In my previous blog post I discussed port scanning. In this post I would like to discuss another method used to protect servers from attackers: network honeypots.
A honeypot is a sweet-looking server, or at least it is intended to look sweet to the attacker, similar to how bears view honey. A honeypot is an additional security protection that can be used alongside a firewall to help protect your network from hackers.
Honeypots are programs that simulate network services such as RDP (Remote Desktop Protocol), Apache, SSH (Secure Shell), FTP (File Transfer Protocol), Telnet and many more. The attacker sees the honeypot server as a vulnerable running server that he can use to break into live servers.
Security personnel often use honeypots as a tool to gather intelligence on the attacker. Attackers constantly modify their methods to take advantage of different types of attacks. In some cases, we see attackers using zero-day attacks (attacks on vulnerabilities before a patch is released) against honeypot servers.
If the administrator does not configure the honeypot just as if it were a live server and apply proper security methods to it, it might appear suspicious to an experienced attacker, who will simply avoid it.
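The following added example, which is not code from the original post, shows how a low-interaction honeypot can simulate one of the services named above (FTP) and gather intelligence by logging every connection, credential attempt and unknown command as a JSON line. The banner text, port 2121 and the names `handle_line` and `FtpDecoy` are assumptions made for the illustration, and the listener is meant to run on an isolated host or VLAN.

```python
import contextlib
import json
import socketserver
import time

BANNER = "220 FTP server ready"  # constructed banner (assumption)


def handle_line(line, state):
    """Return (reply, event) for one client line; no login ever succeeds."""
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "USER":
        state["user"] = arg
        return "331 Password required", None
    if cmd == "PASS":  # record what was tried, then refuse
        event = {"type": "login_attempt", "user": state.get("user", ""), "password": arg}
        return "530 Login incorrect", event
    if cmd == "QUIT":
        return "221 Goodbye", None
    return "500 Unknown command", {"type": "command", "raw": line.strip()[:200]}


class FtpDecoy(socketserver.StreamRequestHandler):
    timeout = 30  # drop idle connections so sessions cannot pile up

    def handle(self):
        state = {}
        self.log({"type": "connect"})
        with contextlib.suppress(OSError):  # client vanished or timed out
            self.wfile.write((BANNER + "\r\n").encode())
            for _ in range(20):  # cap commands per session
                raw = self.rfile.readline(1024)
                if not raw:
                    break
                reply, event = handle_line(raw.decode("latin-1"), state)
                if event:
                    self.log(event)
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break

    def log(self, event):  # one JSON object per line, easy to forward to a SIEM
        event.update(ts=time.time(), src_ip=self.client_address[0])
        print(json.dumps(event), flush=True)


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), FtpDecoy) as srv:
        srv.serve_forever()
```

Because no legitimate user has any reason to touch this port, every logged line is worth an alert, and the recorded usernames and source addresses feed directly into the attacker profiles discussed below.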
HONEYPOTS HAVE TWO PRIMARY GOALS:
- Divert attackers away from the live server. If attackers spend considerable time on the honeypot server, they will not have time to cause problems for live servers.
- Understand the attacker’s methodologies, to better protect the real production systems.

Honeypots can also help security professionals to learn more about known and unknown attacks, and help IT teams identify loopholes and vulnerabilities in the live servers, thus making honeypots a very useful part of the defense system.

- You can observe hackers in action and learn about their behavior.
- Gather intelligence on attack vectors, malware, and exploits and use that intel to train IT staff.
- Create profiles of hackers who are trying to gain access to your systems.
- Waste hackers’ time and resources.
- Improve your security posture by using the intel and data to obtain higher budgets for security.
In addition to that, new tools for detecting attacks are also captured by honeypots. Deploying a honeypot in a system gives the administrator multiple points of view to evaluate in order to find several security solutions for the same problem.
Disadvantages of honeypots:
One of the main issues of a honeypot is that the system is designed to be attacked, so attacks will most likely take place.
If an attack involves multiple systems and the honeypots remain untouched (for instance, if the honeypot was identified as such by the attacker and avoided), it would be necessary to rely on other mechanisms to identify the attack.
An attacker may use your own honeypots to distract you, exploiting them as zombies, thus giving him enough room to attack other systems within the network and compromise them.
A honeypot is a concept, not a tool that can simply be deployed. Given all of the above complexities, you should consider:
Whether your time and security efforts are better spent configuring, monitoring and maintaining a honeypot
or
Configuring and deploying additional security and monitoring on your real servers using SIEM or IPS/IDS software
or
Employing a trusted third-party organization that can observe your organization's risk, which may free up your IT teams to concentrate on the core IT functions that are essential for your organization's smooth functioning.