Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Black
The Honeynet Project
For centuries, military organizations have relied on scouts to gather intelligence about the enemy. The scouts' mission was to find out who the enemy was, what they were doing, how they might attack, the weapons they use, and their ultimate objectives. Time and again this kind of data has proven critical in defending against, and defeating, the enemy.
In the field of information security, scouts have never existed. Very few organizations today know who their enemy is or how they might attack; when they might attack; what the enemy does once they compromise a system; and, perhaps most important, why they attack.
The Honeynet Project is changing this. A research organization of thirty security professionals, the group is dedicated to learning the tools, tactics, and motives of the blackhat community. As with military scouts, the mission is to gather valuable information about the enemy.
The primary weapon of the Honeynet Project is the Honeynet, a unique solution designed to capture and study the blackhat's every move. In this book you will learn in detail not only what the Honeynet Project has discovered about adversaries, but also how Honeynets are used to gather critical information.
Know Your Enemy includes extensive information about
- The Honeynet: A description of a Honeynet; information on how to plan, build, and maintain one; and coverage of risks and other related issues.
- The Analysis: Step-by-step instructions on how to capture and analyze data from a Honeynet.
- The Enemy: A presentation of what the project learned about the blackhat community, including documented compromised systems.
Aimed at both security professionals and those with a nontechnical background, this book teaches the technical skills needed to study a blackhat attack and learn from it. The CD includes examples of network traces, code, system binaries, and logs used by intruders from the blackhat community, as collected and analyzed by the Honeynet Project.
Table of Contents
1. The Battleground.
I: THE HONEYNET.
2. What a Honeynet Is.
The Honeypots in the Honeynet.
3. How a Honeynet Works.
4. Building a Honeynet.
Maintaining a Honeynet and Reacting to Attacks.
II: THE ANALYSIS.
5. Data Analysis.
6. Analyzing a Compromised System.
7. Advanced Data Analysis.
The ICMP Example.
8. Forensic Challenge.
The Coroner's Toolkit.
III: THE ENEMY.
9. The Enemy.
10. Worms at War.
The First Worm.
The Second Worm.
The Day After.
11. In Their Own Words.
Reading the IRC Chat Sessions.
Day 2, June 5.
Day 3, June 6.
Day 4, June 7.
Day 5, June 8.
Day 6, June 9.
Day 7, June 10.
Analyzing the IRC Chat Sessions.
12. The Future of the Honeynet.
Appendix A. Snort Configuration.
Snort Configuration File, snort.conf.
Appendix B. Swatch Configuration File.
Appendix C. Named NXT HOWTO.
Appendix D. NetBIOS Scans.
Appendix E. Source Code for bj.c.
Appendix F. TCP Passive Fingerprint Database.
Appendix G. ICMP Passive Fingerprint Database.
Appendix H. Honeynet Project Members.