Know Your Enemy: Learning about Security Threats

By | September 6, 2004

Ever wanted to monitor what´s going on in the internet by seeing it first hand? Well honeypots enable you to do that. This book is an official release of the HoneyNET Project, the leaders in honeypot technology. The book “Know Your Enemy: Learning About Security Threats” is extremely informative and detailed. From here on out, I will be referring to this book as “KYE”(Know Your Enemy).

Authors: Honeynet Project, The

Pages: 800

Publisher: Addison Wesley Professional

ISBN: 0321166469

Available for download sample chapter 8 – “Legal Issues” and available for download sample chapter 16 – “Profiling”.

About the author

The Honeynet Project is a nonprofit security research organization made up of volunteers. These volunteers are dedicated to learning the tools, tactics, and motives of the blackhat community and sharing lessons learned. The Honeynet Project has 30 members, and works with various other organizations through The Honeynet Research Alliance.

The Book

Starting with Chapter one we get to see a brief history of the HoneyNET Project and how it came to be. It´s interesting to note how things used to be back around ´99, security-wise that is. In this chapter you will also get to hear more about the HoneyNET Project and how it works. It will discuss their Scan Of The Month(SoTM) which contain real situations, binaries, and logs that the HoneyNET people have seen on their nets. Another interesting part of this chapter is their discussion of the HoneyNET Research Alliance(HRA) which is a number of different honeynet projects sharing their info with each other. Believe it or not, there are more honeypots on the internet than you might think.

Chapter two is about different types of honeypots. It will discuss GenI and GenII honeypots, virtual honeypots, honeypots which emulate different services and operating systems, and it will detail their advantages and disadvantages. It tells about a few unique honeypot emulators like HoneyD and Symantec Decoy Server. This chapter is actually quite indepth on what honeypots are and what they are not. Definately an interesting chapter.

Chapter three is a short chapter detailing how they do certain things on the honeynet, like data capture, data control, etc. Short chapter, but also very revealing on the different ways they do things.

Chapter four is about GenI honeynets. This is a pretty long chapter, but it´s also very informative. It will tell you how to set up a GenI honeynet, the history of GenI honeynets, and what you need in order to set one up properly. A few nice examples are included, and you get to see illustrations of the network topology showing you what goes where and how the data is passed around. The steps for setting up a GenI honeynet are nice and detailed without being confusing. At the end of this chapter will be an example attack for you to read as well. The attack is pretty simple, but that´s how it should be since you are just getting started. When you think you´ve got this chapter down, go ahead and advance to the next one.

Chapter five details the workings of a GenII honeynet. In the very beginning is some information on the improvements over GenI honeynets. A number of different scripts and tools are used with GenII honeynets, and they are described as such. Some of the tools you will probably be using for your GenII honeynet, are Snort or Snort-Inline, IPTables, Sebek, the HoneyNET Projects´ own rc.firewall script for IPTables, and a couple of other analysis tools.

Chapter six deals with virtual honynets, how to set them up, and what the advantages and disadvantages are. Another rather short chapter, but informative none-the-less. Details on different kinds of virtual machines you can use, like VMWare, UML(UserModeLinux), and some others. If you want to set up a quick honeynet then a virtual one is probably the fastest way.

Chapter seven is distributed honeynets. This chapter is also short, and it covers Distributed Honeynets and Honey Farms. Directions on how to setup a honeyfarm are included in this chapter as well. Some issues with distributed honeynets are also discussed towards the end of the chapter.

Chapter eight is about the legal issues associated with honeynets. I personally skipped this one because it was rather boring, but if you are planning on setting up a honeynet, I definately recommend you review this chapter before doing so.

Part Two starts with chapter nine.

Chapters nine through thirteen concern analysis. Chapter nine, ten, and eleven are all basic analysis knowledge for you to review. The chapters here are all relatively short also, and each focus on a different operating system. Chapter fourteen is on reverse-engineering and disassembling software. It´s a reasonably long chapter, and includes much reverse-engineering and analysis information and techniques. Chapter fifteen is centralized data collection techniques and tools.

Part Three is called “The Enemy”, and starts with chapter sixteen.

Chapter sixteen is a long chapter about profiling. It has a lot of information such as the motives of “hackers”, and a nice detailed section called “A Bug´s Life” which talks about the initial discovery of an exploit, all the way to the “death”of it. This chapter is based more towards the social hierarchy of the “hacker” community. It details ranks and such, and how important a certain label can be in those communities. There is also an interesting sample at the end of the chapter for you to read.

Chapter seventeen is an extremely short chapter that touches briefly on some types of attacks, and the order with which an attacker exploits a system.

Chapters eighteen, nineteen, and twenty are all case studies for different operating systems*. Chapter eighteen is a Windows 2000 compromise and analysis for you to review, nineteen is a Linux break-in and analysis, and chapter twenty is a Solaris break-in and analysis. These case studies are very detailed and fun to read, so I recommend you check them out.

Chapter twenty-one is the final chapter, and it´s a very brief chapter called “The Future”. It´s basically about the future of honeynets, law-enforcement, and a few other things.

The appendix contains the HoneyNET Project´s “IPTables Firewall Script”, their custom Snort configuration, Swatch configuration, a summary of their network configuration, the HoneyWall kernel configuration, and a GenII rc.firewall script. Also, a big bonus for this book, is that it comes with a CD-ROM that includes all the files listed in the appendix, plus more case studies, tools, whitepapers, and more.

My Opinion

I personally enjoyed this book and would recommend it to anyone interested in honeypots. You will enjoy most of it, although some parts are dull or repetitive, most of it is good. I especially liked the case-studies and the profiling chapters. So if you are interested in honeynets, get this book.

Leave a Reply