Honeypots, as the literal term suggests, are systems set up to lure an attacker into committing an offence in a controlled environment. Honeypots are an important part of the security infrastructure of organizations throughout the software industry. They are often set up as the entry point to other systems.
Honeypots have different use cases depending on where they are used. One use case is early threat detection. A system that is vulnerable to attack or suspected to be compromised can be set up as a honeypot to identify the attacker by gathering information about them. In a large network, honeypots can be set up on some unsecured endpoints, turning those endpoints into easy targets for attackers. Any attackers that take the bait can then be caught before they are able to compromise the actual network. Such honeypots can also be used to assess whether the actual system needs any further protective measures.
Honeypots are an important security measure, especially in the high-value industries like e-commerce. Starting out a new e-commerce business is in itself a rigorous task, and it is made even more complex by the large number of spam accounts attackers create to exhaust discounts, offers and flash sales. Honeypots in the signup system (activated when a certain threshold is crossed in a specified time) are often used to catch offenders before they are able to wreak major havoc.
Another use case of honeypots is to identify targets of interest for security enforcement agencies. Networks with a weak authentication system like WEP are left out in the open in areas of interest, and any attempts to break into that system are an indication of a point of interest in the vicinity. This mechanism is applied in events like large gatherings.
Honeypots can be malicious as well. For example, a compromised Wi-Fi network in a cafe can be used to sniff the passwords and credit card details of unsuspecting customers. Fortunately, all major websites today use HTTPS, and browsers are also pushing for HTTPS-only form submission by warning users that their passwords might be compromised over an HTTP connection. Websites can use response headers like HSTS to prevent attacks like SSL stripping and protect their users even on compromised networks.
Based on the type of security response, honeypots fall into two categories: pre-emptive and reactive. Pre-emptive honeypots are set up to catch attackers before any major attack happens. Examples of such honeypots are servers set up with weak password authentication instead of key-pair based authentication. Logs from such honeypots can be used to identify potential attackers, who can then be blocked from accessing the actually important systems or even turned over to law enforcement agencies. Reactive honeypots are used to gather information after the attack has happened.
Network security is a game of cat and mouse. Reactive honeypots are embedded into actual systems. A good example of a reactive honeypot is a canary trap: various copies of a sensitive document each have uniquely identifying information embedded into them, so when a copy of the document leaks, the source of the leak is known. Images can carry an invisible watermark that can be traced back to their origin. This type of honeypot is often used by the entertainment industry: different versions of a video are marked differently, and when the video appears on torrent trackers, the production house learns the source of the leak and can proceed with legal action against the leakers. Invisible dots printed by a printer can also be used to identify the source of a leak of printed documents. Honeytokens are introduced as garbage data in databases to track their leaks afterwards.
Most popular projects already have several honeypot proxies available for them. MongoDB has HoneyProxy, Elasticsearch has Elastichoney, and MySQL has Mysqlpot. Then there are general honeypot frameworks like Glastopf for web applications, and Google Hack Honeypot (GHH) for analysing malicious web traffic. Other than honeypots, network and artefact analysis tools are equally important because they help in understanding the data obtained from honeypots. Several generalized malware analysis frameworks like the Cuckoo sandbox exist, but meaningful analysis often requires trained eyes.
A list of the most popular honeypots for various services, various guides and tutorials, and network/artefact analysis tools can be found in the Awesome Honeypot project. Honeypots have been used for as long as spam and malicious actors have affected the internet, and they will be used in the future as well. The push today is towards automating the data collection and analysis processes.
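The canary-trap and honeytoken idea above, as an added example that is not from the original article: every recipient of a shared data set gets one planted fake record whose e-mail address is derived with an HMAC from a defender-held secret, so that when a dump leaks, the planted address points back to the copy it came from. The secret, the recipient names and the leaked CSV fragment are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed secret; in practice it lives only with the defender, never in the shared data.
SECRET_KEY = b"example-honeytoken-secret"

# Matches e-mail addresses in arbitrary leaked text (CSV, JSON, pasted lines).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def honeytoken_for(recipient: str) -> dict:
    """Derive a plausible-looking but fake customer record unique to one recipient.

    The local part of the e-mail carries an HMAC tag, so a token can be regenerated
    from the secret for matching but cannot be forged or guessed by an outsider.
    """
    tag = hmac.new(SECRET_KEY, recipient.encode(), hashlib.sha256).hexdigest()[:12]
    return {"name": "Dana Whitfield", "email": f"dana.{tag}@example.com"}


def seed_copies(recipients) -> dict:
    """Map each recipient to the honeytoken record planted in that recipient's copy."""
    return {r: honeytoken_for(r) for r in recipients}


def identify_leak_source(leaked_text: str, recipients) -> list:
    """Scan leaked text for any planted address and return the recipients it traces to."""
    lookup = {record["email"]: r for r, record in seed_copies(recipients).items()}
    found = set(EMAIL_RE.findall(leaked_text))
    return sorted(lookup[e] for e in found if e in lookup)


RECIPIENTS = ["vendor-a", "vendor-b", "vendor-c"]

# Constructed sample "leak": a CSV fragment that contains vendor-b's planted record.
LEAKED_DUMP = "\n".join([
    "id,name,email",
    "101,Alice Example,alice@example.org",
    "102,{name},{email}".format(**honeytoken_for("vendor-b")),
    "103,Bob Example,bob@example.org",
])

if __name__ == "__main__":
    print(identify_leak_source(LEAKED_DUMP, RECIPIENTS))  # -> ['vendor-b']
```

The same matching works on any text the token address survives in; if recipients might strip or rewrite e-mail columns, plant a second token of a different shape (a phone number or postal address) the same way.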