Know Your Enemy

The Honeynet Project set out to learn more about blackhat hackers. The book Know Your Enemy describes what the project did, what it learned, and what it hopes to achieve in the future.
Most computer books follow a standard model. Before you start reading a book, say, on Linux programming or storage networking, you have a reasonable guess as to what the contents and the chapter structure will be. Such is not the case with the entirely non-standard book Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Far from being a standard "how to" computer tome, this is more like an academic paper detailing the methods and results of a scientific experiment. It is exhaustively footnoted, and comes with a CD-ROM containing many of the scripts the researchers used. Some readers will choose to skip over the technical details and screen dumps, while others will be fascinated by them.

The technology involved is neither sophisticated nor complicated. The book's purpose is not to teach anyone how to hack a computer or how to protect a network. Those looking for up-to-date LAN security insights may not be interested in the psychology of blackhat hackers, and may be disappointed that most of the actual hacks discussed are out of date, simple, and widely known. The point of Know Your Enemy is, essentially, to warn network administrators that their networks are vulnerable, and that any known exploit will be attempted on their network, probably sooner rather than later. Every network is probed, most within 24 hours of being connected to the Internet. The authors (there are 30 of them, led by the project's founder, Lance Spitzner) describe what they did and what they learned.

After a foreword by Counterpane's Bruce Schneier, the book opens, in Chapter 1, with a description of the genesis of The Honeynet Project. Spitzner writes (p.2), "for me, the battlefield landed in my wife's dining room in 1998. In the beginning of that year, I received my first dedicated connection to the Internet."
To find out whether he was vulnerable, Spitzner set up a default installation of Red Hat Linux 5.0 to see whether it would be attacked, hoping to learn from any attack that occurred. Within 15 minutes, it had been compromised. Spitzner writes (p.3), "I learned a lot from that experience, mainly how not to set up such an environment. After compromising the system, the blackhat quickly figured that something was not right, erased the hard drive, and never returned. I lost most of the valuable data that could have been gained, such as the blackhat's keystrokes, toolkits, and system activities."

Chapters 2, 3, and 4 describe what a honeynet is and how to do better than Spitzner did on his first attempt. A honeynet is a network set up to be hacked. It has little unusual protection, but all activity on the network is logged. The authors note that the volume of activity on a normal network is so large that it can be difficult to distinguish suspicious activity. In contrast, all activity on a honeynet is by definition suspicious. Chapters 5 through 8 tell how to analyze the data obtained from a honeynet. Chapters 9 and 10 describe hackers and their latest tools, worms. Chapter 11 is a fascinating transcript of a hacker discussion on IRC that occurred on a honeynet. Chapter 12 discusses the future of honeynets and The Honeynet Project. Appendixes A through G provide details about specific exploits or honeynet tools. Appendix H describes the 30 members of The Honeynet Project.

As mentioned, the book comes with a CD-ROM that contains tools and even more footnotes. The CD-ROM also contains the winning entries to a contest detailed in Chapter 8, "Forensic Challenge," which asked readers to perform their own data analysis. (The contest is now closed.)

In the introduction, Schneier says that honeynets will probably not be widely used on commercial networks because they require a lot of time.
The authors provide the details, noting (p.47), "we discovered that every 30 minutes a blackhat spends on a compromised honeypot equals 30 to 40 work hours for data analysis. So even though the initial investment in a honeynet may seem low in price, it is a long-term investment." The project found that honeypot data analysis also requires a broad skill set. The authors note (p.55), "we have learned that no single person can know all the answers during data analysis. Too much information requiring varying skill sets exists. That is why we have 30 members in our group." In addition to a wide variety of technical skills, the group's honeynets produced data that required a wide variety of languages. Two examples divulged in the book are Romanian and Urdu (spoken in parts of the Indian subcontinent).

Anyone managing a large or frequently attacked network, or anyone who believes their computer has never been attacked, should read this book. Lance Spitzner has since "gone solo" and released Honeypots: Tracking Hackers, which we will review in March. A revised edition of Know Your Enemy should be published in early 2004 or towards the end of 2003.