Cyberattacks may be on the rise, but so are the defensive tactics organizations can use to protect themselves against them.
What is a honeypot? How do honeypots work?
This guide reviews what honeypots are, how they work, and the potential benefits and risks they may introduce when using them.
What Is a Honeypot?
The term “honeypot” originally comes from the world of military espionage, wherein spies would use a romantic relationship to steal secrets from the enemy. By setting a “honey trap” or a “honeypot,” they aimed to attract and ensnare targets into divulging sensitive information.
In cybersecurity, cyber honeypots often work fundamentally in the same way as traditional honeypots.
Cyber honeypots are baited, virtual traps for threat actors. They’re decoys designed to mimic targets for attackers and can be used as a reconnaissance tool to assess an attacker’s techniques, capabilities, and levels of sophistication.
Most honeypots are intentionally compromised computer systems that use intrusion attempts to glean information about attackers and their modus operandi or to distract them from other targets. Honeypots can be applied to virtually any computing resource, including software, networks, file servers, and routers, and aim to convince an attacker that they have accessed a legitimate system. This encourages them to spend as much time as possible in the controlled environment for observation.
As a type of deception technology, honeypots help organizations better understand threat actors and their behavior patterns. With the cyber intelligence gathered from honeypots, organizations can enhance their existing cybersecurity strategy in response to real-world threats and identify gaps in their security architecture, information, and network security.
Types of Honeypots
Honeypots may vary based on their design and deployment models, but at the core, all honeypots are decoys that are designed to look like legitimate, vulnerable systems to attract threat actors.
There are three types of honeypots aiming to allow threat actors to perform various levels of malicious activity:
1. Pure Honeypots
Pure honeypots typically comprise a complete production system and monitor attacks through bug taps on links that connect honeypots to networks. This type of honeypot is known for being relatively unsophisticated.
2. Low-Interaction Honeypots
Low-interaction honeypots typically imitate services and systems that most frequently attract attention from threat actors. This type usually offers a method for collecting data from blind attacks including botnets and worms.
Low-interaction honeypots tend to use fewer resources and often collect only basic information about threats and their origins. These honeypots are usually easy and quick to set up and can be accomplished with basic simulated TCP and IP protocols and network services.
However, because there’s nothing in the low-interaction honeypot to engage the attacker for very long, it often doesn’t result in in-depth information on their habits.
3. High-Interaction Honeypots
High-interaction honeypots are typically composed of more complex setups that aim to behave like legitimate production infrastructure. This type doesn’t usually restrict a threat actor’s activity level and can provide more extensive cybersecurity insights than pure honeypots or low-interaction honeypots.
They can be thought of as extra “sticky” and are designed to engage attackers for longer so researchers can trace where attackers go in the system to locate sensitive information, what tools or techniques they used to escalate privileges, or what exploits they used to compromise the system.
However, high-interaction honeypots are often high-maintenance and require extensive expertise and technologies that prevent attackers from accessing legitimate systems. Additionally, high-interaction honeypots can introduce risks if they’re not properly secured with a “honeywall.”
While all three types of honeypots have a place in cybersecurity, using a combination of honeypots may help organizations capitalize on the information they provide. For instance, combining the basic information on threat types from pure or low-interaction honeypots with information on intentions, communications, and exploits from high-interaction honeypots can provide a more holistic view than any single type of honeypot can provide.
What Are Honeypots Used for?
Honeypots are usually used as:
Production honeypots typically act as decoy systems inside networks and servers and are often part of an intrusion detection system (IDS). Honeypots used for production aim to deflect an attacker’s attention from a legitimate system while analyzing their activity to help mitigate vulnerabilities.
Research honeypots are often used for educational purposes and to enhance security. Honeypots used for research contain trackable data so security teams can trace it once stolen to better analyze an attack.
How Do Honeypots Work?
Honeypots aim to mimic a legitimate computer system with applications and data designed to trick threat actors into thinking they’re real targets.
For example, a honeypot might mimic an organization’s customer billing system, which is often a frequent target for threat actors looking for credit card numbers. Once the attackers gain entry, the honeypot can track and assess their behavior for ideas about how to better secure their real network.
To attract attackers, honeypots are built with deliberate security vulnerabilities. For instance, a honeypot might include ports that respond to a port scan or weak passwords, and vulnerable ports might be intentionally left open. However, if a honeypot’s vulnerabilities are too obvious, the threat actor may realize the target is illegitimate.
Honeypots aren’t often set up to deal with specific problems like firewalls or antivirus software. Instead, they typically serve as information-gathering tools designed to help organizations understand existing threats and vulnerabilities and identify new threats.
Monitoring traffic coming into the honeypot system can help an organization assess:
- Where threat actors originate
- The threat’s level
- The threat actor’s modus operandi
- What data or applications the threat actor is interested in
- How well an organization’s security measures are working to stop threat actors
Honeywalls vs Honeynets
A honeywall monitors network traffic and redirects it to the honeypot. A honeynet is a decoy network containing one or more honeypots.
Like honeypots, honeynets mimic real networks and often contain multiple systems, but are typically hosted on just one or only a few servers, each of which represents a single environment. Honeynets typically divert attackers from real networks to gather intelligence on their actions.
Using a honeynet, security teams can also inject vulnerabilities that make it easier for attackers to gain access to their trap, and any system on a honeynet could serve as an entry point for attackers. Unlike honeypots, honeynets often feel more similar to a real network, and provide a larger environment for observation. They’re better suited for larger, more complex networks because they present attackers with an alternative corporate network.
Reviewing some examples of honeypots can organizations determine which type of honeypot could work best.
Spam Traps & Email Traps
Spam traps are often used to help Internet Service Providers (ISPs) identify and block spammers, and to make email inboxes more secure by fixing vulnerabilities. Spam traps are typically set by using fake email addresses placed in hidden locations to bait spammers.
Since the email address is hidden, only an automated address harvester should be able to find it, so any emails sent to the fake email address will most likely be spam. Then, any messages containing similar content as those sent to the fake email address may be blocked, and the source IP of the sender can be added to a blacklist to prevent any future emails.
The most common types of spam traps include:
- Username typos: The spam filter typically detects typos resulting from human or machine error and sends the email to the spam folder. This often includes misspelled email addresses, such as [email protected] vs. [email protected]
- Expired email accounts: Providers may use abandoned email accounts or expired domain names to trick spammers into sending emails to these accounts.
- Purchased email lists: An email list containing multiple invalid email addresses will be automatically added to a denylist.
There are spam trap vulnerabilities to consider.
- Spam traps can generate backscatter, or incorrectly automated bounce messages.
- Spam traps can also taint legitimate email addresses if they reply to or forward the original email.
- Once a spam trap has been exposed, spammers may try to exploit it by flooding it with legitimate content that causes it to lose effectiveness.
- Some users may accidentally write to an address without realizing it’s a spam trap, which can cause reputational damage to organizations if an ISP blocks or blacklists their IP address.
Honeypots may also resemble a legitimate database, luring threat actors that are most interested in gathering intellectual property, trade secrets, or other valuable sensitive information. Decoy databases can be constructed to monitor software vulnerabilities and identify attacks that exploit insecure systems architecture or use SQL injection, SQL services exploitation, or privilege abuse.
A decoy database may even appear to contain potentially compromising data to attract attackers who are most interested in harming the reputation of an organization or engaging in ransomware techniques.
Malware honeypots are typically designed to mimic software apps and APIs to invite malware attacks in a controlled environment. Once deployed, the malware’s characteristics can then be analyzed by a security team to develop anti-malware software or to remediate vulnerabilities in the API.
Spider honeypots are usually intended to attract web crawlers (also called “spiders”) by creating web pages or links that are only accessible to automated crawlers. By detecting spiders, organizations can learn how to block malicious bots and ad-network crawlers.
Benefits and Risks of Honeypots
Honeypots are often considered an important part of a comprehensive cybersecurity strategy, as their main objective is to expose vulnerabilities in existing systems and distract attackers from legitimate targets. However, honeypots can also introduce a number of risks to the organizations that use them.
Benefits of Honeypots
Here are some of the benefits that may come with using honeypots:
1. Honeypots Can Expose Vulnerabilities in Major Systems.
By nature, honeypots are designed to alert organizations to any vulnerabilities in their existing systems. Additionally, honeypots can help organizations determine the ways in which their security might be improved.
2. Honeypots Can Make it Easier to Spot Intrusions.
Honeypots ideally shouldn’t get any legitimate traffic, so any activity it logs is likely to be a probe or an intrusion attempt. This can make it easier for security teams to spot patterns, including similar IP addresses (or IP addresses coming from a specific location), used to carry out a network sweep.
When looking at traffic patterns on a core network, it can be easy to lose sight of the telltale signs of an attack amidst a sea of data. With a honeypot, malicious activity is often the only activity logged, which often makes attacks much easier to identify.
3. Honeypots Stop Other Attacks.
The more time attackers spend wasting their efforts on honeypots, the less likely they are to attack other, legitimate systems that could cause real damage to the target organization, and any others.
4. Honeypots Are Often Resource-Light.
Honeypots often don’t make demands on hardware, and it may even be possible to configure honeypots with old computers that are no longer in use. Where software is concerned, there are a number of ready-written honeypots available from a variety of online repositories, which can further reduce the amount of in-house effort (and time) that’s necessary to operate a honeypot.
5. Honeypots Can Have Low False-Positive Rates.
Unlike traditional intrusion detection systems, which often produce a large number of false alerts, honeypots have low false-positive rates. This helps organizations prioritize efforts and keep resource demands from honeypots at relatively low levels.
6. Honeypots May Help Refine And Improve Other Cybersecurity Systems.
By using the data collected from honeypots and correlating it with other system and firewall logs, existing intrusion detection systems may be configured with more relevant alerts to yield fewer false positives.
7. Honeypots Can Deliver Intelligence About Evolving Threats.
Honeypots can deliver information about attack vectors, exploits, and malware. In the case of email or spam traps, they can also deliver information about spammers and phishing attacks. Since attackers are continually refining and evolving their intrusion techniques, a honeypot can help organizations spot newly emerging threats and eradicate blindspots.
8. Honeypots Can Be An Effective Training Tool For Security Teams.
Honeypots are controlled, safe environments, and can be used to show security teams how attackers work by examining different types of threats. Honeypots effectively eliminate distractions from legitimate traffic so security teams can focus 100% of their efforts on threats.
9. Honeypots Can Also Catch Internal Threats.
Since most organizations spend the majority of their resources defending the network perimeter to ensure outsiders can’t get in, they effectively ignore insider threats or attackers who have successfully breached a firewall. Once inside, attackers are essentially free to do whatever damage they can.
Unlike firewalls, which don’t often help against internal threats, honeypots can provide equally reliable information about inside threat actors and reveal vulnerabilities in areas such as permissions which often allow insiders to exploit systems.
Dangers of Honeypots
Although honeypots may come with benefits, they also come with some drawbacks, including:
1. Honeypots Can Only See Activity Directed At Them.
Just because a threat isn’t directed at a honeypot doesn’t mean that threat does not exist. Honeypots only work when they successfully attract a threat actor and trick them into thinking it’s a legitimate computing resource.
However, threat actors are increasingly sophisticated and intelligent and may be able to sniff out a honeypot before they take any additional action. For this reason, it’s important for organizations to implement other detection technologies in addition to honeypots to cover all their bases.
2. Honeypots Can Be Identified By Attackers.
While a properly configured honeypot should, in theory, deceive an attacker into believing that they’ve gained access to a legitimate system, should an attacker manage to identify it as a honeypot, they may be able to use that information to their advantage.
For example, once a honeypot has been “fingerprinted,” an attacker may create a spoofed attack to distract attention away from a real exploit targeted at production systems or even feed false information to the honeypot.
3. Honeypots Can Be Used To Gain Access To Real Systems.
A sophisticated threat actor may use a honeypot as a way into legitimate production systems, using it as a launch pad for further intrusion. Although a honeywall may provide some basic security or stop attacks directed at the honeypot from infiltrating production systems, honeypots shouldn’t replace necessary security controls including firewalls and other intrusion detection systems.
4. Honeypots Can’t Replace Proper Cybersecurity.
Honeypots can give organizations information to help prioritize their cybersecurity efforts, but they simply cannot replace proper, robust cybersecurity measures.
Honeypots to Deception Technology
Today, honeypots are largely seen as the precursor to modern multi-faceted and more advanced cyber deception technology. Like honeypots, deception technology is designed to confuse, misdirect, and delay attackers, but beyond that, the technologies are quite different.
Unlike honeypots, deception technology uses high-interaction engagement servers to lure, engage, and analyze attacks. Some deception providers have even developed advanced deception techniques that can hide data from attackers and misdirect their attack traffic to decoys.
Deception technology has proven its utility by addressing the initial limitations of honeypots and by adding a second line of defense should attackers bypass existing security solutions. As such, it continues to become mainstream in IT security infrastructure. The benefits of deception technology include minimizing damage to a network, as well as the ability to observe and study the real-world tools used by threat actors.
However, deception technology must also be sophisticated enough to convince threat actors of its legitimacy by creating an environment that’s virtually indistinguishable from an organization’s true environment. Deception technology that uses machine learning (ML) and artificial intelligence (AI) can help organizations adjust their environment dynamically as the attack on decoy assets occurs, which can free IT teams from continuously creating specialized, standalone deception campaigns (i.e., honeypots).
Additionally, cybersecurity deception technology can be layered with additional tools that help IT teams identify threat actors. For example, a database of fake credentials may contain tracking information embedded in the files, which, when opened, can trigger an alert to the organization or to law enforcement officials.
Sink-hole servers may also be used for traffic redirection by tricking bots and malware into reporting straight to law enforcement, rather than to their owner, the threat actor.
SentinelOne’s Deception Technology
A recognized industry leader in deception technology solutions, SentinelOne’s threat deception platform, Singularity Hologram, received top honors at the inaugural MITRE ATT&CK Deception Evaluation for its ability to protect against an emulated threat group.
Singularity Hologram is a complex deception technology that can fully deploy decoy operating and network management systems to lure potential attackers and insiders, resulting in telemetry that supports investigations and contributes to adversary intelligence.
Using deception and misdirection while tracking the attacker’s activity and preventing lateral movement within the network, Singularity Hologram helps organizations gain actionable information about TTPs and reduces the time to detect, analyze, and stop attacks.
With Singularity Hologram, organizations can:
- Identify active compromise: Catch adversaries and insiders lurking anywhere in the network as they move laterally, interacting with decoy assets and lures.
- Visualize and strengthen: Quickly visualize attacks on the network, watch how they play out over time, and apply what they learn to strengthen defenses.
- Cast a wide net: Attract adversaries performing reconnaissance with mimicked production OSes, apps, data, ICSes, IoT, cloud functions, and more.
Singularity Hologram operates in on-premise networks, in the cloud, and at remote sites to detect lateral attack activity that can evade detection from other security controls. Together, Hologram and Singularity XDR can strengthen overall security programs by surfacing broader environment vulnerabilities that need attention.