The famous words of Headie One. But I’m not talking about shh and shh, I’m referring to honeypots. I mentioned in my previous blog how organisations use honeypots to aid in the early detection of malware.
In Cybersecurity, honeypots are used as bait to lure and trap hackers. A honeypot essentially pretends to be a target system, which hackers will be drawn to. It then monitors how a hacker gains access to the network, and the organisation uses this information to improve its real system. It is also used as a way of keeping the hacker’s attention away from the real network. Let’s look into a scenario of how honeypots work:
A honeypot, for instance, may be a computer system that contains a database of usernames and passwords. As we all know, this type of data is very attractive to a hacker, and once they’ve found their way in, all their actions are tracked in real-time. So a hacker may think they’re doing the business, but in reality they’re doing nada. Organisations will use different types of honeypots that match their current estate. Let’s take a look at a few.
Honeypot Examples
Malware honeypot – This uses fake applications to attract malware attacks and once an attack occurs, it can be used to create anti-malware software.
Database honeypot – This is used to see the different methods attackers use to gain access into a database.
Spam honeypot – This is used to catch spam mail, and once discovered it can be automatically blocked alongside the IP address it came from.
Organisations can use honeypots to identify any new potential threats that could harm the business and then use this information to improve their security posture*. But are honeypots the best way of improving overall security?
Benefits
As described before, honeypots are a good way of noticing holes in your system. They allow a business to see how a hacker attacks their system in real-time, which can give the business time to sort out issues with their network. It also means that organisations can learn about new attack vectors** and exploits*** that these hackers use.
Also, a honeypot is not a real system, so unlike a real network it receives no genuine traffic. For example, if ASOS were to use a honeypot, that honeypot wouldn’t be seeing our IP addresses when we view and buy items. Sites such as ASOS see high volumes of traffic on a normal day-to-day basis, so it is difficult for a security team to spot the hacker’s IP address amongst them, whereas on a honeypot it stands out easily.
Furthermore, honeypots can allow an organisation to see what applications hackers are intrigued by, whilst also allowing them to see how well their current security holds up against cybercriminal attacks.
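The point above, as an added example that is not part of the original post: every source that touches the honeypot is treated as suspect, and those few IPs are then used to filter the busy production log. The log formats, IP addresses and request paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data using documentation IP ranges, not real logs.
# Assumed honeypot log format: "<ISO timestamp> <source IP> <service> <action>"
HONEYPOT_LOG = """\
2024-05-01T02:14:07Z 203.0.113.45 ssh login_attempt
2024-05-01T02:14:09Z 203.0.113.45 ssh login_attempt
2024-05-01T02:20:31Z 203.0.113.45 mysql connect
2024-05-01T09:02:55Z 198.51.100.7 ssh login_attempt
"""
# Assumed production web log in common log format.
PRODUCTION_LOG = """\
192.0.2.10 - - [01/May/2024:02:10:00 +0000] "GET /women/dresses HTTP/1.1" 200 5120
203.0.113.45 - - [01/May/2024:02:12:40 +0000] "GET /admin/login HTTP/1.1" 404 128
192.0.2.12 - - [01/May/2024:02:13:05 +0000] "GET /men/shoes HTTP/1.1" 200 4870
203.0.113.45 - - [01/May/2024:02:13:41 +0000] "GET /backup.sql HTTP/1.1" 404 128
192.0.2.10 - - [01/May/2024:02:15:22 +0000] "POST /basket/add HTTP/1.1" 200 310
"""
REQUEST = re.compile(r'"\S+ (\S+) [^"]*"')  # captures the request path

def honeypot_sources(log_text):
    """Every source that touched the honeypot is suspect: it has no real users."""
    seen = defaultdict(lambda: {"events": 0, "first_seen": None, "services": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, service, _action = parts
        entry = seen[ip]
        entry["events"] += 1
        entry["services"].add(service)
        entry["first_seen"] = min(ts, entry["first_seen"] or ts)  # ISO UTC sorts as text
    return dict(seen)

def production_hits(log_text, suspects):
    """Pull only the suspects' requests out of the busy production log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ip = line.split(" ", 1)[0]
        match = REQUEST.search(line)
        if ip in suspects and match:
            hits[ip].append(match.group(1))
    return dict(hits)

if __name__ == "__main__":
    suspects = honeypot_sources(HONEYPOT_LOG)
    for ip, paths in production_hits(PRODUCTION_LOG, suspects).items():
        print(ip, suspects[ip]["first_seen"], sorted(suspects[ip]["services"]), paths)
```

In the sample data, one of the two honeypot sources had already probed the production site before it reached the honeypot, which is the kind of activity that is hard to pick out of normal shopper traffic on its own.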
Dangers
Honeypots are all well and good, but what happens if the attacker uses a different method to get into your real system? *PLOT TWIST* Honeypots are only good at exposing the attacks that they see.
Once an attacker realises they are in a honeypot, they may either stop the attack or use the honeypot as a way to get into the system. This means an organisation needs to configure their honeypot appropriately to stop attacks being directed at their real network.
Ultimately, honeypots should not replace organisations’ current security mechanisms, but organisations should use them as a way to improve their systems. By monitoring and learning from what these hackers are doing, they’ll be able to improve their security posture and reduce their threat landscape.
* An organisation’s overall security strength
** A method used by a hacker to access a system
*** An attack on a computer system
Love & Guidance
TT