
Honeypots: Tracking Hackers


  • Sorry, this book is no longer in print.
Not for Sale


  • Copyright 2003
  • Dimensions: 7-3/8" x 9-1/4"
  • Pages: 488
  • Edition: 1st
  • Book
  • ISBN-10: 0-321-10895-7
  • ISBN-13: 978-0-321-10895-1

"The text is comprehensive, an honest survey of every honeypot technology I had ever heard of and a number I read about for the first time."
--Stephen Northcutt, The SANS Institute

"One of the great byproducts of Lance's work with honeypots and honeynets is that he's helped give us a much clearer picture of the hacker in action."
--From the Foreword by Marcus J. Ranum

"From the basics of shrink-wrapped honeypots that catch script kiddies to the detailed architectures of next-generation honeynets for trapping more sophisticated bad guys, this book covers it all....This book really delivers new information and insight about one of the most compelling information security technologies today."
--Ed Skoudis, author of Counter Hack, SANS instructor, and Vice President of Security Strategy for Predictive Systems

Honeypots are unique technological systems specifically designed to be probed, attacked, or compromised by an online attacker. Implementing a honeypot provides you with an unprecedented ability to take the offensive against hackers. Whether used as simple "burglar alarms," incident response systems, or tools for gathering information about hacker motives and tactics, honeypots can add serious firepower to your security arsenal.

Honeypots: Tracking Hackers is the ultimate guide to this rapidly growing, cutting-edge technology. The book starts with a basic examination of honeypots and the different roles they can play, and then moves on to in-depth explorations of six specific kinds of real-world honeypots: BackOfficer Friendly, Specter™, Honeyd, Homemade honeypots, ManTrap®, and Honeynets.

Honeypots also includes a chapter dedicated to legal issues surrounding honeypot use. Written with the guidance of three legal experts, this section explores issues of privacy, entrapment, and liability. The book also provides an overview of the Fourth Amendment, the Electronic Communications Privacy Act, the Wiretap Act, and the Pen/Trap Statute, with an emphasis on how each applies to honeypots.

With this book you will gain an understanding of honeypot concepts and architecture, as well as the skills to deploy the best honeypot solutions for your environment. You will arm yourself with the expertise needed to track attackers and learn about them on your own. Security professionals, researchers, law enforcement agents, and members of the intelligence and military communities will find this book indispensable.



CD Contents

Download the CD Contents from the book Honeypots: Tracking Hackers

Sample Content

Online Sample Chapter

The Value of Honeypots

Downloadable Sample Chapter

Click below for Sample Chapter(s) related to this title:
Sample Chapter 4

Table of Contents

Foreword: Giving the Hackers a Kick Where It Hurts.


1. The Sting: My Fascination with Honeypots.

The Lure of Honeypots.

How I Got Started with Honeypots.

Perceptions and Misconceptions of Honeypots.



2. The Threat: Tools, Tactics, and Motives of Attackers.

Script Kiddies and Advanced Blackhats.

Everyone Is a Target.

Methods of Attackers.

Targets of Opportunity.

Targets of Choice.

Motives of Attackers.

Adapting and Changing Threats.



3. History and Definition of Honeypots.

The History of Honeypots.

Early Publications.

Early Products.

Recent History: Honeypots in Action.

Definitions of Honeypots.

How Honeypots Work.

Two Examples of Honeypots.

Types of Honeypots.



4. The Value of Honeypots.

Advantages of Honeypots.

Data Value.



Return on Investment.

Disadvantages of Honeypots.

Narrow Field of View.



The Role of Honeypots in Overall Security.

Production Honeypots.

Research Honeypots.

Honeypot Policies.



5. Classifying Honeypots by Level of Interaction.

Tradeoffs Between Levels of Interaction.

Low-Interaction Honeypots.

Medium-Interaction Honeypots.

High-Interaction Honeypots.

An Overview of Six Honeypots.

BackOfficer Friendly.








6. BackOfficer Friendly.

Overview of BOF.

The Value of BOF.

How BOF Works.

Installing, Configuring, and Deploying BOF.

Information Gathering and Alerting Capabilities.

Risk Associated with BOF.



Step 1—Installation.

Step 2—Configure.

Step 3—Netstat.

Step 4—Attack System.

Step 5—Review Alerts.

Step 6—Save Alerts.


7. Specter.

Overview of Specter.

The Value of Specter.

How Specter Works.

Installing and Configuring Specter.

Operating System.



Intelligence, Traps, Password Types, and Notification.

Additional Options.

Starting the Honeypot.

Deploying and Maintaining Specter.

Information-Gathering and Alerting Capabilities.

Short Mail.

Alert Mail.

Log Analyzer.

Event Log.


Intelligence Gathering.

Risk Associated with Specter.



8. Honeyd.

Overview of Honeyd.

Value of Honeyd.

How Honeyd Works.


ARP Spoofing.

ARP Proxy.

Responding to Attacks.

Installing and Configuring Honeyd.

Deploying and Maintaining Honeyd.

Information Gathering.

Risk Associated with Honeyd.



9. Homemade Honeypots.

An Overview of Homemade Honeypots.

Port Monitoring Honeypots.

The Value of Port Monitoring.

How Homemade Port Monitors Work.

Risk Associated with Homemade Port Monitors.

Jailed Environments.

The Value of Jails.

How Jails Work.

Installing and Configuring Jails.

Deploying and Maintaining Jails.

Information Gathering with Jails.

Risk Associated with Jails.



10. ManTrap.

Overview of ManTrap.

The Value of ManTrap.





Nontraditional Applications.


How ManTrap Works.

Adjustments to the Kernel.

How ManTrap Handles the File System.

The Resulting Cages and Their Limitations.

Installing and Configuring ManTrap.

Building the Host System.

iButton and Configuration Options.

Client Administration.

Customizing the Cages.

Deploying and Maintaining ManTrap.

Information Gathering.

Data Capture in Practice: An Example Attack.

Viewing Captured Data

Data Capture at the Application Level.

File Recovery.

Using a Sniffer with ManTrap.

Using iButton for Data Integrity.

Risk Associated with ManTrap.



11. Honeynets.

Overview of Honeynets.

The Value of Honeynets.

Methods, Motives, and Evolving Tools.

Trend Analysis.

Incident Response.

Test Beds.

How Honeynets Work.

Controlling Data.

Capturing Data.

Collecting Data.

Honeynet Architectures.



Virtual Honeynets.

Sweetening the Honeynet.

Deploying and Maintaining Honeynets.

Information Gathering: An Example Attack.

Risk Associated with Honeynets.



12. Implementing Your Honeypot.

Specifying Honeypot Goals.

Selecting a Honeypot.

Interaction Level.

Commercial Versus Homemade Solutions.


Determining the Number of Honeypots.

Selecting Locations for Deployment.

Placement for Prevention.

Placement for Detection.

Placement for Response

Placement for Research.

Implementing Data Capture.

Maximizing the Amount of Data.

Adding Redundancy to Data Capture.

IP Addresses Versus Resolved Names.

Logging and Managing Data.

Using NAT.

NAT and Private Addressing.

The Role of NAT with Honeypots.

Mitigating Risk.

Mitigating Fingerprinting.



13. Maintaining Your Honeypot.

Alert Detection.

Reliability of Alerts.

Critical Content.

Prioritizing Alerts.



Determining Reaction Practices and Roles.

Documenting Reaction Practices.

Remote Access and Data Control.

Data Analysis.

A Simple Scenario: Low-Interaction Honeypots.

A Complex Scenario: High-Interaction Honeypots.




14. Putting It All Together.


Matching Goals to Honeypot Solutions.

Deploying the Honeypots.

Maintaining the Honeypots.

Surviving and Responding to an Attack.


Matching Goals to Honeypot Solutions.

Deploying the Honeynet.

Maintaining the Honeynet.

Analyzing Attacks.



15. Legal Issues.

Are Honeypots Illegal?



The Fourth Amendment.

Stored Information: The Electronic Communications Privacy Act.

Real-Time Interception of Information: The Wiretap Act and the Pen/Trap Statute.






16. Future of Honeypots.

From Misunderstanding to Acceptance.

Improving Ease of Use.

Easier Administration.

Prepackaged Solutions.

Closer Integration with Technologies.

Targeting Honeypots for Specific Purposes.

Expanding Research Applications.

Early Warning and Prediction.

Studying Advanced Attackers.

Identifying New Threats.

Deploying in Distributed Environments.

A Final Caveat.



Appendix A. BackOfficer Friendly ASCII File of Scans.

Appendix B. Snort Configuration File.

Appendix C. IP Protocols.

Appendix D. Definitions, Requirements, and Standards Document.

Appendix E. Honeynet Logs.

Index.


It began as an innocent probe. A strange IP address was examining an unused service on my system. In this case, a computer based in Korea was attempting to connect to an RPC service on my computer. There is no reason why anyone would want to access this service, especially someone in Korea. Something was definitely up. Immediately following the probe, my Intrusion Detection System screamed an alert: an exploit had just been launched; my system was under assault! Seconds after the attack, an intruder broke into my computer, executed several commands, then took total control of the system. My computer had just been hacked! I was elated; I could not have been happier.

Welcome to the exciting world of honeypots, where we turn the tables on the bad guys. Most of the security books you read today cover a variety of concepts and technologies; almost all are about keeping blackhats out. This book is different. It is about keeping the bad guys in. It's about building computers that you want to be hacked. Traditionally, security has been purely defensive. There has been little an organization could do to take the initiative, to take the battle to the bad guys. Honeypots change the rules; they are a technology that allows organizations to take the offensive.

Honeypots come in a variety of shapes and sizes. Everything from a simple Windows system emulating a few services, to an entire network of production systems waiting to be hacked. Honeypots also have a variety of values. Everything from a burglar alarm that detects an intruder, to a research tool that can be used to study the motives of the blackhat community. Honeypots are unique in that they are not a single tool to solve a specific problem. Instead, they are a highly flexible technology that can fulfill a variety of different roles. It is up to you how you want to use and deploy these technologies.

In this book, we explain what a honeypot is, how it works, and the different values this unique technology can have. We then go into detail on six different honeypot technologies. We take you step by step through how these honeypot solutions work, their advantages and disadvantages, and what a real attack looks like to each honeypot. Finally, we cover deployment and maintenance issues of honeypots. The goal of this book is to not just give you an understanding of honeypot concepts and architecture, but to give you the skills and experience to deploy the best honeypot solutions for your environment. Throughout the book are examples based on real-world experiences; almost all the attacks discussed are based on real-world incidents. You will see the blackhat community at their best, and some at their worst. Best of all, you will arm yourself with the skills and knowledge to track these attackers and learn about them on your own.

I have been actively using honeypots for many years. I find them to be absolutely fascinating. They are an exciting technology that not only teaches you a great deal about blackhats, but also a great deal about yourself and security in general. I hope you enjoy this book as much as I have enjoyed writing and learning about honeypot technologies.


This book is intended for the security professional. Anyone involved in protecting or securing computer resources will find this resource valuable. It is the first publication dedicated to honeypot technologies, a tool that more and more computer security professionals will want to take advantage of once they understand its power and flexibility.

Due to honeypots' unique capabilities, other individuals and organizations will be extremely interested in this book. Military organizations can apply these technologies to cyberwarfare. Universities and security research organizations will find tremendous value in the material concerning research honeypots. Intelligence organizations can apply this book to intelligence and counter-intelligence activities. Members of law enforcement can use this material for capturing criminal activities. Legal professionals will find chapter fifteen to be one of the first definitive resources concerning the legal issues of honeypots.


This book has a CD-ROM accompanying it. The purpose of the CD-ROM is to give you additional information discussed in the book. It includes everything from whitepapers and source code to actual evaluation copies of software and data captures of real attacks. This will give you the hands-on opportunity to develop your skills with honeypot technologies. Also included with the CD-ROM are all the URLs referenced in the book, so you can learn more about the technologies discussed.

Web site

This book will have a Web site dedicated to it. The purpose of the Web site is to keep this material updated. If any discrepancies or mistakes are identified in the book, the Web site will have updates and corrections. For example, if any of the URLs mentioned in the book have changed or been removed, the Web site will have the latest links. Also, new technologies are always being developed and deployed. Visit the Web site to stay current with the latest in honeypot technologies.


Each chapter ends with a references section. The purpose is to provide you with resources to gain additional information about topics discussed in the book. Examples of references include Web sites that focus on securing operating systems and books that specialize in forensic analysis.



Giving the Hackers a Kick Where It Hurts

I'm an unabashed Lance Spitzner fan. This is the guy whose cell phone voice message says, "I'm busy geeking out right now, but leave a message, and I'll get back to you as soon as I can." I don't know when he actually stops geeking out long enough to sleep. I sometimes wonder if there are actually two of him. His enthusiasm for what he's doing bleeds over into all aspects of his life. Ideas for cool stuff erupt from him like a volcano and swirl around him, sucking in casual bystanders and students alike. It's somewhat intimidating to share a stage with him at a conference. He makes just about everyone else look uninteresting and tepid by comparison. Lance is a man who loves what he's doing, and what he loves doing is tracking hackers, sharing that information, and making a difference.

A lot of people like to reserve the term "hacker" for the techno-elite computer hobbyist--those media darlings often described as "misunderstood whiz-kids" or similar nonsense. One of the great by-products of Lance's work with honeypots and honeynets is that he's helped give us a much clearer picture of the hacker in action: often technically unsophisticated kids playing around with technologies they barely understand. In Know Your Enemy the Honeynet Project demonstrated just how active and unskilled most hackers are. What's that--you don't believe it? Set up your own honeypot or honeynet and see for yourself. This book gives you the necessary tools and concepts to do it!

I think it's a great thing for the security community that Lance has written this book. In the past, the hackers roamed our networks with supreme confidence in their anonymity. They take advantage of systems they've compromised to chat with their buddies safely or to launch attacks against other systems and sites without fear of detection. Now, however, they may pause to wonder if their bases of operation are safe--whether they're actually planning their attacks and deploying their tricks under a microscope.

Honeypots are going to become a critical weapon in the good guys' arsenals. They don't catch only the lame hackers. Sometimes they catch the new tools and are able to reduce their effectiveness in the wild by letting security practitioners quickly react before they become widespread. They don't catch just the script kiddies outside your firewall but the hackers who work for your own company. They don't catch just unimportant stuff; sometimes they catch industrial spies. They can be time- and effort-consuming to set up and operate, but they're fun, instructive, and a terrific way for a good guy to gain an education on computer forensics in a real-world, low-risk environment.

Right now there are about a half-dozen commercial honeypot products on the market. Lance covers several of them in this book, as well as "homemade" honeypots and honeynets, focusing on how they operate, their value, how to implement them, and their respective advantages. I predict that within one year, there will be dozens of commercial honeypots. Within two years, there will be a hundred. This is all good news for the good guys because it'll make it easier for us to deploy honeypots and harder for the bad guys to recognize and avoid them all. When you're trying to defend against an unknown new form of attack, the best defense is an unknown new form of defense. Honeypots will keep the hackers on their toes and, I predict, will do a lot to shatter their sense of invulnerability. This book is a great place to start learning about the currently available solutions.

In this book Lance also tackles the confusion surrounding the legality of honeypots. Lots of practitioners I've talked to are scared to dabble in honeypots because they're afraid it may be considered entrapment or somehow illegal. It's probably a good idea to read the chapter on legal issues twice. It may surprise you. Welcome to the cutting edge of technology, where innovation happens and the law is slow to catch up to new concepts. Meanwhile, you can bet that with renewed concerns about state-sponsored industrial espionage and terrorism the "big boys" will be setting up honeypots of their own. I'd hate to be a script kiddy who chose to launch his next attack from a CIA honeypot system! When the big boys come into the honeypot arena, you can bet that they'll make sure it's legal.

The sheer variety and options for mischief with honeypots are staggering. (There is even a honeypot for spam e-mails.) You can use the concepts in this book to deploy just about any kind of honeypot you can imagine. Would you like to build a honeypot for collecting software pirates? I don't think that's been done yet. How about a honeypot that measures which hacking tools are most popular by tracking hits against an index page? I don't think that's been done yet, either. The possibilities are endless, and I found it difficult to read this book without thinking, "What if . . . ?" over and over again.

I hope you enjoy this book and I hope it inspires you to exercise your own creativity and learn what the bad guys are up to and then share it with the security community. Then follow Lance's lead, and make a difference.

--Marcus J. Ranum
Woodbine, MD
April 2002

