Honeypots are generally used to supplement other IT security components, such as intrusion detection systems (IDS) and firewalls. What makes honeypots particularly valuable is their ability to collect highly relevant data for administrators. Because a honeypot doesn’t take on any actual network function, any activity taking place on it is a potential threat, so all data collected by a honeypot is relevant to your system’s security. If production systems are monitored instead, the analysis requires an additional step in which the data relevant to the attack has to be separated from the rest of the system’s dataset.
One thing to take into consideration, however, is that not every honeypot delivers valuable information. If the bait on offer is too unattractive or too difficult to find, it may be that no attacks happen at all. In that case, the investment made in this security system was a waste of money.
Honeypots can reveal crucial data to companies, but they also present additional risks. Because the decoy system actively baits hackers, there’s always the risk that a break-in into the honeypot leads to further damage in the network. This risk can be reduced by maximizing the separation between honeypots and production systems, and by permanently monitoring all activity within the bait systems. It’s also important to take into account that hackers could use a compromised honeypot to launch attacks on external systems. To prevent honeypots from being used as starting points for attacks, it’s crucial to keep outbound connections to an absolute minimum.
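The following sketch illustrates the two points above: every contact with the decoy is treated as relevant without filtering, and any outbound connection from the decoy beyond a single permitted destination is flagged as critical. It is an added example, not code from the original article; the address ranges, the log collector and the flow-record format are all constructed assumptions.

```python
import ipaddress

# All addresses and the record format below are constructed for this example.
HONEYPOT_NET = ipaddress.ip_network("10.99.0.0/24")    # isolated decoy segment
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")  # production systems
ALLOWED_EGRESS = {("10.50.0.5", 6514)}                 # log collector only

# Constructed flow records: timestamp src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 203.0.113.7 51234 10.99.0.10 22
2024-05-01T10:00:09Z 10.99.0.10 40000 10.50.0.5 6514
2024-05-01T10:02:30Z 10.99.0.10 40122 10.10.3.20 445
2024-05-01T10:03:02Z 10.99.0.10 40123 198.51.100.9 80
2024-05-01T10:04:00Z 10.10.3.20 50000 10.10.3.21 443
"""

def classify(src, dst, dport):
    """Return (severity, reason), or None when the honeypot is not involved."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip in HONEYPOT_NET:
        # The decoy has no production role, so every contact is relevant.
        return ("alert", "contact with decoy")
    if src_ip not in HONEYPOT_NET:
        return None
    if (dst, dport) in ALLOWED_EGRESS:
        return ("info", "expected egress to log collector")
    if dst_ip in PRODUCTION_NET:
        return ("critical", "decoy reached production network")
    return ("critical", "unexpected outbound connection from decoy")

def triage(flow_text):
    """Classify every record; return (timestamp, severity, reason) tuples."""
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts, src, _sport, dst, dport = fields
        verdict = classify(src, dst, int(dport))
        if verdict:
            findings.append((ts, *verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(*finding)
```

Detection of this kind complements, rather than replaces, firewall rules that block the decoy segment’s outbound traffic in the first place.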
If a high-interaction server honeypot is equipped with the same security systems as the production system, it can also be used for quality control. In this case, the collected data delivers direct feedback on how effective the security system is. If an infiltration is registered in the honeypot, it’s also important to check whether the production system has been infiltrated. What’s more, both systems have to be adjusted in order to defend against future attacks that follow similar patterns.