Slashdot Mirror


Know Your Enemy, 2nd Edition

Ben Rothke writes "Within law enforcement, establishing a modus operandi is one of the crucial things that can make the difference between finding a criminal and not. For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch. While both victims are equally dead, the manner of their deaths is radically different. So too with computer crime; knowing the modus operandi of the attacker can mean the difference between finding the perpetrator and not. In Know Your Enemy: Learning about Security Threats, the members of the Honeynet Project have written an excellent security reference that can enable one to begin to understand the motives of those who are attacking and compromising their systems." Read on for the rest of Rothke's review.

Know Your Enemy: Learning about Security Threats (2nd Edition)
Author: The Honeynet Project
Pages: 742
Publisher: Pearson Education
Rating: 8
Reviewer: Ben Rothke
ISBN: 0321166469
Summary: Observe intruders without putting your data at risk by building a tempting honeynet.

KYE was not written by a single author but rather by The Honeynet Project, a group of 30 individuals with complementary technical and legal skills. This diverse authorship creates a book with an abundance of valuable information.

The book details setting up a honeypot (a single host designed to gain the attention of network intruders) and a honeynet (a network designed to be penetrated in order to understand the motives of the attackers). If you can get an intruder to attack the bogus network, the double benefit is that 1) the attacker can do no damage to production data, while 2) his activities are being monitored and, with analysis, can be understood.

The book's premise is that it is not enough simply to know you have enemies; you need to understand what exactly they are doing, how they are doing it, the tools they are employing, and their objectives. Armed with such information, a company can ensure that it is making the best use of its resources to defend against and defeat its enemy.

This is the second edition of KYE, and honeynets have changed significantly since the first edition came out. With that, the first five chapters of the book go into what exactly a honeynet is, and then explain the differences between first- and second-generation honeynets. The main difference between the editions is that the first edition focused more on honeypots, or individual hosts. The second edition expands that to networks meant to be broken into, namely honeynets.

The opening chapters also go into detail about the specific value of honeynets. Those who entertain the idea that their honeynet is going to enable them to catch the next Kevin Mitnick will be clearly disappointed. The main benefit of honeypots and honeynets is information. Information is power, especially in computer security. For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do.

Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take these legal issues to heart can change a honeynet from an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet.

Part 2 (chapters 9-15) goes into the important area of analysis. Collecting data, after all, is only the first part. Analyzing it and making sense of it all is the difference between an experienced detective and a Keystone Cop. The analogy is real in that a honeynet is a potential crime scene.

Data analysis and forensics are crucial in that they are the only way to interpret the various types of data involved. The key for those involved is extracting the different types of data and turning that data into valuable information. Effective forensics enables digital investigators to know the difference between an innocuous attack and a malicious one.

While Part 2 is the most technical section of the book, Part 3 (chapters 16-21) attempts to explain the sociological reasons why whitehats and blackhats do what they do. Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter, knowing a profile of your adversary is crucial in containing the damage he can do. Identifying and understanding those attacking your system is just as important as the technical and analytical skills you will use in exposing them.

Know Your Enemy is a unique book in that it details not simply how to install and configure security devices, but how to use those devices to ensure a much greater level of security. It shows how you can take an offensive approach to computer security and understand the mindset of the attacker. That is something not easily found in other books.

The CD-ROM that comes with the book includes 10 of the book's 21 chapters, a number of informative white papers, all of the open source tools that the authors use, and a video about honeynets.

Those who enjoyed Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll will similarly find KYE entertaining and invaluable.

The companion web site for the book is honeynet.org/book. In and of itself, it is a great website, and complements a great book.

Overall, KYE is a most informative book on a fascinating subject. Unlike many computer security books, KYE is light on theory and screen dumps, but heavy on valuable and useful information on securing hosts and networks from adversaries. If you are looking for a proactive way to secure your corporate network, Know Your Enemy is the perfect place to start.

You can purchase Know Your Enemy: Learning about Security Threats (2nd Edition) from bn.com.

10 of 103 comments

  1. Re:Could someone elaborate on legal issues? by stratjakt · · Score: 5, Informative

    Look up the wiretapping laws in your state/jurisdiction. It varies from place to place. In some states it's legal to tape your phone calls; in some it requires that both parties agree to the recording. (i.e., Linda Tripp running afoul of MD's wiretapping laws when she taped Lewinsky.)

    Same types of things apply to the internet.

    You think you have some hacker dead to rights, and wind up being sued. You know, those "rights to privacy" slashdotters are always on about - other people have those too.

    --
    I don't need no instructions to know how to rock!!!!
  2. Re:Could someone elaborate on legal issues? by plcurechax · · Score: 3, Informative

    could someone (legally) elaborate on the illegalities of honeypots and nets?

    The main issue is for government (and perhaps government contractors) running honeypots/honeynets and the legal definition of entrapment.

    The rest is mainly a risk-taking or risk-aversion decision. At the very least, a criminal caught using evidence from a honeypot/net may launch a lawsuit.

  3. Re:Could someone elaborate on legal issues? by nlawalker · · Score: 4, Informative
    IANAL, and I may be completely wrong here, but I'm just kind of curious. Parent brings forward a good topic for discussion.

    How are wiretapping or entrapment even applicable? If a honeynet is a secure network (in this case, with very light security) and is broken into by a cracker, snooped around in, and exited, is this not synonymous with someone breaking and entering your home and leaving evidence at the crime scene? No one says that the network has to have a big sign over it that says "Honeynet - Hack here and you'll be caught!" For all anyone knows, it really could be a protected resource, so it's not like you're luring that burglar into the house and having the cops wait for him. As for wiretapping laws, the cracker has illegitimately accessed your system, and any information he leaves behind now exists on your storage property. Who's to say you can't use that information?

  4. Re:Could someone elaborate on legal issues? by afay · · Score: 4, Informative

    As far as I can tell, entrapment would not apply at all in this case. Entrapment actually has a fairly strict legal definition. Giving someone the opportunity to commit a crime is not enough. The crime must have been suggested by government agents (police, FBI, whatever) and the person must have been unwilling to commit the crime before the agents talked to him/her (they had to convince him).

    A good example of entrapment might be someone who had a regular job, but was very short on money. If the police approached him to make a quick drug sale and earn an easy $5000, and the individual wouldn't have considered selling drugs before the police approached him (upstanding citizen, etc.), then that would be entrapment. Honeypots/nets are only providing an opportunity to commit a crime and don't fit the other two conditions of entrapment.

    --
    Best slashdot comment
  5. Re:Not to be confused with "No, Your Enemy" by antic · · Score: 2, Informative


    I think this is what you're looking for:

    Book For Geeks
    Getting a Girl

    --
    'Thats they exact same thing a banana wrench monkey.'
  6. Follow the link, read the excerpts by tsm_sf · · Score: 4, Informative

    The link provided (http://www.honeynet.org/book/) gives two chapters of the book in PDF form. They are both well worth the read. Especially chapter 16 on profiling. WARNING: Like all works of sociology, it will make you realize that we are just monkeys.


    Still haven't used the links? Here's an excerpt from ch.16 that I find beautiful. Subject is an analysis of the Jargon File, believe it or not...

    One of the more surprising (and prominent) thematic categories to arise from the analysis is the magic/religion category. While this was one of the a priori thematic categories that we anticipated would emerge from the analysis, it is one that often surprises people who are not familiar with the hacker community. The most common comment that arises when this result is discussed is "You mean hackers are religious??? You've got to be kidding."

    The answer to this quandary can be found in the nature of the technology that lies at the heart of this counterculture. Many members of the hacker community deal with complex operating systems, program applications, and network architectures where it is often not possible to answer with certainty the question "If I perform action A, will the operating system/program/network behave precisely with result B?" That is, because of the complexity of modern operating systems, programs, and network topologies, there is a disconnect between the classical forces of cause and effect. Whenever you have a situation where you cannot logically reconstruct the linkage between cause and effect, you in effect have an instance of "magic."
    (emphasis mine)

    --
    Literalism isn't a form of humor, it's you being irritating.
    1. Re:Follow the link, read the excerpts by TyrranzzX · · Score: 2, Informative

      I'll come out and say it: just from reading that paragraph I can tell this book is a big read for idiots who can't/don't understand the IT culture. About 99% of the IT culture can be inferred from reading, writing, and talking with people who are in the culture, and when people don't make the effort to understand that culture by at least trying to grasp some of the simpler concepts, they make themselves out to be a village idiot.

      Really, I think that most of this book stems from bosses not understanding how the culture of IT people differs from that of the rest of the work force or corporate culture. It's nice that they don't want to offend IT people, as most people go out of their way to do so, but frankly, I think that most bosses don't understand precisely how their businesses work anymore, and when their technicians know more about it than they do, they get insecure and feel inferior to the technicians, who have to know how all parts of the business work or else they can't do their jobs. This is amplified, of course, when bosses come to rely on their IT staff for many of their decisions. When the bosses make decisions nowadays, they often have to do so taking advice from IT people, and if they don't follow what the IT people say, who are often right, then their business often takes a big punishment. They desperately want to be on par but don't understand how to because they come from a culture, the corporate culture, which disables them from doing so.

      If bosses really want to understand the IT Culture, they should start by asking questions to their IT staff and taking notes, not by reading books who take something that can be inferred in about 10 seconds by a regular IT person and turning it into an incorrect 3 paragraph essay. If normal people really want to get on the good side of the culture, they should start with the words "thank you" and end with an apology for being dumb if they keep on having to ask stupid or similar questions over and over.

  7. Re:What's the point ? by minas-beede · · Score: 3, Informative

    I think your example is probably close to what the book says (not having seen the book.) It's also a rather improbable scenario and seems to imply that if your honeypot/honeynet is vulnerable you bear some sort of liability that you wouldn't if it was just your desktop system that was abused in the same way. I don't understand that, and I also don't think such liability has ever been asserted in any case nor found to have existed by any court. I'm guessing the lawyer is Richard Salgado, who's issued this warning before. Notice that the nature of the warning he gives is that someone succeeds in committing abuse through your honeypot, which is not the goal when you set up the honeypot and is not normally what happens when you set up a honeypot. I think Salgado tries far too hard to find a problem where none exists - but then he's the lawyer, I'm not. (come to think of it, though, that's just how lawyers are.)

    I don't think the wiretap laws apply: you aren't tapping a wire, you're watching traffic deliberately sent to your system. Your system, let me repeat.

    I don't think entrapment applies (not even for law enforcement): the honeypot/honeynet is simply created, not advertised, and the felons seek it out on their own. That is not suggesting to someone that they commit a crime and then arresting them when they do. It's less a crime than for a shapely policewoman to wear a revealing red dress in a bar and then arrest a john who propositions her. If LEAs are worried about entrapment, let them not set up honeypots. The book is for non-LEA people anyway.

    P.S. I think that, many years ago, I saw that policewoman. Seriously.

  8. hacker/cracker and the jargon file by ldanna · · Score: 2, Informative

    These fools did a detailed analysis of the jargon file. The jargon file explicitly states that it's about "perl hackers" and such as opposed to "l33t h4xors" and such. It would prefer you to call the latter "crackers" and not taint the word "hacker" with their association at all. At the very most, the cracker culture is a subculture of the hacker culture that the jargon file describes. This is a pretty obvious distinction that someone writing a book on the subject really shouldn't have missed.

  9. "motives" by alex_tibbles · · Score: 2, Informative

    "Modus operandi" means "means of operation", not motives. Understanding the means by which an attacker compromised a system is useful information but tells you next to nothing about why the attacker did it. Of course, a honeynet can tell you something about motives, perhaps.