A honeypot is a decoy computer system used to analyze how cyber attackers attempt to compromise a real machine. They are used by both security researchers and companies to determine where to focus their security resources. Could your organization benefit from such a service?
What is a Honeypot?
A honeypot is a decoy machine designed to lure hackers into attacking a seemingly vulnerable or lucrative computer system. Because these machines are designed to look like a production system, hackers will use the same attacks that they would be using on a real computer system. This makes honeypots a great way to study how attackers carry out exploits and compromise systems in the real world.
Honeypots have primarily been used by security researchers to study new attacks being carried out “in the wild” and to design ways to respond to and mitigate newly discovered vulnerabilities. However, these systems can also be used by organizations to see how to better secure their own networks. By creating a virtual system that mimics their production environment, an organization can observe how attackers are attempting to breach their systems, and better determine where to focus their information security resources.
Types of Honeypots
There are two major categories of honeypots that are used: low-interaction and high-interaction. Both of these honeypots use virtual machines (VMs) to ensure that these decoy systems are disconnected from the real, production network. These VMs also ensure that the honeypot can be reverted back to its original state if it is compromised and corrupted, damaged, or destroyed.
While a low-interaction honeypot simulates a production machine, this type of honeypot has limited services running. The services running on a low-interaction honeypot feature either the most common attack vectors or the specific services that the organization is most concerned with securing. These limited honeypots also provide no access to an administrator account, limiting the ability to discover privilege escalation techniques. Because many attack vectors will be unavailable, previously undiscovered or undisclosed vulnerabilities (known as zero-days) will not be able to be executed. This limits what an organization is able to capture as far as real-world vulnerabilities.
Because a low-interaction honeypot is limited to a small number of services, however, these can be more cost-effective for smaller organizations to implement and maintain.
A high-interaction honeypot simulates a full-scale production system. These honeypots run all of the services that would be present on a real computer system. These include real directory structures, and available admin or “root” accounts that can be compromised. Because these VMs are full computer systems, they can be used to best determine how attackers are attempting to compromise the machine. Beyond detecting initial attacks, high-interaction honeypots can also be used to determine what actions an attacker takes after the system is compromised.
When an attacker breaches a computer system, they will begin to focus on “privilege escalation.” This is the stage where the attacker attempts to compromise an account with higher permissions than the account that they currently control. In most cases, they will attempt to access an administrator account or a user account that is setup to carry out administrator functions. By using a high-interaction honeypot, security professionals can monitor how attackers are attempting to escalate privileges, and determine ways to prevent these attempts in their real computer systems.
Because high-interaction honeypots are full computer systems in a virtual environment, they can be resource intensive to create and maintain, both in terms of time and financial cost. The same effort that goes into creating production servers must also go into creating the high-interaction honeypot system.
A honeynet is a network consisting of multiple honeypots. These can be used to help simulate a real environment, because most attackers would expect to other machines networked to the computer system they compromise. Through the use of a honeynet, security professionals can not only observe the privilege escalation that an attacker would attempt on one machine, but also how the attacker could use the services on networked systems to compromise other machines, such as migrating from a compromised web server to an internal file server. However, because of the cost and resources in setting up a honeynet, this is primarily used by security research organizations.
In 2015, Symantec set up a honeypot to simulate various Internet of Things (IoT) devices. These are devices that are directly connected to the Internet, and can include routers, camera systems, home assistants such as Google Home or Alexa, televisions, and more. This honeypot was used to determine which countries were launching the most IoT targeting attacks, and how these devices were being compromised. In many cases, attackers simply used default passwords, with “admin” being the most common password attempted. Attackers usually start with these types of guesses on IoT devices, as many users never change the default passwords.
Another honeypot experiment was conducted in 2015 that simulated an Internet-connected railway control system. This project, called “HoneyTrain,” used a model train system controlled by real industrial control hardware and communication protocols. The project also used simulated software for the control systems, including simulated CCTV footage of real railway stations. The project also launched a website for the fictional railway system, including a ticketing system as well as train arrival schedule. The data for the arrival schedule was pulled from the model train control system. As attacks were launched, the physical model train would be affected, and the delays would be reflected on the arrival schedule on the website.
Project “HoneyTrain” was used to determine how attackers would go after production systems that could put real lives in danger, or cause significant delays to a transportation system. Within 6 weeks of launch, 2.7 million attacks were launched against the fake train system.
Should Your Organization Use a Honeypot?
Honeypots can be a great resource to see how attackers may compromise a production environment. These honeypots can be fine-tuned to simulate an organization’s computer system. There are several important considerations an organization must make, however, before implementing such a system. The honeypot must be implemented with security in mind before anything else. It is important to make sure that the decoy system is properly isolated, so that an attacker is not able to move from the decoy system into an organization’s production environment. It is also important for an organization to determine what type of honeypot should be used, balancing the needs of the organization with the costs to implement the various types of honeypots.
Schedule a consultation with Phoenix Security Labs today to discuss whether your organization could benefit from a honeypot, how it could be implemented and isolated from your network, and the various pricing options for the creation and maintenance.