What is a honeypot in cyber security

Honeypots are decoy systems or servers deployed alongside production systems within your network. When deployed as enticing targets for attackers, honeypots can add security monitoring opportunities for blue teams and misdirect the adversary from their true target. Honeypots come in a variety of complexities depending on the needs of your organization and can be a significant line of defense when it comes to flagging attacks early. This page will get into more detail on what honeypots are, how they are used, and the benefits of implementing them.

There are many applications and use cases for honeypots, as they work to divert malicious traffic away from important systems, get an early warning of a current attack before critical systems are hit, and gather information about attackers and their methods. If the honeypots don’t actually contain confidential data and are well-monitored, you can get insight on attacker tools, tactics, and procedures (TTPs) and gather forensic and legal evidence without putting the rest of your network at risk.

For a honeypot to work, the system should appear to be legitimate. It should run processes a production system is expected to run, and contain seemingly important dummy files. The honeypot can be any system that has been set up with proper sniffing and logging capabilities. It’s also a good idea to place a honeypot behind your corporate firewall—not only does it provide important logging and alerting capabilities, but you can block outgoing traffic so that a compromised honeypot cannot be used to pivot toward other internal assets.

In terms of objectives, there are two types of honeypots: research and production honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior out in the wild. Looking at both your environment and the wider world, they gather information about attacker trends, malware strains, and vulnerabilities that are actively being targeted by adversaries. This can inform your preventative defenses, patch prioritization, and future investments.

Production honeypots, on the other hand, are focused on identifying active compromise on your internal network and tricking the attacker. Information gathering is still a priority, as honeypots give you additional monitoring opportunities and fill in common detection gaps around identifying network scans and lateral movement. Production honeypots sit with the rest of your production servers and run services that would typically run in your environment. Research honeypots tend to be more complex and store more types of data than production honeypots.

Honeypot complexity varies

Within production and research honeypots, there are also differing tiers depending on the level of complexity your organization needs:

  • Pure honeypot: This is a full-scale, completely production-mimicking system that runs on various servers. It contains “confidential” data and user information, and is full of sensors. Though these can be complex and difficult to maintain, the information they provide is invaluable.
  • High-interaction honeypot: This is similar to a pure honeypot in that it runs a lot of services, but it is not as complex and does not hold as much data. High-interaction honeypots are not meant to mimic a full-scale production system, but they do run (or appear to run) all the services that a production system would run, including a proper operating system. This type of honeypot allows the deploying organization to see attacker behaviors and techniques. High-interaction honeypots are resource-intensive and come with maintenance challenges, but the findings can be worth the squeeze.
  • Mid-interaction honeypot: These emulate aspects of the application layer but do not have their own operating system. They work to stall or confuse attackers so that organizations have more time to figure out how to properly react to an attack.
  • Low-interaction honeypot: This type of honeypot is the most commonly deployed in a production environment. Low-interaction honeypots run a handful of services and serve as an early warning detection mechanism more than anything. They are easy to deploy and maintain, with many security teams deploying multiple honeypots across different segments of their network.
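The low-interaction tier described in the last bullet, together with the "proper sniffing and logging capabilities" mentioned earlier, comes down to a very small piece of software. The following is an added example, not code from the original page or from any honeypot product: a minimal low-interaction honeypot in Python that binds a few decoy ports, records every connection (source address, decoy port, the first bytes sent) as a JSON line, and then hangs up without ever offering a real service. The service labels, the use of port 0 (so the OS picks free ports and the demo runs anywhere), and the loopback probes in demo() are constructed for the demonstration.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone


class LowInteractionHoneypot:
    """Accepts connections on decoy ports, records who connected and what
    they sent first, then drops the connection. No real service is run."""

    def __init__(self, bind_host, decoys, log_path=None):
        # decoys: list of (port, label); port 0 lets the OS pick a free port
        self.bind_host = bind_host
        self.decoys = decoys
        self.log_path = log_path        # optional JSON-lines file
        self.events = []                # in-memory copy of every record
        self._listeners = []
        self._lock = threading.Lock()

    def start(self):
        """Bind each decoy and start an accept loop. Returns {label: port}."""
        bound = {}
        for port, label in self.decoys:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.bind_host, port))
            srv.listen(16)
            actual = srv.getsockname()[1]
            self._listeners.append(srv)
            threading.Thread(target=self._accept_loop,
                             args=(srv, actual, label), daemon=True).start()
            bound[label] = actual
        return bound

    def _accept_loop(self, srv, port, label):
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return                  # listener closed by stop()
            threading.Thread(target=self._handle,
                             args=(conn, addr, port, label), daemon=True).start()

    def _handle(self, conn, addr, port, label):
        # Read whatever the client volunteers first (a banner, a request
        # line, a login attempt), then hang up. Nothing is ever sent back.
        conn.settimeout(3.0)
        try:
            first = conn.recv(256)
        except (socket.timeout, OSError):
            first = b""
        finally:
            conn.close()
        self.record(addr[0], addr[1], port, label, first)

    def record(self, src_ip, src_port, decoy_port, label, first_bytes):
        """Every connection is an alert: nothing legitimate talks to a decoy."""
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "alert": "honeypot-connection",
            "src_ip": src_ip,
            "src_port": src_port,
            "decoy_port": decoy_port,
            "decoy_service": label,
            "first_bytes": first_bytes.decode("utf-8", "replace")[:64],
        }
        with self._lock:
            self.events.append(event)
            if self.log_path:
                with open(self.log_path, "a", encoding="utf-8") as fh:
                    fh.write(json.dumps(event) + "\n")
        return event

    def wait_for(self, count, timeout=5.0):
        """Block until at least `count` events exist (used by the demo)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.02)
        return False

    def stop(self):
        for srv in self._listeners:
            srv.close()


def send_probe(host, port, payload):
    """Constructed stand-in for a scanner touching a decoy (demo only)."""
    with socket.create_connection((host, port), timeout=3.0) as c:
        c.sendall(payload)


def demo():
    """Run the honeypot on loopback, touch two decoys, return the records."""
    hp = LowInteractionHoneypot("127.0.0.1", [(0, "ssh"), (0, "mssql")])
    ports = hp.start()
    try:
        send_probe("127.0.0.1", ports["ssh"], b"SSH-2.0-constructed_probe\r\n")
        hp.wait_for(1)
        send_probe("127.0.0.1", ports["mssql"], b"\x12\x01constructed")
        hp.wait_for(2)
    finally:
        hp.stop()
    return list(hp.events)


if __name__ == "__main__":
    for ev in demo():
        print(json.dumps(ev))
```

Because the decoy answers nothing, every connection is by definition unexpected and can be alerted on directly; there is no signature to maintain. The egress control the text recommends is not part of the script: the host running it belongs behind the corporate firewall with outbound connections denied, so that a compromised decoy cannot be used as a pivot.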

Different types of honeypot tech

Several honeypot technologies in use include the following: 

  • Malware honeypots: These use known replication and attack vectors to detect malware. For example, honeypots (e.g., Ghost) have been crafted to emulate a USB storage device. If a machine is infected by malware that spreads via USB, the honeypot tricks the malware into infecting the emulated device.
  • Spam honeypots: These are used to emulate open mail relays and open proxies. Spammers will test the open mail relay by sending themselves an email first. If they succeed, they then send out large quantities of spam. This type of honeypot can detect and recognize this test and successfully block the massive volume of spam that follows.
  • Database honeypot: Activities such as SQL injections can often go undetected by firewalls, so some organizations will use a database firewall, which can provide honeypot support to create decoy databases.
  • Client honeypots: Most honeypots are servers listening for connections. Client honeypots actively seek out malicious servers that attack clients, monitoring for suspicious and unexpected modifications to the honeypot. These systems generally run on virtualization technology and have a containment strategy to minimize risk to the research team.
  • Honeynets: Rather than being a single system, a honeynet is a network that can consist of multiple honeypots. Honeynets aim to strategically track the methods and motives of an attacker while containing all inbound and outbound traffic. 
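The spam honeypot bullet describes a specific detection: an open relay that recognises the spammer's self-addressed test message and refuses everything that follows. The following added example (not from the original page and not the code of any existing spam trap) emulates just enough SMTP to do that. The decoy accepts MAIL FROM, RCPT TO and DATA, records each message instead of delivering it, and once a client has relayed a message from an external address to that same external address it marks the client and answers every later RCPT TO with a 550. The domain names, addresses and the 203.0.113.7 client address are constructed for the demo.

```python
import re

# Assumption: the only domains this "relay" legitimately serves.
LOCAL_DOMAINS = {"decoy.example"}
ADDR_RE = re.compile(r"<([^>]*)>")


def _address(line):
    m = ADDR_RE.search(line)
    return m.group(1).lower() if m else ""


def new_state():
    """Shared across sessions: who is blocked, what was captured."""
    return {"blocked": set(), "captured": []}


class OpenRelayDecoy:
    """One SMTP session. feed() takes a client line and returns the reply
    (None while swallowing message body lines). Nothing is ever delivered."""

    def __init__(self, client_ip, state):
        self.client_ip = client_ip
        self.state = state
        self.mail_from, self.rcpts, self.body = None, [], []
        self.in_data = False

    def feed(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self._finish_message()
                return "250 OK: queued"          # a lie: nothing is queued
            self.body.append(line)
            return None
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 relay.decoy.example"
        if verb == "MAIL":
            self.mail_from = _address(line)
            return "250 OK"
        if verb == "RCPT":
            if self.client_ip in self.state["blocked"]:
                return "550 relaying denied"     # the bulk run gets nowhere
            self.rcpts.append(_address(line))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognised command"

    def _finish_message(self):
        self.state["captured"].append(
            (self.client_ip, self.mail_from, list(self.rcpts), "\n".join(self.body)))
        # Relay test: a message from an external address to the very same
        # external address, through a host that serves neither. A real user
        # of this relay would send from or to one of LOCAL_DOMAINS.
        def external(addr):
            return addr and addr.split("@")[-1] not in LOCAL_DOMAINS
        if external(self.mail_from) and self.mail_from in self.rcpts:
            self.state["blocked"].add(self.client_ip)
        self.mail_from, self.rcpts, self.body = None, [], []


def run_session(client_ip, state, client_lines):
    """Play a whole client transcript through the decoy; return the replies."""
    session = OpenRelayDecoy(client_ip, state)
    return [r for r in (session.feed(l) for l in client_lines) if r is not None]


def demo():
    state = new_state()
    # Constructed transcript 1: the spammer's relay test, sent to themselves
    test_run = run_session("203.0.113.7", state, [
        "EHLO bulk.invalid",
        "MAIL FROM:<ops@bulk.invalid>",
        "RCPT TO:<ops@bulk.invalid>",
        "DATA",
        "Subject: relay test",
        "",
        "x",
        ".",
        "QUIT",
    ])
    # Constructed transcript 2: the bulk send that follows from the same host
    blast = run_session("203.0.113.7", state, [
        "EHLO bulk.invalid",
        "MAIL FROM:<ops@bulk.invalid>",
        "RCPT TO:<victim1@other.example>",
        "RCPT TO:<victim2@other.example>",
        "QUIT",
    ])
    return state, test_run, blast


if __name__ == "__main__":
    state, test_run, blast = demo()
    print("test replies:", test_run)
    print("blast replies:", blast)
    print("blocked:", sorted(state["blocked"]))
```

The decoy reports success for the test message so that the spammer believes the relay works; the value of the trap comes from that lie, because the follow-up bulk send then arrives at a host that will never forward it and is already marked as the sender's source.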

Benefits of a honeypot

Honeypots offer plenty of security benefits to organizations that choose to implement them, including the following:

They break the attacker kill chain and slow attackers down

As attackers move throughout your environment, they conduct reconnaissance, scan your network, and seek misconfigured and vulnerable devices. At this stage, they are likely to trip your honeypot, alerting you to investigate and contain attacker access. This allows you to respond before an attacker has the chance to successfully exfiltrate data from your environment. Malicious actors can also spend a significant amount of time trying to work on the honeypot instead of going after areas that have real data. Diverting their attack to a useless system wastes cycles and gives you early warning of an attack in progress.
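The reconnaissance and scanning stage described above is where a honeypot pays off, and the earlier section notes that production honeypots fill detection gaps around network scans and lateral movement. The following added example (not from the original page) shows the correlation a blue team might run over a honeypot's JSON-lines log: a source that touches several distinct decoy ports inside a short window is reported as a network scan, and any source from the organisation's own internal address space touching a decoy is reported as possible lateral movement from an already-compromised host. The log lines, the thresholds, the field names, and the choice of RFC 1918 space as "internal" are assumptions constructed for the demo.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Assumption: the organisation's internal address space is RFC 1918 space.
# ipaddress.is_private is deliberately not used here: it also covers the
# documentation ranges (TEST-NET) that the sample log uses as "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_PORTS = 3        # distinct decoy ports from one source ...
SCAN_WINDOW_S = 60    # ... within this many seconds counts as a scan

# Constructed honeypot log, one JSON object per line, as a low-interaction
# honeypot might write it. None of these addresses or hits are real.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00+00:00", "src_ip": "203.0.113.9", "decoy_port": 22, "decoy_service": "ssh"}
{"ts": "2024-05-01T10:00:05+00:00", "src_ip": "203.0.113.9", "decoy_port": 445, "decoy_service": "smb"}
{"ts": "2024-05-01T10:00:12+00:00", "src_ip": "203.0.113.9", "decoy_port": 3306, "decoy_service": "mysql"}
{"ts": "2024-05-01T10:01:00+00:00", "src_ip": "198.51.100.5", "decoy_port": 22, "decoy_service": "ssh"}
{"ts": "2024-05-01T10:01:30+00:00", "src_ip": "198.51.100.5", "decoy_port": 22, "decoy_service": "ssh"}
{"ts": "2024-05-01T10:02:00+00:00", "src_ip": "10.20.30.40", "decoy_port": 445, "decoy_service": "smb"}
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(jsonl):
    """Parse JSON lines into dicts carrying a datetime, oldest first."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["t"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["t"])


def correlate(events):
    """Raise at most one alert per source for each pattern."""
    alerts = []
    flagged = set()                # (src_ip, alert_type) already raised
    recent = defaultdict(list)     # src_ip -> [(time, decoy_port)] in window
    for ev in events:
        src, port, now = ev["src_ip"], ev["decoy_port"], ev["t"]
        # An internal host touching a decoy is not an internet scanner:
        # something inside is already compromised or badly misbehaving.
        if is_internal(src) and (src, "lateral-movement") not in flagged:
            flagged.add((src, "lateral-movement"))
            alerts.append({"severity": "high", "type": "lateral-movement",
                           "src_ip": src, "first_decoy": ev["decoy_service"]})
        # Sliding window of this source's hits; distinct ports => scanning.
        window = [(t, p) for t, p in recent[src]
                  if (now - t).total_seconds() <= SCAN_WINDOW_S]
        window.append((now, port))
        recent[src] = window
        ports = sorted({p for _, p in window})
        if len(ports) >= SCAN_PORTS and (src, "network-scan") not in flagged:
            flagged.add((src, "network-scan"))
            alerts.append({"severity": "medium", "type": "network-scan",
                           "src_ip": src, "ports": ports})
    return alerts


def demo():
    return correlate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert))
```

Run against the sample log this yields two alerts: a medium-severity network-scan for 203.0.113.9 (ports 22, 445 and 3306 within twelve seconds) and a high-severity lateral-movement alert for 10.20.30.40. The repeated single-port hits from 198.51.100.5 stay as raw honeypot events, which is the right place for them: the per-connection record is already an alert in its own right, and the correlation only adds the scan and insider context on top.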

They are straightforward and low-maintenance

Modern honeypots are not only easy to download and install, but can provide accurate alerts around dangerous misconfigurations and attacker behavior. In some cases, your team might even forget that a honeypot was ever deployed until someone starts poking around your internal network. Unlike intrusion detection systems, honeypots do not require known-bad attack signatures and fresh threat intel to be useful.

They help you test your incident response processes

Honeypots are a low-cost way to help you increase your security maturity, as they test whether your team knows what to do if a honeypot reveals unexpected activity. Can your team investigate the alert and take appropriate countermeasures?

Honeypots shouldn’t be your entire threat detection strategy, but they are another layer of security that can be helpful in discovering attacks early. They are one of the few methods available to security practitioners to study real-world malicious behavior and catch internal network compromise. Want to learn more about other types of tech that can boost your blue team defenses? Check out our page on deception technology.


Honeypots refer to decoy servers or systems that are deployed next to systems your organization actually uses for production. Honeypots are designed to look like attractive targets, and they get deployed to allow IT teams to monitor the system’s security responses and to redirect the attacker away from their intended target. 

There are various honeypots, and they can be set up according to what your organization needs. Because they appear to be legitimate systems, honeypots act like a trap, enabling you to identify attacks early and mount an appropriate response. This definition points to some of the ways they can be used to direct attackers away from your most important systems. While the attacker falls for the bait, you can gather crucial intelligence about the type of attack, as well as the methods the attacker is using.

A honeypot works best when it appears to be a legitimate system. In other words, it must run the same processes your actual production system would run. It should also contain decoy files the attacker will see as appropriate for the targeted processes. In many cases, it is best to put the honeypot behind the firewall protecting your organization’s network. This enables you to examine threats that get past the firewall and prevent attacks engineered to be launched from within a compromised honeypot. As the attack unfolds, your firewall, positioned between the honeypot and the internet, can intercept the honeypot’s outbound traffic and drop it.

In many ways, a honeypot looks exactly like a genuine computer system. It has the applications and data that cyber criminals use to identify an ideal target. A honeypot can, for instance, pretend to be a system that contains sensitive consumer data, such as credit card or personal identification information. The system can be populated with decoy data that may draw in an attacker looking to steal and use or sell it. As the attacker breaks into the honeypot, the IT team can observe how the attacker proceeds, taking note of the various techniques they deploy and how the system’s defenses hold up or fail. This can then be used to strengthen the overall defenses used to protect the network.

Honeypots use security vulnerabilities to lure in attackers. They may have ports that are vulnerable to a port scan, which is a technique for figuring out which ports are open on a network. A port left open may entice an attacker, allowing the security team to observe how they approach their attack.

Honeypotting is different from other types of security measures in that it is not designed to directly prevent attacks. The purpose of a honeypot is to refine an organization’s intrusion detection system (IDS) and threat response so it is in a better position to manage and prevent attacks.

There are two primary kinds of honeypots: production and research. Production honeypots focus on the identification of compromises in your internal network, as well as fooling the malicious actor. Production honeypots are positioned alongside your genuine production servers and run the same kinds of services.

Research honeypots, on the other hand, collect information regarding attacks, focusing not just on how threats act within your internal environment but how they operate in the wider world. Gathering information about threats in this way can help administrators design stronger defense systems and figure out which patches they need to prioritize. They can then ensure that sensitive systems have up-to-date security measures to defend against the attacks that fell for the honeypot’s lures.

There are different types of honeypots, each designed for different production or research purposes.

A pure honeypot refers to a full-scale system running on various servers. It completely mimics the production system. A pure honeypot holds data made to look confidential, as well as “sensitive” user information, and it is fitted with a number of sensors used to track and observe attacker activity.

A high-interaction honeypot is designed to get attackers to invest as much time as possible inside the honeypot. This gives the security team more opportunities to observe the targets and intentions of the attacker and more chances to discover vulnerabilities within the system. 

A high-interaction honeypot may have extra systems, databases, and processes that the attacker will want to try to infiltrate. Researchers can observe how the attacker goes about looking for information, as well as which information they prefer and how they attempt to escalate access privileges.

Mid-interaction honeypots imitate elements of the application layer, but they do not have an operating system. Their mission is to confuse an attacker or stall them so the organization has more time to ascertain how to react to the kind of attack in question.

Low-interaction honeypots are less resource-intensive and gather rudimentary information regarding the kind of threat and where it came from. These are relatively simple to set up, and they make use of Transmission Control Protocol (TCP), Internet Protocol (IP), and network services. However, there is nothing inside the honeypot to hold the attacker’s attention for a considerable amount of time.

Malware honeypots use attack vectors already known to lure in malware. They can, for example, imitate a Universal Serial Bus (USB) storage device. If a computer comes under attack, the honeypot fools the malware into attacking the emulated USB.

Spam honeypots are designed to attract spammers by using open proxies and mail relays. Spammers perform tests on mail relays by using them to send themselves an email. If they are successful, they can then transmit large amounts of spam. A spam trap can identify a spammer’s test and then block the spam they try to send out.

A database honeypot is used to make decoy databases to attract database-specific attacks like SQL injections, which illicitly read or manipulate data. These kinds of honeypots can be implemented using a database firewall.

Client honeypots attempt to lure in malicious servers that attackers use while hacking clients. They pose as a client to observe how an attacker makes modifications to a server during the attack. Client honeypots are typically run in a virtualized environment and have containment protections in place to reduce the risk of exposure to the researchers.

Honeynets consist of a network of honeypots. With different kinds of honeypots forming a honeynet, several types of attacks can be studied, such as distributed denial-of-service (DDoS) attacks, attacks to a content delivery network (CDN), or a ransomware attack. While a honeynet is used to study different kinds of attacks, it contains all traffic, both inbound and outbound, to protect the rest of the organization’s system.

What is a honeypot in cybersecurity? Honeypot network security is designed to lure attackers into fake network environments to:

  1. See what they want
  2. See how they go about trying to meet their objectives
  3. Learn how to stop them

A network honeypot, in the context of an organization’s cybersecurity, involves creating an environment filled with potentially attractive digital assets and then observing how hackers attempt to gain access to them and what they do once they are inside the system.

What is a honeypot in network security? Honeypot cybersecurity involves connecting a fake asset to the internet—or even within an organization’s internal network—and enabling hackers to gain access to it. The actual setup you use can be relatively straightforward or complex, depending on the kind of activity you are trying to study.

A power company can set up a fake Microsoft SQL server that appears to contain a database of the locations of all the plants it uses to source the power it sells to customers. 

So suppose the power company has eight hydroelectric plants, one nuclear power plant, 10 solar farms, and two coal-burning power plants that all provide power to the people the company serves. Network admins can create a fake database, host it on an SQL server, make it relatively easy to hack into, and then use this honeypot to see how hackers try to steal the information. Of course, the names of the power plants, and especially their geolocations, are all false.

In many cases, the IT team will create a system that closely parallels their real network setup. In this way, if hackers are able to get in, the IT team can identify vulnerabilities in their actual setup.

It is important to keep in mind that honeypots in network security are designed based on your IT team’s objectives. Consequently, honeypot security setups can vary drastically from one organization to another.

Suppose an IT team thinks someone may be trying to launch an insider attack. They may establish a fake server that has the same stringent access controls as the one they suspect the insider attacker may be after. In this way, they limit the attack surface to someone who can bypass a strict credential system, such as someone on the inside.

On the other hand, another organization may just want to see which random attacks in the wild may want to target a specific kind of system and what hackers do once inside. In that case, they may make the asset relatively easy to hack into, just so they can get more data to use in their intel.

Honeypots come with several advantages a security team can leverage to improve network safety.

Attackers move through your environment like predators, scanning your network and looking for vulnerabilities. While they are on the prowl, they may engage with your honeypot. At this point, you can both trap the attacker inside and investigate its behavior. Honeypots also disrupt the kill chain by enticing attackers to invest their time going after the useless information in the honeypot instead of actual, sensitive targets of value.

Honeypots are an efficient way to see how your security team and the system will react to a threat. You can use a honeypot to evaluate the effectiveness of your team’s responses and address any weaknesses in policies.

Honeypots are both easy to implement and effective tools for providing alerts and information regarding the attacker's behavior. Your security team can deploy a honeypot and just wait for an attacker to interact with it. There is no need to constantly monitor the decoy environment, and you do not have to arm it with intel regarding known threats for it to be an effective tool.

Even though a honeypot in cybersecurity can be effective, it is typically not enough. For instance, it cannot detect security breaches in legitimate systems. In other words, while a hacker is attacking your fake asset, another one can be attacking an actual resource and the honeypot would not be able to tell you.

Also, a honeypot cannot always identify an attacker. While you may get some information on the hacker’s methods, you may not get all the intel you need to identify or prevent an attack.

The Fortinet FortiDeceptor uses deception technology to identify and respond to threats from outside and within your network. FortiDeceptor gives you a network of virtual machines with honeypots running on them, and it uses real-time protections and threat analytics through the Fortinet Security Fabric. FortiDeceptor works in three phases:

  • Deceive phase: The cybersecurity team sends out deception virtual machines (VMs) and decoys across the data center, campus, or cloud that appear to be genuine assets.
  • Expose phase: An attacker’s lateral movement and activity are observed, collected, logged, and correlated. Then a timeline is developed based on this data, which sheds light on the attack and how it may play a role in a larger campaign. The security team is also alerted during this phase, and intel can be shared with security information and event management (SIEM) systems to allow for event management in a consolidated, single-pane environment.
  • Elimination phase: The security team uses the intel they have gathered to investigate and take steps to remediate. You also have the option of letting FortiDeceptor perform the mitigation automatically.