Honeypots are unique because they allow a security researcher to see and record what actions a malicious user takes on a compromised computer without necessarily interfering or revealing to the attacker that they are being monitored. Because of this invisibility, valuable intelligence can be gathered about the actual strategies of an attacker. A honeypot can be configured to be either proactive or reactive to attacks, depending on the needs of the person who set it up.
What are the real advantages of a honeypot?
There are several benefits a company can gain from deploying a honeypot inside its network. Although many security products are available on the market, honeypots still offer distinct benefits and serve genuinely useful purposes. These benefits can be summarized in the following points:
- Attacks can be captured easily with honeypots, and the type of attack can be identified, so that the weak points of the system become known to the security administrators. This information is recovered from the logs the honeypot creates. In addition, where the law permits it, further information about the source of the attack and the attacker can be gathered with the honeypot.
- Administrators gain practical familiarity with new threats and current attack methods. They notice new attacks and learn how to defend a system against them. Many countermeasures become possible even before an attack infects a machine in the organization: by observing and carefully examining the malicious activity seen on the honeypot, many attacks are understood before they can take effect on the production network.
- When a honeypot captures traffic, it does not capture all traffic, which would make the data bulky and tedious to analyze and investigate. Since a honeypot has no legitimate users, any traffic that reaches it is suspect by definition, so it records only the malicious traffic directed at it and notifies the network administrator. This makes the investigation far easier whenever malicious traffic has to be analyzed, and it is what makes honeypots so useful in practice.
- Because, as noted above, only malicious traffic is captured, there is no need for large amounts of storage. In practice, almost any dedicated computer can serve as the honeypot system without buying additional resources or allocating a large budget to deploy the technology within an organization.
- Configuring a honeypot is simple and installing one involves no complications, because the underlying logic is straightforward. Moreover, installing a honeypot does not require other software on the system to be updated, installed, or modified.
- By now it should be clear that a honeypot recognizes malicious activity. In addition, new attack tools are also captured by honeypots. Deploying a honeypot gives the administrator a solid view of the different perspectives from which the same problem can be examined, and therefore of several possible security solutions, one for each perspective.
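As an added illustration of the capture-and-log benefits listed above (this is example code written for this page, not part of the original article or of any honeypot product), the following Python script is a minimal low-interaction TCP honeypot. It binds to decoy ports that no real service uses, so every connection it receives is unsolicited by definition; it records the source, the destination port and the first bytes sent, labels the probe with a few simple signatures, and appends one JSON line per event. The ports, log path and signature rules are assumptions chosen for the example.

```python
"""Minimal low-interaction TCP honeypot with structured logging.

Added example, not from the original article. It listens on decoy ports,
so every connection is unsolicited; it records who connected and what they
sent, classifies the probe by its first bytes, and appends a JSON line.
Port list, log path and classification rules are illustrative assumptions.
"""
import json
import socket
import threading
from datetime import datetime, timezone

LOG_PATH = "honeypot-events.jsonl"   # assumed log location
LISTEN_PORTS = (2222, 8080)          # assumed decoy ports; nothing real listens here
MAX_CAPTURE = 512                    # bytes of client input kept per event

# Probe classifier: leading bytes -> label. The rules are illustrative assumptions.
SIGNATURES = (
    (b"SSH-", "ssh-client-banner"),
    (b"GET ", "http-request"),
    (b"POST ", "http-request"),
    (b"HEAD ", "http-request"),
    (b"\x16\x03", "tls-client-hello"),
)


def classify_payload(data: bytes) -> str:
    """Label the probe by its leading bytes; empty input means a bare connect or scan."""
    if not data:
        return "connect-only"
    for prefix, label in SIGNATURES:
        if data.startswith(prefix):
            return label
    return "unknown"


def build_event(peer: tuple, local_port: int, data: bytes, when=None) -> dict:
    """Create one JSON-serialisable event record for a captured connection."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "probe": classify_payload(data),
        "bytes": len(data),
        # Hex keeps binary input safe to store and grep; truncation bounds log size.
        "payload_hex": data[:MAX_CAPTURE].hex(),
    }


def summarize(events) -> dict:
    """Aggregate events into per-source and per-probe counts for the analyst."""
    by_src, by_probe = {}, {}
    for ev in events:
        by_src[ev["src_ip"]] = by_src.get(ev["src_ip"], 0) + 1
        by_probe[ev["probe"]] = by_probe.get(ev["probe"], 0) + 1
    return {"sources": by_src, "probes": by_probe, "total": len(events)}


def handle_client(conn: socket.socket, peer: tuple, local_port: int) -> None:
    """Read whatever the client sends first, log it, and close; no service is emulated."""
    conn.settimeout(5.0)
    try:
        data = conn.recv(MAX_CAPTURE)
    except OSError:          # timeout or reset: still worth recording as a bare connect
        data = b""
    finally:
        conn.close()
    event = build_event(peer, local_port, data)
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")
    print(f"[alert] {event['src_ip']}:{event['src_port']} -> :{local_port} {event['probe']}")


def serve(port: int) -> None:
    """Accept loop for one decoy port; each connection is handled in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_client, args=(conn, peer, port), daemon=True).start()


if __name__ == "__main__":
    for p in LISTEN_PORTS:
        threading.Thread(target=serve, args=(p,), daemon=True).start()
    print(f"honeypot listening on {LISTEN_PORTS}; events -> {LOG_PATH}")
    threading.Event().wait()  # block forever; Ctrl-C to stop
```

The script needs no privileges because the decoy ports are above 1024. The bounded, hex-encoded event records are what keep the logs small and safe to grep, which is the storage point made in the list, and `summarize()` turns a file of such records back into the per-source and per-probe counts an investigation starts from.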
Are there any disadvantages of a honeypot?
Everything has advantages and disadvantages, and the balance between them must be weighed before deciding whether something is worthwhile. There are some points that can fairly be considered pitfalls of using honeypots in general. The following points give an intuition of the problems that can arise after deploying honeypots.
- Information is captured only when an attack is performed. If no attack occurs against the system, no data is captured at all.
- Malicious traffic is collected only when the attack targets the honeypot machine. If the attack targets another machine rather than the honeypot, we are in real trouble: those systems will be infected by the malicious code without the honeypot ever notifying us of the activity.
- Honeypots are sometimes distinguishable from the real systems in our environment. This is a serious problem, and it should be addressed so that even experienced attackers cannot tell honeypot systems apart from real systems by fingerprinting.
- A very undesirable outcome is that a careless organization may find that an attacker takes over the honeypot and uses it as a zombie to attack and compromise other systems within the network, causing serious trouble for the entire organization.
What is the system configuration for using a honeypot?
First, let us agree that a honeypot can either operate on its own or work as part of a group of honeypots in the system. When there are several honeypots, the group is referred to as a honeyfarm. It may be tempting to configure a single honeypot rather than many, because this makes configuration and installation much easier.
Nevertheless, a single honeypot turns out to be neither as effective nor as powerful as a honeyfarm, even though a honeyfarm is harder to configure. Furthermore, a single honeypot is prone to unintended failures, far more so than a honeyfarm. The reason is that a lone honeypot cannot load-balance and lacks the redundancy of a group of cooperating servers.
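To make the honeyfarm argument concrete, here is an added example of a small collector (illustrative code written for this page, not from the original article): it merges the event streams of several sensors, reports sources that touched more than one decoy, and flags any sensor whose last event or heartbeat is older than a threshold, which is exactly the silent failure a lone honeypot cannot reveal. Sensor names, the heartbeat gap and the sample events are constructed for the example.

```python
"""Honeyfarm collector: merge events from several honeypot sensors, correlate
sources across sensors, and notice sensors that have gone quiet.

Added example, not from the original article. Sensor names, the heartbeat
interval and the sample events below are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HEARTBEAT_MAX_GAP = timedelta(minutes=10)  # assumed: a sensor silent this long is suspect


def parse_ts(value: str) -> datetime:
    """Sensors report ISO 8601 timestamps with an explicit UTC offset."""
    return datetime.fromisoformat(value)


def correlate_sources(events, min_sensors: int = 2) -> dict:
    """Return {src_ip: sorted sensors} for sources seen on at least min_sensors sensors.

    A source that touches several decoys is sweeping the network rather than
    stumbling onto one box; a single honeypot can never show this pattern."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["src_ip"]].add(ev["sensor"])
    return {ip: sorted(s) for ip, s in seen.items() if len(s) >= min_sensors}


def silent_sensors(events, heartbeats, now: datetime, max_gap=HEARTBEAT_MAX_GAP) -> list:
    """List sensors whose most recent event or heartbeat is older than max_gap.

    heartbeats maps sensor name -> ISO timestamp of its last keep-alive message."""
    last = {name: parse_ts(ts) for name, ts in heartbeats.items()}
    for ev in events:
        t = parse_ts(ev["ts"])
        if ev["sensor"] not in last or t > last[ev["sensor"]]:
            last[ev["sensor"]] = t
    return sorted(name for name, t in last.items() if now - t > max_gap)


def build_report(events, heartbeats, now: datetime) -> dict:
    """One analyst-facing summary: sweeps across decoys, dead sensors, event count."""
    return {
        "sweeps": correlate_sources(events),
        "silent": silent_sensors(events, heartbeats, now),
        "events": len(events),
    }


# Constructed sample: three sensors, one source sweeping two of them, and
# sensor "hp-c" that stopped reporting forty minutes ago.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEARTBEATS = {
    "hp-a": "2024-01-01T11:58:00+00:00",
    "hp-b": "2024-01-01T11:59:00+00:00",
    "hp-c": "2024-01-01T11:20:00+00:00",
}
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T11:55:00+00:00", "sensor": "hp-a", "src_ip": "203.0.113.7", "dst_port": 2222},
    {"ts": "2024-01-01T11:56:00+00:00", "sensor": "hp-b", "src_ip": "203.0.113.7", "dst_port": 2222},
    {"ts": "2024-01-01T11:57:00+00:00", "sensor": "hp-b", "src_ip": "198.51.100.2", "dst_port": 8080},
    {"ts": "2024-01-01T11:15:00+00:00", "sensor": "hp-c", "src_ip": "198.51.100.9", "dst_port": 8080},
]

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_EVENTS, SAMPLE_HEARTBEATS, SAMPLE_NOW), indent=2))
```

In a real deployment the events and heartbeats would arrive over the network from each sensor; the collector logic itself does not change. The heartbeat is what turns the redundancy of the farm into something observable: when one sensor dies, the others keep reporting and the gap in the dead sensor's timeline is visible instead of silent.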