Honeypots are an information system resource whose value lies in the unauthorized or illicit use of that resource.
In other words, “A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, these are used to learn about an intruder’s techniques as well as determine vulnerabilities in the real system.”
Before proceeding further, the first thing is to understand what honeypots actually are. To be frank, honeypots do not solve one specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes: they can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in online credit card fraud. That flexibility is where honeypots have their strength.
The basic consideration is that honeypots record all actions and interactions with users. Since they provide no legitimate services, all activity is unauthorized (and possibly malicious).
Types of Honeypots
Honeypots cover a wide field and can be classified based on their deployment and based on their level of involvement (interaction).
Based on deployment, honeypots may be classified as:
- Production honeypots
- Research honeypots
Production honeypots
Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. They are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do.
Research honeypots
Research honeypots are run to gather information about the motives and tactics of the blackhat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
Based on design criteria (level of interaction), honeypots can be classified as:
- Low-interaction honeypots
- Medium-interaction honeypots
- High-interaction honeypots
Low-interaction honeypots
Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system; the virtual systems have a short response time, and less code is required, which reduces the complexity of securing the virtual systems.
Low-interaction honeypots present the hacker with emulated services offering a limited subset of the functionality they would expect from a real server, with the intent of detecting sources of unauthorized activity. For example, the HTTP service on a low-interaction honeypot would only support the commands needed to identify that a known exploit is being attempted. Some authors classify a third category, medium-interaction honeypots, as providing more interaction than low-interaction honeypots but less than high-interaction systems.
A medium-interaction honeypot might more fully implement the HTTP protocol to emulate a well-known vendor’s implementation, such as Apache. However, there are no implementations of medium-interaction honeypots, and for the purposes of this paper the definition of low-interaction honeypots covers the functionality of medium-interaction honeypots: both provide only a partial implementation of services and do not allow the typical, full interaction with the system that high-interaction honeypots do.
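To make the low-interaction model concrete, here is a minimal HTTP honeypot written as an added example for this page (it is not code from the article or from any honeypot project). It emulates only a sliver of a web server: a canned page for GET /, a spoofed Server header, and a 404 for everything else. Because the honeypot offers no legitimate service, every request, including data that is not even valid HTTP, is written out as an alert with the source address, method, path and User-Agent. The listener port, the banner string, the log file name and the sample probe are assumptions chosen for the example.

```python
"""Minimal low-interaction HTTP honeypot (added example, not from the page)."""
import json
import socketserver
import time
from typing import Dict, Optional

BANNER = "Apache/2.4.41 (Ubuntu)"   # spoofed Server header (assumed value)
LOG_PATH = "honeypot_alerts.jsonl"  # assumed log destination (JSON lines)
CANNED_BODY = b"<html><body><h1>It works!</h1></body></html>"

# Constructed sample request, used only to demonstrate the functions below.
SAMPLE_PROBE = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: 10.0.0.5\r\n"
    b"User-Agent: example-scanner/0.1\r\n\r\n"
)


def parse_request(raw: bytes) -> Optional[Dict]:
    """Parse the request line and headers of a raw HTTP request.

    Returns None when the data is not a well-formed request line (e.g. a
    raw TCP probe or a TLS ClientHello); such traffic is still logged.
    """
    text = raw.decode("latin-1")           # never raises; bytes map 1:1
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    req = {"method": parts[0], "path": parts[1], "version": parts[2],
           "headers": {}}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            req["headers"][name.strip().lower()] = value.strip()
    return req


def build_response(req: Optional[Dict]) -> bytes:
    """Answer only what the emulation supports; everything else is a 404."""
    if req is None:
        status, body = "400 Bad Request", b""
    elif req["method"] == "GET" and req["path"] in ("/", "/index.html"):
        status, body = "200 OK", CANNED_BODY
    else:
        status, body = "404 Not Found", b""
    head = (
        f"HTTP/1.1 {status}\r\n"
        f"Server: {BANNER}\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + body


def make_alert(peer: str, raw: bytes, req: Optional[Dict]) -> Dict:
    """Every request is an alert: the honeypot has no legitimate users."""
    alert = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src": peer,
        "bytes": len(raw),
        "parsed": req is not None,
    }
    if req is not None:
        alert["method"] = req["method"]
        alert["path"] = req["path"]
        alert["user_agent"] = req["headers"].get("user-agent", "")
    else:
        # Keep a short hex prefix of unparseable data for later analysis.
        alert["raw_prefix"] = raw[:32].hex()
    return alert


class HoneypotHandler(socketserver.BaseRequestHandler):
    """One connection: read a single request, log it, send the canned reply."""

    def handle(self) -> None:
        self.request.settimeout(5)
        try:
            raw = self.request.recv(4096)
        except OSError:
            return
        req = parse_request(raw)
        with open(LOG_PATH, "a") as fh:
            fh.write(json.dumps(make_alert(self.client_address[0], raw, req)) + "\n")
        try:
            self.request.sendall(build_response(req))
        except OSError:
            pass


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


def serve(host: str = "0.0.0.0", port: int = 8080) -> None:
    """Run the listener until interrupted (port is an assumed value)."""
    with HoneypotServer((host, port), HoneypotHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The point of the design is the asymmetry the text describes: the emulation knows only two request paths, so there is very little code to secure, yet the alert log captures whatever the client sent, whether or not it was meaningful HTTP. A practitioner would normally run this on a dedicated host with outbound connections blocked, so the honeypot cannot be turned against other systems.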
High-interaction honeypots
High-interaction honeypots imitate the activities of real systems that host a variety of services. They let the hacker interact with the system as they would with any regular operating system, with the goal of capturing the maximum amount of information on the attacker’s techniques. Any command or application an end user would expect to be installed is available, and generally there is little to no restriction placed on what the hacker can do once he/she compromises the system. According to recent research in high-interaction honeypot technology, by employing virtual machines multiple honeypots can be hosted on a single physical machine; therefore, even if a honeypot is compromised, it can be restored more quickly. Although high-interaction honeypots provide more security by being difficult to detect, their main drawback is that they are costly to maintain. If virtual machines are not available, one honeypot must be maintained for each physical computer, which also increases cost. Example: Honeynet.
Summarized difference between Low-interaction honeypots and High-interaction honeypots
Advantages of honeypots
They provide several advantages over other security solutions, including network intrusion detection systems:
- Minimal resources: Honeypots require minimal resources because they only capture bad activity.
- New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics that have never been seen before.
- Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they may log only one MB of data a day; instead of generating 10,000 alerts a day, they may generate only 10 alerts a day. Any interaction with a honeypot is most likely unauthorized or malicious activity.
- Encryption facility: Honeypots work in encrypted or IPv6 environments, unlike most security technologies (such as IDS). It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.
- Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.
Disadvantages of honeypots:
Every technology we use may have a wide range of advantages, but each also has its disadvantages. Honeypots have the following weaknesses:
- They can only track and capture activity that directly interacts with them. They will not capture attacks against other systems unless the attacker or threat also interacts with the honeypot.
- They can be used by an attacker to attack other systems.
- They can potentially be detected by the attacker.