Guide on Honeypots

Ashish Khare
4 min read · Nov 17, 2020


Hey guys, Ashish here. In this writeup I'm going to share some basic information about honeypots, so let's hop into it.

Honeypots are hardware or software systems deployed by an organization's security team to study the threats posed by attackers. A honeypot acts as bait: it draws the attacker's attention, lets the organization gather information about the attacker's tools and behaviour, and at the same time keeps them away from the real target systems.

Table of Contents :

  • What are Honeypots
  • Working of Honeypots
  • Types of Honeypots
      • Based on the design
      • Based on the deployment
      • Based on their deception technology

What are honeypots?

Honeypots are a security resource set up to entice attackers and deceive them when they try to intrude into a network for some illegal purpose. They are deployed to observe what the attacker does inside the network, so that the organization can build stronger defences against such intrusions. A honeypot holds no genuinely valuable data: it is a decoy whose only job is to be attacked and to log the traffic it receives. Because no legitimate user has any reason to touch it, almost every interaction with a honeypot is suspicious by definition, which keeps false positives low compared with alerts from production systems.

Working of honeypots

As an IT administrator in an organization, you would set up a honeypot that looks like a genuine system to the outside world. The kinds of data that honeypots generally capture:

  • Keystrokes typed by the attacker
  • The IP address of the attacker
  • The usernames and privilege levels used by the attacker
  • The data that the attacker accessed, deleted or altered

Types of Honeypots :

Based on the design

Low-Interaction Honeypots: They emulate only a limited set of the services and applications present on the network or host, typically just enough of a protocol to keep track of connection attempts to TCP, UDP and ICMP ports and services. Fake databases, data and files serve as bait, so that the attacks being attempted can be observed as they happen, while the attacker never gets a real system to execute code on. Examples of low-interaction tools are Honeytrap, Specter, KFSensor, etc.
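As an added example (not code from the original post, nor from Honeytrap, Specter or KFSensor), here is a minimal low-interaction honeypot in Python that emulates nothing more than a Telnet-style login prompt. It captures the items listed under "Working of honeypots" that such a service can actually see: the attacker's IP address, every username and password tried, and the raw keystrokes. The banner text, the port 2323 and the log file name are assumptions.

```python
"""Minimal low-interaction honeypot: a fake Telnet-style login service.

Added example, not code from the original post or from Honeytrap/Specter/
KFSensor. Only the login prompt is emulated; there is no shell behind it,
so the attacker never gets a real system. Banner text, port and log path
are assumptions.
"""
import json
import socketserver
import time
from dataclasses import dataclass, asdict
from typing import List

BANNER = b"Ubuntu 18.04.5 LTS\r\nlogin: "        # fake banner (assumption)
PASSWORD_PROMPT = b"Password: "
LOGIN_FAILED = b"\r\nLogin incorrect\r\nlogin: "
MAX_ATTEMPTS = 3                                  # then drop the connection
LOG_PATH = "honeypot.jsonl"                       # assumption


@dataclass
class Attempt:
    src_ip: str
    username: str
    password: str
    ts: float


def parse_attempts(src_ip: str, transcript: bytes, now: float = 0.0) -> List[Attempt]:
    """Pair the lines an attacker typed into (username, password) attempts.

    The emulated service alternates a username prompt and a password prompt,
    so consecutive lines pair up. Telnet clients send CRLF, some scanners send
    bare LF or CR; all three are accepted. Empty lines are kept (an empty
    username is still an attempt), but a dangling username with no password
    (client disconnected) is dropped.
    """
    normalised = transcript.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = normalised.split(b"\n")
    if lines and lines[-1] == b"":      # trailing newline, not an extra field
        lines.pop()
    fields = [line.decode("utf-8", errors="replace") for line in lines]
    attempts = [Attempt(src_ip, fields[i], fields[i + 1], now)
                for i in range(0, len(fields) - 1, 2)]
    return attempts[:MAX_ATTEMPTS]


def to_log_line(attempt: Attempt) -> str:
    """One JSON object per line: the shape most log shippers ingest as-is."""
    return json.dumps(asdict(attempt), sort_keys=True)


def log_attempt(attempt: Attempt, path: str = LOG_PATH) -> None:
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(to_log_line(attempt) + "\n")


class FakeLoginHandler(socketserver.StreamRequestHandler):
    timeout = 30  # seconds of idle time before a scanner is dropped

    def handle(self) -> None:
        src_ip = self.client_address[0]
        transcript = b""
        try:
            self.wfile.write(BANNER)
            for _ in range(MAX_ATTEMPTS):
                user = self.rfile.readline()
                if not user:
                    break
                self.wfile.write(PASSWORD_PROMPT)
                password = self.rfile.readline()
                if not password:
                    break
                transcript += user + password
                # Never authenticate: every attempt fails, the attacker tries again.
                self.wfile.write(LOGIN_FAILED)
        except OSError:
            pass  # timeout or connection reset: still log what was captured
        for attempt in parse_attempts(src_ip, transcript, time.time()):
            log_attempt(attempt)


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(host: str = "0.0.0.0", port: int = 2323) -> None:
    """Run as an unprivileged user; redirect the real port 23 here with a firewall rule."""
    with HoneypotServer((host, port), FakeLoginHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Every record written to the log is an alert: nothing legitimate should ever connect to this port, so even a single line is worth looking at, and the captured username/password pairs show which credential lists the scanners in your area are running.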

Medium-Interaction Honeypots: They emulate an operating system together with its applications and services more fully, as a real target host on the network would present them, but still without exposing a real OS to the attacker. They capture more information because their purpose is to stall the attacker, giving the organization more time to respond to the threat appropriately. Examples of medium-interaction tools are Cowrie, HoneyPy, etc.

High-Interaction Honeypots: They run genuinely vulnerable software on a real operating system with the applications a production system would normally have. The information gathered is the richest, but they are difficult to maintain, and because the attacker gains a real system they must be strictly isolated and monitored so that they cannot be used as a pivot into the rest of the network. An example of a high-interaction deployment is a honeynet.

Pure Honeypots: These are full-scale systems that imitate the organization's actual production environment, so an attacker takes them for a genuine target and invests time exploiting them. As soon as the attacker starts probing for vulnerabilities, the organization is alerted, so the attack can be caught at an early stage.

Based on the deployment

Production Honeypots: These are installed inside the organization's actual production network, alongside the real servers. Because they sit on the internal network, they also help detect internal attacks and attackers who have already got past the perimeter.

Research Honeypots: These are high-interaction honeypots set up with a research focus, typically by governmental or military organizations, to gain knowledge of the behaviour, tools and techniques of attackers rather than to protect a particular network.

Based on their deception technology

Malware Honeypots: These are used to trap malware on a network. Their purpose is to attract attackers or malicious software and let them carry out their attacks in a controlled setting, so that samples can be collected and the pattern of the attack understood.

Email Honeypots: These are hoax email addresses that are never used for legitimate mail and are published only where address harvesters on the internet will find them. Any message they receive is unsolicited by definition, so the mail can be monitored and examined, and the senders and contents used to improve phishing and spam filtering before real users fall for the scam.

Database Honeypots: These pose as real databases that are deliberately left looking vulnerable, and so attract attacks such as SQL injection. They lure attackers into thinking they contain sensitive information such as credit card details, which lets the organization observe the pattern of the attacks performed.

Spider Honeypots: These are set up to trap web crawlers and spiders that scrape information from web applications. They work with pages and links that a human visitor would never see or follow, so that only an automated crawler ends up requesting them.
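As an added example (not code from the original post), here is the spider honeypot idea in Python: robots.txt forbids a trap prefix, the only link to it is hidden from human visitors, and any client that nevertheless requests a trap URL is a crawler that disregarded robots.txt, so it is logged and blocked. The trap path, the hidden-link markup and the WSGI wiring are assumptions.

```python
"""Spider honeypot: a crawler trap for bots that ignore robots.txt.

Added example, not code from the original post. robots.txt disallows the
trap prefix and the only link to it is hidden from browsers, so a client
requesting a trap URL is an automated crawler that ignored robots.txt.
It is recorded and blocked from then on. Paths, markup and the WSGI
wiring are assumptions.
"""
import time
from typing import Dict, List, Set, Tuple

TRAP_PREFIX = "/trap/"                                          # assumption
ROBOTS_TXT = "User-agent: *\nDisallow: " + TRAP_PREFIX + "\n"
# Not rendered, not focusable, hidden from screen readers, and marked
# nofollow: no human and no well-behaved crawler will ever follow it.
HIDDEN_LINK = ('<a href="' + TRAP_PREFIX + 'catalog/1" style="display:none" '
               'aria-hidden="true" tabindex="-1" rel="nofollow">catalog</a>')


class SpiderTrap:
    def __init__(self) -> None:
        self.blocked: Set[str] = set()
        self.events: List[Dict[str, object]] = []

    def handle(self, src_ip: str, path: str, user_agent: str,
               now: float = 0.0) -> Tuple[int, str]:
        """Return (status, body) for one request; the caller does the HTTP framing."""
        if src_ip in self.blocked:
            return 403, "forbidden\n"
        if path == "/robots.txt":
            return 200, ROBOTS_TXT
        if path.startswith(TRAP_PREFIX):
            # Only a crawler that ignored robots.txt and parsed a hidden,
            # nofollow link gets here: record it and block the source.
            self.blocked.add(src_ip)
            self.events.append({"ts": now, "src_ip": src_ip,
                                "path": path, "user_agent": user_agent})
            # A bland 200, not an error, so the crawler is not tipped off.
            return 200, "<html><body>Nothing here.</body></html>\n"
        return 200, ("<html><body><h1>Welcome</h1>\n"
                     + HIDDEN_LINK + "\n</body></html>\n")


TRAP = SpiderTrap()


def app(environ, start_response):
    """WSGI adapter so the trap runs under any WSGI server (wsgiref below)."""
    path = environ.get("PATH_INFO", "/")
    status, body = TRAP.handle(environ.get("REMOTE_ADDR", "?"), path,
                               environ.get("HTTP_USER_AGENT", ""), time.time())
    ctype = "text/plain" if (status != 200 or path == "/robots.txt") else "text/html"
    data = body.encode("utf-8")
    start_response("%d %s" % (status, "OK" if status == 200 else "Forbidden"),
                   [("Content-Type", ctype + "; charset=utf-8"),
                    ("Content-Length", str(len(data)))])
    return [data]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

Two caveats a practitioner should keep in mind: search-engine crawlers that honour robots.txt will never reach the trap, so it catches only the misbehaving ones, and blocking by source IP punishes everyone behind the same NAT or proxy, so in production you would usually tag the session or rate-limit rather than hard-block as this example does.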

Spam Honeypots: These consist of hoax mail servers, for example relays or proxies that appear open but are not, set up to attract spammers who try to exploit vulnerable email components, and to record details of the activities they perform.

Honeynets: A honeynet is a network of honeypots installed in a virtual, isolated environment together with various servers, so that the activities of attackers can be recorded and potential threats understood across a whole network rather than a single host.


Ashish Khare

CEHv12 | Penetration Tester | Red-Teamer | Security Analyst