Alert Logic Cloud Security Report: Honeypots Deep Dive

By Jackie Hugele, guest blogger, Alert Logic

Every year since 2011, Alert Logic has been sharing threat research data that we collect from the thousands of organizations that use our security solutions in our Cloud Security Report. Our goal is to help organizations understand if and how the threat landscape differs in cloud versus on-premises environments so you can better protect your organization and yourself.

In our Spring 2014 edition, we added an additional data source: a honeypot network that we deployed in public cloud infrastructure across the globe.

What’s a Honeypot?

First, to level set, a honeypot is a decoy system configured to be intentionally vulnerable, deployed to gather information about attackers and their exploitation methods. While honeypots are not typically the target of highly sophisticated attacks, they are subject to many undefined attacks, and provide a window into the types of threats being launched against the cloud.

Honeypots allow researchers to:


Honeypots are also deployed in the corporate space to find attacks that hit a particular company and/or industry. These honeypots are built on the edge of a corporate network, and made deliberately vulnerable so that they will be compromised.

Alert Logic Honeypot Network & Results

We set up our honeypots in three geographies: North America, Europe and Asia. Here are a few of interesting discoveries we made in our honeypot network:

  • Overall, the highest volume of attacks occurred in Europe, where honeypots had four times the number of attacks as the U.S., and double the number of attacks as Asia. This is likely due to the presence of highly organized crime circuits, which are basically malware factories, in Russia and Eastern Europe. Malware produced in these “factories” is typically tested in Europe before deployment in the U.S. Similarly, honeypots in Asia experienced more than twice as many attacks as those in the U.S. This finding came as something of a surprise, given that the U.S. is generally considered a more valuable target.
  • Worldwide, attacks on Microsoft-DS (Port 445) accounted for the majority (51%) of honeypot incidents. Microsoft-DS (port 445) supports direct hosted “NetBIOS-less” SMB traffic and file-sharing in Windows environments, and it represents an easy target, when open, for accessing files and providing the ability to infect systems.
  • 14% of the malware collected through the honeypot network was considered not detectable by 51 of the world’s top antivirus vendors. This does not mean that the malware is considered a zero-day; rather it indicates that a malicious attacker repackaged an older variant of malware such as Zeus or Conficker.

While highly sophisticated attacks are unlikely to be launched against honeypot environments, analyzing honeypot data enables us to monitor the types of threats being launched against the cloud, such as the types of malware being deployed, and what specific layers are being attacked (e.g., the operating system, databases). In addition, the use of honeypots provides additional visibility into what security solutions are best suited to defend against these types of attacks

Additional Data Alert Logic Cloud Security Report

The honeypot data is just a part of the information and analysis available in the Alert Logic Cloud Security Report. The majority of the data that we analyze comes from the thousands of organizations that use Alert Logic solutions as part of their on-premises, cloud or hybrid datacenter. Download the full report to learn more about the rate at which attacks are increasing, where the attack patterns are the same and where they differ in different IT environments, and some tips on how to protect your datacenter, wherever it’s located.

Read the 2014 Cloud Security Report and let us know what you think.