How Honeypots Work: Things that Go Bump in the Network

May 3, 2017 | Phillip Maddux

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Things That Go Bump in the Network

honeypots can identify malicious traffic in your network

Everytime I see one of those Capital One commercials where Samuel Jackson gives the tag line, “What’s in your wallet?”, I can’t help but think of a similar question in the context of network security. It’s a question fit for networking teams, security teams, and especially CISOs, which is, “What’s in your network?” Would you even know? How would you know? As networks continue to become more complex with applications, virtualization, and devices, these questions can be very difficult to answer. To help answer these questions there certainly has also been an explosion of fancy new solutions in the marketplace to monitor activity on a network. However, in addition to those great monitoring tools, I’d like to suggest implementing a simple concept that has been around in information security for quite a while. Every enterprise should consider running good old fashioned honeypots.

If this is the first time you are reading about honeypots in the context of security, it’s really quite simple. A honeypot is a computer on the network that is intended to look like it has a legitimate production purpose, but it is really there to act as a sort of tripwire for malicious activity. Since no legitimate users would be directed to the honeypot, any traffic hitting the honeypot is likely not legitimate. A honeypot can be configured to look like anything on the network, e.g. print server, web server, file server, etc., so when an attacker is probing the network and comes across a honeypot they think they’ve found a legitimate target.

honeypots can be configured to look like anything on your network

The value of running a honeypot shouldn’t be underestimated, even if you’re running some of the new AI and machine learning endpoint security solutions available today. Honeypots can be very inexpensive to deploy and maintain, and since they really should receive very little traffic, any log or alert from a honeypot is of high value. Any alert will contain information that is indicative of either malicious traffic (you want to know about that!) or a misconfigured system on the network (you still want to know about that!). There are no false positives here. This information helps you find bad things lurking on your network, but it can also enable you to assist operations when something has been misconfigured.

A honeypot is not just a network security sensor solution, it is also a component of your broader approach to applying network security. Going through the process of implementing a honeypot can actually help you to become more familiar with what your network looks like - from both a topology and behavior perspective. Having a better understanding of your network puts you in a better position to defend it. Also, those cases where you’ve identified misconfigured systems are opportunities to bridge relations with operation teams by providing additional value.

Ultimately however, to the detriment of an attacker, your network should be a really noisy place. The attacker wants to be stealthy, but if your network is layered with noisy bumps and misleading routes, you’re raising the risk to the attacker. When you increase the risk to the attacker you’re also increasing what it actually costs the attacker to be successful, which makes you a less attractive target.

honeypot for network security, or at least your own private research

If you are interested, and i hope you are, in adding honeypots as a layer in your approach to network security I have some resources to help you get you started. The first resource is an open source honeypot I’ve created called HoneyPy. Intended to be easy to configure and deploy, HoneyPy can be a great tool to help get your feet wet. To accompany HoneyPy, I’ve also authored getting started guides, in blog form, on my personal blog site. The guides cover some additional basics on honeypot concepts, but also instructions on how to get up and running with HoneyPy. The contents are as follows:

Part 1 - Covers installing, running, and configuring HoneyPy.

Part 2 - Covers services and service profiles.

Part 3 - Covers plugins and loggers.

There is a fourth post on another project called HoneyDB, which leverages honeypots in more of a research capacity. Research is an additional area of value honeypots provide. If you are not in a position to deploy honeypots in an enterprise network, then I encourage you to explore honeypots from a research perspective.

If you’d like to stay updated with the latest on HoneyPy or HoneyDB please follow me on twitter (@foospidy). Whenever new features (like the one I’ll be announcing this May at CaronlinaCon) or honeypot data worth sharing I’ll post a tweet. Thank you for reading and happy honeypotting!

Phillip Maddux

About the Author: Phillip Maddux
Phillip Maddux is a Senior Solutions Engineer at Signal Sciences and has over 10 years of experience in information security, with the majority of that time focused on application security in the financials sector. In his spare moments he enjoys converting ideas to code and committing them to Github.
Read more posts from Phillip Maddux ›


Watch a Demo ›