Using Honeypots to Improve Website Security

Too often, it’s the bad guys who get to make the first moves when it comes to cyberattacks. The only course of action for legitimate users can seem to be sitting back and waiting for something bad to happen, hoping that they’ll be able to withstand such an attack if it does take place. Of course, what users are really hoping for is that they’ll be able to slip under the radar of would-be attackers altogether, not doing anything that would attract attention to begin with.

But what if you went the other way and decided to preemptively strike against the cyberattackers, purposely leaving a tempting series of digital breadcrumbs in the form of a deliberately unsecured device that’s designed to attract attackers’ attention?

While such a move may seem foolhardy, like waving a flag in front of a bull, it can also be a smart one that ultimately improves your system or website security. Welcome to the world of the honeypot.

A cyber sting operation

A honeypot is the computing equivalent of a police sting operation, in which a member of law enforcement pretends to be a criminal associate or a potential victim, going along with a suspect’s plans, in order to gain incriminating evidence of their wrongdoing. Another way to think of it is like a piece of cheese left on a mousetrap to lure a rodent.

A honeypot works by mimicking the appearance and operation of a network or system that might be the subject of a cyberattack. Honeypots can deflect attacks through diversion, offering low-hanging fruit that cyberattackers will spend time trying to hack. At the same time, they can reveal information about vulnerabilities in a system and show how attackers operate.

This data can then be used to defend better against attacks, in the same way that hearing how a thief burgled another house on your street could show you where to tighten up your own security. As such, honeypots can be used to collect threat intelligence and/or act as an early warning of a potential attack.

Hackers waste their time and, in some cases, burn custom pieces of malware, while revealing their best tricks for circumventing security systems and architecture.

Honeypots are effective

Honeypots work. In 2015, internet security researchers used a honeypot called Project Honey Train to investigate the ways that cyberattackers might attack a vital infrastructure system, in this case what appeared to be an online railway control system. Their system was immensely detailed, complete with CCTV footage of real train stations, working model trains, and some realistic system vulnerabilities that were then “leaked” in online hacker chat rooms. In just a couple of weeks, the system was attacked a massive 2.7 million times. Had such attacks been directed at a real railway control system, they could potentially have cost hundreds of lives.

Honeypots aren’t just for endpoints, however. Websites can be honeypots as well, with a deliberately unsecured website used to attract automated attacks. Since November 2019, a sophisticated botnet called KashmirBlack is reported to have infected hundreds of thousands of websites by attacking their underlying content management systems (CMS).

Among the ways KashmirBlack can cause damage are crypto mining and defacement of websites. To better understand how the botnet works, researchers recently created a honeypot server running one of the CMS portals frequently targeted by KashmirBlack attacks. This allowed them to gather various commands and scripts used by the botnet, as well as other details of how it functions.

Turning the tables on the cyberattackers

Such honeypots are a valuable tool for security experts when it comes to identifying current attack trends and working out how best to defend against them. The key is to deploy realistic honeypots in accessible locations. The goal is to create a system that will attract would-be cyberattackers because it provides them with what they believe is an easy (but not suspiciously easy) way to gain access to what appears to be a valuable resource. Once a honeypot is set up, its operator can monitor access attempts and possible attacks, using them as an early warning to patch vulnerable systems.

Cybersecurity experts also use the data they gather from such endeavors to add new detection rules to Web Application Firewalls (WAF). This, in turn, can deepen their understanding of cyber threats in the wild and offer better protection against attacks such as distributed denial of service (DDoS) and more.
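As an added example (not code from the article or from any named project), the script below shows the monitor-then-feed-the-WAF step in practice: it parses constructed access-log lines from a decoy CMS site, where every request is a probe because the honeypot has no legitimate users, raises an early warning for repeat sources, and turns the findings into candidate WAF rules for review. The combined log format, the decoy paths, the IP addresses and the user-agent strings are all assumed or constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample log from a decoy CMS (illustrative data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0 (scanner-x)"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /admin/login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0 (scanner-x)"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /plugins/upload.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (scanner-x)"
198.51.100.23 - - [10/Oct/2023:14:02:10 +0000] "GET /admin/login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (scanner-x)"
192.0.2.44 - - [10/Oct/2023:14:10:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/8.0"
"""

def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def summarize_by_source(entries):
    """Every hit on the honeypot is a probe, so aggregate per client IP."""
    summary = defaultdict(lambda: {"hits": 0, "paths": set(), "agents": set()})
    for e in entries:
        s = summary[e["ip"]]
        s["hits"] += 1
        s["paths"].add(e["path"])
        s["agents"].add(e["ua"])
    return dict(summary)

def early_warnings(summary, threshold=3):
    """Sources that crossed the probe threshold: alert production defenders."""
    return sorted(ip for ip, s in summary.items() if s["hits"] >= threshold)

def waf_rule_candidates(summary, threshold=3):
    """Turn honeypot findings into candidate WAF rules for human review.

    - block_ip: sources that probed the decoy repeatedly
    - block_user_agent: a tool signature seen from more than one source
    """
    rules = [{"type": "block_ip", "value": ip} for ip in early_warnings(summary, threshold)]
    agent_sources = defaultdict(set)
    for ip, s in summary.items():
        for ua in s["agents"]:
            agent_sources[ua].add(ip)
    rules += [{"type": "block_user_agent", "value": ua}
              for ua, ips in sorted(agent_sources.items()) if len(ips) > 1]
    return rules
```

The candidate rules are meant to be reviewed before deployment; a user-agent string shared by several probing sources is a signature worth blocking, while a single hit from one address is only worth logging.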

This last point is among the most important. Not every business owner (in fact, comparatively few) will have the resources or expertise to deploy honeypots. However, by using the right tools (such as cutting-edge WAFs) you can benefit from the fruits of this research. A WAF incorporates this information to block malicious attacks, based on behavior and other metrics, while allowing good actors through unimpeded. Honeypots are one of the reasons these tools now work as well as they do.
