Confusion About Honeypots

28 Jun 2009 Lance Spitzner

Honeypots have been actively used by the security community for over ten years now.  They are used for a variety of purposes, but now a days primarily for information gathering.   When honeypots first were being used they generated a great deal of discussion about the legal issues.  However, through the years this debate has died down, most organizations feeling these issues are minor.  I just wanted to share an update on these thoughts.

First, did you know that almost every security vendor (such as Symantec, MCafee, Websense, Sophs) and many country CERTs in the world are actively deploying these to help secure the Internet? Second, honeypots do not entice, trick or trap people.  Cyber attackers have to actively probe for and find honeypots on their own initiative, then break into the systems.  These are systems that have no production value, no one should be interacting with them.  In addition, these systems have no open accounts, they only way you can access the honeypot is to break into it.  Finally, no real monitoring happens until after the attacker breaks into the honeypot.  Lets use a non-technical example and compare this concept to car theft.  Say there was a large parking lot where a great deal of car theft was happening.  Law enforcement could put a car on the parking lot, lock the car, then put a video camera on it.  No one should be entering the car because no one is using it and the car is locked.  However if someone finds the car on their own initiative, breaks the locks, gets into the car then drives off that is when monitoring would be happening.  The same is true with honeypots.  Full data collection does not happen until the system is attacked, until the lock is broken.

If you are interested in more on the legal issues of honeypots, one of the best sources is still from our Know Your Enemy book, with the legal chapter freely available.


Lance Spitzner

President, Honeynet Project