Have you ever wondered how a hacker breaks into a live system? Would you like to keep any potential attacker occupied so you can gather information about him without the use of a production system? Would you like to immediately detect when an attacker attempts to log into your system or retrieve data?
One way to see and do those things is to deploy a honeypot. It’s a system on your network that acts as a decoy and lures potential hackers like bears get lured to honey. Honeypots do not contain any live data or information, but they can contain false information. Also, a honeypot should prevent the intruder from accessing protected areas of your network.
A properly configured honeypot should have many of the same features of your production system. This would include graphical interfaces, login warning messages, data fields, etc. An intruder shouldn’t be able to detect that he is on a honeypot system and that his actions are being monitored.
Benefits of a honeypot system
Many organization wonder why they should spend money and time setting up a system that will attract hackers. With all the many benefits of a honeypot, however, the real question should be why you have not already set one up.
A honeypot’s most significant value is based on the information that it obtains and can immediately alert on. Data that enters and leaves a honeypot allows security staff to gather information that is not available from an intrusion detection system (IDS). An attacker’s keystrokes can be logged during a session, even if encryption was used to establish it. Also, any attempts to access the system can trigger immediate alerts.
An IDS requires published signatures to detect an attack, but it will often fail to detect a compromise that is not known at the time. Honeypots, on the other hand, can detect vulnerabilities based off the attacker’s behavior that the security community may not be aware of. These are often called zero-day exploits.
The data collected by honeypots can be leveraged to enhance other security technologies. You can correlate logs generated from a honeypot with other system logs, IDS alerts and firewall logs. This can produce a comprehensive picture of suspicious activity within an organization and enable more relevant alerts to be configured that can produce fewer false positives.
Another benefit of a honeypot is that once attackers enter the system, it can frustrate them and cause them to stop attacking the organization’s network. The more time spent in the honeypot means less time spent on your production system.
Design and operation of a honeypot
There are variety of operating systems and services a honeypot can use. A high-interaction honeypot can provide a complete production-type system that the attacker can interact with.
On the other end is a low-interaction honeypot that simulates specific functions of a production system. These are more limited, but they’re useful for obtaining information at a higher level. In my experience, the high-interaction honeypot is the most beneficial because it can completely simulate the production environment. However, it requires the most time to deploy and configure.
It is critical to have proper alerting configured for your honeypot. You should have logs for all devices in the honeypot sent to a centralized logging server, and security staff should be paged whenever an attacker enters the environment. This will enable staff to track the attacker and closely monitor the production environment to make sure it is secure.
It is important your honeypot system is attractive to a potential attacker. It should not be as secure as your production system. It should have ports that respond to port scans, have user accounts and various system files. Passwords to fake accounts should be weak, and certain vulnerable ports should be left open. This will encourage the attacker to go into the honeypot environment versus the live production environment.
Attackers typically attack the less secure environment before going to one that has stronger defenses. This allows security staff to learn how hackers bypass the standard controls, and afterwards they can make any required adjustments.
You can deploy a physical or virtual honeypot. In most cases, it is best to deploy a virtual honeypot because it is more scalable and easier to maintain. You can have thousands of honeypots on just one physical machine, plus virtual honeypots are usually less expensive to deploy and more easily accessible.
Honeypot on internal network protects against insider threats
Honeypots can also protect an organization from insider threats. According to the 2016 Cyber Security Intelligence Survey, IBM found that 60% of all attacks were carried by insiders. A honeypot should be deployed within your internal network and only a minimal number of employees should know the system exists. Internal deployment is preferred over external due to the larger number of attacks carried by insiders and the fact that many hackers prefer to establish command-and-control servers for communication to compromised servers on the internal network.
Honeyd is an open-source tool used for creating honeypots. It is a daemon that can be used to create many virtual hosts. You can configure each host differently and run a variety of services on them. They can be configured to run on different operating systems. You can set up real HTTP servers, FTP servers and run Linux applications on it. It is also enables you to simulate various network topologies.
Honeypots have been used mostly by researchers to study the tactics and techniques of attackers. But as I explained earlier, they can be very useful to defenders as well. It is time for more organizations to consider using them as a proactive way to protect their network.
The benefits of deploying them far outweigh the costs for organizations that manage a significant amount of sensitive data.