Know Your Enemy

For centuries, military organizations have relied on scouts to gather intelligence about the enemy. The scouts' mission was to find out who the enemy was, what they were doing, how they might attack, the weapons they use, and their ultimate objectives. Time and again this kind of data has proven critical in defending against, and defeating, the enemy.

In the field of information security, scouts have never existed. Very few organizations today know who their enemy is or how they might attack; when they might attack; what the enemy does once they compromise a system; and, perhaps most important, why they attack.

The Honeynet Project is changing this. A research organization of thirty security professionals, the group is dedicated to learning the tools, tactics, and motives of the blackhat community. As with military scouts, the mission is to gather valuable information about the enemy.

The primary weapon of the Honeynet Project is the Honeynet, a unique solution designed to capture and study the blackhat's every move. In this book you will learn in detail not only what the Honeynet Project has discovered about adversaries, but also how Honeynets are used to gather critical information.

Know Your Enemy includes extensive information about

• The Honeynet: A description of a Honeynet; information on how to plan, build, and maintain one; and coverage of risks and other related issues.
• The Analysis: Step-by-step instructions on how to capture and analyze data from a Honeynet.
• The Enemy: A presentation of what the project learned about the blackhat community, including documented compromised systems.

Aimed at both security professionals and those with a nontechnical background, this book teaches the technical skills needed to study a blackhat attack and learn from it. The CD includes examples of network traces, code, system binaries, and logs used by intruders from the blackhat community, collected and used by the Honeynet Project.

1. The Battleground
1. The Honeynet
2. What a Honeynet Is
• Honeypots
• Honeynets
• Value of a Honeynet
• The Honeypots in the Honeynet
• Summary
3. How a Honeynet Works
• Data Control
• Data Capture
• Access Control Layer
• Network Layer
• System Layer
• Off-Line Layer
• Social Engineering
• Risk
• Summary
4. Building a Honeynet
• Overall Architecture
• Data Control
• Data Capture
• Maintaining a Honeynet and Reacting to Attacks
• Summary
2. The Analysis
5. Data Analysis
• Firewall Logs
• IDS Analysis
• System Logs
• Summary
6. Analyzing a Compromised System
• The Attack
• The Probe
• The Exploit
• Gaining Access
• The Return
• Analysis Review
• Summary
7. Advanced Data Analysis
• Passive Fingerprinting
• The Signatures
• The ICMP Example
• Forensics
• Summary
8. Forensic Challenge
• Images
• The Coroner's Toolkit
• MAC Times
• Deleted Inodes
• Data Recovery
• Summary
3. The Enemy
9. The Enemy
• The Threat
• The Tactics
• The Tools
• The Motives
• Changing Trends
• Summary
10. Worms at War
• The Setup
• The First Worm
• The Second Worm
• The Day After
• Summary
11. In Their Own Words
• The Compromise
• Reading the IRC Chat Sessions
• Day 1, June 4
• Day 2, June 5
• Day 3, June 6
• Day 4, June 7
• Day 5, June 8
• Day 6, June 9
• Day 7, June 10
• Analyzing the IRC Chat Sessions
• Profiling Review
• Psychological Review
• Summary
12. The Future of the Honeynet
• Future Developments
• Conclusion

1. Snort Configuration
• Snort Start-Up Script
• Snort Configuration File, snort.conf.
2. Swatch Configuration File
3. Named NXT HOWTO
4. NetBIOS Scans
5. Source Code for bj.c
6. TCP Passive Fingerprint Database
7. ICMP Passive Fingerprint Database
8. Honeynet Project Members

The classical text on honeypots. I personally believe this is a bit overhyped, especially as half the book is IM transcripts.

Read it as an introductionary text on the subject, because it doesn't exists that many books.