Virtual Honeypots 50
rsiles writes "Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots. Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens." Read below for the rest of Raul's review.
The detection of honeypots has always been one of the main concerns in the honeynet community, because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light tips and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.
| Virtual Honeypots: From Botnet Tracking to Intrusion Detection | |
| author | Niels Provos and Thorsten Holz |
| pages | 440 |
| publisher | Addison-Wesley Professional |
| rating | THE current reference about honeynet technologies and solutions. |
| reviewer | Raul Siles |
| ISBN | 0321336321 |
| summary | improve your capabilities with easy to deploy virtual honeypot solutions |
The first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the main two honeypot types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you lot of ideas for new deployments.
The whole book has been cooked with a how-to mentality , and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors experience. However, the how to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step by step guides are very useful as a general setup reference.
From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Throsten Holz, are the lead developers/architects for honeyd (chapter 4 and 5) and nephentes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about, and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).
The book includes some extra material covering academic and research hybrid solutions still in their early stages, which can give you and idea of where these technologies are evolving to and the major challenges we are facing now. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learn how to deal with intrusions.
Finally, one of the main expansion areas we are involved today is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you to add all this knowledge to your incident handling and response capabilities.
Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how using VMware, you can build up a virtual Honeywall (just slightly mentioned on chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup in the Honeynet Project mailing lists, because all the previous whitepapers are obsoleted now. I've been deploying these type of solutions for fun and professionally during the last few years and I strongly recommend you to start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.
If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, definitely this book is for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time.
I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project on 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a rapidly evolving field, definitely it has been replaced by this book, written by two project members.
You can purchase Virtual Honeypots: From Botnet Tracking to Intrusion Detection from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Re: (Score:1)
eros.com had loads of them
Get it? Loads? Ah ha ha ha! I crack me up! Comedy fuckin' gold right there!
Re: (Score:3, Funny)
Speaking of the stench (Score:1)
I'm a bit disappointed.
Re: (Score:1)
yeas, but the old threats are still used today.
Re: (Score:2, Insightful)
And your book is titled....?
Seems you miss the point of this post....it is directed at those interested in getting started and wanting some info as to what tools to use, and what to expect for their time and effort.
Re: (Score:2)
Ah, I got hung up on the "last few years" bit.
Re: (Score:1, Funny)
In common usage, 2003 does fall within "last few years."
Admit it, you're one of those high-horse geeks that derides everything everyone else does because you firmly believe you are the ubergenius.
Re: (Score:1)
Re: (Score:1)
Bad idea... (Score:1)
O.o (Score:3, Informative)
I don't think that "Honeypot" means what you think it means. Having a honeypot on a "real" server would be like having a live chemical weapons training course in your house.
The whole point is study, and possibly early warning. I've got a "honeypot" (I'd call it a "canary") set up on my corporate DMZ which is made to look roughly like one of my second tier financial machines; it's only there to scream bloody murder if someone tries to log into it.
If someone does log into it, they'll know immediately it's a d
Re: (Score:1)
I canary is quite different.
It's a chunk of memory with a known value/checksum that you use as a shield against buffer overrun attacks.
Check the canary every once in a while or when touching certain pieces of data. If the canary is sick (has been tampered with by a program traipsing through trying to find offsets for attacks), bail out.
Re: (Score:1)
Grow up.
Book is useless.
Honeypots are useless.
They don't protect you, they simply let you analyze methods of attack. But when you open up known methods of attack, you don't learn anything about new ones. If someone can run code on your system, you're fucked. There's nothing to gain from analyzing what an attacker did to a honeypot after getting access unless you are a computer (in)security company.
Honeypots do not protect you.
They do not distract attackers since - surprise - they can attack many targets
Re: (Score:1)
so what's your point?
not everyone is as smart as you, and well,
some people need a book like this.
if you don't like it, dont buy it.
better.... write something WE can use.
Bill Gates is promising. âoeTwo years from no (Score:1)
Not really. (Score:5, Insightful)
Not really. We already know how machines are cracked.
All this research does is find out what tools are being used today.
And as you can see with the need to constantly download updated "virus signatures", that approach is useless in defending your systems.
To really defend your system, you need to be able to lock down all the executables on your system. And you need a way to verify that those executables stay locked down. And that there is no other way to get an executable to run on your system.
Interesting addition to security (Score:3, Interesting)
Sure, the idea has been around for a long while. But, real security is based on misinformation. If you want to protect some data, you create multiple copies of the data all of which appear to be about the same thing, but all reaching different conclusions.It is not so much a honeypot to attract, but a honeypot to create doubt.
It also buys you time; if you have multiple honeypots then the chance of your main systems being compromised is lessened. If it can be done quickly and inexpensively then it is probably worth it for some large companies.
If you think a honeypot should just be unpatched and ready for the taking, then you have the wrong approach, most should be patched at least to the level of your other systems. I suppose the term honeypot is wrong, decoys would be better. But, the same technology is being used.
Re: (Score:2, Insightful)
Sure, the idea has been around for a long while. But, real security is based on misinformation. If you want to protect some data, you create multiple copies of the data all of which appear to be about the same thing, but all reaching different conclusions.It is not so much a honeypot to attract, but a honeypot to create doubt.
That sounds a lot like security through obscurity to me.
As far as I'm concerned, a honeypot is not a security tool, its a security research tool, and there's a vast difference between the two
Re: (Score:2)
Right, a "free warez" folder isn't what the hardcore data criminal is looking for, whereas two very similar oracle databases, each with encrypted cc numbers but one bogus might be confusing enough to cause a slowdown that allows an attack to either be detected, thwarted, or tracked for evidence used in a prosecution.
Pretty isn't it? (Score:2, Funny)
http://xkcd.com/350/
A bit dated (Score:1)
Re: (Score:1)
please, please please...
Tell me one thing in the book that is dated.
http://www.neuraliq.com/ (Score:2)
Seems a lot of what this book talks about, is done by neuralip's devices.
Plug in 3 2 1 ... http://www.neuraliq.com/
Easy concept to stop confusion (Score:4, Informative)
Useful honeypots are patched to the level of the rest of your computers/servers on your network. Then you simply watch traffic running to (and from) them, because by default, they should have no traffic. (minus the broadcasts and regular auto discovery packets) You know that any traffic to and from this box is suspicious on the grounds that it is not actually used for anything.
Honeypots are NOT unpatched boxes completely exposed to the internet for all to attack. Unless you are into malware/virus research. Even then, patching allows you to keep up with the latest threats. If your patched box got owned, you need to look at it =)
Oblig XKCD (Score:4, Funny)
From the headline (Score:1)
Mantrap was one 8 years ago (Score:1)
When I was at Recourse (which got borged by Symantec) we had a virtual honeypot called Mantrap. It was on the market when I started there in 2001.
Trap them web crawlers (Score:1)