Looking after your own security is priority number one – across the vast expanses of the Internet as well. Financial transactions and sensitive data attract hackers or “attackers” like bees to honey. To protect against attacks, you can use honeypot deployment.
What is honeypot deployment?
The use of honeypot deployments dates back to a world that existed long before the Internet. In the past, honey was used to divert unwanted visitors such as bears from their actual target, such as human dwellings, or even to trap them. So this tactic has always been associated with personal protection. More recently, honeypot deployment has found its way into today’s digital world. Nowadays, the term “honeypot” is understood to refer to a computer program or server that simulates the network services of a computer, of a computer network or the behaviour of a user.
A honeypot is a service that is never used by the users or communication partners and is never addressed during normal operation. Instead, it serves as a trap that is used to send attackers away on the wrong track. That’s because external attackers are unable to distinguish between the trap and the real services they are trying to access. As they search for vulnerabilities in the system, they will inevitably run into the trap prepared for them – just like the bears and the honey. Once the hackers have been caught in the trap, the honeypot records the information and sends a warning to the operators of the attacked service.
How the honeypot works
Honeypots that simulate users (honeyclients) use normal web browsers to visit websites in order to detect attacks against the browser or its plug-ins. Honeypots are divided into two types according to how much interaction they allow an attacker: low-interaction and high-interaction honeypots. In addition, there are four ways of implementing these hacker traps. A physical honeypot is an actual computer with its own network address on the network. A virtual honeypot is a logically independent system that is simulated by another computer. A client honeypot uses honeypot software to communicate with a real server. A server honeypot uses honeypot software to “serve” real clients.
Honeypot technology and types
Low-interaction and high-interaction honeypots can be further divided into client-side and server-side variants, each with different features. A honeypot is operated by an administrator, who must first set it up. In both cases the honeypot is isolated, meaning that an attacker must not be able to reach the production system from the decoy system. There are two options here:
Physical honeypots: These are separate computers with their own addresses that are integrated into a network.
Virtual honeypots: This is a logical system for which the resources of a physical computer are made available by virtualisation software.
One well-known open-source solution for setting up server-side low-interaction honeypots is Honeyd. The Honeyd software, published under the GPL, allows administrators to set up several virtual hosts within a computer network. Attackers have only limited opportunities to interact with these hosts. The virtual computers can be configured to represent different server types, so that a complete system including the TCP/IP protocol stack can be simulated.
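The following Python script is an added example, not part of the original article and not Honeyd's own code. It is a minimal server-side low-interaction honeypot in the sense described above: it presents a constructed SMTP-style banner on a port that no legitimate client uses, captures a bounded excerpt of whatever the peer sends, and treats every connection as an alert-worthy event, because a honeypot has no legitimate users. The port, banner and peer addresses are assumptions for the example.

```python
"""Minimal server-side low-interaction honeypot (added example, not Honeyd code).

Assumptions (all constructed for this example): the fake service listens on a
high port, replies with a constructed banner, records the first bytes each peer
sends, and raises an alert on every connection, since a honeypot has no
legitimate users.
"""
import json
import socket
import socketserver
import threading
from datetime import datetime, timezone

FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"  # constructed banner
MAX_CAPTURE = 256  # bytes of peer input to keep per connection

EVENTS = []  # in-memory log; a real deployment would ship this to a log server


def record_event(peer, data, now=None):
    """Build the log record for one connection.

    Any contact with the honeypot is suspicious by definition, so the alert
    flag is always set. Only a bounded, escaped excerpt of the input is kept
    so that the log itself cannot grow without limit or contain raw control
    characters.
    """
    now = now or datetime.now(timezone.utc)
    excerpt = data[:MAX_CAPTURE].decode("ascii", errors="replace")
    return {
        "time": now.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes_received": len(data),
        "excerpt": excerpt.replace("\r", "\\r").replace("\n", "\\n"),
        "alert": True,
    }


class TrapHandler(socketserver.BaseRequestHandler):
    """Accept one connection, send the fake banner, capture input, log it."""

    def handle(self):
        self.request.settimeout(3.0)
        self.request.sendall(FAKE_BANNER)
        data = b""
        try:
            while len(data) < MAX_CAPTURE:
                chunk = self.request.recv(64)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # slow or silent peers are still logged
        event = record_event(self.client_address, data)
        EVENTS.append(event)
        # The warning to the operators: here just printed, in practice forwarded.
        print("ALERT honeypot contact:", json.dumps(event))


def serve(host="127.0.0.1", port=2525):
    """Start the trap in a background thread and return the server object."""
    server = socketserver.ThreadingTCPServer((host, port), TrapHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = serve()
    print("honeypot listening on", srv.server_address)
    try:
        threading.Event().wait()  # run until interrupted
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it, connect with `nc 127.0.0.1 2525`, type anything, and the alert record appears on the console. The decoy answers like a mail server but implements no SMTP at all, which is exactly the limited interaction a low-interaction honeypot offers.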
Client-side honeypots offer a slightly wider choice of different approaches. Client-side low-interaction honeypots (or honeyclients) are programs that can be used to emulate different browsers. This allows users to visit web pages and record attacks against the simulated web browsers.
This can be done with the following systems:
HoneyC: The low-interaction honeyclient HoneyC allows users to identify dangerous servers on the Internet. Instead of providing a fully functional operating system and the corresponding client software, HoneyC uses an emulated client to analyse server responses for harmful content. In its basic configuration, the software consists of three components: the visitor engine is responsible for the interaction with the server and uses modules to emulate different web browsers; the queue engine compiles the list of servers, which the visitor engine then processes; and the analysis engine evaluates the interaction with a web server, checking after each visit whether the software’s security rules have been violated.
Monkey-Spider: Monkey-Spider is a web crawler used as a client-side low-interaction honeypot. The software crawls web pages hunting for malicious code that could pose a danger to web browsers.
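To make the three-component structure of HoneyC concrete, here is an added example in Python that is not HoneyC's own code: a queue engine, a visitor engine and an analysis engine wired together, with a constructed table of server responses standing in for the web so that it runs offline. The URLs, the browser profiles and the two detection rules (a zero-sized iframe and an `eval(unescape(` construct, both classic drive-by indicators) are assumptions for the example.

```python
"""HoneyC-style low-interaction honeyclient pipeline (added example, not HoneyC code).

Three components mirror the description in the text: a queue engine that
supplies the servers to visit, a visitor engine that visits them while
presenting an emulated browser identity, and an analysis engine that applies
security rules to each response. Network access is replaced by a constructed
table of responses so the example runs offline.
"""
import re
from collections import deque

# Constructed responses standing in for real web servers (not real hosts).
FAKE_SERVERS = {
    "http://benign.example.invalid/": "<html><body><h1>Hello</h1></body></html>",
    "http://hidden-frame.example.invalid/": (
        '<html><body><iframe src="http://frame.example.invalid/" '
        'width="0" height="0"></iframe></body></html>'
    ),
    "http://obfuscated.example.invalid/": (
        "<html><script>eval(unescape('%61%6c%65%72%74'));</script></html>"
    ),
}

# Constructed browser identities the visitor engine can emulate.
BROWSER_PROFILES = {
    "firefox": "HoneyC-example/1.0 (emulating Firefox)",
    "chrome": "HoneyC-example/1.0 (emulating Chrome)",
}

# Security rules: indicators of drive-by download techniques. Each rule is a
# (name, compiled pattern) pair applied to the raw response body.
RULES = [
    ("hidden-iframe", re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b", re.I)),
    ("eval-unescape", re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I)),
]


class QueueEngine:
    """Holds the list of servers still to be visited."""

    def __init__(self, urls):
        self._queue = deque(urls)

    def add(self, url):
        self._queue.append(url)

    def next_url(self):
        return self._queue.popleft() if self._queue else None


class VisitorEngine:
    """Interacts with a server while presenting a chosen browser identity."""

    def __init__(self, browser, fetch=None):
        self.browser = browser
        self.user_agent = BROWSER_PROFILES[browser]
        # fetch(url, headers) -> body; the default reads the constructed table.
        self._fetch = fetch or (lambda url, headers: FAKE_SERVERS.get(url, ""))

    def visit(self, url):
        headers = {"User-Agent": self.user_agent}
        body = self._fetch(url, headers)
        return {"url": url, "browser": self.browser, "body": body}


class AnalysisEngine:
    """Checks each visit against the security rules."""

    def __init__(self, rules=RULES):
        self.rules = rules

    def check(self, visit):
        return [name for name, pattern in self.rules if pattern.search(visit["body"])]


def crawl(urls, browser="firefox"):
    """Run the pipeline and return {url: [names of violated rules]}."""
    queue, visitor, analysis = QueueEngine(urls), VisitorEngine(browser), AnalysisEngine()
    findings = {}
    while (url := queue.next_url()) is not None:
        findings[url] = analysis.check(visitor.visit(url))
    return findings


if __name__ == "__main__":
    for url, violated in crawl(list(FAKE_SERVERS)).items():
        print(f"{url}: {'clean' if not violated else ', '.join(violated)}")
```

Pass a real `fetch` callable to `VisitorEngine` to replace the constructed table; the queue and analysis engines do not change, which is the point of separating the three components.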
High-interaction server honeypots
High-interaction honeypots, which usually represent complete servers offering real services, are somewhat more difficult to implement. The focus here is on attacks carried out manually by hackers, and on logging these attacks. This type of control is particularly useful for observing the most up-to-date attack methods. Dedicated monitoring tools are required:
Sebek: This is a freely available tool that monitors all programs and sends the data to a logging server. The tool is designed to remain undetected as far as possible, ideally so that attackers neither know nor suspect that they are being monitored.
Argos: To detect attacks via the network, memory content that holds data received over the network is marked as contaminated (tainted) by the system. As soon as the CPU is instructed to execute contaminated memory content, Argos records the data stream and memory content for further forensic analysis.
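The Argos mechanism described above, as an added example in Python that is not Argos's own code: a toy virtual machine in which every memory cell carries a taint bit, data received from the "network" is tainted when written, taint follows the data through copies, and an attempt to fetch an instruction from a tainted cell stops execution and returns a forensic snapshot instead of running it. The instruction set, the two programs and the packet contents are constructed for the example.

```python
"""Argos-style taint tracking on a toy machine (added example, not Argos code).

Every memory cell carries a taint bit. A "receive" from the network taints the
cells it writes, a copy carries the taint along with the value, and fetching an
instruction from a tainted cell aborts execution and returns a snapshot for
forensic analysis. Instruction set, programs and packet are constructed.
"""
from dataclasses import dataclass


@dataclass
class Cell:
    value: object = 0
    tainted: bool = False
    origin: str = ""  # where the taint came from, kept for the forensic record


class TaintVM:
    def __init__(self, program, network_input, mem_size=16):
        self.mem = [Cell() for _ in range(mem_size)]
        for addr, instr in enumerate(program):
            self.mem[addr].value = instr  # program text is trusted, untainted
        self.network = list(network_input)  # constructed "packet" payload
        self.pc = 0
        self.trace = []

    def step(self):
        cell = self.mem[self.pc]
        if cell.tainted:
            # Argos' detection point: the CPU is about to execute contaminated memory.
            return self.snapshot("instruction fetch from tainted memory")
        op, *args = str(cell.value).split()
        self.trace.append((self.pc, cell.value))
        if op == "RECV":  # RECV dst n: read n bytes from the network into dst..dst+n-1
            dst, n = int(args[0]), int(args[1])
            for i in range(n):
                byte = self.network.pop(0) if self.network else 0
                self.mem[dst + i] = Cell(byte, True, f"network byte {i}")
            self.pc += 1
        elif op == "COPY":  # COPY src dst: taint propagates with the data
            src, dst = int(args[0]), int(args[1])
            s = self.mem[src]
            self.mem[dst] = Cell(s.value, s.tainted, s.origin)
            self.pc += 1
        elif op == "JMP":  # JMP addr
            self.pc = int(args[0])
        elif op == "HALT":
            return {"status": "halted", "trace": self.trace}
        else:
            raise ValueError(f"unknown instruction {op!r} at {self.pc}")
        return None

    def snapshot(self, reason):
        """The record Argos would keep: where it stopped, and every tainted cell."""
        return {
            "status": "alert",
            "reason": reason,
            "pc": self.pc,
            "tainted": {a: (c.value, c.origin) for a, c in enumerate(self.mem) if c.tainted},
            "trace": self.trace,
        }

    def run(self, max_steps=100):
        for _ in range(max_steps):
            result = self.step()
            if result is not None:
                return result
        return {"status": "timeout", "trace": self.trace}


# Constructed packet: four opaque bytes, their content does not matter here.
PACKET = [0x41, 0x42, 0x43, 0x44]
# A program that copies received data around and then transfers control to it.
CONTROL_FLOW_INTO_DATA = ["RECV 8 4", "COPY 8 12", "JMP 12", "HALT"]
# A program that only handles the received data as data.
DATA_ONLY = ["RECV 8 4", "COPY 8 12", "HALT"]


def analyse(program, packet=PACKET):
    return TaintVM(program, packet).run()


if __name__ == "__main__":
    for name, prog in (("control flow into data", CONTROL_FLOW_INTO_DATA), ("data only", DATA_ONLY)):
        print(name, "->", analyse(prog))
```

The important property is that the second program never raises an alert even though it handles exactly the same tainted bytes: taint tracking flags the use of network data as code, not its mere presence in memory, which is what keeps a system such as Argos from drowning the operator in false positives.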
Honeypots are certainly a suitable way of supplementing existing IT security systems. However, it is important to check carefully whether any error messages or alerts raised by these systems are actually caused by an external attacker.