Even with antivirus software installed, it is hard to say that a system is free of malware. Similarly, sitting behind a firewall does not mean the network is safe from malicious activity. Every new virus or attack finds some way to penetrate the security infrastructure and often goes undetected by the security technologies in place. What is needed is a technology that welcomes the threats and records how they attack: the honeypot.
According to Wikipedia, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. It attracts cyber attacks by posing as a target for the attacker and uses the criminals' intrusion attempts to gain information about their tactics. It is also used to distract attackers from the real target.
Working of a Honeypot
- A honeypot is a computer that looks like a genuine part of the network. It contains data that looks legitimate, such as credit card details, user data, etc.
- Honeypots have deliberate vulnerabilities such as open ports or default or weak passwords, and are less secure than the live network, so attackers are drawn to them. Once attackers are in, we can track them and their behavior, and assess it for clues on how to make the real network more secure.
- Generally, a honeypot has no antivirus or firewall, because we want it to be attacked; that tells us which threats our systems are vulnerable to. With the intelligence obtained from a honeypot, security efforts can be prioritized, focused, and strengthened.
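The points above, as an added example that is not code from the article or from the linked hackhunt project: a minimal low-interaction honeypot that presents a fake login prompt, accepts any credentials without validating them, and records every attempt so the defender can see which accounts and passwords attackers try. The banner text, the port and the event format are assumptions.

```python
# Added example: a fake login service that logs attempts instead of
# authenticating anyone. Banner, port and log format are assumptions.
import json
import socketserver
import threading
from collections import Counter
from datetime import datetime, timezone

BANNER = b"Ubuntu 20.04 LTS\r\nlogin: "   # assumed decoy banner
events = []                               # in-memory attempt log (constructed store)
lock = threading.Lock()

def record_attempt(src_ip, username, password):
    """Store one login attempt as a structured event and return it."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": src_ip,
        "user": username.strip(),
        "password": password.strip(),
    }
    with lock:
        events.append(event)
    return event

def top_usernames(evts, n=3):
    """Accounts attackers guess most often: intelligence for hardening the real network."""
    return Counter(e["user"] for e in evts).most_common(n)

class FakeLoginHandler(socketserver.StreamRequestHandler):
    """Every connection gets a login prompt; credentials are logged, never validated."""
    def handle(self):
        self.wfile.write(BANNER)
        user = self.rfile.readline(256).decode(errors="replace")
        self.wfile.write(b"Password: ")
        pw = self.rfile.readline(256).decode(errors="replace")
        ev = record_attempt(self.client_address[0], user, pw)
        print(json.dumps(ev))                      # ship to a SIEM in a real deployment
        self.wfile.write(b"Login incorrect\r\n")   # always fail, keep the attacker guessing

if __name__ == "__main__":
    # Bind only on an isolated honeypot interface; port 2323 is an assumption.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), FakeLoginHandler) as srv:
        srv.serve_forever()
```

Because the service never authenticates anyone, the only thing an attacker gets is a log entry; pair it with a restrictive firewall on the honeypot host so that it cannot reach production systems.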
Types of Honeypot
Honeypots can be classified by their deployment (how they are used) and by their design, i.e. their level of interaction.
- Based on deployment, honeypots are classified as:
- Production honeypots are easy to use. As the name suggests, they are placed inside the production network alongside other production servers to improve its overall security. They are easy to deploy but give less information about the attack or the attacker than research honeypots.
- Research honeypots are used to gather information such as the motives and tactics of attackers targeting different networks. They do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to protect against them better. Research honeypots are complex to deploy and maintain. They capture extensive information and are used primarily by researchers, the military, or government organizations.
- Based on design criteria, honeypots are classified as:
- Pure honeypots contain a bug (a tap) that tracks all the activities of the attackers. As the name suggests, no other software needs to be installed; only the honeypot is in the system. Even though a pure honeypot is useful, the stealthiness of the defense mechanism is better ensured by a more controlled mechanism.
- High-interaction honeypots imitate the activities of production systems that host a variety of services, so an attacker may waste a lot of time on them. Using virtual machines, we can deploy multiple honeypots on a single machine, and if a honeypot is compromised we can restore it easily. They provide more security by being difficult to detect, but they are expensive to maintain. If virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive.
- Low-interaction honeypots simulate only the services attackers request most. They consume relatively few resources because they run fewer services than high-interaction honeypots. Because of the fewer services and the reduced complexity of the virtual machines, several virtual honeypots can be hosted on a single physical machine.
- Malware honeypots: malware is one of the threats to information security that continues to increase. Each piece of malware has its own functionality and behavior. New malware appears every day, and its detection is not possible using signature-based antivirus, firewalls, and IDS. So we need to understand how the malware behaves on a system in a live environment. A honeypot can be used to track the behavior of malware, and machine-learning algorithms can be applied to honeypot data to classify it. To know more, check the Next generation of Antivirus.
- Spam detection honeypots are used to detect spam sent by an attacker. For instance, an attacker sends spam mail to everyone in the organization. A honeypot can then inspect the mail headers and look up the senders' IP addresses; if an address is not whitelisted or is on the blacklist, the mail is flagged as spam and blocked. In this situation, the honeypot works as an anti-spam tool.
- A honey token is a honeypot that is not a computer. It is a trap for illegitimate processes: an entity carrying interesting information that looks attractive to employees, but which works as a tracker (for example, it sends an email to the IT admin when opened). It can take the form of:
- Username / Password
- Financial sheets
- Payroll data
- Employee’s appraisal data
- Tax calculation sheet
- Credit card information
- Encryption keys
- Server configuration files
- R&D Reports
- Corporate presentation
- Proprietary information
- Any confidential document
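The spam detection honeypot described above, as an added example that is not code from the article: mail arriving at a trap mailbox is parsed, the sender's IP is taken from the first Received: header that our own relays did not add, and that IP is checked against the whitelist and blacklist exactly as the article's rule states. The network ranges, the sample message and the trap address are constructed for illustration.

```python
# Added example: locate the originating IP of a trapped email and apply the
# whitelist/blacklist rule. All addresses and ranges are constructed.
import ipaddress
import re
from email import message_from_string

TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]   # our own mail servers
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]      # permitted external senders
DENYLIST = [ipaddress.ip_network("198.51.100.0/24")]      # known spam sources
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # IPv4 in brackets, as MTAs write it

def in_any(ip, nets):
    return any(ip in net for net in nets)

def originating_ip(raw_message):
    """IP of the first hop (newest header first) that our relays did not add.
    Stopping at the first untrusted hop matters: every Received: line below
    it was supplied by the sender and may be forged."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received") or []:
        m = IP_RE.search(hdr)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not in_any(ip, TRUSTED_RELAYS):
            return ip
    return None

def classify(raw_message):
    """'allow' or 'block': not whitelisted, or blacklisted, means spam."""
    ip = originating_ip(raw_message)
    if ip is None:
        return "allow"                      # every hop was ours: internal mail
    if in_any(ip, DENYLIST) or not in_any(ip, ALLOWLIST):
        return "block"
    return "allow"

# Constructed message: the bottom Received: line was planted by the spammer to
# look like the mail came from a whitelisted partner.
SAMPLE = """\
Received: from mx.example.org ([192.0.2.10]) by honeypot.example.org; Mon, 1 Jan 2024 10:00:00 +0000
Received: from bulkmail.invalid ([198.51.100.77]) by mx.example.org; Mon, 1 Jan 2024 09:59:58 +0000
Received: from partner.example.net ([203.0.113.4]) by bulkmail.invalid; Mon, 1 Jan 2024 09:59:50 +0000
From: "Prize Desk" <win@bulkmail.invalid>
To: trap-account@example.org
Subject: You have won

Click here to claim.
"""

if __name__ == "__main__":
    print(originating_ip(SAMPLE), classify(SAMPLE))
```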
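The honey token described above, as an added example that is not code from the article: a unique fake username and password are minted, planted in a decoy configuration file, and remembered; a detector then reads authentication log lines and raises an alert whenever one of the planted accounts is used, since no legitimate process knows those credentials. The file format, the log format, the file path and the alert sink are assumptions.

```python
# Added example: credential honey tokens with a detector over auth log lines.
# Token format, log format and paths are assumptions made for illustration.
import re
import secrets
from datetime import datetime, timezone

TOKENS = {}     # username -> where the token was planted and its password

def mint_token(planted_in):
    """Create a unique fake username/password pair and remember where it was planted."""
    user = f"svc_{secrets.token_hex(3)}"       # e.g. svc_1f9c2a, random each time
    password = secrets.token_urlsafe(12)
    TOKENS[user] = {"password": password, "planted_in": planted_in,
                    "created": datetime.now(timezone.utc).isoformat()}
    return user, password

def decoy_config(user, password):
    """Contents of a bait file that looks worth stealing (constructed format)."""
    return ("# backup service credentials\n"
            f"DB_USER={user}\nDB_PASS={password}\nDB_HOST=db-backup.internal\n")

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>accepted|failed) user=(?P<user>\S+) src=(?P<src>\S+)$")

def check_auth_log(lines):
    """Return one alert per login attempt that used a honey-token account.
    Failed attempts count too: the credentials were read from the bait file."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m or m["user"] not in TOKENS:
            continue
        meta = TOKENS[m["user"]]
        alerts.append({"ts": m["ts"], "src": m["src"], "user": m["user"],
                       "result": m["result"], "planted_in": meta["planted_in"]})
    return alerts

def notify(alert):
    """Stand-in for the 'send an email to the IT admin' step."""
    print(f"ALERT: honey token {alert['user']} (planted in {alert['planted_in']}) "
          f"used from {alert['src']} at {alert['ts']}, result={alert['result']}")

if __name__ == "__main__":
    u, p = mint_token("//fileserver/finance/payroll_db.env")   # assumed bait location
    print(decoy_config(u, p))
    # constructed log lines: one real user, one attacker replaying the bait credentials
    log = ["2024-01-01T10:00:00Z auth accepted user=alice src=10.0.0.5",
           f"2024-01-01T10:02:13Z auth failed user={u} src=10.0.0.99"]
    for a in check_auth_log(log):
        notify(a)
```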
Detection of Honeypot
- Look for unusual services and open ports. Most internet-facing systems are stripped of unnecessary services; if a system has many unusual services and ports open, they may be there to attract attackers, and it may be a honeypot.
- If there is little or no activity on the device, it may be a honeypot.
- If you see directories with names such as "social security numbers" or "credit card numbers", it may be a honeypot.
- If very little software is installed, it may be a honeypot.
- If there is a lot of free space on the hard drive, it may be a honeypot.
- If the software running is still in its default configuration, which almost never happens on a live network (though it is a major problem in cybersecurity), it may be a honeypot.
You might be interested in:
- Code your own Honeypot – https://github.com/hackhunt/honeypot