
Honeypots and their use in business

Honeypots are now an essential cybersecurity tool that helps companies protect themselves from cyber attacks.

Written by Ballpoint July 22, 2023 Good Practices
Tags - #deceptive

Nowadays, honeypots are an essential cybersecurity tool that helps companies protect themselves against cyber attacks.

They make it possible to detect different types of attacks and also help to better understand the techniques attackers use, so that organisations can be better prepared against them.

Definition of a honeypot

A honeypot is a fake IT system that has everything it needs to look real. It is designed to fool hackers so that organisations can redirect attacks.

The goal is to lure the target to a monitored IT system and to collect a variety of information to prevent the hacking attempt, but also to learn from it and improve the company's IT security.

The honeypot consists of a computer, applications and data. Its security is deliberately weakened to attract the target, who believes they are gaining access to real sensitive data.

In reality, it is the company that set up the honeypot that collects key information for its cybersecurity.

Be careful! Honeypots need to be set up carefully by experts, otherwise they may be used as a gateway to real IT systems.

The benefits of a honeypot in an organization

Setting up a honeypot can:

  • Prevent a cyber attack

  • Prevent malicious activity

  • Collect and study data that can help understand the techniques used in the cyber attack

  • Understand which IT systems are potential targets

  • Implement new measures to better secure the network

  • Adopt new security policies within the organisation

Honeypots are extremely efficient tools that help organisations save a lot of time in protecting themselves against cybercrime. No more hunting for attackers: with a cleverly set up honeypot, they will take the bait.

The objectives of a honeypot

Before setting up a honeypot, it is mandatory to define its objective. There are two distinct objectives: research and production.

Research honeypot

Research honeypots are complex systems used by cybersecurity specialists for research and authentication. These specialists meticulously analyse the data and information collected to assess the organisation's level of vulnerability and to develop new techniques to patch any vulnerabilities that are found.

Production honeypot

Production honeypots are more commonly used by organisations. They collect information such as the IP address used, the types of passwords used, the date and time of the cyber attack, the destination of the stolen files or the volume of traffic.

Classification of the honeypots

Honeypots can be classified in several ways.

Classification of the honeypots according to the degree of interaction 

There are two levels of interaction:

Low interaction honeypot: This honeypot is easy to build and to manage, but it collects only limited data about the cyber attack. It is also easy for attackers to detect. It can be useful for malware detection. Low interaction honeypots are mainly production honeypots.

High interaction honeypot: This type of honeypot requires a lot of resources and is a long-term project. Because the system is more complex, the hacker needs more time to bypass it. This gives the company more time to gather information about its cyber adversaries and to adapt its cybersecurity protocols. Even if it is more relevant than the low interaction honeypot, it needs an enhanced security and monitoring system: installing a honeywall (software used to secure the honeypot) is recommended. High interaction honeypots are usually research honeypots.
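To make the low interaction case concrete, here is a minimal listener that records the fields a production honeypot collects (source IP address, date and time, and the credentials tried). It is an added example, not code from the original article or from Trapster; the FTP-style dialogue, the banner text, port 2121 and all function names are assumptions chosen for illustration.

```python
import json
import socket
import threading
from datetime import datetime, timezone

BANNER = b"220 FTP server ready\r\n"  # constructed banner, imitates no real product


def handle_session(conn, peer, sink):
    """Play a fake FTP login, record what the client sent, always refuse it."""
    event = {"time": datetime.now(timezone.utc).isoformat(),
             "src_ip": peer[0], "src_port": peer[1],
             "username": None, "password": None}
    conn.settimeout(5)  # do not let a silent client hold the thread
    try:
        with conn, conn.makefile("rb") as reader:
            conn.sendall(BANNER)
            for _ in range(4):  # short, fixed dialogue: low interaction by design
                line = reader.readline(512)
                if not line:
                    break
                verb, _, arg = line.decode("latin-1").strip().partition(" ")
                if verb.upper() == "USER":
                    event["username"] = arg[:128]
                    conn.sendall(b"331 Password required\r\n")
                elif verb.upper() == "PASS":
                    event["password"] = arg[:128]
                    conn.sendall(b"530 Login incorrect\r\n")
                    break
                else:
                    conn.sendall(b"530 Please login with USER and PASS\r\n")
    except OSError:
        pass  # timeouts and resets are routine with scanners
    sink(json.dumps(event))  # one JSON line per connection, ready for a SIEM
    return event


def serve(host="127.0.0.1", port=2121, sink=print):
    """Accept connections forever; nothing real sits behind this port."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_session,
                             args=(conn, peer, sink), daemon=True).start()


if __name__ == "__main__":
    serve()  # loopback only; expose it from an isolated host or container
```

Because the service never grants a login and has no filesystem or shell behind it, it yields little data beyond these fields, which is exactly the trade-off described above.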

Classification of the honeypots according to the type of activity they perform

✉️ E-mail trap

E-mail trap honeypots are e-mail accounts created to detect spammers. Generally, these honeypots are inactive accounts, because we assume that if an account that has not chosen to receive e-mails receives them, the sender is most likely a spammer.
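The e-mail trap reasoning can be applied to delivery logs as follows. This is an added example, not part of the original article: the trap addresses, the one-line log format and the sample records are all constructed, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed trap addresses: published nowhere and subscribed to nothing.
TRAP_ADDRESSES = {"archive-2019@corp.example", "j.doe.old@corp.example"}

# Constructed log format: "<timestamp> <source ip> <sender> -> <recipient>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")

SAMPLE_LOG = """\
2023-07-20T08:01:12Z 198.51.100.23 promo@bulk.example -> alice@corp.example
2023-07-20T08:01:13Z 198.51.100.23 promo@bulk.example -> archive-2019@corp.example
2023-07-20T08:05:40Z 192.0.2.10 bob@partner.example -> alice@corp.example
2023-07-20T08:07:02Z 198.51.100.23 deals@bulk.example -> carol@corp.example
2023-07-20T08:09:55Z 203.0.113.77 news@list.example -> J.Doe.Old@corp.example
malformed line without the expected fields
"""


def parse(log_text):
    """Yield (timestamp, source_ip, sender, recipient); skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, sender, rcpt = m.groups()
            yield ts, ip, sender.lower(), rcpt.lower()


def trap_report(log_text, traps=TRAP_ADDRESSES):
    """Map each source IP that wrote to a trap to its trap hits and its other mail."""
    traps = {t.lower() for t in traps}
    records = list(parse(log_text))
    # Key on the source IP: the sender address is trivially forged.
    tainted = {ip for _, ip, _, rcpt in records if rcpt in traps}
    report = defaultdict(lambda: {"trap_hits": [], "suspect_deliveries": []})
    # Second pass, so mail delivered before the first trap hit is flagged too.
    for ts, ip, sender, rcpt in records:
        if ip in tainted:
            key = "trap_hits" if rcpt in traps else "suspect_deliveries"
            report[ip][key].append((ts, sender, rcpt))
    return dict(report)
```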

🍞 Breadcrumbs

Breadcrumbs are replicas of files, identification information or registry keys that are deliberately left in specific places to simulate what would normally be found on an IT system used by a real user. They are used as bait.

👾 Malware honeypot

This type of honeypot mimics applications and APIs (Application Programming Interfaces) and detects malware in order to develop security measures.

Setting up a honeynet

To be more effective and realistic, companies are advised to set up multiple honeypots to create a honeynet: a real network of honeypots that lets cybercriminals navigate between servers.

A honeynet looks like a real network and is divided into multiple systems. Its reach helps it monitor and gather information on large networks. As well as adding realism, the honeynet also keeps hackers engaged for longer. Organisations can compile a large amount of information, which will be essential in adapting their cybersecurity protocols.

Ballpoint offers an innovative solution that simplifies the installation of a honeynet: Trapster.

Trapster is a tool that can be installed in less than 3 minutes. It consists of multiple baits that imitate servers that are attractive to attack. When a hacker interacts with Trapster, a notification is sent.

Setting up honeypots and honeynets within a company is essential to better fight cybercriminals and to adapt its cybersecurity protocols. In addition, to drastically reduce the number of security breaches in its systems and to be better protected against hackers' innovative techniques, the company should carry out regular pentests.