Honeypot (computing)
==Types==
Honeypots can be differentiated based on whether they are physical or virtual:<ref name="A Virtual Honeypot Framework"/><ref name="dl.acm.org"/>
* Physical honeypot: a real machine with its own IP address that simulates the behaviors modeled by the system. This modality is used less often because of the high price of acquiring new machines, their maintenance, and the complexity of configuring specialized hardware.<ref name="A Virtual Honeypot Framework"/><ref name="dl.acm.org"/>
* Virtual honeypot: allows hosts running different operating systems to be installed and simulated on the network, but to do so the TCP/IP stack of the target operating system must be simulated. This modality is more common.<ref name="A Virtual Honeypot Framework"/><ref name="dl.acm.org"/>

Honeypots can be classified based on their deployment (use/action) and based on their level of involvement. Based on deployment, honeypots may be classified as:<ref name=":0">{{Cite book|last1=Mokube|first1=Iyatiti|last2=Adams|first2=Michele|title=Proceedings of the 45th annual southeast regional conference |chapter=Honeypots: Concepts, approaches, and challenges |date=March 2007|chapter-url=https://doi.org/10.1145/1233341.1233399|pages=321–326|doi=10.1145/1233341.1233399|isbn=9781595936295 |s2cid=15382890}}</ref>
* production honeypots
* research honeypots

'''Production honeypots''' are easy to use, capture only limited information, and are used primarily by corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy.
They give less information about the attacks or attackers than research honeypots.<ref name=":0" />

'''Research honeypots''' are run to gather information about the motives and tactics of the [[black hat (computer security)|black hat]] community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats.<ref>{{cite book| title=Honeypots tracking hackers| author=Lance Spitzner| publisher=[[Addison-Wesley]] | isbn=0-321-10895-7| year=2002| pages=68–70}}</ref> Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.<ref name="Attacks Landscape in the Dark Side of the Web">{{Cite web |url=http://www.madlab.it/papers/sac17_darknets.pdf |title=Attacks Landscape in the Dark Side of the Web |last=Katakoglu |first=Onur |date=2017-04-03 |website=acm.org |access-date=2017-08-09}}</ref>

Based on design criteria, honeypots can be classified as:<ref name=":0" />
* pure honeypots
* high-interaction honeypots
* low-interaction honeypots

'''Pure honeypots''' are full-fledged production systems. The activities of the attacker are monitored by using a bug tap that has been installed on the honeypot's link to the network. No other software needs to be installed. Even though a pure honeypot is useful, the stealthiness of the defense mechanisms can be better ensured by a more controlled mechanism.

'''High-interaction honeypots''' imitate the activities of the production systems that host a variety of services and, therefore, an attacker may be given access to many services in order to waste their time. By employing [[virtual machine]]s, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly.
In general, high-interaction honeypots provide more security by being difficult to detect, but they are expensive to maintain. If virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive. Example: [[Honeynet Project|Honeynet]].

'''Low-interaction honeypots''' simulate only the services frequently requested by attackers.<ref>{{Cite journal |last1=Litchfield |first1=Samuel |last2=Formby |first2=David |last3=Rogers |first3=Jonathan |last4=Meliopoulos |first4=Sakis |last5=Beyah |first5=Raheem |date=2016 |title=Rethinking the Honeypot for Cyber-Physical Systems |url=https://ieeexplore.ieee.org/document/7676152 |journal=IEEE Internet Computing |volume=20 |issue=5 |pages=9–17 |doi=10.1109/MIC.2016.103 |s2cid=1271662 |issn=1089-7801|url-access=subscription }}</ref> Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security. Example: [[Honeyd]].
This type of honeypot was one of the first types to be created, in the late 1990s, and was mainly used for detecting attacks, not studying them.<ref>{{Cite book |last1=Göbel |first1=Jan Gerrit |last2=Dewald |first2=Andreas |last3=Freiling |first3=Felix |date=2011 |title=Client-Honeypots |url=http://dx.doi.org/10.1524/9783486711516 |doi=10.1524/9783486711516|isbn=978-3-486-71151-6 }}</ref>

'''Sugarcane''' is a type of honeypot that masquerades as an open proxy.<ref>{{cite book|url=https://books.google.com/books?id=ntsJqzfwFhkC&dq=honeypot+sugarcane&pg=PA25|title=Architecting Secure Software Systems Page 25 – CRC Press, Taylor & Francis Group|date=17 December 2008|isbn=9781420087857|last1=Talukder|first1=Asoke K.|last2=Chaitanya|first2=Manish|publisher=CRC Press }}</ref> It often takes the form of a server designed to look like a misconfigured HTTP proxy.<ref>{{cite web|url=https://www.secureworks.com/blog/proxies|title=Exposing the Underground: Adventures of an Open Proxy Server|date=21 March 2011}}</ref> Probably the most famous open proxy was the default configuration of [[sendmail]] (before version 8.9.0 in 1998), which would forward email to and from any destination.<ref>{{cite web|url=https://lwn.net/Articles/240120/|title=Capturing web attacks with open proxy honeypots|date=3 July 2007}}</ref>

=== Deception technology ===
Recently, a new market segment called [[deception technology]] has emerged using basic honeypot technology with the addition of advanced automation for scale.
Deception technology addresses the automated deployment of honeypot resources over a large commercial enterprise or government institution.<ref>{{cite web|url=http://blogs.gartner.com/lawrence-pingree/2016/09/28/deception-related-technology-its-not-just-a-nice-to-have-its-a-new-strategy-of-defense/|title=Deception related technology – it's not just a "nice to have", it's a new strategy of defense – Lawrence Pingree|date=28 September 2016}}</ref>

=== Malware honeypots ===
A malware honeypot is a decoy designed to intentionally attract malicious software. It does this by imitating a vulnerable system or network, such as a web server. The honeypot is intentionally set up with security flaws that appear to invite such malware attacks. Once attacked, IT teams can analyze the malware to better understand where it comes from and how it acts.<ref>{{Cite web |last=Praveen |date=2023-07-31 |title=What Is a Honeypot in Cybersecurity? Types, Implementation, and Real-World Applications |url=https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/what-are-honeypots-benefits-types/ |access-date=2023-12-05 |website=Cybersecurity Exchange |language=en-US}}</ref>

=== Spam versions ===
[[Spamming|Spammers]] abuse vulnerable resources such as [[open mail relay]]s and [[open proxy|open proxies]]. These are servers that accept e-mail from anyone on the Internet—including spammers—and send it to its destination. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity. Such honeypots provide several capabilities to these administrators, and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high-volume abuse (e.g., spammers).
These honeypots can reveal the abuser's [[IP address]] and provide bulk spam capture (which enables operators to determine spammers' [[URLs]] and response mechanisms). As described by M. Edwards at ITPRo Today:

{{Blockquote |text=Typically, spammers test a mail server for open relaying by simply sending themselves an email message. If the spammer receives the email message, the mail server obviously allows open relaying. Honeypot operators, however, can use the relay test to thwart spammers. The honeypot catches the relay test email message, returns the test email message, and subsequently blocks all other email messages from that spammer. Spammers continue to use the antispam honeypot for spamming, but the spam is never delivered. Meanwhile, the honeypot operator can notify spammers' ISPs and have their Internet accounts canceled. If honeypot operators detect spammers who use open-proxy servers, they can also notify the proxy server operator to lock down the server to prevent further misuse.<ref>{{cite web|last1=Edwards|first1=M.|title=Antispam Honeypots Give Spammers Headaches|url=http://windowsitpro.com/exchange-server/antispam-honeypots-give-spammers-headaches|publisher=Windows IT Pro|access-date=11 March 2015|archive-url=https://web.archive.org/web/20170701040344/http://windowsitpro.com/exchange-server/antispam-honeypots-give-spammers-headaches|archive-date=1 July 2017|url-status=dead}}</ref> }}

The apparent source may be another abused system. Spammers and other abusers may use a chain of such abused systems to make detection of the original starting point of the abuse traffic difficult. This in itself is indicative of the power of honeypots as [[anti-spam]] tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult.
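The relay-test behaviour Edwards describes, as an added example that is not part of the original article or of any existing honeypot software: a minimal fake open SMTP relay, written in Python, that answers every RCPT TO with success so it looks open, forwards only the spammer's self-addressed relay test, then records the source IP and accepts but never delivers anything further from it. The local domain, IP addresses and SMTP transcripts are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

LOCAL_DOMAIN = "honeypot.example"  # assumed domain the fake relay claims to serve


def _addr(line):
    """Pull the address out of 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'."""
    m = re.search(r"<([^>]+)>", line)
    return (m.group(1) if m else line.split(":", 1)[-1]).strip().lower()


@dataclass
class RelayHoneypot:
    """Fake open SMTP relay: accepts everything, delivers only the relay test."""
    flagged: set = field(default_factory=set)      # source IPs identified as spammers
    captured: list = field(default_factory=list)   # (ip, sender, rcpts, body) for analysis
    delivered: list = field(default_factory=list)  # the few messages actually forwarded

    def handle_session(self, client_ip, client_lines):
        """Run one SMTP session over a list of client lines; return the server replies."""
        replies = ["220 mail." + LOCAL_DOMAIN + " ESMTP"]
        sender, rcpts, body, in_data = None, [], [], False
        for line in client_lines:
            if in_data and line != ".":      # inside DATA: collect the message body
                body.append(line)
                continue
            if in_data:                      # the lone '.' ends DATA
                in_data = False
                replies.append(self._accept(client_ip, sender, rcpts, "\n".join(body)))
                sender, rcpts, body = None, [], []
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                replies.append("250 mail." + LOCAL_DOMAIN)
            elif verb == "MAIL":
                sender = _addr(line)
                replies.append("250 OK")
            elif verb == "RCPT":
                rcpts.append(_addr(line))
                replies.append("250 OK")     # never 550: every destination looks relayable
            elif verb == "DATA":
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:
                replies.append("221 Bye" if verb == "QUIT" else "500 Unrecognized command")
        return replies

    def _accept(self, ip, sender, rcpts, body):
        """Decide what happens to a finished message; the client always sees success."""
        self.captured.append((ip, sender, list(rcpts), body))
        is_relay = any(not r.endswith("@" + LOCAL_DOMAIN) for r in rcpts)
        if is_relay and rcpts == [sender] and ip not in self.flagged:  # self-addressed relay test
            self.delivered.append((ip, sender, list(rcpts)))  # let the test through...
            self.flagged.add(ip)                               # ...then block that source
        return "250 OK: queued"  # everything else is accepted but never forwarded
```

The captured tuples are what an operator would examine for the sender's address and the spam's URLs, and the flagged set is the list of sources to report to their ISPs.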
Spam still flows through open relays, but the volume is much smaller than in 2001-02. While most spam originates in the U.S.,<ref>{{cite web|title=Sophos reveals latest spam relaying countries|url=http://www.net-security.org/secworld.php?id=4085|work=Help Net Security|access-date=14 June 2013|date=24 July 2006}}</ref> spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages.

Open-relay honeypots include Jackpot, written in [[Java (programming language)|Java]] by Jack Cleaver; ''smtpot.py'', written in [[Python (programming language)|Python]] by Karl A. Krueger;<ref>{{cite web|title=Honeypot Software, Honeypot Products, Deception Software|url=http://www.honeypots.net/honeypots/products|year=2013|work=Intrusion Detection, Honeypots and Incident Handling Resources|publisher=Honeypots.net|url-status=dead|archive-url=https://web.archive.org/web/20031008120110/http://www.honeypots.net/honeypots/products|archive-date=8 October 2003|access-date=14 June 2013}}</ref> and spamhole, written in [[C (programming language)|C]].<ref>{{cite web|title=spamhole – The Fake Open SMTP Relay Beta|url=http://sourceforge.net/projects/spamhole/|work=SourceForge|publisher=Dice Holdings, Inc.|access-date=14 June 2013|author=dustintrammell|date=27 February 2013}}</ref> The ''Bubblegum Proxypot'' is an open-source honeypot (or "proxypot").<ref name="Ec-Council2009">{{cite book|author=Ec-Council|title=Certified Ethical Hacker: Securing Network Infrastructure in Certified Ethical Hacking|url=https://books.google.com/books?id=nERI0SQqF_sC&pg=SA3-PA23|access-date=14 June 2013|date=5 July 2009|publisher=Cengage Learning|isbn=978-1-4354-8365-1|pages=3–}}</ref>

=== Email trap ===
{{Main|Spamtrap}}
An email address that is not used for any other purpose than to receive spam can also be considered a spam honeypot. Compared with the term "[[spamtrap]]", the term "honeypot" might be more suitable for systems and techniques that are used to detect or counterattack probes. With a spamtrap, spam arrives at its destination "legitimately"—exactly as non-spam email would arrive. An amalgam of these techniques is [[Project Honey Pot]], a distributed, open-source project that uses honeypot pages installed on websites around the world. These honeypot pages disseminate uniquely tagged spamtrap email addresses and [[spammers]] can then be tracked—the corresponding spam mail is subsequently sent to these spamtrap e-mail addresses.<ref>{{Cite news |title=What is a honeypot? |url=https://www.ionos.com/digitalguide/server/security/honeypots-it-security-through-decoy-programs/ |access-date=2022-10-14 |website=IONOS Digital Guide |date=8 August 2017 |language=en}}</ref>

=== Database honeypot ===
Databases often get attacked by intruders using [[SQL injection]]. As such activities are not recognized by basic firewalls, companies often use database firewalls for protection.
Some of the available [[SQL database]] firewalls provide/support honeypot architectures so that the intruder runs against a trap database while the web application remains functional.<ref>{{cite web|url=http://www.dbcoretech.com/?p=453|archive-url=https://web.archive.org/web/20120308171843/http://www.dbcoretech.com/?p=453|title=Secure Your Database Using Honeypot Architecture|archive-date=March 8, 2012|date=August 13, 2010|publisher=dbcoretech.com}}</ref>

=== Industrial Control Systems honeypot ===
[[Industrial control system|Industrial Control Systems]] (ICS) are often the target of cyberattacks.<ref>{{Cite journal |last=Langner |first=Ralph |date=May 2011 |title=Stuxnet: Dissecting a Cyberwarfare Weapon |url=https://ieeexplore.ieee.org/document/5772960 |journal=IEEE Security & Privacy |volume=9 |issue=3 |pages=49–51 |doi=10.1109/MSP.2011.67 |s2cid=206485737 |issn=1558-4046|url-access=subscription }}</ref> One of the main targets within ICS is [[Programmable logic controller|Programmable Logic Controllers]].<ref>{{Cite journal |last1=Stouffer |first1=Keith |last2=Falco |first2=Joe |last3=Scarfone |first3=Karen |date=June 2011 |title=Guide to Industrial Control Systems (ICS) Security - Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) |url=http://dx.doi.org/10.6028/nist.sp.800-82|website=NIST Publications|number=NIST Special Publication (SP) 800-82 |location=Gaithersburg, MD|doi=10.6028/nist.sp.800-82|pages=155 pages|doi-access=free}}</ref> In order to understand intruders' techniques in this context, several honeypots have been proposed.
Conpot<ref>{{Cite book |last1=Jicha |first1=Arthur |last2=Patton |first2=Mark |last3=Chen |first3=Hsinchun |title=2016 IEEE Conference on Intelligence and Security Informatics (ISI) |chapter=SCADA honeypots: An in-depth analysis of Conpot |date=September 2016 |chapter-url=https://ieeexplore.ieee.org/document/7745468 |pages=196–198 |doi=10.1109/ISI.2016.7745468|isbn=978-1-5090-3865-7 |s2cid=14996905 }}</ref><ref>{{Citation |title=Conpot |date=2023-06-23 |url=https://github.com/mushorg/conpot |access-date=2023-06-24 |publisher=MushMush}}</ref> is a low-interaction honeypot capable of simulating Siemens PLCs. HoneyPLC is a medium-interaction honeypot that can simulate Siemens, Rockwell and other PLC brands.<ref>{{Cite book |last1=López-Morales |first1=Efrén |title=Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security |last2=Rubio-Medrano |first2=Carlos |last3=Doupé |first3=Adam |last4=Shoshitaishvili |first4=Yan |last5=Wang |first5=Ruoyu |last6=Bao |first6=Tiffany |last7=Ahn |first7=Gail-Joon |date=2020-11-02 |publisher=Association for Computing Machinery |isbn=978-1-4503-7089-9 |series=CCS '20 |location=New York, NY, USA |pages=279–291 |chapter=HoneyPLC: A Next-Generation Honeypot for Industrial Control Systems |doi=10.1145/3372297.3423356 |hdl=2286/R.I.57069 |author-link7=Gail-Joon Ahn |chapter-url=https://dl.acm.org/doi/10.1145/3372297.3423356 |s2cid=226228191}}</ref><ref>{{Citation |title=HoneyPLC |date=2023-05-24 |url=https://github.com/sefcom/honeyplc |access-date=2023-06-24 |publisher=SEFCOM}}</ref>