A honeypot is a system whose sole purpose is to attract potential intruders and record their malicious activity, so that we can further analyse and understand their behaviour. Many devices can be classified as honeypots, ranging from simple honeypot systems, such as a piece of software listening on specific ports and alerting on connection attempts, to more advanced solutions that collect large amounts of information about attacks in an intelligent fashion.
Honeypots are usually divided into two groups: low interaction and high interaction. Low interaction honeypots mostly emulate systems or services and are usually simple to set up. More advanced high interaction honeypots are built on real systems and/or use virtualization combined with complex monitoring software.
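The simplest low interaction honeypot mentioned above, as an added example written for this post (not code from any of the projects covered in the series): a TCP listener that accepts connections on a chosen port, records the source address and the first bytes each peer sends as one JSON line, and never replies. The `ListenerHoneypot` class, the `probe` helper and the loopback address are assumptions made for this demonstration; on a real deployment you would bind a routable address and a port that attackers actually scan.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone


class ListenerHoneypot:
    """Low-interaction honeypot: accepts TCP connections, records them, never answers."""
    def __init__(self, host="127.0.0.1", port=0, read_timeout=2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port=0 lets the OS pick a free port (handy for tests)
        self.sock.listen(16)
        self.port, self.read_timeout = self.sock.getsockname()[1], read_timeout
        self.events, self._lock = [], threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:  # daemon thread: ends when the process exits
            conn, peer = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        conn.settimeout(self.read_timeout)
        data = b""
        try:
            data = conn.recv(1024)  # one read: a sample of the probe, not a full session
        except OSError:  # covers the timeout: a bare connect with no data is still an event
            pass
        finally:
            conn.close()
        event = {"ts": datetime.now(timezone.utc).isoformat(),
                 "src_ip": peer[0], "src_port": peer[1], "dst_port": self.port,
                 "bytes": len(data), "sample": data[:64].decode("latin-1")}
        with self._lock:
            self.events.append(event)
        print(json.dumps(event))  # one JSON line per attempt, easy to ship to a SIEM

    def wait_for(self, count, timeout=5.0):  # events recorded so far, once at least `count` exist
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline and len(self.events) < count:
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def probe(port, payload=b""):  # constructed stand-in for a scanner: connect, send, disconnect
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as conn:
        if payload:
            conn.sendall(payload)
```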
Because of their design, most honeypots closely resemble, but are not entirely identical to, a real system. This can be a potential benefit for attackers, allowing them to discover such devices and steer clear of them, or worse, use a known vulnerability to gain a real foothold on the underlying machine. Because low interaction systems emulate only simple protocols and services, attackers may be able to identify such a system by sending more complex requests that the emulation does not handle. High interaction systems generally monitor all system activity and, by design, will normally respond more convincingly to a wider range of requests.
In part 2 of this blog post series we will investigate some of the open source offerings and go on to the installation and configuration of a honeypot cluster (“honeynet”) on Azure.