Know Your Enemy: Learning about Security Threats 2/e
Authors: The Honeynet Project
Available for download is chapter 8 entitled “Legal Issues”.
In order to defeat the enemy you must first understand the enemy. The Honeynet Project has been trying to understand the enemy for a while now, and they are willing to share all they have learned with the security community. Some years ago honeynets were considered to be an exotic way of learning about computer security. With the help of the Honeynet Project and their papers, conferences as well as Lance Spitzner’s Honeypots book, a myriad of security professionals all over the world have embraced honeynets and made them their weapon of choice.
Since the first edition of this title a lot has changed – everyone has learned a great deal and both the attackers and the technology have evolved. The second edition was on everyone’s wish list and here I am about to give you the details on this title. Will it help you learn more about the enemy? Read on and find out.
About the authors
The Honeynet Project is a nonprofit security research organization made up of volunteers. These volunteers are dedicated to learning the tools, tactics, and motives of the Blackhat community and sharing lessons learned. The Honeynet Project has 30 members, and works with various other organizations through The Honeynet Research Alliance.
Inside the book
The book starts with an overview of where honeynets began, how they were first developed and, naturally, why. As one of the authors, Lance Spitzner, notes in the introduction – this will help you better understand the development of the technology and the methods used.
You get deeper into the material by gaining an understanding of what a honeypot is. Honeynets are nothing more than one type of honeypot, so this is essential reading if you're new to the technology. You learn about the advantages and disadvantages of using honeypots, the types of honeypots, and so on.
As the book moves on, the material gets a bit more complex as it delves into honeynets, one of the most complex honeypot solutions. Explained here are data control (keeping a compromised honeypot from being used to attack others), data capture (recording everything the attacker does) and data collection, along with the types of honeynets.
What follows is a substantial treatment of first and second generation honeynets, where you learn that the generations differ mostly in the methods and technologies used to implement data capture and data control. The most valuable part of these chapters is a complete, real-world deployment example of a generation I honeynet.
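As an added example, not code from the book or from its appendix scripts: the following Python sketch models the data-control idea described above, in the style of a GenII gateway that counts outbound connections per protocol and drops the ones that exceed an hourly limit, while inbound traffic is always let through so the attacker can get in. The per-protocol limits, the 10.0.0.0/24 honeynet prefix and the event list are all constructed for this example and are not taken from the book.

```python
from collections import defaultdict

# Assumed per-protocol outbound limits per window (hypothetical values chosen
# for this example; the book's appendix script defines its own).
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}
WINDOW = 3600  # seconds: one hour

HONEYNET = "10.0.0."  # constructed honeynet prefix; any src in it is "outbound"


class OutboundLimiter:
    """Decide ACCEPT/DROP for each connection the way a data-control gateway
    does: inbound traffic always gets in, outbound traffic is allowed until
    the per-protocol count inside the sliding window is exhausted."""

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.allowed = defaultdict(list)  # proto -> timestamps of accepted outbound

    def decide(self, ts, src, proto):
        if not src.startswith(HONEYNET):
            return "ACCEPT"  # inbound: let the attacker in
        key = proto if proto in self.limits else "other"
        recent = [t for t in self.allowed[key] if ts - t < self.window]
        self.allowed[key] = recent
        if len(recent) >= self.limits[key]:
            return "DROP"  # limit reached: honeypot cannot be used as a launch pad
        recent.append(ts)
        return "ACCEPT"


def run(events, limiter=None):
    """Apply the limiter to (timestamp, src, proto) tuples; return decisions."""
    limiter = limiter or OutboundLimiter()
    return [(ts, src, proto, limiter.decide(ts, src, proto)) for ts, src, proto in events]


# Constructed sample: an inbound scan, then a compromised honeypot trying to
# open 20 outbound TCP connections inside one hour, then more after the window.
EVENTS = (
    [(0, "203.0.113.5", "tcp")]
    + [(10 + i, "10.0.0.7", "tcp") for i in range(20)]
    + [(4000, "10.0.0.7", "tcp")]
    + [(4001, "10.0.0.7", "gre")]
)


def summarize(events=EVENTS):
    """Count accepted and dropped connections and report the first drop."""
    decisions = run(events)
    return {
        "accept": sum(1 for d in decisions if d[3] == "ACCEPT"),
        "drop": sum(1 for d in decisions if d[3] == "DROP"),
        "first_drop_ts": next((d[0] for d in decisions if d[3] == "DROP"), None),
    }


if __name__ == "__main__":
    for row in run(EVENTS):
        print(*row)
    print(summarize())
```

With the sample above the first 15 outbound TCP connections are accepted, the next five are dropped, and the one attempted after the hour has passed is accepted again because the sliding window has emptied. The design choice worth noting is that the limit is on new connections, not on bytes: the attacker keeps enough freedom to reveal tools and intent, but not enough to scan or flood a third party.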
In case you didn’t know, honeynets can also be deployed on a single computer system. These types of honeynets are called virtual honeynets and they are divided into two categories: self-contained and hybrid. Clearly depicted are the advantages and disadvantages of using them. As we move on you are introduced to distributed honeynets – the physically distributed honeynet and the honeypot farm.
One of the problems that make people think twice about deploying a honeynet is related to legal issues. Since there’s a lot to take into consideration before getting into user activity monitoring, I suggest you don’t skip this part. Another essential text for readers new to honeynets is the chapter entitled “The Digital Crime Scene” that contains introductory information on data analysis, the different types of captured data, and the multiple layers of analysis – network forensics, computer forensics, reverse engineering, and more.
Now that the basics have been covered, it's time for detailed information on specific topics. The book continues with a comprehensive overview of network forensics and computer forensics basics. You learn a great deal about the tools and techniques used to analyze network traffic, as well as about the attackers themselves, as the material shows you what kind of damage they can do to a system. New users will also find the brief tool descriptions useful.
Teaching the approach of analyzing a system is easier with practical examples. The chapter “UNIX Computer Forensics” contains examples from the Honeynet Forensic Challenge which was released in 2001. You probably think that the tools and rootkits that were installed on the analyzed systems are outdated now, and that’s true. What’s important here is the analysis, and that has remained the same. The following chapter deals with Windows systems. All in all, this is very interesting material.
If you're one of the advanced users who needs more technical material, you'll get your satisfaction as the book continues with an insight into reverse engineering. Shown are the concepts and methods behind reverse engineering, along with a real-life example.
Since every type of honeynet is made up of a variety of systems, data centralization is crucial if you want to be able to understand the actions of the attacker. Naturally, you get all the information on how to achieve this on your own, and then the book moves on to discuss something even more interesting: profiling. To be really successful in uncovering the technical details behind an attack, it's essential that you understand the attacker and his motives. This way you're able to anticipate his moves at times and truly understand his actions. Provided is a very interesting sociological analysis of the Whitehat/Blackhat community.
More practical knowledge comes next, as you are introduced to the exploits and attacks that the Honeynet Project and Alliance members have seen across their networks. If this kind of technical detail wasn't enough for you, then the next three chapters will make you smile. The authors provide examples of a Windows 2000 compromise, a Linux compromise and a Solaris compromise. The book closes as it should, with a look at the future of honeynets.
There are six appendices to the book: IPTables firewall script, Snort configuration, Swatch configuration, Network configuration summary, Honeywall kernel configuration and GenII rc.firewall configuration.
About the CD-ROM
If you think that what you read above is all this book has to offer you’re in for a surprise. The CD-ROM that comes with this title is packed with data captures, tools and source code. But that’s not all, the authors made sure that the remaining free space was filled with interesting material like configuration files, logs, network captures and much more. This is truly a valuable addition to the book.
We all know that attackers are becoming more sophisticated and that the security community often has a hard time catching up. Honeynets are making that knowledge gap smaller, and if you're deploying a honeynet, this book is essential reading.
One of the features that makes this rather complex subject much easier to take in is the many insightful figures. The writing style of the authors is clean and keeps the reader from getting confused when the text turns overly technical. I'm sure this book will enable many more people to use honeynets.