Honeypots are a relatively new and highly dynamic technology. Because they are so dynamic, it is difficult to define just what they are. Honeypots are unique in that they are not a solution in and of themselves; they do not solve a specific security problem. Instead, they are highly flexible tools with many different information security applications.
This contrasts with such technologies as firewalls and intrusion detection systems (IDSs), which are easier to define and understand as they solve specific problems. Firewalls are a prevention technology; they are network or host solutions that keep attackers out. IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity. Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more. For the purpose of this book, we will define a honeypot as follows:
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
This definition was developed by members of the Honeypot mail list, a public forum of over 5,000 security professionals. It was difficult to agree on because honeypots come in so many shapes and sizes; as a result the definition is deliberately broad, since it has to cover many different applications. Note that it says nothing about how a honeypot works or what its purpose is. Instead, it describes how a honeypot generates its value. Simply put, a honeypot's value depends on the bad guys interacting with it. All honeypots work on the same principle: nobody should be using or interacting with them, so any transaction or interaction with a honeypot is, by definition, unauthorized.
A honeypot has no value as a production component of an information infrastructure; it provides no real productive service. Any transaction processed, any login attempted, or any data file accessed on a honeypot is therefore most likely malicious or unauthorized activity. For example, a honeypot system can be deployed on an internal network. That honeypot has no production value and no one in the organization should be using it. It could appear to be a file server, a web server, or even an employee's workstation. If someone interacts with it, they are most likely engaged in unauthorized or malicious activity, and the interaction itself is the detection signal, regardless of what the attacker was trying to do.
In fact, a honeypot does not even have to be a computer. It can be any digital entity (often called a honeytoken) that has no production value. For example, a hospital could create a false set of electronic patient records labeled George W. Bush. Because these records are honeypots, nobody should be accessing or interacting with them. They could be planted in the hospital's patient database as a honeypot component. If any employee or attacker attempted to access these records, that would indicate unauthorized activity, because no legitimate workflow ever touches them. Any access to the records can also generate an alert. It is the very simplicity of this concept that gives honeypots their tremendous advantages (and disadvantages).
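The detection logic behind both examples above (the internal decoy host and the decoy patient record) is the same: key the alert on the identity of the decoy, not on the nature of the action. The following is an added illustration, not code from the book; the audit-log format, the record ID of the decoy chart, the decoy host address and the log lines are all constructed for this example.

```python
"""Detect access to honeytokens and internal honeypots in audit logs.

Added example (not from "Know Your Enemy"). The log format, the decoy
record ID, the decoy host address and all sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Assumed honeytoken: the ID of the decoy patient chart. Because no
# legitimate workflow ever opens it, any access is unauthorized.
HONEYTOKEN_RECORD_IDS = {"PT-00099811"}

# Assumed internal honeypot: a decoy file server with no production role,
# so any connection to it is suspect.
HONEYPOT_HOSTS = {"10.20.30.44"}

# Constructed log format shared by the EHR application audit trail and a
# flow collector:  <ts> <source> user=<u> action=<a> target=<t> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    kind: str      # "honeytoken" or "honeypot"
    target: str    # the decoy that was touched
    src: str       # address the access came from


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return an Alert for every interaction with a decoy record or host.

    The action field is deliberately ignored: reading, writing or merely
    connecting are all equally unauthorized, because the decoy has no
    legitimate users.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable lines are skipped, not alerted on
        if ev["source"] == "ehr-db" and ev["target"] in HONEYTOKEN_RECORD_IDS:
            alerts.append(Alert(ev["ts"], ev["user"], "honeytoken",
                                ev["target"], ev["src"]))
        elif ev["source"] == "netflow" and ev["target"] in HONEYPOT_HOSTS:
            alerts.append(Alert(ev["ts"], ev["user"], "honeypot",
                                ev["target"], ev["src"]))
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source address so that a host touching several
    decoys stands out from a single accidental click."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


# Constructed sample: one legitimate chart view, one view of the decoy
# chart, one connection to the decoy server, one ordinary connection,
# and one malformed line.
SAMPLE_LOG = [
    "2004-03-12T09:14:02Z ehr-db user=nurse.kim action=view target=PT-00012345 src=10.20.5.17",
    "2004-03-12T09:15:40Z ehr-db user=jdoe action=view target=PT-00099811 src=10.20.5.91",
    "2004-03-12T09:16:10Z netflow user=- action=connect target=10.20.30.44 src=10.20.5.91",
    "2004-03-12T09:16:11Z netflow user=- action=connect target=10.20.30.2 src=10.20.5.17",
    "not a log line",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.kind:10} user={a.user} target={a.target} src={a.src}")
    print(alerts_by_source(found))
```

One design point matters in practice: the honeytoken check reads the application's audit trail (`ehr-db`), not the storage layer. Backups, index rebuilds and replication touch every row, including the decoy, so a detector keyed on raw table reads would fire constantly; keyed on the application's record-access events it fires only when a person or a tool acting as one opens the decoy, which is exactly the condition the text describes.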
(This article is excerpted from the recently published book "Know Your Enemy: Learning About Security Threats".)