Book Review: Intrusion Detection HoneyPots, Detection through Deception

Intrusion Detection HoneyPots, Detection through Deception

  • Author: Chris Sanders
  • Publisher : Applied Network Defense (30 Aug. 2020)
  • Language : English
  • Paperback : 238 pages
  • ISBN-10 : 1735188301
  • ISBN-13 : 978-1735188300



Let's get the important stuff out of the way first1)

Cookie Recipe: 🍪🍪🍪🍪🍪

These cookies are very very good. Having to convert from obscure measurements to something for the modern ages (metric) was well worth it.

1) Read the book You must :)

Conclusion: Recommended reading for everyone interested in honeypots, novice or expert.

While I've worked on most of the ideas and products discussed in the book, I really liked the structure and content of the book.
Came away from reading it with a more structured approach to how, when, and where to deploy honeypots - Really wish this book was available when I started messing with honeypots, it would certainly have saved me some time.

Noteworthy (to me)
Chapter 1, A brief History of Honeypots: While a brief chapter on the history of honeypots, it's always great to be reminded of The Cuckoos egg and Berferd, however it gets even better in the following chapters.

Chapter 2, Defining and Classifying Honeypots: As Chris state in the book, "All honeypots are deceptive, discoverable, interactive, and monitored", but not just that, he's also providing a good explanation of what that these characteristics mean and what questions to ask regarding your own deployment. This chapter also gave me a better understanding of Whaleys Deception Taxonomy - I'd say that theory and practice converged and I'll be able to utilize that understanding better going forward.
Chapter 3, Planning Honeypot-Based Detection: See - Think - Do! - Not just the words, but used to explain honeypots very clearly and precisely. Combined with the case study, it really sets the stage. I feel kinda verified, as it confirms (most of) the ideas and principles I've used when deploying honeypots :)
Chapter 4, Logging and Monitoring: Even for someone with extensive experience in logging and monitoring there's still a lot of food for thought in this chapter - not just for honeypots, but in general. I'll be using variations of Chris's "Log plumbing reference framework for logging and monitoring infrastructure" to explain to both business and other colleagues why we've implemented e.g. certificates for encryption and mutual authentication in our logging infrastructure.
Chapter 5, Building Your First Honeypot from scratch: Nice and pragmatic intro to what a honeypot could be, using Netcat (Specifically NCAT from Fyodor).
Chapter 6, Honey Services: No problem, let's just build a Windows based RDP honeypot, a SSH honeypot with Cowrie, and a multi-service honeypot using OpenCanary. Again very concise and clear guidance that takes you most of the way to deploying honeypots.

Chapter 7, Honey Tokens: Read the "From the Threnches" sidebar. Like other chapters the Sigma and Suricata rules are great inspiration.
Chapter 8, Honey Credentials: This chapter goes way further and provides several possible ways of deploying honeytokens. amongst those, an example on how to create a "LLMNR Broadcast Honeypot", rounding the chapter off with some cool awesomeness. One caution, though, I think it is a violation of GDPR to use previous employers accounts as honeytokens as discussed - I might well be wrong (IANAL), but better safe than sorry.
Chapter 9, Unconventional Honeypots: The idea of a DHCP honeypot is cool, not least because it is likely to delay the adversary, however with a lot of potential pitfalls (YOLO). This chapter also covers "cloned website honeytokens", Honey-tables, and more, rounding the chapter off with honey commands using aliases on Linux.
[1] Applied Network Defense: https://www.networkdefense.co/

No comments: