Honeypots


A honeypot is a decoy system that can detect, monitor, and sometimes tamper with the activities of an attacker.

  • seek to redirect malicious users from live production systems
  • can be configured to deliberately display fake vulnerabilities or material that makes the system attractive to an attacker
    • E.g., intentionally insecure service, outdated and unpatched operating system, network share named “top-secret UFO documents”, etc.
  • a decoy server
  • typically placed in a DMZ, designed to entice malicious users to attack it
  • often will collect intelligence on the attacker and their techniques
    • Research honeypots focus on the collection of information on observed attack methods and malicious activity happening “in the wild” or, more specifically, on Internet-facing systems

High-interaction honeypots are designed to mimic real production systems, making it difficult for attackers to tell the difference between the honeypot and a real system.

  • aims to capture more detailed attack information than can be accomplished by using a low-interaction honeypot
    • allows security teams to understand an attacker better
  • leverage a complete operating system and are more challenging for expert attackers to spot

An active decoy is a system designed to distract potential attackers away from an organization’s critical systems and data.

  • creates a false environment that looks like a real system, complete with fake data, applications, and other elements
  • is closely monitored to detect malicious activity and provide early warning and detailed insight into an attacker’s tactics and techniques
  • Advanced deception solutions automatically identify and reroute malicious traffic away from real assets and toward decoys

How it Works

  • When an attacker accesses the system, the honeypot monitors their activity without their knowledge
  • can connect multiple honeypots into a honeynet with varying configurations and vulnerabilities
    • uses centralized instrumentation to monitor all the honeypots on the network
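The two points above (silently recording what a connecting client does, and several sensors reporting to one central instrument) are easy to see in code. The following is an added example written for these notes, not code from the original page: a minimal low-interaction honeypot that presents a fake mail-service banner, records whatever the client sends without acting on it, and pushes structured events from two sensors to one in-memory collector that stands in for a honeynet's central instrumentation. The banner text, sensor names and event format are assumptions made for the illustration, and the "scanner" probe is a constructed client used only to generate sample traffic on localhost.

```python
"""Minimal low-interaction honeypot with a central event collector.

Added example for these notes (not from the original page). The banner,
sensor names and event layout are assumptions chosen for illustration.
"""
import json
import socket
import threading
import time
from dataclasses import dataclass, field

# Fake banner that makes the decoy look like an old, unpatched service.
# The product name and version are made up for the example.
FAKE_BANNER = b"220 mail.example.internal ESMTP OldMailer 1.0 ready\r\n"


@dataclass
class Collector:
    """Central sink: every honeypot sensor in the honeynet reports here."""
    events: list = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def record(self, event: dict) -> None:
        with self.lock:
            self.events.append(event)
        # In a real deployment this would be a syslog/SIEM forwarder.
        print(json.dumps(event))

    def by_source(self) -> dict:
        """Count events per source address, the first thing an analyst checks."""
        counts = {}
        with self.lock:
            for ev in self.events:
                counts[ev["src"]] = counts.get(ev["src"], 0) + 1
        return counts


def make_event(sensor: str, src: str, payload: bytes) -> dict:
    """Normalise one observation into a structured event for the collector."""
    return {
        "ts": time.time(),
        "sensor": sensor,
        "src": src,
        "bytes": len(payload),
        # Attacker-controlled data is escaped and truncated, never executed.
        "payload": payload.decode("utf-8", errors="backslashreplace")[:256],
    }


def handle_client(conn: socket.socket, addr, sensor: str, collector: Collector) -> None:
    """Serve one connection: send the banner, capture input, log it, close."""
    with conn:
        conn.settimeout(2.0)
        try:
            conn.sendall(FAKE_BANNER)
            data = conn.recv(4096)
        except (socket.timeout, OSError):
            data = b""
        collector.record(make_event(sensor, addr[0], data))


def serve(sensor: str, collector: Collector, host: str = "127.0.0.1",
          port: int = 0, max_conns: int = 1) -> int:
    """Bind one sensor and return its port; handles max_conns connections in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    bound_port = srv.getsockname()[1]

    def loop():
        with srv:
            for _ in range(max_conns):
                conn, addr = srv.accept()
                handle_client(conn, addr, sensor, collector)

    threading.Thread(target=loop, daemon=True).start()
    return bound_port


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Constructed client standing in for a scanner: read banner, send one line."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def run_demo() -> Collector:
    """Two sensors, one collector, one constructed probe against each sensor."""
    collector = Collector()
    p1 = serve("smtp-decoy-1", collector)
    p2 = serve("smtp-decoy-2", collector)
    probe(p1, b"EHLO scanner\r\n")
    probe(p2, b"AUTH LOGIN\r\n")
    # Give the handler threads a moment to log before returning.
    deadline = time.time() + 2.0
    while len(collector.events) < 2 and time.time() < deadline:
        time.sleep(0.01)
    return collector


if __name__ == "__main__":
    c = run_demo()
    print("events per source:", c.by_source())
```

The design choice worth noting is that the sensor never interprets what it receives: the payload is escaped, truncated and forwarded as data, so a malformed or hostile input reaches the collector as an event rather than as something the honeypot acts on. Running the script prints one JSON event per probe followed by the per-source counts.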

Why Use a Honeypot?

  • provide an early warning system
  • lure hackers away from the real network
  • discover an attacker’s methods
  • serve as an intentional target to monitor the activities of malware in the wild
    • honeynets are useful for understanding malware activity on a larger scale since you can reproduce a variety of operating systems and vulnerabilities