Advanced Honeypot Tactics

Location: secwest.net, Vancouver, Canada

Description

Honeypots and honeynets are very much en vogue nowadays. This course explains what honeypots are, what they are good for, when they can bring rapid ROI to an organization deploying them, and when they are only of academic interest.

This class will teach how to set up different types of honeypots, how to learn more about the tools, tactics, and motives of attackers, and how to swiftly detect and react to malware outbreaks in an organization. We will also show how honeypot technology can be used to estimate risks in a way management understands. The main focus of the course lies on learning more about autonomously spreading malware and botnets. We focus on different low-interaction honeypot solutions and honeyclients, since these two kinds of tools can often be integrated easily into an existing infrastructure. We show how to use these tools together with CWSandbox, a malware analysis tool, to study botnets in detail and how to mitigate this threat within an organization or a larger network.

The course will be a mix of lectures and hands-on exercises, with a focus on practical techniques that have proven successful in the real world. The exercises involve, for example, setting up a honeypot, analyzing packet dumps, analyzing a given binary or shellcode, and extracting information from a given analysis report.

Topics:

You will learn during the course:

  • In-depth introduction to honeypots and honeynets

  • Overview of classical honeypots and honeyclients

  • Setting up different kinds of honeypots

  • Analyzing the collected information

  • Collecting malware with honeypots

  • Analyzing collected malware in an automated way

  • In-depth overview of current bots and botnets

  • Using honeypots to recognize infected machines

  • Protecting a network with the help of honeypots

Prerequisites

Students should be familiar with basic honeypot concepts and have a good understanding of TCP/IP networking and analysis tools like Wireshark. A basic understanding of the Windows OS and of malware analysis is a bonus.

Prerequisite material

Students need to bring a computer configured with VMware and powerful enough to run two VMware sessions at once. Students also need to have an IRC client and the Python programming language installed. All additional tools will be provided during the course.


Instructor: Thorsten Holz

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems. He is one of the founders of the German Honeynet Project and has an extensive background in the area of honeypots and bots/botnets. His research interests include the practical aspects of secure systems, but he is also interested in more theoretical considerations of dependable systems. In addition, he is the editor-in-chief of the German IT-security magazine MISC.


Instructor: Guillaume Valadon

No bio.