The idea of a honeypot originates from national security. Traditionally a counter-espionage term for luring a spy into a trap with an attractive partner, it has been adopted by cybersecurity as the name for a method of detecting cyber threats.
While honeypots have earned their space in the cybersecurity analyst’s toolbox, they rarely break into mainstream news. That was until 2021, when millions of dormant, Pentagon-owned IP addresses were suddenly brought back into use. Border Gateway Protocol (BGP) announcements revealed that these addresses were now managed by a wholly unheard-of organization, Global Resource Systems. Founded only in September of that year, the company had no history of federal contracts and no public-facing website. Now, the shadowy Global Resource Systems owns almost 6% of all IPv4 addresses and retains a grip over most of the military’s old addresses.
Fears of security oversights and internal bad actors ran riot until the Defense Digital Service (DDS) stepped forward and claimed responsibility. The DDS works to ensure the Department of Defense’s (DoD) security while also conducting experimental projects. Network security leaders were quick to read between the lines: the DoD had just established the largest honeypot in the world.
Understanding a honeypot
Automated cyberattacks represent a multi-million dollar black market. Malicious bots constantly trawl the public internet, and vulnerable networks can be discovered and probed with free tools such as Wireshark. For applications, a recent report found that one in five attacks are fuzzing attacks that rely on automation to detect and exploit known vulnerabilities. Part of this success stems from the fact that many business networks are essentially open, meaning that once an unauthorized user gains access, they can move into any part of the network.
In this context the honeypot thrives: by segmenting off a network or device and deliberately leaving it exposed, it becomes possible to create a petri dish of live attacks. Honeypots are made enticing by intentionally incorporating security weaknesses. For example, a honeypot could include ports designed to be flagged during an attacker’s port scans, or offer apparently defenseless login screens. The real-world insights that honeypots help glean make them great training tools for security staff. Since a honeypot remains isolated from real high-risk organizational data, security analysts are granted the freedom to focus 100% on the threat at hand.
Types and uses of honeypots
The intelligence potential held by honeypots is almost unlimited. Thanks to this inherent flexibility, many different types exist. An organization’s attack intel can be built from one or a combination of the following formats:
The company embeds an unused email address within a public-facing asset, hiding it from human viewers. This email address is left to be picked up by automated email harvesters that scour the web. As the inbox is reserved solely for this honeypot, it lends analysts full visibility into the spam being leveraged against employees. Every email that reaches this inbox adds a data point to a proactive phishing protection campaign.
Web crawlers, also called web spiders, are automated programs that index and download content on the internet. Starting at a set of known webpages, web crawlers work by following a hyperlink to another page, selecting another URL on that page, and so on. Some crawlers are useful, such as Google’s own web crawlers that help categorize and index relevant results for users. However, malicious actors can also hunt for relevant information about your organization. Spider traps use fake links and pages that are only accessible to the crawlers themselves. Tracking which clients follow those links gives you deeper insight into automated browsing patterns, which can then inform your strategy against malicious bots.
One of the more involved forms of honeypot, the malware honeypot mimics an application and its associated APIs. Attackers are presented with a chance to exploit any vulnerabilities, helping shed light on longer-form attack paths that could otherwise be used to gain access. This analysis can then be incorporated into anti-malware software or used to close API vulnerabilities.
The final component of your honeypot infrastructure is a decoy database, which tempts the would-be attacker into making an effort. It’s vital not to store genuine, sensitive data in this decoy database, as the idea is to stress-test any insecure system architecture that could lead to SQL injection and privilege abuse.
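As an added example (not code from the original article), the following Python script implements the detection side of a spider trap: it parses web-server access logs in the common combined format and reports every client that requested a trap path that is never linked visibly and is Disallowed in robots.txt. A client that hits the trap either ignored robots.txt or never fetched it, so the report records that too. The log lines, the /trap/ path prefix and the addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache/Nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "GET /pricing HTTP/1.1" 200 3011 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
198.51.100.23 - - [10/May/2024:12:01:10 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.23 - - [10/May/2024:12:01:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.88 - - [10/May/2024:12:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.88 - - [10/May/2024:12:02:01 +0000] "GET /trap/directory-a1/ HTTP/1.1" 200 812 "https://example.test/" "python-requests/2.31"
192.0.2.88 - - [10/May/2024:12:02:02 +0000] "GET /trap/directory-a1/page-2/ HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

# Assumed trap location: links to it are hidden from human visitors and listed as Disallow in robots.txt.
TRAP_PREFIX = "/trap/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_trapped_clients(log_text, trap_prefix=TRAP_PREFIX):
    """Return {ip: {"hits", "user_agents", "fetched_robots"}} for every client that entered the trap."""
    per_ip = defaultdict(lambda: {"hits": 0, "user_agents": set(), "fetched_robots": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip rather than crash the report
        entry = per_ip[rec["ip"]]
        if rec["path"] == "/robots.txt":
            entry["fetched_robots"] = True
        if rec["path"].startswith(trap_prefix):
            entry["hits"] += 1
            entry["user_agents"].add(rec["ua"])
    # Well-behaved crawlers never reach the trap; only clients with at least one hit are reported.
    return {ip: e for ip, e in per_ip.items() if e["hits"] > 0}
```

Running `find_trapped_clients(SAMPLE_LOG)` on the constructed log reports only 192.0.2.88, which walked into the trap without ever fetching robots.txt.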
Low-interaction vs high-interaction honeypots
Honeypots come in various levels of interactivity. A low-interaction honeypot is designed to offer the bare minimum of system access – just enough to record the initial request of an attack.
In contrast, a high-interaction honeypot provides a much broader range of capabilities. Instead of a facade, attackers are provided an interactive platform on which to carry out post-exploitation activities. This gives security researchers and malware analysts a front-row seat to the attacker’s destination, the tools they use for privilege escalation, and the exploits they’re leveraging against the honeypot. This form of honeypot is significantly more resource- and skill-intensive, however.
Risks of using a honeypot
While honeypots are valuable for monitoring the threat landscape, it’s essential to recognize their limitations. For instance, they can only detect activity directed at the honeypot itself – meaning they may not capture a picture of all existing threats.
An effective honeypot, when properly configured, can convincingly deceive attackers into thinking they have breached the actual system. It replicates login warnings, data fields, appearance, and logos identical to your genuine systems. However, if an attacker identifies it as a honeypot, they might redirect their efforts toward your other systems, leaving the honeypot untouched. Furthermore, once a honeypot is “fingerprinted,” an attacker can turn the tables on you by feeding it false information.
Even more concerning, a savvy attacker could use a honeypot as a gateway to access your systems. This is why honeypots should never replace essential security controls. A “honeywall” can offer basic honeypot security, preventing attacks from ricocheting into your live systems.
Setting up a honeypot to detect network intrusions
Getting a honeypot set up and running is easy; maintaining it can be a far more challenging task. With that in mind, the following steps can take you through set-up and beyond.
1. Choose your platform
While on-prem is a viable option, the cloud is the more secure place to host a new honeypot, thanks to the fact that many cloud providers offer a form of free virtual machine. VMs are one of the safest setups: if a VM is successfully exploited, you only need to reboot and restore it.
2. Set up your architecture
You can choose the machine images that define the virtual machine’s software on a platform such as AWS. This is where a specific operating system and applications can be spun up. At the same time, choosing the instance type dictates the number of CPU cores and the amount of RAM your virtual machine will have.
Equally important is determining which events the honeypot program will monitor. Popular focal points include login attempts and file changes; with this in mind, set up an alternative logging method, as malicious actors could change the honeypot’s log files. Storing the logs outside of the honeypot keeps a tampered machine from hiding what happened on it.
3. Choose network settings
The honeypot is placed outside of an internal firewall for the best tradeoff between security and performance. Further modifications can include configuring the external firewall to keep only the necessary ports open. This approach further helps to direct malicious traffic toward the honeypot and away from the internal network. Closing all other ports keeps you a little more secure and adds further realism to the decoy software.
Alongside adequate network security measures, ensure good security hygiene by assigning a name tag to the instance, which makes it easier to identify. Furthermore, when you’re first setting things up, permit inbound access only from your router or VPN. This allows you to test your honeypot service without exposing it to potential attacks until you’re ready. Port scanners such as Nmap are useful in this step.
4. Perform some final checks
Finally, perform some activity inside the honeypot and then have a look at the associated server logs. If the logs are missing anything, make sure your organization’s Intrusion Detection System isn’t flagging the port scan, since an IDS response could encourage an attacker to go elsewhere. Once everything is ready, your new honeypot can be put into production; monitor it closely and fine-tune the configuration.
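As an added example (not code from the original article), here is a minimal low-interaction honeypot in Python that matches the description given earlier and the steps just listed: it presents a bare service banner, records only the initial request, and ships each event off-box so the honeypot itself holds no log files an attacker could alter. The decoy port, the collector address and the sensor name tag are assumed values, not taken from the page.

```python
import json
import socket
from datetime import datetime, timezone

# Assumed values, not taken from the page: a collector outside the honeypot VM and a decoy port.
COLLECTOR = ("collector.internal.example", 5140)   # hypothetical log receiver (UDP, one JSON line per event)
LISTEN_PORT = 2222                                 # decoy port; no real service runs behind it
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"           # the whole facade: a banner and nothing else

def classify(first_bytes: bytes) -> str:
    """Label the opening request so the collector side can triage what the decoy port attracted."""
    if not first_bytes:
        return "connect-only"
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client-hello"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http-request"
    return "unknown"

def build_event(peer_ip: str, first_bytes: bytes, now=None) -> dict:
    now = now or datetime.now(timezone.utc)
    return {                              # nothing is written to disk on the honeypot itself
        "ts": now.isoformat(),
        "sensor": "honeypot-01",          # constructed name tag for the instance (step 3 above)
        "src_ip": peer_ip,
        "dst_port": LISTEN_PORT,
        "kind": classify(first_bytes),
        "first_bytes": first_bytes[:256].decode("latin-1"),  # lossless for any byte value
    }

def ship(event: dict, collector=COLLECTOR) -> bytes:
    payload = json.dumps(event, sort_keys=True).encode()   # one JSON line per event
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, collector)
    return payload

def serve(port=LISTEN_PORT):
    with socket.socket() as srv:          # accept one connection at a time, record, hang up
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port)); srv.listen()
        while True:
            conn, addr = srv.accept()
            with conn:
                conn.settimeout(5)
                conn.sendall(FAKE_BANNER)
                try:
                    data = conn.recv(1024)
                except OSError:           # timeout or reset: the connection itself is still worth recording
                    data = b""
                ship(build_event(addr[0], data))
```

Call `serve()` on the honeypot VM once the firewall rules from step 3 are in place; the collector receives one JSON line per connection and nothing remains on the decoy for an intruder to edit.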
Honeypots aren’t a replacement for protection
Honeypots grant unmatched insight into the mechanisms of real-time attacks. For example, SophosLabs’ discovery of the Chalubo botnet was thanks to a honeypot server that pretended to be vulnerable to distributed denial-of-service (DDoS) attacks. With this, they found that a primary component of Chalubo was a downloader specifically optimized for hardware running Intel x86 processors.
It’s at this point, however, that the honeypot’s limitations appear. It offers very little true protection for the endpoints being targeted; those Intel processors still require defending.
NinjaOne’s endpoint protection lends you complete control over the applications and configurations across the entirety of your organization’s devices. Discover how NinjaOne’s one-click integration can upgrade the granularity of your antivirus, and empower your technical support team today.