Information Security News mailing list archives

Book review - "Honeypots: Tracking Hackers" by Lance Spitzner


From: InfoSec News <isn () c4i org>
Date: Thu, 7 Nov 2002 04:54:58 -0600 (CST)

Forwarded from: "Berislav Kucan" <berislav () globalnet hr>

"Honeypots: Tracking Hackers" review by Mirko Zorz
http://www.net-security.org/review.php?id=16

Available for download is chapter 4 entitled "The Value of
Honeypots". 
http://www.net-security.org/dl/reviews/spitznerch04.pdf

Lance Spitzner is a geek who constantly plays with computers,
especially network security. His passion is researching honeypot
technologies and using them to learn more about the enemy. He is
founder of the Honeynet Project, moderator of the honeypot mailing
list and, besides this book, co-author of "Know Your Enemy" and author
of several whitepapers. He works as a senior security architect for
Sun Microsystems, Inc.

What is interesting about honeypots is that they only began to be
widely used in the past 2 years or so. I think that the majority of
people heard about honeypots thanks to the Honeynet Project and
Lance Spitzner, whose excellent "Know Your Enemy" whitepaper series
became something of a bestseller in the security community. And now
the man that started it all has written a book about it.

A book like no other

The biggest difference between this and other security books is that
this one does not teach you to keep hackers at bay; it teaches you to
make them stay and to learn from their activities. All of this takes
place in a honeypot, a controlled environment.

The book starts from the assumption that you don't know what honeypots
are, and you are slowly introduced to the concept. But don't be fooled:
previous knowledge is necessary in order to understand everything
presented. What you'll learn while reading this book is that honeypots
don't catch only script kiddies; they are also great at tracking the
activities of skilled blackhats and analyzing their behavior and
tools. Sometimes honeypots uncover new techniques and tools, and by
doing that they help the security community a great deal.

What honeypots are

The book starts with an in-depth explanation of what a honeypot is and
how it works. Lance Spitzner describes his first attempt at using a
honeypot and the first home-made honeypot he ever built. As he goes on,
the reader has the opportunity to learn a lot from the author's own
mistakes.

We also learn that, despite their rather recent integration in the
overall security architecture, honeypots are more than a decade old.

Attacks

Before showing us how a honeypot works, Lance Spitzner writes about
the attackers, and by illustrating how they attack we start to learn
more about the value of honeypots.

The motives of the attackers and some of their tools are covered. We
are introduced to auto-rooters and mass-rooters, both illustrated with
examples. There's also a brief section dedicated to worms, explaining
how damaging they can be; as examples the author cites CodeRed,
CodeRed II and Nimda.

When it comes to attackers, the author shows us how skilled blackhats
are obviously the biggest threat and thus the most interesting to
observe when caught in a honeypot.

History and definition

Now that we have all this information on the attackers, Lance Spitzner
moves on to the history and definition of honeypots.

We see the evolution of honeypots and the people important to their
development, we learn how they work, and we get all of that gift
wrapped with some examples. Sounds great? It is.

The next step is defining the value of honeypots. We learn that their
value depends on how they are built and used. Since they don't address
a specific problem, they are different from mechanisms such as
firewalls. The author clearly illustrates the advantages and
disadvantages of honeypots, which enables the reader to get "the big
picture".

The value of honeypots is also explained very well and allows the
reader to understand them and their role in the overall security
architecture.

Level of interaction

We learn to distinguish different types of honeypots using a concept
the author calls level of interaction: honeypots are categorized by
how much interaction they offer to the attackers.

As honeypots become more complex, the attacker can do more damage, but
the honeypot collects more data. You have to figure out what you need
and deploy a honeypot designed just for that.

Lance Spitzner discusses:

 - Low-interaction honeypots
 - Medium-interaction honeypots
 - High-interaction honeypots

and lists the tradeoffs of using each type. Not surprisingly, we also
get an in-depth overview of the above-mentioned types, with their
advantages and disadvantages listed.

Inside the honeypots we go...

What follows all this, you may wonder? We delve right into the
honeypots. We are presented with six honeypots, all with different
applications, on different operating systems and, of course, with
different interaction levels.

The presented honeypots are:

 - BackOfficer Friendly
 - Specter
 - Honeyd
 - Homemade
 - ManTrap
 - Honeynets

All the above-mentioned honeypots are explained in great detail, and
each one gets its own chapter. We learn about their installation,
configuration, deployment, information gathering and alerting
capabilities. Furthermore, the author presents the risks associated
with deploying each of the presented honeypots.

Since honeynets are the highest-interaction solution possible, they
are explained with even more examples than the others.

Get it working, will you?

Enough with the analysis; it's time to implement your honeypot. What
you have to do is use all the knowledge accumulated so far and select
the optimal honeypot for your needs. Fear not, as the author will
skillfully guide you through all the steps of implementing a honeypot.

Once you've implemented your honeypot, you'll need to maintain it.
When it comes to maintenance, the author divides the subject into
four areas:

 - Alert detection
 - Response policies
 - Data analysis
 - Updates

Is there an abundance of details? Of course.
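The "level of interaction" section above and the maintenance areas just listed (alert detection, data analysis) describe what a low-interaction honeypot does in practice: emulate a service, record whatever touches it, raise an alert on every contact, and aggregate the captured records. The following is an added example written for this page, not code from the book, the Honeynet Project, or any of the products the review names. It is a minimal low-interaction listener that presents a constructed fake SMTP banner, captures the client's first bytes, produces one alert record per connection, and summarizes records by source. The host name in the banner, the listening port, and the peer addresses are placeholders.

```python
"""Minimal low-interaction honeypot: fake banner, capture, alert, summarize.

Added example for this review; assumed values are marked as such.
Nothing here is a real service, so any connection is suspicious by
definition: legitimate traffic has no reason to reach it.
"""
import json
import socket
import time
from collections import Counter

# Constructed fake banner; "mail.example.test" is a placeholder host name.
BANNER = b"220 mail.example.test ESMTP ready\r\n"
MAX_CAPTURE = 512   # low interaction: read a little, never act on it
READ_TIMEOUT = 2.0  # seconds to wait for the client's first bytes


def handle_client(conn, peer, now=None):
    """Serve one client: send the banner, capture its first bytes, close.

    Returns an alert record describing the contact. The honeypot never
    interprets the commands it receives, which is what keeps the risk
    of a low-interaction design small.
    """
    now = time.time() if now is None else now
    conn.settimeout(READ_TIMEOUT)
    try:
        conn.sendall(BANNER)
        data = conn.recv(MAX_CAPTURE)
    except (socket.timeout, OSError):
        data = b""  # scanner that connected and left, or a dropped peer
    finally:
        conn.close()
    first = data.splitlines()[0] if data else b""
    return {
        "time": now,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        "first_line": first.decode("ascii", "replace")[:80],
    }


def classify(record):
    """Rough triage: a bare connect is a probe, anything sent is an interaction."""
    return "probe" if record["bytes"] == 0 else "interaction"


def summarize(records):
    """Data analysis step: how many contacts each source address made."""
    by_src = Counter(r["src_ip"] for r in records)
    return dict(by_src.most_common())


def simulate_connection(payload, peer=("198.51.100.7", 40000), now=0.0):
    """Drive handle_client over a socketpair so it runs without a network.

    An empty payload models a port scanner that connects and disconnects
    without sending anything. The peer address is a constructed value.
    """
    server_side, client_side = socket.socketpair()
    if payload:
        client_side.sendall(payload)
    else:
        client_side.close()
    record = handle_client(server_side, peer, now=now)
    record["kind"] = classify(record)
    if payload:
        client_side.close()
    return record


def serve(host="127.0.0.1", port=2525, max_conns=None):
    """Listen on an assumed port and print one JSON alert line per contact.

    Each printed line is the "alert detection" output; in a real deployment
    it would be shipped to whatever alerting channel is in use.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    records = []
    while max_conns is None or len(records) < max_conns:
        conn, peer = srv.accept()
        rec = handle_client(conn, peer)
        rec["kind"] = classify(rec)
        print(json.dumps(rec))
        records.append(rec)
    srv.close()
    return records


if __name__ == "__main__":
    # Stand-alone demo with constructed traffic; no listener is started.
    demo = [
        simulate_connection(b"EHLO scanner\r\nMAIL FROM:<x>\r\n"),
        simulate_connection(b"", peer=("203.0.113.9", 51000)),
    ]
    for rec in demo:
        print(json.dumps(rec))
    print(summarize(demo))
```

Running the module prints two constructed alert records and a per-source count; calling `serve(port=2525, max_conns=3)` instead opens a real listener on the loopback address and returns after three contacts. The tradeoff the review describes is visible in `handle_client`: it reads at most 512 bytes and never parses them, so an attacker gains nothing from the service, and in exchange the honeypot learns only the source address and the first line sent.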

Now you have your honeypot running and you're maintaining it. What more
could you need? This is the time to bring together everything
presented so far and apply it to several very detailed theoretical
examples.

Legal issues and future predictions

In case you were wondering whether deploying a honeypot is legal,
there's a chapter dedicated to legal issues that will probably answer
most of your questions. Note that all the legal information is based
on the law of the USA.

What could be a better closing for the book than a chapter dedicated
to the future of honeypots? What does the future hold according to
Lance Spitzner? Get the book and find out.

My 2 cents

This book definitely shows that honeypots are no longer something
obscure. Both their implementation and their usage have evolved, and
they have become an important learning method.

Through the book we are presented with a variety of real-life
examples. This, along with the numerous references and a CD-ROM packed
with whitepapers, source code and data captures of real attacks, makes
this book really complete.

If you're serious about setting up a honeypot, then this is THE book to
read. It will give you all the necessary concepts, guidelines and
tools to get you started.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

