When it comes to security monitoring, organizations often focus on some kind of Intrusion Detection System (IDS) and overlook honeypots. Some may even believe that honeypots aren't relevant because they already invest in IDS. But that view misses the bigger picture: these technologies don't compete; they complement each other.
What is an IDS?
Put simply, an Intrusion Detection System observes and analyzes security-relevant data (such as logs, network traffic and metrics) from systems or networks to identify attack patterns and raise alerts, typically to a Security Operations Center (SOC).
If the IDS can also react to detected threats (for example by updating firewall rules), it is usually referred to as an Intrusion Detection and Prevention System (IDPS), or simply an IPS.
You may also encounter terms like EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management) or XDR (Extended Detection and Response). They differ in scope and in where the data comes from (endpoints, a central log store, or several sources combined), but for the purpose of this post they can be treated as flavors of the same idea: collecting security information, recognizing malicious patterns and triggering alerts or responses.
Let’s make it more concrete and take a look at two common usage scenarios.
Imagine you operate a web server. It writes a log entry for each incoming request and also exposes several system health metrics. An IDS would consume and evaluate these logs and metrics automatically, looking for attack patterns such as malicious request paths or parameters. On a hit it would either raise an alert to the SOC or, as an IDPS, reconfigure the web server's firewall to block the IP address of the sender.
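To make the web server scenario concrete, here is a minimal signature-based IDS/IDPS in Python. It is an added example, not code from the original post: it parses a few constructed access-log lines in Common Log Format, matches the decoded request path against a small signature list, accumulates a severity score per source IP and emits the firewall command an IDPS would run once a threshold is crossed. The log lines, signatures, threshold and IP addresses are all made up for illustration.

```python
"""Minimal signature-based IDS over web server access logs (constructed example)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [10/Oct/2024:13:55:37 +0000] "GET /../../etc/passwd HTTP/1.1" 404 153
198.51.100.23 - - [10/Oct/2024:13:55:38 +0000] "GET /login?user=admin'%20OR%201=1-- HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2024:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 2201
192.0.2.9 - - [10/Oct/2024:13:55:41 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Hypothetical signatures: (name, regex applied to the URL-decoded path, severity).
SIGNATURES = [
    ("path_traversal", re.compile(r"\.\./"), 3),
    ("sqli", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I), 3),
    ("xss", re.compile(r"<script", re.I), 2),
    ("wordpress_probe", re.compile(r"/wp-login\.php|/xmlrpc\.php"), 1),
]
BLOCK_THRESHOLD = 4  # accumulated severity per source IP that triggers a block


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(path):
    """Return the names of all signatures that match the URL-decoded path."""
    decoded = unquote(path)  # decode once so %27 / %3C do not hide the payload
    return [name for name, rx, _ in SIGNATURES if rx.search(decoded)]


def analyze(log_text):
    """Return (alerts, ips_to_block) for a block of log text."""
    severity_of = {name: sev for name, _, sev in SIGNATURES}
    alerts = []
    score = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: a real IDS would count these too
        for name in match_signatures(rec["path"]):
            score[rec["ip"]] += severity_of[name]
            alerts.append({"ip": rec["ip"], "sig": name,
                           "path": rec["path"], "severity": severity_of[name]})
    to_block = sorted(ip for ip, s in score.items() if s >= BLOCK_THRESHOLD)
    return alerts, to_block


def block_commands(ips):
    """The prevention step: firewall commands an IDPS would execute (only rendered here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    alerts, blocked = analyze(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['ip']:15} {a['sig']:16} {a['path']}")
    for cmd in block_commands(blocked):
        print("BLOCK", cmd)
```

Note the threshold: a single low-severity hit such as a `/wp-login.php` probe only raises an alert, while the repeated high-severity hits from the same source cross the threshold and produce a block. Where exactly that threshold sits is the kind of tuning decision that becomes hard on a busy production server, which is the problem the next section is about.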
Other examples can be found in the automotive domain. Here, we can imagine an IDS sitting on a gateway and monitoring the Controller Area Network (CAN). CAN traffic on a given bus is highly deterministic: the set of message IDs, their payload lengths and their cycle times are fixed by the vehicle's message catalogue. So the IDS can check the traffic for undefined messages, because these would most likely be sent by an attacker who is not aware of the actual legitimate communication.
To sum up, IDS or even IDPS are great security tools, as they allow targeted surveillance of your actual assets, creating a lot of insights and therefore enabling professional, secure operation of your systems and products.
However, as always, there is a downside.
IDS Complexity
The main issue with IDS, from my personal experience, is their complexity, and it shows most clearly in false positives: cases where the IDS raises an alert for behavior that is actually legitimate.
Let's revisit the automotive example. An IDS monitoring the CAN bus may raise alerts for undefined messages. That sounds straightforward, until you run into:
- Components that don’t follow their specifications or documentation and therefore send unknown messages
- IDS rule sets that don’t match the actual software versions within your vehicle and therefore don’t match the actual legitimate communication
So even in this comparatively simple scenario, hard problems already arise. Now imagine the complexity you face when monitoring a dynamic system such as a high-performance, microprocessor-based vehicle component or the web server mentioned at the beginning.
The result? Many organizations reduce the IDS scope to the "quick wins," leaving large parts of the attack surface unmonitored.
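The two false-positive causes above can be shown with a small allow-list CAN IDS. This is an added example, not code from the post or from any real vehicle: the CAN IDs, payload lengths and the idea of tagging rule sets with a software release are constructed for illustration. The same captured frames are checked once against a stale rule set and once against the one matching the installed software, and the alerts that disappear are exactly the false positives caused by the version mismatch; the remaining alerts cover an undefined ID and a component that violates its own payload specification.

```python
"""Allow-list CAN IDS with versioned rule sets (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit arbitration ID
    data: bytes   # payload, 0..8 bytes for classic CAN


# Allowed CAN IDs and their expected payload length (DLC) per vehicle software release.
# Hypothetical values; a real catalogue comes from the OEM's DBC files.
RULE_SETS = {
    "sw_1.0": {0x100: 8, 0x200: 4, 0x7E0: 8},
    "sw_1.1": {0x100: 8, 0x200: 4, 0x7E0: 8, 0x310: 2},   # 0x310 introduced in 1.1
}


def check_frame(frame, rules):
    """Return None if the frame is allowed, otherwise a description of the violation."""
    expected_len = rules.get(frame.can_id)
    if expected_len is None:
        return f"undefined CAN id 0x{frame.can_id:03X}"
    if len(frame.data) != expected_len:
        return (f"id 0x{frame.can_id:03X} has DLC {len(frame.data)}, "
                f"expected {expected_len}")
    return None


def run_ids(frames, version):
    """Return a list of (frame_index, reason) for every frame the rule set rejects."""
    rules = RULE_SETS[version]
    alerts = []
    for i, frame in enumerate(frames):
        reason = check_frame(frame, rules)
        if reason is not None:
            alerts.append((i, reason))
    return alerts


def false_positives(alerts_stale, alerts_correct):
    """Alerts raised by the stale rule set that the matching rule set does not raise."""
    correct_indices = {i for i, _ in alerts_correct}
    return [(i, r) for i, r in alerts_stale if i not in correct_indices]


# Constructed bus capture from a vehicle running software 1.1.
CAPTURE = [
    CanFrame(0x100, bytes(8)),                      # legitimate periodic message
    CanFrame(0x310, b"\x01\x02"),                   # new in 1.1: legitimate, unknown to 1.0 rules
    CanFrame(0x7DF, b"\x02\x01\x00\x00\x00\x00\x00\x00"),  # not in any rule set here: undefined
    CanFrame(0x200, b"\x00\x00\x00"),               # component sends 3 bytes instead of 4
]

if __name__ == "__main__":
    stale = run_ids(CAPTURE, "sw_1.0")
    correct = run_ids(CAPTURE, "sw_1.1")
    print("alerts with stale rules:   ", stale)
    print("alerts with matching rules:", correct)
    print("false positives caused by version mismatch:", false_positives(stale, correct))
```

The frame with ID 0x200 stays an alert under both rule sets: the component really does deviate from its specification, and only a fix on the component side (or a documented exception in the rules) can silence it. This is the case the post refers to as components that don't follow their documentation.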
Honeypots and IDS: Better Together
So how can honeypots help?
What honeypots are and which benefits they provide was already described in previous blog posts, so make sure to check them out.
In this blog post, we now want to focus on how honeypots and IDS complement each other to easily increase the chances of catching attackers in our ecosystems.
First, it's worth stating: honeypots require an IDS. A honeypot is a decoy designed to attract attackers, but you obviously need something to observe its security information and raise alerts. That's where the IDS comes in.
However, two aspects keep the IDS complexity manageable when it comes to honeypot monitoring. First, honeypots are built to be monitored closely and provide the right data to feed into your IDS. Second, and this is the crucial one, honeypots have no legitimate interaction or usage, because they are decoys. Any interaction with them is therefore suspicious by definition, which makes IDS monitoring of a honeypot far easier to configure: there is no baseline of legitimate traffic to learn and no fine-grained rule set to keep in sync.
Having said that, the remaining question is how honeypots can now contribute to overall security monitoring. So let’s take up the main benefits of honeypots described in our other blog post.
Besides wasting attacker resources, honeypots allow earlier detection of attacker presence than an IDS on production assets typically does. Why is that?
Honeypots are designed to be highly attractive to attackers, so we can assume that attackers will interact with them very early in their reconnaissance and exploration phase, before moving on to better protected or isolated assets. Combined with the easier monitoring, the honeypot will immediately tell us about the attacker's presence.
With this early detection in place, we can be more relaxed about focusing our IDS efforts on just the critical attack paths of our actual assets.
That's why honeypots and IDS are a great team: the honeypot provides broad coverage and early detection of attacker presence, allowing you to focus your IDS efforts on the attack paths that really matter.
In addition, using honeypots gives you insights into the actual tactics and procedures of real attackers: which source addresses they come from, which paths and services they probe, which credentials they try. This intelligence can be fed back into your IDS to sharpen its pattern recognition on the actual assets.
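The following Python snippet is an added example, not code from the post, that ties the last two points together: because the decoy hosts have no legitimate users, every event that touches them becomes an alert without any pattern matching, and the source addresses and probed paths collected this way are turned into a watchlist that prioritizes alerts from the production web server. The honeypot host addresses, event records and production records are constructed for illustration, and the event shape is a hypothetical one; a real honeypot sensor would emit its own format.

```python
"""Honeypot interactions as a high-confidence IDS source (constructed example)."""
from collections import Counter

# Decoy hosts: nobody should ever talk to them, so any contact is suspicious.
HONEYPOT_HOSTS = {"10.0.5.50", "10.0.5.51"}

# Constructed honeypot interaction events (hypothetical event format).
HONEYPOT_EVENTS = [
    {"src": "198.51.100.23", "dst": "10.0.5.50", "proto": "http", "path": "/wp-login.php"},
    {"src": "198.51.100.23", "dst": "10.0.5.50", "proto": "http", "path": "/.env"},
    {"src": "203.0.113.77", "dst": "10.0.5.51", "proto": "ssh", "user": "root"},
    {"src": "10.0.1.12", "dst": "10.0.5.50", "proto": "http", "path": "/"},   # internal host
    {"src": "203.0.113.7", "dst": "10.0.1.20", "proto": "http", "path": "/"},  # not a decoy
]

# Constructed production records from the real web server (10.0.1.20).
PRODUCTION_EVENTS = [
    {"src": "203.0.113.7", "dst": "10.0.1.20", "path": "/index.html"},
    {"src": "198.51.100.23", "dst": "10.0.1.20", "path": "/.env"},
    {"src": "192.0.2.9", "dst": "10.0.1.20", "path": "/about"},
    {"src": "192.0.2.44", "dst": "10.0.1.20", "path": "/wp-login.php"},
]


def honeypot_alerts(events):
    """Every event whose destination is a decoy is an alert; no signature needed."""
    return [e for e in events if e["dst"] in HONEYPOT_HOSTS]


def attacker_watchlist(events):
    """Source addresses observed touching a decoy. Internal sources are included on
    purpose: an internal host contacting a honeypot may itself be compromised."""
    return {e["src"] for e in honeypot_alerts(events)}


def probed_paths(events):
    """HTTP paths attackers tried on the decoys, with how often each was seen."""
    return Counter(e["path"] for e in honeypot_alerts(events) if "path" in e)


def prioritize_production(prod_events, watchlist, hot_paths):
    """Escalate production requests from sources or to paths first seen on the honeypot."""
    escalated = []
    for e in prod_events:
        reasons = []
        if e["src"] in watchlist:
            reasons.append("source seen on honeypot")
        if e["path"] in hot_paths:
            reasons.append("path probed on honeypot")
        if reasons:
            escalated.append({**e, "reasons": reasons})
    return escalated


if __name__ == "__main__":
    watch = attacker_watchlist(HONEYPOT_EVENTS)
    paths = probed_paths(HONEYPOT_EVENTS)
    for hit in prioritize_production(PRODUCTION_EVENTS, watch, set(paths)):
        print(hit["src"], hit["path"], "->", ", ".join(hit["reasons"]))
```

The contrast with the production-side IDS is the point: the honeypot rule is a single membership test on the destination address, while the production rule set needs signatures, thresholds and tuning. The watchlist and path counter are the learnings the post mentions, and feeding them into the production IDS is one concrete form of strengthening its pattern recognition.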
Wrapping It Up
Honeypots and IDS aren't rivals; they're a powerful team. For the gamers among the readers: honeypots are like tanks in a video game, drawing attention and absorbing attacks. IDS and the SOC act like healers and strategists, watching closely and reacting before serious damage occurs.
So use honeypots to detect early, gather intelligence and waste attacker resources. Use IDS to monitor the critical attack paths in real assets and to enforce reactions.
Together, they give you better coverage while keeping the overall cost/benefit ratio in the sweet spot.