Honeypots 101: Origin, Services, and Types
By: Kevin O’Connor, Director of Threat Research
The Origin of the Honeypot
In the 1980s, honeypots became a permanent fixture in cybersecurity, riding the lines of defensive and deception technologies. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, published by Clifford Stoll in 1989, details the hunt for a computer hacker (later identified to be Markus Hess) who digitally broke into Lawrence Berkley National Laboratory (LBNL) in 1986[1]. Stoll provides one of the first descriptions of what is known today as a honeypot.
To catch the hacker, Stoll set up an elaborate ploy by inventing a fictitious department under an imaginary contract within a real organization under LBNL that Stoll suspected the hacker was targeting. Creating a fake user working for the faux organization, Stoll filled the user’s digital assets with attractive-looking documents designed to gain the hacker’s attention and lure them into grabbing the files. His efforts would ultimately lead to discovering the hacker’s identity as Hess and the following arrest in Germany.
After Stoll flew to Germany and testified against Hess, it became public that Hess had been selling the bounty of his hacking operations against organizations like LBNL to the Soviet Union’s KGB intelligence agency. They would also work out that a Hungarian agent had contacted the fictitious LBNL department using information that could have only been sourced from Hess. This was part of the KGB’s standard routine to verify Hess’s information.
Later, in 1991, Bill Cheswick, considered one of the pioneers of computer security, published An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied[2]. The Chronicle, one of the earliest technical descriptions of a honeypot, details leading a hacker on a “merry chase” to trace his location and learn his techniques. It details the bait and traps used to lure him and is the work that first applied and popularized the terminology of “jail” in cyber security. Cheswick had created a digital jail to trap the actor and watch their actions in detail[3].
The concept of a honeypot has come a long way since its first use in the 1980s. Pioneers like Stoll and Cheswick were instrumental in laying the foundation for what has become an essential component of modern cybersecurity strategies. With the advancements in technology and the increasing sophistication of cyber-attacks, the use of honeypots has evolved over the years. Today, honeypots are used for defense, research, threat intelligence gathering, and incident response. Let’s explore the current usage landscape of honeypots in the field of cybersecurity and some considerations in deployment and usage.
What is a Honeypot?
Honeypots are security systems that lure cyber attackers and track their activities in a secure, isolated, and monitored environment. Honeypots can distract potential attacks from a target’s critical resources; act as an intelligence-gathering platform about attacks and their tactics, techniques, and procedures (TTPs); and strengthen security overall. Information collected by honeypots can also be used to identify vulnerabilities in a system, software, or protocol. They are, in essence, a decoy computer system meant to attract, trap, and expose potential attackers. As attackers are drawn to the honeypot and focus their efforts there, more valuable systems and data are protected by the attacker’s exposure through the honeypot. A well-designed and implemented honeypot is isolated from the rest of the network. It does not contain any sensitive information, so there is no risk of the attacker compromising it and accessing sensitive data.
Common Honeypot Services
Modern honeypots will typically work to provide “jailed” access to systems over specific protocols and their related applications, such as email, web services, and network administration services. These targeted applications may present high-value access to the target, data collection, theft opportunities, or an easy way to compromise and pivot through an organization’s and network’s systems.
Common services that are often developed into honeypots include:
- File Transfer Protocol (FTP)
- Telnet
- Secure Shell (SSH)
- HTTP Web Services
- MySQL or Database Specific Applications
- Administrative Applications
- Other Remote Access Methods (VPNs, Remote Desktops, and remote support apps)
Most network and computer services can be adapted into a honeypot with the proper modifications. Which honeypot services your organization deploys will depend on its legitimate services, attack surface, and known attacker motivations.
Types of Honeypots
Honeypots come in various forms and have evolved to meet the changing threat landscape. Several types of honeypots are designed to cater to specific security needs.
- Low-interaction honeypots are designed to simulate a limited number of services and are less complex to implement, making them ideal for small-scale organizations. On the other hand, high-interaction honeypots offer a much more realistic and complex environment and are designed for organizations with larger security teams[4].
- Another type of honeypot is a hybrid honeypot, which is a combination of low-interaction and high-interaction honeypots. This honeypot balances complexity and ease of deployment, making it ideal for medium-sized organizations.
- Virtual honeypots simulate a network environment and lure attackers into a virtual and often restricted or more heavily monitored network enclave.
- Honeypots can also be combined to create a honeynet or honeyfarm, a network of honeypots used to monitor and track attacker activities. Honeynets are often used to gather information about and monitor large-scale attacks, such as distributed denial-of-service (DDoS) attacks.
Through pioneers like Stoll and Cheswick, honeypots have evolved from simple traps used to study and track hackers to complex security solutions that detect, prevent, and respond to cyber threats. The term “honeypot” has become synonymous with deceptive security technologies, and the concept is widely used in various industries, from financial services to healthcare, to protect against cyberattacks. And regardless of the type, honeypots are an indispensable tool in any cybersecurity arsenal that is crucial in detecting and mitigating cyber-attacks.
Visit the Adlumin for Honeypots resource page for more information on expanding your defenses with deception technology.
References
- Stoll, C. (1989). The Cuckoo’s Egg: Inside the world of Computer Espionage. Doubleday.
- Cheswick, B. (n.d.). Biography. Bill Cheswick’s bio. Retrieved January 30, 2023, from https://www.cheswick.com/ches/bio.html
- Cheswick, B. (1992). https://cheswick.com/ches/papers/berferd.pdf. Winter USENIX Conference, San Francisco, 20–24. https://doi.org/https://cheswick.com/ches/papers/berferd.pdf
- Edgar, T. W., & Manz, D. O. (2017). Research methods for cyber security. Syngress, an imprint of Elsevier.