
RAMAADYUTI BATTABYAL (CSE 4A)

380117111007

Honeypot definition
A honeypot is a trap that an IT pro lays for a malicious hacker, hoping that they'll interact with it in a
way that provides useful intelligence. It's one of the oldest security measures in IT, but beware:
luring hackers onto your network, even on an isolated system, can be a dangerous game.

Norton's simple definition of a honeypot is a good starting place: "A honeypot is a computer or
computer system intended to mimic likely targets of cyberattacks." Often a honeypot will be
deliberately configured with known vulnerabilities in place to make a more tempting or obvious
target for attackers. A honeypot won't contain production data or participate in legitimate traffic on
your network — that's how you can tell anything happening within it is a result of an attack. If
someone's stopping by, they're up to no good.

Types of honeypots
There are two different schemes for categorizing honeypots: one based on how they're built, and
one based on what they're for.

According to how they're built, honeypots fall into the following categories:

• A pure honeypot is a physical server configured in such a way as to lure in attackers. Special
monitoring software keeps an eye on the connection between the honeypot and the rest of the
network. Because these are full-fledged machines, they make for a more realistic-looking target to
attackers, but there is a risk that attackers could turn the tables on the honeypot's creators and use
the honeypot as a staging server for attacks. They're also labor-intensive to configure and manage.

• A high-interaction honeypot uses virtual machines to keep potentially compromised systems
isolated. Multiple virtual honeypots can be run on a single physical device. This makes it easier to
scale up to multiple honeypots and to sandbox compromised systems and then shut them down and
restart them, restored to a pristine state. However, each VM is still a full-fledged server, with all the
attendant configuration costs.

• A low-interaction honeypot is a VM that only runs a limited set of services representing the most
common attack vectors, or the attack vectors that the team building the honeypot is most interested
in. This type of honeypot is easier to build and maintain and consumes fewer resources, but is more
likely to look "fake" to an attacker.

Another way to divide honeypots up is by the intentions of those who build them, i.e. by the
purpose of their deployment.

• Production honeypots are easy to use, capture only limited information, and are used primarily
by corporations. Production honeypots are placed inside the production network with other
production servers by an organization to improve its overall state of security. Normally,
production honeypots are low-interaction honeypots, which are easier to deploy. They give less
information about the attacks or attackers than research honeypots.

• Research honeypots are run to gather information about the motives and tactics of the black hat
community targeting different networks. These honeypots do not add direct value to a specific
organization; instead, they are used to research the threats that organizations face and to learn how
to better protect against those threats.[2] Research honeypots are complex to deploy and maintain,
capture extensive information, and are used primarily by research, military, or government
organizations.

Goals of Honeypot

Honeypots never hold any data that is valuable to the organization. The data may appear to be
valuable to an attacker, but its disclosure is harmless. Honeypots have two primary goals:

• Divert attackers from the live network. As long as an attacker is spending time in the honeypot, he
is not attacking live resources.

• Allow observation of an attacker. While an attacker is in the honeypot, security professionals are
able to observe the attack and learn from the attacker's methodologies. Honeypots can also help
security professionals learn about zero-day exploits, or previously unknown attacks.

Honeynet Definition
A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that
an attacker's activities and methods can be studied and that information used to increase network
security. A honeynet contains one or more honey pots, which are computer systems on the Internet
expressly set up to attract and "trap" people who attempt to penetrate other people's computer
systems. Although the primary purpose of a honeynet is to gather information about attackers'
methods and motives, the decoy network can benefit its operator in other ways, for example by
diverting attackers from a real network and its resources. The Honeynet Project, a non-profit
research organization dedicated to computer security and information sharing, actively promotes
the deployment of honeynets.

The following characteristics are typical of honeynets:

• Network devices used as lures are set up with only “out of the box” default installations so that
they are deliberately made subject to all known vulnerabilities, exploits, and attacks.

• The devices used as lures do not include sensitive information, so these lures can be compromised,
or even destroyed, without causing damage, loss, or harm to the organization that presents them to
be attacked.
• Devices used as lures also include or are monitored by passive applications that can detect and
report on attacks or intrusions as soon as they start, so the process of backtracing and identification
can begin as soon as possible.
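The low-interaction honeypot described in the first list and the "detect and report as soon as they start" lure above, as an added example that is not part of the original document: a scripted fake telnet login in Python that runs a single emulated service, never grants access, executes nothing the peer types, and turns every attempt into a JSON alert the moment it happens. The service label, banner and port are constructed assumptions, not values from the document.

```python
import json, socket, threading
from datetime import datetime, timezone

SERVICE = "fake-telnet"   # constructed label for the emulated service

def _read_line(recv):     # read one LF-terminated line via the recv callable
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < 256:
        chunk = recv(1)
        if not chunk:     # peer closed the connection
            break
        buf += chunk
    return buf.decode("utf-8", "replace").strip()

def run_session(recv, send, peer):
    """Scripted login dialogue: prompt, record, reject. Returns one alert dict per attempt."""
    alerts = []
    send(b"Ubuntu 18.04 LTS\r\n")               # decoy banner (constructed)
    for attempt in range(1, 4):                 # at most three tries, then hang up
        send(b"login: ")
        username = _read_line(recv)
        if not username:                        # EOF or empty name: end the session
            break
        send(b"Password: ")
        password = _read_line(recv)
        alerts.append({                         # any contact is an incident by definition
            "ts": datetime.now(timezone.utc).isoformat(), "service": SERVICE,
            "src_ip": peer[0], "src_port": peer[1], "attempt": attempt,
            "username": username, "password": password,
        })
        send(b"\r\nLogin incorrect\r\n")        # nothing typed is executed; access is never granted
    return alerts

def _handle(conn, peer, sink):
    conn.settimeout(30)                         # idle peers do not tie up a thread forever
    try:
        for alert in run_session(conn.recv, conn.sendall, peer):
            sink(json.dumps(alert))             # one JSON line per attempt, e.g. to a log shipper
    except OSError:
        pass                                    # peer reset or timed out: nothing more to record
    finally:
        conn.close()

def serve(bind=("0.0.0.0", 2323), sink=print):  # alerts go to sink (stdout by default)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind); srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=_handle, args=(conn, peer, sink), daemon=True).start()
```

Because the honeypot carries no legitimate traffic, every alert line `serve()` emits can be forwarded to the monitoring system as-is, with no filtering needed to separate attacks from normal use.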

WHY HONEYPOT AND HONEYNET ARE OUTDATED

Honeypots and honeynets are outdated in spite of their capabilities and potential to stop network
threats and attackers. This is because they have outlived their usefulness. Attackers who pose a
threat to any organization are either using accounts within that organization or are creating one-time
/ single-exploit accounts that are beneficial for them. More than the one-time / single-exploit
accounts, it is the existing accounts that pose a threat. Why bother to burn a new exploit against a
network, when one that has been around for a couple of years will still work?
