- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
In this article, you’ll learn what a honeypot is, what honeypots are used for, and the benefits and risks associated with them. You’ll also learn about the different types and examples of honeypots and how they work. By the end of the article, you’ll have a deeper understanding of honeypots in cyber security, and how a secure infrastructure access platform can help you safeguard your network, systems, and apps without using a honeypot.
What Is a Honeypot?
A honeypot is a phony digital asset designed to look like a poorly-guarded, valuable asset. The goal is to trick cyber attackers into targeting the vulnerable honeypot, which deflects attention away from critical assets, alerts companies to when and what type of attack is occurring, and enables them to mitigate the risk before important network security perimeters are compromised.
As a cyber attacker enters the decoy tool—for example, a honeypot security server—and tries to gain access to data and systems, the honeypot then detects and deflects their actions away from the real network. Not only do honeypots enable companies to prevent attacks on critical assets, they’re also able to collect valuable data from real attacks to help them improve their security posture for future attacks.
In pure research settings or government sting operations, organizations use honeypot espionage to gain a deep understanding of cyber-attack techniques and even thwart large-scale criminal operations.
What is a honeynet?
A honeynet is a network of honeypots that encompasses multiple systems and behaves as a real network would. Deploying a honeypot network is useful if an organization’s security team wants to study threats to an especially large or complex network or if they want to gather deeper, more nuanced data about the attacker.
History of Honeypots
The original metaphor of a bear attracted to a pot of honey is illustrated in the well-known Winnie the Pooh children’s stories. The cybersecurity industry evolved the honeypot concept as a means to lure, trap, and observe cybercriminals. Honeypot schemes have been in use as far back as the late 1980s and early 1990s when Lawrence Livermore National Laboratories and AT&T Bell Labs, respectively, used early versions of the honeypot security concept to chase down hackers who had infiltrated their systems.
Over time, honeypot espionage became more prevalent. It’s now key in trapping hackers and helping cybersecurity professionals gain extensive knowledge about various kinds of cyber attacks so they can develop systems and techniques to counter them.
Purpose of Honeypots
The purpose of honeypot cyber security—or honeypot network security—is ultimately to keep intruders away from the real network. Once an intruder is detected and isolated in the honeypot, security teams can gather intelligence about their tactics and how they move around inside the decoy system or network. Cyber professionals and security teams can learn how certain attacks work and even how to trace attacks back to the source.
The information gleaned from the honeypot data collection process is valuable for identifying system gaps and vulnerabilities so teams know where and how to improve security protocols. Honeypot security tools are also useful for detecting ransomware and malware.
72% of companies already use or plan to use honeypots or other deception technologies.
What types of companies use honeypots?
Outside of the cybersecurity space, there are companies in many industries that utilize honeypot network security systems, especially those that deal with huge volumes of highly sensitive information every day. They include healthcare, financial services, government, and retail organizations.
Benefits of Honeypots
Honeypots are instrumental in preventing future attacks. Since the tools uncover where actual threats exist, they show organizations where to focus their security efforts and resources.
Additional benefits of honeypots in network security include:
- Reduction of false positives: Because threat detection tools alert security teams to every threat, the teams often end up with many false positives that require time and resources to investigate. A honeypot is designed so that only bad actors are accessing it—so alerts that come from a honeypot are real threats. This helps teams know when and where to prioritize their efforts.
- Reliable data: Instead of dealing with hypothetical situations or relying on data from other organizations, honeypot hacking gives security teams access to data that comes from a real attack on the honeypot, information that enriches and enhances their efforts when analyzing security.
- Gets around encryption: As attackers become more sophisticated, they introduce techniques to hide what they’re doing, such as encrypting their activities to impair security teams’ ability to monitor network traffic. A honeypot is able to capture attackers’ activity whether they’re using encryption or not.
- Fewer resources: Maintaining threat detection tools is resource-heavy work, especially if network speed and data volume continually increase. In contrast, a simple or low-interaction honeypot takes fewer resources and can sometimes run off a single computer.
Risks of Honeypots
Though it’s tempting to rely on a honeypot to enhance threat detection and mitigation, there are still reasons to be cautious when deploying one. This is for two primary reasons:
- They’re not foolproof: Though a good honeypot security project will succeed in tricking an attacker, a really accomplished attacker can sometimes identify the honeypot, especially if it’s a little too easy to access or they use a technique like system fingerprinting. If they do identify the honeypot, they can get in and wreak havoc on other systems in the network. They can even co-opt the honeypot itself to launch an attack.
- They’re not omniscient: A honeypot system won’t notice everything that’s happening in the network. Instead, it can only detect threats against itself. If the honeypot doesn’t detect a particular malicious threat, security teams can’t assume it doesn’t exist. They still have to keep up with evolving threats and use other tools to ensure malicious activities in the actual network won’t escape notice.
Types of Honeypots
The primary types of honeypots can be grouped by either their goal, level of technical capabilities, or area of focus. Which type of honeypot an organization uses will depend on its goals, time constraints, and available resources.
Types of honeypots by goal
- Production: The typical honeypot for an organization, a production honeypot is designed to deflect the attacker away from critical assets while also alerting IT teams to an active attack so they can diffuse it and better protect their systems from future attacks. These honeypots are deployed within a network’s security system to some extent but are isolated as much as possible to limit the potential risk of the attacker gaining access to real data.
- Research: Used by government entities and research organizations, this type of honeypot enables deep research into cybercriminal activity. Research honeypots are fully isolated from enterprise systems—typically via laboratory environments—so that researchers can safely study attack techniques in the hope of developing better protection security software or catching cyber criminals.
Types of honeypots by technical capabilities
- Pure: A dedicated system, such as a physical server, that contains fake files and user information. Because a pure honeypot so closely resembles a real system, it’s also the most likely to fool hackers successfully. A honeypot server or any other pure honeypot is a complex system that requires considerable effort to set up and manage.
- High-interaction: A collection of systems that host multiple services and provide multiple avenues for hackers to get deep into them. The point of a high-interaction honeypot is to get hackers to engage with it for a long period of time to collect extensive data about the hackers’ intentions and targets. Similar to pure honeypots, high-interaction honeypots require significant time and resources to monitor and maintain them.
- Low-interaction: A system with limited capabilities that collects basic information about specific threat types—such as bots and malware. Unlike high-interaction honeypots, low-interaction honeypots aren’t designed to engage hackers for lengthy time periods or to gather in-depth information on complex threats. They are also more likely to appear fake to attackers, making them more easily discoverable.
Types of honeypots by area of focus
- Malware: A honeypot built to mimic software apps and APIs that draws malware attacks, producing information useful for studying malware and developing anti-malware tools.
- Database: Built as a decoy database, this honeypot attracts and observes attackers who find and exploit flaws in data-driven applications.
- Spider: A honeypot that creates web pages and links to attract spiders or web crawlers—bots that browse the internet for web indexing purposes—so teams can figure out how to block malicious bots.
- Email: Built as a collection of fake email addresses, this honeypot’s purpose is to receive spam and study spam activity, as well as block attackers from sending phishing emails.
Examples of Honeypots
There are a couple of notable examples of honeypots in cyber security that have made headlines. Publicized honeypots are typically research honeypots that have a high profile due to the success of government entities in using these resources to catch criminals.
Global law enforcement arrests hundreds
Law enforcement agencies around the world used a single honeypot operation that co-opted the Anom encrypted communications service to trick cybercriminals. The agencies were able to observe hundreds of criminal organizations and thousands of criminals who thought they were using a safe, encrypted messaging service.
The honeypot operation enabled police operations across 16 countries, which led to 800 arrests and the seizure of eight tons of cocaine and over $48 million.
Dutch police co-opt a darknet market
In this honeypot example, Dutch law enforcement took over a darknet market called Hansa and used it to secretly monitor criminal purchases of illicit products. The honeypot operation allowed the police to get the specific delivery addresses of several orders and learn more about high-value targets, before eventually shutting down the market.
The honeypot operation produced 10,000 foreign addresses of the market’s buyers that were then shared with law enforcement in those countries.
Production vs. Research Honeypots
Another way to categorize a honeypot in cyber security is whether it’s used in production or for research.
Production honeypots are good for detecting threats and supplementing existing threat protection tools. They help improve the overall protection of an organization’s networks and infrastructure.
Research honeypots are used for educational purposes by collecting information about attackers’ activities that can be studied by experts. A nonprofit organization called the Honeynet Project is a prominent research group that uses the latest in honeypot tools and technologies to study and expand the world’s understanding of cyber threats.
How Does a Honeypot Work
An IT professional sets up a decoy system to look like a real system—such as a database with sensitive financial information—but isolated from actual production data or legitimate network traffic. The honeypot often includes a honeywall—or honeypot firewall—that keeps it separate from the rest of the network and limits the entry and exit points of the attacker. Importantly, the honeypot is deliberately built with security vulnerabilities that are irresistible to attackers.
An attacker notices the vulnerability, then exploits it by hacking into the system. But instead of gaining access to the organization’s live network, the attacker ends up in the honeypot environment. If the honeypot is set up outside the external firewall, it can deflect—and therefore prevent—outside attacks on the internal network.
Once the honeypot attack occurs, the honeypot tracks the attacker’s movements and actions. Security teams then use the data to understand where and how the network should be better secured, and how to prepare for potential new threats.
The top three honeypot attack types are:
• SSH brute force to access a server
• TCP/UDP attacks to hack into services that use these protocols and packets
• Credential stealers to scan devices for passwords and authentication tokens
Honeypot Detection Systems
Attackers who suspect the presence of a honeypot security tool may try to hide their activities with encryption, but the savviest attackers will have detections in place to help them directly detect the honeypot. The “honeypot hacking” term refers to the tools and techniques used by attackers to detect honeypots so they can avoid them and hack into poorly secured systems.
Attackers can use a variety of tools to help them detect honeypots, such as:
- Send-safe Honeypot Hunter
The catch, though, is that these detection tools can also be used by security teams to ensure that before they deploy a honeypot, it doesn’t contain mistakes or giveaways that attackers can find.
Honeypots: Frequently Asked Questions
Is it legal to use a honeypot?
While it’s not illegal to use a honeypot operation, there are legal risks associated with it. One of the biggest is that companies can run afoul of various state and federal regulations if they’re not careful.
For example, tricking hackers into downloading systems that reveal their identity can put organizations at risk of violating anti-hacking laws. Gathering certain types of data about hackers can also violate privacy laws. Companies shouldn’t proceed with a honeypot trap unless they thoroughly understand the risks and ramifications and are careful not to violate any laws.
Is using a honeypot ethical?
The ethics around honeypots are sometimes controversial. One line of thinking is that entrapping someone into committing a crime is considered unethical, so the same logic should be applied to honeypots in cyber security.
On the other hand, because honeypots reveal valuable information about attackers and threats that can improve security techniques, some argue that it’s fine and even advantageous to use them if it means organizations, systems, consumers, and data can be better protected.
Can a honeypot be hacked?
The short answer is yes. Hackers and cybercriminals are constantly upping their game, so it’s often a matter of time before they can discover a new way to exploit a system—including a honeypot. That’s why honeypot security risks have to be considered when configuring and implementing one.
Do hackers use honeypots?
Any organization or entity can use a honeypot, including hackers themselves. Hackers have been known to use honeypot technology on each other as a means of exposing someone’s identity and knocking them out as a competitor.
How StrongDM Keeps You Secure without Honeypots
While there is a variety of open-source honeypot software available on the market, you don’t need to employ honeypot solutions to learn how to better secure your systems. A honeypot is an invitation to attack, and no matter how well the decoy system is disguised, it can still carry some level of risk.
StrongDM’s Infrastructure Access Platform includes security features like pervasive auditing, credential and secret management, identity federation, log management, and data protection that make honeypots unnecessary. The platform is built on the SOC 2 Type 2 security framework and certified by an independent audit firm to further establish trust and credibility in the platform’s security.
Because security doesn’t begin or end in the cyber world, StrongDM also subjects all its new hires to background checks and provides security training for all its employees and contractors. Additional measures include frequently reviewing permissions and accounts and planning for any contingencies that could disrupt normal business operations.
With a secure platform, people, and processes, you don’t need honeypot security products to identify threats and attackers and secure your organization.
Secure Your Infrastructure with StrongDM
While there are some advantages of honeypot security that may be tempting, honeypots aren’t without risk and they can be a significant drain on resources. As hackers get smarter and savvier, honeypots have to as well, putting a burden on researchers and cyber professionals to stay one step ahead.
Instead of strengthening your network and data security using a honeypot system, you can secure your infrastructure, network, and apps with StrongDM’s Infrastructure Access Platform—built with and supported by the highest security standards that keep hackers out.
Ready to get started? Sign up for a free 14-day trial of StrongDM today.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.