Just as bears are always on the lookout for sweet treats like honey, hackers find themselves drooling over the thought of an inadequately protected server. While a hacker and the bear may not appear to have much in common, both are often associated with the image of a honeypot. In the IT world, honeypots are security mechanisms that administrators use to bait hackers, making them run their attacks on predetermined decoy sites or servers and, ideally, identifying the culprits in the process. Honeypots simulate network services or application programs in order to attract hackers and protect the real systems from damage. Generally, both client-side and server-based technologies can be used to set up honeypots.

  • Server-side honeypotting: the basic idea behind server-side honeypots is to confine attackers to isolated areas of an IT system and, in the process, keep them away from critical network components. Furthermore, honeypots offer the possibility to track hackers’ actions. To this end, honeypots simulate server applications that host one or more services (e.g. a web server) within the targeted network. If the hacker is fooled by the distraction and attempts to break into the system, the activity draws attention to the honeypot and sets off an alarm or countermeasures. In the ideal case, server honeypots deliver information on how automated or manual attacks proceed, so that administrators receive data enabling them to defend their systems against future attacks.
  • Client-side honeypotting: a client-side honeypot imitates application software that uses server services. A prime example of this technology is the simulation of a browser that seeks out and visits dubious websites in order to collect information on security risks. Should a visited page attack the browser or a browser plugin, the process is recorded. An evaluation of the collected data helps improve the simulated software.

Research institutes, public authorities, and the military use so-called research honeypots in order to find out information regarding new attack patterns and then make this information publicly available online for the benefit of the internet community. In companies, this type of security mechanism is used first and foremost to protect the company network. To this end, administrators install so-called production honeypots in network areas usually not addressed during normal operations, available to neither employees nor customers. The goal here is to steer attackers into more harmless areas by attracting them to simulated security gaps. Every attack on these normally inactive systems is then registered, monitored, and analyzed.

If multiple honeypots are combined in order to simulate an entire network, offering hackers a particularly attractive target, then this tactic is known as a ‘honeynet’.

How are honeypots implemented?

There are generally two different possibilities at administrators’ disposal for setting up honeypots: honeypots are either realized as physical systems or implemented on the basis of virtualization software:

  • Physical honeypot: physical honeypots involve independent computers that are connected to a network with their own addresses
  • Virtual honeypot: a virtual honeypot is a logical system that is assigned the physical resources of a computer through virtualization software

In both cases, the honeypot is isolated, meaning that attackers cannot attack the productive system from the decoy system.

Classifying honeypots

The goal of honeypots is to remain undetected. The longer an attacker can be deceived, the more information the system is able to accumulate on their strategy and methods. An important criterion used for classifying honeypots is the extent of interactivity with the attacker. In this context, one differentiates between server-side and client-side, as well as low-interaction and high-interaction honeypots.

  • Low-interaction honeypots: honeypots with lower levels of interaction are based on imitations of real systems or applications. Here, services and functions are only simulated to the extent that an attack can be carried out on them
  • High-interaction honeypots: honeypots with a high level of interactivity generally involve real systems that offer server services and must therefore be well guarded and secured. If a high-interaction honeypot is not properly isolated from the production system, then the system you are aiming to protect may be infiltrated. Another potentially hazardous possibility involves attacks being launched from the compromised honeypot onto other online servers.

Low-interaction server honeypot

The simplest version of a server honeypot is a single application that emulates (i.e. replicates) network services, including the connection set-up. Given that those attacking this type of honeypot are only able to interact with the simulated system in a limited way, the information that can be gathered about the attackers through low-interaction honeypots is relatively limited. Hackers are also generally able to expose these server honeypots relatively quickly. For this reason, this type of security mechanism is favored for detecting malware-based automated attacks. A well-known open-source solution with which low-interaction server honeypots can be set up is Honeyd.

  • Honeyd: published under the GPL, Honeyd allows administrators to create different virtual hosts in a computer network. It can be configured so that different server types are replicated, making it possible for an entire system, including the TCP/IP protocol stack, to be replicated. However, the software still counts among the low-interaction honeypots, given that Honeyd doesn’t simulate all system parameters, meaning that hackers are able to see through the system quickly. The software appears not to have been developed since 2008.
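As an added illustration of such a low-interaction server honeypot (example code written for this article, not part of Honeyd or any other project): a single Python program that emulates only the connection set-up and a Telnet-style login prompt, rejects every credential, never executes anything the client sends, and writes one JSON record per session to standard output. The banner text, the port 2323 and all names are constructed for the example.

```python
import json, socket, sys, threading

BANNER = b"Ubuntu 20.04 LTS\r\nlogin: "   # constructed decoy banner, not a real host
MAX_ATTEMPTS = 3                            # after this many failed logins the decoy hangs up

class LoginEmulator:
    """Fake Telnet-style login dialogue: accepts no credential, records every one."""

    def __init__(self, peer):
        self.record = {"peer": peer, "attempts": []}   # what gets logged per session
        self._user = None                              # pending user name, if any

    def feed(self, line):
        """Consume one client line; return the reply bytes, or None to close."""
        text = line.decode("utf-8", "replace").rstrip("\r\n")
        if self._user is None:            # first line of a pair is the user name
            self._user = text
            return b"Password: "
        self.record["attempts"].append({"user": self._user, "password": text})
        self._user = None
        if len(self.record["attempts"]) >= MAX_ATTEMPTS:
            return None
        return b"\r\nLogin incorrect\r\nlogin: "   # every login fails, by design

def handle(conn, addr, log):
    """One session: send the banner, feed each line to the emulator, log JSON."""
    emu = LoginEmulator(f"{addr[0]}:{addr[1]}")
    try:
        with conn, conn.makefile("rb") as reader:
            conn.settimeout(30)           # idle scanners must not pin a thread forever
            conn.sendall(BANNER)
            for line in reader:           # nothing here is ever executed, only recorded
                reply = emu.feed(line)
                if reply is None:
                    break
                conn.sendall(reply)
    except OSError:
        pass                              # timeouts and resets still produce a record
    log.write(json.dumps(emu.record) + "\n")
    log.flush()

def serve(host="0.0.0.0", port=2323, log=sys.stdout):
    """Accept loop; each connection gets its own thread and its own emulator."""
    with socket.create_server((host, port)) as srv:
        while True:
            threading.Thread(target=handle, args=(*srv.accept(), log), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Because the decoy has no legitimate users, every record it writes is already an alert rather than data that still needs to be filtered out of normal traffic.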

Low-interaction client honeypots

Low-interaction client honeypots (also known as honeyclients) are programs that enable users to emulate different browser types. Users can visit websites with these simulated browsers and record attacks on them. Known open-source honeyclients with limited interactivity include HoneyC, Monkey Spider and PhoneyC.

  • HoneyC: the low-interaction honeyclient HoneyC enables users to identify malicious servers found online. Instead of a fully operational operating system and corresponding client software, HoneyC uses an emulated client that inspects server responses for malicious content. The software’s fundamental structure is made up of three components: the visitor engine is responsible for the interaction with the server and emulates different web browsers through modules; the queue engine creates a list of servers that is processed by the visitor engine; and the analysis engine evaluates the interaction with a web server, checking after every visit whether one of the software’s security rules was violated.
  • Monkey Spider: Monkey Spider is a web crawler that can be used as a low-interaction honeyclient. To this end, the software crawls websites and searches for malicious code that could pose a threat to the web browser.
  • PhoneyC: written in Python, PhoneyC is a honeyclient with which various web browsers can be imitated in order to inspect websites for malicious content. The software is able to process scripting languages like JavaScript or VBScript, and supports de-obfuscation functions, which allow malicious code to be unraveled. What’s more, PhoneyC supports many different methods for analyzing websites, e.g. the open-source antivirus engine ClamAV.

High-interaction server honeypot

Administrators looking to make use of server-side honeypots with many possibilities for interaction generally use a fully functioning server set up as a decoy system. This can either be set up on real hardware or in virtual environments. While low-interaction honeypots are first and foremost used for identifying and analyzing automated attacks, high-interaction honeypots aim to tackle manually executed attacks.

Server-side honeypotting is especially promising when the goal is to bait hackers with an especially attractive target with a high degree of interactivity. However, this set-up is much more time consuming than simple software solutions, which merely imitate server functions. When a real server is used as a honeypot, there is always the danger that an attacker could use the infiltrated system as a starting point for further online attacks. This could have further consequences, given that server operators are often liable for activities carried out with their devices.

Special monitoring tools are needed in order to observe servers set up as honeypots. Such tools include the freely available Sebek. A high-interaction honeypot environment can be realized with the software Argos.

  • Sebek: the data collection tool Sebek is used on high-interaction honeypots to monitor hackers and collect data on security-related activities. Fundamentally, the software is composed of two components: the client runs on the honeypot and collects all hacker activities, such as keyboard input, file uploads, and passwords, and transfers them to a logging server that can run on an independent system.
  • Argos: the high-interaction honeypot environment Argos is based on a modified QEMU hardware emulator. The software supports various guest operating systems that are executed in a virtual machine and represent the honeypot. In order to recognize and record attacks, Argos operates without additional monitoring software. Incoming data traffic that reaches the honeypot via the network card is automatically ‘tainted’ and tracked. The same applies to data derived from tainted data. The additional computing effort required for emulating the operating system and analyzing the data means that Argos is significantly slower than productive systems running on comparable hardware.

High-interaction client honeypots

High-interaction client honeypots are software solutions that run on real operating systems and use standard web browsers in order to record attacks originating from online servers. Common tools here include Capture-HPC and mapWOC.

  • Capture-HPC: the high-interaction honeyclient Capture-HPC uses a client-server architecture. Here, a server determines which websites are to be visited and controls various clients. These then call up the predetermined sites and send the resulting data back to the server. Possible clients include various web browsers, office applications, PDF readers, or media players.
  • mapWOC: also free of charge, mapWOC (short for massive automated passive Web Observation Center) loads websites with real browsers. These run on virtual machines whose data traffic with the clients is permanently monitored. This is done in order to record and analyze attacks such as drive-by downloads. mapWOC’s basic components use the host system Debian Squeeze, KVM for virtualization, and ClamAV for examining malware.

Advantages and disadvantages of honeypots

Honeypots are generally used to supplement other IT security components, like intrusion detection systems (IDS) and firewalls. One aspect that makes honeypots particularly valuable is their ability to collect highly relevant data. Given that honeypots don’t take on any actual network functions, any activity taking place in this control system poses a potential threat, and all data collected by honeypots is relevant to your system’s security. If, on the other hand, productive systems are monitored, then this type of data analysis requires an additional process step in which data relevant to the attack has to be filtered out of the system’s entire dataset.

One thing to take into consideration, however, is that not every honeypot is able to deliver valuable information. If the offered bait is too unattractive or difficult to find, then it could also be the case that no attacks happen at all. In that case, any investment made into the security system was a waste of money.

Honeypots can help reveal crucial data to companies, but they also present additional risks. Given that the decoy system seeks to actively bait hackers, there’s always the risk that a break-in into the honeypot might lead to further damage in the network. This risk can be reduced by maximizing the separation between honeypots and productive systems, and by permanently monitoring all activities within the bait systems. What’s more, it’s also important to take into account that hackers could use a compromised honeypot to launch external attacks. In order to prevent honeypots from being used as starting points for attacks, it’s crucial to keep outbound connections to an absolute minimum.

If a high-interaction server honeypot is equipped with the same security systems as the productive system, then it can be used for implementing quality control measures. In this case, the collected data delivers direct feedback on how effective the security system is. If an infiltration is registered in the honeypot, then it’s also important to check whether or not the productive system has been infiltrated. What’s more, both systems have to be adjusted in order to defend against future attacks of similar patterns.

Side note: honeypotting and the law

In the past, prosecutors have used honeypotting to catch criminals on the lookout for illegal content. Additionally, it’s often discussed whether copyright owners are able to use honeypots in order to curb the dissemination of copyright-protected content.

According to a report published by CNet, in 2006 the FBI reportedly placed a link in forums that purported to lead to content containing child pornography. American citizens who then proceeded to visit these links were later visited by the authorities.

Honeypots are also used to investigate illegal file-sharing platforms. Given that some of these were taken offline while others were able to stay online, it was assumed that both copyright owners and prosecutors were using them as honeypots. However, depending on which country you live in, this tactic may have no legal basis.
