The sweet smell of IT security: Understanding honeypots

So, to recap then, with the help of HP Fellow and CTO for Enterprise Services, Mateen Greenway:

A honeypot consists of a computer, data, web or other site that appears to be part of a network and to contain information or a resource of value to attackers, but which is in fact isolated and monitored.

  • Honeypots typically do not stop hackers intruding on a network. Instead they are designed to provide electronic evidence, such as IP addresses, that can identify the hackers, expose their methods, and even show the kind of systems and data the intruder is trying to access. A honeypot can be designed to allow a virus or malware to infect a simulated environment, or as an emulation of a production system designed to deflect attackers from the real system.
  • Honeypots can deter attacks if potential hackers are aware that they are being used to defend a system. These techniques can be effective in sidetracking attackers' efforts, causing them to devote their attention to activities that can cause neither harm nor loss.
  • Honeypots allow the white hat and system administrator communities to study exactly the techniques and tools that attackers are using, without exposing systems and networks to the additional risk that results from compromised systems.
  • Honeypots are a good method of detecting insider attacks. Insider attacks involve fundamentally different attack patterns (usually considerably more subtle ones) from external attacks.

In conclusion

Honeypots, and the more recent honeywords variation on the theme, are useful additions to the data security arsenal. But, as David Emm, senior security researcher at Kaspersky Lab, reminds us, they are no magic bullet. "None of these methods are able to prevent a system being compromised," Emm says. "However, they can sound the alarm if an attack occurs. The problem for an attacker is that they do not know if the database is protected in this way, or which passwords in a database may generate an alert. So if the technology is implemented, it could act as a deterrent to would-be attackers."

Historically, many organisations have been reluctant to install research honeypots (apart from those companies involved in R&D for security products) and, according to Ranum, this is primarily down to the time required for proper analysis.

"However, production honeypots are very low resource. When nobody's breaking into them, they just sit there, yet can give a very valuable warning," Ranum insists. And in the current climate of data breaches and the ongoing reputational fallout that follows, warnings and deterrents have to be worth having.

Under the assumption that every connected server can be compromised and passwords can be stolen, distributing the authentication process with honeycheckers makes the challenge much greater for hackers. "Additionally," as Ben-Itzhak concludes, "in the event of a successful brute force password break, the hacker is not given the confidence that they can log in successfully and undetected."

With a honeychecker in place, they must either risk logging in and being detected, or else attempt to breach the honeychecker itself.

Davey Winder
