What is a Honeypot in Cybersecurity?

10 April 2022 | by Xavier Bellekens

What is a honeypot?

Honeypots, or decoys, are lures made to replicate the behaviour of a real system or service on a network, in order to draw cyber criminals away from a legitimate target.

Decoys are designed to gather intelligence data from interactions. The data can consist of techniques, tactics and procedures or criminal motivations. In some cases, the information collected can also reveal the identity of the perpetrator.

They are often modelled after legitimate assets, such as software applications, network applications or servers. The intention is to purposely make the honeypot instance look and feel like a legitimate target. The blue team’s aim is to convince adversaries to exploit multiple honeypots first. While adversaries spend their time within the controlled environment, the production network remains safe.

The honeypot system records all interactions between the criminal and the decoy. The intelligence gathered is used to analyse the attacker’s methods and capabilities, and to understand the sophistication of the attack. This intelligence helps the blue team evolve and improve its cybersecurity strategy. The red team, on the other hand, also benefits from the data by staying current with attacker techniques, which may give them ideas for their next engagement.

Honeypots can also help both the blue and red team reveal potential blind spots within the architecture, and uncover a new attack surface.

How do honeypots work?

The premise of a honeypot is simple: look and feel like a (valuable) target.

It can be made to look and feel like a database containing valuable information such as intellectual property (IP), patents or credit card data.

The attacker’s appeal for the honeypot is a simple equation:

REWARD X DIFFICULTY = APPEAL

Honeypots can be classified into two categories:

Production Honeypots

Production honeypots are deployed by organizations, private companies and high-profile individuals to gather threat intelligence on attackers in production systems. Most often, IP addresses, intrusion attempts, attack velocity and the volume of traffic generated are collected. The decoys emulate real services, websites or systems to lure attackers into spending their time and resources on them, while the target production systems continue operating without damage. This type of honeypot is also known as a pure honeypot.

Research Honeypots

Research honeypots are designed to collect data and information on the methods used by attackers. They are deployed and monitored to gather information on new malware and vulnerabilities such as zero-days, and to record the tactics used.

Both production honeypots and research honeypots have three modes of operation:

Low Interaction Honeypots

Low interaction honeypots provide very limited access to the website or service. They are resource-efficient and are mostly used to generate a high-fidelity alert while collecting basic information about the attacker. A low interaction honeypot is a static environment that emulates a small percentage of a real system. Low interaction honeypots aren’t complex enough to capture threats such as zero-day exploits. While they may not fool advanced threat actors, they are still very effective against insider threats and less sophisticated threat actors.

Medium Interaction Honeypots

Medium interaction decoys often offer a good balance between the amount of data that can be collected and the risk of the decoy being exploited by the attacker for lateral movement.

These decoys often include specific vulnerabilities, increasing their appeal by lowering the attack difficulty. For example, a medium interaction decoy may emulate a web server with a specific vulnerability, providing enough functionality for the attacker to obtain certain information while revealing some of their methods.

High Interaction Honeypots

High interaction honeypots are designed to fully engage adversaries and may consist of real or virtualized systems such as operating systems or databases. The aim of these honeypots is to provide the cybersecurity team with a deep understanding of the adversary’s modus operandi.

A high interaction honeypot inherently consumes more resources, both on the technical and on the maintenance side; however, it also provides higher-quality intelligence. A high interaction honeypot may yield information on an attacker’s behaviour, privilege escalation techniques or zero-days used.

The main downside of high-interaction decoys is the time consumed building and maintaining the environment over a long period, while ensuring proper monitoring of the system.

Cyber Deception Technology

While honeypots are part of the cyber deception ecosystem, at Lupovis we consider cyber deception technology to be the holistic approach that helps deceive an adversary consistently before and during a cyber-attack. Note that honeypots, by contrast, are most often stand-alone systems.

To learn more about cyber deception, have a read of our guide.

What are the types of honeypots?

There are various types of honeypots:

Services Honeypots

These honeypots are low, medium or high interaction honeypots that represent a service such as SSH, FTP, RDP, web applications, APIs, PLCs, RTUs, etc. Each can be deployed individually or in conjunction with other services. For example, a web application decoy may also have an API decoy and port 22 open for an SSH decoy.

Example Types:

  • Malware honeypots: A malware honeypot can be used to create a malware zoo or simply emulate a USB device luring malware towards the honeypot.
  • Spider honeypots: A spider honeypot is designed to trap web crawlers by creating web pages and links only accessible to automated crawlers.
  • Spam honeypots: You could set up an open mail relay as a spam trap to detect spammer activities. The spam traps can also make use of a fake email address to detect abuse.
  • Decoy databases: SQL injections can often go undetected, hence having a database honeypot can help detect these types of attack vectors.
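As an added example (not code from the article or from Lupovis), here is a minimal low interaction service honeypot of the kind described above: an SSH decoy that emulates only the protocol's version exchange, records the first line each client sends, and turns every interaction into a high-severity alert record. The banner string, the loopback probe and the event fields are constructed for the example.

```python
"""Low-interaction SSH-banner decoy: added example, not the article's code."""
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: the decoy emulates only the SSH version exchange, nothing more.
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


def make_listener(host: str, port: int) -> socket.socket:
    """Bind a TCP listener; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def alert_record(peer: tuple, client_line: str) -> dict:
    """Any interaction with the decoy is suspicious, so every one becomes an alert."""
    return {"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "service": "ssh-decoy", "src_ip": peer[0], "src_port": peer[1],
            "client_banner": client_line, "severity": "high"}


def handle_one(srv: socket.socket, sink: list, timeout: float = 5.0) -> dict:
    """Accept one client, send the banner, capture its first line, record an alert."""
    conn, peer = srv.accept()
    with conn:
        conn.settimeout(timeout)
        conn.sendall(DECOY_BANNER)
        try:
            data = conn.recv(256)  # client identification string, if any
        except socket.timeout:
            data = b""
    line = data.split(b"\n", 1)[0].decode("utf-8", "replace").strip()
    event = alert_record(peer, line)
    sink.append(event)  # in production: forward to the SIEM or on-call channel
    return event


def demo() -> dict:
    """Run the decoy on loopback and probe it once with a constructed client."""
    srv = make_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    events: list = []
    worker = threading.Thread(target=handle_one, args=(srv, events))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as cli:
        cli.recv(64)  # read the decoy's banner
        cli.sendall(b"SSH-2.0-probe\r\n")  # constructed client identification
    worker.join(5)
    srv.close()
    return events[0]
```

Because the decoy implements nothing beyond the banner, there is no real service to pivot from, which is the trade-off the low interaction mode makes: a reliable alert and the client's identification string, but no visibility into what a more capable adversary would do next.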

Honeynets

When more than one high interaction honeypot is deployed, you can create a honeynet. Honeynets can consist of one or more types of decoys such as the combination of a spam honeypot and pure honeypot, both residing on the internal network, monitoring for interactions. Combining honeynets with intrusion detection systems and firewalls can tremendously improve the security measures of a production system.

Operating Systems Honeypots

Operating system honeypots, similarly to service honeypots, may be low, medium or high interaction, but aim to represent a real computer system. These may represent a full operating system or a portion of one. For example, when scanned with Nmap, a virtual machine may reply with the signature of a Cisco router.

Various honeypots simulate and emulate databases, programmable logic controllers, Apache servers and Windows operating systems, and can be run on bare metal, virtualized or containerized.

What are the risks and benefits of using honeypots?

Benefits

  • Expose vulnerabilities. With their data collection capabilities, honeypots can identify new threats and expose new vulnerabilities early.
  • Expose lateral movement. As honeypots act as low-hanging fruit, they can expose compromised machines within the network and identify an intrusion early.
  • Identify insider threats. A honeypot carefully placed within a network may reveal an insider threat that could not have been picked up by the EDR or the intrusion detection system, because valid credentials were used.
  • High alert fidelity. Any interaction with a honeypot is suspicious. That’s in stark contrast to traditional defences such as Intrusion Detection Systems (IDS) and firewalls, which produce a high level of false alerts.
  • Collect threat intelligence. Honeypots gather intelligence for each interaction with the attackers.
  • Turning the tables on attackers. Without honeypots and deception, you must have 100% confidence in your ability to maintain and protect your architecture. With honeypots and deception, attackers must be 100% confident in the services they probe and attack, giving you, the defender, the upper hand.
  • Incident response processes. When the honeypot is triggered by the attacker, it sends your organization an alert to investigate and respond to the breach, and provides key information to the incident response team on the type of attacks faced.

Risks

  • Lateral movement. A misconfigured honeypot could lead to lateral movement. However, given the data collection abilities of honeypots, any interaction would have been logged and would have generated an alert.
  • Maintenance and administration. Creating, building and monitoring a honeypot is time-consuming, especially over long periods of time. However, deception vendors can help reduce that time to a minimum and deploy a deception environment within hours.

Thinking about your Return on Investment

Whichever type of honeypot or deception solution you use, the most important element to consider is your end-goal objective. Hence, the main question to answer is:

Do I want to stop a breach early or collect threat intelligence?

In the first case, your ROI will be based on how much the honeypot or deception solution is costing you in management overhead, compared to the actual cost of a successful cyberattack.

In the second case, your ROI will be based on how much the honeypot or deception solution is costing you in management overhead, compared to the value of the information you can collect in threat intelligence before and during a breach.
