A honeypot is a network-attached system designed to lure cyber attackers and detect, deflect, and study
hacking attempts in a given information system.
The function of a honeypot is to act as a decoy and present itself on the internet as a potential target for
attackers, usually posing as a server or another high-value asset. The honeypot gathers information about what is done to it and notifies defenders
of any access attempts by unauthorized users.
Honeypot systems usually run on hardened operating systems where extra security measures have been taken to minimize
exposure to threats. These systems are then configured so that they appear to offer attackers exploitable vulnerabilities.
For example, a honeypot might appear to respond to SMB (Server Message Block) requests of the kind used in the
WannaCry ransomware attack, while presenting itself as an enterprise database server storing sensitive consumer
information.
Larger enterprises and companies involved in cybersecurity research often use honeypot systems to identify and defend
against advanced persistent threat (APT) actors. Honeypots are an important tool that many organizations use to mount
an active defense against attackers. Researchers also use honeypot systems to learn more about the tools and techniques that
attackers use.
Honeypots usually consist of a computer, applications, and data that simulate the behavior of a real system that would be attractive
to an attacker. Examples include replicating a financial system, IoT (internet of things) devices, or public utility or transportation
networks.
These decoys appear to be part of the production network but are actually isolated and closely monitored by the defender. The point is
that a legitimate user has no reason to access a honeypot, so any access attempt can be treated as hostile.
The honeypot is usually placed in a DMZ (demilitarized zone) on the network.
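As an added illustration, not part of the original text, here is a minimal low-interaction decoy listener in Python that applies the rule above: it answers with a fake banner, captures whatever the client sends, and records every connection as a hostile event for the defender. The banner string, the event fields and the localhost-only setup are assumptions made for the example.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed decoy banner (an assumption): it only has to look plausible to a scanner.
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
events = []  # every entry is an alert: no legitimate user has a reason to connect

def record_event(peer, data):
    # Any access to the decoy is unauthorized by design, so the verdict is fixed.
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "sample": data[:64].hex(),  # hex so binary probes are safe to log
        "verdict": "hostile",
    }
    events.append(event)  # stand-in for forwarding to a SIEM or on-call alert
    return event

def handle_connection(conn, peer):
    # Send the banner, capture the first bytes the client sends, then close.
    with conn:
        conn.settimeout(2.0)
        try:
            conn.sendall(DECOY_BANNER)
            data = conn.recv(4096)
        except OSError:  # timeouts and resets from impatient scanners
            data = b""
    return record_event(peer, data)

def serve(bind_addr=("127.0.0.1", 0)):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(bind_addr)
    srv.listen(16)
    def loop():
        while True: handle_connection(*srv.accept())
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()  # the bound (ip, port)

def probe(addr, payload, timeout=2.0):
    # Self-check client: read the decoy banner, send a probe, wait for the alert.
    before = len(events)
    with socket.create_connection(addr, timeout=timeout) as c:
        banner = c.recv(64)
        c.sendall(payload)
    deadline = time.monotonic() + timeout
    while len(events) == before and time.monotonic() < deadline:
        time.sleep(0.01)
    return banner
```

In a real deployment the listener would sit in the DMZ on the ports of the service it imitates, and `record_event` would forward the alert to the monitoring pipeline instead of appending to a list.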