The sweet smell of IT security: Understanding honeypots
Davey Winder delves into the world of security traps and advises how to beat the bad guys at their own game.
So, to recap then, with the help of HP Fellow and CTO for Enterprise Services, Mateen Greenway:
A honeypot consists of a computer, data, web or other site that appears to be part of a network and appears to contain information or a resource of value to attackers but which in actual fact is isolated and monitored.
- Honeypots typically do not stop hackers intruding on a network. Instead they are designed to provide electronic evidence, such as IP addresses, that can identify the hackers, expose their methods, and even show the kind of systems and data the intruder is trying to access. Honeypots can be designed to allow a virus or malware to infect a simulated environment; or an emulation of a production system designed to deflect attackers from the real system.
- Honeypots can deter attacks if potential hackers are aware that they are being used to defend a system. These techniques can be effective in sidetracking attackers' efforts, causing them to devote their attention to activities that can cause neither harm nor loss.
- Honeypots allow the white hat and system administrator communities to study exactly the techniques and tools that attackers are using without exposing systems and networks to additional risk that results from compromised system.
- Honeypots are a good method of detecting insider attacks. Insider attacks involve fundamentally different attack patterns (usually considerably more subtle ones) from external attacks.
In conclusion
Honeypots and the more recent honeywords variation on a theme are useful additions to the data security arsenal. But, as David Emm, senior security researcher at Kaspersky Lab, reminds us they are no magic bullet. "None of these methods are able to prevent a system being compromised" Emm says. "However, they can sound the alarm if an attack occurs. The problem for an attacker is that they do not know if the database is protected in this way, or which passwords in a database may generate an alert. So if the technology is implemented, it could act as a deterrent to would-be attackers."
Historically, many organisations have been reluctant to install research honeypots (apart from those companies involved in R&D for security products) and, according to Ranum, this is primarily down to the time required for proper analysis.
"However production honeypots are very low resource. When nobody's breaking into them, they just sit there, yet can give a very valuable warning," Ranum insists. And in the current climate of data breaches and the ongoing reputational fallout that follows, warnings and deterrents have to be worth having.
Under the assumption that every connected server can be compromised and passwords can be stolen, distributing the authentication process with honeycheckers makes the challenge much greater for hackers. "Additionally" as Ben-Itzhak concludes "in the event of a successful brute force password break, the hacker is not given the confidence that they can log in successfully and undetected."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
With a honeychecker in place, they must either risk logging in and being detected, or else attempt to breach the honeychecker itself.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.