Outsmart attackers with honeypots


A lot of our security effort goes into keeping attackers out of our systems. With honeypots, we try to suck them in. The idea behind a honeypot is to create something so tantalizing that an attacker can’t possibly resist.

Obviously, we don’t want to just leave our critical systems and data open for the attackers. While these systems would be great for luring in an attacker, we can’t risk a breach. Instead, we create systems that look as much as possible like the real thing but don’t actually contain anything sensitive.

Honeypots are single computers or other resources that are often purposely left vulnerable to lure in attackers. Honeynets are network segments that contain more than one honeypot. The same concept applies, but honeynets are simply more elaborate.

Why do we use honeypots and honeynets?

There are a few major reasons to set up honeypots or honeynets. Organizations may want to create them to act as decoys that distract attackers away from the actual resources. When an attacker comes across the honeypot, the organization can analyze the attacker’s behavior. Watching how an attacker acts can help the organization patch up other potential security holes.

Honeypots and honeynets can also play a vital role as detective security controls. They are especially useful for detecting advanced persistent threats (APTs). These sophisticated attackers are so skilled and well-funded that they can often slip past other tools and make their way onto your network undetected. APTs will often move slowly and carefully to try and avoid setting off alarms. A honeypot or a honeynet may be too tempting for an APT to pass up, and if the APT does probe your decoy, it may be one of the first triggers that alerts you to their presence within your network.
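To make the detective-control idea concrete, here is a minimal low-interaction TCP honeypot written for this page (it is added example code, not something from the article or from any product): it pretends to be a mail server, records every connection as a "touch", and turns each touch into an alert, because nothing legitimate should ever talk to a decoy. The banner hostname is made up, the listener binds to loopback only, and `probe` is a stand-in for a scanner so the whole thing can be exercised offline.

```python
import socket
import threading
import time
from collections import namedtuple

# One contact with the decoy: when, from where, and the first bytes sent.
Touch = namedtuple("Touch", "ts src_ip src_port first_bytes")

class Honeypot:
    BANNER = b"220 mail.corp.example ESMTP ready\r\n"  # constructed decoy banner

    def __init__(self, port=0):  # port 0: let the OS pick a free port
        self.touches = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", port))  # loopback only for this demo
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, (ip, sport) = self._sock.accept()
            data = b""
            with conn:
                conn.settimeout(2)  # a silent connect must not hang the listener
                try:
                    conn.sendall(self.BANNER)  # look real enough to be probed
                    data = conn.recv(128)      # capture the first thing sent
                except OSError:
                    pass                       # a dropped probe is still a touch
            self.touches.append(Touch(time.time(), ip, sport, data))

def alerts(touches, allowlist=frozenset()):
    """Every touch not from an allow-listed address (e.g. your own
    vulnerability scanner) is an alert: decoys have no legitimate users."""
    return [f"HONEYPOT touch from {t.src_ip}:{t.src_port} sent {t.first_bytes!r}"
            for t in touches if t.src_ip not in allowlist]

def probe(hp, payload, timeout=3.0):
    """Stand-in for a scanner hitting the decoy: returns the banner it saw,
    after waiting for the honeypot thread to record the touch."""
    before = len(hp.touches)
    with socket.create_connection(("127.0.0.1", hp.port)) as c:
        banner = c.recv(64)
        c.sendall(payload)
    deadline = time.time() + timeout
    while len(hp.touches) == before and time.time() < deadline:
        time.sleep(0.02)
    return banner
```

In a real deployment the `touches` list would be shipped to your SIEM rather than kept in memory, and the allow-list would hold only the addresses of tooling you expect to sweep the decoy.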

Honeypots and honeynets are also commonly used by cybersecurity researchers. They can learn a lot about the latest threats and threat actors by deploying realistic-looking systems and allowing attackers to penetrate them. Studying how an attacker targets a honeypot can help to reveal the identity of the attacker, their motivations and their methods.

The honeypot pitfalls

If you are thinking about deploying a honeypot or a honeynet, there are a couple of things that you need to watch out for. First, you need to be incredibly careful with how you deploy the honeypot or honeynet and make sure that it is isolated from your sensitive resources. You do not want to leave any access between a honeypot and your real hosts and networks.

Another honeypot pitfall revolves around the legal concept of entrapment. The specifics vary from jurisdiction to jurisdiction, but the essence is that entrapment involves inducing someone to commit a crime that they otherwise wouldn’t have. If you deploy a honeypot, you do not want the attacker to be able to plausibly claim that it was entrapment because then you could end up facing the wrath of the authorities.

We took a look around and couldn’t find any instances where someone had deployed a honeypot and then ended up in legal trouble for entrapment. However, our search was not exhaustive, and we are definitely not lawyers, nor are we qualified to speak on legal matters. While most honeypot deployments are unlikely to leave you on the wrong side of the law, you should still be thoughtful about how you deploy them. As an easy rule of thumb, you should put honeypots or honeynets behind your firewall. With this arrangement, the only way an attacker is going to be caught by it is if they’ve already broken into your network. This would be considered enticement, which is legal, and not entrapment.


Cybersecurity and privacy writer.
