In computer terminology, a honeypot is a computer security mechanism
set to detect, deflect, or, in some manner, counteract attempts at unauthorized
use of information systems.
Generally, a honeypot consists of data (for example, in a network site) that appears to be
a legitimate part of the site, but is actually isolated and monitored, and that
seems to contain information or a resource of value to attackers, who are then
blocked. This is similar to police sting operations, colloquially known as "baiting" a suspect.
A honeypot is a computer system that is set up to act as a
decoy to lure cyber attackers, and to detect, deflect or study attempts to gain unauthorized access to information systems. Generally, it consists
of a computer, applications, and data that simulate the behavior of a real
system that appears to be part of a network but is actually isolated and
closely monitored. All communications with a honeypot are considered hostile,
as there's no reason for legitimate users to access a honeypot. Viewing and
logging this activity can provide an insight into the level and types of threat a
network infrastructure faces while distracting attackers away from assets of
real value.
Based on their design and deployment, honeypots are classified as either production
or research honeypots. Research honeypots are run to enable close analysis of hacker activity and how attacks develop and progress in order
to learn how to better protect systems against them. Data placed in a honeypot
with unique identifying properties can also help analysts track stolen data and
identify connections between different participants in an attack.
Production honeypots are placed inside a production
network with other production servers in the role of a decoy as part of a
network intrusion detection system (IDS). They are designed to appear
real and contain information or a resource of value with which to attract and
occupy hackers. This ties up the attacker's time and resources, hopefully
giving administrators time to assess and mitigate any vulnerabilities in
their actual production systems. The information gathered from the honeypot can
also be useful in catching and prosecuting those behind an attack. Researchers
suspect that some cybercriminals also use honeypots to gather intelligence
about researchers, act as decoys and to spread misinformation.
High-interaction honeypots imitate the
activities of a production system and capture extensive information -- pure
honeypots are full-fledged production systems using a tap on the honeypot's
link to the network. The goal of high-interaction honeypots is for the attacker
to gain root access on the machine, and then study what he or she does. An
attacker with root access has access to all commands and files on a system, so
this type of honeypot carries the greatest risk but also has the greatest
potential for collecting information. Low-interaction honeypots simulate only
the services frequently targeted by attackers and so are less risky and less
complex to maintain. Virtual machines are often used to host
honeypots so the honeypot can be restored more quickly if it is compromised. Two
or more honeypots on a network form a honey net, while a honey farm is a
centralized collection of honeypots and analysis tools.
Honeypots do help
in understanding the threats network systems face, but production honeypots
should not be seen as a replacement for a standard IDS. If not configured
correctly they can be used to access the real production system or be used as a
launch pad for attacks against other systems.
HONEYPOTS CLASSIFICATION
· Pure Honeypots
· High-Interaction Honeypots
· Low-Interaction Honeypots
Pure honeypots are full-fledged production
systems. The activities of the attacker are monitored by using a bug tap that
has been installed on the honeypot's link to the network. No other software
needs to be installed. Even though a pure honeypot is useful, a more controlled
mechanism can better ensure the stealthiness of the defense mechanisms.
High-interaction honeypots imitate the activities of the
production systems that host a variety of services and, therefore, an attacker
may be offered a lot of services on which to waste their time. By employing virtual
machines, multiple honeypots can be hosted on a single physical machine.
Therefore, even if the honeypot is compromised, it can be restored more
quickly. In general, high-interaction honeypots provide more security by being
difficult to detect, but they are expensive to maintain. If virtual machines
are not available, one physical computer must be maintained for each honeypot,
which can be exorbitantly expensive. Example: Honeynet.
Low-interaction honeypots simulate only the services
frequently requested by attackers. Since they consume relatively few resources,
multiple virtual machines can easily be hosted on one physical system, the
virtual systems have a short response time, and less code is required, reducing
the complexity of the virtual system's security. Example: Honeyd.
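The two ideas above (every contact with a honeypot is hostile and worth logging, and a low-interaction honeypot only emulates the services attackers request) in a minimal form, as an added example that is not part of the original text and not Honeyd's code. The decoy ports, banners and log fields are assumptions chosen for illustration; nothing a client sends is ever executed.

```python
import socket
import threading
from datetime import datetime, timezone

# Emulated services: port -> banner. Constructed values for this example; they
# only need to look plausible to a scanner, nothing real runs behind them.
BANNERS = {2222: b"SSH-2.0-OpenSSH_7.4\r\n",
           2121: b"220 ftp.example.invalid FTP server ready\r\n"}

def record_event(port, peer, payload, ts=None):
    """Every contact with a honeypot is hostile, so each connection is an alert."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return {"ts": ts, "service": port, "src_ip": peer[0], "src_port": peer[1],
            "first_bytes": payload[:64].decode("latin-1"), "severity": "alert"}

def summarize(events):
    """Per-source view for the analyst: contact count and decoy ports touched."""
    out = {}
    for e in events:
        s = out.setdefault(e["src_ip"], {"contacts": 0, "services": set()})
        s["contacts"] += 1
        s["services"].add(e["service"])
    return {ip: {"contacts": v["contacts"], "services": sorted(v["services"])}
            for ip, v in out.items()}

def serve(port, log, stop):
    """One decoy port: banner out, up to 64 bytes in, log, close; nothing is run."""
    with socket.create_server(("127.0.0.1", port)) as srv:
        srv.settimeout(0.5)                 # wake up regularly to check `stop`
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2)          # a silent client must not pin the thread
                conn.sendall(BANNERS[port])
                try:
                    data = conn.recv(64)
                except socket.timeout:
                    data = b""
                log.append(record_event(port, peer, data))

if __name__ == "__main__":
    log, stop = [], threading.Event()
    for p in BANNERS:
        threading.Thread(target=serve, args=(p, log, stop), daemon=True).start()
    stop.wait(60)                           # collect for a minute, then report
    stop.set()
    print(summarize(log))
```

The listener binds loopback only; a real deployment would place it on an isolated, monitored segment and ship the records to the IDS rather than print them.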