<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Curious about how StrongDM works? 🤔 Learn more here!

Search
Close icon
Search bar icon
Search
Close icon
Search bar icon
Blog / Security

What Is a Honeypot? How Trapping Bad Actors Helps Security

Andrew Magnusson
by
Customer Engineering Expert
StrongDM
9 min read
Last updated on: December 14, 2022
Found in: Security
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen
Get a demo
What Is a Honeypot? How Trapping Bad Actors Helps Security

In this article, you’ll learn what a honeypot is, what honeypots are used for, and the benefits and risks associated with them. You’ll also learn about the different types and examples of honeypots and how they work. By the end of the article, you’ll have a deeper understanding of honeypots in cyber security, and how a secure infrastructure access platform can help you safeguard your network, systems, and apps without using a honeypot.

What Is a Honeypot?

A honeypot is a phony digital asset designed to look like a poorly-guarded, valuable asset. The goal is to trick cyber attackers into targeting the vulnerable honeypot, which deflects attention away from critical assets, alerts companies to when and what type of attack is occurring, and enables them to mitigate the risk before important network security perimeters are compromised.

As a cyber attacker enters the decoy tool—for example, a honeypot security server—and tries to gain access to data and systems, the honeypot then detects and deflects their actions away from the real network. Not only do honeypots enable companies to prevent attacks on critical assets, they’re also able to collect valuable data from real attacks to help them improve their security posture for future attacks.

In pure research settings or government sting operations, organizations use honeypot espionage to gain a deep understanding of cyber-attack techniques and even thwart large-scale criminal operations.

What is a honeynet?

A honeynet is a network of honeypots that encompasses multiple systems and behaves as a real network would. Deploying a honeypot network is useful if an organization’s security team wants to study threats to an especially large or complex network or if they want to gather deeper, more nuanced data about the attacker.

History of Honeypots

The original metaphor of a bear attracted to a pot of honey is illustrated in the well-known Winnie the Pooh children’s stories. The cybersecurity industry evolved the honeypot concept as a means to lure, trap, and observe cybercriminals. Honeypot schemes have been in use as far back as the late 1980s and early 1990s when Lawrence Livermore National Laboratories and AT&T Bell Labs, respectively, used early versions of the honeypot security concept to chase down hackers who had infiltrated their systems.

Over time, honeypot espionage became more prevalent. It’s now key in trapping hackers and helping cybersecurity professionals gain extensive knowledge about various kinds of cyber attacks so they can develop systems and techniques to counter them. 

Purpose of Honeypots

The purpose of honeypot cyber security—or honeypot network security—is ultimately to keep intruders away from the real network. Once an intruder is detected and isolated in the honeypot, security teams can gather intelligence about their tactics and how they move around inside the decoy system or network. Cyber professionals and security teams can learn how certain attacks work and even how to trace attacks back to the source.

The information gleaned from the honeypot data collection process is valuable for identifying system gaps and vulnerabilities so teams know where and how to improve security protocols. Honeypot security tools are also useful for detecting ransomware and malware.

72% of companies already use or plan to use honeypots or other deception technologies.

What types of companies use honeypots?

Outside of the cybersecurity space, there are companies in many industries that utilize honeypot network security systems, especially those that deal with huge volumes of highly sensitive information every day. They include healthcare, financial services, government, and retail organizations.

Benefits of Honeypots

Honeypots are instrumental in preventing future attacks. Since the tools uncover where actual threats exist, they show organizations where to focus their security efforts and resources.

Additional benefits of honeypots in network security include:

  • Reduction of false positives: Because threat detection tools alert security teams to every threat, the teams often end up with many false positives that require time and resources to investigate. A honeypot is designed so that only bad actors are accessing it—so alerts that come from a honeypot are real threats. This helps teams know when and where to prioritize their efforts.
  • Reliable data: Instead of dealing with hypothetical situations or relying on data from other organizations, honeypot hacking gives security teams access to data that comes from a real attack on the honeypot, information that enriches and enhances their efforts when analyzing security.
  • Gets around encryption: As attackers become more sophisticated, they introduce techniques to hide what they’re doing, such as encrypting their activities to impair security teams’ ability to monitor network traffic. A honeypot is able to capture attackers’ activity whether they’re using encryption or not.
  • Fewer resources: Maintaining threat detection tools is resource-heavy work, especially if network speed and data volume continually increase. In contrast, a simple or low-interaction honeypot takes fewer resources and can sometimes run off a single computer.

Risks of Honeypots

Though it’s tempting to rely on a honeypot to enhance threat detection and mitigation, there are still reasons to be cautious when deploying one. This is for two primary reasons:

  • They’re not foolproof: Though a good honeypot security project will succeed in tricking an attacker, a really accomplished attacker can sometimes identify the honeypot, especially if it’s a little too easy to access or they use a technique like system fingerprinting. If they do identify the honeypot, they can get in and wreak havoc on other systems in the network. They can even co-opt the honeypot itself to launch an attack.
  • They’re not omniscient: A honeypot system won’t notice everything that’s happening in the network. Instead, it can only detect threats against itself. If the honeypot doesn’t detect a particular malicious threat, security teams can’t assume it doesn’t exist. They still have to keep up with evolving threats and use other tools to ensure malicious activities in the actual network won’t escape notice. 

Types of Honeypots

The primary types of honeypots can be grouped by either their goal, level of technical capabilities, or area of focus. Which type of honeypot an organization uses will depend on its goals, time constraints, and available resources.

Types of honeypots by goal

  • Production: The typical honeypot for an organization, a production honeypot is designed to deflect the attacker away from critical assets while also alerting IT teams to an active attack so they can diffuse it and better protect their systems from future attacks. These honeypots are deployed within a network’s security system to some extent but are isolated as much as possible to limit the potential risk of the attacker gaining access to real data.
  • Research: Used by government entities and research organizations, this type of honeypot enables deep research into cybercriminal activity. Research honeypots are fully isolated from enterprise systems—typically via laboratory environments—so that researchers can safely study attack techniques in the hope of developing better protection security software or catching cyber criminals.

Types of honeypots by technical capabilities

  • Pure: A dedicated system, such as a physical server, that contains fake files and user information. Because a pure honeypot so closely resembles a real system, it’s also the most likely to fool hackers successfully. A honeypot server or any other pure honeypot is a complex system that requires considerable effort to set up and manage.
  • High-interaction: A collection of systems that host multiple services and provide multiple avenues for hackers to get deep into them. The point of a high-interaction honeypot is to get hackers to engage with it for a long period of time to collect extensive data about the hackers’ intentions and targets. Similar to pure honeypots, high-interaction honeypots require significant time and resources to monitor and maintain them.
  • Low-interaction: A system with limited capabilities that collects basic information about specific threat types—such as bots and malware. Unlike high-interaction honeypots, low-interaction honeypots aren’t designed to engage hackers for lengthy time periods or to gather in-depth information on complex threats. They are also more likely to appear fake to attackers, making them more easily discoverable.

Types of honeypots by area of focus

  • Malware: A honeypot built to mimic software apps and APIs that draws malware attacks, producing information useful for studying malware and developing anti-malware tools. 
  • Database: Built as a decoy database, this honeypot attracts and observes attackers who find and exploit flaws in data-driven applications.
  • Spider: A honeypot that creates web pages and links to attract spiders or web crawlers—bots that browse the internet for web indexing purposes—so teams can figure out how to block malicious bots. 
  • Email: Built as a collection of fake email addresses, this honeypot’s purpose is to receive spam and study spam activity, as well as block attackers from sending phishing emails. 

Examples of Honeypots

There are a couple of notable examples of honeypots in cyber security that have made headlines. Publicized honeypots are typically research honeypots that have a high profile due to the success of government entities in using these resources to catch criminals.

Global law enforcement arrests hundreds

Law enforcement agencies around the world used a single honeypot operation that co-opted the Anom encrypted communications service to trick cybercriminals. The agencies were able to observe hundreds of criminal organizations and thousands of criminals who thought they were using a safe, encrypted messaging service. 

The honeypot operation enabled police operations across 16 countries, which led to 800 arrests and the seizure of eight tons of cocaine and over $48 million.

Dutch police co-opt a darknet market

In this honeypot example, Dutch law enforcement took over a darknet market called Hansa and used it to secretly monitor criminal purchases of illicit products. The honeypot operation allowed the police to get the specific delivery addresses of several orders and learn more about high-value targets, before eventually shutting down the market.

The honeypot operation produced 10,000 foreign addresses of the market’s buyers that were then shared with law enforcement in those countries. 

Production vs. Research Honeypots

Another way to categorize a honeypot in cyber security is whether it’s used in production or for research.

Production honeypots are good for detecting threats and supplementing existing threat protection tools. They help improve the overall protection of an organization’s networks and infrastructure.

Research honeypots are used for educational purposes by collecting information about attackers’ activities that can be studied by experts. A nonprofit organization called the Honeynet Project is a prominent research group that uses the latest in honeypot tools and technologies to study and expand the world’s understanding of cyber threats.

How Does a Honeypot Work

An IT professional sets up a decoy system to look like a real system—such as a database with sensitive financial information—but isolated from actual production data or legitimate network traffic. The honeypot often includes a honeywall—or honeypot firewall—that keeps it separate from the rest of the network and limits the entry and exit points of the attacker. Importantly, the honeypot is deliberately built with security vulnerabilities that are irresistible to attackers.

An attacker notices the vulnerability, then exploits it by hacking into the system. But instead of gaining access to the organization’s live network, the attacker ends up in the honeypot environment. If the honeypot is set up outside the external firewall, it can deflect—and therefore prevent—outside attacks on the internal network.

Once the honeypot attack occurs, the honeypot tracks the attacker’s movements and actions. Security teams then use the data to understand where and how the network should be better secured, and how to prepare for potential new threats.

The top three honeypot attack types are:
 SSH brute force to access a server
 TCP/UDP attacks to hack into services that use these protocols and packets
 Credential stealers to scan devices for passwords and authentication tokens

Honeypot Detection Systems

Attackers who suspect the presence of a honeypot security tool may try to hide their activities with encryption, but the savviest attackers will have detections in place to help them directly detect the honeypot. The “honeypot hacking” term refers to the tools and techniques used by attackers to detect honeypots so they can avoid them and hack into poorly secured systems.

Attackers can use a variety of tools to help them detect honeypots, such as:

  • Send-safe Honeypot Hunter
  • Kippo
  • Cowrie
  • Checkpot
  • KFSensor

The catch, though, is that these detection tools can also be used by security teams to ensure that before they deploy a honeypot, it doesn’t contain mistakes or giveaways that attackers can find. 

Honeypots: Frequently Asked Questions

Is it legal to use a honeypot?

While it’s not illegal to use a honeypot operation, there are legal risks associated with it. One of the biggest is that companies can run afoul of various state and federal regulations if they’re not careful.

For example, tricking hackers into downloading systems that reveal their identity can put organizations at risk of violating anti-hacking laws. Gathering certain types of data about hackers can also violate privacy laws. Companies shouldn’t proceed with a honeypot trap unless they thoroughly understand the risks and ramifications and are careful not to violate any laws.

Is using a honeypot ethical?

The ethics around honeypots are sometimes controversial. One line of thinking is that entrapping someone into committing a crime is considered unethical, so the same logic should be applied to honeypots in cyber security.

On the other hand, because honeypots reveal valuable information about attackers and threats that can improve security techniques, some argue that it’s fine and even advantageous to use them if it means organizations, systems, consumers, and data can be better protected.

Can a honeypot be hacked?

The short answer is yes. Hackers and cybercriminals are constantly upping their game, so it’s often a matter of time before they can discover a new way to exploit a system—including a honeypot. That’s why honeypot security risks have to be considered when configuring and implementing one.

Do hackers use honeypots?

Any organization or entity can use a honeypot, including hackers themselves. Hackers have been known to use honeypot technology on each other as a means of exposing someone’s identity and knocking them out as a competitor.

How StrongDM Keeps You Secure without Honeypots

While there is a variety of open-source honeypot software available on the market, you don’t need to employ honeypot solutions to learn how to better secure your systems. A honeypot is an invitation to attack, and no matter how well the decoy system is disguised, it can still carry some level of risk.

StrongDM’s Infrastructure Access Platform includes security features like pervasive auditing, credential and secret management, identity federation, log management, and data protection that make honeypots unnecessary. The platform is built on the SOC 2 Type 2 security framework and certified by an independent audit firm to further establish trust and credibility in the platform’s security.

Because security doesn’t begin or end in the cyber world, StrongDM also subjects all its new hires to background checks and provides security training for all its employees and contractors. Additional measures include frequently reviewing permissions and accounts and planning for any contingencies that could disrupt normal business operations.

With a secure platform, people, and processes, you don’t need honeypot security products to identify threats and attackers and secure your organization. 

Secure Your Infrastructure with StrongDM

While there are some advantages of honeypot security that may be tempting, honeypots aren’t without risk and they can be a significant drain on resources. As hackers get smarter and savvier, honeypots have to as well, putting a burden on researchers and cyber professionals to stay one step ahead.

Instead of strengthening your network and data security using a honeypot system, you can secure your infrastructure, network, and apps with StrongDM’s Infrastructure Access Platform—built with and supported by the highest security standards that keep hackers out.

Ready to get started? Sign up for a free 14-day trial of StrongDM today.

About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Cybersecurity Audit: The Ultimate Guide
Cybersecurity Audit: The Ultimate Guide for 2024
A cybersecurity audit is a comprehensive assessment of your organization's information systems, networks, and processes that identify vulnerabilities and weaknesses that cybercriminals could exploit. The audit also evaluates the effectiveness of your security controls, policies, and procedures and determines if they align with industry best practices and compliance standards.
How StrongDM Simplifies NIS2 Compliance for EU Organizations
How StrongDM Simplifies NIS2 Compliance for EU Organizations
The NIS2 Directive establishes comprehensive cybersecurity legislation across the European Union. Building upon its predecessor, the Network and Information Security (NIS) Directive, the goal of NIS2 is to standardize cybersecurity practices among EU Member States. Much like the General Data Protection Regulation (GDPR), NIS2 seeks to unify strategies and actions throughout the EU to fortify digital infrastructure against the escalating threat of cyberattacks.
Top 9 Zero Trust Security Solutions
Top 9 Zero Trust Security Solutions in 2024
Zero trust is a security and authentication model that eliminates the assumption of trust and shifts the focus from a traditional security parameter, like a VPN or firewall, to the individual user. Nearly all (92 percent) cybersecurity professionals agree that it’s the best network security approach that exists. In this article, we’ll evaluate the top nine zero trust solutions and help you decide which is right for your organization.
Water Utilities Cybersecurity Guide: Challenges & Solution
Water Utilities Cybersecurity Guide: Challenges & Solution
StrongDM is working with the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) on Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems. This effort provides a means to identify common scenarios among Water and Wastewaters Systems (WWS) sector participants, to develop reference cybersecurity architectures, and propose the utilization of existing commercially available products to mitigate and manage risk.
XZ Utils Backdoor Explained: How to Mitigate Risks
XZ Utils Backdoor Explained: How to Mitigate Risks
Last week, Red Hat issued a warning regarding a potential presence of a malicious backdoor in the widely utilized data compression software library XZ, which may affect instances of Fedora Linux 40 and the Fedora Rawhide developer distribution. CISA, or Cybersecurity & Infrastructure Security Agency, confirmed and issued an alert for the same CVE.