Virtual Honeypots: From Botnet Tracking to Intrusion Detection Book Review

This topic contains 3 replies, has 4 voices, and was last updated by  Kamilla 3 years, 9 months ago.

  • #1802
     Anonymous 
    Participant

    Virtual Honeypots: From Botnet Tracking to Intrusion Detection
    by Niels Provos (Author), Thorsten Holz (Author)

    5 stars

    Honeypots made easy

    Books that write down institutional knowledge, or knowledge that people in the industry know but that isn't written down anywhere, are few and far between. This book succeeds in taking that institutional knowledge and putting it into a readable, functional, and well-organized format.

    Before I get into the chapter play-by-play stuff, let me just say that Chapter 8, Client Honeypots, is worth the price of the book. Client-side attacks are where everything is moving to, and the days of a remote OS 0day are quickly fading away. One of the hardest things to automate and teach is client-side attacks because it used to involve user interaction (someone actually clicking on the email, link, .exe), but with the client honeypots they discuss in the book you can automate clicking on emails, clicking on links, spidering websites, and running the executables you download from the sites. You can also monitor your honeypot for changes after running the executable, good stuff!

    Most of the other reviewers said you can skip the introductory material, and you could, but it's better than the usual “beginning of the book/background” material. The book starts with a honeypot/honeynet introduction. Chapter 2 covers high-interaction honeypots, including a good chunk of information on VMware and your other “virtual” options such as User Mode Linux and Argos. Chapter 3 covers low-interaction honeypots like LaBrea, GHH, and PHP.HoP for your web-based low-interaction honeypots. Chapters 4 & 5 are a healthy dose of honeyd. Chapter 6 is collecting malware with Nepenthes and Honeytrap. Chapter 7 covers hybrid systems. Chapter 8 is, as discussed, Client Honeypots. Chapter 9 is on detecting low- and high-interaction honeypots. Chapter 10 contains case studies, Chapter 11 is Tracking Botnets, and Chapter 12 closes out the book with analyzing malware with CWSandbox.

    My only gripes about the book were that they failed to talk about persistent versus non-persistent modes in VMware, and there was no discussion of identifying VMware and Sebek in Windows. Configuring your virtual machine how you like it, then setting it to non-persistent, is a great way to let users or attackers do whatever they want to the OS. The changes survive an OS reboot, but if you reboot the virtual machine it goes back to the original state, very handy. The other gripe was a shortage of material on detection of Sebek on Windows hosts; it's covered in depth for Linux though. Detecting VMware and some other honeypot-type tools like Sebek in Windows is fairly easy. Simply querying for their respective registry keys usually does the job 🙂

    Overall, a good book. It's useful, up-to-date, and relevant to security today.

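The registry-query approach the reviewer mentions for spotting VMware (and honeypot agents such as Sebek) on a Windows guest, as an added worked example that is not from the book, the reviewer, or the Sebek/VMware projects. The VMware entries are the well-known artifacts (the VMware Tools key, the `vmmouse`/`VMTools` service keys, the SCSI `Identifier` string and the BIOS version strings) that public VM-detection code checks; the `SEBEK` service-key entry is an assumption, since the Sebek Windows client's driver name depends on how it was installed, and should be replaced with whatever name the deployment uses. The two registry snapshots are constructed for the demo so the scan logic runs offline; on a Windows host the same scanner runs against the live registry through `winreg`.

```python
"""Look for VMware / honeypot-agent artifacts in the Windows registry.

Added example. The VM_ARTIFACTS table and the scan logic are generic;
the reader passed to scan_registry() decides whether they are evaluated
against the live registry (winreg) or against a constructed snapshot.
"""
import sys

# (hive, subkey, value_name, marker)
#   value_name None  -> the mere existence of the key is a hit
#   otherwise        -> hit if the value's data contains marker (case-insensitive)
VM_ARTIFACTS = [
    ("HKLM", r"SOFTWARE\VMware, Inc.\VMware Tools", None, None),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\vmmouse", None, None),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\VMTools", None, None),
    ("HKLM", r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VMWARE"),
    ("HKLM", r"HARDWARE\Description\System", "SystemBiosVersion", "VMWARE"),
    ("HKLM", r"HARDWARE\Description\System", "VideoBiosVersion", "VMWARE"),
    # ASSUMPTION: Sebek's Windows client installs a kernel driver; the service
    # key name is chosen at install time, so adjust this entry per deployment.
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SEBEK", None, None),
]


def scan_registry(artifacts, read_key):
    """Return a list of human-readable hits.

    read_key(hive, subkey) must return a dict of {value_name_lower: data}
    when the key exists and None when it does not.
    """
    hits = []
    for hive, subkey, value_name, marker in artifacts:
        values = read_key(hive, subkey)
        if values is None:
            continue
        if value_name is None:
            hits.append(f"{hive}\\{subkey} exists")
            continue
        data = values.get(value_name.lower())
        if data is not None and marker.lower() in str(data).lower():
            hits.append(f"{hive}\\{subkey}\\{value_name} = {data!r}")
    return hits


def read_key_winreg(hive, subkey):
    """Live reader for Windows hosts: enumerate all values under a key."""
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        with winreg.OpenKey(hives[hive], subkey) as key:
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                values[name.lower()] = data
                index += 1
            return values
    except OSError:  # key missing or access denied
        return None


def make_snapshot_reader(snapshot):
    """Reader over a constructed {(hive, subkey_lower): {value_lower: data}} dict."""
    def read_key(hive, subkey):
        return snapshot.get((hive, subkey.lower()))
    return read_key


# Constructed snapshots (not captured from a real machine).
SAMPLE_VMWARE_GUEST = {
    ("HKLM", r"software\vmware, inc.\vmware tools"): {},
    ("HKLM", r"system\currentcontrolset\services\vmmouse"): {"start": 3},
    ("HKLM", r"hardware\devicemap\scsi\scsi port 0\scsi bus 0\target id 0\logical unit id 0"):
        {"identifier": "VMware, VMware Virtual S1.0"},
    ("HKLM", r"hardware\description\system"):
        {"systembiosversion": "INTEL  - 6040000", "videobiosversion": "VMware SVGA II"},
}
SAMPLE_BARE_METAL = {
    ("HKLM", r"hardware\description\system"): {"systembiosversion": "DELL   - 1072009"},
}


if __name__ == "__main__":
    if sys.platform == "win32":
        reader = read_key_winreg
    else:
        reader = make_snapshot_reader(SAMPLE_VMWARE_GUEST)
    for hit in scan_registry(VM_ARTIFACTS, reader) or ["no VM/honeypot artifacts found"]:
        print(hit)
```

Against the constructed VMware snapshot the scanner reports four hits (the VMware Tools key, the `vmmouse` service, the SCSI identifier and the video BIOS string) and none against the bare-metal snapshot. Treat this as one signal rather than proof either way: a honeypot operator who knows these checks can rename the Sebek driver and strip the VMware strings, which is exactly why the reviewer wanted the book to cover the Windows side of Sebek detection.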
  • #14619
     oleDB 
    Participant

    Good review. I was on the fence about getting this book, as we don’t really use honeypots at my work. However, based on your recommendation I will read it anyway, just to learn more about it. Is the sandbox section any good? That’s my primary interest.

  • #14620
     Kev 
    Participant

    Very well done review and thanks for making the effort.

  • #14621
     Kamilla 
    Participant

    This is a very good post which I really enjoy reading. It is not every day that I have the possibility to see something like this.


Copyright ©2019 Caendra, Inc.
