Know Your Enemy, 2nd Edition
Know Your Enemy: Learning about Security Threats (2nd Edition)
author | The Honeynet Project
pages | 742
publisher | Pearson Education
rating | 8
reviewer | Ben Rothke
ISBN | 0321166469
summary | Observe intruders without putting your data at risk by building a tempting honeynet.
KYE was not written by a single author but by The Honeynet Project, a group of 30 individuals with complementary technical and legal skills. This diverse authorship produces a book with an abundance of valuable information.
The book details setting up a honeypot (a single host designed to attract the attention of network intruders) and a honeynet (a network designed to be penetrated so that the motives of the attackers can be understood). If you can get an intruder to attack the bogus network, the benefit is twofold: 1) the attacker can do no damage to production data, while 2) his activities are being monitored and, with analysis, can be understood.
The book's premise is that it is not enough simply to know you have enemies; you need to understand exactly what they are doing, how they are doing it, the tools they are employing, and their objectives. Armed with such information, a company can ensure that it is making the best use of its resources to defend against and defeat its enemy.
This is the second edition of KYE, and honeynets have changed significantly since the first edition came out. Accordingly, the first five chapters of the book go into what exactly a honeynet is, and then explain the differences between first- and second-generation honeynets. The main difference between the editions is that the first edition focused more on honeypots, or individual hosts. The second edition expands that to networks meant to be broken into, namely honeynets.
The opening chapters also go into detail about the specific value of honeynets. Those who entertain the idea that their honeynet is going to enable them to catch the next Kevin Mitnick will be clearly disappointed. The main benefit of honeypots and honeynets is information. Information is power, especially in computer security. For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do.
Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take these legal issues to heart can turn a honeynet from an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet.
Part 2 (chapters 9-15) goes into the important area of analysis. Collecting data, after all, is only the first part. Analyzing it and making sense of it all is the difference between an experienced detective and a Keystone Cop. The analogy is apt in that a honeynet is a potential crime scene.
Data analysis and forensics are crucial because they are the only way to interpret the various types of data involved. The key for those involved is extracting the different types of data and turning that data into valuable information. Effective forensics enables digital investigators to know the difference between an innocuous attack and a malicious one.
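To make the honeypot idea from the review concrete (a host that attracts connections, exposes no real data, and records what the visitor does, followed by the analysis step that turns raw captures into information), here is an added example in Python. It is not code from the book or from The Honeynet Project; the listener, the session labels, and the sample sessions are all constructed for this illustration. The listener binds to loopback only and never sends anything back, so the only data involved is the visitor's own input.

```python
"""Minimal low-interaction honeypot listener plus a first-pass session analysis.

Added example for this page; not from the book or The Honeynet Project.
Assumptions (constructed): a session is one TCP connection, we keep at most
MAX_CAPTURE bytes of what the client sends, and the labels in classify()
are coarse analyst categories, not a standard taxonomy.
"""
import socket
import threading
import time
from collections import Counter
from dataclasses import dataclass

# Bounded capture: the honeypot can never be turned into bulk storage.
MAX_CAPTURE = 256


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_port: int
    started: float
    payload: bytes = b""


def capture_session(conn, addr, dst_port, timeout=2.0):
    """Read up to MAX_CAPTURE bytes from one accepted connection, then close it.

    Nothing is ever written back, so there is no real service (and no
    production data) behind the port; only the visitor's input is recorded.
    """
    conn.settimeout(timeout)
    data = b""
    try:
        while len(data) < MAX_CAPTURE:
            chunk = conn.recv(MAX_CAPTURE - len(data))
            if not chunk:          # client closed the connection
                break
            data += chunk
    except socket.timeout:         # client went quiet; keep what we have
        pass
    finally:
        conn.close()
    return Session(addr[0], addr[1], dst_port, time.time(), data)


def serve(port, sessions, stop_event, host="127.0.0.1"):
    """Accept connections on host:port in a background thread until stop_event
    is set, appending a Session per connection. Returns the bound port
    (port=0 lets the OS pick an ephemeral one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    srv.settimeout(0.2)            # so the loop can notice stop_event
    bound = srv.getsockname()[1]

    def loop():
        while not stop_event.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            sessions.append(capture_session(conn, addr, bound))
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return bound


def classify(session):
    """Coarse label for what the client did, derived only from captured bytes."""
    p = session.payload
    if not p:
        return "connect-only"      # typical of a port scan or a banner wait
    head = p[:8]
    if head.startswith(b"SSH-"):
        return "ssh-client-banner"
    if head.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in p):
        return "text-input"
    return "binary-input"


def summarize(sessions, repeat_threshold=3):
    """Aggregate raw sessions into the kind of table an analyst starts from."""
    by_kind = Counter(classify(s) for s in sessions)
    by_src = Counter(s.src_ip for s in sessions)
    ports_by_src = {}
    for s in sessions:
        ports_by_src.setdefault(s.src_ip, set()).add(s.dst_port)
    return {
        "total": len(sessions),
        "by_kind": dict(by_kind),
        "by_source": dict(by_src),
        "ports_per_source": {ip: sorted(ps) for ip, ps in ports_by_src.items()},
        # Sources that keep coming back are the first thing worth a closer look.
        "repeat_sources": sorted(ip for ip, n in by_src.items() if n >= repeat_threshold),
    }


if __name__ == "__main__":
    sessions, stop = [], threading.Event()
    port = serve(0, sessions, stop)  # loopback only, ephemeral port
    # Constructed local "visitors": one bare connect, one HTTP-looking request.
    c = socket.create_connection(("127.0.0.1", port)); c.close()
    c = socket.create_connection(("127.0.0.1", port))
    c.sendall(b"GET /admin HTTP/1.0\r\n\r\n"); c.close()
    time.sleep(0.5)
    stop.set()
    for s in sessions:
        print(s.src_ip, s.src_port, classify(s), s.payload[:32])
    print(summarize(sessions, repeat_threshold=2))
```

Running the file starts the listener on an ephemeral loopback port, connects to it twice from the same process, and prints one labelled line per session followed by the summary; `summarize()` is the part you would extend with whatever the real analysis question is (ports touched per source, first-seen times, and so on).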
While Part 2 is the most technical section of the book, Part 3 (chapters 16-21) attempts to explain the sociological reasons why whitehats and blackhats do what they do. Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter, knowing a profile of your adversary is crucial in containing the damage he can do. Identifying and understanding those attacking your system is just as important as the technical and analytical skills you will use in exposing them.
Know Your Enemy is a unique book in that it details not simply how to install and configure security devices, but how to use those devices to ensure a much greater level of security. It shows how you can take an offensive approach to computer security and understand the mindset of the attacker. That is something not easily found in other books.
The CD-ROM that comes with the book includes 10 of the book's 21 chapters, a number of informative white papers, all of the open source tools that the authors use, and a video about honeynets.
Those who enjoyed Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll will similarly find KYE entertaining and invaluable.
The companion web site for the book is honeynet.org/book. In and of itself, it is a great website, and complements a great book.
Overall, KYE is a most informative book on a fascinating subject. Unlike many computer security books, KYE is light on theory and screen dumps, but heavy on valuable and useful information on securing hosts and networks from adversaries. If you are looking for a proactive way to secure your corporate network, Know Your Enemy is the perfect place to start.
You can purchase Know Your Enemy: Learning about Security Threats (2nd Edition) from bn.com.
Not to be confused with "No, Your Enemy" (Score:3, Funny)
Re:Not to be confused with "No, Your Enemy" (Score:5, Funny)
Re:Not to be confused with "No, Your Enemy" (Score:1, Offtopic)
Re:Not to be confused with "No, Your Enemy" (Score:1, Offtopic)
Re:Not to be confused with "No, Your Enemy" (Score:1, Offtopic)
The basics are fairly obvious, the complex stuff varies so much it is not helpful to print:
1)There is little if any difference between women and men, except that generated by cultural differences.
2)The major cultural differences are: a)Women are expected to take care of any children they have so b)they have a more reasonable fear of sex, c)men pursue the women, d) the women make themselves more attractive pursuits via make up, etc., e) the women insist on cash for taking care of t
Re:Not to be confused with "No, Your Enemy" (Score:2)
Re:Not to be confused with "No, Your Enemy" (Score:2)
That's completely wrong. We are biochemically and physically very different. If you don't think that affects your personality, you should see how much food affects your behavior, disposition, and outlook. And food is pretty minor compared to the biological differences between men and women.
Honestly, there's a lot of difference between woman A and woman A (yes, I _meant_ to type that). When a woma
Re:Not to be confused with "No, Your Enemy" (Score:1)
Re:Not to be confused with "No, Your Enemy" (Score:2)
And for that, your argument fails.
Mentally, the so-called "differences" between men and women are practically non-existent, except for the cultural ones, at least as compared to the mental differences between say a white Jewish guy and a black atheist guy.
The question here was what can we tell men about how women think differently from men, and the answer is basically, they think the same way men would if
Re:Not to be confused with "No, Your Enemy" (Score:3, Informative)
I think this is what you're looking for:
Book For Geeks [wikibooks.org]
Getting a Girl [wikibooks.org]
Re:Not to be confused with "No, Your Enemy" (Score:1)
Re:Not to be confused with "No, Your Enemy" (Score:2)
"NO!" - Your Enemy
before you know it.... (Score:5, Funny)
Programmer: I swear I didn't do it.
FBI: Well, you have a different style of formatting your code, we know it was you.
Re:before you know it.... (Score:1)
Maybe. Or maybe we'll just send these people [apple.com] around to pay you a visit.
Re:before you know it.... (Score:3, Funny)
Just another increment in security (Score:1)
Many hackers will buy this book. They will analyse the structure of the honeypot and honey net used to detect them. They will alter their strategy so as to counter this. They will use new tools so as to minimize detection and make it harder for analysts to profile. Though their objectives will not change their methods will, and many will mask their behaviour so as not to a
Hope it's better than the first. (Score:5, Insightful)
Simulation... (Score:2, Interesting)
The other alternative could be to set up a honeynet behind a firewall, either using VMWare or old hardware, and give users access to (some) of the systems.
Re:Simulation... (Score:4, Interesting)
Re:Simulation... (Score:2)
Never mind that, the real question is: have any of these games ever done the "Ender's Game" trick and set up one of the levels to be a proxy server forwarding to the real world? (say, to SCO's legal department's file server?)
Could someone elaborate on legal issues? (Score:5, Interesting)
Re:Could someone elaborate on legal issues? (Score:5, Informative)
Same types of things apply to the internet.
You think you have some hacker dead to rights, and wind up being sued. You know, those "rights to privacy" slashdotters are always on about - other people have those too.
Re:Could someone elaborate on legal issues? (Score:4, Informative)
The main issue is for government (and perhaps government contractors) running honeypots/honeynets and the legal definition of entrapment.
The rest is mainly a risk taking or aversion decision. At the very least a criminal caught using evidence from a honeypot/net may launch a lawsuit.
Re:Could someone elaborate on legal issues? (Score:2)
If I were a corporate IT director, I would absolutely not be concerned about this. As other posters have explained, it is not entrapment. A criminal has no reasonable expectation of privacy on someone else's property. If the intruder sued, the corporate lawyers would use every stonewalling tactic in the book, then launch a counter-suit for the intrusion. In the United States anyway, the one with the better lawyer wi
Re:Could someone elaborate on legal issues? (Score:2)
Re:Could someone elaborate on legal issues? (Score:2)
Sorry I wasn't clear: regardless of whether the lawsuit has merit, it does tie up employee time, gathering and presenting evidence, and spends corporate dollars rather than contributing to profitable activities like developing and selling products.
A risk-averse organization will avoid this expense, whereas a larger organization that determines that it stands to gain from understanding its attackers may consider it a justifiable expense.
Re:Could someone elaborate on legal issues? (Score:5, Interesting)
Others have already pointed out the wiretapping statutes you can run afoul of, but there are other concerns as well.
For example: you deploy a honeynet for forensic analysis. A blackhat enters your network and, as you watch it happen, sets up a child porn server.
What is your liability in this case? Aiding and abetting? Accessory? Heck, it doesn't even need to be as heinous as child porn -- it could simply be a w4r3z repository, in which case you could face contributory infringement charges.
Schwab
Re:Could someone elaborate on legal issues? (Score:2)
Re:Could someone elaborate on legal issues? (Score:1)
I could not imagine calling the police and actually telling them that there is illegal material on my network. And even if I did, I would fully expect them to look at me as the main "person of interest."
There is no way I'd be that trusting. But that's just me.
John
Re:What's the point ? (Score:4, Informative)
I don't think the wiretap laws apply: you aren't tapping a wire, you're watching traffic deliberately sent to your system. Your system, let me repeat.
I don't think entrapment applies (not even for law enforcement): the honeypot/honeynet is simply created, not advertised, and the felons seek it out on their own. That is not suggesting to someone that they commit a crime and then arresting them when they do. It's less a crime than for a shapely policewoman to wear a revealing red dress in a bar and then arrest a john who propositions her. If LEAs are worried about entrapment let them not set up honeypots. The book is for non-LEA people anyway.
P.S. I think that, many years ago, I saw that policewoman. Seriously.
Re:Could someone elaborate on legal issues? (Score:1)
Re:Could someone elaborate on legal issues? (Score:4, Informative)
How are wiretapping or entrapment even applicable? If a honeynet is a secure network (in this case, very light security) and is broken into by a cracker, snooped around in, and exited, is this not synonymous to someone breaking and entering your home and leaving evidence at the crime scene? No one says that the network has to have a big sign over it that says "Honeynet - Hack here and you'll be caught!" For all anyone knows, it really could be a protected resource, so it's not like you're luring that burglar into the house and having the cops wait for him. As for wiretapping laws, the cracker has illegitimately accessed your system, and any information he leaves behind now exists on your storage property. Who's to say you can't use that information?
Re:Could someone elaborate on legal issues? (Score:5, Informative)
A good example of entrapment might be someone who had a regular job, but was very short on money. If the police approached him to make a quick drug sale and earn an easy $5000 and the individual wouldn't have considered selling drugs before the police approached him (upstanding citizen, etc.), then that would be entrapment. Honeypots/nets are only providing an opportunity to commit a crime and don't fit the other two conditions of entrapment.
Re:Could someone elaborate on legal issues? (Score:1)
If you deliberately deploy a less secure network (one that you designed to raise flags on automated scanning tools), then that could be viewed as the legal equivalent to leaving an open window in your house in front of a table with a pile of cash on it. You're inviting a potential criminal to pursue the "low hanging fruit".
Honeynets and Privacy (Score:2)
Re:Could someone elaborate on legal issues? (Score:1)
I have also read The Art of Deception [amazon.com] by Mitnick. I think people enjoying KYE [amazon.com] will enjoy Mitnick's book as well.
---- Friendly request to visit this site [elliottwave.com] if you're interested in elliott waves.
Honeypot/Honeynet? (Score:5, Funny)
Re:Honeypot/Honeynet? (Score:5, Funny)
Definition (Score:4, Funny)
How does it compare? (Score:4, Interesting)
Is it worth it / recommended for an owner of the first edition to buy/read the 2nd edition?
How does it compare to the "additional material" originally presented in Honeypots: Tracking Hackers by Lance Spitzner (member of Honeynet Project) which was to address the growing and changing nature of honeypots and the early evolution of honeynets?
I enjoyed Cuckoos Egg years ago.. (Score:5, Interesting)
Re:I enjoyed Cuckoos Egg years ago.. (Score:1)
Re:I enjoyed Cuckoos Egg years ago.. (Score:5, Insightful)
If I want a book to tell me about network security I don't want it written in layman's language - I want it written in a language a competent systems administrator appreciates. It's not about NAT'ing your home system, it's about protecting a network...
It's a bad parallel to draw as far as I'm concerned. Cuckoo's Egg was a great book compared to some of the other books on "Hacking" that proliferated in the early 1990s, but it was never a manual on keeping your systems secured. The internet was a very different beast when that book was written.
Re:I enjoyed Cuckoos Egg years ago.. (Score:1)
I found it a fascinating account of Cliff Stoll's efforts to nab the patient, methodical computer cracker who was halfway around the world in another country with only a small, overlookable anomaly as the only clue that starts the pursuit in full swing.
I should still have it lying around somewhere (along with Steve Levy's Hackers) so that I could re-read it(them) someday....
Bryan Taylor
iamcf13@hotpop.com
SpamByte cod
Honeynet and Hacker Psychology (Score:5, Interesting)
Reminds me of what happened to Gene Hackman's character in The Conversation. I personally think that it's more of a challenge / territorial thing - that once hacked, you become motivated to try again without getting caught. Kind of like a Respawn... I agree with the article that the primary purpose is not to 'catch' the hamsters, but to learn their patterns as they race around in their safe little wheels.
As far as organizing the system, why not set it up like George Carlin's old joke - When they put you on hold, they play music. Why not just connect all the people on hold together, and let them talk to each other?
Re:Honeynet and Hacker Psychology (Score:2, Funny)
And charge them $4.95/minute.
KFG
Re:Honeynet and Hacker Psychology (Score:1)
I'd strongly disagree with that. I think that most hackers would place getting caught as being the pinnacle of bad things that can happen as a result of hacking.
Re:Honeynet and Hacker Psychology (Score:4, Interesting)
Re:Call me silly... (Score:3, Insightful)
Sure, that makes reasonable sense. You forget, however, that the hardest killers to catch (those who kill strangers) aren't motivated by reason, but rather by a psychosexual urge for gratification. This means they tend to kill in whatever way best gratifies them, and that makes them profilable.
I imagine this
Differences (Score:5, Funny)
Perhaps, if you happen to be a crime scene investigator and are used to this. For me, both of the above items would fit quite nicely into the "Jesus Christ on a Popsicle Stick, I Just Found a Dead Body, HolyShitHolyShitHolyShit!" category.
What gentle prose... (Score:5, Funny)
Yikes - I hope you don't write the church newsletter.
Re:What gentle prose... (Score:2)
So... It's like the difference between UT2k4 and Doom3?
What does that have to do with anything? Am I missing the point?
m-
Re:What gentle prose... (Score:5, Funny)
Yikes - I hope you don't write the church newsletter.
You're right. The church newsletter needs to be clear. The above example mixes elements of MO and signature. Signature is born of the fantasy life of the criminal - it's the sorts of things that don't need to be done to accomplish the crime.
An MO might be using a 22 to the back of the skull - simple, effective, and it's not likely to leave a lot of blood spatter. This demonstrates criminal sophistication and planning.
The MO of the body in the ditch would depend on the cause of death, but clearly the homicide is a case of overkill. One does not need to decapitate someone to kill them - severing the carotid arteries is sufficient, if a bit messy and more likely to create blood spatter and other forensic evidence. That would indicate a lack of sophistication. The mutilation and decapitation indicate rage and some of the fantasy aspects of the criminal, and are part of the signature. The presence of the body in the ditch might simply be convenience, but it suggests an attempt to further degrade the victim. Victimology might give us further insight into the criminal's thoughts. Is the victim the primary target, or is the victim standing in for someone else?
A great book on this topic is the Crime Classification Manual [amazon.com]. It covers this in depth.
Funny you should mention the church newsletter. I no longer write ours. Perhaps I wasn't clear enough.
Re:What gentle prose... (Score:2)
I second the recommendation of the Crime Classification Manual, which was written by the guy at the FBI who is known for "profiling" serial killers. Suffice it to say that "profiling" criminals does not involve pseudo-ESP insights into the minds of the deranged, but instead involves the application of some common sense insights derived from large aggregations of data -- which is actually more interesting.
By way of example, there are about 5 reasons someone commits arson: vandalism, thrill-seeking/pervers
Re:What gentle prose... (Score:1)
Jonah Hex
Re:What gentle prose... (Score:2)
Let's get this straight - school burns down, it's OK to say it's a teenage male. Bank of New York explodes, it's not OK to say it's a middle eastern man aged 18-34?
Re:What gentle prose... (Score:2)
As a person who doesn't "get" racism at all, I believe that if say 80% of Uzi shootings in Toronto are done by black males, 18-25 and 75% of 30-30 shootings are done by white males, 35-50, then when someone is shot with an Uzi, they might want to check the local black male population.
Racial profiling can also be bad of course, and one must always remember the other 20/25% (in my m
Soda profiling. (Score:5, Funny)
2) Track Mountain Dew purchases.
3) Use data to identify potential "troublemakers".
Re:Soda profiling. (Score:1)
Financial Motivations (Score:2)
Follow the link, read the excerpts (Score:5, Informative)
Still haven't used the links? Here's an excerpt from ch.16 that I find beautiful. Subject is an analysis of the Jargon File, believe it or not...
One of the more surprising (and prominent) thematic categories to arise from the analysis is the magic/religion category. While this was one of the a priori thematic categories that we anticipated would emerge from the analysis, it is one that often surprises people who are not familiar with the hacker community. The most common comment that arises when this result is discussed is "You mean hackers are religious??? You've got to be kidding."
The answer to this quandary can be found in the nature of the technology that lies at the heart of this counterculture. Many members of the hacker community deal with complex operating systems, program applications, and network architectures where it is often not possible to answer with certainty the question "If I perform action A, will the operating system/program/network behave precisely with result B?" That is, because of the complexity of modern operating systems, programs, and network topologies, there is a disconnect between the classical forces of cause and effect. Whenever you have a situation where you cannot logically reconstruct the linkage between cause and effect, you in effect have an instance of "magic." (emphasis mine)
Re:Follow the link, read the excerpts (Score:2)
Guy1: Hey, Jacktl, how'd you get the admin cg on my server?!
JackTl: Majik
Guy1: Arr, I don't like that.
Me: We should enjoy jacks capacity for mischief and making pretty things on other people's server.
JackTL: Yeah
Guy1: Put the CG away or I'll kick you.
Jack: Ok....[jack now goes limp for about 5 minutes]
*all of a sudden, about 20 small tanks descend upon guy1 with pull lasers and ta
Re:Follow the link, read the excerpts (Score:2)
Proving only that you didn't follow the link and read the chapter. That quote was included just because I thought it was neat.
Re:Follow the link, read the excerpts (Score:3, Informative)
Really, I think that most of this book stems from bosses not understanding
Re:Follow the link, read the excerpts (Score:2)
You wrote THREE paragraphs that have NOTHING to do with either my post, the chapter I linked to, or the original article.
However, I'm starting to see that simply mentioning the Jargon File is something of a troll. I apologize for my naivete. Truly, I must be new here.
Re:Follow the link, read the excerpts (Score:2)
Re:Follow the link, read the excerpts (Score:2)
Btw, I kind of flew off the handle there... sorry about that. Time to cut back on the coffee, I guess =p
Re:Follow the link, read the excerpts (Score:2)
Don't drink coffee. It's a bad solution for not having energy. Read this
http://www.ideatown.com/ntxa/index.html
I had really bad aggression problems until I started staying off that stuff. Eat fruit salad for breakfast after a good night's rest and if you really need it, take an energy drink instead of coffee since it's more powerful and they usually use a combo
Foreward? (Score:1)
I wouldn't be so sensitive about this if I didn't occasionally see "Foreward" and "Forward" in actual books. Really! I don't know about you, but when I am contradicted by real, bound paper books, it sometimes makes me momentarily doubt myself. (Nothing I read online ever has this effect on me). What
hacker/cracker and the jargon file (Score:2, Informative)
The jargon file explicitly states that it's about "perl hackers" and such as opposed to "l33t h4xors" and such. It would prefer you to call the latter "crackers" and not taint the word "hacker" with their association at all. At the very most, the cracker culture is a subculture of the hacker culture that the jargon file describes. This is a pretty obvious distinction that someone writing a book on the subject really shouldn't have missed.
"motives" (Score:3, Informative)