Honeypot

In computer terminology, a honeypot is a computer security mechanism set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. A honeypot can be modelled after any digital asset, including software applications, servers or the network itself. It is intentionally and purposefully designed to look like a legitimate target, resembling the model in terms of structure, components and content.

This is meant to convince the adversary that they have accessed the actual system and to encourage them to spend time within this controlled environment, all while the intruder remains none the wiser about what is really happening. A honeypot may comprise several components, such as:

  1. Network devices,
  2. Keyloggers,
  3. Monitoring tools,
  4. Packet analyzers, and
  5. Alerting tools.

Two or more honeypots on a network form a honeynet. A honeynet can be placed in different positions, for example outside the external firewall, in the DMZ, or within the internal network. It has servers, networking devices and systems that resemble a legitimate network, populated with fake data. Typically, a honeynet is used to monitor a larger or more diverse network in which a single honeypot would not be sufficient. Honeynets and honeypots are usually deployed as parts of larger network intrusion detection systems.
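The monitoring and alerting components listed above can be seen in miniature in a low-interaction honeypot: a listener on a port that no legitimate service uses, which sends a plausible banner, records who connected and what they sent, and then hangs up. The following is an added example written for this page, not code from the original post or from any particular honeypot project; the SMTP-style banner, the 64-byte capture limit and the `print`-based alert hook are all assumptions chosen for illustration.

```python
import socket
import threading
import time
from dataclasses import dataclass, asdict


@dataclass
class HoneypotEvent:
    """One recorded touch of the decoy service."""
    ts: float          # epoch seconds when the connection was accepted
    src_ip: str        # peer address
    src_port: int
    dst_port: int      # the decoy port that was hit
    first_bytes: str   # hex of up to 64 bytes the peer sent after the banner


class LowInteractionHoneypot:
    """Accepts TCP connections on a port nothing legitimate should use, sends a
    plausible banner, records who connected and what they sent, then closes.
    It never implements the real protocol: the log is the product."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 mail ready\r\n", timeout=2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))   # port=0 lets the OS pick a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.banner = banner           # assumed banner; any decoy string works
        self.timeout = timeout
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=self.timeout + 1)
        self.sock.close()

    def _serve(self):
        self.sock.settimeout(0.2)      # wake regularly so stop() is noticed
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        data = b""
        conn.settimeout(self.timeout)
        try:
            conn.sendall(self.banner)
            data = conn.recv(64)
        except (socket.timeout, OSError):
            pass                       # a bare connect-and-drop is still worth recording
        finally:
            conn.close()
        event = HoneypotEvent(time.time(), addr[0], addr[1], self.port, data.hex())
        with self._lock:
            self.events.append(event)
        # Alerting hook (assumed): a real deployment would forward this to a SIEM.
        print(f"ALERT honeypot touch from {addr[0]}:{addr[1]} -> :{self.port} sent {data!r}")

    def snapshot(self):
        """Thread-safe copy of everything recorded so far, as plain dicts."""
        with self._lock:
            return [asdict(e) for e in self.events]


def probe(hp, payload):
    """Test client: connect to the decoy, read its banner, send payload, hang up."""
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner


def wait_for_events(hp, count, timeout=5.0):
    """Poll until the honeypot has recorded `count` events or the timeout passes."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        events = hp.snapshot()
        if len(events) >= count:
            return events
        time.sleep(0.05)
    return hp.snapshot()


if __name__ == "__main__":
    hp = LowInteractionHoneypot(port=2525)
    hp.start()
    print(f"decoy listening on 127.0.0.1:{hp.port}; Ctrl-C to stop")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        hp.stop()
```

The listener deliberately does nothing beyond the banner: the less it implements, the less there is to get wrong, and because no legitimate client has any reason to connect, every recorded event is by definition suspicious and can be alerted on without a false-positive budget.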

Some common types of Honeypots

Malware Honeypots — These types of honeypots detect malware based on known replication techniques and propagation vectors.

Database Honeypots — Since attacks on databases, such as SQL injection, are fairly common, you can use database honeypots to distract an attacker from your legitimate database servers by setting up decoy databases.

Client Honeypots — Most honeypots act as servers, listening for incoming connections. Client honeypots instead actively engage with malicious servers that attack clients: they pose as a client, visit the server, and monitor and record any modifications the server attempts to make.

Email Honeypots — Email honeypots are lists of decoy email addresses that email service providers use to detect spammers; any message sent to them is unsolicited by definition. Typically, accounts that have been inactive for a long period of time are used for this purpose.

Hosting a honeypot network allows you to discover threat actors in a low or no-stakes situation. Honeypots can take many forms, but the principle applies universally that if an unused area of your network sees traffic, that traffic is problematic. Data about indicators of compromise (IOCs) is turned into intelligence only after being scrutinized for contextual meaning. Studying honeypot data critically, using both software analytics and human reasoning, informs you of the threats as they exist within the context of your situation.
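The last paragraph makes the point that raw honeypot records become intelligence only once context is applied: a sweep across many ports, repeated attempts against one service, a single stray connection and your own vulnerability scanner are all "traffic to an unused area" but call for different responses. The following is an added example for this page, not code from the original post; the JSON-lines format, the `KNOWN_SCANNERS` allowlist and the classification thresholds are assumptions, and the log lines are constructed samples rather than captured traffic.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, not real traffic: JSON lines in the shape a low-interaction
# honeypot might write (one record per accepted connection). One line is
# deliberately malformed to show that the parser skips it rather than failing.
SAMPLE_LOG = """\
{"ts": 1700000000, "src_ip": "198.51.100.7", "dst_port": 22, "first_bytes": "5353482d322e302d6c696273736832"}
{"ts": 1700000003, "src_ip": "198.51.100.7", "dst_port": 22, "first_bytes": "5353482d322e302d6c696273736832"}
{"ts": 1700000010, "src_ip": "198.51.100.7", "dst_port": 22, "first_bytes": "5353482d322e302d6c696273736832"}
{"ts": 1700000020, "src_ip": "203.0.113.9", "dst_port": 21, "first_bytes": ""}
{"ts": 1700000021, "src_ip": "203.0.113.9", "dst_port": 22, "first_bytes": ""}
{"ts": 1700000022, "src_ip": "203.0.113.9", "dst_port": 80, "first_bytes": ""}
{"ts": 1700000023, "src_ip": "203.0.113.9", "dst_port": 443, "first_bytes": ""}
this line is corrupt and must be skipped
{"ts": 1700000030, "src_ip": "10.0.0.5", "dst_port": 22, "first_bytes": ""}
{"ts": 1700000031, "src_ip": "10.0.0.5", "dst_port": 80, "first_bytes": ""}
{"ts": 1700000040, "src_ip": "192.0.2.44", "dst_port": 3306, "first_bytes": ""}
"""

# Assumed: the organisation's own scanners, which are expected to touch the decoy.
KNOWN_SCANNERS = {"10.0.0.5"}


def parse_log(text):
    """Parse JSON-lines honeypot output, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            events.append({
                "ts": float(rec["ts"]),
                "src_ip": str(rec["src_ip"]),
                "dst_port": int(rec["dst_port"]),
                "payload": bytes.fromhex(rec.get("first_bytes", "")),
            })
        except (ValueError, KeyError, TypeError):
            continue
    return events


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def classify(ports, payloads, src_ip):
    """Attach context: expected noise, a port sweep, or repeated interest in one service."""
    if src_ip in KNOWN_SCANNERS:
        return "expected"
    if len(ports) >= 3 and not any(payloads):
        return "scan"            # many ports, nothing sent: a port sweep
    if len(ports) == 1 and len(payloads) >= 2 and any(payloads):
        return "targeted"        # same service, repeatedly, with protocol data
    return "single-touch"        # one connection: record it, but low confidence


def build_iocs(events):
    """Turn raw touches into per-source indicator records with context."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)
    iocs = {}
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports = sorted({e["dst_port"] for e in evs})
        payloads = [e["payload"] for e in evs]
        samples = sorted({p.decode("ascii", "replace") for p in payloads if p})
        iocs[src_ip] = {
            "category": classify(ports, payloads, src_ip),
            "attempts": len(evs),
            "ports": ports,
            "first_seen": _iso(evs[0]["ts"]),
            "last_seen": _iso(evs[-1]["ts"]),
            "duration_s": evs[-1]["ts"] - evs[0]["ts"],
            "payload_samples": samples[:3],
        }
    return iocs


def actionable(iocs):
    """Only the sources whose category warrants blocking or escalation."""
    return {ip: r for ip, r in iocs.items() if r["category"] in ("scan", "targeted")}


if __name__ == "__main__":
    for ip, rec in build_iocs(parse_log(SAMPLE_LOG)).items():
        print(ip, json.dumps(rec))
```

The thresholds in `classify` are the "human reasoning" step the paragraph asks for, encoded once so it is applied consistently: an address that only ever makes a single connection is kept in the record but not escalated, and the allowlisted scanner never reaches the block list even though it produced exactly the same kind of traffic as the sweep.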
