The Honeypot: Improving Cyber Defense Using Deception

Cybercriminals and cyber threats are rapidly becoming more sophisticated. In the beginning, hacking was a hobby, where people broke into computers and systems just to show that they could. While many of these hobbyist hackers were very good at what they did, there were not many of them. Over time, hacking became profitable as cybercriminals could steal data and sell it on the black market. This led to the beginning of organized cybercrime, where state-sponsored or professional hacking groups developed tools and skills for breaking into people's computers for profit.

As cybercrime became professionalized, the average cybercriminal became more dangerous. It is no longer realistic to secure a computer or network so thoroughly that an attacker cannot get in. Instead, the goal of cyber defense is to raise the cost and effort of a breach until it exceeds the expected payoff, so that the attacker gives up. Deception is an important part of this, which is why the answer to the question "What is a honeypot?" matters.

Applications of Honeypots

Honeypots are systems set up to look like real production assets but that serve no legitimate purpose. For example, an organization may place a honeypot on its network that looks like an employee workstation, seeded with fake "valuable data". Honeypots can be used for a variety of purposes to improve an organization's cyber defenses.

  • Threat Detection

One application of honeypots is to detect and distract cybercriminals attempting to attack an organization's systems. Many organizations deploy one or more honeypots at the locations in their network that an attacker is likely to reach early in an intrusion. These honeypots are designed to look realistic but to draw the attacker's attention away from the real systems on the network. This can be accomplished by presenting the attacker with a fake network of machines that does not include any of the organization's true endpoints.

These honeypots serve a number of purposes for the organization. First, they distract the attacker's attention from the true network, increasing the probability that the cybercriminal will give up and go away before compromising any real system. Second, they serve as an early warning system. If the organization's honeypots are under attack and fail to deter the attacker, attacks on real systems are likely to follow shortly. This forewarning, together with knowledge of the attacker's tactics gained by monitoring their activity on the honeypots, can help to detect and thwart the real attack before it does significant damage.
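The early-warning idea above, worked through as an added example that is not part of the original article: because no legitimate traffic ever touches a honeypot, every connection to one is an alert, and a source that first hits a honeypot and later shows up against a production host is the follow-on attack the text predicts. The log lines, hostnames, addresses and field names below are constructed for the example.

```python
"""Honeypot early-warning correlation over sample log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs, not from any real network. The honeypot log records
# every connection attempt; the production log is a simplified auth log.
HONEYPOT_LOG = """\
2024-03-04T02:11:07Z honeypot=ws-fin-07 src=10.0.8.44 dport=445 event=connect
2024-03-04T02:11:09Z honeypot=ws-fin-07 src=10.0.8.44 dport=445 event=smb_login user=administrator
2024-03-04T02:13:51Z honeypot=ws-fin-07 src=10.0.8.44 dport=22 event=ssh_login user=root
2024-03-04T03:40:12Z honeypot=db-bak-02 src=10.0.12.9 dport=3306 event=connect
"""

PRODUCTION_LOG = """\
2024-03-04T02:20:33Z host=fileserver-01 src=10.0.8.44 dport=445 event=smb_login user=administrator result=fail
2024-03-04T02:20:35Z host=fileserver-01 src=10.0.8.44 dport=445 event=smb_login user=administrator result=fail
2024-03-04T02:25:01Z host=fileserver-01 src=10.0.3.15 dport=445 event=smb_login user=jdoe result=ok
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def honeypot_alerts(log_text):
    """Every honeypot interaction is unauthorized by definition, so each source
    that touches a honeypot yields one alert summarising what it tried."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        alerts.append({
            "src": src,
            "first_seen": min(r["ts"] for r in recs),
            "honeypots": sorted({r["honeypot"] for r in recs}),
            "ports": sorted({int(r["dport"]) for r in recs}),
            "users_tried": sorted({r["user"] for r in recs if "user" in r}),
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


def correlate(alerts, production_log_text):
    """Flag sources that hit a honeypot and then appeared against a production
    host. The honeypot alert is the early warning; the production hit is the
    follow-on attack, and the lead time is how much warning the honeypot gave."""
    first_seen = {a["src"]: a["first_seen"] for a in alerts}
    findings = []
    for line in production_log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec["src"]
        if src in first_seen and rec["ts"] > first_seen[src]:
            findings.append({
                "src": src,
                "host": rec["host"],
                "event": rec["event"],
                "warning_lead_seconds": int((rec["ts"] - first_seen[src]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    found = honeypot_alerts(HONEYPOT_LOG)
    for a in found:
        print(f"ALERT honeypot {a['honeypots']} touched by {a['src']} "
              f"ports={a['ports']} users={a['users_tried']}")
    for f in correlate(found, PRODUCTION_LOG):
        print(f"FOLLOW-ON {f['src']} -> {f['host']} {f['event']} "
              f"{f['warning_lead_seconds']}s after honeypot contact")
```

Note that the honeypot alert fires on the first connect, before any credential is tried; the production log only shows the same source nine and a half minutes later, which is the window in which the source could have been blocked.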

  • Fake Services

Honeypots are commonly used for sinkholing, where the honeypot pretends to offer a certain service, like a web or email server, but does not actually fulfill the requests. Sinkholes can be used for a variety of purposes. One application is to handle Domain Name System (DNS) requests made by malware, which the malware uses to resolve a domain name embedded in its code into an IP address. A DNS sinkhole can ensure that queries for known-malicious domains are either not answered usefully (so the malware never reaches its server) or answered with the address of an HTTP honeypot owned by the organization (to observe the functionality of the malware). Every query that lands in the sinkhole also identifies an infected internal host, which makes the sinkhole log a high-fidelity detection source in its own right.

Sinkholing is also useful for wasting attackers' time. Web applications are a common target of attack since they often contain vulnerabilities (33 on average) and have access to sensitive data or protected functionality. An HTTP honeypot that imitates a vulnerable web application can consume a great deal of an attacker's time as they try to exploit flaws that lead nowhere.
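A DNS sinkhole of the kind described above, written as an added example rather than code from the original article: it answers queries for a constructed blocklist of malicious domains with the address of an assumed HTTP honeypot and refuses everything else, so the sinkhole never behaves as an open resolver. It uses only the standard library and builds the DNS wire format by hand; the sinkhole address, the blocklisted domains and the listening port are all assumptions for the example.

```python
"""Minimal DNS sinkhole (added example): resolve known-malicious names to a
honeypot address, refuse all other queries. Standard library only."""
import socket
import struct

SINKHOLE_IP = "10.99.0.1"                                      # assumed HTTP honeypot address
MALICIOUS_DOMAINS = {"c2.evil.example", "update.evil.example"}  # constructed blocklist
QTYPE_A = 1
RCODE_REFUSED = 5


def decode_name(packet, offset):
    """Read an uncompressed DNS name at offset; return (lowercased name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a standard recursive query, as a stub resolver or malware would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def handle_query(packet, sinkhole_ip=SINKHOLE_IP, blocklist=MALICIOUS_DOMAINS):
    """Return the response bytes, or None if the packet is not a usable query."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:          # a response, or not exactly one question
        return None
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    question = packet[12:off + 4]
    rd = flags & 0x0100                          # echo the client's RD bit
    if name in blocklist and qtype == QTYPE_A and qclass == 1:
        # QR=1, AA=1, RA=1; one A record (TTL 60) pointing at the sinkhole
        header = struct.pack("!HHHHHH", txid, 0x8400 | rd | 0x0080, 1, 1, 0, 0)
        answer = (encode_name(name) + struct.pack("!HHIH", QTYPE_A, 1, 60, 4)
                  + socket.inet_aton(sinkhole_ip))
        return header + question + answer
    # Anything else is REFUSED so the sinkhole cannot be abused as an open resolver
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd | 0x0080 | RCODE_REFUSED, 1, 0, 0, 0)
    return header + question


def parse_response(packet):
    """Return (rcode, answer IP or None) for a response produced by handle_query."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", packet[:8])
    rcode = flags & 0x000F
    _, off = decode_name(packet, 12)
    off += 4                                     # skip qtype/qclass
    if ancount == 0:
        return rcode, None
    _, off = decode_name(packet, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    off += 10
    return rcode, socket.inet_ntoa(packet[off:off + rdlen])


def serve(bind=("0.0.0.0", 5353)):
    """Blocking UDP loop. Point internal resolvers' forwarding for the blocklisted
    zones here (port is an assumption); each logged query names an infected host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        reply = handle_query(data)
        if reply:
            print(f"sinkhole hit: {peer[0]} asked for {decode_name(data, 12)[0]}")
            sock.sendto(reply, peer)
```

The matching is case-insensitive because DNS names are, and the transaction ID and question section are copied back so the client accepts the answer. Returning REFUSED rather than forwarding unknown names is deliberate: a sinkhole that also resolves legitimate names would be an open resolver and a reflection target.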

  • Cybersecurity Research and Development

Cybersecurity is a cat and mouse game, where cyber defenders are always trying to create new ways to detect and block cyberattacks, and cybercriminals work to circumvent or overcome these defenses. However, developing protections against the latest attacks requires insight into what cybercriminals are doing.

Since detection usually results in an intrusion being eradicated from an organization's systems, cybercriminals work very hard to remain undetected until it is "too late" (for example, when the ransom note appears after a ransomware infection). This involves hiding their malicious activity in the noise of legitimate activity. It is difficult or impossible to completely characterize a network's "normal" behaviour, which leaves cybercriminals plenty of room to hide.

Honeypots enable cyber researchers to collect valuable data since no “legitimate” activities involve them. Any interaction with a honeypot is, by definition, unauthorized, making it easy for cybersecurity researchers to detect an attacker’s actions on the system. A sufficiently convincing set of honeypots can force an attacker to use a number of their standard tools and tricks, enabling researchers to observe and develop defenses against them.

Achieving Cybersecurity Through Deception

According to Sun Tzu’s The Art of War, “All warfare is based on deception.” By deceiving an adversary about one’s capabilities, it is possible to gain an advantage.

The same is true of cyberattacks. If an organization can trick cybercriminals into spending time attacking a honeypot instead of its real network, it gains several strategic advantages. The main challenge with using honeypots is that cybercriminals are aware of them as well. A honeypot has to be well designed and well maintained, blending in with the surrounding hosts in naming, services and patch level, in order to deceive capable attackers. It must also be isolated and monitored so that an attacker who does compromise it cannot use it as a foothold into the real network.