Four Honeypots

What is a Honeypot?

A honeypot is an asset designed to capture information about access and exploitation attempts. Honeypots are the most commonly used intruder trap in the security industry, as they have been traditionally used on the open Internet to capture public-facing attacker behaviour.

In today’s world, there is so much activity, scanning, and exploitation attempts on the open Internet that it takes a research team to understand all of the data a public-facing honeypot can capture.

Rapid7 Honeypots

A honeypot is a virtual server that you can deploy on your network from InsightIDR. Honeypots can look like any other machine on the network, or they can be deployed to look like something an attacker could target. You can have a single honeypot or multiple honeypots, and you can deploy them straight out of InsightIDR.

How Do They Work?

Honeypots lie in wait for “attacker” events to happen, such as a port scan or attempted user authentication, which immediately sets off an alarm. If you deploy the Rapid7 Honeypot and enable the associated alerts in InsightIDR, you will be notified if such activity occurs. Once attackers find an initial foothold in a network, their next step is typically a network scan to identify all the other assets in the network. All scanning or connection attempts are allowed. Each time a connection is attempted, the honeypot captures information about the source asset (and potentially user) associated with the connection. This data is immediately pushed up to the Insight platform, generating a Honeypot Access Alert.