Honeypots Tracking Hackers
by Lance Spitzner
452 pages. Endnotes, index, five appendices, CD-ROM.
ISBN 0-321-10895-7 LoC QA769A25 S67 2002. $44.99.
Reviewed by Robert Bruen November 11, 2002
Honeypots/honeynets have matured into a field of their own with good reason. What started years ago as a deception toolkit has morphed into a tar pit and a weapon which has attracted the attention of some of the some three-letter government agencies. This title follows on the heels of Know Your Enemy, an excellent introduction to honeynets. The original Honeynet Project was a team working to understand what the activities of the blackhats. This book takes the next step incorporating what has been learned this past year or so. In addition it brings together the work of others, including commercial products. It seems to me that the idea of a system that is only there to see if someone is breaking into your network is a fairly sound idea. The system need not be expensive, especially if it is not tasked for anything else. It can used as a tool to study behavior on a global scale, either over time or at a single event time with the cooperation of lots of whitehats. It can be used as cousin to the usual intrusion detection systems already in place or as a way for law enforcement to get a better handle on what is happening in general.
Even though the basic idea is cheap and easy, the development process has added the usual layers of complexity, resulting even in a bit of competition among products. The complexity also demands some design work, policy creation, analysis and generally paying attention to the operation. Not only does one have to deal with all of this, but there may be legal ramifications, most notably, entrapment. While it appears that there is no legal hurdle to jump, it is always best to make sure. This requires becoming familiar with the issues and potential problems, at a minimum, then making a conscious decision about how to proceed. The drift of technology into social and legal arenas was inevitable and has been underway for years. Technical books need to address both technical topics and the social impact, which includes legal, economic, political, children, religious, and on and on. Fortunately, Spitzner has provided chapters that help. Issues are explained, relevant laws are quoted and important decision points are raised.
Among the layers of complexity are some interesting technical areas. The basic tenet is to have a system which gets broken into in order to observe the cracker. Easy enough, except how do know when someone has breached the wall? That would be either watching the system all time, which sounds impractical. Or logging everything, which is fine, unless you want to know when someone has just shown up. Alerting features are clearly required. This means a bit more than just an email, things like reliability, proper content and the ability to prioritize are important considerations for a meaningful alert system. As necessary as alerts are, one must also think about data capture and analysis. One must figure out how to contain crackers once they are inside. There are jails (chroot) and cages (ManTrap) with somewhat different implementations of confinement. The question is: how much should the cracker be allowed to do? Risk will vary depending on what access the cracker has to services. Six different honeypots are reviewed in enough detail to help make decisions on how to proceed ranging from commercial to OpenSource, from a limited set of features to full featured.
Honeypots is highly recommended reading for several reasons, not the least of which is that it comes from horse's mouth. It covers a wide range of technical and social implication points. It is a valuable resource for an idea whose time has come. Now the blackhats have to be a bit more careful when poking around in someone else's backyard. Not only are the honeypots waiting, but their operation is becoming more sophisticated everyday, due in some part because of this book. We can all benefit by learning more about the blackhats and you may want to implement your own honepot. Here is the resource.