Identifying network attacks with Honeypots

In my last blog post about Advanced Persistent Threats (APTs) I provided a list strategies organisations can use to identify whether they are the victims of this type of silent attack. In this post, I want to go into more detail about about the first one one the list, Honeypots.

What is a Honeypot?

A Honeypot is a decoy computer system deployed into a network for the purpose of detecting and alerting of an attack. Honeypots simulate real-world production computer systems that an attacker might try to target, such as servers, PCs and network devices. If the Honeypot detects an access attempt, it can alert a security administrator and collect information for further analysis.

Honeypots are typically used as an early warning system that a network may be under attack. Security researchers use Honeypots as a data collection system to help them identify unknown vulnerabilities and new attack methods.

Types of Honeypots

Honeypots come in low, medium and high-interaction variants. A low-interaction Honeypot is usually easy to setup and maintain, and is best used for identifying an opportunistic attack, such as a network scan performed by malware looking for its next target. It does this by listening for connection attempts on commonly targeted network ports, such as SSH or SMB and alerts an administrator. This type of Honeypot may produce false positives, since it only detects connection attempts and not intent.

At the other end of the spectrum are high-interaction Honeypots. These are far more difficult to setup and maintain, but are also more likely to identify a targeted attack. They appear to an attacker just like a real system and can even simulate known vulnerabilities so they can identify the source of an active exploitation attempt. They are far less likely to produce false positives than low-interaction Honeypots.

Purpose and placement

Honeypots can be placed in your internal network, DMZ or internet-facing perimeter network. Where you deploy your Honeypot depends on what it is that you want it to do. In general, you want your Honeypot on the same network as the production systems you are trying to protect.

For example, a security researcher might deploy a Honeypot on a perimeter network that simulates a fake website. This Honeypot can be used to collect statistics on website hacking attempts, such as commonly used IP addresses or attack methods, which can then be used to strengthen commercial security software.

A DMZ network is an intermediary between the public internet and the internal network. There’s usually no reason for anyone to be poking around on this network, so a Honeypot placed here can alert you to a breach before an attacker is on your internal network.

Finally, you can deploy a Honeypot on your internal network, such as one that simulates a vulnerable file server, or SSH server that simulates a router with a default password. These Honeypots can identify threats on your internal network, like malware, users with bad intentions or the existence of an Advanced Persistent Threat.

Which Honeypot should I use?

Unfortunately, there’s no simple answer to this question. Solutions vary from simple Open Source software to complex commercial products, and can run on Linux or Windows, depending on what you’re trying to do. As of this writing, the Awesome Honeypots list on GitHub is a good place to start. This will help you identify what purpose each honeypot serves.

Products to consider

Given the rate of change around these products, I won’t be making any specific recommendations, but here is a list of options for your consideration.

Free Honeypot Platforms

T-Pot is a free platform that brings together a variety of honeypots. It runs on the Ubuntu Linux operating system with the purpose of being an early warning system.

HoneyDrive is a pre-configured Linux distro that includes much the same tools as T-Pot. It comes as an OVA file for installation as a VMware ESXi virtual machine.

Commercial Products

HoneyBOT is a low-cost, medium-interaction honeypot for Windows operating systems.

KFSensor is another honeypot for Windows, like HoneyBOT, but includes a range of features that make it more suitable for medium to large businesses.

Canary seems to have a unique solution, designed to minimize the effort required for network and security admins. Rather than deploying software, you order your Canary device, give it a profile, such as a Windows Server or network switch and plug it into your network.

Other things to note

Just like a Honeypot behaves like a real computer system, a “Honeynet” behaves like a complete network, including servers, PCs and network devices, designed for the purpose of luring potential attackers away from your production network. Honeynets are typically used in large enterprises where they can be actively monitored and maintained.

Old, unpatched computers running unsupported operating systems are usually considered a risk to network security, but you might just want to keep one as a trap for a would-be hacker, who may see this as a soft target.

Hopefully the information I’ve provided helps you to know if and how a Honeypot can help protect your network. It’s important to note that Honeypots come with no guarantees, they are just another tool in the cyber security toolkit.


Domenic has consulted to Australian businesses of all sizes for over 20 years, delivering end-to-end IT solutions.  He has expertise in Information Security, Remote Access and Desktop Management, in addition to traditional cloud and on-premises infrastructure solutions.