Application Network Defense – Building Intrusion Detection Honeypots

Application Network Defense – Building Intrusion Detection Honeypots
English | Tutorial | Size: 3.7 GB

When an attacker breaks into your network, you have a home-field advantage. But how do you use it?

Although different attackers might attack your network in unique ways, their broad motivations and movements reveal common patterns that defenders can take advantage of. When you pair these patterns with your knowledge of your own network, you create a scenario ripe for deception.
By strategically giving attackers things they want to find, you can lure them into exposing themselves. Intrusion Detection Honeypots are the tools that make this possible.

Intrusion Detection Honeypots are security resources placed inside your network whose value lies in being probed and attacked. These fake systems, services, and tokens lure attackers in, enticing them to interact. Unbeknownst to the attacker, those interactions generate logs that alert you to their presence and educate you about their tradecraft.

While traditional detection mechanisms like IDS can be effective, they are often time-consuming to maintain and tune. Analysts spend significant time dealing with false positives, which makes IDS inaccessible to smaller organizations. With honeypots placed inside your network, nobody should ever legitimately interact with one. Without legitimate traffic to sift through, any interaction becomes anomalous, limiting the potential for false positives. That makes IDH an incredibly high-efficacy form of intrusion detection that requires minimal tuning. IDH scales down just as well as it scales up.

While the concept of IDH has been around for a while, many myths exist about using honeypots for detection. Until recently, there hasn’t been any formal education on leveraging this technology in production networks.
It’s time we change that and empower defenders with the framework and tools they need to leverage deception against attackers.

Building Intrusion Detection Honeypots

Building Intrusion Detection Honeypots will teach you how to build, deploy, and monitor honeypots designed to catch intruders on your network. You’ll use free and open source tools to work through over a dozen different honeypot techniques, starting from the initial concept and working to your first alert.

Building Intrusion Detection Honeypots is the seminal course on strategic honeypot deployment for network defenders who want to leverage deception to find attackers on their network and slow them down.

You’ll learn.

What makes an intrusion detection honeypot different from research honeypots.
How to leverage the four characteristics of honeypots for the defender’s benefit: deception, interactivity, discoverability, and monitoring.
How to think deceptively with an overview of deception from a psychological perspective.
How to use the See-Think-Do framework to integrate honeypots into your network and lure attackers into your traps.
Tools and techniques for building service honeypots for commonly attacked services like HTTP, SSH, and RDP.
How to hide honey tokens amongst legitimate documents, files, and folder.
To entice attackers to use fake credentials that give them away.
Techniques for embedding honey credentials in services and memory so that attackers will find and attempt to use them.
How to build deception-based defenses against common attacks like Kerberoasting and LLMNR spoofing.
Monitoring strategies for capturing honeypot interaction and investigating the logs they generate.

For each honeypot, I’ll explain its overall goal and how it allows you to control what the attacker sees, thinks, and does. I’ll demonstrate the step-by-step instructions of how to build the honeypot. I’ll also advise on how to place it for discoverability in your network, and we’ll walk through considerations for making your honeypot more interactive to collect additional intelligence about the attacker. Finally, I’ll show you how to configure monitoring and alerting for the honeypot so you’ll know when an attacker interacts with it.

Intrusion Detection Honeypots are one of the most cost-effective, reliable forms of intrusion detection. If you want to start learning how to use deception against attackers with honey services, tokens, and credentials, Building Intrusion Detection Honeypots is the course you’re looking for.

You can view a detailed course syllabus here and a sample video here.

Building Intrusion Detection Honeypots Includes:

Over 12 hours of demonstration videos. These videos will provide step-by-step walkthroughs of setting up each individual honeypot and considerations for deception, discoverability, interactivity, and monitoring.

The Intrusion Detection Honeypots book. You’ll receive a free electronic copy of Intrusion Detection Honeypots: Detection through Deception by Chris Sanders.

Hands-on labs to help you develop and test your honeypots. For each honeypot I demonstrate, I’ll discuss how to get logs from it and ship them to monitoring infrastructure. If you’ve already got monitoring infrastructure to receive those logs, great! If not, I’ll show you how to build a simple ELK-based receiver to capture logs and how to leverage third-party automation services like Zapier to generate alerts. These mechanisms make honeypot-based alerting accessible to organizations of all sizes.

Configuration files to help you along. I’ll provide logging configurations (Logstash, Winlogbeat, Filebeat) and detection signatures (Sigma and Suricata) for every honeypot I demonstrate in the class.

Connect with deception-minded practitioners. You’ll build the honeypots I demonstrate and discuss unique ways to deploy deception techniques with other students.

Access to Chris Sanders office hours. I maintain open office hours for students of my Applied Network Defense courses, with a few sessions per month. I’ll be available during this time for face-to-face video to answer any questions you may have or anything you’d like to discuss related to the course material or how you might apply it in your work.

Participation in our student charitable profit-sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.

Buy Long-term Premium Accounts To Support Me & Max Speed



If any links die or problem unrar, send request to

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.