Honeypots are networks or devices designed to look like they are legitimate systems that one would expect to come across. They look and feel just like a valid piece of equipment someone in your organization uses every day. But these devices are actually hacker bait.
Set up a honeypot, and you'll lure hackers into a research environment. You'll watch everything an attacker does, and those insights can help you build an even stronger system for your company.
What Is a Honeypot? A Formal Definition
A honeypot is either a computer or a computer system used to detect or study attacks from hackers. It functions just like a valid piece of equipment. But it's not tied to deeper and sensitive structures within your organization. Any information entered into the honeypot is contained, and all the data is gathered for research purposes.
You can't use a honeypot to block undesired traffic or activity, and no legitimate work should happen on that device. Instead, you'll use it solely to understand how an attack on your system might progress.
Imagine you're asked to defend Utah's state computer systems, which endure as many as 300 million hacking attempts per day. The more you know about the people trying to steal data, the better you can do your job.
You could, in theory, wait for a hacker to tap into a legitimate part of your system. You could watch that person carefully, and you could hope that you'll contain the damage before it goes too far. When the attack is over, you can patch the holes that allowed the breach.
Or, you could set up an experiment and watch a hacker with virtually no risk.
The very first honeypot study happened in 1991. A hacker stumbled into a server, and the administrators watched him carefully for more than a month. The data gathered was simply priceless, and since then, computer experts all around the world have become intrigued with the idea.
The average hacker spends more than 200 days inside a system before discovery. Even with sophisticated tools and processes, you're likely missing signatures of an attack as they unfold. Set up a honeypot, and you'll learn about threats in real time. That could help you keep the next hacker out altogether.
5 Honeypot Types
Research partners and large organizations use honeypots to study persistent threats within their computing environments. Several different structures are available.
Common honeypot uses include:
- Database decoys. Some attacks pass through your firewalls, as they come in the form of SQL injection. A honeypot is made to capture these attacks, which allows the real resource to stay functional.
- Malware. Traps look like software apps, and they hope to pull down malware attacks that can be studied and replicated.
- Spider. Web pages made for website crawlers study malicious activity.
- Production. Traps seem like part of a valid network, and they're placed as decoys to protect a company's real resources. A hacker trapped inside a honeypot spends so much time there that the administrators can upgrade defenses on the real asset.
- Research. Data is tagged with identifiers, and when hackers steal that information, it's tracked to connect participants.
Some of these honeypots use just a tiny amount of resources, and they collect only basic information. These low-interaction honeypots are easy to set up and quick to deploy.
A high-interaction honeypot is more elaborate, and teams hope to ensnare hackers for longer periods for detailed data collection.
Sometimes, researchers take this idea one step further and connect many honeypots in one system that looks a whole lot like a valid network. Honeynets like this provide a wealth of information, and they're almost impossible to separate from real networks.
Researchers also set up email traps or spam traps that work a bit like a honeypot. A bogus email address is created, and it sits in a spot likely visited by hackers. Any email message to that address likely comes from a spammer, allowing researchers to spot and stop those actors from doing their work. Since email traps don't involve a computer or computer network, they're not true honeypots.
How Do Honeypots Work?
All of the elements you'll need in a standard workstation also appear in a honeypot. The more you can mimic a real, valid environment, the more likely you will trick your hackers.
In a common setup, a honeypot contains:
- A web-enabled device. A computer, tablet, or phone works well.
- Applications. That device must be able to do real work of some sort.
- Data. Valuable pieces of information should either be on the device or accessible by it.
- Monitoring. Anything that happens on this honeypot is evidence of hacking. The device is ringed with alarms and alerts.
A honeypot is typically isolated from the production portion of the network. And it might contain security vulnerabilities attractive to hackers.
Honeypot Network Risks & Benefits
Most honeypots are built and maintained by teams of researchers working at large corporations. But if you're facing a tough threat environment, you might be tempted to build a honeypot yourself.
Common benefits include:
- Exposed vulnerabilities. Are you absolutely sure that your data is secure? A honeypot allows you to test your setup in real time.
- Low investment. Basic honeypots don't need a lot of hardware or software. You could have them working in minutes.
- New understandings. The data you gather could open your eyes to threats you just didn't know existed. For example, researchers set up a phony manufacturing server to see what hackers could do. One intrepid person managed to shut down the production line altogether, and that seemed very surprising.
A few honeypot risks are common too. You might experience:
- Decoys. If a hacker manages to discover that you have set up a honeypot, that person could deflect your attention from a real threat happening on your valid servers.
- Deeper attacks. Mimic your setup too carefully, and a hacker could practice on your honeypot to launch an attack on your valid servers later.
- Wasted resources. Build an in-depth system, and you could deflect time from your real work.
If you decide that a honeypot isn't right for you, consider pentesting. You'll take your system through a series of elaborate challenges, and you'll discover how well you perform during an attack. Find out more about this approach in our blog post.
NSA Data Center Experiencing 300 Million Hacking Attempts Per Day. The Council of Insurance Agents and Brokers.
An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied. AT&T Bell Laboratories.
Hackers Spend 200+ Days Inside Systems Before Discovery. (February 2015). Infosecurity.
Elaborate Honeypot 'Factory' Network Hit With Ransomware, RAT, and Cryptojacking. (January 2020). Dark Reading.