Honeypots: the bitter candy for cybercriminals

representación de honeypots para ciberseguridad


One of the biggest challenges posed by the advancement of digitization in the industrial sector is to guarantee the security of information in critical infrastructures. Until recently, the industry’s OT and IT networks remained isolated, making it easier to ensure security in the operations network. Today, for reasons of efficiency and cost reduction, both networks coexist. This offers multiple advantages but also makes these networks more prone to cyberattacks. These attacks directed at systems that offer essential services, such as power plants, transportation systems, and hospitals, can create serious damage not only economically for the organization itself, but also for the safety of its users . For this reason, it is essential that organizations implement strong security measures to protect their systems and industrial networks.

A good starting point to improve security in the organization is to identify weak points of the industrial network through complementary security tools such as industrial honeypots. These tools have been used in the FACENDO 4.0 project with the objective of improving the safety of the automotive industry of the future.


Sweet baits to detect vulnerabilities

Honeypots are computer systems designed to appear vulnerable and attractive to attackers, so that they interact with them, enabling the study of their techniques and behaviors. By implementing industrial honeypots, organizations can gain insights of the threats they face, as well as improve their ability to detect and respond to cyberattacks.

According to Eric Cole, Ronald Krutz and James Conley, honeypots are “systems designed to look like something an intruder could attack” specifying that “they are built for many purposes, being the main one to deflect attacks and learn from them without compromising network security”. From the above, we can determine that these are security devices whose function is to decoy cybercriminals, keeping them away from the organization’s critical systems.

It is important that, when installing a honeypot in the network, its three basic principles are taken into account:

  • Honeypots are not production systems, so there should be no interaction with them
  • All traffic directed to a honeypot is potentially malicious
  • Any outgoing traffic implies that the honeypot has been compromised


The honeypot is a Swiss penknife of security

A honeypot deployed in an industrial network helps solving multiple security problems. On the one hand, it allows threats to be detected before they can cause real damage by luring attackers into a controlled environment, so the security team can analyze the techniques used to improve defense against future attacks. In addition, it allows to protect the organization’s critical assets by deceiving attackers into controlled environments, away from real systems. Another benefit that honeypots offer is that, after an attack is registered, they provide forensic information that can be analyzed by the security team and that will make it possible to identify the source of the attack and fortify the system against damage, identifying also possible vulnerabilities in the industrial network. 


The real vulnerability of honeypot

Despite the advantages offered by the use of honeypots for the security of an organization, it should be taken into account that they also have disadvantages. It is possible that the honeypot is identified by the attackers and they avoid interacting with it or, on the contrary, that the attacker interacts with it and generates false information that could mislead an analyst, or even attack the honeypot. It is also important to note that there is a risk that if a honeypot is not correctly configured, the attacker will take over the machine and can carry out lateral attacks against other assets of the organization.


Three types of honeypots

Usually, honeypots are classified based on the type of interaction they offer to the cyber attacker, differentiating between low, medium or high interaction honeypots. This level of interaction is important because it is linked to the existing possibilities of being discovered as an emulated system, to the amount of information that can be collected and to the risk that the organization is willing to assume.

Low-interaction honeypots simulate a specific service and allow the attacker to perform basic interactions, usually showing certain available ports but with limitations. Among its main advantages is its ease to be installed and configured, on the other hand, they are usually easily detectable and provide little information. Some of the honeypots of this type are the well-known HoneyD, Dionaea or Nepenthes.

Medium-interaction honeypots seek a trade-off between low-interaction and high-interaction honeypots, being easy to deploy while avoiding the risks introduced by high-interaction honeypots and overcoming the limitations of low-interaction honeypots. They are capable of capturing different malware samples that are attempted to be loaded onto devices by attackers. Some examples of this type of honeypots are Kippo and Cowrie.

High interaction honeypots are real devices in all respects, with an operating system and services configured, so they should not be considered as a product that is installed on a system. They are composed of a set of tools, an architecture, or an entire network of systems that are deployed to be attacked. Despite the integration and maintenance efforts involved, it must be taken into account that they are the most attractive to attackers, since they support all kinds of interactions, being the ones that can collect the most information and, therefore, the most useful from a research point of view. Some examples of this type of honeypots are HonSSH or Shiva.


The importance of location

In addition to the type of interaction chosen, these systems will provide more or less information depending on where they are located. Thus, if a honeypot is deployed in the external network, it is expected that cyber attackers will interact more with the system and therefore the information obtained will be more valuable to reinforce the organization’s network. Being deployed in an external network, the information collected by honeypots will not be altered by internal elements such as IDS or firewalls that can modify or block malicious actions. On the other hand, in case the honeypot is compromised, the internal network should not be affected.

Thanks to the properties and functionalities that they offer us, honeypots can be considered as valuable tools in order to improve network security. Although its results are useful for the expert, its use in conjunction with other security measures is recommended.

In Gradiant we use the data from the honeypots to classify the different types of attacks received using Machine Learning techniques, as well as to predict the volume of attacks that a certain organization will suffer. In this way, we value all the information provided by these systems to incorporate them into Industry 4.0.


Author: Araceli Goiriz Seoane, research engineer in the Security & Privacy department at Gradiant.





Facendo 4.0 (Industrial Competitiveness and Electromobility through Innovation and Digital Transformation) is the project launched by Stellantis Vigo, within the framework of the 4th call for aid from the Smart Factory Program of Xunta de Galicia, with the objective of contributing to increasing competitiveness and strengthening the business fabric of the Automotive Sector in Galicia.