Security

Honeypotting Security and Network Considerations

30 August, 2019

The primary purpose of cybersecurity infrastructure is to keep attackers out. Firewalls, antivirus programs, and authentication techniques all help prevent hackers from penetrating your systems. But some IT infrastructure is meant to be broken into. Known as a honeypot, managed services providers (MSPs) and IT administrators occasionally employ decoy sites explicitly designed to attract hackers. The information gathered when hackers are lured in helps understand their motivation and behavior, as well as inform how they might be more effectively repelled in the future.

In this article, we’ll examine honeypot security and how it can be deployed to protect your customers.

What is a honeypot in network security?

If you watch police shows, you’re probably familiar with the idea of a sting operation, where law enforcement officers go undercover and try to entice a suspected criminal to sell them illegal goods or services. If the target takes the bait and agrees to a sale, the police pull out their badges and arrest the perpetrator.

Honeypotting security works using the same principle. In honeypot computing, cybersecurity experts will create a fake system—called a honeypot—to attract malicious hackers. Just like a pot of honey is irresistible to Winnie the Pooh, honeypot technology is meant to entice hackers by being easy to penetrate and appearing to contain desirable information. A honeypot is most successful when it mimics an actual target and has applications and data that appear to be a real system.

Why would system administrators purposefully invite black-hat hackers in? The honeypot technique is valuable for learning about the cybersecurity threats an organization faces and how they work. A well-designed network honeypot can reveal where attackers are coming from, what information they’re interested in stealing, and which techniques they use. Honeypotting can also be used to deflect attacks from actual targets.

Of course, honeypotting is a dangerous game. If your honeypot IT setup is linked to real systems or sensitive data, the results could be disastrous. That’s why it’s essential for a honeypot to be completely separate from an organization’s other infrastructure. Honeypots are often run on virtual machines so they can be easily reset after an attack. The trick is to design a honeypot that’s indistinguishable from a genuine system.

What is a honeypot attack?

An attack occurs when hackers find a honeypot and make their way in. For honeypot network security to be successful, the honeypot must attract attacks. As an example, Symantec created an internet of things (IoT) honeypot architecture in 2015 to draw in hackers of connected consumer devices like routers, cameras, and video recorders. As the attacks poured in, the company discovered a great deal about hackers that target IoT devices. Based on IP addresses, they found that the attacks most commonly originated from China, the United States, Russia, Germany, and Vietnam. They also learned the passwords that hackers tried to use—"admin" and "123456" were the top attempts.

Honeypots come in two main varieties: production and research. A production honeypot is placed within an organization’s production network to learn the identity of potential hackers. Mainly utilized by corporations, production honeypots are relatively simple to deploy but only reveal limited information. Research honeypots, by contrast, are standalone systems designed from the ground up to entice attackers. They are complex to design, but provide more information on black-hat hackers. Used to identify emerging, widespread threats, research honeypots are developed in academia, military organizations, and governments.

What is the difference between a honeypot and a honeynet?

Whereas a honeypot is a single entity, a honeynet is two or more honeypots on the same network. Honeypot networking is typically implemented as part of a larger network intrusion detection system. Honeynets are used on large, complex networks where just one honeypot would not be enough.

An email trap is another form of honeypot cybersecurity. This is an email address expressly designed to attract spam messages. Email traps can reveal where spammers find their targets and identify spam email addresses to be blacklisted and blocked.

Ensure you're always protected from outside attacks by reading through our blog for other common IT threats.