Tracking Hackers
The structure of the book differs from that of "Know Your Enemy": Lance starts from the very beginning, namely his own first experience of having a honeypot penetrated, and then goes on to cover every aspect of honeypots. In-depth, well-structured background on honeypot technology is provided, and honeypots are classified by the level of interaction they are able to offer an attacker.
In addition, the book covers the business case for using honeypots. By classifying the value of honeypots into prevention, detection and response (exactly as the Honeynet Project white papers do), Lance Spitzner analyzes what honeypot technology contributes to an overall security posture. The book also describes the differences between research and production honeypots and demonstrates the benefits of each in various deployment scenarios.
A good part of the book is devoted to particular honeypot solutions: 'honeyd' by Niels Provos and several commercial honeypots, with a detailed explanation of how each works. For example, there is a clear description of ARP spoofing and of how the 'honeyd' daemon uses it to answer for unused IP addresses, so that traffic aimed at those addresses reaches the honeypot instead of going nowhere. An interesting chapter on "homegrown" honeypots (such as the ones used to capture the popular worms of 2001) sheds some light on the simplest honeypots that can be built for a specific purpose, such as capturing a widespread attack with nothing more than a simple port listener. The use of a UNIX chroot() jail for honeypots is also analyzed (with the usual caveat that chroot() on its own is not a confinement boundary against an intruder who gains root).
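The "simple port listener" honeypot that chapter describes, as an added example: this is my own illustration, not code from the book, from honeyd or from the Honeynet Project. It listens on one TCP port, accepts each connection, records the source, the first bytes sent and a coarse label for them, and hangs up without ever writing anything back. The class and function names, the labelling heuristics and the two requests the self-test sends (an oversized HTTP request line and a bare connect-and-close) are all constructed for this example.

```python
import datetime
import socket
import threading

MAX_CAPTURE = 4096      # bytes buffered per connection, at most


def classify(payload: bytes) -> str:
    """Coarse label for the first bytes a client sent (heuristics constructed here)."""
    if not payload:
        return "empty-probe"            # connect-and-close, e.g. a port scan
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        request_line = payload.split(b"\r\n", 1)[0]
        if len(request_line) > 512:     # worm-style oversized request line
            return "http-oversized-request"
        return "http-request"
    return "unknown"


def make_record(peer, payload: bytes) -> dict:
    """Everything kept about one connection: who, when, how much, and a sample."""
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src_ip": peer[0], "src_port": peer[1],
        "bytes": len(payload), "kind": classify(payload),
        "sample": payload[:64].hex(),   # hex so binary payloads log safely
    }


class PortListenerHoneypot:
    """Listen on one TCP port and log every connection; nothing is ever written
    back, so there is no service to exploit but the probe itself is captured.
    port=0 lets the OS pick a free port; a deployment uses the attacked port."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.records = []
        self._cond = threading.Condition()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def handle(self, conn, peer) -> dict:
        conn.settimeout(2.0)            # seconds to wait on a slow or silent client
        chunks, total = [], 0
        try:
            while total < MAX_CAPTURE:
                data = conn.recv(min(1024, MAX_CAPTURE - total))
                if not data:
                    break               # client closed
                chunks.append(data)
                total += len(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break               # end of HTTP-style headers
        except socket.timeout:
            pass                        # silent client: keep what we have
        finally:
            conn.close()
        record = make_record(peer, b"".join(chunks))
        with self._cond:
            self.records.append(record)
            self._cond.notify_all()
        return record

    def _serve(self):
        self.sock.settimeout(0.2)       # so the loop notices stop()
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            self.handle(conn, peer)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def wait_for_records(self, n, timeout=5.0) -> bool:
        with self._cond:                # False if n records never arrive
            return self._cond.wait_for(lambda: len(self.records) >= n, timeout)


def probe(port, payload: bytes):
    """Constructed client for the self-test: connect to the listener, send payload."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)              # b"" = connect and hang up


if __name__ == "__main__":
    hp = PortListenerHoneypot().start()
    probe(hp.port, b"GET /" + b"N" * 600 + b" HTTP/1.0\r\n\r\n")   # constructed
    probe(hp.port, b"")
    hp.wait_for_records(2)
    hp.stop()
    for r in hp.records:
        print(r["src_ip"], r["src_port"], r["kind"], r["bytes"], r["sample"][:16])
```

Run stand-alone it connects to itself twice and prints the two records. On a real network it would bind the port the attack targets, which for a low port needs root and a host you are content to have probed; the design point that carries over is that the listener never answers, so it captures the payload without offering the attacker anything to exploit, and the capture is bounded (MAX_CAPTURE, a read timeout) so a slow or flooding client cannot exhaust it.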
Of course, a special chapter is devoted to honeynets, the Project's primary weapon in the war against malicious hackers. The Generation II (GenII) honeynet technology is introduced in book form here for the first time. The chapter not only offers honeynet deployment and maintenance suggestions but also discusses the risks of running a honeynet, above all that a compromised honeypot can be turned against third parties unless outbound traffic is controlled.
Another great feature of the book is a chapter on honeypot implementation strategies and methods, such as using NAT to forward traffic to a honeypot and installing a honeypot in a DMZ. The material is then demonstrated in two full honeypot case studies, from planning through to operation.
Even more important, maintaining a honeypot architecture is covered in a separate chapter. Honeypots are a challenge to run, mainly because the usual "lock it down and keep it that way" approach does not apply: the system exists to be attacked, so one has to constantly rebuild defenses and hide from or dodge attacks that cannot be defended against.
"Tracking Hackers" also has a "Legal Issues" chapter, written with extensive feedback from a DoJ official. It dispels some misconceptions about honeypots, such as the "entrapment" issue, and summarizes wiretap laws and the data-capture problems they raise.
The book describes very nearly the cutting edge of honeypot research and technology. To get the true cutting edge and learn about the Honeynet Project's latest activities in detail, wait for the second edition of "Know Your Enemy" (coming out next year). In "Tracking Hackers" Lance makes some predictions in the "Future of Honeypots" chapter: honeypot-based early warning systems and distributed deployments, analysis of new threats, expanding research applications, and making honeypots easier to deploy and maintain are all covered there.
To conclude, Marcus Ranum's enthusiastic preface is not an overstatement: it is indeed a great book, both for security professionals and for others interested in this exciting technology. While I was already familiar with most of the information in the book, it was a fascinating read! This is the kind of book you do not want to, or even cannot, put down until the last page is turned.
Anton Chuvakin, Ph.D., GCIA (http://www.chuvakin.org) is a Senior Security Analyst with a major security company.
You can purchase Honeypots: Tracking Hackers from bn.com.
If so, we need more honeypots; if not, it's a waste of time.
Perhaps a honeynet on its own is not terribly useful to the general population. However, the documentation, case studies and other material provided by this SPECIFIC honeynet project has enormous value. Their whitepapers are a very thorough look at real life hacking situations. I could see university classes formed based upon the research and publishing they have done.
As everybody knows, theory is great but real world examples can be just as, if not more, valuable. And here we have a project that has provided those examples.
Not only that, but imagine the time (read: money) and money spent on a honeynet, and watching a honeynet versus actually paying for better security software/people.
Unless you are in the security software biz, honeynets are a complete waste of money.
You have to place an advance order and wait a month and a bit till it comes out.
Amazon.com has a cheaper price ($31.49) and an earlier release date (Sept 20th) than Barnes&Noble.com ($35.99, release Sept 27th).
Looking forward to reading it :-)
Opensource=Openmind=Freedom