In computing, a honeypot is essentially a decoy set up to identify and thwart attackers trying to break into a system and exploit its information. Honeypots have mainly been used by investigators to attract hackers to a specific network system so that their moves can be studied and the weaknesses of the site discovered. Early detection of unauthorized network activity against the site has proved quite useful. If you are curious about how honeypots work, read on.
What is a honeypot?
As discussed above, a honeypot is a system placed on a network so that it can be probed and attacked. A honeypot has no production value, so there is no legitimate reason for anyone to interact with it; any connection to it is suspect by definition. Honeypots are used in two ways: production and research.
Honeypots have mainly been used for research, chiefly to collect information about the actions of hackers. For instance, the Honeynet Project is a non-profit security research organization which collects information on cyber-attacks with the help of honeypots.
Production honeypots are less common. They are deployed to guard organizations, and they are gaining recognition for their detection abilities and for the way they complement host-based and network-based intrusion detection.
Types of Honeypots
To understand how honeypots work, it is important to know their types.
Honeypots are either high-interaction or low-interaction, a distinction based on the extent of activity the honeypot permits an attacker.
A high-interaction honeypot involves actual applications and operating systems; there are no copies or emulations here. Hackers have real systems to play with, and organizations can learn a great deal about their behavior. Such honeypots make no assumptions about how the attacker will behave and track every move the hacker makes, so behavior is observed that could not have been learnt otherwise. High-interaction honeypots are quite malleable, and IT security professionals can adapt them to their needs. Also, since nothing is duplicated or emulated, a high-interaction honeypot is a more genuine target and is able to reveal the actual caliber of an attacker. High-interaction honeypots can be difficult to deploy, however, and substantial controls are required to prevent the hacker from using the honeypot to attack other systems.
A low-interaction honeypot, on the other hand, works by emulating operating systems and services. Low-interaction honeypots are considered advantageous because they are easy to set up and, since the hacker is operating on something that is not real, nothing of value can actually be harmed.
How do Honeypots Work?
To understand how this works, let us take an example. Suppose a website has a contact form with various fields such as name, date of birth, address and so on. Spammers and automated crawlers look for every field that can be filled in and sent. A honeypot version of the form includes an extra field that is invisible to regular users but visible to automated spammers, which fill in every field they find and then submit the form, usually within seconds. If the hidden field has been filled in, the submission is rejected. Honeypots can also be time-based: the form carries a timer, and because automated spammers complete the form far faster than a real person possibly could, submissions that arrive too quickly are rejected as well.
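The following is an added example, not code from the article, showing the two form-honeypot checks just described: a hidden field that only automated tools fill in, and a timer that rejects submissions arriving faster than a person could type. The field names, the secret key and the timing thresholds are constructed values chosen for illustration; the render timestamp is signed with an HMAC so that a bot cannot simply post an old timestamp to defeat the timer.

```python
"""Form honeypot: hidden field plus submission timer.

Added example (not from the article). Field names, the secret key and the
timing thresholds are constructed values chosen for illustration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Hidden input that real users never see (it is hidden with CSS), so a
# non-empty value marks an automated submission. Name is a constructed example.
HONEYPOT_FIELD = "website_url"
# Server-side secret used to sign the render timestamp so a bot cannot
# forge an "old" timestamp to defeat the timer. Constructed value.
SECRET_KEY = b"constructed-example-secret-replace-in-production"
MIN_FILL_SECONDS = 3.0         # fastest plausible human completion (assumed)
MAX_FORM_AGE_SECONDS = 3600.0  # reject stale or replayed tokens (assumed)
REQUIRED_FIELDS = ("name", "email", "message")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def make_token(rendered_at: float) -> str:
    """Timestamp of the form render, bound to this server by an HMAC."""
    ts = f"{rendered_at:.3f}"
    mac = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def parse_token(token: str) -> Optional[float]:
    """Return the render timestamp if the token is authentic, else None."""
    ts, _, mac = token.partition(":")
    expected = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(mac, expected):
        return None
    try:
        return float(ts)
    except ValueError:
        return None


def check_submission(fields: dict, submitted_at: Optional[float] = None) -> Verdict:
    """Apply the honeypot checks to one posted form.

    fields: posted form fields, including form_token and the hidden field.
    submitted_at: server clock at the time of the POST (defaults to now).
    """
    if submitted_at is None:
        submitted_at = time.time()

    rendered_at = parse_token(fields.get("form_token", ""))
    if rendered_at is None:
        return Verdict(False, "invalid form token")

    # 1. Hidden-field check: a person's browser leaves it empty; crawlers
    #    that fill every input they find populate it.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return Verdict(False, "honeypot field filled")

    # 2. Timing check: automated submitters finish far faster than a person.
    elapsed = submitted_at - rendered_at
    if elapsed < MIN_FILL_SECONDS:
        return Verdict(False, f"submitted in {elapsed:.2f}s, below human threshold")
    if elapsed > MAX_FORM_AGE_SECONDS:
        return Verdict(False, "form token expired")

    # 3. Ordinary validation of the visible fields still applies.
    for name in REQUIRED_FIELDS:
        if not fields.get(name, "").strip():
            return Verdict(False, f"missing required field {name}")
    return Verdict(True, "ok")


def render_form_html(rendered_at: float) -> str:
    """Form markup: the honeypot input sits in a hidden container, is skipped
    by keyboard navigation and excluded from browser autofill, so only
    automated tools that fill every input will populate it."""
    return (
        '<form method="post" action="/contact">\n'
        f'  <input type="hidden" name="form_token" value="{make_token(rendered_at)}">\n'
        '  <label>Name <input name="name"></label>\n'
        '  <label>Email <input name="email"></label>\n'
        '  <label>Message <textarea name="message"></textarea></label>\n'
        '  <div style="display:none" aria-hidden="true">\n'
        f'    <label>Website <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <button type="submit">Send</button>\n'
        '</form>'
    )


if __name__ == "__main__":
    now = time.time()
    print(render_form_html(now))
    bot = {"form_token": make_token(now), "name": "x", "email": "x@x",
           "message": "buy", HONEYPOT_FIELD: "http://spam.example"}
    print(check_submission(bot, submitted_at=now + 0.4))
```

The hidden container is excluded from autofill and keyboard navigation so that a real user's browser does not populate it by accident; the token expiry guards against a bot that harvests a form once and replays it hours later with an apparently plausible elapsed time.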
A honeypot controls or monitors the work of an attacker. The honeypot audits the attacker's activity by tracking file changes, recording keystrokes, recording the processes started and saving log files. A honeypot should be designed not to store its log files on itself; otherwise the attacker would be able to alter them.
Worms and auto-rooters look for open systems to attack. Honeypots can slow down or even stop such automated attacks. Honeypots use Transmission Control Protocol (TCP) tricks to hold an attacker. Another way a honeypot can thwart cyber-attacks is by discouraging human attackers: honeypots try to sidetrack an attacker, diverting their attention to activities which are not harmful and thus giving the organization time to stop the attack.
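As an added example (not code from the article), the listener below pulls together the low-interaction honeypot described above, the rule that logs must not rest on the honeypot itself, and the idea of using TCP behaviour to hold an automated attacker: it emulates a service banner, drips that banner out one byte at a time so a scanner waiting for a complete greeting stays tied up, records what the client sends, and ships each record over the network to a separate collector. The ports, banner strings and collector address are constructed for illustration.

```python
"""Low-interaction TCP honeypot: emulated service banner, tarpit reply and
off-box logging.

Added example, not from the article. The ports, banner strings and the
log collector address are constructed for illustration.
"""
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Canned greetings for the services we pretend to run. No real daemon
# listens behind them; the strings are constructed for the example.
FAKE_BANNERS = {
    21: b"220 ftp ready\r\n",
    22: b"SSH-2.0-OpenSSH_8.9\r\n",
    23: b"login: ",
}
# UDP collector on a different host; records never stay on the honeypot
# (TEST-NET-1 address, constructed).
LOG_COLLECTOR = ("192.0.2.10", 5140)
DRIP_DELAY = 0.5      # seconds between banner bytes: the TCP "tarpit" hold
MAX_CAPTURE = 512     # bytes of client input kept per connection
IDLE_TIMEOUT = 30     # seconds to wait for the client to send anything


def banner_for(port: int) -> bytes:
    """Greeting to send for a given emulated port (empty line if unknown)."""
    return FAKE_BANNERS.get(port, b"\r\n")


def build_record(peer: tuple, port: int, data: bytes, when: float) -> dict:
    """Describe one interaction. Nothing legitimate talks to a honeypot,
    so every record is alert-worthy; the raw bytes are kept as hex so a
    binary payload cannot corrupt the log line."""
    captured = data[:MAX_CAPTURE]
    return {
        "ts": datetime.fromtimestamp(when, timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "bytes": len(data),
        "payload_hex": captured.hex(),
        "printable": captured.decode("ascii", "replace").strip(),
        "alert": True,
    }


def encode_record(record: dict) -> bytes:
    """One JSON line per interaction, ready for a log collector."""
    return json.dumps(record, sort_keys=True).encode() + b"\n"


def ship_record(record: dict, collector=LOG_COLLECTOR) -> None:
    """Send the record to the remote collector over UDP, never to local disk."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(encode_record(record), collector)


def tarpit_send(conn: socket.socket, payload: bytes, delay: float = DRIP_DELAY) -> None:
    """Drip the banner one byte at a time so an automated client that waits
    for a complete greeting stays tied up on this connection."""
    for i in range(len(payload)):
        conn.sendall(payload[i:i + 1])
        time.sleep(delay)


def handle(conn: socket.socket, peer: tuple, port: int, emulate_as: int) -> None:
    data = b""
    with conn:
        conn.settimeout(IDLE_TIMEOUT)
        try:
            tarpit_send(conn, banner_for(emulate_as))
            data = conn.recv(MAX_CAPTURE)
        except OSError:
            pass  # client gave up or reset; the attempt is still worth logging
    ship_record(build_record(peer, port, data, time.time()))


def serve(port: int, emulate_as: int = None, bind: str = "0.0.0.0") -> None:
    """Accept connections on one port, greeting clients as the emulated service."""
    emulate_as = emulate_as or port
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, port, emulate_as),
                             daemon=True).start()


if __name__ == "__main__":
    serve(2222, emulate_as=22)  # unprivileged port for a local demo
```

Because a honeypot receives no legitimate traffic, every record carries an alert flag and the collector can page on the first one; the captured payload is truncated and hex-encoded so that a hostile client cannot fill the log or inject fake lines into it.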
In the discussion above we have seen that honeypots help address external attacks. It is worth noting, however, that they are also used to detect internal attacks, which can cause more harm than external ones.
A compromised system can be tough to examine because it is not easy to reconstruct the attacker's activity. Honeypots capture the unauthorized activity, and the honeypot can be taken offline for investigation without disrupting the daily activities of a business. More advanced honeypots are stronger still: they can shut the system down based on an attacker's activities and let security administrators regulate the attacker's actions.
Although honeypots are meant to track or stop attackers, there is a chance that the honeypot itself will be compromised. Ensure an alert is set which informs the administrator of such a compromise. A honeypot should be placed on its own subnet behind a firewall; this way the production servers will not be harmed.
Honeypots have a limited field of view. They can only detect activity directed against them; attacks on other systems go unnoticed by them. This is why, even when you use honeypots, your other security controls should not be removed. Honeypots should be deployed as a complementary technology alongside host-based intrusion defense systems.
So, now you know how honeypots work. With research and time, honeypots will become an important element of online security.