Honeypots Explained: In the Wild and in SecOps

malwaremily
Apr 6, 2019

A honeypot is a computer deliberately configured to look vulnerable so that unauthorized interactions with it can be logged and studied. Because Internet-facing systems are under constant automated attack, any port you open to the Internet is a bridge that lets outside parties interact with your system. When we leave our honeypots out, we are mimicking the signs of a vulnerable system in the hope that attackers come in and try to carry out their attacks. Think about that next time you’re looking at a vulnerability report. 🙇

Honeypot Uses

Honeypots are used to collect data on attacker behavior. The attack source, the techniques used, their success or failure rates, and malware samples can all be extracted from honeypot logs. Security teams can then act on intelligence derived from the analyzed data: patterns seen in attacker behavior at the honeypot are searched for in production security logs, and alerts fire on events that match them. The benefit to security teams is a rare chance to be proactive, blocklisting sources and behaviors observed at the honeypot before production systems are affected.
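As an added example (not code from the original post), the script below works through that loop end to end: it parses a handful of SSH login attempts from a honeypot, summarizes per-source attempt and success counts and the credential pairs tried, derives a blocklist, and then scans production authentication events for sources or usernames already seen at the honeypot. Both logs are constructed for illustration and use a simple space-separated format that is an assumption of this example, not any particular honeypot's output.

```python
"""Turn honeypot SSH login attempts into a blocklist and a detection rule.

Constructed example: the log lines and their format are invented for
illustration and do not reproduce any real honeypot's output.
"""
import re
from collections import Counter, defaultdict

# Constructed honeypot log: timestamp, source IP, username, password, result.
HONEYPOT_LOG = """\
2019-04-06T01:02:03Z 203.0.113.7 root 123456 failed
2019-04-06T01:02:04Z 203.0.113.7 root password failed
2019-04-06T01:02:05Z 203.0.113.7 admin admin failed
2019-04-06T01:02:06Z 203.0.113.7 root toor success
2019-04-06T01:05:00Z 198.51.100.22 pi raspberry failed
2019-04-06T01:05:01Z 198.51.100.22 pi raspberry failed
2019-04-06T01:05:02Z 198.51.100.22 ubnt ubnt success
2019-04-06T02:00:00Z 192.0.2.9 deploy hunter2 failed
"""

# Constructed production auth log: timestamp, source IP, username, result.
# Production logs do not record passwords, so matching uses source and username only.
PROD_LOG = """\
2019-04-06T03:00:00Z 203.0.113.7 root failed
2019-04-06T03:00:10Z 10.0.0.5 alice success
2019-04-06T03:01:00Z 192.0.2.9 deploy failed
2019-04-06T03:02:00Z 198.51.100.77 ubnt failed
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HONEYPOT_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{IP}) (?P<user>\S+) (?P<pw>\S+) (?P<result>failed|success)$"
)
PROD_RE = re.compile(rf"^(?P<ts>\S+) (?P<src>{IP}) (?P<user>\S+) (?P<result>failed|success)$")


def parse_log(text, pattern):
    """Parse matching lines into dicts; lines that do not match are skipped (real logs are noisy)."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per-source attempt and success counts, plus the credential pairs each source tried."""
    attempts, successes, creds = Counter(), Counter(), defaultdict(set)
    for e in events:
        attempts[e["src"]] += 1
        if e["result"] == "success":
            successes[e["src"]] += 1
        creds[e["src"]].add((e["user"], e["pw"]))
    return attempts, successes, creds


def blocklist(events, min_attempts=3):
    """Sources worth blocking: repeated attempts, or any login the honeypot accepted."""
    attempts, successes, _ = summarize(events)
    return sorted(s for s in attempts if attempts[s] >= min_attempts or successes[s] > 0)


def probed_usernames(events):
    """Usernames tried against the honeypot; reuse of these in production is a signal."""
    return {e["user"] for e in events}


def match_production(prod_text, honeypot_events):
    """Flag production auth events that reuse a blocklisted source or a probed username."""
    blocked = set(blocklist(honeypot_events))
    users = probed_usernames(honeypot_events)
    hits = []
    for e in parse_log(prod_text, PROD_RE):
        reasons = []
        if e["src"] in blocked:
            reasons.append("source seen at honeypot")
        if e["result"] == "failed" and e["user"] in users:
            reasons.append("username probed at honeypot")
        if reasons:
            hits.append((e["src"], e["user"], reasons))
    return hits


if __name__ == "__main__":
    events = parse_log(HONEYPOT_LOG, HONEYPOT_RE)
    attempts, successes, creds = summarize(events)
    for src in attempts:
        print(f"{src}: {attempts[src]} attempts, {successes[src]} successes, creds={sorted(creds[src])}")
    print("blocklist:", blocklist(events))
    for src, user, reasons in match_production(PROD_LOG, events):
        print(f"ALERT {src} user={user}: {'; '.join(reasons)}")
```

The username rule is deliberately limited to failed logins: a successful login by a real account that happens to share a name with something the honeypot saw (root, for instance) should be handled by the source rule or by a separate review, not auto-flagged on name alone. Tune `min_attempts` to the noise level of your own honeypot.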

Research by individuals within the security community often targets specific industries, products, or protocols, or tests widely accepted security standards against emerging technologies. Security researchers start from the questions they want their data to answer. When applying this to an organization, consider how honeypot data can be leveraged to mature your…
