A honeypot – in the modern, digital sense – is a trap in the form of a vulnerable or incorrectly configured system (for example, a router, or virtual machine emulating one) that is intentionally open to attacks from the internet. Constantly monitored by information security experts, it acts as bait to lure cybercriminals to it. The main task of a honeypot is to gather information about the tools and tactics of attackers. Honeypots are classified as passive defenses.
To attract cybercriminals, researchers deliberately employ measures such as protecting honeypots with weak passwords or leaving commonly used ports open.
Data honeypots collect
Honeypots can collect a variety of data on attackers, including:
- IP addresses
- Usernames and the privileges they hold
- Data they access, modify, or delete
- Malware and other tools that attackers try to upload to the honeypot
Types of honeypots
By purpose of deployment
- Production honeypots are installed in an organization’s real internal network to collect data on attacks on its systems.
- Research honeypots are used to study cybercriminal methods and behavior regardless of the organization targeted.
By level of interaction
- Low-interaction honeypots are traps that mimic vulnerable services open to attack, but without the ability to interact with the system after exploitation. These honeypots are less resource-intensive, but collect the least amount of attacker-related information. In addition, such traps are more likely to be spotted by an attacker, so they are used primarily to detect bot attacks.
- Mid-interaction honeypots are traps that mimic a system that can somehow be manipulated after exploitation. These honeypots also have limited functionality, but collect more information than low-interaction honeypots.
- High-interaction honeypots mimic full-fledged systems with a range of services and other elements attractive to attackers, such as databases. The more complex the system, the more information it can collect about the attackers.
- Pure honeypots mimic the full production environment with multiple servers. These traps are the most resource-intensive to deploy and maintain; they are also the most realistic and collect the most attacker-related information.
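As an added illustration of the low-interaction type (example code written for this entry, not taken from any honeypot product): a fake Telnet-style login prompt that records the peer's IP address and the credentials it tries, and never lets the client past the prompt. The banner text, port 2323 and JSON-lines log format are this example's own choices.

```python
# Added example: a minimal low-interaction honeypot. It emulates only a login
# prompt, records peer address and credentials tried, and always rejects.
# Banner, port and log format are constructed for this example.
import json
import socket
import time
from dataclasses import dataclass, asdict

BANNER = b"Ubuntu 18.04 LTS\r\nlogin: "   # constructed decoy banner


@dataclass
class LoginAttempt:
    peer: str
    username: str
    password: str
    ts: float


def handle_session(rfile, wfile, peer, now=time.time):
    """Drive one fake login exchange over file-like objects.

    Returns the LoginAttempt recorded, or None if the client sent nothing.
    Working on file objects rather than sockets keeps the logic testable offline.
    """
    wfile.write(BANNER)
    wfile.flush()
    username = rfile.readline().strip().decode("latin-1", "replace")
    if not username:
        return None
    wfile.write(b"Password: ")
    wfile.flush()
    password = rfile.readline().strip().decode("latin-1", "replace")
    # Always reject: a low-interaction trap offers nothing beyond the prompt.
    wfile.write(b"\r\nLogin incorrect\r\n")
    wfile.flush()
    return LoginAttempt(peer=peer, username=username, password=password, ts=now())


def serve(host="0.0.0.0", port=2323, log_path="honeypot.jsonl"):
    """Accept connections one at a time and append each attempt as a JSON line."""
    with socket.create_server((host, port)) as srv, open(log_path, "a") as log:
        while True:
            conn, (ip, _) = srv.accept()
            conn.settimeout(30)  # do not let a silent client hold the trap open
            with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
                attempt = handle_session(r, w, ip)
            if attempt:
                log.write(json.dumps(asdict(attempt)) + "\n")
                log.flush()


if __name__ == "__main__":
    serve()
```

Each log line then holds exactly the attacker data the entry lists above (IP address, username tried, password tried), which is the whole yield of a honeypot at this interaction level.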
By object of analysis
- Malware honeypots are designed to be penetrated by malware. Once inside the trap, the malware can be studied by security experts.
- Spam honeypots are designed to collect data on spammers and bots that collect email addresses for spamming purposes. These honeypots can mimic a vulnerable mail server, such as an open mail relay or a web page with a decoy address in its code.
- Database honeypots are for analyzing database-related attacks, in particular SQL injections.
- Spider honeypots are hidden links on a website that detect data-harvesting bots. The primary task of such honeypots is to protect websites from scraping.
- Client honeypots are traps that mimic the behavior of client programs, such as browsers, that can be targeted by attackers. Unlike most honeypots, client honeypots are active: they connect to various servers under the guise of the client and probe to see whether the server will attack them.
- IoT honeypots are traps that mimic devices on the internet of things.
- Honeynets are multiple honeypots combined into one system. Depending on the components, they are used to analyze sophisticated attacks of various types.