Placeholder Introduction and Application of Honeypot and Sandbox | SINSMART

The concept and characteristics of Honeypot

1. The concept of Honeypot

The concept of Honeypot began in the late 1980s, and its development can be roughly divided into five stages: the concept period (1989-1997), a new type of defensive thinking; the development period (1998), the release of Honeypot product DTK; perfection period (1999-2003), the honeynet technology was proposed, and the concept of distributed Honeypot appeared; the market application period (2004-2020), it was applied in many fields such as industrial control systems; the innovation and development period (2020-present), Honeypot technology innovation based on new attack methods and threat forms. The definition of Honeypot is: Honeypot is an active network defense technology that uses tools to lure attackers, allowing security personnel to observe attackers. It does not deal with attacks or vulnerabilities, but focuses on the attackers themselves.

2. The characteristics of Honeypot

First, Honeypot is, at its core, deceptive. By disguising as real and high-value decoys, deploying various decoy environments to attract attackers to attack, thus increasing the workload of attackers, delaying attacks and buying time for defense.

Second, Honeypot focuses on attackers. Previous defense methods focused more on the detection and handling of attack behaviors, which belonged to passive defense, while Honeypot focused on attackers, combined with social engineering, to study the behavior habits of attackers, so as to improve the success rate of entrapment.

Third, the advantage of Honeypot lies in discovering unknown attack methods. A major feature of Honeypot is to discover unknown attack methods by recording various behaviors of attackers in Honeypot, reverse the disadvantaged position of defenders, and effectively improve defense capabilities. system-wide multipoint defense.

The concept and characteristics of Sandbox

1. The concept of Sandbox

Essentially, sandboxing is about creating isolated isolated environments that can be used for specific security purposes. Sandbox is widely known as a browser security application to prevent viruses and Trojan horses from infecting the machine through the browser. The main mechanism is to control the calls of processes in Sandbox to local system resources by isolating resources such as processes and memory. Antimalware often uses isolated sandboxes to run malware samples to see how they behave. Inside the sandbox, by running samples of suspected malware, its attack methods can be studied. In the case of unknown software, this method can be used to determine whether a file is safe to run on a managed endpoint. If the software does not perform any malicious actions, it can be relayed to the end user. Again, this technique can be used to further investigate whether a suspected malware sample is a sophisticated campaign or a random target. The current Windows 10 and Windows 11 Professional editions also offer the Sandbox app.

2. Features of Sandbox

Sandbox technology has 4 characteristics:

Completely isolated and lightweight virtualization technology;

Automatically identify specific risky software and run in isolation;

All disk operations are placed in a buffer without real writing;

It is safe and leaves no traces, so you can use it with peace of mind and more peace of mind.

Difference Between Honeypot and Sandbox

The following describes the differences between Honeypot and Sandbox from the three aspects of purpose, implementation and deployment.

1. In terms of purpose

The same point: Whether it is Sandbox or Honeypot, the purpose of deployment is to discover malicious attacks.

Differences: It is necessary to judge the results of the Sandbox operation to determine whether the suspicious code behavior is malicious, and there is a certain false positive rate; the Honeypot is a bait, and any behavior of the Honeypot can be regarded as a malicious behavior, or even an attack behavior, which makes Honeypot has an extremely low false positive rate.

2. In terms of implementation

The same point: virtualization technology is used to build a safe isolation environment, and malicious behaviors and code behaviors are carried out in a safe isolation environment.

The difference: Sandbox mainly imitates an operating system, such as Linux or Windows. Due to performance requirements, it is relatively lightweight, without complex interaction capabilities, and some software components are not installed, which is easy to be detected and evaded by malware; Sandbox is generally Building a complete application system, such as a website, VPN device, etc., requires high performance, but it can realize more complex interactive behaviors, a higher degree of simulation, and is not easy to be discovered.

3. In terms of deployment

The same point: Support multiple deployment methods, which can be deployed independently or integrated with other systems.

The difference: Sandbox is a passive defense method, which is generally called and used, that is, when security equipment or personnel find suspicious files, they will put suspicious files into Sandbox to run detection, output certain analysis results, and be analyzed by technicians; Honeypot is an active Defensive means are generally deployed in the same network segment as the normal operating business system. Normal users will not access Honeypot. Only malicious scanning or security device drainage will access Honeypot, so Honeypot has an extremely low false positive rate. Attacks can be detected quickly.

Application of Honeypot and Sandbox

The following combines the specific applications of Honeypot and Sandbox to help readers better understand the relationship between the two.

1. Application of Sandbox

The Sandbox system is relatively simple in use and deployment. As shown in Figure 1, it is mainly deployed as a bypass device, which can be deployed independently or integrated with APT protection devices. In terms of use: One is manual use. Manually put suspicious files into the Sandbox to run, extract the API call information, file operation information, hash value, etc. of the program running, and quickly obtain the characteristic information of the file. For example, after finding a malicious program, use Sandbox Generate feature information for anti-virus software to upgrade the feature library; the second is to use it in conjunction, such as linkage with APT protection equipment, IPS, IDS and other protection detection equipment. After the protection detection equipment finds suspicious files, it will transfer the files to Sandbox for dynamic analysis. If the risk is high, file transfers are blocked or even malicious IP addresses are blocked. The existence of Sandbox can make up for the lack of dynamic analysis capabilities caused by the over-reliance of common network anti-virus devices on signature databases, and is a useful supplement. At present, many host antivirus software also have the Sandbox function, such as Tinder, but this will increase the occupation of host resources, and there is also the risk of malicious code escape in the Sandbox, so it is not used much in the production environment. Generally speaking, host anti-virus feature anti-virus + anti-virus gateway feature anti-virus combined with the Sandbox system is a relatively safe solution, which can cover the anti-virus requirements at the host level and network level. The independent Sandbox system can avoid the production server. interference.

2. Application of Honeypot

The application of Honeypot is relatively complicated. The deployment process of the author's unit is shared below. Honeypot deployment is divided into the following three steps.

The first step is to choose a suitable location. The essence of the Honeypot lies in trapping, so Honeypots are mainly deployed in three types of positions: the first type is the border part, which can realize the trapping of the initial attack, and a general-purpose Honeypot can be deployed in this part to lure the opponent to scan or even attack, so as to gain the opponent's The second type is near the nodes inside the network, such as the core routers and core switches. When the attacker breaks through the peripheral boundary and moves laterally, he can find his action track as soon as possible, locate the attack path and contain it; the third type is It is deployed in the same network segment of the core system to attract attackers, divert their attention, delay their attack behavior, and buy time for emergency response.

The second step is to deploy common decoys. After the deployment location is determined, a generic decoy can be deployed. Such decoys are mainly CMS systems, VPN devices, mail systems, etc. with high-risk vulnerabilities. They will pretend to be high-value targets with serious vulnerabilities, and attackers can find them through simple scanning and detection, thereby inducing attackers to attack, in order to Expose the attacker's information to achieve the purpose of early warning. But because of its versatility, it is also easier for attackers to see through.

The third step is to customize the deployment of bait and link it with other devices. In order to improve Honeypot's ability to capture attackers, many Honeypot products are deployed with customized baits, using real systems deployed in Honeypot system virtual machines to achieve personalized customization of baits. When faced with an APT attack, the attacker has a more obvious purpose. Compared with the general bait, it is difficult to produce an effect, and the success rate of the customized bait is much higher. At the same time, Honeypot can also be linked with other devices. On the one hand, after discovering the attacker through the Honeypot, you can use the border security device to block it, or use IPS and WAF to formulate custom security rules to block the attack behavior; on the other hand, when the border security device detects the attack When attacking attackers, use the traffic pulling method to guide the attackers into the Honeypot, analyze their attack behavior, and trace the source of the attack. The specific application is shown in Figure 2.


Although Honeypot and Sandbox are very similar in terms of implementation technology, they both build an isolated environment through lightweight virtualization, but they are quite different in specific application deployment and product design goals. To put it simply, Honeypot is an active defense tool that actively traps attackers; Sandbox is a passive defense tool that analyzes suspicious software and discovers attack behavior.

Leave a comment

Your cart