How do honeypots work?

Honeypots are closely monitored decoys that are deployed in any network in order to study the trail of hackers and malicious persons. They are filled with fabricated information made to look like a real system — which the honeypot mimics. By having security vulnerabilities the honeypot lures the attackers in. The vulnerabilities vary between anything from a specific CVE vulnerability to an exposed port for a specific application.

The purpose of honeypots is not to directly prevent attacks like other types of security measures but rather to help us to get a better understanding of who is attacking and how they are doing it. When the attacker is caught in the trap, their IP and session is stored and sent to us for analysis.

When people are speaking about honeypots, there are generally two types: research and production honeypots.

Production honeypots sit located in and around the rest of your production servers and are running services that you would typically run. They are focused on identifying active compromises on the network they sit in. When they are triggered by tricking the attacker the company gets alerts that there is someone in their environment. The information gathered from the production sensors can be used to secure common gaps around identifying lateral movements and network scans.

Research honeypots on the other hand sits all over the world, not just in your environment and are used as a large blanket to study attacks from a broader perspective. By doing this they can gather information about attack trends, new malware strains and vulnerabilities that are actively being used.

Meet our sensor network

A sensor for us is a machine running multiple honeypots. We have these sensor boxes deployed all around the world, in what we call our sensor network. We try to spread them out as much as possible so we have at least a few in each country where possible. By running many sensor boxes and multiple in each location, we gain a better understanding of each attacker that tries to access them. Is the attacker only focusing their efforts in a particular area such as a country/continent or are they hitting all our honeypots around the world?

Our standard sensor is running tens of honeypots and mimic protocols such as ftp, ssh, telnet, http etc. In our fleet this is the one that we tend to deploy the most because it gives us the most information from one sensor.

We are also using different types of sensors in some areas just because they are more prune for directed attacks against a specific type of hardware/protocol. We are for example running specialized SCADA sensors in the middle east to be able to pick up attack patterns and attacker information. These sensors are deployed in this area because this is one of the primary regions for this system because of the oil production there. It would not be beneficial for us to run them in any other region as they would not get anyone to chop the bait elsewhere.

Why do we have honeypots?

What we are looking for in these honeypots is information about perpetrators, such as IP addresses or attack-vectors. When an attacker is hitting our honeypot all data about the session gets recorded and shipped back to our data centers where we enrich it and store the information in a data lake.

When the information is in our facilities we can then use it for our mitigation platform by creating lists of bad actors and block/drop the traffic as soon as it enters our hardware on layer 4 instead of taking the packages up to layer 7 for payload verification. This removes pressure from other parts of the chain as it's much easier to just drop the traffic based on the source IP instead of having to validate each package and check for its legitimacy on Layer 7.

The information we have gathered from the honeypots is being used for internal research such as spotting new attack vectors, map botnets against compromised devices such as ISP routers or IoT devices. The malware that gets uploaded to the sensors is also actively collected and enriched. By storing this information we can help the research community to analyze the spread of malwares and if there are any new forks or never before seen ones popping up.

Sebastian Svensson

Reliability Engineer

Related posts