New developments make honeypots even more valuable
By Roger A. Grimes
August 24, 2007
Longtime readers of my column know what a honeypot proponent I am. I run several around the world, collecting information on malware and malicious hackers, and I think every company should have one.
Companies should have a honeypot, not to learn hacker and malware tricks, but as an early warning system. All computer security defenses will ultimately fail. And if they fail and a bad thing gets by your defenses, what's the next best thing? Early warning.
Take a box you're getting ready to throw away, and make it a honeypot. Stick it somewhere in your environment where it's likely to get noticed by an intruder, and tell it to page your incident response team (or you) if anything unexpected tries to connect to it. It's a fake computer asset, and nothing (once you've fine-tuned the false positives out) should ever connect to it. When something does, it's more than likely malicious. I've caught many hackers this way, identified bots that no other defenses found, and even participated in the capture of a Russian hacker. Honeypots work. They are high value and low noise. I've always been perplexed about why they haven't had stronger adoption and use in the computer security community.
Perhaps part of the problem is that the honeypot development world can be quite frozen at times. Months and months go by without any significant updates, but this month has seen a cornucopia of new developments and updates. Here are some of my favorites:
New honeypot book
Niels Provos (creator of Honeyd and senior staff engineer at Google) and Thorsten Holz have written an excellent honeypot book in "Virtual Honeypots: From Botnet Tracking to Intrusion Detection."
As a seasoned honeypot and honeyclient professional (and honeypot book author), I had high hopes for this book -- and it delivers. Niels and Thorsten provide a solid reference to beginners and more experienced honeypot users alike. The book covers how to install and use (step by step) dozens of honeypot products.
The list of what they cover is far too long to report here, but let's say they get to 95 percent of what any honeypot enthusiast would want to read about. My favorite subjects in the book are user-mode Linux, Honeyd, Honeywall, honeyclients, collecting malware with honeypots, tracking botnets, and analyzing malware.
The only downsides I could even come up with is that the book deals with a lot of Unix/Linux-only products, just like the honeypot software world, which might be a put-off for Windows-only readers. And it didn't cover Kfsensor, my favorite Windows honeypot product. Other than that, it is an excellent, excellent book that I would recommend to any honeypot enthusiast. In the end, what I really liked about this book is its coverage of a wide range of products and its practical application to capturing and analyzing malware. It's a great addition to the books on honeypots already written by Lance Spitzner and myself.
Updated Honeyd for Windows
Honeyd, originally a Unix/Linux-only product by Niels Provos, is one of the best virtual honeypot software programs in existence. It is very flexible and useful. Michael Davis did the original Honeyd port to Windows (thank you very much, Michael), but that version didn't keep up as Windows XP and later came out. Changes in Microsoft Windows and a few other notorious bugs made it hard for me to ever recommend using Honeyd for Windows over the last year or so.
Instead, I'd suggest that people use the Unix/Linux version of Honeyd, but that meant learning new skills if you were a Windows-only person. Or they could use Kfsensor.
Jesper Jurcenoks, co-founder of netVigilance, has released an updated version of Honeyd for Windows. You can get it at the netVigilance Web site. Jesper and his company took the time to do a complete rewrite and free update of Honeyd for Windows. He even corrected one bug that remains in the Linux/Unix version to make sure it didn't get replicated to the Windows version, and netVigilance offers a $99 GUI configurator, which can save you hours of configuring and troubleshooting. Thanks to Jesper and netVigilance (and Michael Davis for his earlier contributions) for allowing us Windows security types to play with Niels' excellent honeypot software.
CaptureBAT is a neat, free tool for Win32 honeypots that analyzes file, registry, and process information. It's an excellent addition to Sebek in that it provides far more information. It works on all Win32 systems, including Vista, and comes with the ability to exclude predefined types of activity (which is a must when you're doing real-time file and registry analysis).
Capture-HPC is a high-interaction honeyclient. The New Zealand Honeypot Project, which produced Capture-HPC, also wrote an excellent white paper on using Capture-HPC to identify malicious Web servers. The group includes the paper, data, and tools for anyone to replicate, and it inspected more than 300,000 URLs (nearly 149,000 hosts) found on 194 malicious servers. It's an interesting read.
If you haven't investigated the honeypot world in a while, this is the time to come back and get involved.
Roger A. Grimes is contributing editor of the InfoWorld Test Center. He also writes the Security Adviser blog and the Security Adviser column.