Land of Questions and Honey: Honeypots


Land of Questions and Honey


Jung Lee, CyberVista Head of Certification Training Programs

Bee in the Know

Later this week I will be presenting a webinar on how to approach tricky questions that appear on cybersecurity certification exams. The hardest types of questions include answer choices that are misleading. The test makers use these answer choices to tempt and trick you into choosing the wrong answer. At CyberVista, we call this type of question a “honeypot question.” Before you attend the webinar, it will be helpful to understand the honeypot reference as it is used in cybersecurity.

Honey, I Have Root Access

Honeypots are decoy systems, servers, or applications placed where an intruder is likely to find them. They lure attackers away from real, valuable systems, delay them, and give defenders a chance to gather information about who is attacking and how. A honeypot looks like a real system but holds no sensitive data; what it usually does hold is one or more deliberate security flaws that make it an attractive target. Because no legitimate user has any reason to touch a honeypot, nearly every interaction with it is suspicious, which is why honeypot alerts tend to have very few false positives.

What You Can Learn and How You Can Use It

Honeypots are a practical way to gather intelligence on attackers’ methods. As an intruder works on the deliberate flaw in your honeypot, your security team can observe the session and record the attack techniques, exploitation tools, source addresses, and other details that could help identify the intruder. Forensic data captured from a honeypot can potentially serve as evidence if the attacker is prosecuted, provided the honeypot is isolated from production systems (so it cannot be used as a pivot point) and its logs are written to a separate, protected host (so the intruder cannot tamper with them).
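The following is an added example, not code from CyberVista or from this article: a minimal low-interaction honeypot that impersonates an FTP server, accepts any username and password, and records every command, timestamp and credential pair as a forensic event. The decoy banner, the port and the sample attacker payload are all constructed for illustration. The `replay` helper drives the same session logic from a byte string so the capture can be tested without a network.

```python
"""Minimal low-interaction FTP honeypot (added example, not CyberVista's code).

The service holds no real files: it talks just enough FTP to let an intruder
try a login, logs every command with a timestamp, and then fails everything
else. Deploy it isolated from production and ship the JSON events off-host.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banner; a real deployment would mimic whatever the
# surrounding network actually runs so the honeypot blends in.
BANNER = b"220 ProFTPD 1.3.3c Server (files) [10.0.0.5]\r\n"


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


class FtpHoneypotSession:
    """State for one intruder connection. Every line is logged before it is answered."""

    def __init__(self, peer: str):
        self.peer = peer
        self.user = None
        self.events = []      # the forensic trail: one dict per command received
        self.closed = False

    def handle_line(self, line: str) -> bytes:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        self.events.append({"ts": utc_now(), "peer": self.peer, "cmd": cmd, "arg": arg})
        if cmd == "USER":
            self.user = arg
            return b"331 Password required\r\n"
        if cmd == "PASS":
            # Record the credential pair the attacker tried, then pretend it worked
            # so the intruder keeps talking and reveals more of their tooling.
            self.events[-1]["credential"] = {"user": self.user, "password": arg}
            return b"230 Login successful\r\n"
        if cmd == "QUIT":
            self.closed = True
            return b"221 Goodbye\r\n"
        # Anything else is refused, but only after it has been logged.
        return b"502 Command not implemented\r\n"

    def credentials(self):
        return [e["credential"] for e in self.events if "credential" in e]


def replay(payload: bytes, peer: str) -> FtpHoneypotSession:
    """Drive a session from raw bytes (offline testing of the capture logic)."""
    session = FtpHoneypotSession(peer)
    for raw in payload.split(b"\r\n"):
        if raw:
            session.handle_line(raw.decode("latin-1"))
    return session


def _handle(conn: socket.socket, peer: str) -> None:
    session = FtpHoneypotSession(peer)
    with conn:
        conn.settimeout(30)          # do not let a scanner hold the thread forever
        conn.sendall(BANNER)
        buf = b""
        try:
            while not session.closed:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    conn.sendall(session.handle_line(line.decode("latin-1")))
        except (socket.timeout, ConnectionError):
            pass
    for event in session.events:     # one JSON line per event, ready for a log shipper
        print(json.dumps(event))


def serve(host: str = "0.0.0.0", port: int = 2121) -> None:
    """Listen on an unprivileged port (assumption: 21 is forwarded to it) and handle each client in a thread."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_handle, args=(conn, f"{addr[0]}:{addr[1]}"), daemon=True).start()


if __name__ == "__main__":
    # Constructed sample: what a brute-forcing intruder might send.
    captured = replay(b"USER root\r\nPASS toor\r\nLIST\r\nQUIT\r\n", "203.0.113.7")
    print(captured.credentials())
    serve()
```

Run it, point an FTP client or `nc` at port 2121, and every command arrives on stdout as a JSON event. The design choice worth copying is that the honeypot never stores anything an intruder could use and never lets a session linger: it answers just enough to keep them talking, then refuses, logs and times out.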
Honeypots can also be used to detect and thwart insider threats. The Advanced Research and Development Activity (ARDA), a U.S. intelligence-community research organization, held a workshop on using honeypots to expose insider threats. One scenario examined was that of Robert Hanssen, the FBI agent who spied for the Soviet Union and later Russia. The workshop hypothesized that a honeypot-related technology would have alerted authorities to Hanssen’s suspicious activities earlier.

Enticement vs. Entrapment

Speaking of legal issues, honeypots touch on what makes evidence admissible in court. Ethical security professionals use honeypots for enticement only: they set up the honeypot, make it reachable, and passively wait for an intruder to find it and break in. Entrapment is different: actively inducing a particular person to attack a system they would not otherwise have attacked. Where a honeypot is operated by or for law enforcement, entrapment can give the defendant a complete defense, and evidence gathered that way may be excluded. The exact line between the two depends on jurisdiction, so involve legal counsel before relying on honeypot data in a prosecution, and in any case record only what the intruder chooses to do; never prompt them to do it.