- A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization’s network. It has no authorized activity, does not have any production value, and any traffic to it is likely to be a probe, attack or compromise. A honeypot can log port access attempts or monitor an attacker’s keystrokes. These could be early warnings of a more concerted attack.
Types of Honeypots?
Low-interaction Honeypots: These honeypots simulate only a limited number of services and applications of a target system or network.
Medium-interaction Honeypots: These honeypots simulate a real operating system, applications, and services of a target network.
High-interaction Honeypots: These honeypots simulate all services and applications of a target network.
Pure Honeypots: These honeypots emulate the real production network of a target organization.
Low-interaction Honeypots
•Low-interaction honeypots emulate only a limited number of services and applications of a target system or network. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. They capture a limited amount of information, mainly transactional data, and some limited interactions. These honeypots cannot be compromised completely; they are set up to collect higher-level information about attack vectors such as network probes and worm activities.
Some examples are Specter, KFSensor, and Honeytrap.
•KFSensor is a low-interaction honeypot used to attract and identify penetrations. It implements vulnerable system services and Trojans to attract hackers. This honeypot can be used to monitor all TCP, UDP, and ICMP ports and services. KFSensor identifies and raises alerts about port scanning and DoS attacks.
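As an added example (not part of the original notes or of any honeypot product), the following shows the kind of transactional data a low-interaction honeypot yields and how a port-scan alert of the type described above can be derived from it. The log format and sample lines are constructed for this example; since a honeypot has no production value, every source that appears in the log is already worth a look.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample honeypot log, in an assumed "<timestamp> <src_ip> <dst_port> <proto>"
# format (not the native log format of any particular honeypot tool).
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 22 TCP
2024-03-01T10:00:02 203.0.113.7 23 TCP
2024-03-01T10:00:02 203.0.113.7 80 TCP
2024-03-01T10:00:03 203.0.113.7 443 TCP
2024-03-01T10:00:04 203.0.113.7 3389 TCP
2024-03-01T10:00:05 203.0.113.7 445 TCP
2024-03-01T10:02:30 198.51.100.9 445 TCP
2024-03-01T10:09:00 198.51.100.9 445 TCP
2024-03-01T10:15:00 192.0.2.44 161 UDP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (TCP|UDP|ICMP)$")

def parse_events(text):
    """Parse log lines into (timestamp, src_ip, dst_port, proto) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, port, proto = m.groups()
            events.append((datetime.fromisoformat(ts), src, int(port), proto))
    return events

def probes_per_source(events):
    """Any hit on a honeypot is unexpected, so a plain count per source is itself a watch list."""
    counts = defaultdict(int)
    for _, src, _, _ in events:
        counts[src] += 1
    return dict(counts)

def detect_port_scans(events, min_ports=5, window_seconds=60):
    """Flag sources that touch >= min_ports distinct ports within a sliding time window.
    Returns {src_ip: sorted list of distinct ports seen in the widest qualifying window}."""
    by_src = defaultdict(list)
    for ts, src, port, _ in events:
        by_src[src].append((ts, port))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(alerts.get(src, [])):
                alerts[src] = sorted(ports)
    return alerts
```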
•Medium-interaction honeypots simulate a real OS as well as applications and services of a target network. They create a more convincing impression of an OS than low-interaction honeypots. Therefore, it is possible to log and analyze more complex attacks. These honeypots capture more useful data than low-interaction honeypots. They can only respond to preconfigured commands; therefore, the risk of intrusion increases. The main disadvantage of medium-interaction honeypots is that the attacker can quickly discover that the system behavior is abnormal. Some examples of medium-interaction honeypots include HoneyPy, Kojoney2, and Cowrie.
•Unlike their low- and medium-interaction counterparts, high-interaction honeypots do not emulate anything. They run actual vulnerable services or software on production systems with a real OS and applications. These honeypots simulate all services and applications of a target network. They can be completely compromised by attackers, giving them full access to the system in a controlled area. They capture complete information about an attack vector such as attack techniques, tools, and intent. The honeypot system is more prone to infection, as attack attempts can be carried out on real production systems.
•At the same time, the honeynet controls the attacker’s activity. Honeynets do this by using a Honeywall gateway, which allows inbound traffic to the victim’s systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim’s system but prevents the attacker from harming other non-honeynet computers.
•Pure honeypots emulate the real production network of a target organization. They cause attackers to devote their time and resources toward attacking the critical production systems of the company. Attackers uncover and discover the vulnerabilities and trigger alerts that help network administrators to provide early warnings of attacks and hence reduce the risk of an intrusion.
Classification of honeypots based on their deployment strategy
Production honeypots are deployed inside the production network of the organization along with other production servers. Although such honeypots improve the overall state of security of the organization, they effectively capture only a limited amount of information related to the adversaries. Such honeypots fall under the low-interaction honeypot category and are extensively employed by large organizations and corporations. As production honeypots are deployed internally, they also help to uncover internal flaws and attackers within an organization.
Research honeypots are high-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders. By using such honeypots, security analysts can obtain in-depth information about how an attack is performed, how vulnerabilities are exploited, and which attack techniques and methods are used by the attackers. This analysis, in turn, can help an organization to improve attack prevention, detection, and security mechanisms and develop a more secure network infrastructure.
•Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are configured with known vulnerabilities such as outdated APIs, the vulnerable SMBv1 protocol, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities. These honeypots lure the attacker or malware into performing attacks, from which the attack pattern, malware signatures, and malware threat actors can be identified effectively.
•Database honeypots employ fake databases that are vulnerable to database-related attacks such as SQL injection and database enumeration. These fake databases trick the attackers by making them think that these databases contain crucial sensitive information such as credit card details of all the customers and employee databases. However, all the information present in the database is fake and simulated. The vulnerabilities of such databases lure the attacker into performing attacks. From these attacks, the attack pattern and the threat actor’s TTPs for database attacks can be identified effectively.
•Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source on the internet. They provide crucial information about spammers and their activities.
•Email honeypots are also called email traps. They are nothing but fake email addresses that are specifically used to attract fake and malicious emails from adversaries. These fake email IDs are distributed across the open internet and dark web to lure threat actors into performing various malicious activities to exploit the organization. By constantly monitoring the incoming emails, administrators can identify the adversary’s deception techniques, and internal employees can be warned to avoid falling into such email traps.
•Spider honeypots are also called spider traps. These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc. Spider honeypots are employed to trap such adversaries. A fake website is emulated and presented as a legitimate one.
•Honeynets are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. Honeynets are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks are recorded, and this information can be very effective in determining the complete capabilities of the adversary.
•Honeypots are security tools that allow the security community to monitor attackers’ tricks and exploits by logging all their activity so that it can respond to such exploits quickly before the attacker can misuse or compromise the system.
•KFSensor: KFSensor is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone. You can use KFSensor in a Windows-based corporate environment. It includes many innovative and unique features such as remote management, a Snort-compatible signature engine, and emulations of Windows networking protocols.
•SPECTER: Specter is a honeypot or deception system. It simulates a complete system and provides an appealing target to lure hackers away from production systems. It offers typical internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it traps attackers by tricking them into leaving some traces that show that they had connected to a decoy system that does none of the things it appears to but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content and generates decoy programs that do not leave traces on the attacker’s computer. Automated weekly online updates of the honeypot’s content and vulnerability databases allow the honeypot to change regularly without user interaction.
Honeypot Tools: KFSensor
•KFSensor is a host-based Intrusion Detection System (IDS) that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans.
•SPECTER is a honeypot-based intrusion detection system that offers common Internet services such as SMTP, FTP, POP3, HTTP, and Telnet, which appear perfectly normal to the attackers but in fact are traps.
Some additional honeypot tools are listed below:
•Modern Honey Network (https://github.com)