Honeypot: some people might be familiar with this term, and some may even have implemented one in their network. But what exactly is a honeypot?
Literally, a honeypot is a pot, jar or other container used to store honey. In this case, however, honeypot is a metaphor. In computer science terminology, a honeypot (which some people call a honeytrap) is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of an information system.
A honeypot generally consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to an attacker.
Two or more honeypots on a network form a honeynet. Typically, a honeynet is used to monitor a larger and/or more diverse network where a single honeypot would not be sufficient.
Honeypots and honeynets are usually implemented as parts of larger Network Intrusion Detection Systems.
So, What Are the Benefits to Us?
There are many. Here are some of the benefits we can get from a honeypot:
- Early Detection
- A honeypot notifies and alerts us when attacks occur. At the very least, when an unauthorized access attempt tries to break into our system, it gives us more time to prepare countermeasures.
- Analyze the Threat
- An attacker trapped in the honeypot can be analyzed. From this we learn the newest threats and the newest attack vectors used by attackers attempting privilege escalation. It also gives us information about who the adversary is, what they did, and which methods they used.
- Secure the System
- This method traps the attacker so that they only break into the honeypot system, leaving the real server in good shape. The defense gives better security because the attacker does not attack the server directly. There is, however, no guarantee that our system will be absolutely secure.
- Disrupting the Attacker
- A honeypot is a method to disrupt and confuse the attacker. With many alternative and virtual systems in the network, the attacker at least has trouble distinguishing the real systems from the virtual ones.
What Are the Components of a Honeypot?
- Network Devices Hardware
- A honeypot acts as part of the network, so of course we need network devices.
- Monitoring or Logging Tools
- A set of tools or components to monitor and log activity inside the honeypot.
- Alert Mechanism
- A messaging system to notify or warn us when an attack is detected.
- Keystroke Logger
- Logs what the attacker does, including the keystrokes originating from the attacker.
- Packet Analyzer
- Gives information about the packets flowing in and out between the honeypot and the attacker.
- Forensic Tools
- Provide forensic information about what the attacker did to the system.
What Are the Types of Honeypot?
By degree of interaction, we can split honeypots into two categories: high-interaction and low-interaction.
A high-interaction honeypot is a fake system that emulates all aspects of a machine (operating system). We have a system running a specific operating system and certain services, such as a web server and some web applications. A high-interaction honeypot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks.
A low-interaction honeypot simulates only services that cannot be exploited to gain complete access to the honeypot. This type of honeypot is more limited, but it is useful for gathering information at a higher level, e.g. learning about network probes or worm activity.
We can also differentiate between physical and virtual honeypots.
A physical honeypot is a real machine on the network. It is a dedicated machine with its own IP address.
A virtual honeypot is simulated by another machine that responds to network traffic sent to the virtual honeypot.
When gathering information about network attacks or probes, the number of deployed honeypots influences the amount and accuracy of the collected data. A good example is measuring the activity of HTTP-based worms. We can identify these worms only after they complete a TCP handshake and send their payload. However, most of their connection requests go unanswered because they contact randomly chosen IP addresses. A honeypot can capture the worm payload if it is configured to function as a web server. The more honeypots we deploy, the more likely it is that one of them is contacted by a worm.
Physical honeypots are often high-interaction, allowing the system to be compromised completely, and they are expensive to install and maintain. For large address spaces it is impractical or impossible to deploy a physical honeypot for each IP address. In that case, we need to deploy virtual honeypots.
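As an added illustration (not code from the original article), here is a minimal low-interaction honeypot of the kind described above: it poses as a web server, completes the TCP handshake, logs each probe as a JSON alert record and keeps any delivered payload for later analysis. The listen address and the fake Server banner are constructed for this example.

```python
import json
import socketserver
import time
from urllib.parse import unquote

# Constructed values for this illustration: listen address and fake server banner.
LISTEN = ("0.0.0.0", 8080)
BANNER = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

def parse_request(raw: bytes) -> dict:
    """Split the bytes a client sent into method, path, headers and body length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0] if parts else ""
    path = unquote(parts[1]) if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key:
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body_len": len(body)}

def build_record(peer: str, raw: bytes, now=None) -> dict:
    """Log/alert record for one connection. No legitimate client should contact
    a decoy, so every connection is an alert; a non-empty body means the probe
    completed the handshake and delivered its payload (the worm case above)."""
    req = parse_request(raw)
    return {
        "ts": now if now is not None else time.time(),
        "src": peer,
        "alert": True,
        "payload_captured": req["body_len"] > 0,
        "raw": raw[:512].decode("latin-1"),  # keep the probe bytes for analysis
        **req,
    }

class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(3)
        try:
            raw = self.request.recv(65536)
        except OSError:
            raw = b""
        print(json.dumps(build_record(self.client_address[0], raw)))  # -> SIEM in practice
        self.request.sendall(BANNER)

if __name__ == "__main__":
    with socketserver.TCPServer(LISTEN, HoneypotHandler) as server:
        server.serve_forever()
```

Each printed line is one alert record; in a real deployment it would be shipped to the monitoring and alert components listed earlier rather than printed.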
Where Should a Honeypot Be Placed?
A honeypot can be placed in several places:
- Directly connected to the internet without a firewall
- Between the firewall and the internet connection
- In the DMZ