We've promised that we'll take the side of curious non-experts when it comes to helping companies navigate the sea of complex cybersecurity terminology. Today we're back to continue to chip away at that never-ending job, by answering the question: what is a honeypot?
Our perspective is that if we all get more savvy in understanding the real-world meaning of some of the terms that are thrown around casually in cybersecurity circles, we're all in a better position to take part in the conversation, as opposed to being a bystander while the "experts" leave us behind. So, today we'll take on the term "honeypot" and a few minutes from now you'll have a crystal clear understanding of what that means in the context of cybersecurity.
What is a Honeypot?
Imagine that you are working on a pre-release website that you haven't told anyone about. It's financial-services oriented (something that is always a target for hackers).
You registered the domain name and created a subdomain where you host the authentication-required pre-release site. But you haven't been promoting it anywhere. Intentionally. Because it's not production-ready yet. Yet you begin to see an unusual number of failed login attempts. They seem to be coordinated in a manner that is more sophisticated than happenstance attempts by opportunistic cyber criminals. Spooky.
As you rack your brain about how this particular pre-release website got on the radar of cyber criminals, you can think of only a few places where the financial-services nature of the pre-release site is evident, and they are all places that you thought you had tightly controlled: a writeup in your source code repository (a README file); a presentation hosted on Google Drive, shared with just two prospective investors; and a shared document with a software development firm that you are considering hiring.
What you could do next is to set up three additional subdomains that visually resemble the authentic one, and update each of the three documents with a separate URL pointing at one of the new subdomains -- the honeypots. This isn't the only investigatory strategy, but it's a valid one, and it could lead to you observing that one of your honeypots is suddenly getting a lot of traffic. If that were to occur, you'd be one huge step closer to understanding how hackers are becoming aware of your hosts.
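As an added example (not from the original post), the following Python sketch shows how the attribution step could be automated: each decoy hostname is mapped to the document it was seeded in, web-server log lines (constructed here) are tallied per decoy, and any decoy that draws a login-guessing pattern points back at the document that leaked. The hostnames, document names and log format are assumptions for illustration.

```python
import re

# Hypothetical mapping: each decoy subdomain was seeded into exactly one document.
# Hostnames and document names are constructed for this example.
CANARY_HOSTS = {
    "app-a.example-fintech.test": "README in source repository",
    "app-b.example-fintech.test": "Investor deck on Google Drive",
    "app-c.example-fintech.test": "Shared doc with dev firm",
}

# Constructed log lines in an assumed format: vhost, client IP, time, request, status.
SAMPLE_LOG = """\
app-a.example-fintech.test 203.0.113.7 [01/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200
app-b.example-fintech.test 198.51.100.23 [01/Mar/2024:10:05:41 +0000] "POST /login HTTP/1.1" 401
app-b.example-fintech.test 198.51.100.23 [01/Mar/2024:10:05:43 +0000] "POST /login HTTP/1.1" 401
app-b.example-fintech.test 198.51.100.88 [01/Mar/2024:10:06:10 +0000] "POST /login HTTP/1.1" 401
app-b.example-fintech.test 198.51.100.88 [01/Mar/2024:10:06:12 +0000] "POST /login HTTP/1.1" 401
app-b.example-fintech.test 198.51.100.88 [01/Mar/2024:10:06:14 +0000] "POST /login HTTP/1.1" 401
app.example-fintech.test 192.0.2.5 [01/Mar/2024:10:07:00 +0000] "GET /login HTTP/1.1" 200
this line is truncated and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_log(text):
    """Yield (host, ip, status) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["host"], m["ip"], int(m["status"])


def honeypot_activity(log_text, canaries=CANARY_HOSTS):
    """Per decoy host: request count, distinct client IPs, and failed logins (401/403)."""
    stats = {h: {"requests": 0, "sources": set(), "failed_logins": 0} for h in canaries}
    for host, ip, status in parse_log(log_text):
        if host not in canaries:  # the real site or an unknown vhost: not a decoy
            continue
        s = stats[host]
        s["requests"] += 1
        s["sources"].add(ip)
        if status in (401, 403):
            s["failed_logins"] += 1
    return stats


def suspected_leaks(stats, canaries=CANARY_HOSTS, min_failed=3):
    """Documents whose decoy drew a login-guessing pattern (>= min_failed failures)."""
    return sorted(canaries[h] for h, s in stats.items() if s["failed_logins"] >= min_failed)


if __name__ == "__main__":
    print("Suspected leaked documents:", suspected_leaks(honeypot_activity(SAMPLE_LOG)))
```

The single request against app-a is below the threshold, so only the investor deck is flagged; in practice you would tune min_failed to whatever volume the intended recipients could never plausibly generate.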
Key Tradeoffs to Consider
You wouldn't go to all of the trouble of setting up one or more honeypots if you had a better and easier investigatory option. If you had a straightforward path to discern the intent, identity, or confidential information possessed by the hacker -- you'd go down that straightforward path instead of setting up a honeypot. But since you've arrived at this "What is a honeypot?" article, we figure you are probably running low on good alternatives.
Wrapping Up
At Havoc Shield, we primarily work with companies that don't have a CISO (Chief Information Security Officer), so we tend to work heavily with people who have a motivation to overcome some security challenge -- or to improve their cybersecurity posture -- but don't have the time to spend their whole professional life dwelling on cybersecurity matters. It's through that lens that we answer questions like "What is a honeypot?" -- we think that democratizing access to knowledge about cybersecurity makes us all safer... especially when it feels inviting to non-cybersecurity professionals. Have any other terms you'd like us to explain in plain language? We're up for the challenge. Drop us a line here.