Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Black

The Honeynet Project

  • 出版商: Addison-Wesley Professional
  • 出版日期: 2001-08-31
  • 售價: $199
  • 語言: 英文
  • 頁數: 352
  • 裝訂: Paperback
  • ISBN: 0201746131
  • ISBN-13: 9780201746136




For centuries, military organizations have relied on scouts to gather intelligence about the enemy. The scouts' mission was to find out who the enemy was, what they were doing, how they might attack, the weapons they use, and their ultimate objectives. Time and again this kind of data has proven critical in defending against, and defeating, the enemy.

In the field of information security, scouts have never existed. Very few organizations today know who their enemy is or how they might attack; when they might attack; what the enemy does once they compromise a system; and, perhaps most important, why they attack.

The Honeynet Project is changing this. A research organization of thirty security professionals, the group is dedicated to learning the tools, tactics, and motives of the blackhat community. As with military scouts, the mission is to gather valuable information about the enemy.

The primary weapon of the Honeynet Project is the Honeynet, a unique solution designed to capture and study the blackhat's every move. In this book you will learn in detail not only what the Honeynet Project has discovered about adversaries, but also how Honeynets are used to gather critical information.

Know Your Enemy includes extensive information about

  • The Honeynet: A description of a Honeynet; information on how to plan, build, and maintain one; and coverage of risks and other related issues.
  • The Analysis: Step-by-step instructions on how to capture and analyze data from a Honeynet.
  • The Enemy: A presentation of what the project learned about the blackhat community, including documented compromised systems.

Aimed at both security professionals and those with a nontechnical background, this book teaches the technical skills needed to study a blackhat attack and learn from it. The CD includes examples of network traces, code, system binaries, and logs used by intruders from the blackhat community, collected and used by the Honeynet Project.

Table of Contents

1. The Battleground.


2. What a Honeynet Is.

Value of a Honeynet.
The Honeypots in the Honeynet.


3. How a Honeynet Works.

Data Control.
Data Capture.
Access Control Layer.
Network Layer.
System Layer.
Off-Line Layer.

Social Engineering.

4. Building a Honeynet.

Overall Architecture.
Data Control.
Data Capture.
Maintaining a Honeynet and Reacting to Attacks.


5. Data Analysis.

Firewall Logs.
IDS Analysis.
System Logs.

6. Analyzing a Compromised System.

The Attack.
The Probe.
The Exploit.
Gaining Access.
The Return.
Analysis Review.

7. Advanced Data Analysis.

Passive Fingerprinting.
The Signatures.
The ICMP Example.


8. Forensic Challenge.

The Coroner's Toolkit.
MAC Times.
Deleted Inodes.
Data Recovery.


9. The Enemy.

The Threat.
The Tactics.
The Tools.
The Motives.
Changing Trends.

10. Worms at War.

The Setup.
The First Worm.
The Second Worm.
The Day After.

11. In Their Own Words.

The Compromise.
Reading the IRC Chat Sessions.
Day 1, June 4.
Day 2, June 5.
Day 3, June 6.
Day 4, June 7.
Day 5, June 8.
Day 6, June 9.
Day 7, June 10.

Analyzing the IRC Chat Sessions.
Profiling Review.
Psychological Review.


12. The Future of the Honeynet.

Future Developments.

Appendix A. Snort Configuration.

Snort Start-Up Script.
Snort Configuration File, snort.conf..

Appendix B. Swatch Configuration File.
Appendix C. Named NXT HOWTO.
Appendix D. NetBIOS Scans.
Appendix E. Source Code for bj.c.
Appendix F. TCP Passive Fingerprint Database.
Appendix G. ICMP Passive Fingerprint Database.
Appendix H. Honeynet Project Members.