{"id":62809,"date":"2018-08-29T13:50:42","date_gmt":"2018-08-29T20:50:42","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=62809"},"modified":"2018-08-29T13:50:42","modified_gmt":"2018-08-29T20:50:42","slug":"a-honeypot-guide-why-researchers-use-honeypots-for-malware-analysis","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/a-honeypot-guide-why-researchers-use-honeypots-for-malware-analysis\/","title":{"rendered":"A Honeypot Guide: Why Researchers Use Honeypots for Malware Analysis"},"content":{"rendered":"

\"What<\/a><\/p>\n

You may have heard the term “honeypot” thrown about in the security community from time to time. While it may spark your imagination, you may be wondering what is a honeypot and what role does it\u00a0play in the security industry? Certainly malware hunters\u00a0aren’t referring to Winnie the Pooh helping himself to jars and jars of honey, right? So,\u00a0what exactly do security researchers mean what talking about honeypots? <\/span><\/p>\n

A honeypot, in the Internet security world, is a real or simulated system designed to attract attacks on itself. Essentially they are virtual or physical machines that\u00a0are open to the real world whilst flaunting their intended vulnerabilities. Honeypots became popular amidst the wide spreading of worms<\/a> in the late 1990s and early 2000s. The main purposes of these traps were to capture and analyze attacks in order to improve defenses from malicious intrusions.<\/span><\/p>\n

Below is a simple, yet practical guide that covers the basic\u00a0types of honeypots, as well as how and why they help researchers analyze malware. Without further do, let’s get to it!<\/p>\n

What Are the Different Types of Honeypots<\/h3>\n

<\/b>There are two main categories of honeypots: high-interaction and low-interaction.\u00a0<\/span><\/p>\n

High-interaction<\/em>\u00a0honeypots are real physical machines with perhaps some software to aid analysis and configuration. The attacker has a large amount of freedom for nefarious actions within a high-interaction honeypot \u2014 hence the name. Usually the system will have vulnerabilities, which make it easy for attackers to gain access. While these can collect a large amount of forensic data for an analyst, they are expensive in their maintenance and are complex to deploy.<\/span><\/p>\n

Low-interaction<\/em>\u00a0honeypots\u00a0emulate\u00a0systems with vulnerabilities. For instance,\u00a0Dionaea<\/a> (named after the Venus flytrap) is a low-interaction honeypot, which emulates Windows protocol (SMTP, FTP, etc.) vulnerabilities that are targeted by malware. Low-interaction honeypots are relatively easy to deploy and use little resources due to the fact that these can quickly be deployed within a virtual machine. <\/span><\/p>\n

The problem with this approach is that an attacker has a greater chance of being aware that they are within a honeypot and can use it against the host. An attacker can \u2018fingerprint\u2019 a honeypot based on known characteristics of publicly available honeypots\u00a0like\u00a0the aforementioned Dionaea and Honeyd<\/a>.<\/span><\/p>\n

How Honeypots Help Malware Researchers<\/h3>\n

As previously stated, these systems can be used for malware analysts to collect current \u2018in-the-wild<\/a>\u2019 malware, an insight into hackers\u2019 attack patterns or as a decoy. Another common use for honeypots is within a large corporate network. A company can deploy a collection of honeypots, or a\u00a0honeynet<\/em>, within their network to mitigate attacks toward their corporate servers and instead direct them at the Honeynet.<\/span><\/p>\n

Though the development of new honeypots seemed to slow down after the mid 2000s, the applications and use of them have not ceased. As technology advances and data becomes more and more valuable, so will the sophistication and types of attacks on said technology.<\/span><\/p>\n

What\u00a0is Deception Technology?<\/h3>\n

A somewhat new\u00a0advancement on\u00a0the use of\u00a0honeypots is\u00a0Deception Technology<\/em>. <\/span><\/p>\n

Deception technology is the current approach to stopping advanced attacks. Deception technology aims to deceive attackers much like honeypots. The difference is that this technology is maintained by a company, which deploys a large system of decoy servers and\/or machines within your network and provides all of the capabilities of analysis and insight for you. This seems to be the current trend in network security; such that, more sophisticated defense mechanisms are needed in today’s world as cybercriminals use\u00a0more advanced\u00a0approaches to attacking network infrastructures.\u00a0<\/span><\/p>\n

Further reading:<\/strong><\/p>\n