What are honeypots, honey baits, honey tags, honeynets, honey farms... in network security?

As security practitioners, whether we are doing penetration testing or defending in an attack-defense drill, we have all come into contact with honeypots to some extent. But a whole family of terms travels with the honeypot: honey bait, honey tag, honeynet, honey farm... What do they mean? This article explains each of these concepts in turn.

1. What is a honeypot?

The word honeypot is said to come from hunting: a hunter fills a jar with honey and sets a trap around it to catch bears drawn to the sweetness. Network security later borrowed the term for a decoy that deceives attackers in the same way.

A honeypot is deployed as a node on the network. To an attacker it may look like a Raspberry Pi, an IP camera or a printer. It can be placed at any network location, and is usually used to collect intelligence about attacks that reach that node and to draw attacks away from the production equipment and resources on the same network segment. Because a honeypot serves no legitimate users, any connection to it is suspicious by definition, which is what makes it such a low-noise sensor.

The working principle is simple. A successful honeypot is disguised as a very attractive system that appears to hold the important data the attacker wants. From the moment the attacker enters, every action is recorded by the honeypot and becomes intelligence in the defender's hands. Meanwhile the business in the honeypot is not real: the attacker works in vain and gains nothing. Two things follow from this. The honeypot must be isolated from production systems so that a compromised honeypot cannot be used as a pivot, and its logs must be shipped off the box, since an attacker who controls the honeypot can tamper with anything stored on it.
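To make the "everything is recorded" principle concrete, here is a minimal low-interaction Telnet honeypot in Python. This is an added example, not code from the original article or from any product it mentions; the fake OS banner, the listening port 2323 and the JSON event format are assumptions. It strips Telnet option negotiation from what the client sends, answers every login with "Login incorrect", and emits one JSON record per credential pair tried:

```python
"""Minimal low-interaction Telnet honeypot: presents a login prompt, never lets
anyone in, and records every username/password pair an attacker tries."""
import json
import socketserver
import time

BANNER = b"\r\nUbuntu 20.04.3 LTS\r\n"      # assumed fake OS banner
IAC, SB, SE = 0xFF, 0xFA, 0xF0           # Telnet command bytes (RFC 854)
MAX_ATTEMPTS = 5                         # drop the session after this many tries


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation so only what the attacker typed remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC)              # escaped literal 0xFF
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)   # skip subnegotiation
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and 0xFB <= data[i + 1] <= 0xFE:
            i += 3                       # IAC WILL/WONT/DO/DONT <option>
        else:
            i += 2                       # any other two-byte command
    return bytes(out)


class LoginTrap:
    """Per-session state machine: feed() takes one line typed by the attacker
    and returns the bytes to send back. Every completed pair is kept."""

    def __init__(self):
        self.pending_user = None
        self.attempts = []               # list of (username, password)

    def greeting(self) -> bytes:
        return BANNER + b"login: "

    def feed(self, line: str) -> bytes:
        if self.pending_user is None:
            self.pending_user = line
            return b"Password: "
        self.attempts.append((self.pending_user, line))
        self.pending_user = None
        return b"\r\nLogin incorrect\r\nlogin: "   # always refuse


def attempt_record(src_ip: str, src_port: int, user: str, password: str, ts=None) -> dict:
    """One JSON-able event per credential attempt, for the SIEM or log pipeline."""
    return {"ts": ts if ts is not None else time.time(), "sensor": "telnet-honeypot",
            "src_ip": src_ip, "src_port": src_port, "username": user, "password": password}


class HoneypotHandler(socketserver.StreamRequestHandler):
    timeout = 30                         # idle attackers are dropped

    def handle(self):
        trap = LoginTrap()
        src_ip, src_port = self.client_address[:2]
        try:
            self.wfile.write(trap.greeting())
            while len(trap.attempts) < MAX_ATTEMPTS:
                raw = self.rfile.readline()
                if not raw:
                    break
                line = strip_telnet_iac(raw).decode("utf-8", "replace").strip()
                self.wfile.write(trap.feed(line))
        except OSError:
            pass                         # attacker hung up or timed out
        for user, password in trap.attempts:
            print(json.dumps(attempt_record(src_ip, src_port, user, password)))


if __name__ == "__main__":
    # Port 23 needs root; listen on 2323 and redirect 23 -> 2323 with iptables/nftables.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), HoneypotHandler) as srv:
        srv.serve_forever()
```

Run it as an unprivileged user on a host that has nothing else on it, redirect port 23 to 2323 in the firewall, and ship the JSON lines off the box with your log agent. The attacker never gets a shell, so there is nothing to escape from; that is the trade-off of a low-interaction honeypot: safe, but it captures only the first stage of an attack (scanning and credential guessing), not what the attacker would do inside.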

2. What is honey bait?

Honey bait is usually a file. It works like a honeypot: it tricks the attacker into opening or downloading it. When hackers see files such as "XX second-half work plan.docx", "XX environment operations and maintenance manual.pdf" or "employee salary list-20210630.xlsx", they often cannot resist downloading them, and so they fall into the defender's trap. When the defender finds traces of the file being opened, or sees the attacker act on the file's contents (for example, trying a password that appears only in the bait), the defender can trace the activity back and find the compromised device. The bait must of course contain no real data.

3. What is a honey tag?

We can go one step further and embed a hidden link in the bait, for example an externally hosted image in a Word or PDF document. When the attacker opens the file, the viewer fetches the link, and the defender gets the opener's real network address, browser or client fingerprint and similar information, which helps trace the attacker's identity. A honey bait that carries such a URL is a honey tag. Two caveats: modern viewers may block external content until the user allows it, so a hit is not guaranteed, and an attacker behind a VPN or proxy reveals only that exit address, so a hit identifies the opener's network rather than proving who they are.

4. What is a Honeynet?

When we use honeypots we often put many of them in one network to increase the chance that an attacker hits one. Simply put, a honeynet is a large number of honeypots connected into a network, but this network must be closely tied to the business. When attackers try to break into a system, they focus on the nodes related to the business in order to get what they want (business data, files, and so on). So we model the real business environment and place honeypots along the attacker's likely path, giving the attacker room for lateral movement and a richer set of entry points. As the attacker steps through a series of honeypots, we get a clear picture of their methods and habits.

This highly complex bait environment is called a honeynet.

Different business scenarios have different network topologies, and different workflows have different status update and control requirements. Therefore, building an effective honeynet is a big challenge for security personnel.

5. What is a honey farm?

Honeynets are effective but demanding. They require a lot of management and maintenance, and the operator must also prevent a honeypot from being fully compromised and used by the attacker as a springboard into real systems. So how can we use honeypots without so much effort and risk?

The answer is to centralize malicious access and manage it in one place. Honey farms, which rely on redirection, came into being as a result.

A honey farm is also a form of distributed honeypot, but in a honey farm the nodes the attacker reaches are lightweight virtual honeypots (redirectors). They forward the attacker's traffic to real honeypots in a central farm, and the real honeypots' responses travel back through the redirectors, so the attacker sees a live service at the address they probed while the actual interaction happens in an environment the defender controls centrally.
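The redirection described above can be demonstrated with a small TCP redirector in Python: it listens where the virtual honeypot should appear, connects each incoming session to the real honeypot in the farm, relays bytes both ways and writes one session record with the original attacker address. This is an added example, not code from the article or from HFish; the stand-in farm honeypot (a fake FTP banner) and the in-memory session list are assumptions for the demo. demo() wires a farm, a redirector and an "attacker" together on loopback and returns what each side saw:

```python
"""Honey-farm redirector: a lightweight 'virtual honeypot' that sits on the
production segment, forwards every attacker connection to a real honeypot in
a central farm, relays bytes both ways and records one session per attacker."""
import json
import socket
import socketserver
import threading
import time

SESSIONS = []                            # session records (in memory for the example)


def pump(src: socket.socket, dst: socket.socket, stats: dict, key: str) -> None:
    """Copy bytes src -> dst until src closes, counting them; then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            stats[key] += len(chunk)
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def redirect(client: socket.socket, backend_addr: tuple) -> dict:
    """Bridge one attacker connection to the farm; return the session record."""
    src_ip, src_port = client.getpeername()[:2]
    client.settimeout(300)               # idle attackers are dropped (assumed limit)
    stats = {"bytes_in": 0, "bytes_out": 0}
    started = time.time()
    with socket.create_connection(backend_addr, timeout=300) as backend:
        to_farm = threading.Thread(target=pump, args=(client, backend, stats, "bytes_in"))
        to_attacker = threading.Thread(target=pump, args=(backend, client, stats, "bytes_out"))
        to_farm.start()
        to_attacker.start()
        to_farm.join()
        to_attacker.join()
    record = {"ts": started, "src_ip": src_ip, "src_port": src_port,
              "backend": "%s:%d" % tuple(backend_addr[:2]),
              "duration_s": round(time.time() - started, 3), **stats}
    SESSIONS.append(record)
    return record


class RedirectHandler(socketserver.BaseRequestHandler):
    def handle(self):
        print(json.dumps(redirect(self.request, self.server.backend_addr)))


class Redirector(socketserver.ThreadingTCPServer):
    """The virtual honeypot: a listener whose only job is to redirect."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, listen_addr, backend_addr):
        super().__init__(listen_addr, RedirectHandler)
        self.backend_addr = backend_addr


class FakeFarmHoneypot(socketserver.BaseRequestHandler):
    """Stand-in for the real honeypot (assumption): FTP-style banner, one reply."""
    def handle(self):
        self.request.sendall(b"220 ftp.corp.example FTP server ready\r\n")
        line = self.request.recv(1024)
        self.request.sendall(b"530 Login incorrect. echo=" + line)


def demo() -> dict:
    """Run farm, redirector and one 'attacker' on loopback; return what happened."""
    farm = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeFarmHoneypot)
    farm.daemon_threads = True
    front = Redirector(("127.0.0.1", 0), farm.server_address)
    for srv in (farm, front):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    before = len(SESSIONS)
    with socket.create_connection(front.server_address, timeout=5) as attacker:
        banner = attacker.recv(1024)
        attacker.sendall(b"USER admin\r\n")
        attacker.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = attacker.recv(1024)
            if not chunk:
                break
            reply += chunk
    deadline = time.time() + 5
    while len(SESSIONS) == before and time.time() < deadline:
        time.sleep(0.02)
    for srv in (front, farm):
        srv.shutdown()
        srv.server_close()
    return {"banner": banner, "reply": reply, "sessions": SESSIONS[before:]}


if __name__ == "__main__":
    print(json.dumps(demo(), default=lambda b: b.decode(), indent=2))
```

In production the redirector is the only thing installed on the production segment; the real honeypots sit in an isolated farm network with egress filtered, so a breached honeypot cannot reach production. Note that the real honeypot sees the redirector's address as the peer, so the redirector must log the original source itself (as done here) or pass it along, for example with the PROXY protocol, otherwise the farm's own logs cannot tell attackers apart.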


The benefits are obvious. First, deploying a new honeypot is easier: just install a redirector. Second, maintenance and analysis are easier and the risk of a breached honeypot is easier to control, since the real honeypots live in one isolated place. The honeypots can also produce highly accurate threat intelligence to feed firewalls, situational-awareness platforms and other systems. Finally, the information gathered across the whole farm reflects the overall security posture of the network to some degree and helps improve security strategy.

6. I also want a set of "honey farm + honey tag", how should I start?

Here I recommend the domestic free honeypot HFish (https://hFish.io). HFish is a honeypot framework written by a Chinese developer; it is easy to use and well documented. Sixteen months after launch, HFish had received 2.6k stars on GitHub and become a top-5 GVP project in the security category on Gitee in China. New versions are released continuously, and all enterprise and individual users are licensed to use it free of charge, permanently.

