For over two years a group of very talented folks have been collecting attack information on a honeynet and analyzing the activities of blackhats attacking an exposed and unprotected suite of computers of different types.

The result is Know Your Enemy - Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. This is one of the most interesting books I've come across in a very long time.

Lance Spitzener, founder of the Honeynet Project tells us in the preface: "What makes our research unique is that we let the blackhat community teach us how they operate. Instead of trying to guess who the enemy is and to develop theories on how blackhats think and operate, we have them teach us their tools, tactics and motives." That is, indeed, a unique approach. The result is a mix of information on the honeynet and its role, the technical analysis of the data collected in the honeynet and a clear revelation of 'the enemy' including logs of chat sessions and analysis of tools and tactics.

A honeynet, for the uninitiated, is a collection of honeypots, individual computers set up to appear to be a legitimate network. The key to this particular research is that the various operating environments used on the honeynet were installed using their default settings. Nothing was done to attempt to protect the honeynet and nothing was done to lure attackers. In short, the honeynet just sat there, waiting to be attacked.

And attack they did. The authors tell us that the life expectancy of a default installation of a Red Hat Linux 6.2 server is less than 72 hours and a common implementation of Windows 98 was hacked five times in four days. When Spitzner connected his first default installation of Red Hat 5.0 in 1999, it was identified, probed and exploited. All in 15 minutes. With that attack the Honeynet Project was born. It now occupies the time and talents of 30 of the top security technologists in the world. This book is both their story and their discoveries. It is accompanied by a CD with lots of great backup information, scripts, data captures, etc.

The book is arranged in sections, or 'parts.' The first discusses the honeynets and honeypots themselves, along with the intrusion detection tools and techniques to support them. Part 2 digs into the findings and data and discusses how the team interpreted the data coming out of the attacks. Part 3 is an analysis of the 'enemy' from the team's observations, data analysis and actual logs of hacker conversations. There are several useful appendices with such things as SNORT (the Honeynet Project's intrusion detection system) rules, a list of the team members and a couple of very good fingerprint databases.

The book is complete, well-written and well-organized. The information is interesting and presented in a fast-moving, though technically complete manner. IT is appropriate for most levels of security professionals, managers and others involved in some of the technical aspects of information protection. Even non-technical readers with an interest in security will find this book manageable.

If you are on the front line in the war against blackhats, you need this book. It should be on every intrusion analyst's bookshelf as well. If you're just a 'run-of-the-mill' security professional (is there any such thing?) you will be fascinated. Finally, if you really want your management to get a solid idea of what your Internet-connected organization is up against, gift them with this book. It speaks volumes in its 313 pages.
 
 
Title: Know Your Enemy
Author: The Honeynet Project
Publisher: Addison-Wesley
Price: $39.99/£30.99 with CD-ROM
313 pages
ISBN 0-201-74613-1

 
Peter Stephenson is the director of technology services for QinetiQ Trusted Information Management, Inc. He may be reached at
prstephenson@qinetiq-tim.com