Let’s admit it – the first connection that you made with the word “honeypot” was Winnie-the-Pooh. In the same way that the ever-loved animated character is in love with honeypots, cybercriminals can be attracted and misled by this type of security decoy mechanism.
This is the topic we are going to cover in our current edition of Expert’s Talk. In this series of articles, we discuss specific trends, insights, and perspectives in the field of cybersecurity with experts. This time, Stefan Radushev will tell us more about cybersecurity honeypots and the way they are used. He is managing director and cybersecurity consultant at 3Cyber-Sec. Stefan has extensive knowledge and experience as a Cyber Security Consultant and Penetration tester within the Banking, Pharmaceutical, and Maritime sectors. He can build comprehensive penetration testing scenarios in support of compliance frameworks so that remedial actions and processes can be set in place to eliminate and mitigate vulnerabilities in the companies he works with.
What is a cybersecurity honeypot?
A cybersecurity honeypot is a way for companies and experts to “hack” the hackers. It is a shallow piece of the organisation’s system, designed with one single purpose – to attract the attention of cyber attackers, who will mistake it for an actual part of the system.
“In reality, it is created to serve as a decoy and distract the attention from the real essential parts of the operations and infrastructure. Its main function is to alarm if an attack occurs. It also can help the people that installed and maintain it to understand the tactics and tools used by the hackers in their attempts to penetrate the organisation.”
Types of honeypots used in practice
As cybersecurity threats vary, so do the honeypots that are used to counter them. There are some preferred for the needs of the private sector, while others are strictly used by public bodies like government agencies and even military command bodies. Let’s go through the different types of honeypots out there:
Honeypot that works with a low level of interaction
As the name suggests, this type of cybersecurity honeypot is designed in a way to provide a limited part of the system in the form of a hacker bait.
“It is hosted on a server and sets very streamlined and numbered functionalities that can be appealing to hackers. The main goal here is to focus on the areas of the system that suffer cyber attacks most frequently. The end game? Locate where the attacks are coming from.”
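A minimal low-interaction decoy of the kind described in this section, as an added example that is not code from the interview or from 3Cyber-Sec. The FTP-style banner, port 2121 and the event field names are assumptions chosen for illustration; the listener only records who connected and what they sent first.

```python
import asyncio
import json
from collections import Counter
from datetime import datetime, timezone

FAKE_BANNER = b"220 files.corp.example FTP server ready\r\n"  # assumed decoy banner
MAX_BYTES, TIMEOUT = 1024, 5   # bound what a single probe can cost the decoy
SOURCES = Counter()            # contacts seen per source IP

def record_probe(peer_ip, peer_port, local_port, data, now=None):
    """Build one alert event; attacker input is stored as data, never executed."""
    SOURCES[peer_ip] += 1
    return {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": local_port,
        "first_bytes": data[:MAX_BYTES].decode("latin-1"),  # lossless for any byte
        "seen_from_src": SOURCES[peer_ip],
        "alert": True,  # nothing legitimate ever connects to a decoy
    }

async def handle(reader, writer):
    peer_ip, peer_port = writer.get_extra_info("peername")[:2]
    local_port = writer.get_extra_info("sockname")[1]
    data = b""
    try:
        writer.write(FAKE_BANNER)
        await writer.drain()
        data = await asyncio.wait_for(reader.read(MAX_BYTES), TIMEOUT)
    except (asyncio.TimeoutError, ConnectionError):
        pass  # silent or reset connections are still recorded below
    # json.dumps escapes CR/LF, so a probe cannot forge extra log lines
    print(json.dumps(record_probe(peer_ip, peer_port, local_port, data)))
    writer.close()

async def serve(host="127.0.0.1", port=2121):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```

Each printed line is one JSON event that a log collector can pick up; the per-source counter is what answers the “where are the attacks coming from” question.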
Honeypot that works with a high level of interaction
As the complexity of the honeypot grows, so does the investment you have to make to maintain it. Here we can have something that duplicates a whole production system.
“This is like giving hackers a playground. You put some fences around and let them go wild inside. These types of honeypots can’t be detected by hackers so easily. And here the goal of the organisation/experts setting up the trap is different. It is to research and learn the most they can about the cyber attacks and their source.”
Honeypot in the form of e-mail trap
Spammers can be annoying and this is the way to deal with them. An e-mail trap works by setting up a fake e-mail address that all the spam letters will go to. After that, their source can be tracked and blocked and you won’t hear of them again.
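The tracking step of an e-mail trap, as an added example that is not part of the original article: it correlates simplified, constructed Postfix-style log lines by queue ID and counts which connecting IPs delivered mail to the trap mailbox. The trap address, the allowlisted relay and the log lines are assumptions made for illustration.

```python
import re
from collections import Counter

TRAP_ADDRESS = "trap@corp.example"   # assumed decoy mailbox no real person uses
ALLOWLIST = {"198.51.100.10"}        # assumed shared relay that must not be blocked

# Constructed, simplified Postfix-style log lines (not real traffic).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.45]
Jan 10 10:00:01 mx postfix/qmgr[1900]: 4A1B2C3D4E: from=<promo@bulk.example>, size=2048, nrcpt=1 (queue active)
Jan 10 10:00:02 mx postfix/local[2103]: 4A1B2C3D4E: to=<trap@corp.example>, relay=local, status=sent (delivered to mailbox)
Jan 10 10:05:11 mx postfix/smtpd[2104]: 5B2C3D4E5F: client=mail.partner.example[192.0.2.20]
Jan 10 10:05:11 mx postfix/qmgr[1900]: 5B2C3D4E5F: from=<alice@partner.example>, size=900, nrcpt=1 (queue active)
Jan 10 10:05:12 mx postfix/local[2105]: 5B2C3D4E5F: to=<bob@corp.example>, relay=local, status=sent (delivered to mailbox)
Jan 10 10:09:40 mx postfix/smtpd[2106]: 6C3D4E5F60: client=unknown[203.0.113.45]
Jan 10 10:09:41 mx postfix/local[2107]: 6C3D4E5F60: to=<TRAP@corp.example>, relay=local, status=sent (delivered to mailbox)
Jan 10 10:12:03 mx postfix/smtpd[2108]: 7D4E5F6071: client=relay.bigmail.example[198.51.100.10]
Jan 10 10:12:04 mx postfix/local[2109]: 7D4E5F6071: to=<trap@corp.example>, relay=local, status=sent (delivered to mailbox)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
CLIENT = re.compile(r"client=\S*\[(?P<ip>[^\]]+)\]")
RCPT = re.compile(r"to=<(?P<rcpt>[^>]+)>")

def trap_hits(log_text, trap=TRAP_ADDRESS):
    """Count deliveries to the trap mailbox per connecting client IP."""
    client_by_qid, hits = {}, Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if c := CLIENT.match(rest):
            client_by_qid[qid] = c["ip"]   # remember who opened this queue ID
        elif (r := RCPT.match(rest)) and r["rcpt"].lower() == trap.lower():
            hits[client_by_qid.get(qid, "unknown")] += 1
    return hits

def blocklist(hits, min_hits=1, allow=ALLOWLIST):
    """Return (IPs to block, allowlisted IPs that hit the trap and need review)."""
    block = sorted(ip for ip, n in hits.items()
                   if n >= min_hits and ip not in allow and ip != "unknown")
    review = sorted(ip for ip in hits if ip in allow)
    return block, review

if __name__ == "__main__":
    print(blocklist(trap_hits(SAMPLE_LOG)))
```

The allowlist matters in practice: spam relayed through a large shared mail provider arrives from an IP that also carries legitimate mail, so those hits are surfaced for review rather than blocked.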
Using a database as a decoy
How do you limit SQL injection attacks? Create a “fake” database and attract hackers to it while your real application remains intact and functional. If the database honeypot is compromised, observe what the vulnerable places are. If they are the same as in the real database, take the actions needed to fix them.
Net for the spider crawlers
Here the name reveals the target. While other honeypots are directed at hackers and cyber attacks, here we are dealing with the automated spider crawlers.
“‘The net’ here consists of a variety of online pages and links between them that will be a good prey for the spiders. The goal here is to study them and prevent further real damage they can do.”
Honeypot that prevents malware attacks
This type of decoy is created in a way to trigger more malware attacks. Everything that is gathered here as useful information can be integrated into the development of software that detects and/or prevents malware attacks.
Can you use more than one honeypot?
There are cases where organisations set up two or more honeypots at the same time. These are called honey nets and they can even grow to honey farms in some cases.
“If the network and infrastructure are big enough, such measures might be integrated into the whole cyber defense strategy of the company or institution.”
The good and bad sides of having a honeypot
Of course, the coin has two sides and there are pros and cons of maintaining cybersecurity honeypots. Here are the good ones:
- You can learn useful insights about the cyber threats your company is facing;
- You can understand what vulnerable places in the system are being targeted;
- It sets a fake “red cape” for hackers to attack, instead of the system in place.
On the other hand, there can be some downsides to honeypots that experts in the sector acknowledge:
- If hackers find out that you are giving them a decoy in the form of a honeypot, they can feed you false data while planning an attack on your actual system;
- You may have a honeypot set up that is not configured in the best way to suit your organisation;
- A honeypot can give you some misleading information even if there is no additional attack on your system.
The integration of the correct cybersecurity honeypot(s) in your defense strategy against cybercrimes should be a tailor-made approach handled by experienced professionals. We at 3Cyber-Sec have a personal approach to any case our team examines. This allows us to give recommendations based on the needs of any client. If you want to learn more about our security services and find out if you really can use something like a cybersecurity honeypot, feel free to reach out to us.