Honeypot

What are honeypots?

If a threat actor is a bear, then the honeypot is the fake server or device you set up to trick them into communicating with it. Honeypots can be servers, workstations, or other devices that are not supposed to receive any communication.

How do we use them?

Creating a honeypot can be fairly simple or fairly complicated, depending on how complex you want to make it. Honeypots are supposed to draw attackers in, so a Windows 10 workstation with no running services and no open ports will do nothing but cost you money for electricity. Since there are many ways and tools you can use to create them, I will not give a step-by-step guide; however, I will give some outlines to follow:

  • Give the honeypot some vulnerabilities

    • These can vary based on the environment, but you do not want to make it too easy to connect to; otherwise a smart attacker will realize it is a honeypot

    • If possible, give it some vulnerabilities that look like misconfiguration or failure to update a service running in your environment

    • Don't start throwing in vulnerabilities that don't look like they belong in your environment

  • Use tools to detect any unauthorized traffic to the honeypot

    • If you have the tools for it, this should be easy enough: since it's a fake server, there should be absolutely no traffic to the device except what you set up to communicate with it

  • Set up some automated traffic to/from the server

    • This helps to fool an attacker into thinking it's a legitimate server by faking some network traffic going back and forth to other servers

    • Make sure to whitelist any fake traffic you set up

Why do we need them?

As stated above, a honeypot gives attackers a fake target to interact with so that we know they are in our environment. The nice thing about honeypots is that attackers don't have to actually exploit any vulnerabilities on the device; simply interacting with it should generate an alert if it is set up correctly. This makes it much easier to catch an attacker, even one who is just enumerating the network, if your other tools fail to catch the activity.
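The detection rule described above (alert on any traffic to the honeypot except the fake traffic you whitelisted), as an added example that is not part of the original page. The honeypot address, allowlist entries, flow records, and the `timestamp,src_ip,dst_ip,dst_port` record layout are all constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed values: the honeypot address and the fake traffic we scheduled ourselves.
HONEYPOT_IP = ipaddress.ip_address("10.0.5.20")
ALLOWLIST = [  # (source network, destination port on the honeypot)
    (ipaddress.ip_network("10.0.5.10/32"), 445),  # fake file-share sync job
    (ipaddress.ip_network("10.0.9.0/28"), 161),   # fake monitoring pollers
]

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
2024-01-01T10:00:00,10.0.5.10,10.0.5.20,445
2024-01-01T10:00:05,10.0.9.3,10.0.5.20,161
2024-01-01T10:01:00,10.0.7.44,10.0.5.20,22
2024-01-01T10:01:01,10.0.7.44,10.0.5.20,445
2024-01-01T10:01:02,10.0.7.44,10.0.5.20,3389
2024-01-01T10:02:00,10.0.5.10,10.0.5.20,3389
2024-01-01T10:03:00,10.0.7.44,10.0.8.1,443
not,a,valid,record
"""

def is_allowed(src, port):
    """True only when both the source and the port match a scheduled fake flow."""
    return any(src in net and port == p for net, p in ALLOWLIST)

def honeypot_alerts(flow_text):
    """Return {source_ip: sorted honeypot ports touched} for unexpected traffic."""
    hits = defaultdict(set)
    for row in csv.reader(flow_text.splitlines()):
        try:
            _, src, dst, port = row
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip malformed records instead of crashing the detector
        if dst == HONEYPOT_IP and not is_allowed(src, port):
            hits[str(src)].add(port)
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    for src, ports in honeypot_alerts(SAMPLE_FLOWS).items():
        kind = "possible enumeration" if len(ports) > 1 else "single connection"
        print(f"ALERT {src} -> honeypot ports {ports} ({kind})")
```

Because the allowlist matches on source and port together, the whitelisted sync host still raises an alert when it touches a port it was never scheduled to use.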
