Know Your Enemy: Learning About Security Threats, 2nd ed.
by The Honeynet Project

Addison-Wesley 2004.
ISBN 0-321-16646-9. 6 appendices, Resources and References, Index, CD-ROM. 768 pages, $49.99

Reviewed by Bob Bruen, July 18, 2004

The Honeynet Project has come a long way in the two years since the first edition of Know Your Enemy. The table of contents is still divided into three parts (The Honeynet, The Analysis and The Enemy), but the content shows great progress. The underlying idea of the honeynet is to provide a place that crackers can break into while being observed. The idea is simple, but the architecture of the system has evolved into a sophisticated one, and the observation methodology has evolved along with it.

Not only are the tools better, but so are the applications of the tools. This edition has expanded and improved sections on forensics, which seems a rather obvious outgrowth of the research. As with the rest of the Honeynet Project's tools, forensics is carried out with open source tools: in this case The Sleuth Kit, Autopsy, netcat and built-in Unix commands such as dd. The authors also list a number of other useful tools, such as bootable CDs for analysis or acquisition.

The new material on reverse engineering is a welcome addition. It has always been my opinion that analysis such as this is not complete without reverse engineering binary code or data files. Since blackhats generally do not leave source code around, figuring out what they did can only be accomplished by reverse engineering. This section also covers techniques for making reverse engineering more difficult, along with descriptions of the code that implements them. It looks like one of those constantly escalating battles. An excellent tutorial on The Honeynet Reverse Challenge, taking the reader from the binary through disassembly to source code, provides a practical demonstration of how reverse engineering works.

Since the first edition, honeynets have been divided into generations, GenI and GenII. Each is explained thoroughly, as are Sebek and additional approaches such as virtual honeynets built on User Mode Linux and VMware. There seems to be no limit to what can be done to learn about what happens to our systems. There is also no reason why the same tools and techniques cannot be used to analyze normal systems that have not been compromised, but have only failed or exhibited unexpected behavior.

The end goal of this work is to learn and understand the behavior of the blackhat. My sense is that the blackhat of today is somewhat different from the blackhat of several years ago, even though the basic techniques have evolved rather than made revolutionary advances. There seems to be more criminal intent now, and this is reflected in how the Honeynet Project describes the events. The section on The Enemy has been expanded to include profiling. The psychological analysis has given way to sociological analysis; that is to say, the view has moved from the individual to the group.

The Enemy section has a wonderful analysis of the life cycle of an exploit that alone is worth the price of the book. I highly recommend this edition of Know Your Enemy for all the lessons provided. This is a great project that deserves the attention of all security people. The future looks better because of them.