
REVIEW: "Know Your Enemy", Honeynet Project

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 2 , Dec 30, 2002
      BKKNYREN.RVW 20020916

      "Know Your Enemy", Honeynet Project, 2002, 0-201-74613-1,
      U$39.99/C$59.95
      %A Honeynet Project
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2002
      %G 0-201-74613-1
      %I Addison-Wesley Publishing Co.
      %O U$39.99/C$59.95 416-447-5101 fax: 416-443-0948
      %O http://www.amazon.com/exec/obidos/ASIN/0201746131/robsladesinterne
      %P 328 p. + CD-ROM
      %T "Know Your Enemy: Revealing the Security Tools, Tactics, and
      Motives of the Blackhat Community"

      I have frequently said that any book with "hack," or any variant
      thereof, in the title is automatically suspect. This work helps prove
      my point, first, because the Honeynet Project members have *not* used
      the term (they refer to attackers as blackhats), and the text also
      notes the problems with "exploit" type books: they list old and known
      attacks, most of which are protected against, and say nothing about
      the attackers and how they work. Chapter one points out the value of
      "knowing the enemy" and the beginnings of the Honeynet Project.

      Part one describes the honeynet. Chapter two explains what a honeynet
      is, and the difference between one and the traditional honeypots.
      Details on how a honeynet works, in terms of architecture, policies,
      and the risks and responsibilities of operating one, are presented in
      chapter three. Building a honeynet, in chapter four, presents
      specific details, although a number have already been given.

      Part two concerns the analysis of data collected from the Honeynet.
      Chapter five, on data analysis, points out the sources of data for
      logging, much of which has already been discussed. There is some more
      information on what we can find, but limited explanation of how to
      interpret it. The discussion of analyzing a compromised system, in
      chapter six, is more detailed and does a better job of explaining the
      logs, but relies on a blackhat document, which, while better than most
      such, still has the holes and gaps that characterize the genre.
      Additional details are provided in advanced data analysis, plus some
      material on data that is (and some that is not) useful in packets,
      plus forensic (data recovery) considerations, in chapter seven.
      (Interestingly, the Honeynet Project does not seem to be concerned
      with wiping a drive in order to deny information to blackhats.)
      Chapter eight examines data recovery tools and some results.

      Part three explains what the project has determined about "the enemy"
      by the types of attacks that have been launched and detected. Chapter
      nine is a general review of the random nature of attacks, the tools
      seen, motives theorized, and trends in attacks. The activities and
      signatures of the Bymer worm are described in chapter ten. An IRC
      conversation between a group of blackhats is provided in chapter
      eleven. While there is some interest in the account, the transcript
      occupies almost 100 pages (and almost a third of the total length of
      the book). Chapter twelve suggests the future activities of the
      Honeynet Project.

      Much of the material in the book is repeated, sometimes in a number of
      places. The text would definitely benefit from a tightening up of the
      material. In addition, the early examples are not thoroughly
      explained, making the reader initially feel that only a firewall audit
      log specialist would be able to understand what is being said.
      However, most of the book is written clearly and well, and it is
      definitely worth reading.

      copyright Robert M. Slade, 2002 BKKNYREN.RVW 20020916

      --
      ======================
      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      February 10, 2003 February 14, 2003 St. Louis, MO
      March 31, 2003 April 4, 2003 Indianapolis, IN
    • Rob, grandpa of Ryan, Trevor, Devon & Ha
      Message 2 of 2 , Aug 3, 2004
        BKKNYREN.RVW 20040618

        "Know Your Enemy", Honeynet Project, 2004, 0-321-16646-9,
        U$49.99/C$71.99
        %A Honeynet Project project@... www.honeynet.orb/book/
        %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
        %D 2002
        %G 0-321-16646-9
        %I Addison-Wesley Publishing Co.
        %O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
        %O http://www.amazon.com/exec/obidos/ASIN/0321166469/robsladesinterne
        http://www.amazon.co.uk/exec/obidos/ASIN/0321166469/robsladesinte-21
        %O http://www.amazon.ca/exec/obidos/ASIN/0321166469/robsladesin03-20
        %P 768 p. + CD-ROM
        %T "Know Your Enemy, Second Edition: Learning About Security
        Threats"

        The first edition of "Know Your Enemy" was a lot of fun, and it also
        contained some valuable advice if you were brand new to the idea of a
        honeypot, and wanted to get started quickly. This second edition has
        taken advantage of another couple of years in the development of
        honeypots and honeynets, and provides guidance on a new generation of
        the technology. More than that, it promises, and mostly provides,
        more detailed information on the analytical aspects of honeynet
        operation, including the all-too-often neglected topic of network
        forensics. The page count has more than doubled.

        I have frequently said that any book with "hack," or any variant
        thereof, in the title is automatically suspect. This work helps prove
        my point, first, because the Honeynet Project members have not used
        the term (they refer to attackers as blackhats), and the text also
        notes the problems with "exploit" type books: they list old and known
        attacks, most of which are protected against, and say nothing about
        the attackers and how they work.

        Part one describes the honeynet. Chapter one points out the value of
        "knowing the enemy" and the history of the Honeynet Project. Chapter
        two explains what a honeypot is, leading to details on how a honeynet
        works, in terms of architecture, policies, and the risks and
        responsibilities of operating one, in chapter three. Building a first
        generation honeynet, in chapter four, presents specific details,
        although a number of concepts have already been given. The lessons
        from the early years of the project have led to a second generation of
        design, which is outlined in chapter five. Using a single machine to
        create a virtual network of simulated machines is described in chapter
        six. Chapter seven extends all of this into distributed networks of
        machines. A number of legal issues are discussed in chapter eight:
        specific citations are primarily from US laws, but general concepts
        are also examined.

        Part two concerns the analysis of data collected from the Honeynet.
        Chapter nine looks at the various sources of evidence. Network
        forensic ideas and tools are reviewed in chapter ten, although the
        material does tend to jump abruptly from Networking 101 to an
        assumption that the reader can parse Snort captures. Fundamentals of
        the data recovery aspects of computer forensics are given in chapter
        eleven, leading to the specifics of UNIX recovery in chapter twelve,
        and Windows in thirteen. (These chapters contain details of up to
        date tools not available in most of the standard computer forensic
        texts.) I was delighted to see that chapter fourteen addresses
        reverse engineering, although only in a limited subset of the full
        range of software forensics. Chapter fifteen reiterates the sources
        from chapter nine, and suggests centralized collection and management
        of data.

        Part three explains what the project has determined about "the enemy"
        by the types of attacks that have been launched and detected. Chapter
        sixteen takes a random crack at several topics related to the blackhat
        community: a number of points are interesting, but few are very
        helpful. A general overview of attacks is given in chapter seventeen.
        Specific attacks, and analyses, on Windows, Linux, and Solaris are
        detailed in chapters eighteen to twenty. Future trends are projected
        in chapter twenty one.

        The repetition of material that plagued the first edition has been
        cleaned up to a great extent, although the text would still benefit
        from a tightening up of the material in some chapters. In addition,
        the early examples are not thoroughly explained, making the reader
        initially feel that only a firewall audit log specialist would be able
        to understand what is being said. However, as with the first edition,
        most of the book is written clearly and well, and it is certainly
        worth reading. In addition, the new material definitely makes this
        not merely an interesting read, but something that has the potential
        to be a serious reference in the forensic field.

        copyright Robert M. Slade, 2004 BKKNYREN.RVW 20040618


        ====================== (quote inserted randomly by Pegasus Mailer)
        rslade@... slade@... rslade@...
        I have to share the credit. I invented it, but Bill made it
        famous. - IBM engineer Dave Bradley describing the
        control-alt-delete reboot sequence
        http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade