Why implement a honeypot?
A honeypot is a system designed to be exploited, hacked, infected with malware, and generally abused by a malicious third party. Why would anyone do that deliberately, you may ask?
Well, there are many benefits to honeypots. You may wonder why you should spend your time, effort, and money setting up a system that will attract attackers, why you should deliberately build a system with weakened defenses that will be exploited, or why you should invite interest from malicious third parties at all.
There are three very good reasons why you should. Secondly, by setting up a honeypot you will be able to see who is attacking you and the methods being used.
This gives you a clear picture of the types of attack in circulation and of the defenses you need to put in place to protect your real systems and data. Thirdly, time an attacker spends on a honeypot is time not spent on your real systems, and the decoy may divert them from those systems altogether.
Security researchers are well aware of the benefits of honeypots. They can be used to learn how systems are attacked and are also a useful part of a system's defenses. It is not a question of whether you should set up a honeypot, but rather why you have not already done so. There are many different types of honeypot that can be deployed. You can set up a dummy system with an entire network topology if you wish:
many different hosts, a wide range of services, and even different operating systems. In short, an entire environment can be built to appear genuine and to let an attack play out. For the purpose of this article we cover two popular honeypots below: Honeyd and Kippo (a medium-interaction SSH honeypot). Honeyd is a small daemon that creates a network containing many virtual hosts.
Each of those hosts can be configured differently. You can run arbitrary services on each, and give each host the TCP/IP personality of a different operating system, so that fingerprinting tools report the operating system you chose rather than the one actually running.
For network simulation purposes, you can create tens of thousands of virtual hosts on your LAN with Honeyd if you wish. You can use Honeyd to hide your real systems among decoys, identify threats, assess risk, and improve your security posture.
We invited a guest sysadmin, Arona Ndiaye, to provide input on the Honeyd honeypot to get the perspective of a Linux administrator. She installed it on Kali Linux, which was a simple process requiring a single line to be added to the package sources. A few tweaks were needed to ensure the host firewall allowed the honeypot's traffic, along with some simple edits to a configuration file.
That was all that was needed. If problems are encountered, or more detailed information is required, it is all available on the Honeyd website. Most people find the easiest way to get started is to play with the system and try to attack it, which is what she did.
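The deployment described above (package install, firewall tweak, configuration file, start the daemon), as an added example rather than the guest administrator's own files: a shell script that writes a Honeyd configuration with three decoys of differing personalities and services, then starts farpd and honeyd. Everything about the environment is assumed: the real host is 192.168.1.10 on eth0, 192.168.1.200/29 is an unused block on the LAN, honeyd and farpd are installed, Honeyd's bundled service scripts sit under /usr/share/honeyd/scripts, and a Kippo SSH honeypot listens on 192.168.1.10:2222. Personality names must match entries in Honeyd's nmap.prints file, so check that file if honeyd refuses the configuration.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal Honeyd deployment
# script for a Linux host. Assumptions: the host's real address is
# 192.168.1.10 on eth0, 192.168.1.200/29 is otherwise unused on the LAN,
# honeyd and farpd are installed, Honeyd's bundled scripts live under
# /usr/share/honeyd/scripts, and a Kippo SSH honeypot listens on
# 192.168.1.10:2222. Personality names must exist in honeyd's nmap.prints.

HONEYD_CONF="${HONEYD_CONF:-${TMPDIR:-/tmp}/honeyd.conf}"
HONEYD_LOG="${HONEYD_LOG:-/var/log/honeyd/packets.log}"
IFACE="${IFACE:-eth0}"
DECOY_NET="192.168.1.200/29"          # assumed unused range for the decoys

# Write a configuration with three templates that present as different
# operating systems and expose different services.
write_honeyd_conf() {
    cat > "$HONEYD_CONF" <<'EOF'
# Any address in the decoy range that is not explicitly bound uses "default"
create default
set default personality "Linux 2.4.20"
set default default tcp action reset
set default default udp action reset
set default default icmp action open

# A fake Windows host: an emulated web server plus open SMB ports
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open
set windows uptime 3284460

# A fake Linux host: SSH is proxied to a Kippo instance so logins and
# commands are recorded; SMTP is emulated by one of Honeyd's scripts
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 proxy 192.168.1.10:2222
add linux tcp port 25 "sh /usr/share/honeyd/scripts/smtp.sh"

bind 192.168.1.201 windows
bind 192.168.1.202 linux
bind 192.168.1.203 default
EOF
}

# Small sanity checks on the written configuration
conf_templates() { awk '$1 == "create" { print $2 }' "$HONEYD_CONF"; }
count_bindings() { grep -c '^bind ' "$HONEYD_CONF"; }
bound_template() { awk -v ip="$1" '$1 == "bind" && $2 == ip { print $3 }' "$HONEYD_CONF"; }

# Must run as root. farpd claims the decoy addresses at the ARP layer so
# their traffic reaches this host; honeyd answers from the templates above.
# If the host firewall has a default-drop OUTPUT policy, first permit packets
# sourced from the decoy range (assumed rule, adapt to your own policy):
#   iptables -I OUTPUT -s "$DECOY_NET" -j ACCEPT
start_honeyd() {
    mkdir -p "$(dirname "$HONEYD_LOG")"
    farpd -i "$IFACE" "$DECOY_NET" &
    honeyd -d -i "$IFACE" -f "$HONEYD_CONF" -l "$HONEYD_LOG" \
        -p /usr/share/honeyd/nmap.prints "$DECOY_NET"
}

write_honeyd_conf
echo "wrote $HONEYD_CONF: $(count_bindings) bindings, templates: $(conf_templates | tr '\n' ' ')"
```

Run the script once to write the configuration, then call start_honeyd as root (or copy its two commands into your service unit). The -d flag keeps honeyd in the foreground so you can watch it log the first probes; drop it once the decoys behave as expected.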
She was particularly impressed with the information that can be gathered on attacks and scans: the methods of attack were recorded in intricate detail, including how the emulated hosts were able to fool nmap's fingerprinting.
Honeypots are decoy systems or servers deployed alongside production systems within your network.
When deployed as enticing targets for attackers, honeypots add security monitoring opportunities for blue teams and misdirect the adversary from their true target. Honeypots come in a variety of complexities depending on the needs of your organization and can be a significant line of defense when it comes to flagging attacks early. The rest of this page goes into more detail on what honeypots are, how they are used, and the benefits of implementing them.
There are many applications and use cases for honeypots: they divert malicious traffic away from important systems, give early warning of an attack in progress before critical systems are hit, and gather information about attackers and their methods.
For a honeypot to work, the system should appear to be legitimate. It should run processes a production system is expected to run, and contain seemingly important dummy files. The honeypot can be any system that has been set up with proper sniffing and logging capabilities. In terms of objectives, there are two types of honeypots: research and production honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior out in the wild.
Looking at both your environment and the wider world, they gather information about attacker trends, malware strains, and vulnerabilities that are actively being targeted by adversaries. This can inform your preventative defenses, patch prioritization, and future investments. Production honeypots, on the other hand, are focused on identifying active compromise on your internal network and tricking the attacker.
Information gathering is still a priority, as honeypots give you additional monitoring opportunities and fill in common detection gaps around identifying network scans and lateral movement. Production honeypots sit with the rest of your production servers and run services that would typically run in your environment. Research honeypots tend to be more complex and store more types of data than production honeypots.
Within production and research honeypots there are also differing tiers depending on the level of complexity your organization needs, from low-interaction honeypots that emulate only a handful of services and record connection attempts (Honeyd's virtual hosts are an example) to high-interaction honeypots that are real, fully instrumented systems an attacker can actually compromise. Honeypot technologies in use include emulated network hosts such as Honeyd, SSH honeypots such as Kippo, and email traps that collect spam and phishing messages. Honeypots offer plenty of security benefits to organizations that choose to implement them. They can expose vulnerabilities that would otherwise go unnoticed; for instance, a honeypot can show the high level of threat posed by attacks on IoT devices.
It can also suggest ways in which security could be improved. Using a honeypot has several advantages over trying to spot intrusions in the real system. By definition, a honeypot should receive no legitimate traffic, so any activity logged is almost certainly a probe or intrusion attempt. That makes it much easier to spot patterns, such as the same IP addresses, or addresses all from one country, being used to carry out a network sweep.
By contrast, such tell-tale signs of an attack are easy to lose in the noise when you are looking at high volumes of legitimate traffic on your core network. The big advantage of a honeypot is that these malicious addresses might be the only ones you see, making the attack much easier to identify.
Because honeypots handle very limited traffic, they are also resource-light. As for software, a number of ready-made honeypots are available from online repositories, further reducing the in-house effort needed to get one up and running. For the same reason, honeypots have a low false-positive rate, which helps prioritize effort and keeps their resource demand low.
In fact, by correlating the data collected by honeypots with other system and firewall logs, your IDS can be tuned to more relevant alerts that produce fewer false positives. In that way, honeypots help refine and improve other security systems. Honeypots can give you reliable intelligence about how threats are evolving: attack vectors, exploits, and malware, and in the case of email traps, spammers and phishing attacks. Attackers continually refine their intrusion techniques; a honeypot helps to spot newly emerging threats and intrusions.
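The pattern-spotting described above (every source that touches the decoys is suspect; the same address probing many ports, or many decoys, stands out) can be automated over Honeyd's packet log, which is also the data you would correlate with firewall and IDS logs. The following is an added example, not code from the article or from Honeyd's authors. It assumes Honeyd's one-line-per-flow log format as I recall it: timestamp, protocol, a flow marker (S for start, E for end, - for a single packet), source address and port, destination address and port, and optionally a passive OS guess in brackets; ICMP lines carry no ports. The log lines are constructed for the example, and the thresholds are arbitrary and should be tuned to your network.

```shell
#!/bin/sh
# Added example (not from the original article): triage of Honeyd's packet
# log. Assumed line format (one line per flow):
#   <timestamp> tcp(6) S <src> <sport> <dst> <dport> [<passive OS guess>]
# where the third field is S (start), E (end) or - (single packet) and icmp
# lines carry no ports. A honeypot should see no legitimate traffic, so every
# source is suspect; the functions rank sources and flag two common shapes:
# one source probing many ports on one decoy (vertical scan) and one source
# hitting the same port on many decoys (sweep).

# Constructed sample log (not real traffic): three decoys, .201 to .203
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01-09:12:01.0001 tcp(6) S 203.0.113.7 40001 192.168.1.201 22
2024-05-01-09:12:01.0203 tcp(6) S 203.0.113.7 40002 192.168.1.201 23
2024-05-01-09:12:01.0408 tcp(6) S 203.0.113.7 40003 192.168.1.201 80
2024-05-01-09:12:01.0612 tcp(6) S 203.0.113.7 40004 192.168.1.201 135
2024-05-01-09:12:01.0815 tcp(6) S 203.0.113.7 40005 192.168.1.201 139
2024-05-01-09:12:01.1020 tcp(6) S 203.0.113.7 40006 192.168.1.201 445
2024-05-01-09:12:01.1224 tcp(6) S 203.0.113.7 40007 192.168.1.201 3389
2024-05-01-09:12:01.1430 tcp(6) S 203.0.113.7 40008 192.168.1.201 8080
2024-05-01-09:13:10.1111 tcp(6) S 198.51.100.9 51000 192.168.1.201 445
2024-05-01-09:13:10.1222 tcp(6) S 198.51.100.9 51001 192.168.1.202 445
2024-05-01-09:13:10.1333 tcp(6) S 198.51.100.9 51002 192.168.1.203 445
2024-05-01-09:14:00.2222 tcp(6) S 192.0.2.44 33000 192.168.1.202 22 [Linux 2.6]
2024-05-01-09:14:05.0000 tcp(6) E 192.0.2.44 33000 192.168.1.202 22: 412 1980
2024-05-01-09:15:00.0000 icmp(1) - 192.0.2.44 192.168.1.202: 8(0): 84
EOF
}

# Every source that opened a TCP/UDP flow, most active first: "count src"
honeyd_sources() {
    awk '$2 ~ /^(tcp|udp)/ && ($3 == "S" || $3 == "-") { n[$4]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Flag scanners. $1 log file, $2 distinct-port threshold, $3 distinct-host threshold
honeyd_scanners() {
    awk -v pthr="$2" -v hthr="$3" '
        $2 ~ /^(tcp|udp)/ && ($3 == "S" || $3 == "-") {
            src = $4; dst = $6; port = $7
            sub(/:$/, "", port)                     # single-packet lines log "dport:"
            if (!((src, port) in seenport)) { seenport[src, port] = 1; nports[src]++ }
            if (!((src, dst) in seenhost))  { seenhost[src, dst] = 1;  nhosts[src]++ }
            flows[src]++
        }
        END {
            for (s in flows) {
                tag = ""
                if (nports[s] >= pthr) tag = tag " vertical-scan"
                if (nhosts[s] >= hthr) tag = tag " sweep"
                if (tag != "")
                    printf "%s conns=%d ports=%d hosts=%d%s\n", s, flows[s], nports[s], nhosts[s], tag
            }
        }' "$1" | sort
}

# Stand-alone demo on the constructed sample
LOG="$(mktemp)"
write_sample_log "$LOG"
echo "== sources =="; honeyd_sources "$LOG"
echo "== scanners (>=5 ports or >=3 hosts) =="; honeyd_scanners "$LOG" 5 3
rm -f "$LOG"
```

On the sample, 203.0.113.7 is flagged as a vertical scan (eight ports on one decoy) and 198.51.100.9 as a sweep (port 445 across all three decoys), while the single SSH session from 192.0.2.44 is listed as a source but not flagged; on a honeypot that lone session still deserves a look, which is exactly the low-noise property the text describes. Point the functions at the real log with the same arguments, and feed the flagged addresses to your firewall and IDS correlation.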
A good use of honeypots helps to eradicate blind spots, too. Honeypots are also great training tools for technical security staff. A honeypot is a controlled and safe environment for showing how attackers work and examining different types of threats. Honeypots can also catch internal threats. Most organizations spend their time defending the perimeter, and ensuring outsiders and intruders can't get in.
But if you only defend the perimeter, any hacker who has successfully gotten past your firewall has carte blanche to do whatever damage they can now that they're inside. Firewalls also won't help against an internal threat - an employee who wants to steal files before quitting their job, for instance. A honeypot can give you equally good information about internal threats and show vulnerabilities in such areas as permissions that allow insiders to exploit the system.
Finally, by setting up a honeypot you are also helping other computer users: the longer attackers spend wasting effort on honeypots, the less time they have for attacking live systems and causing real damage, to you or to others. While a honeypot helps chart the threat environment, it won't see everything that is going on, only activity directed at the honeypot itself.
Just because a certain threat hasn't been directed against the honeypot, you can't assume it doesn't exist; keep up with security news rather than relying on honeypots alone to notify you of threats.
A good, properly configured honeypot will deceive attackers into believing that they've gained access to the real system. It will have the same login warning messages, the same data fields, even the same look and feel and logos as your real systems.