Expert Q&A: How to use honeypots to lure and trap bots

As bots become more sophisticated, detection and blocking need to stay one step ahead of them. In this conversation with Itay Binder, Cyber Security Research Manager at PerimeterX, we discuss one method used to attract and trap bad bots. He explains how PerimeterX uses the honeypot method to achieve better decision making about “bot or not” and how that disrupts the cost model for attackers.

What is the honeypot method? How is this method used to fight bad bots?

When talking about honeypots in cybersecurity, we’re referring to a method used to attract attackers by simulating how vulnerabilities behave in a system or by luring an attacker to a specific endpoint. Since there is no reason for a legitimate user to access this type of endpoint, honeypots are an effective way of differentiating between legitimate human users and bots. Any attempt to communicate with the endpoint is considered suspicious and is easily flagged.

One example of a honeypot is adding an HTML input element on the page, but hiding it using the CSS. Legitimate human users will not be able to see the input element and so will never access it. Another example of a honeypot is to place two clickable elements, one on top of the other, in the same exact position on the page. A legitimate user will only be able to click on the upper element, whereas a bot scanning the page will click on both elements.
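As an added illustration (example code, not PerimeterX's own), here is the first honeypot from that answer with the server-side check behind it, plus the click-log check for the second one; the field name, element ids and form route are assumptions chosen for the example:

```javascript
// Honeypot field name is an assumption; it is picked to look like a real field to a bot.
const HONEYPOT_FIELD = "website_url";

// Markup served to the browser. The honeypot input is moved off-screen and kept out of
// the accessibility tree and tab order, so a human never sees, tabs into or fills it.
function renderForm(action = "/contact") {
  return [
    `<form method="post" action="${action}">`,
    `  <label>Email <input name="email" type="email" required></label>`,
    `  <div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">`,
    `    <label>Website <input name="${HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off"></label>`,
    `  </div>`,
    `  <button type="submit">Send</button>`,
    `</form>`,
  ].join("\n");
}

// Server-side classification of a parsed POST body (plain object of field -> value).
// A browser submits every named text input, even when empty, so the field should be
// present and blank for a real user.
function classifySubmission(body) {
  if (!Object.prototype.hasOwnProperty.call(body, HONEYPOT_FIELD)) {
    // Stricter check: the client did not submit the rendered form as served.
    return { bot: true, reason: "honeypot field absent from submission" };
  }
  if (typeof body[HONEYPOT_FIELD] === "string" && body[HONEYPOT_FIELD].trim() !== "") {
    // A human cannot see the field, so anything typed into it came from automation.
    return { bot: true, reason: "honeypot field filled" };
  }
  return { bot: false, reason: "honeypot untouched" };
}

// Second honeypot from the interview: two clickable elements stacked at the same
// position. Only the top element is reachable by a pointer, so a click log (constructed
// as [{ target: elementId }, ...]) that contains the covered element, assumed id
// "hp-under", came from code walking the DOM rather than from a person.
function classifyClicks(events) {
  const clicked = new Set(events.map((e) => e.target));
  if (clicked.has("hp-under")) {
    return { bot: true, reason: "click on covered honeypot element" };
  }
  return { bot: false, reason: "only visible elements clicked" };
}
```

In production the verdict would feed a risk score rather than block outright, matching the "enrich our data" role the interview describes for honeypots.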

Would a human user ever be exposed to a honeypot?

No. Honeypots are hidden code on a webpage with no visibility to the user when the HTML or JavaScript is rendered in their browser. When a legitimate user browses the webpage they will see the regular webpage. Bots, on the other hand, scan the code and interact with it. For example, a bot might click a link that the hidden code refers to or attempt to scrape a photo that wouldn’t be visible to a legitimate user.

How does the honeypot method fit in with the rest of a bot management approach?

The PerimeterX Platform architecture is based on three elements: the PerimeterX Sensor, the PerimeterX Enforcer and the PerimeterX Detector. Each element is specially designed to work together with the others to handle evolving automated attacks and zero-day threats.

The Sensor collects and sends hundreds of client-side signals to the Detector for analysis. The Detector evaluates data in real time using machine learning and behavioral analytics to create a risk score. The Enforcer is the gatekeeper for threat response policies generated by the Detector.

The honeypot method is one of the ways we enrich our data across all three elements to determine whether or not traffic should be blocked.

Can you give an example of how PerimeterX uses honeypots?

One specific example can be seen in how we are using honeypots in PerimeterX Human Challenge. When we were developing Human Challenge, we started to see a trend of increased CAPTCHA solvers, an extremely cost-effective method attackers use to quickly bypass CAPTCHA challenges. Human Challenge is the first user-friendly verification that protects web and mobile applications from CAPTCHA-solving bots and CAPTCHA farms while also improving the customer’s experience in the application. Without going into too much detail, one way we accomplished this was by focusing on building honeypots to make Human Challenge much more difficult and much more expensive for bots to solve.

How does using honeypots break down the cost model for attackers?

We can arm our honeypots with techniques taken from the cryptographic field, which cause bots that reach the honeypots to have to put effort and computing risk into passing the challenge that is served, like a kind of computing challenge in order to get the page to render.

This will affect performance, especially for large-scale attacks with millions of requests per minute. If the attacker is running a machine on the cloud in order to reach a lot of webpages, they will eventually have to pay for larger CPU usage and memory usage, making the attack less and less profitable. The attacker will experience a slowdown in their performance and a higher resource usage, reducing the likelihood of repeated attacks.

PerimeterX Bot Defender protects your web and mobile applications from bots. It provides the highest level of bot detection accuracy, identifying even the most sophisticated bot attacks. Blocking alone is not enough; different modes of attack response, such as honeypots, misdirection or serving deceptive content, are required for optimal bot management.
