technology trends or simply spending time at the beach. 
