Rated by buyers 
-
Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots.
Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens.
The detection of honeypots has always been one of the main concerns in the honeynet community, basically because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light, tips, and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.
I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project on 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a quickly evolving field, definitely it has been replaced by this book, written by two project members.
The very first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the main two honeypots types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you lot of ideas for new deployments.
The whole book has been cooked with a how-to mentality , and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors experience. However, for the how to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step by step guides are very useful as a general setup reference.
From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Throsten Holz, are the lead developer/architect for honeyd (chapter 4 and 5) and strongly related with nephentes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about :), and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering from the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).
The book includes some extra material, covering academic and research hybrid solution, still on their early stages, but that can give you and idea of where these technologies are evolving to and the major challenges we are facing nowadays. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learn how to deal with intrusions.
Finally, one of the main expansion areas we are involved yesterday is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you to add all this knowledge to your incident handling and response capabilities.
Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how using VMware, you can build up a virtual Honeywall (just slightly mentioned on chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup in the Honeynet Project mailing lists, because all the previous whitepapers are obsoleted now. I've been deploying these type of solutions for fun and professionally during the last few years and I strongly recommend you to start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.
If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, definitely this book is for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time!
Rated by buyers -
The book is well written and I feel that I will be successful in setting up my very first honey pot once I get my network segmented for security purposes.
Rated by buyers -
It's fairly difficult to find good books on digital defense. Breaking and entering seems to be more exciting than protecting victims. Thankfully, Niels Provos and Thorsten Holz show that defense can be interesting and innovative too. Their book Virtual Honeypots is your ticket for deploying defensive resources that will provide greater digital situational awareness.
A security technician with some degree of proficiency should be able to read Virtual Honeypots and then implement at least one of the solutions presented. This sounds like a fairly common event, but too often technical books do not provide the detail required to transform theory into practice. Virtual Honeypots offers installation and operational guidance for a variety of deception and analysis systems, primarily for server-oriented technologies. I especially gained a better understanding of Honeyd and Nepenthes, the two applications about which I cared the most.
While I liked the very first 2/3 of the book, I have to say I really enjoyed the last four chapters. These covered Detecting Honeypots, Case Studies, Tracking Botnets, and Analyzing Malware with CWSandbox. Of these the final chapter was superb. Ch 12 has probably the clearest explanation of hooking I've read anywhere. I am not a rootkit writer or Windows kernel programmer, but the text was so well written I had zero problems following along.
I gave Virtual Honeypots five stars because it is so unique and well-written, but I do have a few minor issues to mention. First, I was somewhat disappointed by the honeyclients section (ch 8). I was not as confident that I could implement a honeyclient solution after reading the great material on server-oriented honeypots. Perhaps the second edition or a separate book will give greater attention to this area. Second, I found a few small technical items. On p 4, it isn't accurate to say "TCP...[gives] each packet a sequence number." Bytes of application data are numbered, not packets. On p 13 we are told to use a snaplen of 1500 bytes, but this will cut off the last 14 bytes of many Ethernet frames. Try it with ping -s 1472 while sniffing with Tcpdump. As you can see, these minor issues are easily fixed in a future printing and do not justify dropping a star.
If you are at all interested in potentially deceiving intruders, buy and read Virtual Honeypots. You'll learn about more than VMware (QEMU, UML, etc.) as well as numerous open source tools you can download and try for free. I look forward to reading more from these authors -- perhaps a book of true case studies?
Rated by buyers -
Excellent, really good, sorry for my bad English, but is EXCELENT BOOK.
Regards
Carlos
Rated by buyers -
I have relatively little to add to the praise that has already been given of this book, but I found it extremely enjoyable. In particular, the chapters on collecting and analyzing malware were quite good, in my mind. I think the book delves a bit too deeply into man page territory with the level of detail provided on the minutia of utilities, but that doesn't detract from the book, as it is very clearly segmented away from loftier topics.
Overall, I found this book to be quite excellent, and very informative and accessible to those new to the arena of Honeypots.