
What is a honeypot? How can it lure cyber attackers?

  • By Elite CIO
  • Date Apr 11, 2019

If you’ve ever wondered how the good guys on the internet go after the bad guys, one way is something called a honeypot. You see, in addition to the security measures you might expect, such as strengthening a computer network to keep cyber criminals out, the good guys use a honeypot to do just the opposite — attract the bad guys.

A honeypot is a computer or computer system intended to mimic likely targets of cyber attacks. It can be used to detect attacks or deflect them from a legitimate target. It can also be used to gain information about how cyber criminals operate.

You may not have heard of them before, but honeypots have been around for decades. The principle behind them is simple: Don’t go looking for attackers. Prepare something that would attract their interest — the honeypot — and then wait for the attackers to show up.

Like mice to cheese-baited mousetraps, cyber criminals are attracted to honeypots, but not because they know they’re honeypots. The bad guys think the honeypot is a legitimate target, something worthy of their time. That’s because the bait includes applications and data that simulate a real computer system.

Types of honeypots

 •     A pure honeypot is a physical server configured in such a way as to lure in attackers. Special monitoring software keeps an eye on the connection between the honeypot and the rest of the network. Because these are full-fledged machines, they make for a more realistic-looking target to attackers, but there is a risk that attackers could turn the tables on the honeypot's creators and use the honeypot as a staging server for attacks. They're also labor-intensive to configure and manage.

 •     A high-interaction honeypot uses virtual machines to keep potentially compromised systems isolated. Multiple virtual honeypots can be run on a single physical device. This makes it easier to scale up to multiple honeypots and to sandbox compromised systems and then shut them down and restart them, restored to a pristine state. However, each VM is still a full-fledged server, with all the attendant configuration costs.

 •     A low-interaction honeypot is a VM that only runs a limited set of services representing the most common attack vectors, or the attack vectors that the team building the honeypot is most interested in. This type of honeypot is easier to build and maintain and consumes fewer resources, but is more likely to look "fake" to an attacker.

Examples of honeypots and their benefits

In 2015, Symantec set up a honeypot to attract attacks on so-called Internet of Things (IoT) devices. These are internet-connected items, such as home routers, digital video recorders, and cameras. Symantec’s IoT honeypot worked. As reported in the company’s 2017 Internet Security Threat Report, attacks on the honeypot almost doubled from January to December 2016.

What can experts learn from honeypot data? Well, in the case of Symantec’s IoT honeypot, researchers were able to determine a lot of things, including these:

 •     Countries from which attacks originated. China, the U.S., Russia, Germany, and Vietnam made up the top five. (These metrics measured the countries in which the IP address of the attacking device was based, but do not necessarily mean the attackers themselves operated from these countries.)

 •     Passwords attempted — “admin” was No. 1, and “123456” wasn’t far behind.

 •     The need for baseline security standards on IoT devices — to make them less vulnerable to attack.
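
An added example, not from the original article or from Symantec: a minimal low-interaction honeypot in Python, of the kind described under "Types of honeypots". It emulates only a plain-text login prompt, records each attempted username and password with the source address, always refuses the login, and tallies the most-tried passwords. The names FakeLogin, start_honeypot and top_passwords and the sample credentials are constructed for illustration.

```python
import socket
import socketserver
import threading
from collections import Counter
from datetime import datetime, timezone

EVENTS = []       # in-memory log (list.append is atomic in CPython); ship off-host in real use
MAX_LINE = 256    # cap each answer so a client cannot exhaust memory

class FakeLogin(socketserver.StreamRequestHandler):
    """Emulates only a login prompt: no shell, no real authentication."""
    timeout = 10  # seconds before an idle connection is dropped

    def ask(self, prompt):
        self.wfile.write(prompt)
        return self.rfile.readline(MAX_LINE).decode("latin-1").strip()

    def handle(self):
        try:
            user, password = self.ask(b"login: "), self.ask(b"Password: ")
            EVENTS.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "src_ip": self.client_address[0],
                           "username": user, "password": password})
            self.wfile.write(b"\r\nLogin incorrect\r\n")  # every attempt is refused
        except OSError:
            pass  # timeout or reset: nothing more to record

def start_honeypot(host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    server = socketserver.ThreadingTCPServer((host, port), FakeLogin)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def top_passwords(events, n=5):
    return Counter(e["password"] for e in events).most_common(n)

def demo():  # constructed loopback test with made-up credentials
    server = start_honeypot()
    for user, pw in [("root", "admin"), ("admin", "admin"), ("root", "123456")]:
        with socket.create_connection(server.server_address, timeout=5) as s:
            s.sendall(f"{user}\n{pw}\n".encode())
            while s.recv(1024):  # drain until the honeypot closes the connection
                pass
    server.shutdown()
    server.server_close()
    return top_passwords(EVENTS)

if __name__ == "__main__":
    print(demo())
```

The event is recorded before the refusal is sent, so an attempt is still logged if the client disconnects early.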

Another honeypot example? In 2015, internet security experts set up an online railway control system as honeypot bait. The goal was to study how criminals would attack projects where they could put the public at risk. In this case, the only damage done was to a model train set at a German technology conference. Over two weeks, the so-called “HoneyTrain” suffered 2.7 million attacks.

What could be at stake?

Stealing personal information from online targets is one thing. Targeting public transportation systems is another. Beyond the IoT devices and the HoneyTrain, researchers have used honeypots to expose vulnerabilities with medical devices, gas stations, industrial control systems used for such things as electrical power grids, and more.

Given all the attention that the bad guys get for their hacking and data breach efforts, it’s good to know that the good guys have a few tricks up their sleeves to help protect against cyber attacks.

As more and more devices and systems become internet-connected, the importance of battling back against those who use the internet as a weapon will only increase. Honeypots can help.

 

Author: Atul Bansal, Gateway Rail