In the struggle between cyber attackers and cyber defenders, many tools have been built to create a strategic advantage or to gather intelligence. One category of software has the benefit of being both. Honeypots are a combination of software and hardware that emulate a target computer system or service for the purpose of attracting attackers and/or analyzing their attack. In essence, honeypots are tools used against attackers to both catch them red-handed and to figure out how they’re doing the dirt.

Attackers regularly scan large blocks of IP addresses in an attempt to find exploitable computers. When they think they’ve found a likely target, some form of attack usually follows. By placing honeypots on the Internet, security researchers are able to get a first-hand view of just how attackers carry out their goals. Since the honeypot is no different from any other computer system from the perspective of the attackers, they are likely to never even suspect anything is wrong.

Honeypots may run under a virtual machine or within some other form of sandbox environment to protect the host computer from suffering any actual harm. The effect is similar to a glass-bottom boat, where all attacker activity is transparent to the researcher. Most honeypots advertise themselves by responding to scans as if they were a vulnerable service. For example, a honeypot may accept connections to TCP port 80 and claim that it is a webserver. The attacker will be inclined to believe that a webserver actually resides on the target computer at TCP port 80, even though this is incorrect. If the attacker attempts to attack the computer via that channel, the honeypot will log the effort for future analysis.
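The port 80 behaviour described above, as an added sketch (not HoneyBOT's code or code from the original post): a low-interaction listener that claims to be a web server and records each attempt as one JSON event. The function names, the `Server` banner and the default port 8080 are assumptions chosen for illustration.

```python
import json
import socket
import time

MAX_REQUEST = 4096  # read at most this many bytes per connection
# Constructed response: claims to be a web server, although none exists.
FAKE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                 b"Content-Length: 0\r\nConnection: close\r\n\r\n")

def parse_request(raw):
    """Pull method, path and User-Agent out of untrusted bytes."""
    lines = raw.decode("latin-1").split("\r\n")  # latin-1 never fails
    record = {"method": None, "path": None, "user_agent": None}
    parts = lines[0].split(" ")
    if len(parts) >= 2:
        record["method"], record["path"] = parts[0][:16], parts[1][:512]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            record["user_agent"] = value.strip()[:256]
    return record

def handle_connection(conn, peer, log):
    """Log one connection attempt, send the fake banner, hang up."""
    conn.settimeout(5)
    try:
        raw = conn.recv(MAX_REQUEST)
    except OSError:  # timeout or reset: still worth logging the attempt
        raw = b""
    event = {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1],
             "bytes": len(raw), **parse_request(raw)}
    # json.dumps escapes CR/LF, so request data cannot forge log lines.
    log.append(json.dumps(event))
    try:
        conn.sendall(FAKE_RESPONSE)
    except OSError:
        pass
    finally:
        conn.close()
    return event

def serve(host="127.0.0.1", port=8080):
    """Accept connections forever, printing one JSON event per attempt."""
    log = []
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            handle_connection(conn, peer, log)
            print(log.pop())

if __name__ == "__main__":
    serve()
```

Binding to port 80 itself usually requires elevated privileges, and the listener belongs inside the virtual machine or sandbox the paragraph describes.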

It can also be fun to set one up on your own computer and see what you catch. HoneyBOT is Windows honeypot software that lets you turn your system into a functional honeypot, ready to catch attackers in the act, if that’s your thing.
