As an IT security professional, you'll spend a lot of time trying to prevent attackers from gaining access to your systems, but you'll also be able to use your knowledge and techniques of security to create deception and disruption for those same attackers. One way to provide this deception is by using a honeypot. A honeypot is a way to attract attackers to your system and keep them involved in these systems so that you can see what type of security techniques they're trying to use against you.
In most of these cases, of course, the attacker is actually an automated process, and what you're trying to do is see what type of automation is being used and what type of systems they are trying to attack. These honeypots are a virtual world that effectively attracts these automated systems or attackers, and they spend all of their time trying to identify or attack systems which, in reality, are not part of your production processes. If you wanted to build your own honeypot and virtual world, you can do that using a number of commercial and open-source software packages.
This also creates a bit of a race between you, creating virtual worlds that in most cases are not production systems, and the attackers that are trying to discern whether these systems are actual systems or if they are trapped inside a honeypot. As the attackers get better at identifying a honeypot, we increase the complexity and intelligence of our honeypots to make them that much more realistic. It's very common, in fact, to combine a number of these virtualized honeypots into much larger infrastructures that we call honeynets.
These honeynets may consist of workstations, servers, routers, firewalls, and anything else to make the entire infrastructure look a little bit more real to the attacker. Once you combine all of these smaller honeypots into one much larger honeynet, you've now created a much more believable environment and hopefully one that will keep the attackers very busy. If you'd like to learn more about the techniques and technologies we're using today to create these honeypots and honeynets, you can visit projecthoneynet.org.
We can even go down to the file level and create honey files. These are files that have fake information, or they may be files that appear to be very important or contain sensitive information.
For example, you might have a honey file called password.txt which, of course, does not actually contain the passwords to your systems, but the attacker doesn't know that, and they may find this to be a very attractive file and spend a lot of time going through the information contained within that honey file. In your normal production network, no one should be accessing these honey files, so if someone does gain access to the file and opens or views the information, you may want to have alerts or alarms sent back to a management station so that you know someone is poking around in the honey files who probably should not be there.
Another type of data that might help you identify issues with data that's being released into the public would be a honey token. Honey tokens are a bit of traceable data that you would add to your honeynet, so if that information is copied and distributed, you know exactly where it came from. For example, you might put API credentials out on a public cloud share to see who may come by and grab those credentials.
Of course, these API credentials are not actual usable API credentials; you've simply made them up and put them into a file that is then accessed by the attacker. Alternatively, you might have a file that contains a number of fake email addresses. Because these email addresses are not used by anyone, you can constantly monitor for those addresses to appear somewhere else on the internet.
If they do, you can see exactly who posted it, which might give you information about who may be attacking your network. Of course, these honey tokens can be any type of data that you might falsify and put into an area for an attacker to find. This could be database records, browser cookies, pixels on a web page, or anything else that you could track if it happens to be posted somewhere else on the internet.
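As an added example that is not part of the original text, the following Python sketch shows both ideas above: raising an alert whenever an audit log records someone opening a honey file, and registering made-up API credentials as honey tokens so that a later sighting can be traced back to where the token was planted. The file paths, log format and token format are all assumptions constructed for the example.

```python
"""Honey-file access alerting and honey-token tracing (added example)."""
import re
import secrets

# Honey files that no legitimate process should ever open (assumed paths).
HONEY_FILES = {"/srv/share/password.txt", "/srv/share/payroll_2023.xlsx"}

# Constructed audit-log lines in a simple "<timestamp> <user> open <path>" format.
AUDIT_LOG = """\
2024-05-01T09:00:01 alice open /srv/share/report.docx
2024-05-01T09:02:13 svc_backup open /srv/share/password.txt
2024-05-01T09:05:44 bob open /srv/share/notes.txt
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) open (?P<path>\S+)$")


def honey_file_alerts(log_text, honey_files=HONEY_FILES):
    """Return one alert dict for every logged access to a honey file.

    Because no production process should touch these files, any match is
    worth forwarding to a management station; there is no 'benign' case.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path") in honey_files:
            alerts.append({"ts": m.group("ts"), "user": m.group("user"),
                           "path": m.group("path")})
    return alerts


def make_honey_token(planted_at, registry):
    """Mint a fake access-key-looking string and record where it was planted.

    The random suffix makes each token unique, so a sighting maps back to
    exactly one planting location (e.g. a specific cloud share or repo).
    """
    token = "AKIA" + secrets.token_hex(8).upper()  # hypothetical key-id shape
    registry[token] = planted_at
    return token


def trace_honey_tokens(text, registry):
    """Find registered tokens in text (a paste, a log, a scraped page)."""
    return [(tok, origin) for tok, origin in registry.items() if tok in text]
```

In practice the registry would be persisted, and `trace_honey_tokens` would be run over feeds such as paste-site scrapes or outbound-proxy logs rather than a string literal.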