In this fast-moving and highly competitive digital era, every single day is a new opportunity to invent and investigate new things. In technology alone, according to one survey, millions of new ideas are being registered to change and reshape the digital world. The honeypot is one such technology, designed to help secure your networks.
This post explains what a honeypot is and what the different types of honeypots are, and guides you to quickly set up a honeypot in your local environment.
Denial-of-Service attacks are still a big threat to any organization. Have you ever faced a breach, with a hacker attempting to break into your system? Have you ever tried to hack the hacker back, or had a chance to analyse how the intruder broke into your network? A successful attack can compromise a system, which may then be used to attack other systems within the network. If you are looking for a solution, the honeypot is a proposed defence against Distributed Denial-of-Service (DDoS) attacks and any kind of brute forcing or unauthorized intrusion activity: it has features that make it especially attractive to attackers and can lure them into its vicinity.
What is a Honeypot?
A honeypot is a purpose-built system that is expressly implemented to attract and trick users who penetrate systems over the network. It is more like a decoy which is intentionally made accessible to hackers, so that all their efforts are misdirected towards attacking the honeypot rather than a system where they could cause serious trouble. Implementing a honeypot seems harmful to a few organizations, because a honeypot does not solve problems; instead it lets any skilled hacker play with it, which could create an additional risk and put the whole organization in danger. Keeping this in mind, a honeypot should not be the only solution; it should be an additional layer of security used alongside a firewall, an IPS or an IDS. Properly placed honeypots can prevent attacks, detect unauthorized activity and gather information about the hackers.
Types of Honeypots
Conceptually, all honeypots work the same way, but they are categorized into a few types based on their purpose and on the level of interaction with intruders.
Production Honeypots: A production honeypot is one used within an organization to mitigate risk by misleading attackers.
Research Honeypots: A research honeypot is used to retrieve information about the hacker in order to trace the hacker back, or to analyse the strategy and techniques applied by the intruder.
Based on the level of interaction with attackers, they are sub-categorized into Low, Medium and High interaction honeypots. Here, interaction means the simulation of resources that can be accessed by an intruder.
Low-Interaction Honeypots: These honeypots simulate services such as TELNET, FTP, messaging, etc. A low-interaction honeypot is both easy to deploy and maintain.
The main objective of a low-interaction honeypot is only to detect, for example unauthorized probes or login attempts. A good example of a low-interaction honeypot is "Honeyd", which will be covered in the next article.
Advantages:
- Easy to install, configure, deploy and maintain
- Logging and analyzing are quite simple
Disadvantages:
- Can be detected by an attacker
- No superpowers - Not many features.
- May capture only known attacks
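To make the low-interaction idea concrete, here is a minimal fake telnet-style login decoy written for this post as an added example; it is not code from the original article nor from Honeyd. It presents a banner, asks for a username and password, never grants access, and logs every attempt as one JSON line so that probes and brute-force attempts show up in the log; the summary function shows how simple the analysis can be. The banner text, the function names (LoginDialogue, replay, summarize, serve) and the sample client input are all constructed for this illustration.

```python
"""Minimal low-interaction honeypot: a fake telnet-style login prompt.

Added illustration, not code from the original post or from Honeyd.
BANNER, the function names and the sample input are constructed.
"""
import json
import socket
import threading
import time
from collections import Counter

BANNER = b"\r\nUbuntu 18.04.6 LTS\r\n\r\nlogin: "   # constructed decoy banner
MAX_ATTEMPTS = 3                                   # close after this many failures
LOG_PATH = "honeypot.jsonl"                        # one JSON record per line


class LoginDialogue:
    """State machine for one fake login session with a single peer."""

    def __init__(self, peer_ip, now=time.time):
        self.peer_ip = peer_ip
        self.now = now
        self.username = None      # set after the first line of a credential pair
        self.failures = 0
        self.closed = False

    def feed(self, raw):
        """Consume one client line; return (reply bytes, log record or None).

        Deliberately no code path grants access: every password is
        answered with "Login incorrect", which keeps this a decoy only.
        """
        text = raw.strip(b"\r\n").decode("utf-8", "replace")[:64]
        if self.username is None:
            self.username = text
            return b"Password: ", None
        self.failures += 1
        record = {
            "ts": round(self.now(), 3),
            "src": self.peer_ip,
            "event": "login_attempt",
            "username": self.username,
            "password": text,
            "attempt": self.failures,
        }
        self.username = None
        if self.failures >= MAX_ATTEMPTS:
            self.closed = True
            return b"\r\nLogin incorrect\r\nConnection closed.\r\n", record
        return b"\r\nLogin incorrect\r\n\r\nlogin: ", record


def replay(peer_ip, client_lines, now=lambda: 0.0):
    """Run a dialogue over pre-captured lines; returns the log records."""
    dialogue, events = LoginDialogue(peer_ip, now), []
    for raw in client_lines:
        if dialogue.closed:
            break
        _, record = dialogue.feed(raw)
        if record:
            events.append(record)
    return events


def summarize(events):
    """Which sources probe most often, and which usernames they try."""
    return {
        "attempts": len(events),
        "sources": Counter(e["src"] for e in events).most_common(5),
        "usernames": Counter(e["username"] for e in events).most_common(5),
    }


def handle_client(conn, addr, log_path=LOG_PATH):
    """One thread per connection: drive the dialogue over a real socket."""
    dialogue = LoginDialogue(addr[0])
    with conn, conn.makefile("rb") as lines, open(log_path, "a") as log:
        conn.sendall(BANNER)
        for raw in lines:
            reply, record = dialogue.feed(raw)
            if record:
                log.write(json.dumps(record) + "\n")
                log.flush()
            conn.sendall(reply)
            if dialogue.closed:
                break


def serve(host="0.0.0.0", port=2323):
    """Listen on an unprivileged port (redirect 23 to it with a firewall rule)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    # Constructed sample input: one peer cycling through default credentials.
    sample = [b"root\r\n", b"toor\r\n", b"admin\r\n", b"admin\r\n", b"pi\r\n", b"raspberry\r\n"]
    print(json.dumps(summarize(replay("203.0.113.5", sample)), indent=2))
```

Run it with `serve()` on an isolated lab host to listen for real connections, or with `replay()` to exercise the same dialogue against captured input; the socket handler and the replay helper share one state machine, so the detection logic you test offline is the logic that runs on the wire. Because the dialogue can never authenticate, the decoy exposes nothing to an intruder beyond its banner, which is also why, as the disadvantages above note, a careful attacker may recognise it.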
High-Interaction Honeypots: These honeypots are time-consuming to design and maintain. The purpose of a high-interaction honeypot is to give the attacker access to a real operating system where nothing is emulated. Using this honeypot we can take control as soon as the attacker falls into our trap. A 'Honeynet' is a good example in this case.
Advantages:
- Quite a challenge for an attacker to detect
- Can capture real attacks for further analysis
- Intelligent enough to prevent attacks
- You can know your enemy
Disadvantages:
- Building and maintaining it is very tedious
- May compromise the actual network if this honeypot is not properly built and placed
What is a Honeynet?
A honeynet is nothing but multiple sets of honeypots deployed in the network to prevent attacks and collect data. When an intruder devises new techniques to detect and circumvent one of the honeypots, their attention will be drawn to the other honeypots located in different places. Though it depends on a cost-benefit analysis, having a honeynet is always good for defending against attacks. Kippo, Honeyd, etc. are examples of honeypots that can be studied further.
You can always give these honeypots a try by setting them up in a local virtual machine or in the cloud. Another honeypot worth mentioning is Nepenthes, which emulates known vulnerabilities and captures the attack on any attempt.
Summary: Main Benefits of Honeypots
Risk Mitigation:
- A honeypot deployed in a production environment may lure an attacker away.
Attack strategies:
- Find out why and how you are attacked
- Can gather intelligence on the types of payloads being used
Identification and classification:
- Figuring out who is attacking you
Evidence:
Once the attacker is identified, all the data captured may be used as evidence, which can be really important for legal proceedings.
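Captured data is only useful as evidence if you can show it was not altered after the fact. The following tamper-evident store is an added example written for this post, not part of the original article: each record is appended together with a SHA-256 over the previous entry's hash and the record's canonical JSON, so any later edit, deletion or reordering breaks the chain when it is verified. The function names (append_record, verify_chain, save_chain, load_chain) and the sample records are constructed for this illustration.

```python
"""Tamper-evident storage for captured honeypot records.

Added illustration, not code from the original post.  Function names and
the sample records in __main__ are constructed for this example.
"""
import hashlib
import json

GENESIS = "0" * 64   # anchor hash for the first entry


def _canonical(record):
    """Stable byte encoding: key order and spacing must not affect the hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash, record):
    """Hash links each entry to its predecessor, forming the chain."""
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


def append_record(chain, record):
    """Append a captured record to the chain (a list of entries); returns its hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = _entry_hash(prev, record)
    chain.append({"prev": prev, "record": record, "hash": digest})
    return digest


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def save_chain(chain, path):
    """Persist as JSON lines; each line carries its own prev/hash links."""
    with open(path, "w") as f:
        for entry in chain:
            f.write(json.dumps(entry, sort_keys=True) + "\n")


def load_chain(path):
    """Read the chain back; call verify_chain on the result before trusting it."""
    with open(path) as f:
        return [json.loads(line) for line in f if line.strip()]


if __name__ == "__main__":
    chain = []
    for rec in [  # constructed sample records
        {"ts": 1700000000.0, "src": "203.0.113.5", "event": "login_attempt", "username": "root"},
        {"ts": 1700000001.5, "src": "203.0.113.5", "event": "login_attempt", "username": "admin"},
    ]:
        append_record(chain, rec)
    print(verify_chain(chain))              # (True, None)
    chain[0]["record"]["src"] = "10.0.0.1"  # simulate tampering with stored evidence
    print(verify_chain(chain))              # (False, 0)
```

The chain proves that stored records were not changed after they were written, but not that the honeypot host itself was honest when writing them; ship the latest hash (or the whole file) to a separate log collector as records arrive, so an intruder who later gains control of the honeypot cannot quietly rewrite history.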
Caveats to be considered:
- Deploying a honeypot could create an additional risk and eventually put the entire organization in danger if proper measures are not taken.
- Honeyfarm setup is a time-consuming task.
- Honeypots add complexity to your network, which makes it even harder to secure.
- There are ways to bypass honeypot protection.
- If an attacker can identify the true identity of a honeypot using banner grabbing, he can find existing flaws in the honeypot to bypass the protection.
Reference: https://www.symantec.com/connect/articles/defeating-honeypots-system-issues-part-1
Credit: ACE Team