Slashdot Mirror

← Back to Stories (view on slashdot.org)

Know Your Enemy, 2nd Edition

Posted by ryuzaki0 on from the about-5'10"-and-arrogant dept.

Ben Rothke writes "Within law enforcement, establishing a modus operandi is one of the crucial things that can make the difference between finding a criminal and not. For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch. While both victims are equally dead, the manner of their deaths is radically different. So too with computer crime; knowing the modus operandi of the attacker can mean the difference between finding the perpetrator and not. In Know Your Enemy: Learning about Security Threats, the members of the Honeynet Project have written an excellent security reference that can enable one to begin to understand the motives of those who are attacking and compromising their systems." Read on for the rest of Rothke's review. Know Your Enemy : Learning about Security Threats (2nd Edition) author The Honeynet Project pages 742 publisher Pearson Education rating 8 reviewer Ben Rothke ISBN 0321166469 summary Observe intruders without putting your data at risk by building a tempting honeynet.

KYE was not written by a single author, rather by The Honeynet Project. They are a group of 30 individuals with complementary technical and legal skills. This diverse authorship creates a book with an abundance of valuable information.

The book details setting up a honeypot (a single host designed to gain the attention of network intruders) and a honeynet (a network designed to be penetrated to understand the motives of the attackers). If you can get an intruder to attack the bogus network, the double benefit is that 1) the attacker can do no damage to production data, while 2) his activities are being monitored, and with analysis can be understood.

The book's premise is that it is not simply enough to know you have enemies; you need to understanding what exactly it is they are doing, how they are doing it, the tools they are employing, and their objectives. Armed with such information, a company can ensure that they are best using their resources to defend and defeat their enemy.

This is the second edition of KYE and honeynets have changed significantly since the first edition came out. With that, the first five chapters of the book goes into what exactly a honeynet is, and then explains the differences between first and second-generation honeynets. The main difference between the editions is that the first edition focused more on honeypots, or individual hosts. The second edition expands that to networks meant to be broken into, namely honeynets.

The opening chapters also go into details about the specific value of honeynets. For those that entertain the idea that their honeynet is going to enable them to catch the next Kevin Mitnick, they will be clearly disappointed. The main benefit of honeypots and honeynets is information. Information is power, especially in computer security. For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do.

Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take their legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet.

Part 2 (chapters 9-15) goes into the important area of analysis. Collecting data, after all, is only the first part. Analyzing it and making sense of it all is the difference between an experienced detective and a Keystone Cop. The analogy is real in that a honeynet is a potential crime scene.

Data analysis and forensics are crucial in that it is the only way to interpret the various types of data involved. The key for those involved is turnout and extracting different types of data and turning that data into valuable information. Effective forensics enables digital investigators to know the difference between an innocuous attack and a malicious one.

While Part 2 is the most technical section of the book, Part 3 (chapters 16-21) attempts to explain the sociological reasons why whitehats and blackhats do what they do. Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter, knowing a profile of your adversary is crucial in containing the damage he can do. Identifying and understanding those attacking your system is just as important as the technical and analytical skills you will use in exposing them.

Know Your Enemy is a unique book in that it details how not to simply install and configure security devices, but how to use those devices to ensure a much greater level of security. It shows how you can take an offensive approach to computer security and to understand the mindset of the attacker. That is something not easily found in other books.

The CD-ROM that comes with the book includes 10 of the book's 21 chapters, a number of informative white papers, all of the open source tools that the authors use, and a video about honeynets.

Those who enjoyed Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll will similarly find KYE entertaining and invaluable.

The companion web site for the book is honeynet.org/book. In and of itself, it is a great website, and complements a great book.

Overall, KYE is a most informative book on a fascinating subject. Unlike many computer security books, KYE is light on theory and screen dumps, but heavy on valuable and useful information on security hosts and networks from adversaries. If you are looking for a proactive way to secure your corporate network, Know Your Enemy is the perfect place to start.

You can purchase Know Your Enemy : Learning about Security Threats (2nd Edition) from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

8 of 103 comments (clear)

  1. Simulation... by Short+Circuit · · Score: 2, Interesting

    Has anyone ever made a door game that simulates hacking into a network? It'd make for an entertaining addition to a BBS.

    The other alternative could be to set up a honeynet behind a firewall, either using VMWare or old hardware, and give users access to (some) of the systems.

    --
    tasks(723) drafts(105) languages(484) examples(29106)
    1. Re:Simulation... by mike_stay · · Score: 4, Interesting

      Yeah, there's lots of them. here here here and here.

  2. Could someone elaborate on legal issues? by Tibor+the+Hun · · Score: 5, Interesting

    While "Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take their legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet." is legally a teriffic summary, could someone (legally) elaborate on the illegalities of honeypots and nets?

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Could someone elaborate on legal issues? by ewhac · · Score: 4, Interesting

      Others have already pointed out the wiretapping statutes you can run afoul of, but there are other concerns as well.

      For example: you deploy a honeynet for forensic analysis. A blackhat enters your network and, as you watch it happen, sets up a child porn server.

      What is your liability in this case? Aiding and abetting? Accessory? Heck, it doesn't even need to be as heinous as child porn -- it could simply be a w4r3z repository, in which case you could face contributory infringement charges.

      Schwab

      --
      Editor, A1-AAA AmeriCaptions
  3. How does it compare? by plcurechax · · Score: 3, Interesting


    Is it worth / recommended for the owner the first edition to buy/read the 2nd edition?

    How does it compare to the "additional material" originally presented in Honeypots: Tracking Hackers by Lance Spitzner (member of Honeynet Project) which was to address the growing and changing nature of honeypots and the early evolution of honeynets?

  4. I enjoyed Cuckoos Egg years ago.. by dan+dan+the+dna+man · · Score: 4, Interesting

    but I wouldn't use it as a textbook on "knowing the enemy" in a modern network environment. Your comparison worries me enough to warrant me not buying the book you're reviewing..

    --
    I don't read your sig, why do you read mine?
  5. Honeynet and Hacker Psychology by cbelt3 · · Score: 5, Interesting
    Interesting note in the article : "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do. "

    Reminds me of what happened to Gene Hackman's character in The Conversation . I personally think that it's more of a challenge / territorial thing- that once hacked, you become motivated to try again without getting caught. Kind of like a Respawn... I agree with the article that the primary purpose is not to 'catch' the hamsters, but to learn their patterns as they race around in their safe little wheels.

    As far as organizing the system, why not set it up like George Carlin's old joke - When they put you on hold, they play music. Why not just connect all the people on hold together, and let them talk to each other ?

    1. Re:Honeynet and Hacker Psychology by minas-beede · · Score: 3, Interesting

      Interesting note in the article : "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do. " Agreed. On a volume basis it's likely that most abuse is committed by spammers. They've suurvived for years precisely because they have not been watched in any manner (at the abuse level - all the attention is focused at and after the destination server.) Do even the crudest honeypot you can think of as an anti-spammer tool and you very likely will succeed in gathering information the spammer would rather you not have. Set up an MTA that doesn't ever deliver anything - you'll trap the test messages sent by spammers (mostly in China, Taiwan, and Korea now.) (Guess how I know.) What the heck, here's one: the spammer sends his test messages to a231.b233@msa.hinet.net. A US spammer has sent tests to smtps1@transedge.com, another to meristar1@cox.net. A more complete open relay honeypot can collect spam evidence as well. All the spam that comes ot the honeypot is spam that doens't get delivered independently of whether the intended victim has any protection mechanisms in place or not. Then there's open proxy honeypots. A few people have done honeypot-like things with wpam zombie servers. It's still a field in which very useful things can be done...