If you’ve ever wondered how the good guys on the internet go after the bad guys, one way is something called a honeypot. You see, in addition to the security measures you might expect, such as strengthening a computer network to keep cybercriminals out, the good guys use a honeypot to do just the opposite — attract the bad guys.
A honeypot is a computer or computer system intended to mimic likely targets of cyberattacks. It can be used to detect attacks or deflect them from a legitimate target. It can also be used to gain information about how cybercriminals operate.
You may not have heard of them before, but honeypots have been around for decades. The principle behind them is simple: Don’t go looking for attackers. Prepare something that would attract their interest — the honeypot — and then wait for the attackers to show up.
Like mice to cheese-baited mousetraps, cybercriminals are attracted to honeypots — not because they’re honeypots. The bad guys think the honeypot is a legitimate target, something worthy of their time. That’s because the bait includes applications and data that simulate a real computer system.
How do honeypots work?
If you, for instance, were in charge of IT security for a bank, you might set up a honeypot system that, to outsiders, looks like the bank’s network. The same goes for those in charge of — or researching — other types of secure, internet-connected systems.
By monitoring traffic to such systems, you can better understand where cybercriminals are coming from, how they operate, and what they want. More importantly, you can determine which security measures you have in place are working — and which ones may need improvement.
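The monitoring described above, as an added example that is not part of the original article: a minimal low-interaction honeypot that listens on a couple of decoy ports, answers with a fake service banner, and records who connected and what they sent first. Since no legitimate client has a reason to talk to a decoy, every record is an alert by definition. The port numbers, banners, tag names and the `DECOY_SERVICES` table are all assumptions made for this example; it is meant to run on an isolated host, not on a production server.

```python
"""Minimal low-interaction honeypot (constructed example, not from the article).

Each connection becomes a structured event: source address, decoy port hit,
the first bytes received (stored as hex, so the log is safe to read) and a
coarse tag describing what the visitor appears to be doing."""
import json
import socket
import threading
import time
from dataclasses import dataclass, field, asdict

# Decoy services: port -> (label, banner sent on connect). Constructed values.
DECOY_SERVICES = {
    2222: ("ssh", b"SSH-2.0-OpenSSH_7.4\r\n"),
    8080: ("http", b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.6\r\n\r\n"),
}


@dataclass
class Event:
    ts: float
    src_ip: str
    src_port: int
    dst_port: int
    service: str
    first_bytes: str          # hex of the first bytes received, never raw bytes
    tags: list = field(default_factory=list)


def classify(data: bytes) -> list:
    """Tag what the visitor appears to be doing, based only on its first bytes."""
    if not data:
        return ["probe"]                    # connect-and-leave, typical of a port scan
    if data.startswith(b"SSH-"):
        return ["ssh-client-hello"]
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return ["http-request"]
    return ["unknown-protocol"]


def build_event(src_ip, src_port, dst_port, data, ts=None) -> Event:
    """Turn one connection into a record; only the first 64 bytes are kept."""
    label = DECOY_SERVICES.get(dst_port, ("unknown", b""))[0]
    return Event(ts if ts is not None else time.time(), src_ip, src_port,
                 dst_port, label, data[:64].hex(), classify(data))


class HoneypotLog:
    """Thread-safe in-memory event store; a real deployment would ship to a SIEM."""

    def __init__(self):
        self.events = []
        self._lock = threading.Lock()

    def add(self, ev: Event) -> None:
        with self._lock:
            self.events.append(ev)
        print(json.dumps(asdict(ev)))       # one JSON line per event

    def by_source(self) -> dict:
        """Connection count per source IP, the first thing an analyst looks at."""
        counts = {}
        with self._lock:
            for ev in self.events:
                counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
        return counts


def handle(conn, addr, dst_port, log):
    """Serve the banner, capture at most one read, record the event, hang up."""
    try:
        conn.settimeout(5)
        conn.sendall(DECOY_SERVICES[dst_port][1])
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        log.add(build_event(addr[0], addr[1], dst_port, data))
    except OSError:
        pass
    finally:
        conn.close()


def serve(port, log):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr, port, log), daemon=True).start()


if __name__ == "__main__":
    log = HoneypotLog()
    for port in DECOY_SERVICES:
        threading.Thread(target=serve, args=(port, log), daemon=True).start()
    print("decoys listening on", sorted(DECOY_SERVICES))
    while True:
        time.sleep(60)
        print("sources so far:", log.by_source())
```

The decoy deliberately does nothing beyond sending a banner and reading once: a low-interaction honeypot yields less detail than a full fake service, but it also gives an attacker nothing to exploit on the host itself.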
Honeypot example
In 2015, internet security experts set up an online railway control system as honeypot bait. The goal was to study how criminals would attack projects where they could put the public at risk. In this case, the only damage done was to a model train set at a German technology conference. Over two weeks, the so-called “HoneyTrain” suffered 2.7 million attacks.
What could be at stake?
Stealing personal information from online targets is one thing. Targeting public transportation systems is another. Beyond IoT devices and the HoneyTrain, researchers have used honeypots to expose vulnerabilities in medical devices, gas stations, industrial control systems used for such things as electrical power grids, and more.
Given all the attention that the bad guys get for their hacking and data breach efforts, it’s good to know that the good guys have a few tricks up their sleeves to help protect against cyberattacks.
As more and more devices and systems become internet-connected, the importance of battling back against those who use the internet as a weapon will only increase. Honeypots can help.
Production vs. Research Honeypots
There are two primary types of honeypot designs:
- Production honeypots—serve as decoy systems inside fully operating networks and servers, often as part of an intrusion detection system (IDS). They deflect criminal attention from the real system while analyzing malicious activity to help mitigate vulnerabilities.
- Research honeypots—used for educational purposes and security enhancement. They contain trackable data that you can trace when stolen to analyze the attack.
Honeypot Limitations
Honeypot security has its limitations as the honeypot cannot detect security breaches in legitimate systems, and it does not always identify the attacker. There is also a risk that, having successfully exploited the honeypot, an attacker can move laterally to infiltrate the real production network. To prevent this, you need to ensure that the honeypot is adequately isolated.
To help scale your security operations, you can combine honeypots with other techniques. For example, the canary trap strategy helps find information leaks by selectively sharing different versions of sensitive information with suspected moles or whistleblowers.
Honeynet: A Network of Honeypots
A honeynet is a decoy network that contains one or more honeypots. It looks like a real network and contains multiple systems, but it is hosted on one or only a few servers, each representing one environment, for example a Windows honeypot machine, a Mac honeypot machine and a Linux honeypot machine.
A “honeywall” monitors the traffic going in and out of the network and directs it to the honeypot instances. You can inject vulnerabilities into a honeynet to make it easy for an attacker to access the trap.
Any system on the honeynet may serve as a point of entry for attackers. The honeynet gathers intelligence on the attackers and diverts them from the real network. The advantage of a honeynet over a simple honeypot is that it feels more like a real network, and has a larger catchment area.
This makes a honeynet a better solution for large, complex networks: it presents attackers with a decoy corporate network that can be an attractive alternative to the real one.
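The honeywall's job, and the isolation requirement from the limitations section, as an added example that is not from the article: a small analyser for honeywall flow records. Traffic into the honeynet is the intelligence you want to collect; traffic out of the honeynet toward production or the internet means the attacker is trying to use the decoy as a stepping stone and must be dropped and alerted on. The subnets, the log line format and the sample lines are all constructed for this example.

```python
"""Honeywall flow analysis (constructed example, not from the article).

Every flow is classified relative to the honeynet boundary, given a
containment verdict, and turned into an alert when the decoy reaches out."""
import re
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("10.10.0.0/24")     # decoy hosts (constructed)
PRODUCTION = ip_network("10.20.0.0/16")   # real corporate network (constructed)

# Constructed honeywall flow log, one flow per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.9:51000 dst=10.10.0.5:22 proto=tcp
2024-05-01T10:00:07Z src=203.0.113.9:51002 dst=10.10.0.5:80 proto=tcp
2024-05-01T10:03:15Z src=10.10.0.5:40001 dst=10.20.4.8:445 proto=tcp
2024-05-01T10:03:16Z src=10.10.0.5:40002 dst=198.51.100.20:6667 proto=tcp
2024-05-01T10:04:00Z src=10.20.4.8:52000 dst=10.20.1.1:53 proto=udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow


def classify_flow(flow: dict) -> str:
    """Where does the flow go relative to the honeynet boundary?"""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    if src in HONEYNET and dst in HONEYNET:
        return "intra-honeynet"
    if dst in HONEYNET:
        return "inbound-to-honeynet"         # the intelligence a honeynet exists for
    if src in HONEYNET and dst in PRODUCTION:
        return "lateral-to-production"       # the isolation failure the text warns about
    if src in HONEYNET:
        return "honeynet-egress"             # decoy being used as a launch pad
    return "other"                           # not honeywall traffic at all


def honeywall_verdict(kind: str) -> str:
    """Containment policy: let attackers in, never let the decoy reach out."""
    if kind == "other":
        return "not-applicable"
    return "allow" if kind in ("inbound-to-honeynet", "intra-honeynet") else "drop"


def analyze(text: str) -> dict:
    """Count flows per class and collect an alert for every dropped flow."""
    counts, alerts = {}, []
    for line in text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        kind = classify_flow(flow)
        counts[kind] = counts.get(kind, 0) + 1
        if honeywall_verdict(kind) == "drop":
            alerts.append((flow["ts"], flow["src"], flow["dst"], flow["dport"], kind))
    return {"counts": counts, "alerts": alerts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("flow counts:", report["counts"])
    for alert in report["alerts"]:
        print("ALERT honeynet containment:", *alert)
```

On the sample log the two inbound flows are recorded as intelligence, the SMB attempt from the decoy toward the production subnet and the outbound IRC-port connection both produce alerts, and the purely internal production flow is ignored. A real honeywall enforces the verdict inline rather than after the fact, but the classification logic is the same.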
Spam Trap: An Email Honeypot
Spam traps are fraud management tools that help Internet Service Providers (ISPs) identify and block spammers. They help make your inbox safer by blocking abusive senders. A spam trap is a fake email address used to bait spammers. Legitimate mail is unlikely to be sent to a fake address, so when an email is received there, it is most likely spam.
Types of spam traps include:
- Username typos—the spam filter detects typos resulting from human or machine error and sends the email into the spam folder. This includes misspelled email addresses like, for example, jhon@labra.com instead of the real john@labrat.com.
- Expired email accounts—some providers use abandoned email accounts or expired domain names as spam traps.
- Purchased email lists—these often contain many invalid email addresses that can trigger a spam trap. Additionally, since the sender didn’t gain authorization to send emails to the accounts on the list, they can be treated as spammers and blacklisted.
Spam traps have weaknesses of their own. They can generate backscatter (automated bounce messages sent in error), and they can taint legitimate email addresses whose owners reply to or forward a trapped message.
Moreover, once a spam trap has been exposed, spammers can exploit it by sending legitimate content to it, causing the spam trap to lose its efficacy. Another risk is that some people may write to an address without realizing that it is a spam trap.
Accidentally hitting a spam trap can damage your organization by affecting your reputation and deliverability. An ISP might block or blacklist your IP address and companies that consult anti-spam databases will filter your emails.
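The spam-trap mechanics above (typo traps, recycled and expired-domain traps, sender reputation, and the backscatter problem), as an added example that is not from the article: a tiny inbound mail gateway that generates typo-trap addresses from real mailboxes, counts trap hits per sending IP, blocks a sender after a threshold, and never bounces a trapped message. The mailboxes, domains, threshold and sample senders are all constructed for this example.

```python
"""Spam-trap handling at an inbound mail gateway (constructed example).

Trap addresses are never published, so any message to one is treated as spam
and counted against the sender. Trapped mail is discarded silently: a bounce
to a forged From: address would itself be backscatter."""
from collections import defaultdict

REAL_MAILBOXES = {"john@labrat.test", "sales@labrat.test"}   # constructed


def typo_variants(address: str) -> set:
    """Typo traps: one-character drops and adjacent swaps in the local part."""
    local, domain = address.split("@", 1)
    variants = set()
    for i in range(len(local)):
        variants.add(local[:i] + local[i + 1:] + "@" + domain)          # dropped char
        if i + 1 < len(local):
            swapped = local[:i] + local[i + 1] + local[i] + local[i + 2:]
            variants.add(swapped + "@" + domain)                         # transposition
    variants.discard(address)
    return variants


TRAPS = set()
for real in REAL_MAILBOXES:
    TRAPS |= typo_variants(real)
TRAPS.add("ops-2011@labrat.test")      # recycled: mailbox retired years ago (constructed)
TRAPS.add("info@expired-domain.test")  # expired domain now held by the filter operator

BLOCK_THRESHOLD = 3                    # trap hits before a sending IP is refused


class Gateway:
    def __init__(self, traps=TRAPS, real=REAL_MAILBOXES):
        self.traps = traps
        self.real = real
        self.hits = defaultdict(int)   # sending IP -> number of trap hits

    def is_trap(self, rcpt: str) -> bool:
        return rcpt.lower() in self.traps

    def blocked(self, ip: str) -> bool:
        return self.hits[ip] >= BLOCK_THRESHOLD

    def process(self, msg: dict) -> str:
        """Decide what to do with one SMTP delivery attempt {"ip": ..., "rcpt": ...}."""
        ip, rcpt = msg["ip"], msg["rcpt"].lower()
        if self.blocked(ip):
            return "reject-blocked-sender"   # refused at SMTP time, sender learns nothing
        if self.is_trap(rcpt):
            self.hits[ip] += 1
            return "discard-trap-hit"        # silently dropped: no bounce, no backscatter
        if rcpt in self.real:
            return "deliver"
        return "reject-unknown-user"         # synchronous reject, never a later bounce


if __name__ == "__main__":
    gw = Gateway()
    stream = [  # constructed delivery attempts: one bulk sender, one legitimate one
        {"ip": "203.0.113.50", "rcpt": "jhon@labrat.test"},
        {"ip": "203.0.113.50", "rcpt": "ops-2011@labrat.test"},
        {"ip": "203.0.113.50", "rcpt": "info@expired-domain.test"},
        {"ip": "203.0.113.50", "rcpt": "sales@labrat.test"},
        {"ip": "198.51.100.7", "rcpt": "john@labrat.test"},
    ]
    for m in stream:
        print(m["ip"], m["rcpt"], "->", gw.process(m))
```

Rejecting unknown users during the SMTP session rather than accepting and bouncing later is what keeps the gateway from producing backscatter; the threshold and the silent discard are the reputation side of the mechanism that the article describes from the sender's point of view.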