Security & Privacy

A Honeypot Guide: Why Researchers Use Honeypots for Malware Analysis

Posted on August 29th, 2018 by

What are Honeypots

You may have heard the term "honeypot" thrown about in the security community from time to time. While it may spark your imagination, you may be wondering what is a honeypot and what role does it play in the security industry? Certainly malware hunters aren't referring to Winnie the Pooh helping himself to jars and jars of honey, right? So, what exactly do security researchers mean what talking about honeypots?

A honeypot, in the Internet security world, is a real or simulated system designed to attract attacks on itself. Essentially they are virtual or physical machines that are open to the real world whilst flaunting their intended vulnerabilities. Honeypots became popular amidst the wide spreading of worms in the late 1990s and early 2000s. The main purposes of these traps were to capture and analyze attacks in order to improve defenses from malicious intrusions.

Below is a simple, yet practical guide that covers the basic types of honeypots, as well as how and why they help researchers analyze malware. Without further do, let's get to it!

What Are the Different Types of Honeypots

There are two main categories of honeypots: high-interaction and low-interaction. 

High-interaction honeypots are real physical machines with perhaps some software to aid analysis and configuration. The attacker has a large amount of freedom for nefarious actions within a high-interaction honeypot — hence the name. Usually the system will have vulnerabilities, which make it easy for attackers to gain access. While these can collect a large amount of forensic data for an analyst, they are expensive in their maintenance and are complex to deploy.

Low-interaction honeypots emulate systems with vulnerabilities. For instance, Dionaea (named after the Venus flytrap) is a low-interaction honeypot, which emulates Windows protocol (SMTP, FTP, etc.) vulnerabilities that are targeted by malware. Low-interaction honeypots are relatively easy to deploy and use little resources due to the fact that these can quickly be deployed within a virtual machine.

The problem with this approach is that an attacker has a greater chance of being aware that they are within a honeypot and can use it against the host. An attacker can ‘fingerprint’ a honeypot based on known characteristics of publicly available honeypots like the aforementioned Dionaea and Honeyd.

How Honeypots Help Malware Researchers

As previously stated, these systems can be used for malware analysts to collect current ‘in-the-wild’ malware, an insight into hackers’ attack patterns or as a decoy. Another common use for honeypots is within a large corporate network. A company can deploy a collection of honeypots, or a honeynet, within their network to mitigate attacks toward their corporate servers and instead direct them at the Honeynet.

Though the development of new honeypots seemed to slow down after the mid 2000s, the applications and use of them have not ceased. As technology advances and data becomes more and more valuable, so will the sophistication and types of attacks on said technology.

What is Deception Technology?

A somewhat new advancement on the use of honeypots is Deception Technology.

Deception technology is the current approach to stopping advanced attacks. Deception technology aims to deceive attackers much like honeypots. The difference is that this technology is maintained by a company, which deploys a large system of decoy servers and/or machines within your network and provides all of the capabilities of analysis and insight for you. This seems to be the current trend in network security; such that, more sophisticated defense mechanisms are needed in today's world as cybercriminals use more advanced approaches to attacking network infrastructures. 

Further reading: