← Back to Glossary

What are Honeypots?

by Iwan Price-Evans on Security • April 29, 2022

Honeypots are decoy computers or systems that lure hackers and cybercriminals into attacking them. Honeypots deceive attackers into displaying the techniques and behaviors they use to compromise a system. It's called a honeypot because it attracts hackers like a bear is attracted to honey. Cybersecurity teams can use them to identify criminal behavior and understand the methods hackers use to breach systems.  

When creating a honeypot, security teams will ensure that the system contains something attractive to the attacker, such as personal or financial data. The key to creating a honeypot is to make it appear to be a genuine system. Significant skill is required to maintain that deception as the attacker moves through the honeypot environment. The aim is to deceive the attacker long enough for security teams to monitor the attacker and learn their techniques.

Cybersecurity teams can monitor the attacker's activity as they exploit the system. A honeypot is designed to monitor attacker activity by capturing network packets, filtering them, classifying the activity flow, and many other measures.

Security teams will expect that legitimate users will not interact with the decoy system and therefore all interactions to suspicious. This makes honeypots different from running an Intrusion Detection System (IDS) on normal production systems, which will have legitimate and suspicious users and might trigger false positives.

What are the benefits of using honeypots?

Hotpots are not a new security mechanism. They have been around for many years. The idea is simple: prepare an attractive target to lure attackers, wait for them to turn up, then monitor and learn from their activity.

Honeypots can be set up with minimal cost and resources because they don't handle much traffic. Old computers can be used for the devices and prebuilt honeypot configurations are available from online resources.

It is often difficult to identify malicious activity in a production system because of the high volume of normal legitimate traffic. Malicious actors are able to hide amongst the 'noise' of normal activity. Honeypots allow all of this background activity to be completely removed putting any attacker in open view of the security team monitoring.

Organizations can gain vital information from honeypots to enhance their security systems and identify emerging threats. This allows security teams to focus their efforts on high-risk threats, prioritizing their defense activities.

Honeypot examples

One of the earliest honeypots is 'BackOfficer Friendly' (BOF), created in 1999. It was designed to send alerts when the system was attacked via open network ports. BOF was a basic system that identified live intrusion but required human monitoring.

More recently, security experts have used honeypots at conferences to study how criminals might attack critical public services or infrastructure. One example of this was the 'HoneyTrain', a model train system used at a German conference. This appeared to be real-world infrastructure to the attacker and was used to monitor their activity over two weeks.

What are the different types of honeypots?

The types of honeypots can be grouped by their use and may be classified by production or research. They can be further grouped based on their design as high-interaction honeypots, low-interaction honeypots, and pure honeypots.

Honeypot classifications

Production honeypots

Production honeypots are decoy systems that are located inside production networks and servers. They can be implemented as part of an Intrusion Detection System (IDS). The purpose of putting them inside a production system is to deflect an attacker's attention from real systems. Once an attack on the honeypot is identified activity monitoring and additional protection of real systems can be put into action.

Research honeypots

Academic institutions and security research organizations create research honeypots to use for education or security system improvement. They often create them with traceability built-in to the deception assets. This helps them to perform attack analysis on stolen data. 

Honeypot design

High-interaction honeypots

High-interaction honeypots mimic real networks and infrastructure and allow attackers unrestricted movement, which enables security teams to collect extensive intelligence. Often the system's response times may be slowed slightly to extend the session duration to allow more activity data to be collected. High-interaction honeypots are complex and require expertise to maintain, which means they have a higher cost.

Low-interaction honeypots

Low-interaction honeypots are created as low-cost, scalable distractions for attackers. They imitate real systems and services. They are useful for gaining intelligence on automated attacks from botnets and malware.

Pure honeypots

A pure honeypot is a full copy of a production system. Sensitive information will be removed and replaced with data that looks real to the attacker. This allows a detected attacker to be directed to this monitored honeypot where attack intelligence can be gathered.

Honeypot applications

Honeypots can be created for a specific purpose.

Threat intelligence honeypots pass attacker data to threat intelligence platforms to contribute to threat detection, reputation databases, and risk analyses.

Malware honeypots simulate systems commonly targeted and attacked by malware.

Email trap honeypots are used to attract, identify and block spam. An email trap can be a fake email or email list published on a website waiting to be collected by an email scraper. It can also include expired email domains or unused email accounts. These can be monitored and blacklisted when used by spammers.