[ISN] Book review - "Honeypots: Tracking Hackers" by Lance Spitzner

From: InfoSec News (isnat_private)
Date: Thu Nov 07 2002 - 02:54:58 PST

    Forwarded from: "Berislav Kucan" <berislavat_private>
    
    "Honeypots: Tracking Hackers" review by Mirko Zorz
    http://www.net-security.org/review.php?id=16
    
    Available for download is chapter 4 entitled "The Value of
    Honeypots". 
    http://www.net-security.org/dl/reviews/spitznerch04.pdf
    
    Lance Spitzner is a geek who constantly plays with computers,
    especially network security. His passion is researching honeypot
    technologies and using them to learn more about the enemy. He is
    founder of the Honeynet Project, moderator of the honeypot mailing
    list and besides this book - co-author of "Know Your Enemy" and author
    of several whitepapers. He works as a senior security architect for
    Sun Microsystems, Inc.
    
    What's interesting with honeypots is the fact that they began to be
    widely used only in the past 2 years or so. I think that the majority
    of the people heard about honeypots thanks to the Honeynet Project and
    Lance Spitzner, whose excellent "Know Your Enemy" whitepaper series
    became a sort of a bestseller among the security community. And now,
    the man that started it all has written a book about it.
    
    A book like no other
    
    The biggest difference between this and other security books is the
    fact that this one teaches you not to keep hackers at bay, but it
    teaches you to make them stay and learn from their activities. All of
    this takes place in a honeypot, a controlled environment.
    
    The book starts with the idea that you don't know what honeypots are
    and you are slowly introduced to the concept. But don't be fooled,
    previous knowledge is necessary in order to understand all of the
    things presented. What you'll learn while reading this book is that
    honeypots don't catch only script kiddies but they are great in
    tracking the activities of skilled blackhats and analyzing their
    behavior and tools. Sometimes honeypots discover new techniques and
    tools and by doing that they help the security community a great deal.
    
    What honeypots are
    
    The book starts with an in-depth explanation of what a honeypot is and
    how it works. Lance Spitzner describes his first attempt at using a
    honeypot and the first home-made honeypot he ever made. As he goes on,
    the reader has the opportunity to learn a lot from the author's own
    mistakes.
    
    We also learn that, despite their rather recent integration in the
    overall security architecture, honeypots are more than a decade old.
    
    Attacks
    
    Before showing us how a honeypot works, Lance Spitzner writes about
    the attackers, and by illustrating how they attack, we start to learn
    more about the value of honeypots.
    
    The motives of the attackers and some of their tools are covered. We
    are introduced to auto-rooters and mass-rooters, both illustrated with
    examples. There's also a brief section dedicated to worms with the
    explanation of how damaging they can be. As examples the author notes
    CodeRed, CodeRed II and the Nimda worms.
    
    When it comes to attackers, the author shows us how obviously skilled
    blackhats are the biggest threat and thus the most interesting to
    observe once caught in a honeypot.
    
    History and definition
    
    Now that we have all this info on the attackers, Lance Spitzner moves on
    to depict the history and definition of honeypots.
    
    We see the evolution of honeypots, the people important for their
    development, we learn how they work and we get all of that gift
    wrapped with some examples. Sounds great? It is.
    
    The next step is the definition of the value of honeypots. We learn
    that their value depends on how they are built and used. Since they
    don't address a specific problem, they are different from mechanisms
    such as firewalls. The author clearly illustrates the advantages and
    disadvantages of honeypots which clearly enables the reader to get
    "the big picture".
    
    The value of honeypots is also explained very well and allows the
    reader to understand them and their role in the overall security
    architecture.
    
    Level of interaction
    
    We learn to distinguish different types of honeypots by using a
    concept that the author calls level of interaction. This means that we
    categorize types of honeypots based on the level of interaction they
    offer to the attackers.
    
    As honeypots become more complex, the attacker can do more damage but
    the honeypot collects more data. You have to figure out what you need
    and deploy a honeypot designed just for that.
    
    Lance Spitzner discusses:
    
     - Low-interaction honeypots
     - Medium-interaction honeypots
     - High-interaction honeypots
    
    and lists the tradeoffs of using each type. Not surprisingly, we
    also get an in-depth overview of the above mentioned types with their
    advantages and disadvantages listed.
    
    Inside the honeypots we go...
    
    What follows all this info, you may wonder? We delve right into the
    honeypots. We are presented with six honeypots, all with different
    applications, on different operating systems and, of course, with
    different interaction levels.
    
    The presented honeypots are:
    
     - BackOfficer Friendly
     - Specter
     - Honeyd
     - Homemade
     - ManTrap
     - Honeynets
    
    All the above mentioned honeypots are explained in great detail, each
    one gets its own chapter. We learn about their installation,
    configuration, deployment, information gathering and alerting
    capabilities. Furthermore, the author presents us with the risks
    associated with the deployment of every presented honeypot.
    
    Since honeynets are the most high-interaction solution possible, they
    are explained with even more examples than the others.
    
    Get it working, will you?
    
    Enough with the analysis, it's time to implement your honeypot. What
    you have to do is use all the knowledge accumulated so far and select
    the optimal honeypot for your needs. Fear not as the author will
    skillfully guide you through all the steps of implementing a honeypot.
    
    Once you've implemented your honeypot, you'll need to maintain it.
    When it comes to maintenance, the author divided the subject into
    four areas:
    
     - Alert detection
     - Response policies
     - Data analysis
     - Updates
    
    Is there an abundance of details? Of course.
    
    Now you've got your honeypot running and you're maintaining it. What more
    could you need? This is the time to bring together everything
    presented so far and apply it to several very detailed theoretical
    examples.
    
    Legal issues and future predictions
    
    In case you were wondering whether the deployment of a honeypot was
    legal, there's a chapter dedicated to legal issues that will probably
    answer most of your questions. Note that all the legal information is
    based on the law of the USA.
    
    What could be a better closing for the book than a chapter dedicated
    to the future of honeypots? What does the future hold according to
    Lance Spitzner? Get the book and find out.
    
    My 2 cents
    
    This book definitely shows that honeypots are not something obscure
    anymore. Both their implementation and usage have evolved and they
    became an important learning method.
    
    Through the book we are presented with a variety of real-life
    examples. This, along with the numerous references and a CD-ROM packed
    with whitepapers, source code and data captures of real attacks, makes
    this book really complete.
    
    If you're serious about setting up a honeypot then this is THE book to
    read. It will give you all the necessary concepts, guidelines and
    tools to get you started.
    
    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 05:00:36 PST