# BSIDES PR 2024

### Get presentation

You can download the presentation below:

{% file src="https://306939750-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOw1g59EDS2MC1H8ImSoO%2Fuploads%2F0qO3mcqHYar7sjI6fBiV%2FExported-Honeypot%20with%20Caution%20-%20BsidesPR%20v1.pdf?alt=media&token=711d0791-1031-450e-8b84-7207c4a99179" %}

### Honeypot definition

A honeypot is a cybersecurity defense resource whose value lies in being probed, attacked, or compromised.

A honeypot is a security mechanism that creates a virtual trap to lure attackers.

Common characteristics:

* Deceptive
* Discoverable
* Interactive
* Monitored

### Honeypot types

#### Research

* **Research Honeypots** typically manifest as simulated systems or services and are primarily used to observe attacker behavior or track the spread of malware. These honeypots generate extensive log data but generally do not interact deeply with attackers. Therefore, they are considered **low-interaction honeypots**.

| Talking Points                       | Description                                                                                                   |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------- |
| Observation of Attacker Behavior     | Research honeypots are utilized to observe the behavior of attackers, providing insights for threat analysis. |
| Tracking Self-Replicating Malware    | They are instrumental in tracking the spread and behavior of self-replicating malware across networks.        |
| Utilization by Threat Researchers    | These honeypots are primarily used by threat researchers to gather intelligence on cyber threats.             |
| Public Accessibility                 | Research honeypots are typically visible from the internet, allowing for widespread data collection.          |
| Generation of Log Data               | They generate extensive log data, providing valuable information for analysis and research purposes.          |
| Manifestation as Systems or Services | They manifest as simulated systems or services, mimicking real-world targets to attract attackers.            |

#### Production

* **Production Honeypots**, on the other hand, function as Intrusion Detection Systems (IDS) within a network. They generate alerts upon detecting suspicious activity and may trigger responses if attackers interact with them. Since they actively monitor and respond to network activity, they are considered **high-interaction honeypots**.

| Talking Points                      | Description                                                                                                      |
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| Intrusion Detection System (IDS)    | Production honeypots function as IDS, detecting the presence of attackers within a network.                      |
| Deployment by Blue Teamers          | Blue teamers deploy these honeypots for defensive purposes, enhancing the security posture of their networks.    |
| Internal Visibility                 | They are visible internally within the network, allowing for monitoring and detection of internal threats.       |
| Alert Generation                    | Production honeypots generate alerts upon detecting suspicious activity, enabling timely response to threats.    |
| Manifestation as Services or Tokens | They manifest as services or tokens within the network, mimicking legitimate assets to lure attackers.           |
| Low False Positive Rate             | Known for their low false positive rate, as legitimate traffic is minimal within honeypot environments.          |
| Concealment from Attackers          | They are designed to be difficult for attackers to differentiate from genuine assets within the network.         |
| Triggered Response                  | If attackers identify and interact with a production honeypot, it triggers a response for further investigation. |
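As an added example (not from the talk or its slides), a minimal low-interaction decoy service in Python that shows the characteristics above at work: it is discoverable (listens on a port), interactive (answers with a fake SMTP banner), monitored (records what the client sends) and, in production-honeypot fashion, turns every contact into a high-severity alert. The port, banner and addresses are constructed values.

```python
import json
import socket
from datetime import datetime, timezone

FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"  # constructed decoy banner
MAX_CAPTURE = 512  # bytes of client input kept per session

def classify(payload: bytes) -> str:
    """Coarse tag for triage; any contact with a decoy is suspect."""
    if not payload:
        return "probe"  # connect-and-close, typical of a port scanner
    text = payload.decode("ascii", errors="replace").upper()
    if text.startswith(("EHLO", "HELO", "AUTH")):
        return "smtp-interaction"  # client is talking to the fake service
    return "unknown-protocol"

def build_alert(src_ip, src_port, dst_port, payload, when=None):
    """Alert record. Severity is always high: no legitimate client should
    ever reach the decoy, which is why honeypot alerts have few false positives."""
    when = when or datetime.now(timezone.utc)
    return {"ts": when.isoformat(), "source": "honeypot", "severity": "high",
            "src_ip": src_ip, "src_port": src_port, "dst_port": dst_port,
            "category": classify(payload), "bytes_captured": len(payload),
            "sample": payload[:MAX_CAPTURE].decode("ascii", errors="replace")}

def handle_session(conn, peer, dst_port, timeout=5.0):
    """Send the banner, capture up to one line of client input, close, alert."""
    conn.settimeout(timeout)
    captured = b""
    try:
        conn.sendall(FAKE_BANNER)
        while len(captured) < MAX_CAPTURE and b"\n" not in captured:
            chunk = conn.recv(256)
            if not chunk:
                break
            captured += chunk
    except OSError:  # timeout or reset: the contact itself is still an alert
        pass
    finally:
        conn.close()
    return build_alert(peer[0], peer[1], dst_port, captured)

def serve(port=2525, sink=print):
    """Listen on an otherwise unused port; emit one JSON alert per connection."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, peer = srv.accept()
            sink(json.dumps(handle_session(conn, peer, port)))
```

Call `serve()` to start listening; point `sink` at your SIEM forwarder instead of `print` to ship the alerts.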

### References

{% embed url="https://chrissanders.org/2020/09/idh-release/" %}

{% embed url="https://github.com/telekom-security/tpotce" %}

{% embed url="https://securityonionsolutions.com/software" %}

{% embed url="https://github.com/OpenCTI-Platform/opencti" %}
