IT Center Blog

Honeypot – How to Lure Cyber Criminals

October 7th, 2022 | by


Sometimes the best defence is a strong offence. When it comes to IT security, the demand for offensive security measures is greater than ever. These often rely on techniques and approaches that criminal hackers actually use to lure users into traps. But attackers themselves can also be tricked into a trap. Honeypots are not only used to attract bears. They can also be used to catch cybercriminals in the act. In this article, we will explain what a honeypot is and how it can be used to increase IT security.

What Is a Honeypot?

In information technology, a honeypot refers to an IT system that is intended to be tracked down and attacked. These systems can contain large amounts of data, which can make them particularly tempting for hackers. However, this data is fake data, not real data. Thus, the system is intentionally prepared in such a way that cyberattacks are possible, and their only purpose is to be hacked.

A honeypot does not perform any other tasks. Specifically, this means that the honeypot has no interaction with other computers or users on the network. As soon as an interaction takes place or data is exchanged with this computer, this indicates an attack. These attacks can then be observed and documented. Valuable information about the attackers’ modus operandi can then be gathered. This information can subsequently be used, for example, to protect productive systems more effectively against threats. If several honeypots are connected to form a network, it is referred to as a honeynet. The formation of such a honeynet can, under certain circumstances, simulate a fully productive network.

How Are Honeypots Set Up?

Basically, there are two ways to set up a honeypot: physically or virtually. A physical honeypot is a standalone computer. This computer has its own address and should be completely isolated from the rest of the network. This means, for example, that configuration work always has to be done directly on that particular machine. This computer is connected to the Internet, but not to the LAN.

In a virtual honeypot, systems and networks are merely simulated by replicating them on virtual machines. Here, too, the honeypot should be completely isolated from the actual network. In this way, potential attackers have no way of accessing the productive system via the diversion system.

Degree of Interaction of a Honeypot

Honeypots can be categorized according to their degree of interaction. A general distinction is made between high- and low-interaction honeypots. Low-interaction honeypots are, for example, programs that emulate one or more services, or that visit websites without using a normal web browser. These programs then attempt to detect attacks on the emulated services or browsers and may subsequently log them. Low interaction means that the attacker has no way to interact with the deception system beyond the emulated surface. Low-interaction honeypots can be used, for example, to determine whether attacks are taking place or to detect automated attacks. However, if the attack is performed manually, attackers may not take long to recognize that the system is a honeypot.

High-interaction honeypots, on the other hand, are fully functional computer systems with real operating systems. After discovering a supposed security vulnerability, hackers can fully interact with the system. Due to the high level of interaction, considerably more data can then be collected about the attackers and their methods. The more realistic the system is meant to appear to cybercriminals, the more extensive the services offered and their interaction options should be. The use of high-interaction honeypots is therefore always associated with a high level of work and effort.

Advantages of Honeypots

Honeypots offer many advantages. They can contribute to the early detection of attacks, for example. These attacks can then be closely monitored and logged in detail. This can provide valuable information about attackers and their modus operandi. This new information can then be used to protect productive systems from similar attacks at an early stage. Honeypots can also work together with other systems, such as firewalls and intrusion detection systems (IDS): specific attack patterns and suspicious IP addresses observed on the honeypot can be passed on to them, so that these IP addresses and attack patterns can be blocked in the productive system.

Attacks on honeypots can be detected without much effort, as it is an environment where no legitimate traffic takes place. When interaction with a honeypot occurs, an ongoing attack may be assumed. False alarms usually do not get triggered in the process. The resource requirements for deploying a honeypot are also relatively low because these systems are not productive. Discarded servers and obsolete computers are therefore often used for this purpose.
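As an added illustration (not the IT Center's code and not the Blast-o-Mat), the following Python applies the rule stated above, that any interaction with a low-interaction honeypot is an attack, to a constructed honeypot log, separates automated scans from single probes, and renders the attacking addresses as firewall blocklist entries. The log format, the allowlist of monitoring hosts, the thresholds for "automated" and the nftables set name are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log of a low-interaction honeypot emulating SSH and HTTP
# (assumed format: ISO timestamp followed by key=value fields).
SAMPLE_LOG = """\
2022-10-07T10:15:03Z src=203.0.113.45 dst_port=22 service=ssh event=connect
2022-10-07T10:15:04Z src=203.0.113.45 dst_port=22 service=ssh event=auth user=root
2022-10-07T10:15:04Z src=203.0.113.45 dst_port=80 service=http event=request path=/
2022-10-07T10:15:05Z src=203.0.113.45 dst_port=8080 service=http event=request path=/
2022-10-07T10:20:00Z src=10.0.5.9 dst_port=22 service=ssh event=connect
2022-10-07T11:02:41Z src=198.51.100.7 dst_port=80 service=http event=request path=/admin
"""

# Assumed: the IT team's own scanner is the only legitimate source of traffic
# to the honeypot; any other interaction is, by definition, an attack.
MONITORING_ALLOWLIST = [ip_network("10.0.5.0/24")]

def parse_line(line):
    """Parse one honeypot log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event

def is_allowlisted(src):
    """True if the source address belongs to a known monitoring network."""
    return any(ip_address(src) in net for net in MONITORING_ALLOWLIST)

def summarize(log_text, auto_ports=3, auto_window_s=60):
    """Group interactions per attacking source; a source touching >= auto_ports
    distinct ports within auto_window_s seconds is flagged as an automated scan."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not is_allowlisted(ev["src"]):   # no false alarm for our own scanner
            by_src[ev["src"]].append(ev)
    summary = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        ports = sorted({e["dst_port"] for e in events}, key=int)
        automated = len(ports) >= auto_ports and span <= auto_window_s
        summary[src] = {"events": len(events), "ports": ports, "automated": automated}
    return summary

def block_rules(summary):
    """One nftables set-element command per attacker (set name/syntax assumed)."""
    return [f"add element inet filter honeypot_block {{ {src} }}" for src in sorted(summary)]
```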

Disadvantages of Honeypots

However, the use of honeypots does not only have advantages. There may even be some risks involved. Honeypots are designed to be attacked. They therefore attract attention. If there is a connection between the honeypot and the productive system, hackers can use the diversion system to initiate further attacks on the productive system after a successful intrusion into a honeypot. In this case, the honeypot would have merely attracted attention and even encouraged an attack.

In addition, it must always be emphasized that honeypots do not fulfil the role of an early warning system. The absence of attacks on a honeypot does not mean that there are no attacks on the productive system. The productive system should therefore be permanently examined and monitored for vulnerabilities, for example with the help of an IDS. The Internet holds countless potential attack targets for cybercriminals. The probability that a honeypot gets lost in this mass is also extremely high. Therefore, companies should never be lulled into a false sense of security when using honeypots.

The IT Center Honeynet

Honeypots are also used as a security measure at RWTH Aachen University. The IT Center operates its own honeynet, which is used to analyze current threats and detect automatically spreading malware. Using these honeypots, distributed across several virtual machines, a great deal of valuable information about attackers, their methods, tools and motivations has already been collected. In addition, low-interaction honeypots are also used to identify infected computers in the RWTH Aachen University network and are an integral part of the intrusion detection system developed at the IT Center, the Blast-o-Mat.

The use of honeypots is no guarantee that a productive system will not also be attacked. While honeypots attempt to attract attention and draw attacks to themselves, they are more likely to be used to gain knowledge about attackers and their methods. Honeypots are one of many security measures that can be taken to improve IT security. They are particularly useful in conjunction with other systems such as firewalls and IDS.


Responsible for the content of this article is Stéphanie Bauens.
