Generally speaking, honeypots are systems that serve as bait for attackers. Within the network, they provide no meaningful services and are therefore never addressed by legitimate systems, so any attempt to contact them is suspicious in itself: it most likely comes from an attacker who does not know the network's configuration. Finding a clear definition is not easy, because there are many of them. The reason there are so many different definitions is that honeypots can be applied to many different types of Internet applications. Unlike many other security techniques on the Internet, they are not geared to one particular problem but try to cover the widest possible range of attacks. A firewall, for example, is designed to prevent attackers from accessing a system. Honeypots, in contrast, try to detect not only unauthorized system access but also Trojans, worms, and other attacks. In doing so, a honeypot collects only data that is directly related to the attack on the computer and evaluates it where necessary. A honeypot therefore deals with relatively little but highly relevant data about the attack and its methodology, while programs such as firewalls and antivirus scanners deal with a huge flood of data, since they continuously inspect the entire data stream to match it against known patterns or monitor every program's access to system resources.
A honeypot is a security resource whose value lies in being attacked or compromised. This is precisely the difference between honeypots and other security techniques: one wants a honeypot to be attacked in order to learn something new about the attack and about the attacker. There are several possible uses for honeypots. For example, they can detect and analyze a worm attack, or they can recognize and flag unauthorized system access at an early stage. Honeypots themselves are as varied as their possible uses.
Roughly, two types of honeypots can be distinguished: production honeypots and research honeypots. Production honeypots are used mainly in companies and the private sector. With this type, attacks can usually only be detected. This limitation has the advantage that such honeypots are much easier to handle. Research honeypots, as the name implies, are used for research purposes. With honeypots of this type, attacks are not only detected; a great deal of information about the attack and its attacker is also collected and evaluated. The aim is to gain new insights into the methods and tools of attackers, which are then used to develop new security techniques that protect systems better in the future.
Research honeypots are much more complex and harder to use than production honeypots. In addition to this distinction by type, honeypots can also be classified by interaction level. There are three classes: low-, medium- and high-interaction honeypots. The classification depends on how many possibilities for interaction an attacker has with the honeypot.
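The defining property described above, that a honeypot offers no real service and so treats every contact as suspicious while recording only attack-related data, is illustrated by the following minimal low-interaction honeypot. This is an added example and not code from the article; the fake banner, the loopback port selection and the probe client are constructed for the demonstration.

```python
"""Minimal low-interaction honeypot (added example, not from the article).
It fakes a service banner on a port no legitimate client uses and records only
who connected, when, and what they sent first: any contact at all is suspicious."""
import socket
import threading
import time

# Constructed banner for a mail service that does not really exist.
BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):  # port 0: the OS picks a free port
        self.events = []  # (timestamp, source address, first bytes received)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def handle(self, conn, addr):
        conn.settimeout(2.0)
        conn.sendall(BANNER)  # look like a real service
        try:
            data = conn.recv(256)  # keep only the first request, not a whole stream
        except socket.timeout:
            data = b""  # connected but sent nothing: still worth recording
        finally:
            conn.close()
        self.events.append((time.time(), addr[0], data))

    def serve(self, max_conns):
        """Accept max_conns connections, then stop. Returns the recorded events."""
        for _ in range(max_conns):
            self.handle(*self.sock.accept())
        self.sock.close()
        return self.events


def probe(port, payload):
    """Stand-in for a scanner: connect, read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(128)
        c.sendall(payload)
    return banner


def demo():
    """Run the honeypot for one connection against the constructed probe."""
    hp = Honeypot()
    t = threading.Thread(target=hp.serve, args=(1,), daemon=True)
    t.start()
    banner = probe(hp.port, b"EHLO scanner\r\n")
    t.join(5.0)
    return banner, hp.events
```

Each recorded event is a single small tuple, which is the whole point: the honeypot keeps a handful of highly relevant records instead of a full packet stream.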
History of Honeypots
The idea of a honeypot has been around for some time. However, the concept was not yet known under its current name; only recently has the term honeypot become established.
In 1990, two publications appeared on this topic. The first was a book by Clifford Stoll entitled "The Cuckoo's Egg." Clifford Stoll was working with computer systems at the time and found that an attacker had gained access to the data on his system. Instead of shutting the intruder out, he decided to let the attacker carry on and observe him instead. This allowed him to gather a great deal of information about the attacker. The system on which Stoll watched the attacker was not yet a honeypot in the current sense; it was a real system with sensitive data. While the attacked system cannot be described as a honeypot, since it was not specifically intended to collect information about the attack, the basic idea behind observing the intruder was the same.
The second publication that year came from Bill Cheswick: a paper titled "An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied." The difference from Stoll's book was that Cheswick used a system specifically designed to be attacked. So this was a honeypot by definition, even if Cheswick did not call it that. The paper describes how the system was built and what its properties were. As in Stoll's book, Cheswick also describes how an attacker tried to access his system and what he learned from it.
The next important date in the history of honeypots is 1997. That year saw the release of the first program for installing and running a honeypot on a private computer. It was called Deception Toolkit (DTK) and was written by Fred Cohen. The program was primarily intended to collect information about attackers' activities and to confuse them.
In the following year, another honeypot product called CyberCop Sting was developed as an extension of DTK. CyberCop Sting offered the user two important new features. The first was that the program ran not on Unix but on Windows NT. The second and much more important difference was that CyberCop Sting could emulate many different systems in parallel. For example, it was possible to replicate Cisco, Solaris, and NT applications at the same time. This greatly increased the chance of being attacked. Despite all its benefits and ease of use, the product never really succeeded in the marketplace.
In 1998, a program called NetFacade was developed by Marty Roesch. It could simulate up to seven different types of applications, allowing for up to 254 systems. Although the program was not very well known, it contributed a great deal to the development of honeypots.
Back Officer Friendly was developed in the same year. This program was simple to use and, despite its limited functionality, allowed a wide audience to engage with the honeypot concept for the first time. Back Officer Friendly was free of charge and very easy to install, so it could be downloaded and used without much prior knowledge.
In 1999, finally, the Honeynet Project was founded. Its team, consisting of volunteer security experts, focused on the use of honeynets.
Due to the rapid increase in worm attacks since 2000, honeypots have been used more and more, thanks to their good results, and have become increasingly accepted as a tool in the fight against attacks on the Internet.
Benefits of Honeypots
A first advantage of honeypots over other security techniques is their ease of use. With other security techniques, one needs to be very familiar with the subject to work with them at all; with a honeypot, it is sufficient to install it and make a few adjustments if necessary. This makes handling a honeypot much easier. Naturally, as mentioned in the previous chapter, there are also more complex honeypots that require some prior knowledge. Initially, however, a simple honeypot can be run without much prior knowledge. This allows anyone to engage with honeypots and observe attackers, which is not the case with other security techniques.
The next big benefit of honeypots concerns the amount of data and its analysis. Other security techniques collect an immense amount of data. The problem is evaluating it. Much of the collected data is not meaningful and is therefore unnecessary for analysis. Nevertheless, these security techniques have to record the data, because it is not possible to tell in advance which data is important and which is not. This large volume sometimes makes it difficult to analyze and process the data promptly, so that system functions may be degraded in terms of response times; sometimes even regular system requests are blocked. In contrast, a honeypot limits itself to the data related to the attack and analyzes that afterwards. This leads to a greatly reduced volume of data, which does not affect system functions. Evaluating the analysis reveals potential weaknesses in the security techniques in use, and such information can then be used to develop protection mechanisms further. This is precisely the advantage of honeypots: one has to deal with much less data, but this data is very meaningful, so faster and more precise analyses are possible. As a result, it is possible to respond quickly to problems or failures in the security programs in use by modifying and improving them.
The third big advantage is the much lower hardware requirement. Most security programs must cope with the ever-increasing speed of Internet traffic and ever-growing data volumes at the same time, so correspondingly high demands are placed on the processing speed of the hardware. If the hardware cannot keep up, the security techniques can no longer check everything, which can easily lead to malfunctions. The advantage of honeypots is that they need far fewer resources because they only have to react when they are addressed. As a result, a honeypot does not have to be particularly fast or powerful; it is quite possible to use older computers as honeypots. For this reason, honeypots do not have to be kept at the state of the art and are thus very cost-effective to operate.
Another advantage of honeypots is that they make everyone aware of the danger posed by the Internet. Since a honeypot tells the operator each time an attacker tries to access the system, the operator is constantly reminded that sufficient protection is required. With other security techniques, one may not be aware of this danger, since these programs block the attacks so that the user never even notices them. This can lead to wrong conclusions and suggest that the system is not at risk at all. Honeypots prevent this assumption and point explicitly to the danger.
Disadvantages of Honeypots
The first big drawback of honeypots is the risk they bring with them. A risk exists because a honeypot, once an attacker has compromised it, can then be used to attack other systems from within the network. The risk and the associated damage depend on the interaction level of the honeypot: as described in the last chapter, the more an attacker can do with the honeypot, the bigger the danger.
The next problem, and thus another disadvantage of honeypots, is that a honeypot does not observe what is happening around it, but only what affects itself. As a result, even if there is an attack on the network, the honeypot does not react as long as it is not itself attacked. Honeypots react only when they become the target of an attack.
Another major disadvantage results from a system being identified as a honeypot. This can lead to an attacker bypassing the honeypot in the future and focusing on other systems. An attacker may also deliberately use his knowledge of the honeypot's existence to gain access to other systems; for example, he can bombard the honeypot with attacks and distract the operator to such an extent that he can attack other systems unhindered. With the research honeypots already mentioned, identification can lead to serious errors, because an attacker can deliberately leave behind false information about himself and his methods during an attack. Since conclusions are drawn from this information during analysis, those conclusions will be wrong. This poses a massive problem if these errors find their way into the next version of the security software: in this way the software can be manipulated, and instead of protecting systems, new weaknesses can be created.
Future of Honeypots
Although honeypots have been on the market for quite some time, their acceptance is not very high. One of the underlying problems is that there is still no agreement on how to define a honeypot. Since companies do not know exactly what benefit to expect from using a honeypot, they do not deal with it at all. The most important task is therefore to work out the strengths of honeypots, so that companies recognize their advantages and use them to their benefit. Acceptance would then certainly increase, and further development by security experts would rise sharply, which in turn favors the development of honeypots.
Unfortunately, the lack of agreement on the definition is not the only problem of honeypots. Another disadvantage is that they are still relatively cumbersome to operate. Today's honeypots, and especially research honeypots, usually have an unwieldy user interface, which makes operating such a honeypot very difficult and complex. Difficult handling also automatically makes errors through misconfiguration by the user more likely. Furthermore, a honeypot cannot yet communicate with other security techniques. If there is an attack on a honeypot, it detects and records it, but the information is not forwarded to other security programs. Through a corresponding interaction between honeypots and other security techniques, further attacks could be averted quickly and without much effort. In the future, these problems could be eliminated through further development of honeypots.
One prediction, which is also presented in the book by Lance Spitzner, is that honeypots, and especially research honeypots, still have a lot of potential. Development so far has only hinted at future applications. One possible use of honeypots is to detect patterns in attacks: by analyzing the collected information, patterns could be identified that warn of attackers at an early stage. Another application is specialization for attackers who are looking for highly sensitive data. A further goal is that honeypots no longer work on their own, but that several honeypots distributed around the world cooperate. The advantage is that the data collected by each honeypot is analyzed together, which makes the analysis much more accurate and results in better protection mechanisms.
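The two ideas above, pooling data from several distributed honeypots to spot patterns and forwarding a honeypot's findings to other security tooling (which the previous section notes is not yet common), can be sketched as a small correlation step. This is an added example, not code from the article or from Spitzner's book; the log format, sensor names and addresses are constructed, and a single honeypot would see only its own line of this log.

```python
"""Added example (not from the article): pool events from several honeypots,
flag sources seen by more than one sensor, and emit JSON alerts that other
security tooling could ingest. Log format, sensor names and addresses are constructed."""
import json
from collections import defaultdict

# Constructed records: timestamp, sensor, source address, port probed, short tag.
SAMPLE_LOG = """\
# ts                 sensor   src           port tag
2024-01-05T10:00:01Z hp-eu    198.51.100.7  22   ssh-banner
2024-01-05T10:00:09Z hp-us    198.51.100.7  22   ssh-banner
2024-01-05T10:00:40Z hp-asia  198.51.100.7  23   connect-only
2024-01-05T10:02:00Z hp-eu    203.0.113.9   25   smtp-ehlo
"""


def parse(log_text):
    """Turn the sensor log lines into event dicts; skips comments and blanks."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, sensor, src, port, tag = line.split(maxsplit=4)
        events.append({"ts": ts, "sensor": sensor, "src": src,
                       "port": int(port), "tag": tag})
    return events


def correlate(events, min_sensors=2):
    """Group events by source and flag sources seen by >= min_sensors honeypots.
    A single honeypot only sees what hits it; pooling reveals the wider pattern."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, hits in by_src.items():
        sensors = sorted({h["sensor"] for h in hits})
        if len(sensors) >= min_sensors:
            flagged[src] = {"sensors": sensors,
                            "ports": sorted({h["port"] for h in hits}),
                            "first_seen": min(h["ts"] for h in hits),
                            "count": len(hits)}
    return flagged


def to_alerts(flagged):
    """Render flagged sources as one JSON alert each, for a SIEM or blocklist feed."""
    return [json.dumps({"type": "honeypot_correlation", "indicator": src, **info},
                       sort_keys=True)
            for src, info in sorted(flagged.items())]
```

With the sample log, only the source seen by all three sensors is flagged; the single-sensor SMTP probe stays below the threshold unless `min_sensors` is lowered to 1.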