Honeypots are proactive security measures set up specifically to attract or detect malicious intrusions into a company's networked systems, for the purpose of catching and learning adversarial behavior. A honeypot is typically a dedicated computer (or set of computers), applications, and data, kept separate from the organization's real network, that serves as a lure for would-be attackers. Fake data is planted in the honeypot which, were it real, would be very valuable to attackers.
Honeypots are an excellent way of identifying suspicious behavior because there is no reason for an authorized user to connect to one. (By definition, authorized users of a honeypot do not exist.) Security teams or analysts can monitor the activity inside the honeypot and see how the attacker behaves, the kind of data they are after, and what methods of attack are in use. This type of information is very valuable to security organizations as they harden legitimate systems and data.
Two types of honeypots exist:
Production honeypots: Placed inside the production environment to capture information on attackers. They are similar to an intrusion detection system (IDS) but put the focus on non-legitimate systems and divert attention away from production systems.
Research honeypots: Used to gather intelligence about attackers and their behavior and tactics, mitigate vulnerabilities, and research threats.
Honeypots can be either low-interaction or high-interaction. Low-interaction honeypots emulate services and carry lower risk because no real operating system is exposed; high-interaction honeypots run real systems rather than emulations, which yields richer observations but exposes a real system to the attacker.
Some security professionals don't see the need for a honeypot if their organization already uses an IDS. Honeypots, however, differ from IDSs in three ways:
Less noise: a honeypot only alerts when the honeypot itself (one computer or network segment) is interacted with, so it produces far fewer alerts than an IDS watching all traffic.
Fewer false positives and false negatives: every interaction with a honeypot is unauthorized by nature, so there is no legitimate traffic to misclassify.
Lower resource cost: a single computer or area of the network is monitored, rather than the full network an IDS must cover.
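The following script is an added example, not code from the original article, showing what the points above look like in practice: a minimal low-interaction honeypot that emulates a service banner instead of running a real operating system, and that turns every connection into a high-severity alert because no authorized user has a reason to connect. The banner text, the in-memory alert store and the single scripted client connection used to exercise it are constructed for this demo; a real deployment would forward each alert to a SIEM instead of printing it.

```python
"""Minimal low-interaction TCP honeypot (added example, not from the original article).

It emulates a service with a fake banner, never exposes a real OS or
application, and records every connection as a high-fidelity alert.
"""
import asyncio
import json
import time

# Constructed banner for the emulated service; a real decoy would mimic
# whatever service it is meant to impersonate.
FAKE_BANNER = b"220 files.example.internal FTP server ready\r\n"
MAX_CAPTURE = 256          # bytes of client input retained per alert
READ_TIMEOUT = 2.0         # seconds to wait for the client to send something

ALERTS = []                # in-memory alert store (constructed stand-in for a SIEM)


def build_alert(peer, data, received_at):
    """Turn one connection into a structured alert record.

    Every connection is unauthorized by definition, so severity is fixed at
    'high' and there is no scoring or filtering step, unlike an IDS signature.
    """
    host, port = peer[0], peer[1]
    return {
        "timestamp": received_at,
        "source_ip": host,
        "source_port": port,
        "bytes_received": len(data),
        "payload_hex": data[:MAX_CAPTURE].hex(),
        "severity": "high",
        "reason": "any interaction with the honeypot is unauthorized",
    }


async def handle_connection(reader, writer, alerts=ALERTS, done=None):
    """Serve the fake banner, capture what the client sends, record an alert."""
    peer = writer.get_extra_info("peername")
    writer.write(FAKE_BANNER)
    await writer.drain()
    data = b""
    try:
        # Read until the client hangs up, the capture cap is hit, or it goes quiet.
        while len(data) < MAX_CAPTURE:
            chunk = await asyncio.wait_for(
                reader.read(MAX_CAPTURE - len(data)), READ_TIMEOUT)
            if not chunk:
                break
            data += chunk
    except asyncio.TimeoutError:
        pass                   # a bare connect with no input is still an alert
    alerts.append(build_alert(peer, data, time.time()))
    if done is not None:
        done.set()
    writer.close()
    await writer.wait_closed()


async def serve_and_probe(host="127.0.0.1", port=0):
    """Start the honeypot, make one constructed client connection to it, and
    return (banner seen by the client, alerts produced). Port 0 lets the OS
    pick a free port, so the demo runs anywhere without configuration."""
    ALERTS.clear()
    done = asyncio.Event()
    server = await asyncio.start_server(
        lambda r, w: handle_connection(r, w, ALERTS, done), host, port)
    bound_port = server.sockets[0].getsockname()[1]
    # Constructed "attacker" interaction: read the banner, send a login attempt.
    reader, writer = await asyncio.open_connection(host, bound_port)
    banner = await reader.readline()
    writer.write(b"USER admin\r\n")
    await writer.drain()
    writer.close()
    await asyncio.wait_for(done.wait(), 5)   # handler has recorded the alert
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return banner, list(ALERTS)


def run_demo():
    """Run the honeypot against one scripted connection and print the alerts."""
    banner, alerts = asyncio.run(serve_and_probe())
    for alert in alerts:
        print(json.dumps(alert))
    return banner, alerts


if __name__ == "__main__":
    run_demo()
```

Because the decoy is emulated, the only state an intruder can influence is the alert record itself, which is the low-interaction trade-off described above: less to learn about the attacker's later steps, but nothing real to lose.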
Companies don’t have to build their own honeypots; many open source and commercial honeypots are available.
A network of multiple honeypots is called a honeynet.