Login to your account

Username *
Password *
Remember Me

Create an account

Fields marked with an asterisk (*) are required.
Name *
Username *
Password *
Verify password *
Email *
Verify email *
Captcha *
Reload Captcha

What are Honeypots?

Written by  Apr 15, 2019

A honeypot is a network-attached system set up as a decoy to lure cyberattackers and to detect, deflect or study hacking attempts in order to gain unauthorised access to information systems. 

In other words, “A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are fake. Located either in or outside the firewall, these are used to learn about an intruder’s techniques as well as determine vulnerabilities in the real system.”Before proceeding further, the first thing is to understand what the actual honeypots are. To be very frank, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is what honeypots have their strong stand.

The basic consideration is that honeypots record all actions and interactions with users. Since these don’t provide any legitimate services, all activity is unauthorised (and possibly malicious).

Types of Honeypots

Honeypots are wide stream and can be classified based on their deployment and based on their level of involvement.

Based on deployment, honeypots may be classified as:

  1. Production honeypots
  2. Research honeypots

Production honeypots: These are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organisation to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do.

Research honeypots: They are run to gather information about the motives and tactics of the Blackhat community targeting different networks and White Hat hackers protecting them. These honeypots do not add direct value to a specific organisation, instead, they are used to research the threats organisations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organisations.

Based on design criteria, honeypots can be classified as

  1. Low-interaction honeypots
  2. Medium-interaction honeypots
  3. High-interaction honeypots

Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the security of the virtual systems.

Low-interaction honeypots present the hacker emulated services with a limited subset of the functionality they would expect from a server, with the intent of detecting sources of unauthorised activity. For example, the HTTP service on low-interaction honeypots would only support the commands needed to identify that a known exploit is being attempted.

Medium-interaction honeypots  might more fully implement the HTTP protocol to emulate a well-known vendor’s implementation, such as Apache. However, there are no implementations of a medium-interaction honeypots and for the purposes of this article, the definition of low-interaction honeypots captures the functionality of medium-interaction honeypots in that they only provide partial implementation of services and do not allow typical, full interaction with the system as high-interaction honeypots.

High-interaction honeypots imitate the activities of the real systems that host a variety of services. It lets the hacker interact with the system as they would any regular operating system, with the goal of capturing the maximum amount of information on the attacker’s techniques. Any command or application an end-user would expect to be installed is available and generally, there is little to no restriction placed on what the hacker can do once he/she comprises the system.

According to recent researches in high interaction honeypot technology, by employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly. Although high interaction honeypots provide more security by being difficult to detect, but it has the main drawback that it is costly to maintain. If virtual machines are not available, one honeypot must be maintained for each physical computer, which can also lead to an increase of cost.


Advantages of a honeypot

Although they require significant resources, honeypots provide significant advantages as well. Some of the benefits of using a honeypot include:

  • Collect real data: Honeypots collect data from actual attacks and other unauthorised activities, providing analysts with a rich source of useful information.
  • Reduce false positives: Ordinary cybersecurity detection technologies generate alerts that can include a significant volume of false positives, but honeypots reduce this volume because there is no reason for legitimate users to access them.
  • Cost-effective: Honeypots can be good investments because they do not require high-performance resources to process large volumes of network traffic looking for attacks, because they only interact with malicious activities.
  • Encryption: Honeypots capture malicious activity, even if an attacker is using encryption.

Disadvantages of a honeypot

These are the top most relevant:

  • Data: Honeypots only collect information when an attack occurs. Zero attempts to access the honeypot means there is no data to analyse.
  • Honeypot network: Malicious traffic that has been captured is only collected when an attack targets the honeypot network; if attackers suspect a network is a honeypot, they will avoid it.
  • Distinguishable: Honeypots are often distinguishable from legitimate production systems, which means experienced hackers can often differentiate a production system from a honeypot system using system fingerprinting techniques.

In general, honeypots help researchers understand threats in network systems, but production honeypots should not be seen as a replacement for a standard IDS. If a honeypot is not configured correctly, it can be used to gain access to real production systems or be used as a launch pad for attacks against other target systems.

Carl Perkins

A security tech expert, Carl specialises in IT Security having worked in the field for over 10 years and has previous Tech admin roles to his credit. He is very experienced and his contribution is invaluable to us.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.


Popular News

Jun 13, 2020 IT Security News

Microsoft announces major issue in Windows 10 June 2020 updates

On 9th June, 2020, Microsoft released cumulative updates for supported versions of Windows 10 including version 2004, ve...

Jun 12, 2020 Cyber Security

NHS email service fooled users in phishing attack

NHS Digital is contacting users of its NHSmail email system after a small number of mailboxes were compromised in a gene...

May 25, 2020 Cyber Security

Beware of security threats before deploying remote working

Remote working is receiving a great deal of attention recently for obvious reasons. The world has changed and remote wor...

Jun 09, 2020 Cyber Threats

Common types of cyber-attacks and how to avoid them

With cyber-attacks on the rise, businesses are constantly worried about losing vital data and the threat is very real. ...

May 19, 2020 IT Security News

EasyJet data breach: Over 9 million customers affected

The personal data of over 9 million EasyJet customers has been infiltrated by hackers, including over 2,000 users' credi...

Jun 12, 2020 IT Security News

100,000 cheap wireless cameras sold in the UK are vulnerable to hacking

Consumer advocacy organisation Which? has issued a warning over the security of wireless camera brands made by China-bas...

May 18, 2020 Cyber Security

UK power grid operator Elexon hit by cyberattack

The UK’s power grid middleman Elexon has announced it has fallen victim to a cyberattack, which did not compromise pow...

May 28, 2020 IT Security News

UK virus apps highlights tension between privacy and need for data

As more UK and European governments turn to tracing apps in the fight against the coronavirus, a deep-rooted tension bet...

Jun 09, 2020 IT Security News

Self-employed targeted by hackers with HMRC SMS phishing scam

Cyber criminals have launched a new phishing scam designed to steal personal and financial details of millions of self-e...

May 27, 2020 Cyber Security

UK scared cybercriminals will use NHSX Covid-19 Tracing App to launch attacks

Nearly half (48%) of the UK public surveyed about the NHSX COVID-19 tracing app do not trust the UK government to keep t...

Jun 08, 2020 Cyber Security

Ransomware attack compensation: What the UK public think

UK consumers believes businesses should stand their ground having suffered a ransomware attack and refuse to negotiate w...

May 28, 2020 IT Security News

Defence tips to stop a trojan invasion

Knowing not to open email attachments from unfamiliar addresses, or even the email itself, is a vital step to preventing...

Jun 11, 2020 IT Security News

UK government still can’t decide how NHS contact tracing app should work

A new report today says that the UK government still hasn’t decided exactly how its NHS contact tracing app should wor...

May 20, 2020 IT Security News

To VPN or not to VPN for business users

It’s a question many organisations are asking as they work to provide secure and reliable remote access at scale. ...

May 22, 2020 Cloud Security News

Overwhelming majority of UK organisations now confident in public cloud security

UK businesses are extremely confident in the security measures offered by public cloud service providers.

Jun 25, 2020 IT Security News

NCSC catch a million phish

The National Cyber Security Centre has received the millionth submission to its Suspicious Email Reporting Service. ...

Symantec Home 120x60