Honeypot (computing)

In computing, a honeypot is a cybersecurity tool: a decoy system or resource deployed to lure attackers into interacting with it. By design, honeypots mimic the appearance of legitimate targets, appearing to be of value or interest to attackers, and they often appear vulnerable or already compromised, enticing malicious actors into attempting to breach them. Because a honeypot serves no legitimate business function, any traffic that reaches it is suspicious by definition, which is what makes it a low-noise detection source. Internal security staff monitor the traffic interacting with the honeypot system, gaining insight into the attackers’ objectives, techniques, and capabilities.

Honeypots have been used as a network security strategy since the early days of the Internet and are widely used in enterprise and government cybersecurity. When deployed successfully, they offer an efficient and cost-effective way to identify specific threats, confuse and slow down attackers, and dupe attackers into overcommitting or exhausting their resources on a decoy. However, they also involve inherent risks that must be carefully managed: an attacker who correctly identifies the honeypot as a trap can feed it misleading data or simply avoid it, and a poorly isolated honeypot can itself be turned into a foothold for attacking real systems.

Background

Honeypots have been a strategic mainstay of cybersecurity since the very beginning of the Internet era. Their history is often traced to two publications that described the honeypot technique in its emergent form: The Cuckoo’s Egg, a 1989 book by Clifford Stoll, an astronomer who was then managing computer systems at Lawrence Berkeley Laboratory, and “An Evening with Berferd,” William (Bill) Cheswick’s account of a 1991 intrusion attempt against an AT&T Bell Laboratories Internet gateway, published at the 1992 USENIX Winter Conference.

In The Cuckoo’s Egg, Stoll recounts an experience from the waning years of the Cold War in which he detected and tracked a West German hacker attempting to steal data from US government and military computer systems. Working with US federal agents, Stoll used an early incarnation of a honeypot, a set of fabricated but enticing documents about a fictitious “SDINET” project, to keep the intruder connected long enough for the connection to be traced, which led to his identification as German national Markus Hess. Hess and an accomplice were later convicted of illegally obtaining information and selling it to the Soviet Union for $54,000 (about $108,000 when adjusted for inflation).

“An Evening with Berferd” describes Cheswick’s encounter with a hacker attempting to exploit what appeared to be an open vulnerability in the mail service of an Internet gateway under Cheswick’s management; the flaw was in fact a deliberately presented lure. In his report, Cheswick explains how he drew the hacker “on a merry chase in order to trace his location and learn his techniques.” The report documents the techniques that Cheswick used to lure the hacker into the network, the isolated “jail” environment he built to contain him, and the observations he made of the hacker’s activities.

By 1997, Stoll and Cheswick’s techniques had been codified into a system known as Deception Toolkit 0.1, written by Fred Cohen and widely cited as the first formally structured computing honeypot. The following year, the first commercial honeypot software was issued under the name CyberCop Sting. Also in 1998, a free honeypot tool for the Windows operating system was released as BackOfficer Friendly. These products marked a strong uptick in enterprise and organizational interest in honeypot systems, and by 2001 Internet technologists were using honeypots to capture malware from Internet-based sources and to monitor malicious traffic on computing networks. Honeypot technology has continued to mature, expanding its range of applications and capabilities, and has proved to be a valuable research, detection, and cybercrime prevention tool.

Overview

Cybersecurity professionals classify contemporary honeypots using two schemes: one categorizes them by design, the other by underlying purpose. Design-based labels include three main types: pure honeypots, high-interaction honeypots, and low-interaction honeypots. Purpose-based labels distinguish research honeypots from production honeypots.

A pure honeypot is a full, production-grade system, configured to present convincing signs of vulnerability, whose every connection to the rest of the network is watched by monitoring software placed on the link (for example a network tap) rather than on the honeypot itself. Pure honeypots require significant resources to set up and administer but are also the most convincing to attackers. High-interaction honeypots run real operating systems and services inside an isolated, usually virtualized, environment so that an attacker can be allowed to go as far as compromising the host while being observed; the isolation lets them be snapshotted, reset, and shut down easily, but because they expose real software they demand planning, configuration, and management resources comparable to pure honeypots. Low-interaction honeypots do not run the real service at all; they emulate a small, carefully selected set of protocol behaviours (a login banner, a password prompt, a few responses) that cover a specific but limited set of attack vectors. They are the cheapest to operate and safest to expose, but also stand the greatest chance of being correctly identified as a trap by an experienced attacker, because the emulation breaks down as soon as the attacker asks for something it does not implement.

Purpose-based classification distinguishes research honeypots, which are designed and configured for careful, detailed monitoring and analysis of the strategies attackers use to compromise and penetrate a target, from production honeypots. Research honeypots are generally used to gather intelligence on evolving threats and novel techniques and to determine what kinds of information a particular attacker or group seems most interested in; in some cases they can also be used to trace and identify attackers. Production honeypots typically operate alongside, but isolated from, an enterprise or organization’s production infrastructure. They serve two roles: as a high-fidelity detection sensor, since any interaction with them is by definition unauthorized and can raise an alert with few false positives, and as a distraction while an attack is in progress, drawing attackers’ attention away from important, valuable, or sensitive assets and slowing them down so that real information and services can be properly protected.

Cybersecurity experts also deploy honeynets to similar ends. A honeynet is a group of honeypots arranged in a network, which appear from the outside to function exactly like a legitimate computer network would. They allow monitoring software and personnel to track complex hacker movement across networked file and web servers, creating a more convincing illusion of legitimacy to the hacker while delivering more detailed and valuable strategic intelligence regarding the hacker’s objectives and techniques.

Honeypots and honeynets are commonly grouped in an emerging cybersecurity market known as deception technology. This technology category offers dynamic tools powered by artificial intelligence and machine learning to deploy honeypots, honeynets, and similar products in ways that automatically shift and change. They therefore appear more authentic to hackers while freeing up internal IT and network resources by automating the design, configuration, and management of cybercrime deception initiatives.

Beyond their advantages, honeypots also carry risks that must be carefully managed and mitigated to properly protect digital assets. Honeypots have a narrow field of view and can only detect activity directed at them. If an attacker breaches a network but never touches a honeypot, the honeypot contributes nothing, potentially allowing the attacker to operate freely in the absence of other detection capabilities. If an attacker identifies the honeypot through what cybersecurity experts call “fingerprinting” (for example by noticing that a login prompt accepts any username, never authenticates, or answers commands inconsistently), the attacker can avoid it or deliberately feed false information into it, which could contaminate or completely undermine the accuracy of the data gathered by a research honeypot.
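The following is an added example (written for this page, not code from any of the sources or products it cites) of the low-interaction design described above together with the fingerprinting caveat: a tiny honeypot that emulates only a Telnet-style login prompt, never authenticates, and records every username/password attempt as a structured event suitable for alerting. The banner text, port selection, and the attacker client used to exercise it are all constructed for the demonstration and imitate no specific real device. Everything runs on the loopback interface.

```python
"""Minimal low-interaction honeypot emulating a Telnet-style login prompt.
Any connection is treated as hostile: the service never authenticates, and
every username/password pair is recorded as a structured event.
Added example for this page; not code from any source it cites."""
import json
import socket
import threading
import time
from dataclasses import dataclass, field

# Constructed banner text; it imitates no specific real device (assumption).
BANNER = b"\r\nUbuntu 18.04.5 LTS\r\n\r\n"
MAX_ATTEMPTS = 3          # close after a few failures, as a real telnetd does


@dataclass
class LoginEmulator:
    """Per-session state machine: feed() takes one attacker line and returns
    the bytes to send back; state becomes 'closed' when the session ends."""
    peer: str
    state: str = "user"
    username: str = ""
    attempts: int = 0
    events: list = field(default_factory=list)

    def greeting(self) -> bytes:
        return BANNER + b"login: "

    def feed(self, line: bytes) -> bytes:
        text = line.rstrip(b"\r\n").decode("utf-8", "replace")
        if self.state == "user":
            self.username, self.state = text, "pass"
            return b"Password: "
        # Password stage: log the pair; every login fails by design.  That
        # "accepts any username, always fails" behaviour is exactly the kind
        # of tell an attacker uses to fingerprint a low-interaction honeypot.
        self.attempts += 1
        self.events.append({"ts": time.time(), "peer": self.peer,
                            "username": self.username, "password": text,
                            "attempt": self.attempts})
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "closed"
            return b"\r\nLogin incorrect\r\n"
        self.state = "user"
        return b"\r\nLogin incorrect\r\n\r\nlogin: "


def handle_session(conn: socket.socket, peer: str, sink: list) -> None:
    """Drive one TCP connection through the emulator; append events to sink."""
    emu = LoginEmulator(peer=peer)
    conn.settimeout(30)
    buf = b""
    try:
        conn.sendall(emu.greeting())
        while emu.state != "closed":
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf and emu.state != "closed":
                line, buf = buf.split(b"\n", 1)
                conn.sendall(emu.feed(line))
    except OSError:
        pass                                  # timeout or peer reset
    finally:
        conn.close()
        sink.extend(emu.events)


def start_server(host="127.0.0.1", port=0, sink=None):
    """Listen in a background thread; returns (bound_port, sink, stop_event).
    Port 0 lets the OS pick a free port."""
    sink = [] if sink is None else sink
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    srv.settimeout(0.2)
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handle_session, daemon=True,
                             args=(conn, f"{addr[0]}:{addr[1]}", sink)).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], sink, stop


def _read_until(s: socket.socket, markers) -> bytes:
    data = b""
    while not data.endswith(markers):
        chunk = s.recv(1024)
        if not chunk:
            break
        data += chunk
    return data


def simulate_attacker(port: int, creds, host="127.0.0.1") -> bytes:
    """Constructed attacker client: tries each (user, password) pair in turn
    and returns the full transcript the honeypot sent back."""
    with socket.create_connection((host, port), timeout=5) as s:
        out = _read_until(s, (b"login: ",))
        for user, pw in creds:
            s.sendall(user.encode() + b"\r\n")
            out += _read_until(s, (b"Password: ",))
            s.sendall(pw.encode() + b"\r\n")
            out += _read_until(s, (b"login: ", b"Login incorrect\r\n"))
    return out


def wait_for_events(sink: list, n: int, timeout=3.0) -> list:
    """Block until sink holds at least n events or the timeout elapses."""
    deadline = time.time() + timeout
    while len(sink) < n and time.time() < deadline:
        time.sleep(0.05)
    return list(sink)


if __name__ == "__main__":
    port, sink, stop = start_server()
    print(f"honeypot listening on 127.0.0.1:{port}")
    # Constructed attacker session against the local listener.
    simulate_attacker(port, [("root", "toor"), ("admin", "admin"), ("root", "123456")])
    for ev in wait_for_events(sink, 3):
        print(json.dumps(ev))             # one JSON event per line, SIEM-ready
    stop.set()
```

Each event carries the peer address and the credential pair, which is the whole value of a production honeypot as a sensor: there is no legitimate reason for anyone to log in here, so a single event is alert-worthy. The emulator's narrowness is also its weakness, as the page's fingerprinting caveat notes: it implements nothing beyond the prompt, so an attacker who tries a valid-looking command or compares its behaviour with a real telnetd will quickly see the seams.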


Bibliography

“2 W. Germans Get Suspended Terms as Computer Spies.” Los Angeles Times, 16 Feb. 1990, www.latimes.com/archives/la-xpm-1990-02-16-mn-667-story.html. Accessed 9 Mar. 2021.

Akkaya, Deniz and Fabien Thalgott. “Honeypots in Network Security.” Linnaeus University, 29 June 2010, www.diva-portal.org/smash/get/diva2:327476/fulltext01. Accessed 9 Mar. 2021.

“Booknotes: The Cuckoo's Egg.” C-SPAN, 13 Oct. 1989, www.c-span.org/video/?10122-1/the-cuckoos-egg. Accessed 9 Mar. 2021.

Cheswick, Bill. “An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied.” AT&T Bell Laboratories, 1991, www.cs.umd.edu/class/fall2017/cmsc414/readings/berferd.pdf. Accessed 9 Mar. 2021.

Fruhlinger, Josh. “What Is a Honeypot? A Trap for Catching Hackers in the Act.” IDG Communications, 1 Apr. 2019, www.csoonline.com/article/3384702/what-is-a-honeypot-a-trap-for-catching-hackers-in-the-act.html. Accessed 9 Mar. 2021.

Lutkevich, Ben, Casey Clark, and Michael Cobb. “Honeypot (Computing).” TechTarget, 27 Feb. 2021, searchsecurity.techtarget.com/definition/honey-pot. Accessed 9 Mar. 2021.

Regalado, Daniel, et al. Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth Edition. New York: McGraw Hill Professional, 2018.

Symanovich, Steve. “What Is a Honeypot? How It Can Lure Cyberattackers.” Norton, 26 May 2020, us.norton.com/internetsecurity-iot-what-is-a-honeypot.html. Accessed 9 Mar. 2021.