REVIEW: "Know Your Enemy", Honeynet Project

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Aug 3, 2004.

  BKKNYREN.RVW 20040618

    "Know Your Enemy", Honeynet Project, 2004, 0-321-16646-9,
    %A Honeynet Project www.honeynet.org/book/
    %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
    %D 2002
    %G 0-321-16646-9
    %I Addison-Wesley Publishing Co.
    %O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
    %P 768 p. + CD-ROM
    %T "Know Your Enemy, Second Edition: Learning About Security

    The first edition of "Know Your Enemy" was a lot of fun, and it also
    contained some valuable advice if you were brand new to the idea of a
    honeypot, and wanted to get started quickly. This second edition has
    taken advantage of another couple of years in the development of
    honeypots and honeynets, and provides guidance on a new generation of
    the technology. More than that, it promises, and mostly provides,
    more detailed information on the analytical aspects of honeynet
    operation, including the all-too-often neglected topic of network
    forensics. The page count has more than doubled.

    I have frequently said that any book with "hack," or any variant
    thereof, in the title is automatically suspect. This work helps prove
    my point, first, because the Honeynet Project members have not used
    the term (they refer to attackers as blackhats), and the text also
    notes the problems with "exploit" type books: they list old and known
    attacks, most of which are protected against, and say nothing about
    the attackers and how they work.

    Part one describes the honeynet. Chapter one points out the value of
    "knowing the enemy" and the history of the Honeynet Project. Chapter
    two explains what a honeypot is, leading to details on how a honeynet
    works, in terms of architecture, policies, and the risks and
    responsibilities of operating one, in chapter three. Building a first
    generation honeynet, in chapter four, presents specific details,
    although a number of concepts have already been given. The lessons
    from the early years of the project have led to a second generation of
    design, which is outlined in chapter five. Using a single machine to
    create a virtual network of simulated machines is described in chapter
    six. Chapter seven extends all of this into distributed networks of
    machines. A number of legal issues are discussed in chapter eight:
    specific citations are primarily from US laws, but general concepts
    are also examined.

    Part two concerns the analysis of data collected from the Honeynet.
    Chapter nine looks at the various sources of evidence. Network
    forensic ideas and tools are reviewed in chapter ten, although the
    material does tend to jump abruptly from Networking 101 to an
    assumption that the reader can parse Snort captures. Fundamentals of
    the data recovery aspects of computer forensics are given in chapter
    eleven, leading to the specifics of UNIX recovery in chapter twelve,
    and Windows in thirteen. (These chapters contain details of up to
    date tools not available in most of the standard computer forensic
    texts.) I was delighted to see that chapter fourteen addresses
    reverse engineering, although only in a limited subset of the full
    range of software forensics. Chapter fifteen reiterates the sources
    from chapter nine, and suggests centralized collection and management
    of data.

    Part three explains what the project has determined about "the enemy"
    by the types of attacks that have been launched and detected. Chapter
    sixteen takes a random crack at several topics related to the blackhat
    community: a number of points are interesting, but few are very
    helpful. A general overview of attacks is given in chapter seventeen.
    Specific attacks, and analyses, on Windows, Linux, and Solaris are
    detailed in chapters eighteen to twenty. Future trends are projected
    in chapter twenty one.

    The repetition of material that plagued the first edition has been
    cleaned up to a great extent, although the text would still benefit
    from a tightening up of the material in some chapters. In addition,
    the early examples are not thoroughly explained, making the reader
    initially feel that only a firewall audit log specialist would be able
    to understand what is being said. However, as with the first edition,
    most of the book is written clearly and well, and it is certainly
    worth reading. In addition, the new material definitely makes this
    not merely an interesting read, but something that has the potential
    to be a serious reference in the forensic field.

    copyright Robert M. Slade, 2004 BKKNYREN.RVW 20040618

