Honeypot in Practice: A honeypot is ideally suited to get a clearer picture of the activity on or around the critical systems in your environment.
The common use of honeypots is to look like a legitimate resource so as to be indistinguishable from the real thing.
This will subject both the honeypot and the real resource to the same activity, meaning that attacks can be detected more easily.
An example of a typical deployment of a honeypot would be one where we have a high traffic web server. In this environment we would put the web server and a honeypot configured identically in the DMZ.
Since both are the same, the attacks both are exposed to in the same location should also match. Any malware, probes, enumeration, or other actions would immediately be detectable as a potential attack because the honeypot has no legitimate use.
This information gathered from the honeypot would allow for the design and placement of better defenses.
High vs. Low Interaction
Honeypots are not all created equal. There are two main categories: high- and low-interaction varieties.
- Low interaction honeypots rely on the emulation of service and programs that would be found on a vulnerable system.
If attacked, the system detects the activity and throws an error that can be reviewed by an administrator.
- High-interaction honeypots are more complex in that they are no longer a single system that looks vulnerable but an entire network typically known as a
Any activity that happens in this tightly controlled and monitored environment is reported.
One other difference in this setup is that in lieu of emulation, real systems with real applications are present.
Honeypots can be easily exposed and evaluated as something to consider for your environment. Those available include KFSensor, HoneyBOT, and HoneyDrive, to name a few.