Honeypots/Honeynets

This section discusses the honeypot, a device that is unique among security devices. The honeypot is a computer that is configured to attract attackers to it, much as bears are attracted to honey. In practice, these devices will be placed in a location so that if an attacker is able to get around the firewall and other security devices, this system will act as a decoy, drawing attention away from more sensitive assets.

Goals of Honeypots

What is the goal of a honeypot? It can be twofold and will vary depending on who is deploying it. The honeypot can act as a decoy that looks attractive enough to an attacker that it draws attention away from another resource that is more sensitive, giving you more time to react to the threat. A honeypot can also be used as a research tool by a company to gain insight into the types and evolution of attacks and give it time to adjust its strategies to deal with the problem.

The problem with honeypots? They need to look attractive but not so attractive that attackers will know that they are being observed and that they are attacking a noncritical resource. Ideally, you want an attacker to view the resource as vulnerable and not so out of place that he or she can detect that it is a ruse. When you configure a honeypot, you leave out patches and leave in the minor configuration weaknesses that someone might overlook and that an attacker will expect to find with a little effort.

A honeypot is a single system put in place to attract an attack and buy you more reaction time in the event of an attack. Under the right conditions, the honeypot will assist you in detecting an attack earlier than you would normally and allow you to shut it down before it reaches production systems.

A honeypot also can be used to support an additional goal: logging. By using a honeypot correctly and observing the attacks that take place around it, you can build a picture from the logs that will assist you in determining the types of attacks you will be facing. Once this information is gathered and a picture is built, you can start to anticipate the attacks and then plan and defend accordingly.
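As an added illustration of building that picture (this example is not from the original text), the Python below reads a honeypot event log and summarizes each source's activity. The log line format, the event names, and the addresses are assumptions constructed for the example; real honeypot software has its own formats.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. Assumed format: time, source IP, port, event, detail
SAMPLE_LOG = """\
2024-05-01T02:14:07 198.51.100.23 22 login_attempt root
2024-05-01T02:14:12 198.51.100.23 22 login_attempt admin
2024-05-01T02:20:41 203.0.113.77 23 connect -
2024-05-01T02:20:45 203.0.113.77 80 connect -
2024-05-01T02:20:49 203.0.113.77 445 connect -
2024-05-01T03:02:10 198.51.100.23 22 login_attempt root
this line is malformed and is skipped
"""

def parse_line(line):
    """Return (time, src, port, event, detail), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], int(parts[2]), parts[3], parts[4]
    except ValueError:
        return None

def summarize(log_text):
    """Per-source picture: first/last seen, ports touched, usernames tried."""
    sources = defaultdict(lambda: {"first": None, "last": None,
                                   "ports": set(), "users": Counter()})
    for when, src, port, event, detail in filter(None, map(parse_line, log_text.splitlines())):
        s = sources[src]
        s["first"] = min(s["first"] or when, when)
        s["last"] = max(s["last"] or when, when)
        s["ports"].add(port)
        if event == "login_attempt":
            s["users"][detail] += 1
    return dict(sources)

def classify(summary, sweep_ports=3):
    """Label each source by what the honeypot saw it do."""
    labels = {}
    for src, s in summary.items():
        if s["users"]:
            labels[src] = "credential guessing"
        elif len(s["ports"]) >= sweep_ports:
            labels[src] = "port sweep"
        else:
            labels[src] = "probe"
    return labels
```

Because a honeypot serves no legitimate users, every source that appears in the summary is worth reviewing; the labels only help sort what to look at first.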

Building upon the core goal of a honeypot, which is to look like an attractive target, the next step is to set up a honeynet, which extends the lessons and goals of the honeypot from one vulnerable system to a group of vulnerable systems or a network.

Legal Issues

One issue that comes up when discussing honeypots and honeynets is legality. Basically, the question is, if you put a honeypot out where someone can attack it and someone does, can you prosecute for a crime, and would the honeypot be admissible as evidence? Some people feel that this is a cut-and-dried issue of entrapment, but others disagree. You should look at this a little more closely to understand the issue.

It has been argued that honeypots are entrapment because when you place one out in public, you are enticing someone to attack it—at least that’s the theory. In practice, attorneys have argued this point a handful of times without success because of certain issues that have come up in other cases. Consider the police tactic of placing undercover female officers on a street corner playing the role of a prostitute. When officers stand there, they simply wait and don’t talk to anyone about engaging in any sort of activity, but when people approach the officer and ask about engaging in an illicit activity, they are arrested. A honeypot would be the same situation. No one forces attackers to go after honeypots; the attackers decide to do so on their own.
