A honeypot, trap, or decoy system is a computer security tool placed on a network or computer system that poses as a vulnerable device in order to become the target of an attack.
These honeypots have evolved and are currently being implemented in the form of honeynets, which are entire networks of honeypots that can simulate entire systems and so collect much more information about attacks.
The honeypot can be configured to take various actions as soon as an attacker enters it.
1. Alert: It can be configured to simply alert you as soon as an attack occurs without taking any further action.
2. Obtain information: Obtain all information about what the attacker is doing and using.
3. Slow down: Slow down the attack as much as possible.
4. A combination of all of the above.
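The three actions above, combined in a minimal low-interaction decoy service. This is an added example, not code from the original article; the FTP-style banner, port 2121, the timeouts and all function names are assumptions chosen for illustration.

```python
import json, socket, time

ALERT, COLLECT, SLOW = "alert", "collect", "slow"  # the actions listed above
BANNER = b"220 FTP server ready\r\n"  # constructed decoy banner (assumption)

def handle_connection(conn, peer, actions, delay=0.05, max_bytes=4096):
    """Serve one decoy session and return the event record for it."""
    start = time.monotonic()
    event = {"ts": time.time(), "peer": peer, "actions": sorted(actions)}
    data = b""
    conn.settimeout(2.0)  # a silent client cannot pin the handler forever
    try:
        if SLOW in actions:
            # Slow down: drip the banner byte by byte to hold the client up.
            for byte in BANNER:
                conn.sendall(bytes([byte]))
                time.sleep(delay)
        else:
            conn.sendall(BANNER)
        # Obtain information: keep what the client sends, bounded in size
        # so the decoy's own log cannot be flooded.
        while COLLECT in actions and len(data) < max_bytes:
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
    except OSError as exc:  # timeouts and resets; data read so far is kept
        event["error"] = type(exc).__name__
    finally:
        conn.close()
    event["received"] = data[:max_bytes].decode("latin-1")
    event["duration"] = round(time.monotonic() - start, 3)
    return event

def alert_line(event):
    """Alert: no legitimate user has a reason to connect, so every event is
    reported. json.dumps escapes control characters in client-supplied data."""
    return "HONEYPOT ALERT " + json.dumps(event, sort_keys=True)

def serve(host="127.0.0.1", port=2121, actions=(ALERT, COLLECT, SLOW)):
    """Accept loop: handles one client at a time, which is enough for a demo."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            event = handle_connection(conn, addr[0], set(actions))
            if ALERT in actions:
                print(alert_line(event), flush=True)

if __name__ == "__main__":
    serve()
```

The decoy binds to the loopback address by default; the alert lines it prints are meant to be forwarded to whatever monitoring the organization already uses.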
When a company deploys a honeypot, there is no legitimate reason for that organization’s users to try to access it. Therefore, any interaction with the computer can be considered malicious. The idea of this system is to make the attacker believe that they are entering a real system. In reality, the attacker carries out their malicious activities in an environment that is completely under our control.
To lure an attacker into the honeypot, some of the ordinary oversights that people commit must be made, but deliberately, in places on the Internet that are frequently visited by attackers, e.g. by leaving passwords in notepads or on GitHub, a site where millions of people share their projects and where such user oversights often occur.
Once the trap is set, an attacker can step into the honeypot and, believing they have accessed something secure and important, run code and use all of their tools to try to steal all available information and even send this information to other networks, criminal or not, that are interested in the attack, all under our control and with our knowledge.
Like everything, this technique has its advantages and disadvantages. In terms of benefits, as mentioned above, any recorded activity can be considered malicious. In a real system there is a lot of traffic, and it is difficult to detect an attack. Honeypots, by contrast, have very little traffic, so they need few resources and are not very demanding to deploy. Ready-made honeypots are already available online, which reduces the internal workload for commissioning. In contrast to other conventional systems, they have a low false-positive rate. They provide information about new intrusion techniques that attackers have developed.
Regarding the dangers of a honeypot, it does not see everything that is happening, only the activity directed towards it. The fact that a threat didn’t target the honeypot doesn’t mean it doesn’t exist. Hence, it is important not to rely on honeypots alone to detect threats. There is a chance that an attacker could discover that it is a honeypot and attack other systems, leaving the honeypot intact. Worse, the attacker could use it to access your systems. Because of this, you need to have other security controls in place, such as firewalls.
To sum up, honeypots are very useful tools that you can use to protect your business and obtain a large amount of information about an attacker. However, they should complement other security techniques.
Diego Calvo Maroas (DLT code)
Copyright © Grupo Edefa SA Reproduction, in whole or in part, of this article is prohibited without the prior authorization of the publisher.