Slashdot Mirror

← Back to Stories (view on slashdot.org)

Know Your Enemy, 2nd Edition

Posted by ryuzaki0 on from the about-5'10"-and-arrogant dept.

Ben Rothke writes "Within law enforcement, establishing a modus operandi is one of the crucial things that can make the difference between finding a criminal and not. For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch. While both victims are equally dead, the manner of their deaths is radically different. So too with computer crime; knowing the modus operandi of the attacker can mean the difference between finding the perpetrator and not. In Know Your Enemy: Learning about Security Threats, the members of the Honeynet Project have written an excellent security reference that can enable one to begin to understand the motives of those who are attacking and compromising their systems." Read on for the rest of Rothke's review. Know Your Enemy : Learning about Security Threats (2nd Edition) author The Honeynet Project pages 742 publisher Pearson Education rating 8 reviewer Ben Rothke ISBN 0321166469 summary Observe intruders without putting your data at risk by building a tempting honeynet.

KYE was not written by a single author, rather by The Honeynet Project. They are a group of 30 individuals with complementary technical and legal skills. This diverse authorship creates a book with an abundance of valuable information.

The book details setting up a honeypot (a single host designed to gain the attention of network intruders) and a honeynet (a network designed to be penetrated to understand the motives of the attackers). If you can get an intruder to attack the bogus network, the double benefit is that 1) the attacker can do no damage to production data, while 2) his activities are being monitored, and with analysis can be understood.

The book's premise is that it is not simply enough to know you have enemies; you need to understanding what exactly it is they are doing, how they are doing it, the tools they are employing, and their objectives. Armed with such information, a company can ensure that they are best using their resources to defend and defeat their enemy.

This is the second edition of KYE and honeynets have changed significantly since the first edition came out. With that, the first five chapters of the book goes into what exactly a honeynet is, and then explains the differences between first and second-generation honeynets. The main difference between the editions is that the first edition focused more on honeypots, or individual hosts. The second edition expands that to networks meant to be broken into, namely honeynets.

The opening chapters also go into details about the specific value of honeynets. For those that entertain the idea that their honeynet is going to enable them to catch the next Kevin Mitnick, they will be clearly disappointed. The main benefit of honeypots and honeynets is information. Information is power, especially in computer security. For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do.

Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take their legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet.

Part 2 (chapters 9-15) goes into the important area of analysis. Collecting data, after all, is only the first part. Analyzing it and making sense of it all is the difference between an experienced detective and a Keystone Cop. The analogy is real in that a honeynet is a potential crime scene.

Data analysis and forensics are crucial in that it is the only way to interpret the various types of data involved. The key for those involved is turnout and extracting different types of data and turning that data into valuable information. Effective forensics enables digital investigators to know the difference between an innocuous attack and a malicious one.

While Part 2 is the most technical section of the book, Part 3 (chapters 16-21) attempts to explain the sociological reasons why whitehats and blackhats do what they do. Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter, knowing a profile of your adversary is crucial in containing the damage he can do. Identifying and understanding those attacking your system is just as important as the technical and analytical skills you will use in exposing them.

Know Your Enemy is a unique book in that it details how not to simply install and configure security devices, but how to use those devices to ensure a much greater level of security. It shows how you can take an offensive approach to computer security and to understand the mindset of the attacker. That is something not easily found in other books.

The CD-ROM that comes with the book includes 10 of the book's 21 chapters, a number of informative white papers, all of the open source tools that the authors use, and a video about honeynets.

Those who enjoyed Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll will similarly find KYE entertaining and invaluable.

The companion web site for the book is honeynet.org/book. In and of itself, it is a great website, and complements a great book.

Overall, KYE is a most informative book on a fascinating subject. Unlike many computer security books, KYE is light on theory and screen dumps, but heavy on valuable and useful information on security hosts and networks from adversaries. If you are looking for a proactive way to secure your corporate network, Know Your Enemy is the perfect place to start.

You can purchase Know Your Enemy : Learning about Security Threats (2nd Edition) from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

25 of 103 comments (clear)

  1. Not to be confused with "No, Your Enemy" by Anonymous Coward · · Score: 3, Funny

    My dating guide for single guys.

    1. Re:Not to be confused with "No, Your Enemy" by Jacer · · Score: 4, Funny

      If you could write a book "Know your enemy" intended to help single guys better understand women that actually had substance. You'd probably have a best seller on your hands.

      --
      --fetch daddy's blue fright wig, i must be handsome when i release my rage
  2. before you know it.... by Crzysdrs · · Score: 5, Funny

    We will be getting arrested on code profiling!

    Programmer: I swear I didn't do it.
    FBI: Well, you have a different style of formatting your code, we know it was you.

  3. Hope its better than the first. by j_kenpo · · Score: 5, Insightful

    I remember the first KYE, and I remember the most annoying thing was the last section was a huge dump of IRC logs from a bunch of script kiddies. While it wasn't a bad thing to get to know the enemy, I don't think it warrants the whole last 1/3 of the book being dedicated to it, maybe as an appendix. From the authors description it sounds more like this book is geared towards the wonders of the Honeynet.

  4. Could someone elaborate on legal issues? by Tibor+the+Hun · · Score: 5, Interesting

    While "Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take their legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet." is legally a teriffic summary, could someone (legally) elaborate on the illegalities of honeypots and nets?

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Could someone elaborate on legal issues? by stratjakt · · Score: 5, Informative

      Look up the wiretapping laws in your state/jurisdiction. It varies from place to place. In some states it's legal to tape your phone calls, in some it requires that both parties agree to the recording. (Ie; Linda Tripp running afoul of MD's wiretapping laws when she taped Lewinski)

      Same types of things apply to the internet.

      You think you have some hacker dead to rights, and wind up being sued. You know, those "rights to privacy" slashdotters are always on about - other people have those too.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Could someone elaborate on legal issues? by plcurechax · · Score: 3, Informative

      could someone (legally) elaborate on the illegalities of honeypots and nets?

      The many issue is for government (and perhaps government contractors) running honeypots/honeynets and the legal definition of entrapment.

      The rest is mainly a risk taking or adversion decision. At the very least a criminal caught using evident from a honeypot/net may launch a lawsuit.

    3. Re:Could someone elaborate on legal issues? by ewhac · · Score: 4, Interesting

      Others have already pointed out the wiretapping statutes you can run afoul of, but there are other concerns as well.

      For example: you deploy a honeynet for forensic analysis. A blackhat enters your network and, as you watch it happen, sets up a child porn server.

      What is your liability in this case? Aiding and abetting? Accessory? Heck, it doesn't even need to be as heinous as child porn -- it could simply be a w4r3z repository, in which case you could face contributory infringement charges.

      Schwab

      --
      Editor, A1-AAA AmeriCaptions
    4. Re:Could someone elaborate on legal issues? by nlawalker · · Score: 4, Informative
      IANAL, and I may be completely wrong here, but I'm just kind of curious. Parent brings forward a good topic for discussion.

      How are wiretapping or entrapment even applicable? If a honeynet is a secure network (in this case, very light security) and is broken in to by a cracker, snooped around in, and exited, is this not synonymous to someone breaking and entering your home and leaving evidence at the crime scene? No one says that the network has to have a big sign over it that says "Honeynet - Hack here and you'll be caught!" For all anyone knows, it really could be a protected resource, so it's not like you're luring that burglar into the house and having the cops wait for him. As for wiretapping laws, the cracker has illegitimately accessed your system, and any information he leaves behind now exists on your storage property. Who's to say you can't use that information?

    5. Re:Could someone elaborate on legal issues? by afay · · Score: 4, Informative

      As far as I can tell, entrapment would not apply at all in this case. Entrapment actually has a fairly strict legal definition. Giving someone the opportunity to commit a crime is not enough. The crime must have been suggested by government agents (police, FBI, whatever) and the person must have been unwilling to commit the crime before the agents talked to him/her (they had to convince him).

      A good example of entrapment might be someone who had a regular job, but was very short on money. If the police approached him to make a quick drug sell and earn an easy $5000 and the individual wouldn't have considered selling drugs before the police approached him (upstanding citizen, etc.), then that would be entrapment. Honeypots/nets are only providing an opportunity to commit a crime and don't fit the other two conditions of entrapment.

      --
      Best slashdot comment
  5. Honeypot/Honeynet? by grunt107 · · Score: 4, Funny

    So... my #1 suspected enemy is Winnie the Pooh!!!

    1. Re:Honeypot/Honeynet? by GMFTatsujin · · Score: 5, Funny

      0h, b07h3r.

  6. Definition by nlawalker · · Score: 4, Funny

    Honeynet (noun): 1. Used to replace another noun indicating a network resource that has been Slashdotted in order to indicate slowness. Syn. Molassesnet, Ketchupnet. Ant. Local Area Network. Usage: "Fsking Slashdot! This place is a honeynet now."

  7. How does it compare? by plcurechax · · Score: 3, Interesting


    Is it worth / recommended for the owner the first edition to buy/read the 2nd edition?

    How does it compare to the "additional material" originally presented in Honeypots: Tracking Hackers by Lance Spitzner (member of Honeynet Project) which was to address the growing and changing nature of honeypots and the early evolution of honeynets?

  8. I enjoyed Cuckoos Egg years ago.. by dan+dan+the+dna+man · · Score: 4, Interesting

    but I wouldn't use it as a textbook on "knowing the enemy" in a modern network environment. Your comparison worries me enough to warrant me not buying the book you're reviewing..

    --
    I don't read your sig, why do you read mine?
    1. Re:I enjoyed Cuckoos Egg years ago.. by dan+dan+the+dna+man · · Score: 4, Insightful

      Because Cuckoos Egg is light on technical details, and is really throwaway, populist fluff. It wasn't written for a technical audience, just a curious one.
      If I want a book to tell me about network security I don't want it written in laymans language - I want it written in a language a competent systems administrator appreciates. It's not about NAT'ing your home system, it's about protecting a network...
      It's a bad parallel to draw as far as I'm concerned. Cuckoos Egg was a great book compared to some of the other books on "Hacking" that proliferated in the early 1990's, but it was never a manual on keeping your systems secured. The internet was a very different beast when that book was written.

      --
      I don't read your sig, why do you read mine?
  9. Honeynet and Hacker Psychology by cbelt3 · · Score: 5, Interesting
    Interesting note in the article : "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do. "

    Reminds me of what happened to Gene Hackman's character in The Conversation . I personally think that it's more of a challenge / territorial thing- that once hacked, you become motivated to try again without getting caught. Kind of like a Respawn... I agree with the article that the primary purpose is not to 'catch' the hamsters, but to learn their patterns as they race around in their safe little wheels.

    As far as organizing the system, why not set it up like George Carlin's old joke - When they put you on hold, they play music. Why not just connect all the people on hold together, and let them talk to each other ?

    1. Re:Honeynet and Hacker Psychology by minas-beede · · Score: 3, Interesting

      Interesting note in the article : "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do. " Agreed. On a volume basis it's likely that most abuse is committed by spammers. They've suurvived for years precisely because they have not been watched in any manner (at the abuse level - all the attention is focused at and after the destination server.) Do even the crudest honeypot you can think of as an anti-spammer tool and you very likely will succeed in gathering information the spammer would rather you not have. Set up an MTA that doesn't ever deliver anything - you'll trap the test messages sent by spammers (mostly in China, Taiwan, and Korea now.) (Guess how I know.) What the heck, here's one: the spammer sends his test messages to a231.b233@msa.hinet.net. A US spammer has sent tests to smtps1@transedge.com, another to meristar1@cox.net. A more complete open relay honeypot can collect spam evidence as well. All the spam that comes ot the honeypot is spam that doens't get delivered independently of whether the intended victim has any protection mechanisms in place or not. Then there's open proxy honeypots. A few people have done honeypot-like things with wpam zombie servers. It's still a field in which very useful things can be done...

  10. Differences by errxn · · Score: 5, Funny

    For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.

    Perhaps, if you happen to be a crime scene investigator and are used to this. For me, both of the above items would fit quite nicely into the "Jesus Christ on a Popsicle Stick, I Just Found a Dead Body, HolyShitHolyShitHolyShit!" category.

    --
    In Soviet Russia, Chuck Norris will still kick your ass.
  11. What gentle prose... by ryanvm · · Score: 4, Funny

    For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.

    Yikes - I hope you don't write the church newsletter.

    1. Re:What gentle prose... by Rob+Carr · · Score: 4, Funny
      For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.

      Yikes - I hope you don't write the church newsletter.

      You're right. The church newsletter needs to be clear. The above example mixes elements of MO and signature. Signature is born of the fantasy life of the criminal - it's the sorts of things that don't need to be done to accomplish the crime.

      An MO might be using a 22 to the back of the skull - simple, effective, and it's not likely to leave a lot of blood spatter. This demonstrates criminal sophistication and planning.

      The MO of the body in the ditch would depend on the cause of death, but clearly the homicide is a case of overkill. One does not need to decapitate someone to kill them - severing the carotid arteries is sufficient, if a bit messy and more likely to create blood spatter and other forensic evidence. That would indicate a lack of sophistication. The mutilation and decapitation indicate rage and some of the fantasy aspects of the criminal, and are part of the signature. The presence of the body in the ditch might simply be convenience, but it suggests an attempt to further degrade the victim. Victimology might give us further insight into the criminal's thoughts. Is the victim the primary target, or is the victim standing in for someone else.

      A great book on this topic is the Crime Classification Manual. It covers this in depth.

      Funny you should mention the church newsletter. I no longer write ours. Perhaps I wasn't clear enough.

      --
      This sig seemed like a good idea at the time....
  12. Soda profiling. by mikeophile · · Score: 4, Funny

    1) Set up soda machine in office.
    2) Track Mountain Dew purchases.
    3) Use data to identify potential "troublemakers".

  13. Follow the link, read the excerpts by tsm_sf · · Score: 4, Informative

    The link provided (http://www.honeynet.org/book/) gives two chapters of the book in PDF form. They are both well worth the read. Especially chapter 16 on profiling. WARNING: Like all works of sociology, it will make you realize that we are just monkeys.


    Still haven't used the links? Here's an excerpt from ch.16 that I find beautiful. Subject is an analysis of the Jargon File, believe it or not...

    One of the more surprising (and prominent) thematic categories to arise from the analysis is the magic/religion category. While this was one of the a priori thematic categories that we anticipated would emerge from the analysis, it is one that often surprises people who are not familiar with the hacker community. The most common comment that arises when this result is discussed is "You mean hackers are religious??? You've got to be kidding."

    The answer to this quandary can be found in the nature of the technology that lies at the heart of this counterculture. Many members of the hacker community deal with complex operating systems, program applications, and network architectures where it is often not possible to answer with certainty the question "If I perform action A, will the operating system/program/network behave precisely with result B?" That is, because of the complexity of modern operating systems, programs, and network topologies, there is a disconnect between the classical forces of cause and effect. Whenever you have a situation where you cannot logically reconstruct the linkage between cause and effect, you in effect have an instance of "magic."     (emphasis mine)

    --
    Literalism isn't a form of humor, it's you being irritating.
  14. Re:What's the point ? by minas-beede · · Score: 3, Informative

    I think your example is probably close to what the book says (not having seen the book.) It's also a rather improbable scenario and seems to imply that if your honeypot/honeynet is vulnerable you bear some sort of liability that you wouldn't if it was just your desktop system that was abused in the same way. I don't understand that, and I also don't think such liability has ever been asserted in any case nor found to have existed by any court. I'm guessing the lawyer is Richard Salgado, who's issued this warning before. Notice that the nature of the warning he gives is that someone succeeds in committing abuse through your honeypot, which is not the goal when you set up the honeypot and is not normally what happens when you set up a honeypot. I think Salgado tries far too hard to find a problem where none exists - but then he's the lawyer, I'm not. (come to think of it, though, that's just how lawyers are.)

    I don't think the wiretap laws apply: you aren't tapping a wire, you're watching traffic deliberately sent to your system. Your system, let me repeat.

    I don't think entrapment applies (not even for law enforcement) the honeypot/honeynet is simply created, not advertised, and the felons seek it out on their own. That is not suggesting to someone that they commit a crime and then arresting them when they do. It's less a crime than for a shapely policewoman to wear a revealing red dress in a bar and then arrest a john who propositions her. If LEAs are worried about entrapment let them not set up honeypots. The book is for non-LEA people anyway.

    P.S. I think that, many years ago, I saw that policewoman. Seriously.

  15. Re:Simulation... by mike_stay · · Score: 4, Interesting

    Yeah, there's lots of them. here here here and here.