In the cybersecurity world, honeypots are decoy systems designed to lure attackers away from the real targets (sensitive corporate data repositories and vulnerable systems and applications) and to expose the attackers’ presence and methods while they interact with the decoy.
To an attacker, a honeypot looks like a genuine computer system carrying data and applications, so it dupes intruders into believing they have found an authentic target such as a corporate accounting or HR system.
Once the intruders have breached the honeypot’s deliberately weak defences, their activities can be tracked and their techniques and methods analysed. This data is valuable intelligence that can be used to strengthen the defences of the corporate network.
By design, a honeypot attracts no legitimate traffic, so every connection it logs is almost certainly a probe or an intrusion attempt. The little noise that remains is usually internet-wide scanners and the organisation’s own vulnerability scans, which should be filtered out before the alerts are acted on.
Did you know that the term “honeypot” comes from the world of espionage? It refers to the romantic relationships cultivated by Mata Hari-type spies who use their feminine wiles to steal secrets from the enemy.
How is an effective honeypot established?
The approach is to build in deliberate weaknesses, or to plant material that makes the honeypot attractive to an attacker. For instance, the honeypot may expose accounts with weak, easily guessed passwords, present open ports and outdated service banners, or hold plausible-looking but fake data. Every such weakness must be contained: the honeypot has to be isolated from production systems so that it never becomes a foothold into the real network.
Honeypots also play a role in security testing and threat assessment, supplying forensic evidence that can be used to map existing threats and identify new ones, whether they emanate from trusted insiders or external attackers.
For organisations that regard honeypots as worthwhile protection, there are several types to choose from. The choice should be driven by where you believe you are most exposed, and it is not limited to one type: deploy as many as your circumstances warrant.
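As an added example written for this page (not code from the original article or from any honeypot product), here is a minimal telnet-style honeypot that applies the idea: it advertises a bait set of default credentials, records every login attempt and every command an intruder types as a JSON line, and executes nothing. The banner text, the credential list, the port and the session limits are assumptions chosen for illustration.

```python
"""Minimal telnet-style credential honeypot (added illustration).

It shows a fake BusyBox login prompt, accepts a short list of default
credentials so the attacker keeps talking, and logs every login attempt
and every command as one JSON line.  Nothing is executed: the "shell"
only ever answers "not found".
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Hypothetical bait: default credentials that IoT botnets try first.
BAIT_CREDS = {("root", "root"), ("admin", "admin"), ("admin", "1234")}
BANNER = b"\r\nBusyBox v1.21.1 (2014-03-07) built-in shell (ash)\r\n\r\n"  # hypothetical
MAX_LOGINS = 3
MAX_COMMANDS = 20
SESSION_TIMEOUT = 60  # seconds of silence before a session is dropped


def _readline(conn, limit=512):
    """Read one CRLF/LF-terminated line; None on a clean EOF.
    Telnet IAC option negotiation (0xFF ...) is not handled here and
    would need stripping in a real deployment."""
    buf = bytearray()
    while len(buf) < limit:
        ch = conn.recv(1)
        if not ch:
            return buf.decode("utf-8", errors="replace") if buf else None
        if ch == b"\n":
            break
        if ch != b"\r":
            buf += ch
    return buf.decode("utf-8", errors="replace")


def event(peer, kind, **fields):
    """One log record; peer is the (ip, port) tuple from accept()."""
    ev = {"ts": datetime.now(timezone.utc).isoformat(),
          "src_ip": peer[0], "src_port": peer[1], "event": kind}
    ev.update(fields)
    return ev


def handle_session(conn, peer, sink=print):
    """Drive one attacker session; returns the list of logged events."""
    events = []

    def log(kind, **fields):
        ev = event(peer, kind, **fields)
        events.append(ev)
        sink(json.dumps(ev))

    conn.settimeout(SESSION_TIMEOUT)
    try:
        conn.sendall(BANNER)
        authed = False
        for _ in range(MAX_LOGINS):
            conn.sendall(b"login: ")
            user = _readline(conn)
            if user is None:
                break
            conn.sendall(b"Password: ")
            pw = _readline(conn)
            if pw is None:
                break
            ok = (user, pw) in BAIT_CREDS
            log("login", username=user, password=pw, accepted=ok)
            if ok:
                authed = True
                break
            conn.sendall(b"\r\nLogin incorrect\r\n")
        if authed:
            for _ in range(MAX_COMMANDS):
                conn.sendall(b"# ")
                cmd = _readline(conn)
                if cmd is None or cmd == "exit":
                    break
                if not cmd.strip():
                    continue
                log("command", input=cmd)
                # Never run anything; pretend the binary is missing.
                conn.sendall(b"-sh: " + cmd.split()[0].encode() + b": not found\r\n")
    except OSError:  # timeout, reset, broken pipe
        log("error", detail="connection dropped")
    finally:
        conn.close()
    return events


def serve(host="0.0.0.0", port=2323):
    """Accept loop, one thread per attacker.  Port 23 needs privileges or
    a port redirect, so 2323 is used here."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_session, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it and connect with `nc localhost 2323`; every line printed is a login or command record with the source address. Because the first accepted credential pair ends the login loop, the log shows exactly which default credential a bot relied on, which is the kind of intelligence the paragraph above refers to. The listener must sit on an isolated network segment and must not share credentials or trust with anything real.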
Probably the most common honeypot is the email or spam trap. A fake email address is planted somewhere only an automated address harvester will find it, such as in an HTML comment or a link invisible to human visitors, so any message arriving at that address is unsolicited by definition. Messages whose content resembles those sent to the trap can then be blocked automatically and the senders’ IP addresses added to a deny-list.
Another honeypot variant is the decoy database, designed to monitor attacks on data stores and identify attackers who take advantage of insecure system architecture or use techniques such as privilege abuse, SQL injection or exploitation of the database service itself.
“Spiders” in cybersecurity terms are web crawlers: programs or automated scripts that browse the Internet methodically in search of targets. A spider honeypot traps such crawlers by publishing pages and links that only an automated crawler will follow, for example links hidden from human visitors or paths disallowed in robots.txt. Detecting these spiders is central to blocking malicious bots and unwanted ad-network crawlers.
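The spam-trap workflow above, as an added example written for this page (not code from the original article or from any mail product): mail to the planted address teaches the filter a sender IP to deny and a content fingerprint to block, and both are then applied to mail for real mailboxes. The trap address, the sample messages and the IP addresses are constructed for illustration; decisions use the SMTP envelope (peer IP and RCPT TO) rather than headers, because headers are under the sender’s control.

```python
"""Spam-trap processing (added illustration).

Mail addressed to a planted trap address is unsolicited by definition.
Each trap hit yields the connecting IP (deny-listed) and a normalised
content fingerprint (used to block look-alike copies sent to real users).
"""
import hashlib
import re
from email import message_from_string

# Hypothetical trap address; it must never be published where humans see it.
TRAP_ADDRESSES = {"harvest-me@example.com"}


def content_fingerprint(body: str) -> str:
    """Hash a normalised body so that per-recipient variations such as
    tracking numbers, unique URLs and whitespace still collide."""
    norm = body.lower()
    norm = re.sub(r"https?://\S+", "URL", norm)
    norm = re.sub(r"\d+", "0", norm)
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


def body_text(raw: str) -> str:
    """Return the text/plain content of an RFC 5322 message."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True) or b"" for p in parts
              if p.get_content_type() == "text/plain"]
    return b"\n".join(chunks).decode("utf-8", errors="replace")


class SpamTrap:
    """Decisions use SMTP envelope data (peer IP, RCPT TO): To: and
    Received: headers are attacker-controlled and must not be trusted."""

    def __init__(self, traps):
        self.traps = {t.lower() for t in traps}
        self.deny_ips = set()
        self.fingerprints = set()

    def process(self, peer_ip: str, rcpt_to: str, raw: str) -> str:
        fp = content_fingerprint(body_text(raw))
        if rcpt_to.lower() in self.traps:
            # Trap hit: learn from it and never deliver it.
            self.deny_ips.add(peer_ip)
            self.fingerprints.add(fp)
            return "trap-hit"
        if peer_ip in self.deny_ips:
            return "blocked-sender"
        if fp in self.fingerprints:
            return "blocked-content"
        return "deliver"


# Constructed sample messages (not real mail).
SPAM_TO_TRAP = """From: deals@spammer.example
To: harvest-me@example.com
Subject: Huge savings

Get 50% off today at http://promo.spammer.example/offer123
"""
SPAM_TO_USER = """From: deals@spammer.example
To: alice@example.com
Subject: Huge savings

Get 70% off today at http://promo.spammer.example/offer987
"""
HAM = """From: bob@example.org
To: alice@example.com
Subject: Lunch

Still on for 12:30?
"""


def demo():
    """Feed the samples through one trap instance in arrival order."""
    trap = SpamTrap(TRAP_ADDRESSES)
    return [
        trap.process("198.51.100.7", "harvest-me@example.com", SPAM_TO_TRAP),
        trap.process("198.51.100.7", "alice@example.com", SPAM_TO_USER),
        trap.process("203.0.113.44", "alice@example.com", SPAM_TO_USER),
        trap.process("192.0.2.10", "alice@example.com", HAM),
    ]


if __name__ == "__main__":
    print(demo())
```

The second message is blocked on the sender’s IP alone; the third comes from a different IP but carries the same pitch with a different discount and URL, so the fingerprint catches it. In production the deny-list entries need an expiry (the IP may be a shared relay) and the fingerprint should be one signal among several, since very short bodies fingerprint too coarsely.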
In addition to individual honeypots, there are complementary techniques and processes designed to frustrate attackers, such as honeynets, which expand the honeypot concept into a whole network of interconnected honeypots.
Then there are “tarpits”: mechanisms that slow attackers down by deliberately delaying network connections and responses, so that the target becomes less attractive and the attacker’s scanning takes far longer.
“Black holes” also play a role in cybersecurity. They are points on the network where incoming or outgoing traffic is silently discarded, without the source (the attacker) being told that the data never reached its intended recipient.
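The spider honeypot and the tarpit described above fit naturally into one small web service, shown here as an added example written for this page (not code from the original article or from any product it mentions): a link hidden from human visitors and disallowed in robots.txt is requested only by aggressive crawlers, a client that requests it is flagged, and every later request from that client is answered one byte at a time instead of being refused. The trap path, page markup, thresholds and IP addresses are assumptions chosen for illustration.

```python
"""Spider trap plus tarpit (added illustration).

Polite crawlers honour the robots.txt Disallow and humans never see the
hidden link, so only an aggressive bot requests the trap path.  Such a
client is flagged, and its subsequent requests are drip-fed (tarpitted),
which ties up the bot's connections and time.
"""
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlparse

TRAP_PREFIX = "/do-not-crawl/"   # hypothetical path; make it unique per site
FLAG_TTL = 3600                  # seconds a flagged client stays tarpitted
TARPIT_BYTES = 64                # size of the drip-fed reply
TARPIT_DELAY = 1.0               # seconds between bytes for flagged clients

PAGE = (b"<html><body><h1>Welcome</h1><a href=\"/about\">About</a>\n"
        b"<!-- hidden from humans, followed by crawlers -->\n"
        b"<a href=\"/do-not-crawl/k7x2\" style=\"display:none\" "
        b"aria-hidden=\"true\" tabindex=\"-1\">archive</a></body></html>\n")
ROBOTS = b"User-agent: *\nDisallow: /do-not-crawl/\n"


class TrapState:
    """Flagged client IPs with the time they were flagged.  Keying on IP
    also punishes everyone behind a shared NAT, so the TTL is kept short."""

    def __init__(self):
        self.flagged = {}

    def is_flagged(self, ip, now):
        seen = self.flagged.get(ip)
        if seen is None:
            return False
        if now - seen > FLAG_TTL:
            del self.flagged[ip]
            return False
        return True

    def flag(self, ip, now):
        self.flagged[ip] = now


def decide(state, ip, path, now=None):
    """'trap' on a hit of the hidden link, 'tarpit' for an already flagged
    client, 'serve' for everyone else.  `now` is injectable for testing."""
    now = time.time() if now is None else now
    if state.is_flagged(ip, now):
        return "tarpit"
    if urlparse(path).path.startswith(TRAP_PREFIX):
        state.flag(ip, now)
        return "trap"
    return "serve"


class Handler(BaseHTTPRequestHandler):
    state = TrapState()

    def do_GET(self):
        ip = self.client_address[0]
        action = decide(self.state, ip, self.path)
        self.log_message("%s %s -> %s", ip, self.path, action)
        if action != "serve":
            self.tarpit()
        elif urlparse(self.path).path == "/robots.txt":
            self.reply(ROBOTS, "text/plain")
        else:
            self.reply(PAGE, "text/html")

    def reply(self, body, ctype):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def tarpit(self):
        """Keep the connection open and drip a worthless body one byte at a
        time; the bot cannot tell a slow server from a slow network."""
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(TARPIT_BYTES))
        self.end_headers()
        for _ in range(TARPIT_BYTES):
            try:
                self.wfile.write(b".")
                self.wfile.flush()
                time.sleep(TARPIT_DELAY)
            except (BrokenPipeError, ConnectionResetError):
                break


if __name__ == "__main__":
    # ThreadingHTTPServer so one tarpitted bot does not stall real visitors.
    ThreadingHTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Start it, fetch `/` with a browser (the hidden link is not rendered) and then with `curl http://localhost:8080/do-not-crawl/k7x2`: that client is flagged and every further request from its address crawls in at one byte per second until the TTL lapses. Tarpitting rather than blocking is the point: a refused connection is retried elsewhere in milliseconds, whereas a held connection is a resource the bot has lost.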
Let me end with a word of warning: a honeypot will usually convince attackers that they have reached a real system, but an attacker who recognises the deception can stage spoof attacks to distract attention from their real intentions, or feed fake information into the honeypot to poison the analysis. Worse, a badly isolated honeypot can itself become a foothold into the real network.
This is why honeypots should always be professionally configured and isolated, and never be considered permanent replacements for proven security systems and controls.