In other words, “A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are fake. Located either in or outside the firewall, these are used to learn about an intruder’s techniques as well as determine vulnerabilities in the real system.”
Before proceeding further, the first thing is to understand what honeypots actually are. To be frank, honeypots do not solve one specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in online credit card fraud. That flexibility is where the strength of honeypots lies.
The basic principle is that honeypots record all actions and interactions with users. Since they provide no legitimate services, all activity directed at them is unauthorised (and possibly malicious).
Types of Honeypots
Honeypots come in many forms and can be classified by how they are deployed and by their level of interaction.
Based on deployment, honeypots may be classified as:
- Production honeypots
- Research honeypots
Production honeypots: These are easy to use, capture only limited information, and are used primarily by companies or corporations. An organisation places production honeypots inside its production network, alongside other production servers, to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do.
Research honeypots: They are run to gather information about the motives and tactics of the black-hat community targeting different networks and of the white-hat hackers protecting them. These honeypots do not add direct value to a specific organisation; instead, they are used to research the threats organisations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organisations.
Based on design criteria, honeypots can be classified as:
- Low-interaction honeypots
- Medium-interaction honeypots
- High-interaction honeypots
Low-interaction honeypots simulate only the services frequently requested by attackers. Because they consume relatively few resources, many virtual honeypots can easily be hosted on one physical system; the virtual systems respond quickly, and less code is required, which reduces the complexity of securing them.
Low-interaction honeypots present the hacker emulated services with a limited subset of the functionality they would expect from a server, with the intent of detecting sources of unauthorised activity. For example, the HTTP service on low-interaction honeypots would only support the commands needed to identify that a known exploit is being attempted.
Medium-interaction honeypots might more fully implement the HTTP protocol to emulate a well-known vendor’s implementation, such as Apache. However, there are no implementations of medium-interaction honeypots as such, and for the purposes of this article the definition of low-interaction honeypots covers medium-interaction honeypots as well: both provide only a partial implementation of services and do not allow the full interaction with the system that high-interaction honeypots do.
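The points above (a honeypot records every interaction, a low-interaction HTTP honeypot supports only a minimal subset of the protocol, and it may present a vendor-looking banner such as Apache’s) can be shown in a small listener. This is an added example, not code from the original article or from any honeypot project; the banner string, port and log format are constructed assumptions.

```python
"""Minimal low-interaction HTTP honeypot (added example).
Emulates just enough of HTTP/1.x to answer one request, and logs every
interaction as an alert, since nothing legitimate should ever reach it."""
import json
import socketserver
from datetime import datetime, timezone

# Constructed, illustrative banner; not a claim about any real server version.
SERVER_BANNER = "Apache/2.4.41 (Ubuntu)"

def parse_request(raw: bytes) -> dict:
    """Parse only the request line and headers; the body is just measured."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2) + ["", "", ""]      # pad malformed lines
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body_len": len(body)}

def make_event(src: str, req: dict) -> dict:
    """Every request is unauthorised by definition, so every event is an alert."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "src": src,
            "severity": "alert", "method": req["method"],
            "target": req["target"], "body_len": req["body_len"],
            "user_agent": req["headers"].get("user-agent", "")}

def canned_response(req: dict) -> bytes:
    """Answer a plausible 404 for common methods, 501 for anything else."""
    body = b"<html><body><h1>Not Found</h1></body></html>"
    supported = req["method"] in ("GET", "HEAD", "POST")
    status = "404 Not Found" if supported else "501 Not Implemented"
    head = (f"HTTP/1.1 {status}\r\nServer: {SERVER_BANNER}\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n").encode()
    return head if req["method"] == "HEAD" else head + body

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        raw = self.request.recv(8192)        # one request per connection
        req = parse_request(raw)
        print(json.dumps(make_event(self.client_address[0], req)))  # log line
        self.request.sendall(canned_response(req))

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 8080), Handler) as srv:
        srv.serve_forever()
```

Each JSON line printed by the handler is a complete alert record; because the service has no legitimate users, no allow-list or tuning is needed to separate attacks from normal traffic.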
High-interaction honeypots imitate the activities of real systems that host a variety of services. They let the hacker interact with the system as they would with any regular operating system, with the goal of capturing the maximum amount of information on the attacker’s techniques. Any command or application an end user would expect to be installed is available, and generally there is little to no restriction on what the hacker can do once he or she compromises the system.
According to recent research in high-interaction honeypot technology, by employing virtual machines multiple honeypots can be hosted on a single physical machine, so even if a honeypot is compromised it can be restored more quickly. Although high-interaction honeypots provide more security by being difficult to detect, their main drawback is that they are costly to maintain. If virtual machines are not available, one honeypot must be maintained for each physical computer, which further increases the cost.
Advantages of a honeypot
Although they require significant resources, honeypots provide significant advantages as well. Some of the benefits of using a honeypot include:
- Collect real data: Honeypots collect data from actual attacks and other unauthorised activities, providing analysts with a rich source of useful information.
- Reduce false positives: Ordinary cybersecurity detection technologies generate alerts that can include a significant volume of false positives, but honeypots reduce this volume because there is no reason for legitimate users to access them.
- Cost-effective: Honeypots can be good investments because they interact only with malicious activity and so do not require high-performance resources to process large volumes of network traffic looking for attacks.
- Encryption: Honeypots capture malicious activity, even if an attacker is using encryption.
Disadvantages of a honeypot
These are the most relevant:
- Data: Honeypots only collect information when an attack occurs. Zero attempts to access the honeypot means there is no data to analyse.
- Honeypot network: Malicious traffic that has been captured is only collected when an attack targets the honeypot network; if attackers suspect a network is a honeypot, they will avoid it.
- Distinguishable: Honeypots are often distinguishable from legitimate production systems, which means experienced hackers can often differentiate a production system from a honeypot system using system fingerprinting techniques.
In general, honeypots help researchers understand threats in network systems, but production honeypots should not be seen as a replacement for a standard IDS. If a honeypot is not configured correctly, it can be used to gain access to real production systems or be used as a launch pad for attacks against other target systems.