What is a honeypot?
Whether it is implemented in software or through human actions, a honeypot is designed to make it look as though a company has entry points in its systems that have not been adequately protected.
How does it work?
As a preventive measure, a company sets up a series of servers or systems that appear to be vulnerable. It looks as though the company has been careless about certain aspects of security. Once the trap has been set, the aim is to attract attackers.
What the criminal does not realize, however, is that instead of a vulnerable entry point, it is a trap that is being closely monitored by the company in question.
Companies can benefit in three ways from this: firstly, by containing genuinely dangerous attacks; secondly, by making attackers waste their time; and finally, by analyzing their movements to detect potential new forms of attacks that are being used in their sector.
In cyber-security, a honeypot is similar to counter-espionage, which also uses lures that appear to be vulnerable in order to draw in attackers and thwart their attacks while analyzing and monitoring all their actions.
This is a potentially useful strategy, above all for large companies that often hold a lot of confidential data and, due to their volume of business, are an attractive target for attackers.
Malware honeypots are used to detect malware, taking advantage of known propagation and attack vectors of malware. Propagation vectors, such as USB drives, can be easily checked by seeing if there have been any modifications, either manually or using special honeypots that emulate these drives.
Malware is being used increasingly to mine crypto-currencies, which creates opportunities for services like Bitcoin Vigil to create and monitor honeypots using a small amount of money to create a system of incentives, which provide early warnings in the case of malware infections.
There are in fact ways of refining the process further: if the honeypot is created not on non-production networks but on real applications and systems, then we are talking about another concept, the honeynet, which tricks cyber-criminals further still, making them believe without doubt that they are attacking a real IT system.
A honeynet is a network of interacting honeypots that simulates a real network and is configured to discreetly monitor and record all data. Normally, a honeynet is used to monitor large or diverse networks where a single honeypot would not be sufficient.
The combination of honeynets and honeypots is often used as part of a larger network intrusion detection system. Honeynets offer a centralized collection of honeypots and tools for analysis.