Honeypots: how to catch hackers
In this article I will introduce you to honeypots. You can literally think of them as bait to lure attackers. In the computing world, honeypots can be sensitive data, information, know-how and systems that we want to protect from unauthorised users, i.e. hackers. But why would we try to lure attackers to our sensitive data? What is the true purpose of a honeypot and how to go about creating one?
A honeypot can be a physical or virtual computer that aims to analyse a vector of possible attacks. These are usually isolated systems accessible directly from the internet or often part of a demilitarised zone of a corporate network. The demilitarised zone contains only entities accessible directly from the internet that are separated from the rest of the local network and used for routing network traffic or other services. Honeypots usually contain some vulnerable software or services with default login credentials. It is also possible to configure the honeypot to accept all login attempts with arbitrary passwords.
Why is it good to have a honeypot on your network?
If you now understand what a honeypot is, you are probably wondering why you would want a vulnerable computer on your network? The reason is very simple. As mentioned in the previous paragraph, these are completely isolated devices. You will never find actual sensitive data in a honeypot, only randomly generated data. To attackers and everyone else, the honeypot looks like a legitimate computer. Its huge benefit is its ability to detect system infiltration, monitor actions performed by an unauthorised user and alert the system administrator. The moment someone connects to the honeypot, all their actions are logged. All information about the attacker's movements, file and application manipulations are stored. By subsequently studying the sequence of these events, we can analyse the attack vector and the attackers' thinking, and then deploy appropriate security measures.
How do I deploy a honeypot on my network?
There are many different honeypots and many of them are freely available, usually with source code. The best source for finding the right honeypot with the features you want is GitHub, where you can find the source code for various systems. In the well-known repository of the most used honeypots, you can find database, web or SSH honeypots, as well as a lot of useful tools. This repository is available at https://github.com/paralax/awesome-honeypots and contains not only descriptions of each solution, but also tutorials on how to use them. All these solutions can be deployed on both virtual and physical servers.
The use of microcomputers such as Raspberry Pi or Arduino is not excluded. I personally tested the creation of a honeypot on an ESP8266 microcomputer and within a few minutes I managed to create an FTP honeypot with its own Wi-Fi network. The price of this device is around CZK 150 and is more suitable for testing purposes. For a production environment, I recommend a virtual machine or Raspberry Pi microcomputer, which is priced around CZK 1,500 for lower models.
Deploying a honeypot on a network infrastructure has its advantages. You can analyse attempts to attack your devices and respond to them appropriately and in a timely manner. It may seem like the ultimate security measure, but the opposite is true. Honeypots do not secure the network infrastructure in any way, but rather serve to analyse the progress of potential attacks. Another disadvantage is that the honeypot must run constantly, which comes with certain overheads for operation and maintenance. There is also the risk that a poorly configured honeypot can be exploited by a clever attacker for further attacks without being noticed, so it is necessary to thoroughly test the correct configuration when deploying a honeypot.