Honeypots as sticky as ever

Longtime readers of my column know what a honeypot proponent I am. I run several around the world, collecting information on malware and malicious hackers, and I think every company should have one. 

Companies should have a honeypot, not to learn hacker and malware tricks, but as an early warning system. All computer security defenses will ultimately fail. And if they fail and a bad thing gets by your defenses, what's the next best thing? Early warning.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

Take a box you're getting ready to throw away, and make it a honeypot. Stick it somewhere in your environment where it's likely to get noticed by an intruder, and tell it to page your incident response team (or you) if anything unexpected tries to connect to it. It's a fake computer asset, and nothing (once you've fine-tuned the false positives out) should ever connect to it. When something does, it's more than likely malicious. I've caught many hackers this way, identified bots that no other defenses found, and even participated in the capture of a Russian hacker. Honeypots work. They are high value and low noise. I've always been perplexed about why they haven't had stronger adoption and use in the computer security community.

Perhaps part of the problem is that the honeypot development world can be quite frozen at times. Months and months go by without any significant updates, but this month has seen a cornucopia of new developments and updates. Here are some of my favorites:

New honeypot book

Niels Provos (creator of Honeyd and senior staff engineer at Google) and Thorsten Holz have written an excellent honeypot book in "Virtual Honeypots: From Botnet Tracking to Intrusion Detection."

As a seasoned honeypot and honeyclient professional (and honeypot book author), I had high hopes for this book -- and it delivers. Niels and Thorsten provide a solid reference to beginners and more experienced honeypot users alike. The book covers how to install and use (step by step) dozens of honeypot products.

The list of what they cover is far too long to report here, but let's say they get to 95 percent of what any honeypot enthusiast would want to read about. My favorite subjects in the book are user-mode Linux, Honeyd, Honeywall, honeyclients, collecting malware with honeypots, tracking botnets, and analyzing malware.

The only downsides I could even come up with is that the book deals with a lot of Unix/Linux-only products, just like the honeypot software world, which might be a put-off for Windows-only readers. And it didn't cover Kfsensor, my favorite Windows honeypot product. Other than that, it is an excellent, excellent book that I would recommend to any honeypot enthusiast. In the end, what I really liked about this book is its coverage of a wide range of products and its practical application to capturing and analyzing malware. It's a great addition to the books on honeypots already written by Lance Spitzner and myself.