Honeypot (computing): Difference between revisions
{{Short description|Computer security mechanism}} |
{{refimprove|date=June 2014}} |
In computer terminology, a '''honeypot''' is a [[computer security]] mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of [[information systems]]. Generally, a honeypot consists of [[data]] (for example, in a network site) that appears to be a legitimate part of the site which contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police [[sting operations]], colloquially known as "baiting" a suspect.<ref>{{Cite web|url=https://www.sans.edu/cyber-research/security-laboratory/article/honeypots-guide|title=Honeypots: A Security Manager's Guide to Honeypots|last1=Cole|first1=Eric|last2=Northcutt|first2=Stephen|archive-url=https://web.archive.org/web/20170316110416/https://www.sans.edu/cyber-research/security-laboratory/article/honeypots-guide|archive-date=16 March 2017}}</ref> |
The main uses of such a network decoy are to divert potential attackers from more important information and machines on the real network, to learn what forms of attack those systems may suffer, and to examine such attacks during and after the exploitation of the honeypot.
It provides a way to see, and so to guard against, attacks on the vulnerabilities of a specific network system: a honeypot is a decoy used to protect a network from present or future attacks.<ref name="A Virtual Honeypot Framework">{{cite web |last1=Provos |first1=N |title=A Virtual Honeypot Framework |url=https://www.usenix.org/legacy/event/sec04/tech/full_papers/provos/provos_html/ |website=USENIX |access-date=29 April 2023}}</ref><ref name="dl.acm.org">{{cite book |last1=Mairh |first1=A |last2=Barik |first2=D |last3=Verma |first3=K |last4=Jena |first4=D |title=Proceedings of the 2011 International Conference on Communication, Computing & Security - ICCCS '11 |chapter=Honeypot in network security: A survey |date=2011 |volume=1 |issue=1 |pages=600–605 |doi=10.1145/1947940.1948065 |isbn=978-1-4503-0464-1 |s2cid=12724269 |url=https://dl.acm.org/doi/abs/10.1145/1947940.1948065 |access-date=29 April 2023}}</ref> Honeypots derive their value from being used by attackers; a honeypot that nobody interacts with has little or no value. Honeypots can be used for everything from slowing down or stopping automated attacks and capturing new exploits to gathering intelligence on emerging threats for early warning and prediction.<ref>{{Cite book |last=Spitzner |first=L. |chapter=Honeypots: Catching the insider threat |title=19th Annual Computer Security Applications Conference, 2003. Proceedings. |chapter-url=http://dx.doi.org/10.1109/csac.2003.1254322 |date=2003 |pages=170–179 |publisher=IEEE |doi=10.1109/csac.2003.1254322|isbn=0-7695-2041-3 |s2cid=15759542 }}</ref>
==Types== |
Honeypots can be differentiated based on whether they are physical or virtual:<ref name="A Virtual Honeypot Framework"/><ref name="dl.acm.org"/> |
* Physical honeypot: a real machine with its own IP address that exhibits the behaviours modelled by the system. This form is used less often because of the cost of acquiring and maintaining additional machines and the effort of configuring specialized hardware.<ref name="A Virtual Honeypot Framework"/><ref name="dl.acm.org"/>
* Virtual honeypot: a honeypot that lets one install and simulate hosts running different operating systems on the network; to do so it must emulate the TCP/IP stack of the operating system being simulated. This form is more common.<ref name="A Virtual Honeypot Framework"/><ref name="dl.acm.org"/>
Honeypots can be classified based on their deployment (use/action) and based on their level of involvement. Based on deployment, honeypots may be classified as:<ref name=":0">{{Cite book|last1=Mokube|first1=Iyatiti|last2=Adams|first2=Michele|title=Proceedings of the 45th annual southeast regional conference |chapter=Honeypots: Concepts, approaches, and challenges |date=March 2007|chapter-url=https://doi.org/10.1145/1233341.1233399|pages=321–326|doi=10.1145/1233341.1233399|isbn=9781595936295 |s2cid=15382890}}</ref> |
'''Production honeypots''' are easy to use, capture only limited information, and are used primarily by corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots.<ref name=":0" />
'''Research honeypots''' are run to gather information about the motives and tactics of the [[black hat (computer security)|black hat]] community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats.<ref>{{cite book| title=Honeypots tracking hackers| author=Lance Spitzner| publisher=[[Addison-Wesley]] | isbn=0-321-10895-7| year=2002| pages=68–70}}</ref> Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.<ref name="Attacks Landscape in the Dark Side of the Web">{{Cite web |url=http://www.madlab.it/papers/sac17_darknets.pdf |title=Attacks Landscape in the Dark Side of the Web |last=Katakoglu |first=Onur |date=2017-04-03 |website=acm.org |access-date=2017-08-09}}</ref>
'''Pure honeypots''' are full-fledged production systems. The attacker's activities are monitored through a network tap installed on the honeypot's link to the network, so no other software needs to be installed on the honeypot itself. Even though a pure honeypot is useful, the stealth of the defensive monitoring can be better ensured by a more controlled mechanism.
'''High-interaction honeypots''' imitate the activities of the production systems that host a variety of services and, therefore, an attacker may be allowed a lot of services to waste their time. By employing [[virtual machine]]s, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly. In general, high-interaction honeypots provide more security by being difficult to detect, but they are expensive to maintain. If virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive. Example: [[Honeynet Project|Honeynet]].
'''Low-interaction honeypots''' simulate only the services frequently requested by attackers.<ref>{{Cite journal |last1=Litchfield |first1=Samuel |last2=Formby |first2=David |last3=Rogers |first3=Jonathan |last4=Meliopoulos |first4=Sakis |last5=Beyah |first5=Raheem |date=2016 |title=Rethinking the Honeypot for Cyber-Physical Systems |url=https://ieeexplore.ieee.org/document/7676152 |journal=IEEE Internet Computing |volume=20 |issue=5 |pages=9–17 |doi=10.1109/MIC.2016.103 |s2cid=1271662 |issn=1089-7801}}</ref> Since they consume relatively few resources, multiple virtual systems can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of securing the virtual system. Example: [[Honeyd]]. Low-interaction honeypots were among the first types created, in the late 1990s, and were used mainly to detect attacks rather than to study them.<ref>{{Cite book |last1=Göbel |first1=Jan Gerrit |last2=Dewald |first2=Andreas |last3=Freiling |first3=Felix |date=2011 |title=Client-Honeypots |url=http://dx.doi.org/10.1524/9783486711516 |doi=10.1524/9783486711516|isbn=978-3-486-71151-6 }}</ref>
'''Sugarcane''' is a type of honeypot that masquerades as an open proxy.<ref>{{cite book|url=https://books.google.com/books?id=ntsJqzfwFhkC&dq=honeypot+sugarcane&pg=PA25|title=Architecting Secure Software Systems Page 25 – CRC Press, Taylor & Francis Group|date=17 December 2008|isbn=9781420087857|last1=Talukder|first1=Asoke K.|last2=Chaitanya|first2=Manish|publisher=CRC Press }}</ref> It often takes the form of a server designed to look like a misconfigured HTTP proxy.<ref>{{cite web|url=https://www.secureworks.com/blog/proxies|title=Exposing the Underground: Adventures of an Open Proxy Server|date=21 March 2011}}</ref> Probably the most famous example of such an abusable relay was the default configuration of [[sendmail]] (before version 8.9.0, released in 1998), which would forward e-mail to and from any destination.<ref>{{cite web|url=https://lwn.net/Articles/240120/|title=Capturing web attacks with open proxy honeypots|date=3 July 2007}}</ref>
Recently, a new market segment called [[deception technology]] has emerged using basic honeypot technology with the addition of advanced automation for scale. Deception technology addresses the automated deployment of honeypot resources over a large commercial enterprise or government institution.<ref>{{cite web|url=http://blogs.gartner.com/lawrence-pingree/2016/09/28/deception-related-technology-its-not-just-a-nice-to-have-its-a-new-strategy-of-defense/|title=Deception related technology – it's not just a "nice to have", it's a new strategy of defense – Lawrence Pingree|date=28 September 2016}}</ref>
Malware honeypots are used to detect malware by exploiting its known replication and attack vectors. Replication vectors such as [[USB flash drives]] can easily be checked for evidence of modification, either manually or with special-purpose honeypots that emulate drives. Malware is increasingly used to search for and steal cryptocurrencies,<ref>{{cite web|last1=Litke|first1=Pat|title=Cryptocurrency-Stealing Malware Landscape|url=https://www.secureworks.com/research/cryptocurrency-stealing-malware-landscape|website=Secureworks.com|publisher=SecureWorks|accessdate=9 March 2016}}</ref> which gives services such as Bitcoin Vigil an opportunity to create and monitor honeypots holding a small amount of money, so as to provide early warning of malware infection.<ref>{{cite web|url=http://www.cryptocoinsnews.com/news/bitcoin-vigil-protecting-system-malware-bitcoin/2014/05/09|title=Bitcoin Vigil: Detecting Malware Through Bitcoin|date=May 5, 2014|publisher=cryptocoins news}}</ref>
A malware honeypot is a decoy designed to attract malicious software by imitating a vulnerable system or network, such as a web server. The honeypot is deliberately set up with security flaws that invite malware attacks. Once it has been attacked, IT teams can analyze the malware to understand where it comes from and how it behaves.<ref>{{Cite web |last=Praveen |date=2023-07-31 |title=What Is a Honeypot in Cybersecurity? Types, Implementation, and Real-World Applications |url=https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/what-are-honeypots-benefits-types/ |access-date=2023-12-05 |website=Cybersecurity Exchange |language=en-US}}</ref>
===Spam versions=== |
[[Spamming|Spammers]] abuse vulnerable resources such as [[open mail relay]]s and [[open proxy|open proxies]]. These are servers that accept e-mail from anyone on the Internet—including spammers—and send it to its destination. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity. |
Such honeypots give administrators several capabilities, and the very existence of fake abusable systems makes abuse more difficult and risky. Honeypots can be a powerful countermeasure against those whose abuse depends on very high volume (e.g., spammers).
These honeypots can reveal the abuser's [[IP address]] and provide bulk spam capture (which enables operators to determine spammers' [[URLs]] and response mechanisms). As described by M. Edwards at ITPro Today:
{{Blockquote |
|text=Typically, spammers test a mail server for open relaying by simply sending themselves an email message. If the spammer receives the email message, the mail server obviously allows open relaying. Honeypot operators, however, can use the relay test to thwart spammers. The honeypot catches the relay test email message, returns the test email message, and subsequently blocks all other email messages from that spammer. Spammers continue to use the antispam honeypot for spamming, but the spam is never delivered. Meanwhile, the honeypot operator can notify spammers' ISPs and have their Internet accounts canceled. If honeypot operators detect spammers who use open-proxy servers, they can also notify the proxy server operator to lock down the server to prevent further misuse.<ref>{{cite web|last1=Edwards|first1=M.|title=Antispam Honeypots Give Spammers Headaches|url=http://windowsitpro.com/exchange-server/antispam-honeypots-give-spammers-headaches|publisher=Windows IT Pro|access-date=11 March 2015|archive-url=https://web.archive.org/web/20170701040344/http://windowsitpro.com/exchange-server/antispam-honeypots-give-spammers-headaches|archive-date=1 July 2017|url-status=dead}}</ref> |
}} |
The apparent source may be another abused system. Spammers and other abusers may use a chain of such abused systems to make detection of the original starting point of the abuse traffic difficult. |
This in itself is indicative of the power of honeypots as [[anti-spam]] tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult. |
Spam still flows through open relays, but the volume is much smaller than in 2001-02. While most spam originates in the U.S.,<ref>{{cite web|title=Sophos reveals latest spam relaying countries|url=http://www.net-security.org/secworld.php?id=4085|work=Help Net Security|access-date=14 June 2013|date=24 July 2006}}</ref> spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages. |
Open-relay honeypots include Jackpot, written in [[Java (programming language)|Java]] by Jack Cleaver; ''smtpot.py'', written in [[Python (programming language)|Python]] by Karl A. Krueger;<ref>{{cite web|title=Honeypot Software, Honeypot Products, Deception Software|url=http://www.honeypots.net/honeypots/products|year=2013|work=Intrusion Detection, Honeypots and Incident Handling Resources|publisher=Honeypots.net|url-status=dead|archive-url=https://web.archive.org/web/20031008120110/http://www.honeypots.net/honeypots/products|archive-date=8 October 2003|access-date=14 June 2013}}</ref> and spamhole, written in [[C (programming language)|C]].<ref>{{cite web|title=spamhole – The Fake Open SMTP Relay Beta|url=http://sourceforge.net/projects/spamhole/|work=SourceForge|publisher=Dice Holdings, Inc.|access-date=14 June 2013|author=dustintrammell|date=27 February 2013}}</ref> The ''Bubblegum Proxypot'' is an open-source honeypot (or "proxypot").<ref name="Ec-Council2009">{{cite book|author=Ec-Council|title=Certified Ethical Hacker: Securing Network Infrastructure in Certified Ethical Hacking|url=https://books.google.com/books?id=nERI0SQqF_sC&pg=SA3-PA23|access-date=14 June 2013|date=5 July 2009|publisher=Cengage Learning|isbn=978-1-4354-8365-1|pages=3–}}</ref> |
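
The relay-test trick Edwards describes, written out as an added example rather than code from any of the tools above (it is not smtpot.py, Jackpot or spamhole): a minimal fake open relay in Python that accepts any recipient, captures every message together with the client address, flags only the spammer's self-addressed test for return, and accepts but never delivers the rest. The decoy hostname, the listening port and the session transcripts used to exercise it are assumptions made for this example.

```python
"""Fake open SMTP relay (added example; not smtpot.py, Jackpot or spamhole).
Speaks enough SMTP to pass for an open relay, records every message with the
client address, flags the spammer's self-addressed relay test for return so
the relay looks abusable, and accepts but silently drops everything else.
Nothing is sent onward; "delivered" only marks what a real MTA may hand back.
"""
import email.utils
import socketserver
from dataclasses import dataclass

CAPTURED = []  # messages accepted by the network listener, in arrival order

@dataclass
class Captured:
    client_ip: str
    mail_from: str
    rcpt_to: list
    data: str
    delivered: bool  # True only for the relay test

def is_relay_test(mail_from, rcpt_to):
    """Spammers test for open relaying by mailing themselves through the server."""
    sender = email.utils.parseaddr(mail_from)[1].lower()
    return bool(sender) and bool(rcpt_to) and all(
        email.utils.parseaddr(r)[1].lower() == sender for r in rcpt_to)

class RelayHoneypot:
    """One SMTP session as a line-oriented state machine, independent of sockets."""
    def __init__(self, client_ip, log, hostname="mail.example.net"):  # assumed decoy name
        self.client_ip, self.log, self.hostname = client_ip, log, hostname
        self.mail_from, self.rcpt_to, self.in_data, self.body = "", [], False, []

    def greeting(self):
        return f"220 {self.hostname} ESMTP"

    def feed(self, line):
        """Handle one client line and return the reply ('' while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._finish()
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from, self.rcpt_to = arg.partition(":")[2].strip(), []
            return "250 OK"
        if verb == "RCPT":
            self.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 OK"  # an open relay accepts any recipient at any domain
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

    def _finish(self):
        self.log.append(Captured(self.client_ip, self.mail_from, list(self.rcpt_to),
                                 "\n".join(self.body), is_relay_test(self.mail_from, self.rcpt_to)))
        self.body = []
        return "250 OK queued"  # always claim success; non-test mail is blackholed

def run_session(client_ip, lines, log):
    """Drive a session from a list of client lines (offline use and testing)."""
    session = RelayHoneypot(client_ip, log)
    replies = [session.greeting()]
    for line in lines:
        reply = session.feed(line)
        if reply:
            replies.append(reply)
    return replies

def spammer_report(log):
    """Per-client totals: the raw material for abuse reports and blocklists."""
    report = {}
    for c in log:
        entry = report.setdefault(c.client_ip, {"captured": 0, "delivered": 0})
        entry["captured"] += 1
        entry["delivered"] += int(c.delivered)
    return report

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = RelayHoneypot(self.client_address[0], CAPTURED)
        self.wfile.write((session.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = session.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break

if __name__ == "__main__":  # unprivileged port; redirect 25 to it when exposing the decoy
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), Handler) as srv:
        srv.serve_forever()
```

The "250" reply to non-test mail is deliberate: a rejection would tell the spammer the relay is a decoy, whereas accepting and dropping keeps them sending into the trap. Flagging the self-addressed test is what makes the relay look genuine; the honeypot itself never originates mail, so the operator decides, outside this code, whether to hand that one message back.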
===Email trap=== |
{{Unreferenced section|date=June 2013}} |
An email address that is not used for any other purpose than to receive spam can also be considered a spam honeypot. Compared with the term "[[spamtrap]]", the term "honeypot" might be more suitable for systems and techniques that are used to detect or counterattack probes. With a spamtrap, spam arrives at its destination "legitimately"—exactly as non-spam email would arrive.
An amalgam of these techniques is [[Project Honey Pot]], a distributed, open-source project that uses honeypot pages installed on websites around the world. These honeypot pages hand out uniquely tagged spamtrap e-mail addresses, so that [[spammers]] can be tracked: spam subsequently sent to one of those addresses can be traced back to the harvester that collected it.<ref>{{Cite news |title=What is a honeypot? |url=https://www.ionos.com/digitalguide/server/security/honeypots-it-security-through-decoy-programs/ |access-date=2022-10-14 |website=IONOS Digital Guide |date=8 August 2017 |language=en}}</ref>
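
How uniquely tagged trap addresses can be minted and later traced, as an added example that is not Project Honey Pot's code: each address carries the page it was planted on, the harvester's IP and the time of the visit under a truncated HMAC, so spam arriving at it identifies the harvesting visit, while forged or corrupted local parts verify as nothing. The key, the trap domain and the visits used below are assumptions made for this example.

```python
"""Uniquely tagged spamtrap addresses (added example; not Project Honey Pot's code).
A honeypot page hands each visiting harvester an address whose local part
encodes the visit (page id, harvester IP, unix time) plus a truncated HMAC.
When spam later reaches that address, the operator recovers the visit; a
tampered or invented tag fails the MAC check and is ignored.
"""
import base64
import binascii
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"operator-held key, rotate per deployment"  # assumption for the example
DOMAIN = "trap.example.net"                            # assumption: receives trap mail only
TAG_BYTES = 6                                          # 48-bit MAC: forging an address by mail is infeasible
_HEADER = struct.Struct(">IIB")                        # page id, unix time, packed-IP length

def _mac(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_BYTES]

def mint_address(page_id, harvester_ip, when):
    """Address to plant on the page for this harvester visit (IPv4 or IPv6)."""
    packed = ipaddress.ip_address(harvester_ip).packed        # 4 or 16 bytes
    payload = _HEADER.pack(page_id, when, len(packed)) + packed
    local = base64.b32encode(payload + _mac(payload)).decode().rstrip("=").lower()
    return f"{local}@{DOMAIN}"                                # base32 keeps the local part mail-safe

def decode_address(addr):
    """Return (page_id, harvester_ip, when), or None if the address is not one of ours."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain != DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < _HEADER.size + TAG_BYTES:
        return None
    payload, tag = raw[:-TAG_BYTES], raw[-TAG_BYTES:]
    if not hmac.compare_digest(_mac(payload), tag):           # constant-time comparison
        return None
    page_id, when, n = _HEADER.unpack(payload[:_HEADER.size])
    if n not in (4, 16) or len(payload) != _HEADER.size + n:
        return None
    return page_id, str(ipaddress.ip_address(payload[_HEADER.size:])), when

def harvester_report(spam_recipients):
    """Group incoming spam by the harvester IP that collected each trap address."""
    report = {}
    for rcpt in spam_recipients:
        tag = decode_address(rcpt)
        if tag is not None:
            report.setdefault(tag[1], set()).add(tag[0])
    return report
```

Because the MAC binds the visit data, the trap domain's mail handler can accept every local part (a catch-all) and still separate genuine harvested addresses from dictionary attacks and typos; the time field also gives the delay between harvesting and first spam, a figure Project Honey Pot publishes for its own traps.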
===Database honeypot=== |
Databases often get attacked by intruders using [[SQL injection]]. As such activities are not recognized by basic firewalls, companies often use database firewalls for protection. Some of the available [[SQL database]] firewalls provide/support honeypot architectures so that the intruder runs against a trap database while the web application remains functional.<ref>{{cite web|url=http://www.dbcoretech.com/?p=453|archive-url=https://web.archive.org/web/20120308171843/http://www.dbcoretech.com/?p=453|title=Secure Your Database Using Honeypot Architecture|archive-date=March 8, 2012|date=August 13, 2010|publisher=dbcoretech.com}}</ref> |
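
A query-routing trap of the kind just described, as an added example that is not any vendor's database firewall: the proxy allowlists the shapes of the application's own queries and diverts anything else to a decoy database, so an injected statement runs against bait while the application keeps working against the real data. The schema, rows, learned queries and probes are constructed for this example; both databases are in-memory SQLite.

```python
"""Query-shape database firewall with a trap database (added example; no vendor product).
The proxy learns the shapes of the queries the web application legitimately
issues (literals replaced by placeholders).  A statement whose shape is
unknown, such as one that an injected  ' OR '1'='1  has reshaped, is logged
and run against a trap database of decoy rows; known shapes reach the real
database, so the application keeps working and the intruder sees only bait.
"""
import re
import sqlite3

# String literals (with '' escapes) and bare numbers become the placeholder "?".
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")

def normalize(sql):
    """Reduce a statement to its shape: placeholders for literals, single spaces, lowercase."""
    shape = _LITERAL.sub("?", sql)
    return re.sub(r"\s+", " ", shape).strip().rstrip(";").lower()

class DbFirewall:
    def __init__(self, prod, trap):
        self.prod, self.trap = prod, trap
        self.allowed = set()   # shapes recorded during the learning phase
        self.alerts = []       # every statement diverted to the trap

    def learn(self, sql):
        """Record a query shape the application is known to issue."""
        self.allowed.add(normalize(sql))

    def execute(self, sql, client="webapp"):
        """Route by shape; returns (target, rows) so callers can see where it went."""
        shape = normalize(sql)
        if shape in self.allowed:
            return "prod", self.prod.execute(sql).fetchall()
        self.alerts.append({"client": client, "sql": sql, "shape": shape})
        try:
            return "trap", self.trap.execute(sql).fetchall()
        except sqlite3.Error:
            return "trap", []  # malformed probe: still logged, nothing leaks

def build_demo():
    """Constructed production and trap databases plus a learned allowlist."""
    schema = "CREATE TABLE users(id INTEGER, name TEXT, pwhash TEXT);"
    prod = sqlite3.connect(":memory:")
    prod.executescript(schema + "INSERT INTO users VALUES (1,'alice','real-hash-1'),(2,'bob','real-hash-2');")
    trap = sqlite3.connect(":memory:")
    trap.executescript(schema + "INSERT INTO users VALUES (1001,'admin','decoy-hash-1'),(1002,'backup_svc','decoy-hash-2');")
    fw = DbFirewall(prod, trap)
    fw.learn("SELECT id, name FROM users WHERE name = 'placeholder'")
    fw.learn("SELECT COUNT(*) FROM users")
    return fw
```

The caveat a practitioner will want: a shape allowlist is only as good as the learning corpus, so the learning phase must exercise every application code path, or rare but legitimate queries will end up answered from the trap. Decoy credentials in the trap rows are also the natural place to plant canaries; a login attempt with one of them is a high-confidence alert.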
=== Industrial Control Systems honeypot === |
[[Industrial control system|Industrial Control Systems]] (ICS) are often the target of cyberattacks.<ref>{{Cite journal |last=Langner |first=Ralph |date=May 2011 |title=Stuxnet: Dissecting a Cyberwarfare Weapon |url=https://ieeexplore.ieee.org/document/5772960 |journal=IEEE Security & Privacy |volume=9 |issue=3 |pages=49–51 |doi=10.1109/MSP.2011.67 |s2cid=206485737 |issn=1558-4046}}</ref> Among the main targets within ICS are [[Programmable logic controller|Programmable Logic Controllers]].<ref>{{Cite journal |last1=Stouffer |first1=Keith |last2=Falco |first2=Joe |last3=Scarfone |first3=Karen |date=June 2011 |title=Guide to Industrial Control Systems (ICS) Security - Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) |url=http://dx.doi.org/10.6028/nist.sp.800-82|website=NIST Publications|number=NIST Special Publication (SP) 800-82 |location=Gaithersburg, MD|doi=10.6028/nist.sp.800-82|pages=155 pages|doi-access=free}}</ref> In order to understand intruders' techniques in this context, several honeypots have been proposed. Conpot<ref>{{Cite book |last1=Jicha |first1=Arthur |last2=Patton |first2=Mark |last3=Chen |first3=Hsinchun |title=2016 IEEE Conference on Intelligence and Security Informatics (ISI) |chapter=SCADA honeypots: An in-depth analysis of Conpot |date=September 2016 |chapter-url=https://ieeexplore.ieee.org/document/7745468 |pages=196–198 |doi=10.1109/ISI.2016.7745468|isbn=978-1-5090-3865-7 |s2cid=14996905 }}</ref><ref>{{Citation |title=Conpot |date=2023-06-23 |url=https://github.com/mushorg/conpot |access-date=2023-06-24 |publisher=MushMush}}</ref> is a low-interaction honeypot capable of simulating Siemens PLCs.
HoneyPLC is a medium-interaction honeypot that can simulate Siemens, Rockwell and other PLC brands.<ref>{{Cite book |last1=López-Morales |first1=Efrén |title=Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security |last2=Rubio-Medrano |first2=Carlos |last3=Doupé |first3=Adam |last4=Shoshitaishvili |first4=Yan |last5=Wang |first5=Ruoyu |last6=Bao |first6=Tiffany |last7=Ahn |first7=Gail-Joon |date=2020-11-02 |publisher=Association for Computing Machinery |isbn=978-1-4503-7089-9 |series=CCS '20 |location=New York, NY, USA |pages=279–291 |chapter=HoneyPLC: A Next-Generation Honeypot for Industrial Control Systems |doi=10.1145/3372297.3423356 |hdl=2286/R.I.57069 |author-link7=Gail-Joon Ahn |chapter-url=https://dl.acm.org/doi/10.1145/3372297.3423356 |s2cid=226228191}}</ref><ref>{{Citation |title=HoneyPLC |date=2023-05-24 |url=https://github.com/sefcom/honeyplc |access-date=2023-06-24 |publisher=SEFCOM}}</ref>
== Honeypot detection == |
Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed counter-weapons. Because detection systems would likely use unique characteristics of specific honeypots to identify them, such as the property-value pairs of a default honeypot configuration,<ref>{{cite conference |title=Review and Analysis of [[Cowrie (honeypot)|Cowrie]] Artefacts and Their Potential to be Used Deceptively |last1=Cabral |first1=Warren |last2=Valli |first2=Craig | last3=Sikos | first3=Leslie | last4=Wakeling |first4=Samuel |date=2019 |publisher=IEEE |book-title=Proceedings of the 2019 International Conference on Computational Science and Computational Intelligence |pages=166–171 |doi=10.1109/CSCI49370.2019.00035|isbn=978-1-7281-5584-5 }}</ref> many honeypots in use present a set of characteristics large and varied enough to daunt those seeking to detect and thereby identify them. This is an unusual circumstance in software: a situation in which [[wikt:Special:Search/versionitis|"versionitis"]] (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There is also an advantage in having some easy-to-detect honeypots deployed. [[Fred Cohen]], the inventor of the [[Deception Toolkit]], argues that every system running his honeypot should have a deception port which adversaries can use to detect the honeypot.<ref name="dtk">{{cite web|title=Deception Toolkit|url=http://all.net/dtk/index.html|work=All.net|access-date=14 June 2013|year=2013}}</ref> Cohen believes that this might deter adversaries. Honeypots also allow for early detection of genuine threats: however the honeypot detects the exploit, it can alert the operator immediately to the attempted attack.<ref>{{Cite book |date=2005 |title=Honeypots for Windows |url=http://dx.doi.org/10.1007/978-1-4302-0007-9 |doi=10.1007/978-1-4302-0007-9|isbn=978-1-59059-335-6 }}</ref>
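
Both sides of this argument, as an added example rather than any real honeypot's code: score_host() matches observed properties against default property-value pairs the way an attacker's scanner would, and personalize() derives a deployment-specific identity from a secret so that a fleet of sensors shows the "versionitis" the text describes, with Cohen's deliberately detectable deception port kept optional. The fingerprint table, the banner pool and the hostname scheme are constructed for illustration and are not taken from any honeypot's shipped configuration; port 365 is assumed here to be the Deception Toolkit's port.

```python
"""Fingerprinting a honeypot by its defaults, and the "versionitis" countermeasure
(added example; KNOWN_DEFAULTS, BANNER_POOL and HOST_WORDS are constructed values).
score_host() is the attacker's side: compare what a scanner observed with the
property-value pairs a stock install of known honeypot software exposes.
personalize() is the defender's side: derive banner and hostname per deployment
from a secret seed, so no two sensors share the stock fingerprint, while an
intentionally detectable deception port can be kept for Cohen's deterrent.
"""
import hashlib
import random

# Constructed table: honeypot software -> properties a stock install exposes.
KNOWN_DEFAULTS = {
    "example-ssh-honeypot": {"banner": "SSH-2.0-OpenSSH_5.1p1 Debian-5", "hostname": "srv01"},
    "example-telnet-honeypot": {"banner": "Welcome to EmbyLinux 3.13.0", "hostname": "ubuntu"},
    "example-web-honeypot": {"server": "Apache/2.2.22 (Debian)", "title": "Index of /"},
}
BANNER_POOL = ["SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2", "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
               "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1", "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2"]
HOST_WORDS = (["db", "app", "build", "jump", "nas", "mail"], ["prod", "stage", "dev", "lab"])
DECEPTION_PORT = 365  # assumed: the Deception Toolkit's advertised port, easy to detect on purpose

def score_host(observed):
    """(software, fraction of its default properties matched), best match first."""
    hits = []
    for name, defaults in KNOWN_DEFAULTS.items():
        matched = sum(1 for k, v in defaults.items() if observed.get(k) == v)
        if matched:
            hits.append((name, matched / len(defaults)))
    return sorted(hits, key=lambda h: -h[1])

def personalize(deployment_id, secret, deception_port=False):
    """Stable per-deployment identity: the same id and secret survive a restart unchanged."""
    seed = hashlib.sha256(secret + b"|" + deployment_id.encode()).digest()
    rng = random.Random(seed)  # seeded PRNG: deterministic, never the stock value
    role, env = rng.choice(HOST_WORDS[0]), rng.choice(HOST_WORDS[1])
    identity = {"banner": rng.choice(BANNER_POOL),
                "hostname": f"{role}-{env}{rng.randrange(1, 40):02d}"}
    if deception_port:
        identity["deception_port"] = DECEPTION_PORT
    return identity

def fleet_diversity(ids, secret):
    """Fraction of sensors whose (banner, hostname) pair is unique within the fleet."""
    pairs = {(p["banner"], p["hostname"]) for p in (personalize(i, secret) for i in ids)}
    return len(pairs) / len(ids)
```

The score is what an adversary's scanner computes; personalization is what keeps it at zero. The same idea extends to every static property a honeypot exposes (host keys, file-system listings, fake user names), and the hard part in practice is the inventory of such properties, which the Cowrie analysis cited above is an example of.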
== Risks == |
The goal of honeypots is to attract and engage attackers for a sufficiently long period to obtain high-level [[Indicator of compromise|Indicators of Compromise]] (IoC) such as attack tools and [[Terrorist Tactics, Techniques, and Procedures|Tactics, Techniques, and Procedures]] (TTPs). Thus, a honeypot needs to emulate essential services in the production network and grant the attacker the freedom to perform adversarial activities to increase its attractiveness to the attacker. Although the honeypot is a controlled environment and can be monitored by using tools such as honeywall,<ref>{{Cite web|title=Honeywall CDROM – The Honeynet Project|url=https://www.honeynet.org/projects/old/honeywall-cdrom/|access-date=2020-08-07|language=en-US|archive-date=2022-10-11|archive-url=https://web.archive.org/web/20221011002345/https://www.honeynet.org/projects/old/honeywall-cdrom/|url-status=dead}}</ref> attackers may still be able to use some honeypots as pivot nodes to penetrate production systems.<ref>{{Cite book|author=Spitzner, Lance|title=Honeypots Tracking Hackers|date=2002|publisher=Addison-Wesley Professional|oclc=1153022947}}</ref> |
A second risk is that honeypots may attract legitimate users, because of poor communication in large enterprise networks. For example, the security team that deploys and monitors the honeypot may not disclose its location to all users in time, whether through a lack of communication or deliberately, in order to catch insider threats.<ref>{{Cite journal|last1=Qassrawi|first1=Mahmoud T.|author2=Hongli Zhang|date=May 2010|title=Client honeypots: Approaches and challenges|url=https://ieeexplore.ieee.org/document/5488508|journal=4th International Conference on New Trends in Information Science and Service Science|pages=19–25}}</ref><ref>{{Cite web|title=illusive networks: Why Honeypots are Stuck in the Past {{!}} NEA {{!}} New Enterprise Associates|url=https://www.nea.com/blog/illusive-networks-why-honeypots-are-stuck-in-the-past|access-date=2020-08-07|website=www.nea.com}}</ref>
{{Quote box
|quote="A 'honey net' is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated."
|author = -Lance Spitzner
|source = <br />[[Honeynet Project]]
|salign = right
}}
Two or more honeypots on a network form a ''honey net''. Typically, a honey net is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honey nets and honeypots are usually implemented as parts of larger [[network intrusion detection system]]s. A ''honey farm'' is a centralized collection of honeypots and analysis tools.<ref>{{cite web |url=http://www.reouterhelpsupport.com/cisco-customer-service.php |title=cisco router Customer support |publisher=Clarkconnect.com |access-date=2015-07-31 |archive-url=https://web.archive.org/web/20170116043827/http://www.reouterhelpsupport.com/cisco-customer-service.php |archive-date=2017-01-16 |url-status=dead }}</ref> |
The concept of the honey net first began in 1999 when Lance Spitzner, founder of the [[Honeynet Project]], published the paper "To Build a Honeypot".<ref>{{cite web|title=Know Your Enemy: GenII Honey Nets Easier to deploy, harder to detect, safer to maintain.|url=http://old.honeynet.org/papers/gen2/|date=12 May 2005|work=Honeynet Project|url-status=dead|archive-url=https://web.archive.org/web/20090125224729/http://old.honeynet.org/papers/gen2/|archive-date=25 January 2009|access-date=14 June 2013}}</ref>
||
== History == |
|||
An early formulation of the concept, called "entrapment", is defined in [[Federal Information Processing Standard|FIPS]] 39 (1976) as "the deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit".<ref>{{cite web|url=https://www.govinfo.gov/content/pkg/GOVPUB-C13-18320c963d272d740d6dffce808fce3d/pdf/GOVPUB-C13-18320c963d272d740d6dffce808fce3d.pdf|title=National Bureau of Standards (February 15, 1976). Glossary for Computer Systems Security.|website=www.govinfo.gov|access-date= 19 Mar 2023}}</ref> |
|||
The earliest honeypot techniques are described in [[Clifford Stoll]]'s 1989 book ''[[The Cuckoo's Egg]]''. |
|||
One of the earliest documented cases of the cybersecurity use of a honeypot began in January 1991. On January 7, 1991, while he worked at AT&T Bell Laboratories Cheswick observed a criminal hacker, known as a [[Security hacker#Cracker|cracker]], attempting to obtain a copy of a password file. Cheswick wrote that he and colleagues constructed a "chroot "Jail" (or "roach motel")" which allowed them to observe their attacker over a period of several months.<ref>{{cite web|url=http://cheswick.com/ches/papers/berferd.pdf|title=An Evening with BerferdIn Which a Cracker is Lured, Endured, and Studied|website=cheswick.com|access-date= 3 Feb 2021}}</ref> |
|||
In 2017, [[Dutch police]] used honeypot techniques to track down users of the [[darknet market]] [[Hansa (market)|Hansa]]. |
|||
⚫ | The concept of the honey net first began in 1999 when Lance Spitzner, founder of the [[Honeynet Project]], published the paper "To Build a Honeypot".<ref>{{cite web|title=Know Your Enemy: GenII Honey Nets Easier to deploy, harder to detect, safer to maintain.|url=http://old.honeynet.org/papers/gen2/| |
||
⚫ | The metaphor of a bear being attracted to and stealing honey is common in many traditions, including Germanic, Celtic, and Slavic. A common Slavic word for the bear is ''medved'' "honey eater". The tradition of bears stealing honey has been passed down through stories and folklore, especially the well known [[Winnie the Pooh]].<ref>{{cite web |url=http://www.pitt.edu/~votruba/qsonhist/bearetymologyslovakenglishwelsh.html |title=The word for "bear" |website=Pitt.edu |access-date=12 Sep 2014 |archive-date=29 September 2013 |archive-url=https://web.archive.org/web/20130929171327/http://www.pitt.edu/~votruba/qsonhist/bearetymologyslovakenglishwelsh.html |url-status=dead }}</ref><ref>Shepard, E. H., Milne, A. A. (1994). The Complete Tales of Winnie-the-Pooh. United Kingdom: Dutton Children's Books.</ref> |
||
==Metaphor== |
|||
⚫ | The metaphor of a bear being attracted to and stealing honey is common in many traditions, including Germanic and Slavic. |
||
==See also== |
== See also == |
||
* [[Canary trap]] |
* [[Canary trap]] |
||
* [[Client honeypot]] |
* [[Client honeypot]] |
||
* [[Cowrie (honeypot)|Cowrie]] |
|||
* [[Defense strategy (computing)]] |
|||
* [[HoneyMonkey]] |
* [[HoneyMonkey]] |
||
* [[Honeytoken]] |
* [[Honeytoken]] |
||
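Review bot: the moved honey net sentence still cites a source whose title and date do not match the claim it supports: the text says Spitzner published "To Build a Honeypot" in 1999, but the footnote is the Honeynet Project's "Know Your Enemy: GenII Honey Nets" dated 12 May 2005; either cite the 1999 paper itself or reword the sentence to match the cited source. The honey farm sentence in the same hunk cites a "cisco router Customer support" page on Clarkconnect.com, which cannot support a definition of honey farms; Spitzner's book, already listed under Further reading, would be a better reference.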
Line 88: | Line 114: | ||
* [[Tarpit (networking)|Tarpit]] |
* [[Tarpit (networking)|Tarpit]] |
||
==References and notes== |
== References and notes == |
||
{{ |
{{Reflist}} |
||
==Further reading== |
== Further reading == |
||
* {{cite book|title=Honeypots tracking hackers|author=Lance Spitzner|publisher=[[Addison-Wesley]]|isbn=0-321-10895-7|year=2002}} |
* {{cite book|title=Honeypots tracking hackers|author=Lance Spitzner|publisher=[[Addison-Wesley]]|isbn=0-321-10895-7|year=2002}} |
||
* {{cite book|title=[[Reverse Deception: Organized Cyber Threat Counter-Exploitation]]|author=Sean Bodmer |
* {{cite book|title=[[Reverse Deception: Organized Cyber Threat Counter-Exploitation]]|author=Sean Bodmer|author2=Max Kilger|author3=Gregory Carpenter|author4=Jade Jones|publisher=[[McGraw-Hill Education]]|isbn=978-0-07-177249-5|year=2012}} |
||
==External links== |
== External links == |
||
* [https://rootsh3ll.com/ultimate-fake-access-point-walkthrough/ The Ultimate Fake Access Point] {{Webarchive|url=https://web.archive.org/web/20210225223201/https://rootsh3ll.com/ultimate-fake-access-point-walkthrough/ |date=2021-02-25 }} - AP less clear-text WPA2 passphrase hacking |
|||
* [http://projects.webappsec.org/enwiki/w/page/29606603/Distributed%20Web%20Honeypots Distributed Open Proxy Honeypots Project: WASC] |
* [http://projects.webappsec.org/enwiki/w/page/29606603/Distributed%20Web%20Honeypots Distributed Open Proxy Honeypots Project: WASC] |
||
* [http://www.sans.org/resources/idfaq/honeypot3.php SANS Institute: What is a Honey Pot?] |
* [https://web.archive.org/web/20090918210959/http://www.sans.org/resources/idfaq/honeypot3.php SANS Institute: What is a Honey Pot?] |
||
* [http://www.sans.org/reading_room/whitepapers/detection/fundamental-honeypotting_2054 SANS Institute: Fundamental Honeypotting] |
* [http://www.sans.org/reading_room/whitepapers/detection/fundamental-honeypotting_2054 SANS Institute: Fundamental Honeypotting] |
||
* [http://blog.simwood.com/2011/09/an-introduction-to-the-simwood-sip-honeypots/ Simwood eSMS SIP Honeypot Project] |
|||
* [http://www.grc.com/securitynow.htm PodCast – Episode #2: "HoneyMonkeys"] from [[Security Now!]] |
|||
* [http://www.projecthoneypot.org/ Project Honeypot] |
* [http://www.projecthoneypot.org/ Project Honeypot] |
||
* [https://github.com/paralax/awesome-honeypots#honeypots/ A curated list of honeypots, tools and components focused on open source projects] |
|||
* [http://www.honeynet.org The Honeynet Project] |
|||
{{Malware}} |
{{Malware}} |
||
{{DEFAULTSORT:Honeypot (Computing)}} |
|||
[[Category:Computer network security]] |
[[Category:Computer network security]] |
||
[[Category:Spamming]] |
[[Category:Spamming]] |
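Review bot: the new External links entry "The Ultimate Fake Access Point ... AP less clear-text WPA2 passphrase hacking" describes a credential-capture technique rather than a honeypot deployed to detect or study attackers, so it does not fit an article about honeypots as a defensive mechanism; consider dropping it or replacing it with a link on honeypot deployment.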
Latest revision as of 22:26, 8 November 2024
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site which contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.[1]
The main use for this network decoy is to distract potential attackers from more important information and machines on the real network, learn about the forms of attacks they can suffer, and examine such attacks during and after the exploitation of a honeypot. It provides a way to observe, and so to prevent the exploitation of, vulnerabilities in a specific network system. A honeypot is a decoy used to protect a network from present or future attacks.[2][3] Honeypots derive their value from being used by attackers; if not interacted with, a honeypot has little to no value. Honeypots can be used for everything from slowing down or stopping automated attacks and capturing new exploits to gathering intelligence on emerging threats for early warning and prediction.[4]
Types
Honeypots can be differentiated based on whether they are physical or virtual:[2][3]
- Physical honeypot: a real machine with its own IP address that simulates the behaviors modeled by the system. This modality is used less often because of the high price of acquiring new machines, their maintenance, and the complication of configuring specialized hardware.[2][3]
- Virtual honeypot: this type of honeypot allows one to install and simulate hosts running different operating systems on the network, but to do so the TCP/IP stack of the target operating system must be simulated. This modality is more frequent.[2][3]
Honeypots can be classified based on their deployment (use/action) and based on their level of involvement. Based on deployment, honeypots may be classified as:[5]
- production honeypots
- research honeypots
Production honeypots are easy to use, capture only limited information, and are used primarily by corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots.[5]
Research honeypots are run to gather information about the motives and tactics of the black hat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats.[6] Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.[7]
Based on design criteria, honeypots can be classified as:[5]
- pure honeypots
- high-interaction honeypots
- low-interaction honeypots
Pure honeypots are full-fledged production systems. The attacker's activities are monitored using a bug tap installed on the honeypot's link to the network; no other software needs to be installed. Even though a pure honeypot is useful, a more controlled mechanism can better ensure the stealthiness of the defense mechanisms.
High-interaction honeypots imitate the activities of production systems that host a variety of services, so an attacker may be allowed a lot of services on which to waste their time. By employing virtual machines, multiple honeypots can be hosted on a single physical machine, so even if a honeypot is compromised it can be restored more quickly. In general, high-interaction honeypots provide more security by being difficult to detect, but they are expensive to maintain. If virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive. Example: Honeynet.
Low-interaction honeypots simulate only the services frequently requested by attackers.[8] Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security. Example: Honeyd. This type of honeypot was one of the first types created, in the late nineties, and was mainly used for detecting attacks, not studying them.[9]
Sugarcane is a type of honeypot that masquerades as an open proxy.[10] It can often take form as a server designed to look like a misconfigured HTTP proxy.[11] Probably the most famous open proxy was the default configuration of sendmail (before version 8.9.0 in 1998) which would forward email to and from any destination.[12]
Deception technology
Recently, a new market segment called deception technology has emerged using basic honeypot technology with the addition of advanced automation for scale. Deception technology addresses the automated deployment of honeypot resources over a large commercial enterprise or government institution.[13]
Malware honeypots
A malware honeypot is a decoy designed to intentionally attract malicious software. It does this by imitating a vulnerable system or network, such as a web server. The honeypot is intentionally set up with security flaws that look to invite these malware attacks. Once attacked, IT teams can analyze the malware to better understand where it comes from and how it acts.[14]
Spam versions
Spammers abuse vulnerable resources such as open mail relays and open proxies. These are servers that accept e-mail from anyone on the Internet—including spammers—and send it to its destination. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity.
There are several capabilities such honeypots provide to these administrators, and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high-volume abuse (e.g., spammers).
These honeypots can reveal the abuser's IP address and provide bulk spam capture (which enables operators to determine spammers' URLs and response mechanisms). As described by M. Edwards at ITPRo Today:
Typically, spammers test a mail server for open relaying by simply sending themselves an email message. If the spammer receives the email message, the mail server obviously allows open relaying. Honeypot operators, however, can use the relay test to thwart spammers. The honeypot catches the relay test email message, returns the test email message, and subsequently blocks all other email messages from that spammer. Spammers continue to use the antispam honeypot for spamming, but the spam is never delivered. Meanwhile, the honeypot operator can notify spammers' ISPs and have their Internet accounts canceled. If honeypot operators detect spammers who use open-proxy servers, they can also notify the proxy server operator to lock down the server to prevent further misuse.[15]
The apparent source may be another abused system. Spammers and other abusers may use a chain of such abused systems to make detection of the original starting point of the abuse traffic difficult.
This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult.
Spam still flows through open relays, but the volume is much smaller than in 2001-02. While most spam originates in the U.S.,[16] spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages.
Open-relay honeypots include Jackpot, written in Java by Jack Cleaver; smtpot.py, written in Python by Karl A. Krueger;[17] and spamhole, written in C.[18] The Bubblegum Proxypot is an open-source honeypot (or "proxypot").[19]
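The relay-test behaviour Edwards describes, as an added example that is not code from the article or from Jackpot, smtpot.py, spamhole or any other honeypot it names: a minimal model of an anti-spam open-relay honeypot that returns the spammer's relay test so the relay looks open, then accepts but never delivers later mail from that source and keeps it for analysis. The local domain, hosts and messages are constructed.

```python
"""Added example: model of the anti-spam open-relay honeypot described above.
The honeypot pretends to be an open relay, recognises a relay test (a message
relayed back to the sender's own address), hands that test message back so the
relay appears open, and from then on accepts but never delivers mail from that
source. All hosts, addresses and messages below are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Message:
    client_ip: str   # connecting host
    mail_from: str   # SMTP envelope sender
    rcpt_to: str     # SMTP envelope recipient
    body: str


@dataclass
class RelayHoneypot:
    local_domain: str   # the only domain whose mail is really delivered
    # source IPs caught testing for open relay -> sender address they used
    flagged: Dict[str, str] = field(default_factory=dict)
    # relayed mail accepted but never delivered, kept for analysis
    captured: List[Message] = field(default_factory=list)
    # mail for local users, handled as a normal MTA would
    delivered: List[Message] = field(default_factory=list)
    # relay-test messages returned to the tester so the relay "looks open"
    returned_tests: List[Message] = field(default_factory=list)

    def _is_relay_attempt(self, msg: Message) -> bool:
        # Anything not addressed to a local mailbox would have to be relayed.
        return not msg.rcpt_to.lower().endswith("@" + self.local_domain.lower())

    def _is_relay_test(self, msg: Message) -> bool:
        # Spammers test a relay by sending a message to themselves through it.
        return self._is_relay_attempt(msg) and msg.mail_from.lower() == msg.rcpt_to.lower()

    def handle(self, msg: Message) -> str:
        """Process one message and return the action taken."""
        if not self._is_relay_attempt(msg):
            self.delivered.append(msg)
            return "delivered-local"
        if msg.client_ip in self.flagged:
            # Known tester: accept the relay spam but decline to deliver it.
            self.captured.append(msg)
            return "captured"
        if self._is_relay_test(msg):
            # Let the test succeed so the spammer believes the relay is open.
            self.flagged[msg.client_ip] = msg.mail_from
            self.returned_tests.append(msg)
            return "relay-test-returned"
        # Relay attempt from a source that never tested: still not relayed.
        self.captured.append(msg)
        return "captured"

    def abuse_report(self) -> Dict[str, int]:
        """Captured-message count per flagged source, for notifying its ISP."""
        counts: Dict[str, int] = {ip: 0 for ip in self.flagged}
        for msg in self.captured:
            if msg.client_ip in counts:
                counts[msg.client_ip] += 1
        return counts


def demo() -> List[str]:
    """Constructed traffic: a relay test, two spam messages, then local mail."""
    hp = RelayHoneypot(local_domain="honeypot.example")
    traffic = [
        Message("198.51.100.7", "spammer@mail.example.net",
                "spammer@mail.example.net", "relay test"),
        Message("198.51.100.7", "promo@mail.example.net",
                "victim1@example.org", "buy now"),
        Message("198.51.100.7", "promo@mail.example.net",
                "victim2@example.org", "buy now"),
        Message("203.0.113.5", "friend@example.org",
                "admin@honeypot.example", "hello"),
    ]
    return [hp.handle(m) for m in traffic]


if __name__ == "__main__":
    print(demo())   # ['relay-test-returned', 'captured', 'captured', 'delivered-local']
```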
Email trap
An email address that is not used for any other purpose than to receive spam can also be considered a spam honeypot. Compared with the term "spamtrap", the term "honeypot" might be more suitable for systems and techniques that are used to detect or counterattack probes. With a spamtrap, spam arrives at its destination "legitimately"—exactly as non-spam email would arrive.
An amalgam of these techniques is Project Honey Pot, a distributed, open-source project that uses honeypot pages installed on websites around the world. These honeypot pages disseminate uniquely tagged spamtrap email addresses and spammers can then be tracked—the corresponding spam mail is subsequently sent to these spamtrap e-mail addresses.[20]
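The tagged-spamtrap idea behind Project Honey Pot, as an added example that is not the project's own code: a honeypot page hands each visitor a uniquely tagged address, and spam later arriving at that address is traced back to the harvesting visit. The tag carries an HMAC so that mail to guessed or altered addresses at the trap domain is rejected as forged instead of being attributed to the wrong visit; the domain trap.example, the secret, the address layout info-<id>-<tag>@domain and the visits are all constructed.

```python
"""Added example: uniquely tagged spamtrap addresses that tie incoming spam back
to the harvesting visit that collected them. Not Project Honey Pot's code; the
domain, key, address format and visit records are constructed for this example."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

TAG_LEN = 12   # hex characters of HMAC-SHA256 kept in the address


@dataclass(frozen=True)
class HarvestVisit:
    visitor_ip: str
    user_agent: str
    seen_at: str   # ISO 8601 timestamp of the page fetch


class SpamtrapRegistry:
    """Issues tagged spamtrap addresses and attributes incoming spam to visits."""

    def __init__(self, domain: str, secret: bytes) -> None:
        self.domain = domain.lower()
        self.secret = secret
        self.visits: Dict[str, HarvestVisit] = {}   # visit id -> visit record

    def _mac(self, visit_id: str) -> str:
        return hmac.new(self.secret, visit_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

    def issue_address(self, visit: HarvestVisit) -> str:
        """Address embedded in the honeypot page served to this visitor."""
        visit_id = f"{len(self.visits) + 1:06d}"   # sequential id; the MAC makes it unforgeable
        self.visits[visit_id] = visit
        return f"info-{visit_id}-{self._mac(visit_id)}@{self.domain}"

    def attribute_spam(self, rcpt_to: str) -> Optional[HarvestVisit]:
        """Map a spam recipient back to the harvesting visit, or None if the
        address was not issued by us (wrong domain, wrong shape, forged tag)."""
        local, _, domain = rcpt_to.strip().lower().partition("@")
        if domain != self.domain:
            return None
        parts = local.split("-")
        if len(parts) != 3 or parts[0] != "info":
            return None
        visit_id, mac = parts[1], parts[2]
        if len(mac) != TAG_LEN or not mac.isascii():
            return None
        if not hmac.compare_digest(mac, self._mac(visit_id)):
            return None   # dictionary attack or tampered address, not a harvested one
        return self.visits.get(visit_id)


def demo() -> Dict[str, Optional[str]]:
    """Two constructed harvesting visits, then three incoming spam recipients."""
    reg = SpamtrapRegistry("trap.example", b"constructed-demo-secret")
    a = reg.issue_address(HarvestVisit("198.51.100.23", "crawler/1.0", "2024-01-05T10:00:00Z"))
    b = reg.issue_address(HarvestVisit("203.0.113.77", "Mozilla/5.0", "2024-01-06T11:30:00Z"))
    guessed = "info-000001-000000000000@trap.example"   # dictionary-style guess
    results: Dict[str, Optional[str]] = {}
    for rcpt in (a, b, guessed):
        visit = reg.attribute_spam(rcpt)
        results[rcpt] = visit.visitor_ip if visit else None
    return results


if __name__ == "__main__":
    for rcpt, origin in demo().items():
        print(f"{rcpt} -> {origin}")
```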
Database honeypot
Databases often get attacked by intruders using SQL injection. As such activities are not recognized by basic firewalls, companies often use database firewalls for protection. Some of the available SQL database firewalls provide/support honeypot architectures so that the intruder runs against a trap database while the web application remains functional.[21]
Industrial Control Systems honeypot
Industrial Control Systems (ICS) are often the target of cyberattacks.[22] One of the main targets within ICS are Programmable Logic Controllers.[23] In order to understand intruders' techniques in this context, several honeypots have been proposed. Conpot[24][25] is a low-interaction honeypot capable of simulating Siemens PLCs. HoneyPLC is a medium-interaction honeypot that can simulate Siemens, Rockwell and other PLC brands.[26][27]
Honeypot detection
Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed counter-weapons. As detection systems would likely use unique characteristics of specific honeypots to identify them, such as the property-value pairs of default honeypot configuration,[28] many honeypots in use utilise a set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software; a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, argues that every system running his honeypot should have a deception port which adversaries can use to detect the honeypot.[29] Cohen believes that this might deter adversaries. Honeypots also allow for early detection of legitimate threats. No matter how the honeypot detects the exploit, it can alert you immediately to the attempted attack.[30]
Risks
The goal of honeypots is to attract and engage attackers for a sufficiently long period to obtain high-level Indicators of Compromise (IoC) such as attack tools and Tactics, Techniques, and Procedures (TTPs). Thus, a honeypot needs to emulate essential services in the production network and grant the attacker the freedom to perform adversarial activities to increase its attractiveness to the attacker. Although the honeypot is a controlled environment and can be monitored by using tools such as honeywall,[31] attackers may still be able to use some honeypots as pivot nodes to penetrate production systems.[32]
The second risk of honeypots is that they may attract legitimate users due to a lack of communication in large-scale enterprise networks. For example, the security team who applies and monitors the honeypot may not disclose the honeypot location to all users in time due to the lack of communication or the prevention of insider threats.[33][34]
Honey nets
"A 'honey net' is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated."
Honeynet Project
Two or more honeypots on a network form a honey net. Typically, a honey net is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honey nets and honeypots are usually implemented as parts of larger network intrusion detection systems. A honey farm is a centralized collection of honeypots and analysis tools.[35]
The concept of the honey net first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot".[36]
History
An early formulation of the concept, called "entrapment", is defined in FIPS 39 (1976) as "the deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit".[37]
The earliest honeypot techniques are described in Clifford Stoll's 1989 book The Cuckoo's Egg.
One of the earliest documented cases of the cybersecurity use of a honeypot began in January 1991. On January 7, 1991, while he worked at AT&T Bell Laboratories, Cheswick observed a criminal hacker, known as a cracker, attempting to obtain a copy of a password file. Cheswick wrote that he and colleagues constructed a chroot "jail" (or "roach motel") which allowed them to observe their attacker over a period of several months.[38]
In 2017, Dutch police used honeypot techniques to track down users of the darknet market Hansa.
The metaphor of a bear being attracted to and stealing honey is common in many traditions, including Germanic, Celtic, and Slavic. A common Slavic word for the bear is medved, "honey eater". The tradition of bears stealing honey has been passed down through stories and folklore, especially the well-known Winnie the Pooh.[39][40]
See also
- Canary trap
- Client honeypot
- Cowrie
- Defense strategy (computing)
- HoneyMonkey
- Honeytoken
- Network telescope
- Operation Trust
- Tarpit
References and notes
1. Cole, Eric; Northcutt, Stephen. "Honeypots: A Security Manager's Guide to Honeypots". Archived from the original on 16 March 2017.
2. Provos, N. "A Virtual Honeypot Framework". USENIX. Retrieved 29 April 2023.
3. Mairh, A; Barik, D; Verma, K; Jena, D (2011). "Honeypot in network security: A survey". Proceedings of the 2011 International Conference on Communication, Computing & Security - ICCCS '11. Vol. 1. pp. 600–605. doi:10.1145/1947940.1948065. ISBN 978-1-4503-0464-1. S2CID 12724269. Retrieved 29 April 2023.
4. Spitzner, L. (2003). "Honeypots: Catching the insider threat". 19th Annual Computer Security Applications Conference, 2003. Proceedings. IEEE. pp. 170–179. doi:10.1109/csac.2003.1254322. ISBN 0-7695-2041-3. S2CID 15759542.
5. Mokube, Iyatiti; Adams, Michele (March 2007). "Honeypots: Concepts, approaches, and challenges". Proceedings of the 45th annual southeast regional conference. pp. 321–326. doi:10.1145/1233341.1233399. ISBN 9781595936295. S2CID 15382890.
6. Lance Spitzner (2002). Honeypots tracking hackers. Addison-Wesley. pp. 68–70. ISBN 0-321-10895-7.
7. Katakoglu, Onur (2017-04-03). "Attacks Landscape in the Dark Side of the Web" (PDF). acm.org. Retrieved 2017-08-09.
8. Litchfield, Samuel; Formby, David; Rogers, Jonathan; Meliopoulos, Sakis; Beyah, Raheem (2016). "Rethinking the Honeypot for Cyber-Physical Systems". IEEE Internet Computing. 20 (5): 9–17. doi:10.1109/MIC.2016.103. ISSN 1089-7801. S2CID 1271662.
9. Göbel, Jan Gerrit; Dewald, Andreas; Freiling, Felix (2011). Client-Honeypots. doi:10.1524/9783486711516. ISBN 978-3-486-71151-6.
10. Talukder, Asoke K.; Chaitanya, Manish (17 December 2008). Architecting Secure Software Systems. CRC Press, Taylor & Francis Group. p. 25. ISBN 9781420087857.
11. "Exposing the Underground: Adventures of an Open Proxy Server". 21 March 2011.
12. "Capturing web attacks with open proxy honeypots". 3 July 2007.
13. "Deception related technology – it's not just a "nice to have", it's a new strategy of defense – Lawrence Pingree". 28 September 2016.
14. Praveen (2023-07-31). "What Is a Honeypot in Cybersecurity? Types, Implementation, and Real-World Applications". Cybersecurity Exchange. Retrieved 2023-12-05.
15. Edwards, M. "Antispam Honeypots Give Spammers Headaches". Windows IT Pro. Archived from the original on 1 July 2017. Retrieved 11 March 2015.
16. "Sophos reveals latest spam relaying countries". Help Net Security. 24 July 2006. Retrieved 14 June 2013.
17. "Honeypot Software, Honeypot Products, Deception Software". Intrusion Detection, Honeypots and Incident Handling Resources. Honeypots.net. 2013. Archived from the original on 8 October 2003. Retrieved 14 June 2013.
18. dustintrammell (27 February 2013). "spamhole – The Fake Open SMTP Relay Beta". SourceForge. Dice Holdings, Inc. Retrieved 14 June 2013.
19. Ec-Council (5 July 2009). Certified Ethical Hacker: Securing Network Infrastructure in Certified Ethical Hacking. Cengage Learning. pp. 3–. ISBN 978-1-4354-8365-1. Retrieved 14 June 2013.
20. "What is a honeypot?". IONOS Digital Guide. 8 August 2017. Retrieved 2022-10-14.
21. "Secure Your Database Using Honeypot Architecture". dbcoretech.com. August 13, 2010. Archived from the original on March 8, 2012.
22. Langner, Ralph (May 2011). "Stuxnet: Dissecting a Cyberwarfare Weapon". IEEE Security & Privacy. 9 (3): 49–51. doi:10.1109/MSP.2011.67. ISSN 1558-4046. S2CID 206485737.
23. Stouffer, Keith; Falco, Joe; Scarfone, Karen (June 2011). "Guide to Industrial Control Systems (ICS) Security - Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC)". NIST Special Publication (SP) 800-82. Gaithersburg, MD: NIST. 155 pages. doi:10.6028/nist.sp.800-82.
24. Jicha, Arthur; Patton, Mark; Chen, Hsinchun (September 2016). "SCADA honeypots: An in-depth analysis of Conpot". 2016 IEEE Conference on Intelligence and Security Informatics (ISI). pp. 196–198. doi:10.1109/ISI.2016.7745468. ISBN 978-1-5090-3865-7. S2CID 14996905.
25. Conpot. MushMush. 2023-06-23. Retrieved 2023-06-24.
26. López-Morales, Efrén; Rubio-Medrano, Carlos; Doupé, Adam; Shoshitaishvili, Yan; Wang, Ruoyu; Bao, Tiffany; Ahn, Gail-Joon (2020-11-02). "HoneyPLC: A Next-Generation Honeypot for Industrial Control Systems". Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. CCS '20. New York, NY, USA: Association for Computing Machinery. pp. 279–291. doi:10.1145/3372297.3423356. hdl:2286/R.I.57069. ISBN 978-1-4503-7089-9. S2CID 226228191.
27. HoneyPLC. SEFCOM. 2023-05-24. Retrieved 2023-06-24.
28. Cabral, Warren; Valli, Craig; Sikos, Leslie; Wakeling, Samuel (2019). "Review and Analysis of Cowrie Artefacts and Their Potential to be Used Deceptively". Proceedings of the 2019 International Conference on Computational Science and Computational Intelligence. IEEE. pp. 166–171. doi:10.1109/CSCI49370.2019.00035. ISBN 978-1-7281-5584-5.
29. "Deception Toolkit". All.net. 2013. Retrieved 14 June 2013.
30. Honeypots for Windows. 2005. doi:10.1007/978-1-4302-0007-9. ISBN 978-1-59059-335-6.
31. "Honeywall CDROM – The Honeynet Project". Archived from the original on 2022-10-11. Retrieved 2020-08-07.
32. Spitzner, Lance (2002). Honeypots Tracking Hackers. Addison-Wesley Professional. OCLC 1153022947.
33. Qassrawi, Mahmoud T.; Hongli Zhang (May 2010). "Client honeypots: Approaches and challenges". 4th International Conference on New Trends in Information Science and Service Science: 19–25.
34. "illusive networks: Why Honeypots are Stuck in the Past | NEA | New Enterprise Associates". www.nea.com. Retrieved 2020-08-07.
35. "cisco router Customer support". Clarkconnect.com. Archived from the original on 2017-01-16. Retrieved 2015-07-31.
36. "Know Your Enemy: GenII Honey Nets Easier to deploy, harder to detect, safer to maintain". Honeynet Project. 12 May 2005. Archived from the original on 25 January 2009. Retrieved 14 June 2013.
37. "National Bureau of Standards (February 15, 1976). Glossary for Computer Systems Security" (PDF). www.govinfo.gov. Retrieved 19 Mar 2023.
38. "An Evening with Berferd: In Which a Cracker is Lured, Endured, and Studied" (PDF). cheswick.com. Retrieved 3 Feb 2021.
39. "The word for "bear"". Pitt.edu. Archived from the original on 29 September 2013. Retrieved 12 Sep 2014.
40. Shepard, E. H.; Milne, A. A. (1994). The Complete Tales of Winnie-the-Pooh. United Kingdom: Dutton Children's Books.
Further reading
- Lance Spitzner (2002). Honeypots tracking hackers. Addison-Wesley. ISBN 0-321-10895-7.
- Sean Bodmer; Max Kilger; Gregory Carpenter; Jade Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill Education. ISBN 978-0-07-177249-5.
External links
- The Ultimate Fake Access Point (archived 2021-02-25 at the Wayback Machine) - AP less clear-text WPA2 passphrase hacking
- Distributed Open Proxy Honeypots Project: WASC
- SANS Institute: What is a Honey Pot?
- SANS Institute: Fundamental Honeypotting
- Project Honeypot
- A curated list of honeypots, tools and components focused on open source projects