
Why Honeypots?

Honeypots are security mechanisms that create a virtual trap for attackers. An intentionally compromised computer system allows attackers to exploit vulnerabilities so you can study them to improve your security policies.

Honeypots are a type of deception technology that allows you to understand attacker behavior patterns. Security teams can use honeypots to investigate cybersecurity breaches and to collect intel on how cybercriminals operate.

Older honeypot technologies create easy-to-detect networks called “low interaction honeypots”.

But honeypots are the only way to know your enemies by analyzing their moves, their capabilities and skills.

Deception is the new challenge for both attackers and defenders.

By implementing a network of high-interaction honeypots, the objective is to obtain statistical information on attacks in the Caribbean region and to learn the profile of the attackers.

Certain vulnerable scenarios have been created to analyze attackers' ability to exploit vulnerabilities, using both automated tools and manual attacks. Vulnerabilities with exploits publicly known on the Internet were planted.

Low Interaction vs High Interaction Honeypots

Some honeypots, such as low interaction honeypots, introduce very little risk. They’re easy to install and aren’t really a functioning operating system that an attacker can operate on. They’re mostly idle, waiting for some kind of activity. They capture very little information, only alerting you that someone has visited your honeypot and that you should go observe the activity.

A high interaction honeypot, by contrast, is much riskier. It is a real operating system: it has services, programs, emails, and operates just like a real computer. It’s also more complicated to install and deploy, and it requires strategic placement. Placed badly, it either increases the risk to your network as a whole or is never seen by anyone.

Types of Honeypots

  • Pure honeypots—complete production systems that monitor attacks through bug taps on the link that connects the honeypot to the network. They are unsophisticated.
  • Low-interaction honeypots—imitate services and systems that frequently attract criminal attention. They offer a method for collecting data from blind attacks such as botnets and worm malware.
  • High-interaction honeypots—complex setups that behave like real production infrastructure. They don’t restrict the level of activity of a cybercriminal, providing extensive cybersecurity insights. However, they are higher-maintenance and require expertise and the use of additional technologies like virtual machines to ensure attackers cannot access the real systems.

Implemented Honeypots

High interaction honeypots were implemented with known vulnerabilities for which exploits are available on the internet. These exploits allow an attacker to compromise the published web page, reach the underlying operating system, and move laterally into the honeypots’ internal networks once the initial exploitation has been done. This scenario allows us to analyze attackers’ exploitation times and their ability to carry out post-exploitation activities, and to learn the commands and tools they use, without the attackers noticing that we are observing them.

There are certain metrics that we are interested in knowing.

  • Time between a vulnerability being made public and noticing attacks.
  • Time between when an exploit is published and when we receive a successful attack using that exploit
  • Number of attackers who accomplish more than one simple step by exploiting vulnerabilities
  • Average time spent on attacks
  • Attack times
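
As an added illustration (not code from this project), the sketch below computes the metrics above from honeypot event records. The record layout, stage labels, vulnerability id, dates and IP addresses are all constructed for the example, and reading "attack times" as hour of day is an assumption.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: placeholder vulnerability id, made-up dates,
# documentation-range IPs. Field names and stage labels are assumptions.
VULNS = {"VULN-A": {"disclosed": "2024-03-01T00:00:00",
                    "exploit_published": "2024-03-05T00:00:00"}}
# (timestamp, source IP, vulnerability id, attack stage, succeeded)
EVENTS = [
    ("2024-03-03T10:00:00", "198.51.100.7", "VULN-A", "exploit", False),
    ("2024-03-06T12:00:00", "203.0.113.9", "VULN-A", "exploit", True),
    ("2024-03-06T12:20:00", "203.0.113.9", "VULN-A", "post-exploitation", True),
    ("2024-03-06T12:50:00", "203.0.113.9", "VULN-A", "lateral-movement", True),
    ("2024-03-08T08:00:00", "192.0.2.44", "VULN-A", "exploit", True),
    ("2024-03-08T08:10:00", "192.0.2.44", "VULN-A", "exploit", True),
]

def honeypot_metrics(vulns, events, vuln_id):
    """Compute the metrics listed above for one planted vulnerability."""
    disclosed = datetime.fromisoformat(vulns[vuln_id]["disclosed"])
    published = datetime.fromisoformat(vulns[vuln_id]["exploit_published"])
    rows = sorted((datetime.fromisoformat(t), ip, stage, ok)
                  for t, ip, vid, stage, ok in events if vid == vuln_id)
    if not rows:
        return None  # nothing observed yet for this vulnerability
    # Only a success at or after publication can be tied to the public exploit.
    first_success = next((t for t, _, stage, ok in rows
                          if stage == "exploit" and ok and t >= published), None)
    by_ip = defaultdict(list)
    for t, ip, stage, ok in rows:
        by_ip[ip].append((t, stage, ok))
    # "More than one simple step": more than one distinct stage completed.
    multi_step = sorted(ip for ip, ev in by_ip.items()
                        if len({stage for _, stage, ok in ev if ok}) > 1)
    # Assumption: one session per source IP, measured first event to last.
    durations = [ev[-1][0] - ev[0][0] for ev in by_ip.values()]
    return {
        "disclosure_to_first_attack": rows[0][0] - disclosed,
        "exploit_to_first_success":
            (first_success - published) if first_success else None,
        "multi_step_attackers": multi_step,
        "avg_time_spent": sum(durations, timedelta()) / len(durations),
        # Assumption: "attack times" read as hour of day of each event.
        "attack_hours": dict(Counter(t.hour for t, *_ in rows)),
    }

if __name__ == "__main__":
    for name, value in honeypot_metrics(VULNS, EVENTS, "VULN-A").items():
        print(f"{name}: {value}")
```

Keying sessions on source IP undercounts attackers who rotate addresses and merges distinct attackers behind one NAT, so treat the per-attacker figures as approximations.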