What is a honeypot? How it is used in cyber security?
August 1, 2022
In cybersecurity, a honeypot is a security tool that can help computer systems defend against cyber attacks in unique ways. This network-attached system is used as a decoy to distract cyber attackers from their real targets.
The word “honeypot” has historically been used to represent a “lure” — on the side of criminals pulling their victims into a scheme. However, honeypots are now being used as cyber bait in the opposite way — to fool criminals by luring them into a cyber set-up.
More specifically, honeypots mimic likely targets of cyberattacks, such as vulnerable networks. These cyber honeypots can be used to attract, detect, and thereby deflect cybercriminals from hacking into legitimate targets.
When hackers are lured in by these honeypots, security analysts are then able to gather information about their identities and methods of attack. Indeed, a honeypot is a cybersecurity measure used to root out cybercriminals before they attack legitimate targets.
In this article, you’ll learn more about how honeypots work, the primary types of honeypots, the risks and benefits associated with their use, the legal considerations surrounding them, and frequently asked questions about their role in cybersecurity.
- How do honeypots work in cybersecurity?
- Why use honeypots?
- Types of honeypots
- Do honeypots pose risks?
- Are honeypots illegal?
- Honeypot Questions and Answers (Q&As)
A honeypot is software that serves as bait to lure in hackers. In simpler terms, envision a hacker instead of a bear. Instead of offering the bear’s irresistible honey, cybercriminals are lured in with cyber bait — anything that is attractive to the hacker.
What exactly is this bait? For example, hackers would be very interested in applications and data that act like a legitimate computer system, contain sensitive information, and aren’t secure. Anything that looks like it contains security vulnerabilities will be very attractive to hackers.
While monitoring traffic to honeypot systems, security analysts can better understand three key data points: where cybercriminals are coming from, how they operate, and what they want. Monitoring honeypots can help determine which security measures are working — and which ones need improvement.
More specifically, honeypots can be useful in detecting and preventing outside attempts to break into internal networks. For example, a honeypot could be placed outside an external firewall to attract, deflect, and analyze traffic.
Honeypots also are intentionally created with security vulnerabilities that will lure in cyber attackers. For example, a decoy database with vulnerable software might be created to flag attackers that seek to exploit those software vulnerabilities. The cybercriminals would then attack the decoy database rather than a legitimate one, simultaneously divulging their identities so companies can spot and flag them in the future.
One example of this would be oversight of IT security for a bank. You might set up a honeypot system that, to outsiders, looks like the bank’s network. Then you can protect the bank’s real network.
There are two primary uses for honeypots: research and production.
1. Research honeypots. Research honeypots allow administrators to study the activity of hackers to learn how to offer better protection against such threats. Honeypots also can help shed light on larger software system vulnerabilities that might not otherwise be detected. For example, honeypots should only receive fake traffic, so any activity is a red flag that marks a cyber attacker. You can then take actions like flagging similar IP addresses.
2. Production honeypots. Production honeypots are usually placed inside networks to act as a decoy and lessen the risk of real targets being infiltrated. These honeypots serve to distract cyber attackers from legitimate targets inside the network.
Honeypots are useful in the benefits they offer, including data collection, cost savings, encryption circumvention, and enhanced cybersecurity detection reliability. Regarding reliability, honeypots should only be accessed by cyber attackers, so honeypots shouldn’t generate the false positives that other detection technologies might generate.
Honeypots also can save costs in their efficiency. Instead of spending time and money searching for potential cyber attackers, a honeypot waits for hackers while pretending to be a legitimate target.
Just as there are different types of cyber threats and criminals, there are different types of honeypots to gather intelligence on those threats.
There are four primary types of honeypots.
These so-called spam traps are email addresses created to attract and receive spaminternet traffic. What they do is set up a fake email address to attract automated spammers only. They’re particularly useful in blocking spammers from sending phishing emails to legitimate email addresses, as their Internet Protocol (IP) addresses can be automatically blocked. They’re also used to study spamming activity.
As noted above, a security team might set up a honeypot to act as a decoy database that flags attackers who are trying to exploit software vulnerabilities. The decoy databases are useful in attracting and distracting attackers that get through firewalls. Afterward, they might count the number of attacks that might occur in the 1,000s.
The malware honeypot copies software apps and APIs to attract malware attacks. Then security teams can find out what API weaknesses need to be addressed and create anti-malware software.
So-called spider honeypots are malicious bots and ad-network crawlers that essentially prowl the web. Spider honeypots are created to trap hackers with accessible web pages and links.
There’s now a fifth type of honeypot known as a HoneyBot, which is being tested by university researchers. Rather than staying in one place, it’s cyber bait that moves. Why is this beneficial? As honeypots become more sophisticated, so do cybercriminals. The fact that honeypots don’t interact with hackers has become a red flag that it’s a trap. The HoneyBot, however, can mimic legitimate systems by interacting with hackers — representing a new way to fool them.
The result? Hackers are spending time and resources while trying to get what they can from the HoneyBot, all the while giving away their identifying data to those that they’re trying to hack.
One of the risks of having a honeypot could be relying too heavily on its intelligence. For example, honeypots only spot the activity that they attract. Another disadvantage is that, as mentioned above, experienced hackers may be able to tell the difference between honeypots and legitimate systems with fingerprinting, for example.
Honeypots also may introduce risk in their connection to the administrators collecting the information generated.
The questions of whether honeypots are illegal and unethical is worth considering. While honeypots are protective, do they harm innocent third parties? For example, could they entice someone who isn’t a hacker, but who thinks the honeypot is a legitimate website? Would you then be infiltrating their privacy when collecting their personal information?
One argument is that innocent third parties aren’t out there trying to hack into places where they aren’t supposed to be. The hackers already were looking for their hack; they just were fooled with the wrong one.
On the other hand, say the third party is a hacker. Is luring them with a fake website considered entrapment? Is it legal to collect information about them without their knowledge or hack into their systems?
The key is to be sure you aren’t violating any privacy laws — national or international, along with state or federal anti-hacking laws. Consider the Federal Wiretap Act and the Electronic Communications Privacy Act. The hook here is that organizations are trying to protect themselves. Thus, if you’re a security technology that’s trying to protect itself, then you could fall under a service provider protection exemption in the ECPA. You’ll also need to consider EU law — namely, the protections of the General Data Protection Regulation (GDPR) that became effective in 2018.
As more and more devices and systems become internet-connected, the importance of battling back against those who use the internet as a weapon will only increase. Honeypots can help, if used wisely and within legal limits.
Here are some frequently asked questions about honeypots and the cybersecurity that surrounds them.
How do honeypots work in cybersecurity?
Honeypots are network-attached systems intended to mimic likely targets of cyber attacks, such as vulnerable networks. These cyber honeypots can be used to attract, detect, and thereby deflect cybercriminals from hacking into legitimate targets. When hackers make their way into these decoy computer systems, security administrators can gather information about how cybercriminals are trying to hack into information systems — and make note of their identities to block them from attacking legitimate systems.
Why use honeypots?
A honeypot is a cybersecurity measure with two primary uses: research and production. Honeypots can both root out and collect information on cybercriminals before they attack legitimate targets, as well as lure them away from those real targets.
What are the types of honeypots?
Just as there are different types of cyber threats, there are different types of honeypots to gather intelligence on those threats: email, malware, database, and spider honeypots, along with a new type of honeypot known as a HoneyBot.
Do honeypots pose risks?
There may be some risks associated with using honeypots. You don’t want to rely too heavily on their intelligence at the risk of ignoring other criminal activity that isn’t being caught in a honeypot’s reach. More sophisticated hackers may also begin to spot honeypots due to their static nature and fingerprinting.
It is always prudent to weigh any legal and ethical considerations associated with systems like honeypots, which can gather and analyze personal data. Consider all applicable privacy laws, along with state and federal anti-hacking laws. If you’re using honeypots for protective security reasons, for example, you could claim protection under a service provider protection exemption in the Electronic Communications Privacy Act.
Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.