Honeypots: Free psy-ops weapons that can protect your network before defences fail
You catch more crooks with honey than vinegar
The hackers breached the transport operator's systems and, before they knew it, had sent a passenger train hurtling into a wall. And the only reason you didn't read about it in the papers was that the systems were an entirely fictitious network created in 2015 to test just how far snoopers or crims would go in attacking vulnerable transport systems.
"HoneyTrain was also a great experiment to analyze the adversary's moral limits," says Lukas Rist (@glaslos), chief research officer with the Honeynet Project, which helped build the fake train system known as the HoneyTrain. "They had attackers derailing a train or running the train at full speed into a dead end."
Over the course of two weeks, HoneyTrain [PDF], complete with working model trains and real security CCTV camera footage of train stations, suffered a staggering 2.7 million attacks.
Those attacks are a graphic demonstration of "honeypots", the practice of deliberate deception aimed at observing attackers.
The practice is widely used in information security circles, thanks largely to the Honeynet Project, a much-respected non-profit security initiative that maintains and advocates for honeynets through 23 global chapters. Honeypots, and the much larger and more complex honeynets, are popular research tools for luring attackers and revealing their tools and tactics, but they also operate as a line of defence for corporate networks.
A honeypot works like this: A hacker breaks into what they think is an unpatched and forgotten server on a company's corporate network, grabbing what appear to be privileged Active Directory accounts from one place and watching what looks like traffic indicating user activity. To the hacker, it looks like the entry point into a multi-million dollar enterprise.
But it's all a mirage. All the servers they have accessed are carefully prepared fakes, designed by corporate security to make the attacker believe they have broken into the corporate network. The attacker has wasted their time and, worse, revealed their attack techniques. Some even waste a piece of custom malware on the decoy.
And that's just the way honeypot operators like it.
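The decoy accounts described above pay off when someone actually tries to use them: no legitimate process ever logs on with a planted account, so a single logon attempt is a high-fidelity alert. The sketch below is an added example, not code from the Honeynet Project or the article; the decoy account names, the log format and the log lines are all constructed for illustration.

```python
"""Alert on any logon that uses a decoy ('honey') Active Directory account.

The decoy server from the article holds planted account names that look
privileged. Legitimate users and services never touch them, so every logon
attempt with one, successful or not, points at someone who harvested
credentials from the decoy. Account names and log lines are constructed.
"""
from dataclasses import dataclass

# Constructed decoy account names (hypothetical; planted on the decoy host).
HONEY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}


@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    account: str
    source_host: str
    outcome: str  # "success" or "failure"


def parse_logon_line(line: str) -> LogonEvent:
    """Parse a simplified 'timestamp|account|source_host|outcome' record (constructed format)."""
    ts, account, src, outcome = line.strip().split("|")
    # Normalise case: AD account names are case-insensitive.
    return LogonEvent(ts, account.lower(), src, outcome.lower())


def find_honey_logons(lines, honey_accounts=HONEY_ACCOUNTS):
    """Return every logon event, failed or successful, that used a decoy account."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines in the feed
        event = parse_logon_line(line)
        if event.account in honey_accounts:
            alerts.append(event)
    return alerts


def suspect_hosts(alerts):
    """Hosts that used a decoy account: the places an investigation should start."""
    return sorted({event.source_host for event in alerts})


# Constructed sample log: two ordinary logons and two decoy-account attempts.
SAMPLE_LOG = """\
2024-01-01T10:00:01|alice|ws-01|success
2024-01-01T10:00:05|SVC_BACKUP_ADMIN|ws-77|failure
2024-01-01T10:00:09|bob|ws-02|success
2024-01-01T10:01:30|da_legacy|srv-db-03|success
"""

if __name__ == "__main__":
    hits = find_honey_logons(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"ALERT decoy account {hit.account} used from {hit.source_host} ({hit.outcome})")
    print("investigate:", suspect_hosts(hits))
```

Note that the failed attempt is reported as well: an attacker who harvested the decoy credentials announces themselves on the first try, whether or not the logon works.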
"We are providing a system that looks like a potential target to an adversary while we try to collect as much information about his tactics, techniques, and procedures," the Project's Lukas Rist says.
Security researchers love honeypots because they allow them to create networks that look like real-world critical systems in a bid to lure those who would disable or destroy, along with the myriad of harmless curious minds.
HoneyTrain is one of these endeavours, but there are scores more. Researchers have revealed hackers willing to break into medical devices, petrol (gas) stations, SCADA systems, and, of course, hopelessly insecure home routers.
The HoneyTrain honeypot. Image: Sophos.