A Honeypot and Honeynets is a tool that is designed to simulate an operational asset or environment but contains no data or assets of actual value. Ideally, an attacker will be distracted by the honeypot and will waste considerable resources and time trying to compromise a device or environment that has no real value. This allows the operator of the honeypot to learn the tools and approaches used by the attacker and learn how to build a stronger defense against attacks launched on systems of true value.
A honeynet is a type of high interaction honeypot (or honeypots) used to gather information on malicious activity by creating a network of seemingly real services and applications. The attacker may believe that they have found a real network, but in fact it is just a distraction that gathers data about the attacker. Since a honeynet has no real business operations, any activity within a honeynets is malicious.
A security researcher can use the data gathered from a honeynet to learn about attack tools, origins, and techniques. However, there has always been the allegation that a honeynet is a form of invitation, since it is usually public-facing and able to be accessed (with effort) from entities/locations external to the host organization. However, since a honeypot is passive and no activity should be expected on the honeypot, it is doubtful whether this is a valid argument. A more serious concern is that since a honeynet is by its nature an insecure system, there is the risk that an attacker that compromises a honeynet could use it as a platform to launch an attack against the systems or networks of other organizations, making the owner of the honeynet complicit in the attack. For this reason, the security manager should ensure that the IT Operations group, or whoever is responsible for looking after the honeynet, is diligently monitoring both inbound and outbound traffic so that any compromise of the honeynet would be identified and appropriate action taken in a timely manner.
