A honeypot is

"a trap set to detect, deflect or in some manner counteract attempts at unauthorised use of information systems."[1]

"[a] deception technique in which a person seeking to defend computing devices and cyber infrastructure against cyber operations uses a virtual environment designed to lure the attention of intruders with the aim of: deceiving the intruders about the nature of the environment; having the intruders waste resources on the decoy environment; and gathering counterintelligence about the intruder's intent, identity, and means and methods of cyber operation."[2]
It is a special type of intrusion detection system that acts as a decoy server or system that gathers information about an attacker or intruder — such as the method of intrusion and the vulnerabilities exploited — in order to improve security methods.
To attract attackers, honeypots appear to contain important data, but actually contain false information. A honeypot can be set up to alert a system administrator of an attack via e-mail or pager, allowing the administrator to ensure that the honeypot is not used as a springboard for further attacks. The more realistic the system appears, the longer the attacker will stay and the more will be disclosed about their techniques.
"The honeypot can be co-resident with the real targets the intruder would like to attack, but the honeypot itself is isolated from the rest of the systems being defended via software wrappers, separate hardware, and other isolation techniques such that the intruder's operations are contained."[3]
By reviewing the order, sequence, time stamps and type of packets used during a honeypot attack, the analyst may identify the tools and methodology being used by the attacker, their skill level, and their intentions (vandalism, data theft, remote launch point search, etc.).
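The two defensive tasks just described, alerting an administrator when the decoy is touched and reconstructing the order and timing of an intruder's packets to infer intent, can be sketched in a few dozen lines. The script below is an added example, not code from the original page or from any honeypot project: it parses a constructed, hypothetical connection-log format, groups events by source address, measures each source's activity window and port coverage, and applies a simple labelling heuristic (the thresholds, log format, labels and IP addresses are all assumptions chosen for illustration). The alert strings it returns stand in for the e-mail or pager notification a real deployment would send.

```python
"""Summarise a honeypot connection log per intruder and build alert text.

Added example; the log format below is a constructed, hypothetical one:
    <ISO timestamp> <source-ip> <destination-port> <protocol> <bytes-sent>
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log lines (hypothetical honeypot format, documentation IPs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 22 tcp 0
2024-03-01T10:00:01 198.51.100.7 23 tcp 0
2024-03-01T10:00:02 198.51.100.7 80 tcp 0
2024-03-01T10:00:02 198.51.100.7 443 tcp 0
2024-03-01T10:00:03 198.51.100.7 3389 tcp 0
2024-03-01T10:05:10 203.0.113.9 22 tcp 812
2024-03-01T10:05:14 203.0.113.9 22 tcp 794
2024-03-01T10:05:19 203.0.113.9 22 tcp 803
2024-03-01T10:09:00 192.0.2.44 80 tcp 1201
"""


@dataclass
class Event:
    ts: datetime
    src: str
    port: int
    proto: str
    nbytes: int


@dataclass
class Session:
    """All events seen from one source address, kept in time order."""
    src: str
    events: list = field(default_factory=list)

    @property
    def ports(self):
        return sorted({e.port for e in self.events})

    @property
    def duration_s(self):
        # Window between the first and last packet from this source.
        return (self.events[-1].ts - self.events[0].ts).total_seconds()


def parse_log(text):
    """Parse log text into Event objects, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, port, proto, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, int(port), proto, int(nbytes)))
    # The order of packets is what lets the analyst reconstruct methodology,
    # so sort explicitly rather than trusting the file's line order.
    events.sort(key=lambda e: e.ts)
    return events


def group_sessions(events):
    """Group time-ordered events by source address."""
    sessions = {}
    for e in events:
        sessions.setdefault(e.src, Session(e.src)).events.append(e)
    return sessions


def classify(session, sweep_threshold=4):
    """Heuristic label for a session (assumed thresholds, for illustration only)."""
    if len(session.ports) >= sweep_threshold:
        return "port sweep"        # many ports, little payload: reconnaissance
    if len(session.events) >= 3 and len(session.ports) == 1:
        return "repeated probe"    # same service hit repeatedly, e.g. credential guessing
    return "single touch"


def build_alerts(sessions):
    """Return one alert line per source; a deployment would e-mail or page these."""
    alerts = []
    for s in sessions.values():
        alerts.append(
            f"{s.src}: {classify(s)} over ports {s.ports} "
            f"in {s.duration_s:.0f}s ({len(s.events)} events)"
        )
    return alerts


if __name__ == "__main__":
    for line in build_alerts(group_sessions(parse_log(SAMPLE_LOG))):
        print(line)
```

Because the honeypot offers no legitimate service, every line in such a log is suspect by construction, which is why even this crude heuristic is informative: the distinction the labels draw is between an intruder mapping the decoy and one already working on a single service.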
Even though honeypots are purported to be one of the best ways to analyze the activity of a hacker, they also have problems associated with them, and thus their usefulness as a forensic tool is limited. The problems range from complicated implementation to issues concerning the security of the network they reside on. The following is a list of problems associated with honeypots:
- Difficult to emulate services convincingly enough to trick hackers.
- Only capable of collecting a limited amount of information.
- Could provide a hacker with unexpected access to a system.
- May placate hackers.
- Requires administrative effort to oversee the honeypot.
- Limited or no evidentiary value.
1. Malicious Software (Malware): A Security Threat to the Internet Economy, at 59.
2. Tallinn Manual, at 213.
3. Id.