What Is a Honeypot?

A honeypot is a single security application set up to simulate a server or an entire subnet. In Turkish it means “honey jar”. The concept of a honeypot involves causing a hacker, when they violate the security of a network, to enter a virtually created trap system rather than the real system. The software used can closely monitor everything that happens on that system and may enable the attacker to be tracked and possibly identified. The core idea is to lay bait for a hacker attempting to infiltrate the system and have them compromise a specially prepared virtual network or computer. This way, information can be gathered about the cyber attacker and a great deal of intelligence can be obtained — from the techniques they used to their identity.

The underlying principle of honeypot systems is that any traffic coming to the honeypot machine should be treated as suspicious. Since these systems — which we call honeypots — are not real machines, there is no reason for any legitimate user to connect to them. Access can only be gained through a cyber attack (exploiting vulnerabilities, etc.). For this reason, anyone attempting to connect to this machine is considered a potential intruder. Honeypot systems also contain traps designed to keep the cyber attacker connected long enough to track where they are connecting from.

Spectre Honeypot

Spectre is a software-based honeypot solution. Product information can be found on the Specter website. Spectre software has the ability to emulate major internet protocols and services such as HTTP, FTP, POP3, SMTP and others. It can therefore behave exactly like a fully functional server. The software is designed to run on Windows 2000 or XP. While running on Windows, it can of course simulate AIX, Solaris, UNIX, Linux, Mac and Mac OS X.

Spectre works by running a number of services common to network servers. In fact, in addition to simulating multiple operating systems, it also has the ability to simulate the following services:

• SMTP
• FTP
• TELNET
• FINGER
• POP3
• IMAP4
• HTTP
• SSH
• DNS
• SUN-RPC

Although Spectre appears to be running these servers, it is actually monitoring all incoming traffic. Since it is not a real server on your network, no legitimate user should connect to it. Spectre logs all traffic going to the server for analysis. Users can configure it in one of five modes:

• Open Mode: In this mode, the system behaves like a poorly configured server from a security standpoint. The downside of this mode is that it is most effective at attracting and capturing amateur hackers.
• Secure Mode: This mode makes the system behave like a secure server. It is somewhat harder to understand compared to open mode.
• Failing Mode: This mode makes the system behave like a server with various hardware and software problems. It may attract some hackers because such a system is likely to be vulnerable.
• Strange Mode: In this mode, the system behaves unpredictably. This type of behaviour is more likely to attract a more skilled hacker’s attention, perhaps causing them to stay online longer as they try to understand what is going on. The longer the hacker stays connected, the greater the chance of tracking them.
• Aggressive Mode: This mode allows the system to actively track intruders and obtain their identity. It is most useful for catching intruders.

In all modes, Spectre logs activity including all information it can derive from incoming packets. It also attempts to leave traces on the attacker’s machine, providing clear evidence for any forensic analysis. A fake password file can be configured for users across all modes. These are particularly useful because most hackers attempt to access a password file to crack passwords. If successful, they can log in as a legitimate user.

• Easy Mode: In this mode, passwords are easy to crack and makes the attacker believe they have genuinely found legitimate passwords and usernames. A hacker with a legitimate login is less careful about covering their tracks. If you know the login is fake and the system is set up to monitor, you can trace the tracks back to the hacker.
• Normal Mode: This mode has somewhat harder passwords than easy mode, making it easier to monitor the attacker.
• Hard Mode: This mode uses harder-to-crack passwords. It offers what are called medium and hard passwords. The aim is to make hackers spend more time on the system attempting to crack the passwords, so they can be tracked more effectively.
• Fun Mode: This mode uses celebrity names as usernames, which serves to attract attention.
• Warning Mode: In this mode, the hacker receives a warning notifying them that they have been detected as cracking the password file. The theory behind this mode is that it allows you to see whether most hackers are testing whether they can crack a system and whether they have a specific target. Notifying this type of hacker that they have been detected is usually enough to deter them.

Symantec Decoy Server

Symantec is a popular security company well known for both its antivirus software and firewall solutions. Being such a major vendor, it also provides a honeypot solution. The first Symantec honeypot product was the Decoy Server. It mimicked a real server by simulating many server functions such as incoming and outgoing email traffic.

Since the Decoy Server operates as a honeypot, it also works as an IDS that tracks signs of attack. If an attack is detected, all traffic relating to that attack is logged for use in any investigation, prosecution or similar procedures that may arise.

Decoy Server was designed to be part of a series of enterprise security solutions working in tandem, including enterprise versions of Symantec’s antivirus software, firewall software and anti-spyware software.