Have you ever wondered how a hacker breaks into a live system? Would you like to keep any potential attacker occupied so you can gather information about him without the use of a production system? Would you like to immediately detect when an attacker attempts to log into your system or retrieve data?\u00a0\nOne way to see and do those things is to deploy a honeypot. It\u2019s a system on your network that acts as a decoy and lures potential hackers like bears get lured to honey. Honeypots do not contain any live data or information, but they can contain false information. Also, a honeypot should prevent the intruder from accessing protected areas of your network.\n\nA properly configured honeypot should have many of the same features of your production system. This would include graphical interfaces, login warning messages, data fields, etc. An intruder shouldn\u2019t be able to detect that he is on a honeypot system and that his actions are being monitored.\nBenefits of a honeypot system\nMany organization wonder why they should spend money and time setting up a system that will attract hackers. With all the many benefits of a honeypot, however, the real question should be why you have not already set one up.\u00a0\nA honeypot\u2019s most significant value is based on the information that it obtains and can immediately alert on. Data that enters and leaves a honeypot allows security staff to gather information that is not available from an intrusion detection system (IDS). An attacker\u2019s keystrokes can be logged during a session, even if encryption was used to establish it. Also, any attempts to access the system can trigger immediate alerts.\nAn IDS requires published signatures to detect an attack, but it will often fail to detect a compromise that is not known at the time. Honeypots, on the other hand, can detect vulnerabilities based off the attacker\u2019s behavior that the security community may not be aware of. These are often called zero-day exploits.\nThe data collected by honeypots can be leveraged to enhance other security technologies. You can correlate logs generated from a honeypot with other system logs, IDS alerts and firewall logs. This can produce a comprehensive picture of suspicious activity within an organization and enable more relevant alerts to be configured that can produce fewer false positives.\nAnother benefit of a honeypot is that once attackers enter the system, it can frustrate them and cause them to stop attacking the organization\u2019s network. The more time spent in the honeypot means less time spent on your production system.\nDesign and operation of a honeypot\nThere are variety of operating systems and services a honeypot can use. A high-interaction honeypot can provide a complete production-type system that the attacker can interact with.\u00a0\nOn the other end is a low-interaction honeypot that simulates specific functions of a production system. These are more limited, but they\u2019re useful for obtaining information at a higher level. In my experience, the high-interaction honeypot is the most beneficial because it can completely simulate the production environment. However, it requires the most time to deploy and configure.\u00a0\nIt is critical to have proper alerting configured for your honeypot. You should have logs for all devices in the honeypot sent to a centralized logging server, and security staff should be paged whenever an attacker enters the environment. This will enable staff to track the attacker and closely monitor the production environment to make sure it is secure.\u00a0\nIt is important your honeypot system is attractive to a potential attacker. It should not be as secure as your production system. It should have ports that respond to port scans, have user accounts and various system files. Passwords to fake accounts should be weak, and certain vulnerable ports should be left open. This will encourage the attacker to go into the honeypot environment versus the live production environment.\nAttackers typically attack the less secure environment before going to one that has stronger defenses. This allows security staff to learn how hackers bypass the standard controls, and afterwards they can make any required adjustments.\nYou can deploy a physical or virtual honeypot. In most cases, it is best to deploy a virtual honeypot because it is more scalable and easier to maintain. You can have thousands of honeypots on just one physical machine, plus virtual honeypots are usually less expensive to deploy and more easily accessible.\nHoneypot on internal network protects against insider threats\nHoneypots can also protect an organization from insider threats. According to the 2016 Cyber Security Intelligence Survey, IBM found that 60% of all attacks were carried by insiders. A honeypot should be deployed within your internal network and only a minimal number of employees should know the system exists. Internal deployment is preferred over external due to the larger number of attacks carried by insiders and the fact that many hackers prefer to establish command-and-control servers for communication to compromised servers on the internal network.\u00a0\nHoneyd is an open-source tool used for creating honeypots. It is a daemon that can be used to create many virtual hosts. You can configure each host differently and run a variety of services on them. They can be configured to run on different operating systems. You can set up real HTTP servers, FTP servers and run Linux applications on it. It is also enables you to simulate various network topologies.\u00a0\nHoneypots have been used mostly by researchers to study the tactics and techniques of attackers. But as I explained earlier, they can be very useful to defenders as well. It is time for more organizations to consider using them as a proactive way to protect their network.\nThe benefits of deploying them far outweigh the costs for organizations that manage a significant amount of sensitive data.