There are several ways in which researchers and developers can work to protect the software that they write. Some are proactive, like code reviews and regression testing, while others are reactive, like the pwn2own contest, where new vulnerabilities are used to exploit browsers. Some tools take on aspects of both; one class of these tools is honeypots. The term honeypot was first presented by Lance Spitzner in 1999 in a paper titled To Build a Honeypot.
What is the history of honeypots?
The name is borrowed from real-world honeypots. A pot of honey is a desirable thing to a child or to a nest of ants, and it can be used to lure them out. Computer honeypots work on the same principle: a tempting target is set up, an attacker is drawn to it, and in attempting to exploit it the attacker reveals what he is doing.
Spitzner was the first to bring the word honeypot into computer science, but the idea had been around since the mid-1980s. Since then there has been research into how attacks are carried out against systems and how much damage they do to organizations. In January 1991, Bill Cheswick, then at AT&T Bell Laboratories, wrote the following account of trying to trace the source of an attack from the logs it left:
On Sunday evening, January 20, I was riveted to CNN like most people. A CNN bureau chief in Jerusalem was casting about for a gas mask. I was quite annoyed when my terminal announced a security event:

22:33 finger attempt on berferd

A couple of minutes later someone used the debug command to submit commands to be executed as root – he wanted our mailer to change our password file!
These statements show how Cheswick was able to read the commands issued by a remote attacker. That same day he was even able to manipulate the attacker by sending back modified responses. On the following day, Cheswick and his team started building a chroot environment in which the attacker could be let loose and observed. In his own words, this is what they did:
I wanted to watch the cracker’s keystrokes, to trace him, learn his techniques, and warn his victims. The best solution was to lure him to a sacrificial machine and tap the connection. … We constructed such a chroot “Jail” (or “roach motel”) and rigged up logged connections to it through our firewall machine. … A little later Berferd [the attacker] discovered the Jail and rattled around in it. He looked for some programs that we later learned contained his favorite security holes. To us, the Jail was not very convincing, but Berferd seemed to shrug it off as part of the strangeness of our gateway. Berferd spent a lot of time in our Jai
Cheswick tracked the attacker for several months, and the attacker stayed inside the honeypot until Cheswick shut it down. During that time the attacker made several attempts to attack other computer networks. The main benefit of all these attempts was that administrators were able to find the weak points in their networks where attacks were possible. Without the honeypot, Cheswick and his team of network administrators would not have been able to detect all of these flaws in their organization's network. They were also able to identify the source of the attack: it was coming from a man in Sweden who had a knack for subverting whatever system he was on, and who must have had an account there to do his bad deeds.
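The Cheswick story above boils down to three mechanics: lure the attacker to a sacrificial service, record every line he sends together with where it came from, and answer with something plausible enough to keep him talking. The following is an added illustration written for this article, not Cheswick's code or any real honeypot product; the canned replies, the service port and the event format are all constructed for the example.

```python
import datetime
import json
import socketserver

# In-memory event log; a real deployment would ship this to a collector
# off the sacrificial host so the attacker cannot tamper with it.
EVENTS = []

# Constructed canned replies for the two commands seen in the story:
# a "finger" probe and a "debug" command. Anything else is "unknown".
CANNED = {
    "finger": "Login: root   Name: Operator\nNever logged in.\n",
    "debug": "250 OK\n",
}

def classify(line):
    """Map an attacker-supplied line to an event type by its first word."""
    words = line.strip().split()
    cmd = words[0].lower() if words else ""
    return cmd if cmd in CANNED else "unknown"

def record(source, line):
    """Log one line from `source` and return the reply to send back.

    The reply is deliberately bland: the honeypot must never execute the
    command, it only records it and keeps the conversation going.
    """
    kind = classify(line)
    event = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src": source,
        "kind": kind,
        "data": line.rstrip("\r\n"),
    }
    EVENTS.append(event)
    print(json.dumps(event))  # one JSON record per line, like a tapped connection
    return CANNED.get(kind, "command not understood\n")

class Handler(socketserver.StreamRequestHandler):
    """Line-oriented TCP handler: every line is logged, then answered."""
    def handle(self):
        src = "%s:%d" % self.client_address
        for raw in self.rfile:
            reply = record(src, raw.decode("utf-8", "replace"))
            self.wfile.write(reply.encode())

if __name__ == "__main__":
    # Constructed listener address; bind only where you intend to be probed.
    with socketserver.TCPServer(("127.0.0.1", 2525), Handler) as srv:
        srv.serve_forever()
```

The value is in the log, not the replies: each record ties a timestamp, a source address and the exact input together, which is what let Cheswick recognise the same attacker across months of sessions.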
Then, in 1997, Fred Cohen released Deception Toolkit 0.1. This served as an introduction to what the structure of a honeypot should look like. In the following year, the CyberCop Sting honeypot was released, becoming the first commercially produced honeypot. In the same year BackOfficer Friendly was released as well. It was free software that was easy to use and configure, and it ran on the Microsoft Windows platform. This marked the start of growing publicity for honeypots around the world, simply because a great many people heard about it and tried it that year. The Honeynet Project then started in 1999. After BackOfficer Friendly, people became more attracted to the new trend of honeypots, and several other papers were written to address this technology and discuss new, more efficient implementations. As a result, general knowledge of honeypots increased greatly because of the many releases and applications.
Between 2000 and 2001, honeypots came into use for capturing malicious activity and malicious software on the internet, detecting it, and raising awareness of new threats. Since then, honeypots have been popular with organizations that care about computer security. They deployed honeypots in their networks to detect malicious traffic passing through and so improve their network security as a whole. Since 2002 the concept of honeypots has been familiar to computer security professionals. Researchers and practitioners have worked on improving the functionality of honeypots, and many more features have been added until their benefits became considerable for businesses and companies.