Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community [Paperback]

The Honeynet Project (Author)

Book Description

Publication Date: August 31, 2001

This book shares the lessons of the Honeynet Project, in which leading security professionals built networks designed to be compromised. From this they learned everything possible from the "blackhat" hackers who took the bait: their tools, their tactics, and their motives. The insights in this book will go a long way towards helping security professionals protect their networks against real attacks. If that's not enough, the book shows you how to build your own honeynet, learning even more about today's most significant exploits -- and tomorrow's. Lance Spitzer, leader of The Honeynet Project, begins by introducing honeynets and honeypots (the parts that make up the honeynet network), explaining how they work, and showing how to build one. Next, Know Your Enemy focuses on an in-depth analysis of attacks, including detailed analyses of compromised systems, and techniques for containing blackhat hackers while you gather evidence and work to identify them. Part III takes you into the minds of the blackhat hackers, focusing on the evidence left by actual attacks -- not theory or speculation. For all computer security specialists, and network and system administrators concerned with intrusion detection and security.

Editorial Reviews

From the Back Cover

For centuries, military organizations have relied on scouts to gather intelligence about the enemy. The scouts' mission was to find out who the enemy was, what they were doing, how they might attack, the weapons they use, and their ultimate objectives. Time and again this kind of data has proven critical in defending against, and defeating, the enemy.

In the field of information security, scouts have never existed. Very few organizations today know who their enemy is or how they might attack; when they might attack; what the enemy does once they compromise a system; and, perhaps most important, why they attack.

The Honeynet Project is changing this. A research organization of thirty security professionals, the group is dedicated to learning the tools, tactics, and motives of the blackhat community. As with military scouts, the mission is to gather valuable information about the enemy.

The primary weapon of the Honeynet Project is the Honeynet, a unique solution designed to capture and study the blackhat's every move. In this book you will learn in detail not only what the Honeynet Project has discovered about adversaries, but also how Honeynets are used to gather critical information.

Know Your Enemy includes extensive information about

• The Honeynet: A description of a Honeynet; information on how to plan, build, and maintain one; and coverage of risks and other related issues.
• The Analysis: Step-by-step instructions on how to capture and analyze data from a Honeynet.
• The Enemy: A presentation of what the project learned about the blackhat community, including documented compromised systems.

Aimed at both security professionals and those with a nontechnical background, this book teaches the technical skills needed to study a blackhat attack and learn from it. The CD includes examples of network traces, code, system binaries, and logs used by intruders from the blackhat community, collected and used by the Honeynet Project.

0201746131B09252001

About the Author

The Honeynet Project is a nonprofit security research organization made up of volunteers. These volunteers are dedicated to learning the tools, tactics, and motives of the blackhat community and sharing lessons learned. The Honeynet Project has 30 members, and works with various other organizations through The Honeynet Research Alliance.

See all Editorial Reviews

Product Details

• Paperback: 352 pages
• Publisher: Addison-Wesley Professional (August 31, 2001)
• Language: English
• ISBN-10: 0201746131
• ISBN-13: 978-0201746136
• Product Dimensions: 9.2 x 7.4 x 0.9 inches
• Shipping Weight: 1.6 pounds
• Average Customer Review: 4.1 out of 5 stars  See all reviews (28 customer reviews)
• Amazon Best Sellers Rank: #2,119,544 in Books (See Top 100 in Books)

Customer Reviews

Most Helpful Customer Reviews

60 of 61 people found the following review helpful:

4.0 out of 5 stars One-of-a-kind; a must read for security professionals, September 25, 2001

By 

Richard Bejtlich "TaoSecurity" (Metro Washington, DC) - See all my reviews
(REAL NAME)   

This review is from: Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (Paperback)

I am a senior engineer for network security operations. I reviewed and provided feedback on a draft of "Know Your Enemy" (KYE) and I am credited on page xiii. This book by the Honeynet Project breaks new ground in the security and publishing communities. It is the first substantial "intelligence report" on those who use the Internet for destructive means, and will enlighten readers of all skill and experience levels.

As a former Air Force intelligence officer, I share the Honeynet Project's desire to gain insight into the tools, tactics, and intentions of the enemy. After explaining the technical details of configuring the honeynet, the authors discuss the attacks launched against their monitored network. The book's level of detail is excellent, as it includes network traces, log entries, and even keystroke captures. This multi-dimensional analysis is exactly the sort of information needed by intrusion detectors and other security personnel.

Beyond the descriptions of various incidents, the authors reveal several key insights. First, the security community must look beyond the tools used by the adversary, and understand tactics and intentions. Second, data collection is critical; alerts mean little without supporting evidence. Third, defense in depth applies to intrusion detection, as it is best to use logs from routers, firewalls, IDS, and hosts together when analyzing events.

The main reason I gave the book four stars was the inclusion of 100 pages of IRC logs in chapter 11. This did not add much to the 328 page book. The analysis of the chat sessions near the end of the chapter was more helpful. That section could have paraphrased the chatting or made reference to transcripts on a CD-ROM. I also hope future Honeynet Project books address Windows NT/2000 compromises, and ways to perform digital forensics on those systems.

Overall, I found "Know Your Enemy" to be highly motivational. I was glad to finally see proof that the "good guys" share information! (I think we give the "bad guys" a little too much credit in that respect.) I plan to include this book in my recommended reading list for network security and intrusion detection professionals. It is simple and well-written, and contains the right sort of information for someone trying to understand common security incidents.

Cliff Stoll's book was the last to detail a truly high-end compromise, perpetrated by individuals employed by a foreign intelligence service. When will the Honeynet Project bag "the big one?"

(Disclaimer: The publisher sent me a free review copy.)

21 of 22 people found the following review helpful:

5.0 out of 5 stars Lance Spitzner "Know Your Enemy", April 23, 2002

By 

Dr Anton Chuvakin "Dr. Anton Chuvakin" (CA, USA) - See all my reviews

This review is from: Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (Paperback)

"Know Your Enemy" from the Honeynet Project...
team (led by Lance Spitzner) is an amazing account on adventures in computer
security. This superb book provides the summary of two years of the project
operation. Aimed to gather and analyze more information about malicious
hackers, the project provided security community with unique insights into
attacks, tricks, and even personalities of hackers. The network (now a
combination of networks in several places worldwide) was deployed for the
single purpose of being penetrated by remote attackers (or blackhats, as
they are called in the book). Their actions were then recorded, studied and
presented in this book and papers on the project web site
.... Real production systems (Linux, UNIX,
Windows) were deployed within the Honeynet.

Leveraging his military background, Lance Spitzner explains why it is
crucial to get first hand information on computer underground operations.
"Information is power" and in computer security there is a serious lack of
information about the adversaries. Most of the available information comes
as 'too little, too late' such as for a company that gets first-hand
knowledge of hackers right after seeing "u r 0wned" on their web site. And
even in this case other companies cannot learn from mistakes, since the
break-in will be kept as secret as possible.

The typical Honeynet break-in produces the following information. What
reconnaissance activity was performed by an attacker before the intrusion?
Which network service was exploited? What exact exploit string or buffer
overflow was used? What attacked did after getting access to the system? How
he or she retained access to the system? How did he or she use the system?
The answers are in the book!

In some of the attacks, the logs of IRC (Internet Relay Chat) conversations
between hackers were recorded. They reveal not only the technology, but also
some of the motivations of intruders. Some stories from the book border on
impossible, such as the case where the streaming video sent by hackers was
captured by the Honeynet team.

The book also provides full details on designing, building and
maintaining the honeynet, including the risks of running a honeynet. To
be more precise, they describe a Generation I honeynet, since now the
project has moved to more sophisticated security technology. The
project uses stringent standards for data control (preventing attacker
from causing trouble to third parties), data collection (recording
everything that happens on the network) and data collection
(aggregating attack data from several honeynets).

Overall, as Bruce Schneier said in the book's foreword: "Great stuff,
and it 's all real"

Anton Chuvakin, Ph.D. is a Senior Security Analyst with a major
information security company.

18 of 19 people found the following review helpful:

5.0 out of 5 stars An extremely important security book & a fascinating read, March 12, 2002

By 

Ben Rothke "Author of 'Computer Security: 20 ... (USA) - See all my reviews
(REAL NAME)   

This review is from: Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (Paperback)

Many an author has written about hackers and computer criminals, but more often it's not from first-hand knowledge. Know Your Enemy is unique is that it is written in the first person. The book is a chronicle of The Honeynet Project; which is a group of security professionals dedicated to learning the tools, tactics and motives of hackers in order to share what they have learned from those encounters. The group was formed due to the every growing complexity of today's networks, and that no single individual has the complete set of skills necessary to understand the forensics behind computer attacks.

The book centers around honey pots and honey network that the Honeynet Project designed. A honey pot is a computer designed to look like something that an intruder can hack into. One example of a honey pot is to install a machine on a network with no particular purpose other than to log all attempted accesses to it. Similarly, a honeynet is a network designed to be compromised.

The function of the honeynet is that when attackers probe, attack and attempt to hack a system, the administrators of the honeynet are able to observe all of their activities, and use that knowledge to design stronger systems. By building such a network and understanding the scope attacks against it, one can understand their adversary, and can better protect their corporate information systems assets.

The book is divided into three parts. The first part shows how the group planned and built the Honeynet. The second part goes into an in-depth analysis of the logs gathered during attacks. While part 3 looks at the threats, motives and tools that the enemy employs in their attacks.

The book is written by technical experts, but in a language that doesn't require a strong technical background. The book effectively shows how a hacker thinks and operates. Most often than not, the hacker simply bypasses the normal security mechanism in place. Know Your Enemy takes all of the lessons learned from hundreds of attacks against the honeynet and shows how to better design systems that is resilient against attack.

Know Your Enemy is not only an extremely important security book, it is a fascinating read. For any security practitioner wants to truly understand the risks their networks face on a daily basis, Know Your Enemy is a must read.