What is a Honeynet?
A Honeynet is a type of honeypot - or resource whose value is being probed, attacked, or compromised - that is designed specifically for research. The traditional value of honeypots has been their ability to deceive blackhats and detect attacks. Smokescreen Product Manager Amir Moin elaborates on the value of honeypots: “Organizations can reap a myriad of benefits from deploying honeypots as part of a comprehensive threat detection strategy. Quality deception technology can help identify targeted threats with a very low rate of false positives. This technology is highly effective in detecting credential phishing attacks, identifying privilege escalation and lateral movement, protecting remotely accessible services and improving active directory security.”
A Honeynet is different from a traditional honeypot - it can be categorized as a research honeypot. This does not make it a better solution than a traditional honeypot; merely it has a different purpose. Instead of a honeynet’s value lying in the ability to detect or deceive attackers, its value lies in the ability to gain information on threats. The two biggest design differences between classic honeypots and honeynets are:
- A honeynet is not a single system, but rather a network of multiple systems. This network sits behind an access control device where all inbound and outbound data is controlled and captured. This captured information is then analyzed to gain insight into the tools, tactics, and motives of the blackhat community. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, Cisco router, Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server or a web server administrators can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications or vulnerabilities. Having a variety of operating systems and applications enables researchers to accurately profile specific blackhat trends and signatures.
- All systems placed within the Honeynet are standard production systems. These are real systems and applications - the same ones that are found on the Internet. Nothing is emulated nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same as those that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet.
It is these two design differences that make a Honeynet primarily a research tool. It can be used as a traditional honeypot, for purposes such as detecting unauthorized activity; however, a Honeynet requires significantly more work, risk and administration. It is simply not worth the effort of building and maintaining a Honeynet merely to detect attacks. For the sole purpose of detecting attacks, administrators are far better off with the simpler honeypot solution mentioned above.