psdesign1 - Fotolia

How to build a honeypot to increase network security

Create a honeypot that will trap attackers and monitor their activities to enhance your organization's network security. This step-by-step guide takes you through the process.

A honeypot is a network device that tricks hackers into thinking they've broken into an organization's real network when actually they are in a fake network set up as a trap. Once lured into a honeypot, an attacker's activities can be monitored and analyzed. Honeypots are designed to attract hackers, and the more convincing they are, the more successful they will be.

Attackers breaking into a honeypot believe they have hacked a legitimate part of the target network where they might find valuable data, critical applications or vulnerable parts of the network infrastructure. In reality, they are in an isolated computer system set up to keep them away from the production network and enable the target organization to track their movements and activities.

Researchers, businesses and consumers all use honeypots. Users monitor trapped attackers to gather information about their behavior and the types of attacks they employ. Network administrators can then use this information to strengthen their organization's cybersecurity strategy and infrastructure against future attacks.

How does a honeypot work?

A honeypot is usually placed in an isolated part of the network called the demilitarized zone (DMZ). The DMZ is connected to the internet and is where public-facing services, such as web and mail servers, are located. A firewall separates the DMZ from the corporate network and the sensitive data that is stored there. Think of the DMZ as a secure buffer zone that separates internal networks from the public internet. It protects the most important parts of the network while still letting traffic into the network.

Honeypots are placed on decoy servers within the DMZ that appear real to the intruder. They run realistic processes and use common protocols. In some cases, they have decoy data to make them appear more convincing. For example, a honeypot may emulate a fake server that has fake credit card data or files that appear to hold such data from the outside. The honeypot imitates all the normal restrictions and access control procedures and protocols that a real network would have to keep the data safe.

Where honeypots are placed in the network
Honeypots are placed in the network DMZ and appear to attackers as a vulnerable, undefended part of the network. The more convincing they are at that, the better they work.

Once a hacker is in a honeypot, administrators must decide how long to let them stay. In most cases, it is usually in the target organization's interest to keep a hacker in the honeypot for an extended period and collect as much information as possible.

What are the pros and cons of using a honeypot network?

Honeypots have obvious benefits, but they also have drawbacks that anyone considering using one needs to know about. The following advantages and disadvantages are worth considering:

Pros

  • Information collected. The value of a honeypot is in the information it collects about the methods and behavior of attackers while the attacker believes they aren't being watched. Other network monitoring tools, such as intrusion detection systems (IDS), don't provide the same level of information as a honeypot. For instance, an IDS monitors networks to identify suspicious activity, send out alerts and stop attackers a fast as possible. While an IDS does collect and analyze information about attackers, that isn't its main purpose.
  • Attack patterns identified. Security researchers, vendors, businesses and other organizations can use the information a honeypot generates to uncover patterns in the way cyber attackers operate and then adapt their products and strategies to counter the attack.
  • Vulnerabilities to be patched. Businesses can use honeypots for network reconnaissance and defense and to identify vulnerabilities that need to be patched.

Cons

  • Honeypot hijacked. Honeypots must be implemented properly. Experienced hackers can recognize when they are inside a poorly setup honeypot and hijack it to feed the network administrator bad information. For example, an attacker that identifies a system as a honeypot can engage in activities in the decoy system to direct the admin's attention away from the real malicious attack that's underway on the production system.
  • Production network entered. Although honeypots lie in the DMZ, they do connect to the internal network at some point; an experienced hacker may be able to use a poorly implemented honeypot as an entry point into the internal network.
  • Malicious honeypots deployed. Hackers can also set up honeypots of their own. A bad guy who sets up a fake website or spoofs a Wi-Fi network and monitors the traffic is essentially using a honeypot.

Consider using these other deception techniques to fight hackers.

Choosing a type of honeypot and a honeypot strategy

There are three types of honeypots: simple, high interaction and low interaction. They differ in the extent to which they are integrated with the network and the complexity of the decoy systems they run.

  1. Simple honeypot. Also called a pure honeypot, this system is a full-fledged production systems, complete with mock confidential files and data. Of the three honeypot types, simple ones are the most realistic looking ones, but they are also the most complex. That complexity makes it more difficult to maintain a simple honeypot.
  2. High-interaction honeypot. The distinguishing feature of a high-interaction honeypot is to get attackers to try to gain administrative-level access -- also known as root access -- to a server. Once an attacker has administrative access to a decoy system, the target organization can closely monitor the attacker's activities.

    A high-interaction honeypot is designed to imitate a production system, but it places few restrictions inside the system, encouraging attackers to interact with it. These honeypots provide a variety of services and are often able to capture extensive information.

    High-interaction and the simple honeypots are best for monitoring more experienced hackers, because they look realistic and are likely to fool them. The downside is that high-interaction honeypots point to root access, which is risky because the network can be breached through the honeypot.
  1. Low-interaction honeypot. These honeypots simulate only the popular attack vectors on a network: the services attackers are most likely to request access to, such as basic internet protocols like TCP and IP. They also only simulate portions of other services, such as presenting a web banner with nothing behind it. Unlike high-interaction systems, they do not point the malicious actor to the root system. This makes low-interaction honeypots safer but also easier to identify as fake, because they are less complex. These systems are particularly useful for monitoring less complex attacks, such as bots and malware.

To choose a strategy, companies should consider their vulnerabilities, the kinds of attacks they are most susceptible to and what level of system maintenance they can handle. For example, if a company is susceptible to simple bot attacks, a low-interaction honeypot might be the right approach. If an organization is worried about high-profile, targeted attacks that aim to steal sensitive data, one of the other two strategies might be useful.

Learn more about threat hunting techniques and technology that are being used to counter advanced threats.

How do you build a honeypot?

There are quite a few commercial and open source software tools available that assist with honeypot deployment. Regardless of which one an organization uses, there are four steps involved in setting up one of these traps on an enterprise network. They are as follows:

Step 1. Install the honeypot software

The first step in implementing a honeypot is to create the right environment. Admins should choose honeypot software they want to use, prepare the infrastructure for that software and install it. Virtual servers and physical servers can host honeypots. When using a physical server, it is important to take the following precautions to ensure it's secure:

  • Don't use administrator accounts with access to important systems. Use a different account.
  • Don't store important data on the server, use decoy data instead.
  • Isolate the physical server from the rest of the network.

Virtual machines are safer because if they are compromised, they can just be shut down quickly and recreated. If using a virtual server, network admins will want to create one or a collection of virtual machines using a hypervisor.

Step 2. Configure firewall and logging policies

The next step in the installation process is to determine which events the honeypot program will monitor. These can include login attempts, file changes and other activity. Admins must set up an alternative logging method, because hackers can change log files if they know where to look for them. To prevent this, log files should be out of sight and in a place hackers wouldn't think to look, such as in the Windows logging tool or some other cloud logging services that store the information outside of the honeypot.

The honeypot itself is placed outside the internal firewall, but inside of the DMZ. The external firewall should be configured so that only the ports necessary to access the honeypot are open, and all others are closed. This approach will direct traffic toward the open network where the honeypot is and not the internal network behind the firewall.

Step 3. Configure the honeypot

In contrast to the internal firewall, the honeypot is vulnerable. It should have several ports open and invite attackers in. However, admins should not open all the ports. Doing so will make it obvious to attackers that they are not on a critical server, and they will leave, or worse, they will manipulate the honeypot to their advantage.

Screenshot of Attivo Networks' ThreatDefend
During configuration, Attivo Networks Inc.'s ThreatDefend platform has users choose on which Active Directory servers they want to deploy decoys. Decoys allow the administrator to gather information on potential threats.

Step 4. Testing

Port scanners, such as Nmap and penetration testing tools, are useful for testing a honeypot setup. Attackers will often undertake their own port scan to look for vulnerabilities in a target network. Network admins can use Nmap to see what attackers see when they are poking around.

Screenshot of Nmap scan results.
Nmap shows users which ports on the network are open, which are closed and the services hosted on each port. Honeypots should have a mixture of open and closed ports to look realistic to hackers.

Next, admins should perform some activity inside the honeypot and then review server logs to check that everything logged properly. For example, if an IDS is running, it might automatically block a port scan attempt and show that the port as unavailable, alerting the attacker that the port is defended and encourage them to go elsewhere.

These issues should be fixed before putting a honeypot into production. The honeypot must be able to lure attackers in and capture as much information as possible, and any impediment to that should be removed. After initial testing, put the honeypot into production, monitor it closely and fine-tune the configuration.

Learn more about how attackers use port scans.

There are two important aspects to a successful honeypot strategy: The honeypot is functionally a sitting duck, but it cannot be obvious about that fact.

How to keep a honeypot from being discovered

There are two important aspects to a successful honeypot strategy: The honeypot is functionally a sitting duck, but it cannot be obvious about that fact.

Some specific situations will tip off a hacker that they are in a honeypot. For instance, attackers know that no self-respecting network administrator would leave an important server vulnerable, so if a system is too easy to access, it's probably a trap.

The following six points are tipoffs attackers watch for to identify honeypots:

  1. Having all network ports
  2. Having unusual ports open -- internet-facing systems usually only have basic services available.
  3. A site or server that is too easy to hack.
  4. Directories with extremely literal names denoting something of value, such as "Social Security numbers" or "credit card data."
  5. Very little software is installed.
  6. There is a lot of free space on the hard drive, indicating it's not a well-used production drive.

Using a cloud honeypot circumvents some of the challenges of a physical honeypot. Learn the benefits of using a honeypot hosted on a public cloud.

Honeypot software

Several honeypot tools are on the market suited to different strategies, network implementations and attack vectors. Available tools include the following:

Attivo Inc.'s ThreatDefend. This honeypot and deception tool has automatic learning capabilities. It profiles visible virtual local area networks (VLAN) to customize the decoys it deploys. It can detect techniques hackers use to move laterally into the enterprise network. It specializes in working with advanced persistent threats (APT), which are designed to beat traditional security controls.

Gianluca Brindisi's Wordpot. This honeypot is designed to enhance WordPress security. Users can detect files that hackers use to gather technical information about -- also known as fingerprinting -- a WordPress page. Wordpot can install custom plugins to emulate common vulnerabilities in WordPress. It is accessible using a command-line interface (CLI).

The Honeynet Project's Ghost USB. This open source honeypot looks like a USB storage drive on the network. It attracts and monitors malware that spreads through these devices. Users can access Ghost USB through a GUI or a CLI.

Screenshot of Honeynet Project Ghost USB
With the Honeynet Project's Ghost USB, users can view upload attempts in a GUI. Images of loaded modules can be taken out of Ghost USB into another program for analysis.

The Honeynet Project's Glastopf. This low-interaction, open source honeypot emulates a vulnerable web server. It runs on Python, PHP and MySQL, and it can emulate thousands of vulnerabilities.

The Honeynet Project's Snare and Tanner. Snare is Glastopf's successor. It is an open source web application honeypot that enables the user to convert a webpage to an attack surface. Snare records events and sends them to Tanner, which decides how Snare should respond to the threat. Users can change multiple sensors at once to adapt to evolving threats.

HoneyThing. This open source internet of things (IOT) honeypot acts as a modem or router and supports the customer premises equipment (CPE) WAN Management Protocol and runs on Allegro's RomPager web server. With it, users can emulate common IoT vulnerabilities such as the Misfortune Cookie router vulnerability to attract attackers. HoneyThing features an easy-to-use web-based interface instead of a CLI.

KeyFocus Ltd.'s KFSensor. This IDS includes a Windows-based honeypot. KFSensor is preconfigured to monitor common ports, such as TCP, UDP and ICMP, and emulate common services, such as Microsoft Telnet Service. It enables administrators to watch attackers without exposing any real services.

Learn how Attivo Networks used a honeypot to trick attackers.

Next Steps

Unsecured ElasticSearch server breached in eight hours flat

Steal a march on cyber criminals through security by deception

Deception technology applied to pharma cybersecurity

Dig Deeper on Network security