Article by Mary Rose Maguire
A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems.
Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.
It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon what you are trying to achieve.
There are two different types of honeypots: production and research. Production honeypots are typically used by companies and corporations. They’re easy to use and capture only limited information.
Research honeypots are more complex. They capture extensive information, and used primarily by research, military, or government organizations.
The purpose of a production honeypot is to mitigate risk to an organization. It’s part of the larger security strategy to detect threats. The purpose of a research honeypot is to collect data on the blackhat community. They are used to gather the general threats against an organization, enabling the organization to strategize their response and protect their data.
The value of honeypots lies in their simplicity. It’s technology that is intended to be compromised. There is little or no production traffic going to or from the device.
This means that any time a connection is sent to the honeypot, it is most likely to be a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised.
As we say about our HoneyPoint Security Server, any traffic going to or from the honeypot is, by definition, suspicious at best, malicious at worst. Now, this is not always the case.
Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity. What are the advantages to using honeypots?
Honeypots collect very little data. What they do collect is normally of high value. This eliminates the noise, making it much easier to collect and archive data. One of the greatest problems in security is sifting through gigabytes of useless data to find something meaningful. Honeypots can give users the exact information they need in a quick and easy to understand format.
- Many security tools can drown in bandwidth usage or activity. NIDs (Network Intrusion Detection devices) may not be able to handle network activity, and important data can fall through the cracks. Centralized log servers may not be able to collect all the system logs, potentially dropping logs. The beauty of honeypots is that they only capture that which comes to them.
Many of our clients swear by our HoneyPoint family of products to help save resources. With its advantages, it’s easy to see why! Leveraging the power of honeypots is an excellent way to safeguard your data.
Cross-posted from State of Security