CDC Cyber Defence Center Detect Honeypots
In computer terminology, a honeypot is a computer security mechanism set to
detect, deflect, or, in some manner, counteract attempts at unauthorized use of
information systems. Generally, a honeypot consists of data (for example, in a
network site) that appears to be a legitimate part of the site, but is actually
isolated and monitored, and that seems to contain information or a resource of
value to attackers, who are then blocked. This is similar to police sting
operations, colloquially known as "baiting" a suspect.
Figure: Diagram of an information system honeypot
Types
Honeypots can be classified based on
their deployment (use/action) and based on their level of involvement. Based on
deployment, honeypots may be classified as
production honeypots
research honeypots
Production honeypots are easy to
use, capture only limited information, and are used primarily by corporations.
Production honeypots are placed inside the production network with other
production servers by an organization to improve their overall state of
security. Normally, production honeypots are low-interaction honeypots, which
are easier to deploy. They give less information about the attacks or attackers
than research honeypots.
Research honeypots are run to gather information about the motives and tactics of the black hat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
Based on design criteria, honeypots can be classified as:
pure honeypots
high-interaction honeypots
low-interaction honeypots
Pure honeypots are full-fledged production systems. The attacker's activity is
monitored by means of a bug tap installed on the honeypot's link to the network;
no other software needs to be installed. Although a pure honeypot is useful, a
more controlled mechanism can better ensure that the defensive monitoring itself
remains stealthy.
High-interaction honeypots imitate the activities of production systems that host a variety of services and, therefore, an attacker may be presented with many services on which to waste their time. By employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly. In general, high-interaction honeypots provide more security by being difficult to detect, but they are expensive to maintain. If virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive. Example: Honeynet.
Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security. Example: Honeyd.
Deception technology
Recently, a new market segment called deception
technology has emerged using basic honeypot technology with the addition of
advanced automation for scale. Deception technology addresses the automated
deployment of honeypot resources over a large commercial enterprise or
government institution.
Malware honeypots
Malware
honeypots are used to detect malware by exploiting the known replication and
attack vectors of malware. Replication vectors such as USB flash drives can
easily be verified for evidence of modifications, either through manual means or
utilizing special-purpose honeypots that emulate drives. Malware increasingly is
used to search for and steal cryptocurrencies.
Spam versions
Spammers abuse vulnerable resources such as open mail relays and
open proxies. These are servers which accept e-mail from anyone on the
Internet—including spammers—and send it to its destination. Some system
administrators have created honeypot programs that masquerade as these abusable
resources to discover spammer activity.
There are several capabilities such honeypots provide to these administrators, and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high volume abuse (e.g., spammers).
These honeypots can reveal the abuser's IP address and provide bulk spam capture (which enables operators to determine spammers' URLs and response mechanisms). As described by M. Edwards at ITPRo Today:
Typically, spammers test a mail server for open relaying by simply sending themselves an email message. If the spammer receives the email message, the mail server obviously allows open relaying. Honeypot operators, however, can use the relay test to thwart spammers. The honeypot catches the relay test email message, returns the test email message, and subsequently blocks all other email messages from that spammer. Spammers continue to use the antispam honeypot for spamming, but the spam is never delivered. Meanwhile, the honeypot operator can notify spammers' ISPs and have their Internet accounts canceled. If honeypot operators detect spammers who use open-proxy servers, they can also notify the proxy server operator to lock down the server to prevent further misuse.
The apparent source may be another abused system. Spammers and other abusers may use a chain of such abused systems to make detection of the original starting point of the abuse traffic difficult.
This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult.
Spam still flows through open relays, but the volume is much smaller than in 2001-02. While most spam originates in the U.S., spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages.
Open relay honeypots include Jackpot, written in Java by Jack Cleaver; smtpot.py, written in Python by Karl A. Krueger; and spamhole, written in C. The Bubblegum Proxypot is an open source honeypot (or "proxypot").
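The relay-test policy described above (echo the spammer's self-addressed test so the relay looks open, then accept but never deliver everything else from that client), as an added example; this is my own illustration, not code from Jackpot, smtpot.py or any other tool named on this page. It assumes a honeypot domain of honeypot.example and that the caller has already parsed the SMTP envelope into (client IP, MAIL FROM, RCPT TO, body).

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "honeypot.example"  # assumed: the only domain the honeypot truly delivers for


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class RelayHoneypot:
    """Open-relay honeypot policy: always answer 250 so the client believes relaying
    works, deliver only the self-addressed relay test, and swallow all other relay mail."""
    delivered: list = field(default_factory=list)   # messages actually forwarded
    captured: list = field(default_factory=list)    # relay spam retained for analysis, never sent
    tested_ips: set = field(default_factory=set)    # clients that already passed a relay test

    def handle(self, client_ip: str, mail_from: str, rcpt_to: str, body: str) -> str:
        if domain_of(rcpt_to) == LOCAL_DOMAIN:
            # Ordinary inbound mail for the honeypot's own domain: nothing to decide.
            self.delivered.append((rcpt_to, body))
            return "250 OK (local)"
        # A relay test is a message the sender addresses to itself via our server.
        is_relay_test = mail_from.lower() == rcpt_to.lower() and client_ip not in self.tested_ips
        if is_relay_test:
            # Return the test so the client concludes the relay is open, then remember
            # the client: every later relay attempt from it is captured, not delivered.
            self.delivered.append((rcpt_to, body))
            self.tested_ips.add(client_ip)
            return "250 OK (relay test echoed)"
        # Accept on the wire but decline to deliver ("thwart" in the page's sense).
        self.captured.append({"ip": client_ip, "from": mail_from, "to": rcpt_to, "body": body})
        return "250 OK (captured)"

    def report(self) -> dict:
        """Per-source-IP counts of captured relay spam, the evidence an operator
        would pass to the abuser's ISP."""
        counts: dict = {}
        for m in self.captured:
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
        return counts


def run_demo() -> dict:
    """Constructed session: one relay test followed by two spam runs from the same client."""
    hp = RelayHoneypot()
    hp.handle("198.51.100.7", "spammer@example.net", "spammer@example.net", "relay test")
    hp.handle("198.51.100.7", "spammer@example.net", "victim@example.org", "buy now")
    hp.handle("198.51.100.7", "spammer@example.net", "other@example.org", "buy now")
    return hp.report()
```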
Email trap
An email address that is not used for any other
purpose than to receive spam can also be considered a spam honeypot. Compared
with the term "spamtrap", the term "honeypot" might be more suitable for systems
and techniques that are used to detect or counterattack probes. With a spamtrap,
spam arrives at its destination "legitimately"—exactly as non-spam email would
arrive.
An amalgam of these techniques is Project Honey Pot, a distributed, open source project that uses honeypot pages installed on websites around the world. These honeypot pages disseminate uniquely tagged spamtrap email addresses and spammers can then be tracked—the corresponding spam mail is subsequently sent to these spamtrap e-mail addresses.
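One way to mint the uniquely tagged spamtrap addresses the paragraph above describes and later map a received spam message back to the harvesting visit, as an added example; this is my own illustration, not Project Honey Pot's code. It assumes a trap domain of trap.example, a per-deployment secret, and that each honeypot page knows its own page id and the visitor's IPv4 address.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
from datetime import date, timedelta

TRAP_DOMAIN = "trap.example"        # assumed trap domain; nothing legitimate is ever sent here
SECRET = b"constructed-demo-key"    # constructed; a real deployment uses a random per-site secret
EPOCH = date(2020, 1, 1)            # day numbers in the tag are counted from here
TAG_BYTES = 6                       # truncated HMAC appended to the payload


def make_trap_address(page_id: int, harvester_ip: str, seen: date, secret: bytes = SECRET) -> str:
    """Mint one address per harvesting visit: page id + harvester IP + day, MAC-protected."""
    payload = struct.pack(">I4sH", page_id, ipaddress.IPv4Address(harvester_ip).packed,
                          (seen - EPOCH).days)
    mac = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_BYTES]
    local = base64.b32encode(payload + mac).decode().rstrip("=").lower()
    return f"{local}@{TRAP_DOMAIN}"


def decode_trap_address(addr: str, secret: bytes = SECRET):
    """Given the recipient of an incoming spam message, recover which page and which
    harvester IP produced the address; None if the address is not a valid tag."""
    local, _, domain = addr.lower().partition("@")
    if domain != TRAP_DOMAIN:
        return None
    raw = local.upper()
    try:
        blob = base64.b32decode(raw + "=" * (-len(raw) % 8))
    except ValueError:
        return None
    if len(blob) != 10 + TAG_BYTES:
        return None
    payload, mac = blob[:10], blob[10:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(mac, expected):   # forged or corrupted tag
        return None
    page_id, ip_bytes, days = struct.unpack(">I4sH", payload)
    return {"page_id": page_id, "harvester_ip": str(ipaddress.IPv4Address(ip_bytes)),
            "harvested_on": (EPOCH + timedelta(days=days)).isoformat()}


def harvesters_from_spam(recipients: list) -> dict:
    """Count received spam per harvester IP, ignoring recipients that are not valid tags."""
    counts: dict = {}
    for rcpt in recipients:
        info = decode_trap_address(rcpt)
        if info:
            counts[info["harvester_ip"]] = counts.get(info["harvester_ip"], 0) + 1
    return counts
```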
Database honeypot
Databases often get attacked by intruders using SQL
injection. As such activities are not recognized by basic firewalls, companies
often use database firewalls for protection. Some of the available SQL database
firewalls provide/support honeypot architectures so that the intruder runs
against a trap database while the web application remains functional.
Detection
Just as honeypots are weapons against spammers, honeypot detection
systems are spammer-employed counter-weapons. As detection systems would likely
use unique characteristics of specific honeypots to identify them, many
honeypots in-use utilise a set of unique characteristics larger and more
daunting to those seeking to detect and thereby identify them. This is an
unusual circumstance in software; a situation in which "versionitis" (a large
number of versions of the same software, all differing slightly from each other)
can be beneficial. There's also an advantage in having some easy-to-detect
honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, argues
that every system running his honeypot should have a deception port which
adversaries can use to detect the honeypot. Cohen believes that this might deter
adversaries.
Honey nets
"A 'honey net' is a
network of high interaction honeypots that simulates a production network and
configured such that all activity is monitored, recorded and in a degree,
discreetly regulated."
- Lance Spitzner, Honeynet Project
Two or more
honeypots on a network form a honey net. Typically, a honey net is used for
monitoring a larger and/or more diverse network in which one honeypot may not be
sufficient. Honey nets and honeypots are usually implemented as parts of larger
network intrusion detection systems. A honey farm is a centralized collection of
honeypots and analysis tools.
The concept of the honey net first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot".
History
The metaphor of a bear being attracted to and stealing honey is common in many
traditions, including Germanic, Celtic, and Slavic. A common Slavic word for the
bear is medved, "honey eater". The tradition of bears stealing honey has been
passed down through stories and folklore, especially the well-known Winnie the
Pooh. The Brazilian folk tale "Boneca de pixe" tells of a thieving monkey being
trapped by a puppet made of pitch.
The earliest honeypot techniques are described in Clifford Stoll's 1989 book The Cuckoo's Egg.
In 2017, Dutch police used honeypot techniques to track down users of the darknet market Hansa.