What Is a Honeypot?
A honeypot is a cybersecurity mechanism that uses a manufactured attack target to lure cybercriminals away from legitimate targets, and also gathers intelligence about the identity, methods and motivations of adversaries.
A honeypot can be modeled after any digital asset, including software applications, servers or the network itself. It is intentionally and purposefully designed to look like a legitimate target, resembling the model in terms of structure, components and content. This is meant to convince the adversary that they have accessed the actual system and encourage them to spend time within this controlled environment.
The honeypot serves as a decoy, distracting cybercriminals from actual targets, as well as a reconnaissance tool, using their intrusion attempts to assess the adversary’s techniques, capabilities and sophistication.
The intelligence gathered from honeypots is useful in helping organizations evolve and enhance their cybersecurity strategy in response to real-world threats and identify potential blind spots in the existing architecture.
How Can a Honeypot Identify Cyberattacks?
A honeypot is a trap set by the information security (“infosec”) team to instigate cyberattacks from cybercriminals. The strategy involves baiting adversaries, as well as monitoring traffic coming into the honeypot system to identify intrusion attempts and gather information about how various cybercriminals are operating.
As part of the monitoring process, the infosec team can determine:
- The origin of a cyberattack
- The sophistication level of the attacker
- Commonly used techniques by adversaries
- The most attractive targets within the network
- The effectiveness of existing cybersecurity measures in preventing such attacks
In this way, a honeypot helps organizations reverse-engineer their security policies and procedures to actively protect against known threats and specific adversarial techniques.
2021 CrowdStrike Global Threat Report
Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.Download Now
What Is a Honeynet?
A honeynet is a network of honeypots that is designed to look like a real network, complete with multiple systems, databases, servers, routers and other digital assets. Since the honeynet, or honeypot system, mimics the sprawling nature of a typical network, it tends to engage cybercriminals for a longer period of time.
Given the size of the honeynet, it is also possible to manipulate the environment, luring adversaries deeper into the system in order to gather more intelligence about their capabilities or their identities.
Different Types of Honeypots
Honeypots can be categorized in many different ways. On the most basic level, honeypots are classified by purpose as either a production honeypot or a research honeypot.
The production honeypot is the most common honeypot type. This decoy is used by businesses to collect information and intelligence about cyberattacks within the production network. This may include IP addresses, intrusion attempt time and dates, traffic volume and other attributes.
Production honeypots are relatively simple to design and deploy, but they are less sophisticated than research honeypots in terms of the intelligence produced. They are most commonly used by corporations, private companies and even high-profile individuals, such as celebrities, political figures and business leaders.
A research honeypot is designed to collect information about the specific methods and techniques used by adversaries and what possible vulnerabilities exist within the system in reference to such tactics.
Research honeypots are typically more complex than production honeypots. They are often used by government entities, the intelligence community and research organizations to get a better sense of the organization’s security risks.
Honeypots by Attribute
It is also possible to categorize honeypots by attribute. Most commonly, this means designating the decoy based on its level of interaction.
As the name implies, a low-interaction honeypot uses relatively few resources and collects basic information about the attacker. These honeypots are relatively easy to set up and maintain.
However, because they are fairly unsophisticated, they are unlikely to hold the attention of an attacker for very long — which means they are unlikely to be a particularly effective decoy and will only produce limited intelligence about the adversary. Also, given the growing sophistication of many adversaries, some advanced attackers can spot low-level decoys and avoid them or even exploit them by feeding them misinformation.
Most production honeypots are considered low-interaction honeypots.
A high-interaction honeypot is designed to engage cybercriminals for long periods of time through a network of exploratory targets, such as multiple databases. This gives the cybersecurity team a deeper understanding of how these adversaries work, their techniques and even clues to their identity. While a high-interaction honeypot consumes more resources, they also provide higher-quality and more relevant information that the organization can use to adapt existing security protocols.
That said, high-interaction honeypots also come with some amount of risk, in that they require proper monitoring and containment. A “honeywall” — or perimeter set up around the honeypot — must be adequately secured and offer only one point of entry and egress. This ensures that the cybersecurity team can monitor and manage all traffic and prevent lateral movement form the honeypot to the actual system.
Most research honeypots are considered high-interaction honeypots.
One emerging classification for honeypots is a subsegment called deception technology. This security technique applies intelligent automation — including the use of artificial intelligence (AI), machine learning (ML) and other data-driven advanced technologies — to the honeypot in order to automate data collection and analysis. Deception technology helps the organization process information more quickly and scale efforts across a more complex decoy environment.
Additional Honeypot Classifications
Honeypots can also be broken down by the type of activity they detect.
Email trap or spam trap
An email or spam trap will implant a fictitious email address in a hidden field that can only be detected by an automated address harvester or site crawler. Since the address is not visible to legitimate users, the organization can categorize all correspondence delivered to that inbox as spam. The organization can then block that sender and its IP address, as well as any messages that match its content.
A decoy database is an intentionally vulnerable fictitious data set that helps organizations monitor software vulnerabilities, architecture insecurities or even nefarious internal actors. The decoy database will gather information about injection techniques, credential hijacking or privilege abuse used by an attacker that can then be built into system defenses and security policies.
A malware honeypot mimics a software app or an application programming interface (API) in an attempt to draw out malware attacks in a controlled, non-threatening environment. In doing so, the infosec team can then analyze the attack techniques and develop or enhance anti-malware solutions to address these specific vulnerabilities, threats or actors.
Similar to the spam honeypot, a spider honeypot is designed to trap webcrawlers, sometimes called spiders, by creating webpages and links only accessible to automated crawlers. Identifying these spiders can help organizations understand how to block malicious bots, as well as ad-network crawlers.
How Does a Honeypot Work in Cybersecurity?
The basic premise of the honeypot is that it should be designed to look like the network target an organization is trying to defend.
For example, a honeypot can be manufactured to look like a payment gateway, which is a popular target for hackers because it contains rich amounts of personal information and transaction details, such as encoded credit card numbers or bank account information. The honeypot or honeynet can also resemble a database, which would lure actors that are interested in gathering intellectual property (IP), trade secrets or other valuable sensitive information. The honeypot may even appear to contain potentially compromising information or photos as a way to entrap adversaries whose goal is to harm the reputation of an individual or engage in ransomware techniques.
Once inside the network, it is possible to track cybercriminals’ movements to better understand their methods and motivations. This will help the organization adapt existing security protocols in order to thwart similar attacks on legitimate targets in the future.
To make honeypots more attractive, they often contain deliberate but not necessarily obvious security vulnerabilities. Given the advanced nature of many digital adversaries, it is important for organizations to be strategic about how easily a honeypot can be accessed. An insufficiently secured network is unlikely to trick a sophisticated adversary and may even result in the bad actor providing misinformation or otherwise manipulating the environment to reduce the efficacy of the tool.
The Benefits of Using a Honeypot in Cybersecurity
Honeypots are an important part of a comprehensive cybersecurity strategy. Their main objective is to expose vulnerabilities in the existing system and draw a hacker away from legitimate targets. Assuming the organization can also gather useful intelligence from attackers inside the decoy, honeypots can also help the organization prioritize and focus their cybersecurity efforts based on the techniques being used or the most commonly targeted assets.
Additional benefits of a honeypot include:
- Ease of analysis. Honeypot traffic is limited to nefarious actors. As such, the infosec team does not have to separate bad actors from legitimate web traffic — all activity can be considered malicious in the honeypot. This means that the cybersecurity team can spend more time analyzing the behavior of cybercriminals, as opposed to segmenting them from regular users.
- Ongoing evolution. Once deployed, honeypots can deflect a cyberattack and gather information continuously. In this way, it is possible for the cybersecurity team to record what types of attacks are occurring and how they evolve over time. This gives organizations an opportunity to change their security protocols to match the needs of the landscape.
- Internal threat identification. Honeypots can identify both internal and external security threats. While many cybersecurity techniques focus on those risks coming from outside the organization, honeypots can also lure inside actors who are attempting to access the organization’s data, IP or other sensitive information.
It is important to remember that honeypots are one component in a comprehensive cybersecurity strategy. Deployed in isolation, the honeypot will not adequately protect the organization against a broad range of threats and risks.
Just as an organization uses a honeypot to distract adversaries, so can cybercriminals. For example, if bad actors recognize that the honeypot is a decoy, they can flood the honeypot with intrusion attempts in an effort to draw attention away from real attacks on the legitimate system. The hacker can also deliberately provide misinformation to the honeypot, allowing their identity to remain a mystery and possibly confusing the algorithms and ML models used to analyze activity. This is why it’s crucial for an organization to deploy a range of monitoring, detection and remediation tools, as well as preventative measures to protect the organization.
Another honeypot risk occurs when the decoy environment is misconfigured. In this case, advanced adversaries may identify a way to move laterally from the decoy to other parts of the network. Using a honeywall to limit the points of entry and exit for all honeypot traffic is an important aspect of the honeypot design. This is another reason why the organization must enable prevention techniques such as firewalls and cloud-based monitoring tools to deflect attacks and identify potential intrusions quickly.