The Honeynet Project's first book details how a honeynet works, how to analyze the data once captured, how to prevent the honeynet machine from becoming a point from which to launch an attack on another network, and even gives a full account of a discussion between blackhats as they plot their next attack.
"There are three principal means of acquiring knowledge... observation of
nature, reflection, and experimentation," wrote Denis Diderot, the prominent
French writer back in the 1700s. The Honeynet Project was developed to gain
the knowledge of the blackhats by putting them in the unwitting role of the
teacher, sharing their most closely held secrets about their motivations,
attack techniques, and tools.
The project was founded in early 1999 by Lance Spitzner, a former officer in the
Army's Rapid Deployment Force, who transferred his Army intelligence and tactical
knowledge to the field of computer forensics. In doing so he started a fascinating
worldwide effort to track the habits of blackhats by placing production
systems on the Internet, monitoring them once they've been breached,
and recording what the intruders have done.
Formed from some of the brightest minds in computer security, forensics,
and even computer psychology, the Honeynet Project now consists of no less
than thirty individuals including Dave Dittrich, Dug Song, Marty Roesch,
Rain forest puppy and Stuart McClure.
Having previously read Lance's "Know Your Enemy" documents, I was pleased
when I received a copy of "Know Your Enemy: Revealing the Security Tools,
Tactics, and Motives of the Blackhat Community" for review.
The Honeynet Project began as a series of papers written by Lance Spitzner
entitled "Know Your Enemy," in which Lance set down what he had learned from his
computer security experiences in this discipline. Specifically, the "Know
Your Enemy: Honeynets" paper provides a great deal of information to get
started with your own Honeynet.
From The Beginning
Chapter One starts with an introduction to the project and the goals they
are trying to achieve. "How do blackhats identify a vulnerable system? How
do they communicate among themselves? Are we dealing with a single threat
or a variety of threats?"
Chapter Two provides a basic description of a honeynet and how it all
began. The use of production systems of all types to create a network that
was specifically designed to be compromised is a new idea. Previously, emulated
systems (in some cases called "honeypots") were placed on the Internet, but
they often lacked the ability to contain the blackhat once the system was
compromised, were limited to specific operating systems or environments, or
were unable to detect unknown vulnerabilities.
The systems on a Honeynet differ in that they are real and unmodified ones,
such as a default Linux installation, a Cisco router or a Sun server.
Traditionally, the security measures an organization configures to protect its
online assets are defensive: Access Control Lists on the router, a firewall
on the Sun server, and SSH-only access to the Linux box. Honeynets instead
take a research and analysis approach, giving organizations the information
they need to protect their production systems from attacks.
A Honeynet is a controlled environment that takes the chaotic blackhat
activity on the Internet and rationalizes it into useful information that can
be used to protect a production network running a similar environment.
The Value of a Honeynet
The value to an organization of being able to run a new product, before
deploying it online, in an environment where it can track access by those
whose only purpose is to breach it is quite extraordinary.
Is the new product, and the system it's running on, secure enough to withstand
repeated attacks on a network where the impact of a compromise is minimal?
Gone are the days when blackhats spent hours probing individual systems
for a vulnerability. It's now possible to scan an entire network segment
at a time, testing for a series of vulnerabilities, then recording that
information in a database to be used later as a starting point. Chances
are good that even with an unadvertised web server you'll be poked or
prodded, even with attacks intended for entirely different architectures
than your own.
Using What You Know
Existing security tools are put to work: an intrusion detection system to
create an account of the network activity, firewalls to prevent access
to production systems while at the same time preventing the Honeynet from
being used as a source for attacking other networks, and even social
engineering to make the system appear as if it's a production one and
"keep the Honeynet sweet". These are all great methods for tracking and
recording every keystroke, and they show the Honeynet team has put a great
deal of thought into the process.
The recorded data is of no use if it's not analyzed. This is the meticulous
part of the project that requires attention to detail, a full working knowledge
of network protocols, and the ability to recognize how a collection of packets
forms either a new attack or a component of an existing one.
Data Analysis
Part II starts with tips on how to analyze firewall logs, packets captured
by the IDS sniffer, and system logs, to help determine how the attacker
got in and where he came from.
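The firewall-log triage the review describes, as an added example that is not code from the book or the Honeynet Project: constructed iptables-style log lines are split into inbound probes against the honeynet and outbound connections a honeypot opens by itself, which is the sign that it has been compromised and that data control must stop it being used against other networks. The address ranges, the outbound limit and the scan threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed iptables-style syslog lines (not taken from the book or the project).
# Assumed layout: 192.0.2.0/24 is the honeynet, 198.51.100.0/24 the production network,
# 203.0.113.9 an outside host. The port-53 sweep echoes the BIND attack the review mentions.
SAMPLE_LOG = """\
Nov 12 03:14:07 hn-fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=53 SYN
Nov 12 03:14:07 hn-fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=40212 DPT=53 SYN
Nov 12 03:14:08 hn-fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.12 PROTO=TCP SPT=40213 DPT=53 SYN
Nov 12 03:20:41 hn-fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=1033 DPT=6667 SYN
Nov 12 03:22:05 hn-fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1034 DPT=22 SYN
Nov 12 03:22:06 hn-fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=1035 DPT=22 SYN
"""

HONEYNET = ip_network("192.0.2.0/24")
PRODUCTION = ip_network("198.51.100.0/24")
OUTBOUND_LIMIT = 2   # assumed ceiling on outbound connections per honeypot before data control blocks
SCAN_THRESHOLD = 3   # one source hitting this many honeypots on one port counts as a sweep

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def parse(log_text):
    """Yield (src, dst, proto, sport, dport) for every line that carries a packet record."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, spt, dpt = m.groups()
            yield ip_address(src), ip_address(dst), proto, int(spt), int(dpt)

def analyze(log_text, limit=OUTBOUND_LIMIT):
    """Split the log into inbound probes and honeypot-initiated outbound connections.
    A real, unmodified honeypot never opens connections by itself, so any outbound entry
    means compromise; above `limit` data control must block, and outbound traffic toward
    the production range is flagged separately."""
    inbound = Counter()             # (source, dport) -> number of honeynet hosts probed
    outbound = defaultdict(list)    # honeypot -> [(dst, proto, dport), ...]
    for src, dst, proto, spt, dpt in parse(log_text):
        if dst in HONEYNET and src not in HONEYNET:
            inbound[(str(src), dpt)] += 1
        elif src in HONEYNET:
            outbound[str(src)].append((str(dst), proto, dpt))
    return {
        "scans": {k: n for k, n in inbound.items() if n >= SCAN_THRESHOLD},
        "compromised": sorted(outbound),
        "over_limit": sorted(h for h, c in outbound.items() if len(c) > limit),
        "hit_production": sorted(h for h, c in outbound.items()
                                 if any(ip_address(d) in PRODUCTION for d, _, _ in c)),
    }
```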
Chapter Six, "Analyzing a Compromised System", provides a detailed analysis
of a particular attack including how the blackhat compromised the system,
the method and exploit that was used (in this case the NXT BIND buffer
overflow), as well as what was done to the system once it was compromised.
Multiple systems were in fact involved in this particular attack, and the
chapter shows how scripted attacks were run in an attempt to leave a backdoor
for later access, eventually leading to a Trinoo DDoS attack.
Advanced Topics in Analysis
Advanced topics including passive fingerprinting, data forensics, and later
the Forensics Challenge are covered in great detail. The Forensics Challenge,
led by team member Dave Dittrich, provided the disk images from an actual
compromised system to anyone interested in downloading them and attempting to
decipher the data contained within to determine how the attack took
place.
Launched on January 15, 2001, the system images were of a Red Hat 6.2
system compromised the previous November. The chapter details the use of The
Coroner's Toolkit (TCT), the computer forensics tool developed by Wietse
Venema, author of TCP Wrapper and several other staples of Internet
security.
Using TCT, it's often possible to determine what files may have been deleted,
retrieve their contents, and determine how they differ from the original
form. This is an attractive tool with a cool name and one that is indispensable
in the hands of someone with the sophisticated knowledge required to use it
correctly.
An extensive analysis of the challenge was performed by Dave Dittrich after
the project was over, concluding that the compromise was achieved through an
rpc.statd buffer overflow. Dittrich includes a Time/Cost Analysis and the most
interesting pieces of information gathered from the images.
It turns out that the average time spent on the analysis by each entrant
was about 34 hours. That's nearly a week's worth of analysis for what took
an attacker about a half-hour to exploit.
Dittrich concludes that the average cost of cleanup of a single incident is
approximately US$2000. An interesting point is raised on the Forensic
Challenge web page. "But all it takes to re-install Red Hat is 30 minutes.
How do you come up with US$2000 damage?" His answer is equally interesting:
When a system is compromised, and the data on it and its network are
compromised, it is not simple to determine the extent of the damage
without a lot of work. We do not know if the blackhat stole people's
passwords, hacked other systems, has implemented sniffers, etc. This
argues for strong prevention, defense in depth (including monitoring in
depth), and trained responders. If all the administrator does is re-install
the OS, they are doing a wholly inadequate job of responding to a security
incident, as the extent of damage may be far greater than a single system.
What Makes Them Tick?
Chapters Nine and Ten detail the trends, motives, tools, and methodologies
that are used by blackhats. While some attacks are launched by script kiddies,
others are launched by advanced users who develop their own tools and leave
behind sophisticated backdoors. Regardless of who you are and what systems
you run, state the authors, your organization is at risk.
Chapter Eleven, which makes up a significant part of the book, is an actual
account of a conversation between a group of blackhats as they discuss the
compromise of a Solaris 2.6 system under the control of the Honeynet
group.
In Their 0wn Words
Every step of the process is detailed "In Their Own Words." An IRC chat
session between d1ck and j4n3 over a seven day period provides the Honeynet
team with information on their motives, demeanor, habits, and abilities.
"They may not be technically competent or even understand the tools
they are using. However, by focusing on a larger number of systems,
they can achieve dramatic results. This is not a threat to take lightly."
Script kiddies have time on their hands to keep trying until they
are successful.
The chapter outlines the social structure created within the group, including
expert analysis by Max Kilger, the team's psychologist, and is truly
fascinating. It at times plays out like a high school clique, except with
the number of compromised systems making up the social order.
The Future
The final chapter discusses the future of the Honeynet. New techniques
for capturing and auditing data are being developed, including real-time
decryption of encrypted traffic, more advanced filtering methods to reduce
false positives, the creation of more realistic environments, and
continued pursuit of previously unknown vulnerabilities.
Distributed Honeynets sound particularly interesting. By having multiple
systems configured throughout the world, it may be possible to better
determine attack trends. Attacks on systems that are prepared to handle
the next denial of service or buffer overflow could very well be used to
alert system administrators across the world of an impending new attack,
providing the necessary lead time to protect themselves.
The Authors
One of the most compelling reasons to buy this book is the authors. Written
by some of the most authoritative authors in the field of computer science
with Lance Spitzner at the helm, you'll find no more definitive
reference. The authors have an obvious zeal about their work as computer
scientists sharing their experiences with the Internet community at large.
The book is well written and provides sufficient information for an
enthusiastic computer security professional to build his own Honeynet
for research. It must be stressed, however, that Honeynets aren't for
everyone. Undesired consequences could occur if the Honeynet is misconfigured
and ends up being used as a point from which to attack other networks. If your
logging or auditing is misconfigured, an attack could go unnoticed, potentially
putting real systems at risk and leading to system administrators knocking on your
door wondering why you're attacking them.
After you've read, or at least have handy, "Building Internet Firewalls"
and "Network Intrusion Detection," this book is a must-have for anyone interested in
knowing what makes the blackhat tick.
Honeynet Resources
Network Intrusion Detection Using Snort
This document takes you through the basics of
intrusion detection, the steps necessary to configure a host to run
the Snort network intrusion detection system, test its operation,
and have it alert you to possible intrusion events.
http://www.linuxsecurity.com/feature_stories/using-snort.html
The Coroner's Toolkit
TCT is a collection of programs by Dan Farmer and
Wietse Venema for a post-mortem analysis of a UNIX system after
break-in. The software was presented first in a Computer Forensics
Analysis class in August 1999 (handouts can be found
here). Examples of using TCT can also be found on-line in a series of
columns in the Doctor Dobb's Journal.
http://www.porcupine.org/forensics/tct.html
Honeynet Project's 'honey pot' a sweet success in trapping hacker attacks
Fresh off their success in monitoring the group and
handing over the evidence to federal authorities, the Honeynet team
took a deeper look at the traffic they were capturing and found
something worth investigating further.
http://www.infoworld.com/articles/op/xml/00/11/27/001127opswatch.xml
Complete contents of Chapter One
The Battleground. A description of where
it all started.
http://www.linuxsecurity.com/feature_stories/HONEY1.pdf
Part 1: The Honeynet
Complete contents of the introduction to Part 1:
The Honeynet and also Chapter 2: What A Honeynet Is. The answers
to the question of "What is a Honeynet?", how it differs from
a honeypot, and essential information needed to get started.
http://www.linuxsecurity.com/feature_stories/HONEY2.pdf
Honeynet Forensic Challenge Images
The download area for the Honeynet Forensics
Challenge. This includes the images necessary to participate in the
Forensic Challenge offered by the Honeynet Project in early 2001.
http://honeynet.linuxsecurity.com/
Hackers caught in security 'honeypot'
When a group of suspected Pakistani hackers broke
into a U.S.-based computer system in June, they thought they had
found a vulnerable network to use as an anonymous launching pad to
attack Web sites across India.
http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html
Know Your Enemy: Honeynets
The "Know Your Enemy: Honeynets" article,
also written by the Honeynet Project, includes essential information
to get started building your own Honeynet, the value of a honeynet,
how it works, information about data capture and control, and even
info on the next generation honeynet currently in development.
http://www.linuxsecurity.com/content/view/117597/49/