Sometimes, cybersecurity can be a cat and mouse game between attackers and defenders of networks. Often on the blue side of the game, where defenders focus their efforts to thwart a cyber attacker, a honeypot may come into play.
A honeypot is a system that acts as a trap or decoy to attract an attacker: it mimics a legitimate system or network with potential vulnerabilities, with the goal of gathering intelligence.
As of 2020 there are many types of honeypots, which can be used to identify types of threats. The entire purpose of a honeypot is to gather intelligence on attackers. In most cases, honeypots offer a way to gather information that can help one understand current threats towards an application or business.
Honeypots monitor traffic coming into the network, from which one can assess the following information:
- What application layer is of interest?
- What data is of interest?
- What is the origin of the attacker? (Proxies, VPNs and other techniques can be used to hide this, so do not always take such information as the absolute truth.)
- Which tools are most likely being used to perform the attack?
- What ports are being targeted?
- At what times are attacks most active?
Example of attempts over the last 15 minutes targeting port 3389 Remote Desktop Protocol (RDP).
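The following added example (not part of the original page) shows how a defender could answer several of the questions above from honeypot connection records, including the count of RDP attempts in the last 15 minutes. The log format, the `parse` and `summarize` helpers, the `NOW` value and the sample lines are all assumptions constructed for illustration; the addresses come from the reserved documentation ranges.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical log format:
# "<ISO timestamp> <source IP> <destination port>"
SAMPLE_LOG = """\
2020-06-01T03:12:45 192.0.2.99 23
2020-06-01T09:31:02 198.51.100.23 22
2020-06-01T09:44:59 203.0.113.7 3389
2020-06-01T09:47:10 203.0.113.7 3389
2020-06-01T09:47:12 203.0.113.7 3389
2020-06-01T09:52:40 192.0.2.99 3389
2020-06-01T09:55:05 198.51.100.23 445
not-a-log-line
2020-06-01T09:58:30 203.0.113.7 3389
"""
NOW = datetime(2020, 6, 1, 10, 0, 0)  # constructed "current time" for the sample


def parse(log):
    """Return (timestamp, source, port) tuples, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue  # bad timestamp or non-numeric port
    return events


def summarize(events, now, port=3389, window=timedelta(minutes=15)):
    """Answer the questions above: targeted ports, active hours, recent attempts."""
    recent = [e for e in events if e[2] == port and now - window <= e[0] <= now]
    return {
        "top_ports": Counter(e[2] for e in events).most_common(3),
        "busiest_hours": Counter(e[0].hour for e in events).most_common(2),
        "recent_attempts": len(recent),
        # Source addresses may be proxies or VPN exits, not the true origin.
        "recent_sources": Counter(e[1] for e in recent).most_common(),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG), NOW).items():
        print(f"{key}: {value}")
```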