Building Intrusion Detection Honeypots
When an attacker breaks into your network, you have a home-field advantage. But how do you use it?
Although different attackers might attack your network in unique ways, their broad motivations and movements reveal common patterns that defenders can take advantage of. When you pair these patterns with your knowledge of your own network, you create a scenario ripe for deception.
By strategically giving attackers things they want to find, you can lure them into exposing themselves. Intrusion Detection Honeypots are the tools that make this possible.
Intrusion Detection Honeypots are security resources placed inside your network whose value lies in being probed and attacked. These fake systems, services, and tokens lure attackers in, enticing them to interact. Unbeknownst to the attacker, those interactions generate logs that alert you to their presence and educate you about their tradecraft.
While traditional detection mechanisms like IDS can be effective, they are often time-consuming to maintain and tune. Analysts spend significant time dealing with false positives, which makes IDS inaccessible to smaller organizations. With honeypots placed inside your network, nobody should ever legitimately interact with one. Without legitimate traffic to sift through, any interaction becomes anomalous, limiting the potential for false positives. That makes IDH an incredibly high-efficacy form of intrusion detection that requires minimal tuning. IDH scales down just as well as it scales up.
While the concept of IDH has been around for a while, many myths exist about using honeypots for detection. Until recently, there hasn’t been any formal education on leveraging this technology in production networks.
It’s time we change that and empower defenders with the framework and tools they need to leverage deception against attackers.
Building Intrusion Detection Honeypots will teach you how to build, deploy, and monitor honeypots designed to catch intruders on your network. You’ll use free and open source tools to work through over a dozen different honeypot techniques, starting from the initial concept and working to your first alert.
Building Intrusion Detection Honeypots is the seminal course on strategic honeypot deployment for network defenders who want to leverage deception to find attackers on their network and slow them down.
- What makes an intrusion detection honeypot different from research honeypots.
- How to leverage the four characteristics of honeypots for the defender’s benefit: deception, interactivity, discoverability, and monitoring.
- How to think deceptively with an overview of deception from a psychological perspective.
- How to use the See-Think-Do framework to integrate honeypots into your network and lure attackers into your traps.
- Tools and techniques for building service honeypots for commonly attacked services like HTTP, SSH, and RDP.
- How to hide honey tokens amongst legitimate documents, files, and folder.
- To entice attackers to use fake credentials that give them away.
- Techniques for embedding honey credentials in services and memory so that attackers will find and attempt to use them.
- How to build deception-based defenses against common attacks like Kerberoasting and LLMNR spoofing.
- Monitoring strategies for capturing honeypot interaction and investigating the logs they generate.
For each honeypot, I’ll explain its overall goal and how it allows you to control what the attacker sees, thinks, and does. I’ll demonstrate the step-by-step instructions of how to build the honeypot. I’ll also advise on how to place it for discoverability in your network, and we’ll walk through considerations for making your honeypot more interactive to collect additional intelligence about the attacker. Finally, I’ll show you how to configure monitoring and alerting for the honeypot so you’ll know when an attacker interacts with it.
Intrusion Detection Honeypots are one of the most cost-effective, reliable forms of intrusion detection. If you want to start learning how to use deception against attackers with honey services, tokens, and credentials, Building Intrusion Detection Honeypots is the course you’re looking for.
Building Intrusion Detection Honeypots Includes:
Over 12 hours of demonstration videos. These videos will provide step-by-step walkthroughs of setting up each individual honeypot and considerations for deception, discoverability, interactivity, and monitoring.
The Intrusion Detection Honeypots book. You’ll receive a free electronic copy of Intrusion Detection Honeypots: Detection through Deception by Chris Sanders.
Hands-on labs to help you develop and test your honeypots. For each honeypot I demonstrate, I’ll discuss how to get logs from it and ship them to monitoring infrastructure. If you’ve already got monitoring infrastructure to receive those logs, great! If not, I’ll show you how to build a simple ELK-based receiver to capture logs and how to leverage third-party automation services like Zapier to generate alerts. These mechanisms make honeypot-based alerting accessible to organizations of all sizes.
Configuration files to help you along. I’ll provide logging configurations (Logstash, Winlogbeat, Filebeat) and detection signatures (Sigma and Suricata) for every honeypot I demonstrate in the class.
Connect with deception-minded practitioners. You’ll build the honeypots I demonstrate and discuss unique ways to deploy deception techniques with other students.
Access to Chris Sanders office hours. I maintain open office hours for students of my Applied Network Defense courses, with a few sessions per month. I’ll be available during this time for face-to-face video to answer any questions you may have or anything you’d like to discuss related to the course material or how you might apply it in your work.
Participation in our student charitable profit-sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
Frequently Asked Questions
Is this course live?
This is NOT a live course. It’s an online video course you can take at your own pace.
How long do I have access to the course material?
You have access to the course for six months following your purchase date. If you need more time, you can extend your access for a small monthly fee.
Are there any prerequisites or lab requirements for this course?
This course is designed for all security practitioner skill levels and assumes no prior honeypot experience. However, it is helpful to have a basic understanding of security monitoring. There are no specific system requirements for this course, but if you want to follow along building every honeypot I discuss, you’ll need access to Windows and Linux systems.
How much overlap is there between the book and the course?
The Building Intrusion Detection Honeypots course is based on the Intrusion Detection Honeypots: Detection through Deception book. You can think of the book as a textbook for the course. However, the course allows for more detailed hands-on demonstrations, the discussion of additional nuance, and coverage of more scenarios for deploying honeypots on your network. The course also contains additional honeypot techniques not covered in the book and will have more added over time.
How much time does it take to do this course?
Given the amount of content, it takes people dramatically different times to complete the material. If you focus most of your time on it, you can complete everything in about a week. Most choose to spread it out over a few weeks as they practice the concepts demonstrated.
How many CPEs/CMUs is this course worth?
Organizations calculate continuing education credits in different ways, but they are often based on the length of the training. This course averages 15 hours of video+lab work.
Do you offer discounts for groups from the same organization?
Yes. To inquire about discounts or group invoices, please contact us at firstname.lastname@example.org.
Bulk discounts are available for organizations that want to purchase multiple licenses for this training course. Please contact us to discuss payment and pricing.