Reviews the Honeynet Project's Know Your Enemy Book

    Date: 15 Dec 2001
    Category: Book Reviews
    Posted By: Brittany Day
    The Honeynet Project's first book details how a honeynet works, how to analyze the data once captured, how to prevent the honeynet machine from becoming a point to launch an attack on another network, and even a full account of a discussion between blackhats as they plot their next attack.

    "There are three principal means of acquiring knowledge... observation of nature, reflection, and experimentation," wrote Denis Diderot, the prominent French writer back in the 1700s. The Honeynet Project was developed to gain the knowledge of the blackhats by putting them in the unwitting role of the teacher, sharing their most closely held secrets about their motivations, attack techniques, and tools.

    Founded in early 1999 by Lance Spitzner, a former officer in the Army's Rapid Deployment Force, the project transferred his Army intelligence and tactical knowledge to the field of computer forensics. In doing so he started a fascinating worldwide effort to track the habits of blackhats by placing production systems on the Internet, monitoring them once they've been breached, and recording what the intruders have done.

    Formed from some of the brightest minds in computer security, forensics, and even computer psychology, the Honeynet Project now consists of no less than thirty individuals including Dave Dittrich, Dug Song, Marty Roesch, Rain forest puppy and Stuart McClure.

    Having previously read Lance's "Know Your Enemy" documents, I was pleased when I received a copy of "Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community" for review.

    The Honeynet Project began as a series of papers written by Lance Spitzner entitled "Know Your Enemy," in which Lance writes what he's learned from his computer security experiences in this discipline. Specifically, the "Know Your Enemy: Honeynets" paper provides a great deal of information to get started with your own Honeynet.

    From The Beginning

    Chapter One starts with an introduction to the project and the goals they are trying to achieve. "How do blackhats identify a vulnerable system? How do they communicate among themselves? Are we dealing with a single threat or a variety of threats?"

    Chapter Two provides a basic description of a honeynet and how it all began. The use of production systems of all types to create a network that was specifically designed to be compromised is a new one. Previously, emulated systems (in some cases called "honeypots") were placed on the Internet, but they often lacked the ability to contain the blackhat once the system was compromised, were limited to specific operating systems or environments, or were unable to detect unknown vulnerabilities.

    The systems on a Honeynet differ in that they are real and unmodified ones, such as a default Linux installation, a Cisco router or a Sun server. Traditionally, the security measures an organization configures to protect its online assets are defensive: Access Control Lists on the router, a firewall on the Sun server, and SSH-only access to the Linux box. Honeynets instead take a research and analysis approach, giving organizations the information they need to protect their production systems from attacks.

    A Honeynet is a controlled environment that takes the chaotic blackhat activity on the Internet and rationalizes it into useful information that can be used to protect a production network running a similar environment.

    The Value of a Honeynet

    The value to an organization deploying a new product online of first being able to run it in an environment where they can track access to it by those whose only purpose is to attempt to breach it is quite extraordinary. Is the new product, and the system it's running on, secure enough to withstand repeated attacks on a network where the impact of a compromise is minimal? Gone are the days when blackhats spent hours probing individual systems for a vulnerability. It's now possible to scan an entire network segment at a time, testing for a series of vulnerabilities, then recording that information in a database to be used later as a starting point. Chances are good that even with an unadvertised web server you'll be poked or prodded, even with attacks intended for entirely different architectures than your own.

    Using What You Know

    Existing security tools are put to work throughout: an intrusion detection system creates an account of the network activity; firewalls prevent access to production systems while at the same time preventing the Honeynet from being used as a source for attacking other networks; and even social engineering is used to make the system appear to be a production one and "keep the Honeynet sweet." All of these are great methods for tracking and recording every keystroke, and they show that the Honeynet team has put a great deal of thought into the process.

    The recorded data is of no use if it's not analyzed. This is the meticulous part of the project that requires attention to detail, a full working knowledge of network protocols, and the ability to recognize how a collection of packets either form a new attack or a component of an existing one.

    Data Analysis

    Part II starts with tips on how to analyze firewall logs, packets captured by the IDS sniffer, using system logs to help determine how the attacker got in and where he came from.
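    The two jobs described above, using the firewall both as a data-control boundary (no honeypot may quietly reach out to other networks) and as a data source for working out where an attacker came from and what was probed first, can be illustrated with a small log triage script. The following is an added example written for this review, not code from the book or the Honeynet Project; the log lines are constructed in an iptables-style syslog format and the addresses are documentation ranges, and the honeypot address list is an assumption passed in by the caller.

```python
"""Triage of firewall log lines from a honeynet (added example, not the book's code)."""
import re
from collections import defaultdict

# Constructed sample log. 192.168.1.3 plays the honeypot; 203.0.113.9 and
# 198.51.100.x are external hosts. The format mimics iptables LOG lines.
SAMPLE_LOG = """\
Nov 07 23:11:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.3 PROTO=TCP SPT=3121 DPT=111
Nov 07 23:11:03 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.3 PROTO=TCP SPT=3122 DPT=21
Nov 07 23:11:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.3 PROTO=TCP SPT=3123 DPT=1080
Nov 07 23:14:40 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.3 PROTO=UDP SPT=3000 DPT=111
Nov 07 23:15:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.3 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=21
Nov 07 23:15:09 fw kernel: DROP IN=eth1 OUT= SRC=192.168.1.3 DST=198.51.100.20 PROTO=TCP SPT=1026 DPT=6667
Nov 08 01:02:10 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.44 DST=192.168.1.3 PROTO=TCP SPT=40000 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>ACCEPT|DROP) "
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def triage(log_text, honeypots):
    """Split the log into the three views an analyst wants first.

    honeypots: set of honeypot IP addresses (assumed known to the operator).
    Returns a dict with:
      ports_by_source      - which (proto, port) pairs each external host probed
      first_inbound_accept - the earliest accepted inbound record per honeypot,
                             i.e. the best candidate for the initial entry point
      outbound             - every connection attempt originating from a honeypot;
                             any such record is a data-control event to review
    """
    ports_by_source = defaultdict(set)
    first_inbound_accept = {}
    outbound = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog noise
        if rec["src"] in honeypots:
            outbound.append(rec)
        elif rec["dst"] in honeypots:
            ports_by_source[rec["src"]].add((rec["proto"], rec["dpt"]))
            if rec["action"] == "ACCEPT":
                first_inbound_accept.setdefault(rec["dst"], rec)
    return {
        "ports_by_source": {s: sorted(p) for s, p in ports_by_source.items()},
        "first_inbound_accept": first_inbound_accept,
        "outbound": outbound,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, {"192.168.1.3"})
    for src, ports in report["ports_by_source"].items():
        print(f"{src} probed {ports}")
    for hp, rec in report["first_inbound_accept"].items():
        print(f"first accepted inbound to {hp}: {rec['ts']} {rec['proto']}/{rec['dpt']} from {rec['src']}")
    for rec in report["outbound"]:
        print(f"OUTBOUND from honeypot {rec['src']} -> {rec['dst']}:{rec['dpt']} ({rec['action']})")
```

    In the sample, the first accepted inbound connection is to port 111 (the portmapper), the same source then sweeps several other ports, and a few minutes later the honeypot itself opens connections outward. That outbound record, whether the firewall accepted or dropped it, is the signal that the box has been taken and that the data-control rules now matter more than anything else in the log.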

    Chapter Six, "Analyzing a Compromised System", provides a detailed analysis of a particular attack including how the blackhat compromised the system, the method and exploit that was used (in this case the NXT BIND buffer overflow), as well as what was done to the system once it was compromised.

    Multiple systems were in fact involved in this particular attack, and the chapter shows how scripted attacks are run to leave a backdoor for later access and, eventually, to launch a Trinoo DDoS attack.

    Advanced Topics in Analysis

    Advanced topics including passive fingerprinting, data forensics, and later the Forensics Challenge are covered in great detail. The Forensics Challenge, led by team member Dave Dittrich, provided the disk images from an actual compromised system to anyone interested in downloading them and attempting to decipher the data contained within to determine how the attack took place.

    Launched on January 15, 2001, the system images were of a Red Hat 6.2 system compromised the previous November. The book details the use of The Coroner's Toolkit (TCT), the computer forensics tool developed by Wietse Venema, author of TCP Wrapper and several other staples of Internet security.

    Using TCT, it's often possible to determine what files may have been deleted, retrieve their contents, and determine how they differ from the original form. This is an attractive tool with a cool name, and one that is indispensable in the hands of someone with the sophisticated knowledge required to use it correctly.

    An extensive analysis of the challenge was performed by Dave Dittrich after the project was over, concluding that the compromise was the result of an rpc.statd buffer overflow. Dittrich includes a Time/Cost Analysis and the most interesting pieces of information gathered from the images.

    It turns out that the average time spent on the analysis by each entrant was about 34 hours. That's nearly a week's worth of analysis for what took an attacker about a half-hour to exploit.

    Dittrich concludes that the average cost of cleanup for a single incident is approximately US$2000. An interesting point is raised on the Forensic Challenge web page: "But all it takes to re-install Red Hat is 30 minutes. How do you come up with US$2000 damage?" His answer is equally interesting:

    When a system is compromised, and the data on it and its network are compromised, it is not simple to determine the extent of the damage without a lot of work. We do not know if the blackhat stole people's passwords, hacked other systems, has implemented sniffers, etc. This argues for strong prevention, defense in depth (including monitoring in depth), and trained responders. If all the administrator does is re-install the OS, they are doing a wholly inadequate job of responding to a security incident, as the extent of damage may be far greater than a single system.

    What Makes Them Tick?

    Chapters Nine and Ten detail the trends, motives, tools, and methodologies that are used by blackhats. While some attacks are launched by script kiddies, others are launched by advanced users who develop their own tools and leave behind sophisticated backdoors. Regardless of who you are and what systems you run, state the authors, your organization is at risk.

    Chapter Eleven, which makes up a significant part of the book, is an actual account of a conversation between a group of blackhats as they discuss the compromise of a Solaris 2.6 system under the control of the Honeynet group.

    In Their 0wn Words

    Every step of the process is detailed "In Their Own Words." An IRC chat session between d1ck and j4n3 over a seven day period provides the Honeynet team with information on their motives, demeanor, habits, and abilities. "They may not be technically competent or even understand the tools they are using. However, by focusing on a larger number of systems, they can achieve dramatic results. This is not a threat to take lightly." Script kiddies have time on their hands to keep trying until they are successful.

    The chapter outlines the social structure created within the group, including expert analysis by Max Kilger, the team's psychologist, and is truly fascinating. At times it plays out like a high school clique, except that the number of compromised systems determines the social order.

    The Future

    The final chapter discusses the future of the Honeynet. New techniques for capturing and auditing data are being developed, including real-time decryption of encrypted traffic, more advanced filtering methods to reduce false positives, the creation of more realistic environments, and the continued pursuit of previously unknown vulnerabilities.

    Distributed Honeynets sound particularly interesting. By having multiple systems configured throughout the world, it may be possible to better determine attack trends. Attacks on systems that are prepared to handle the next denial of service or buffer overflow could very well be used to alert system administrators across the world of an impending new attack, providing the necessary lead time to protect themselves.

    The Authors

    One of the most compelling reasons to buy this book is the authors. Written by some of the most authoritative authors in the field of computer science, with Lance Spitzner at the helm, you'll find no more definitive reference. The authors have an obvious zeal about their work as computer scientists sharing their experiences with the Internet community at large.

    The book is well written and provides sufficient information for an enthusiastic computer security professional to build his own Honeynet for research. It must be stressed, however, that Honeynets aren't for everyone. Undesired consequences could occur if the Honeynet is misconfigured and then used as a point from which to attack other networks. If your logging or auditing is misconfigured, an attack could go unnoticed, potentially putting real systems at risk and leading to system administrators knocking on your door wondering why you're attacking them.

    After you've read, or at least have handy, "Building Internet Firewalls" and "Network Intrusion Detection," this book is a must-have for anyone interested in knowing what makes the blackhat tick.

    Honeynet Resources

    Network Intrusion Detection Using Snort

    This document takes you through the basics of intrusion detection, the steps necessary to configure a host to run the snort network intrusion detection system, testing its operation, and alerting you to possible intrusion events.

    The Coroner's Toolkit

    TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in. The software was presented first in a Computer Forensics Analysis class in August 1999 (handouts can be found here). Examples of using TCT can also be found on-line in a series of columns in the Doctor Dobb's Journal.

    Honeynet Project's 'honey pot' a sweet success in trapping hacker attacks

    Fresh off their success in monitoring the group and handing over the evidence to federal authorities, the Honeynet team took a deeper look at the traffic they were capturing and found something worth investigating further.

    Complete contents of Chapter One

    The Battleground. A description of where it all started.

    Part 1: The Honeynet

    Complete contents of the introduction to Part 1: The Honeynet and also Chapter 2: What A Honeynet Is. The answers to the question "What is a Honeynet?", how it differs from a honeypot, and essential information needed to get started.

    Honeynet Forensic Challenge Images

    The download area for the Honeynet Forensics Challenge. This includes the images necessary to participate in the Forensic Challenge offered by the Honeynet Project in early 2001.

    Hackers caught in security 'honeypot'

    When a group of suspected Pakistani hackers broke into a U.S.-based computer system in June, they thought they had found a vulnerable network to use as an anonymous launching pad to attack Web sites across India.

    Know Your Enemy: Honeynets

    The "Know Your Enemy: Honeynets" article, also written by the Honeynet Project, includes essential information to get started building your own Honeynet, the value of a honeynet, how it works, information about data capture and control, and even information on the next-generation honeynet currently in development.
