What are honeypots and honeynets?
- General
- by Jacob Riggs
- 14-07-2020
Believe it or not, sometimes admins will design systems to attract attackers. Working in information security, one of my favourite defensive strategies to deploy in operational practice involves the use of honeypots and honeynets. These tightly controlled decoy mechanisms are designed to entice attackers, rob them of their time, and help with profiling attack intent, objectives, and origin.
Honeypots
Honeypots are a useful way for admins to learn more about an adversary's objectives by intentionally exposing a machine that appears to be a highly valuable and sometimes unprotected target. Although a honeypot may seem legitimate to an attacker, honeypots are typically isolated from normal internal networks and configured in such a way that all interactive activity can be monitored and logged.
This has several benefits from a defensive point of view. By convincing an attacker to focus their efforts on a designated honeypot endpoint, an administrator can gain insight into an attacker's tactics, techniques, and procesures (TTPs). This can be used to predict attack execution behaviour, or even aid in attribution and identifying where the attack may have originated from. Furthermore, honeypots may delay an attacker, buying administrators crucial time to respond, or force attackers to exhaust their own resources pursuing fruitless tasks.
Honeypots have been in use for several decades, but they have often been costly to deploy because this typically meant dedicating actual hardware to face attackers, thus reducing what infrastructure could be reserved for production purposes. Furthermore, in order to engage an attacker for any significant amount of time, a honeypot needs to look like a real (and ideally valuable) network node, which means sitting in the attacker's seat and putting some thought into what software and data should be deployed on it. This all takes lots of time and traditionally was not practical for very large deployments. However, virtualisation addresses many of the challenges associated with administering honeypot machines because virtualised infrastructure is designed to scale easily.
Honeynets
A honeynet is an entire network designed to attract attackers. The benefits of its use are the same as that of honeypots, but honeynets are designed to look like real network environments, complete with real operating systems, applications, services, and associated network traffic. Honeypots can be thought of as a highly interactive set of honeypots, providing realistic feedback just as a real network would. For both honeypots and honeynets, deployed services are not actually used in production, so there shouldn't be any reason for any legitimate interaction with the servers. This makes it easy to recognise that any prolonged interaction with deployed services usually implies malicious intent. It follows that traffic from external hosts in a honeynet is usually indicative of attack behaviour and not as likely to be a false positive generated by expected network traffic.
As with individual honeypots, all activity is monitored, recorded, and security controls optimised to balance the liklihood of any attack occurence with the ease of attack execution. As with honeypots, virtualisation has also improved the performance of honeynets, allowing for varied and easily scalable network configurations on existing hardware infrastructure.