In computer security, a honeypot is a trap set to detect, deflect, or counteract attempts at unauthorized or malicious use of information systems. Generally, a honeypot is a decoy server or end station that appears to be part of a network, but is actually isolated and monitored, and which appears to contain information or a resource of value to attackers. Because a honeypot serves no production purpose, any interaction with it is suspect, and by maintaining a record of the attacker's activities a honeypot allows system operators to learn how attackers probe and attempt to gain access to end stations. Further, honeypots may also gather evidence to assist in the apprehension or prosecution of attackers.
In essence, honeypots are security resources that are intended to be probed, attacked, and compromised so that information about the attacker and the attacker's techniques can be discovered. Honeypots are commonly divided into research honeypots, which are deployed to study the threats and techniques currently in use, and production honeypots, which are placed within a production network (i.e., a network actively used for purposes unrelated to threat detection) alongside the production computing resources used by authorized users of that network, in order to improve the security of the production network. Honeypots may also be classified as either high-interaction or low-interaction. High-interaction honeypots typically utilize actual computing resources or software (e.g., a fully installed and configured Unix system) to interact with potential attackers and so provide a detailed and complete view of an attack, whereas low-interaction honeypots typically emulate one or more potentially vulnerable services or pieces of software (e.g., a standalone FTP server, or a standard Unix server with several commonly attacked services such as Finger, Telnet, and FTP). Because an emulated service offers the attacker no real system to take over, a low-interaction honeypot typically cannot become infected or compromised by an attack, at the cost of recording less of the attacker's activity than a high-interaction honeypot would.
Some security approaches have turned to the use of “honey tokens” to attempt to detect intrusions. The term “honey token” refers to honeypots that are not servers or server end stations. Instead, honey tokens are typically pieces of information placed in server data repositories that are easy to detect when used, and are rarely (if ever) used by an authorized user. For example, a honey token could be a user account configured for a server or server end station that is not assigned to or used by any authorized user, or a database entry that would typically only be selected by a malicious query. Thus, a compromise of the server (i.e., a data breach) can be identified when a honey token is detected outside of the server's data repository, or when an access to the honey token within the server data repository occurs. For example, upon an attempted use of the user account honey token (e.g., an attempt to log on to a server) or an attempted access of the database entry including a honey token, an alarm can be issued to indicate the compromise.
Accordingly, the use of honeypots and honey tokens is fairly widespread in Web security, malware, and phishing research. However, it is very difficult to employ honeypots effectively to guard against threats that are internal to an organization (as opposed to threats coming from outside the organization), because an attacker who already has a foothold inside the network can quickly distinguish a honeypot from a production server by observing that no network traffic is directed to the honeypot from authorized internal users. Additionally, the use of honey tokens for detecting internal threats is problematic because an attacker may never use a discovered honey token despite having compromised a server (or may only use it much later, after much damage has already been done), and thus the compromise will not be detected. Further, attempting to detect an access to a honey token stored within a server data repository leads to many "false positive" compromise alerts: a honey token placed within a database record may inadvertently be accessed by authorized users performing legitimate tasks (such as generating reports based upon historical information from the database). The presence of the honey token may also affect the accuracy of information obtained from the database, and of any other application that depends upon the integrity of the information in the database, because the fabricated record is indistinguishable from real data to the queries that aggregate it.
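The following is an added worked example, not code from the original page, that demonstrates both the honey-token detection described above (a decoy login account and a decoy database entry that should never be touched by an authorized user) and the two problems with database honey tokens raised in the preceding paragraph: a legitimate historical report returning the planted row produces a false positive, and the planted row skews an aggregate statistic. All identifiers, the customer table and the sshd-style log lines are constructed for the example; `m.ravel@example.invalid` and `svc-backup-legacy` are hypothetical decoy names.

```python
import re
import sqlite3

# Constructed sample data and identifiers (hypothetical, not from the original page).
HONEY_TOKEN_EMAIL = "m.ravel@example.invalid"   # decoy database entry: no real customer
HONEY_TOKEN_ACCOUNT = "svc-backup-legacy"        # decoy login: assigned to no authorized user

CUSTOMERS = [
    # (id, email, balance, created)
    (1, "a.lee@example.com", 120.0, "2021-03-01"),
    (2, "b.ng@example.com", 80.0, "2022-07-15"),
    (3, HONEY_TOKEN_EMAIL, 100000.0, "2019-01-01"),   # planted honey token row
    (4, "c.ortiz@example.com", 60.0, "2023-02-10"),
]

# Constructed sshd-style log lines: the decoy account is tried once and then succeeds.
AUTH_LOG = [
    "Jan 12 03:14:07 db1 sshd[4021]: Accepted publickey for alice from 10.0.1.20 port 51234 ssh2",
    "Jan 12 03:15:44 db1 sshd[4033]: Failed password for svc-backup-legacy from 10.0.1.77 port 40122 ssh2",
    "Jan 12 03:16:02 db1 sshd[4035]: Accepted password for svc-backup-legacy from 10.0.1.77 port 40130 ssh2",
    "Jan 12 03:20:11 db1 sshd[4040]: Accepted publickey for bob from 10.0.1.21 port 51240 ssh2",
]

_AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def build_db():
    """Create an in-memory customer table that includes the planted honey token row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, balance REAL, created TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def run_monitored_query(conn, sql, params=()):
    """Execute a query and flag it if the honey token appears in the result set.

    Returns (rows, alert). Detection is by value in the returned rows, so an
    aggregate such as SELECT COUNT(*) reads the token row without triggering,
    while any query that happens to return the row (legitimate or not) does.
    """
    rows = conn.execute(sql, params).fetchall()
    alert = any(HONEY_TOKEN_EMAIL in str(value) for row in rows for value in row)
    return rows, alert


def average_balance(conn, exclude_token):
    """Mean balance, with or without the planted row, to show the integrity skew."""
    if exclude_token:
        sql = "SELECT AVG(balance) FROM customers WHERE email != ?"
        return conn.execute(sql, (HONEY_TOKEN_EMAIL,)).fetchone()[0]
    return conn.execute("SELECT AVG(balance) FROM customers").fetchone()[0]


def scan_auth_log(lines):
    """Return (result, source) for every authentication attempt against the decoy
    account, successful or not: no authorized user should ever try it."""
    hits = []
    for line in lines:
        m = _AUTH_RE.search(line)
        if m and m.group("user") == HONEY_TOKEN_ACCOUNT:
            hits.append((m.group("result"), m.group("src")))
    return hits


if __name__ == "__main__":
    conn = build_db()
    for label, sql in [
        ("attacker hunting the richest account",
         "SELECT email, balance FROM customers ORDER BY balance DESC LIMIT 1"),
        ("legitimate historical report (false positive)",
         "SELECT email FROM customers WHERE created < '2020-06-01'"),
        ("targeted lookup by id",
         "SELECT email FROM customers WHERE id = 1"),
    ]:
        _, alert = run_monitored_query(conn, sql)
        print(f"{label}: alert={alert}")
    print("avg balance with token:", average_balance(conn, False),
          "without:", average_balance(conn, True))
    print("decoy account attempts:", scan_auth_log(AUTH_LOG))
```

Running the script shows the three behaviours the text describes: the query an attacker would run to find the most valuable record returns the decoy and alerts, the historical report returns the same decoy and alerts just as loudly, and the average balance is inflated from about 87 to 25065 by the planted row. The login-account honey token has no such false-positive problem, since no legitimate workflow ever references a decoy account, which is why the decoy-account scan alerts on the failed attempt as well as the successful one.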