LinuxSecurity.com Reviews the Honeynet Project's Know Your Enemy Book
The Honeynet Project was founded in early 1999 by Lance Spitzner, a former officer in the Army's Rapid Deployment Force, who transferred his Army intelligence and tactical knowledge to the field of computer forensics. In doing so he started a fascinating worldwide effort to track the habits of blackhats by placing production systems on the Internet, monitoring them once they've been breached, and recording what the intruders have done. Formed from some of the brightest minds in computer security, forensics, and even computer psychology, the Honeynet Project now consists of no less than thirty individuals, including Dave Dittrich, Dug Song, Marty Roesch, Rain Forest Puppy and Stuart McClure. Having previously read Lance's "Know Your Enemy" documents, I was pleased when I received a copy of "Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community" for review. The Honeynet Project began as a series of papers written by Lance Spitzner entitled "Know Your Enemy," in which Lance set down what he had learned from his computer security experiences in this discipline. Specifically, the "Know Your Enemy: Honeynets" paper provides a great deal of information to get started with your own Honeynet.

From The Beginning
Chapter Two provides a basic description of a honeynet and how it all began. The idea of using production systems of all types to build a network specifically designed to be compromised is a new one. Previously, emulated systems (in some cases called "honeypots") were placed on the Internet, but they often lacked the ability to contain the blackhat once the system was compromised, were limited to specific operating systems or environments, or were unable to detect unknown vulnerabilities. The systems on a Honeynet differ in that they are real, unmodified ones, such as a default Linux installation, a Cisco router or a Sun server. Traditionally, the security measures an organization configures to protect its online assets are defensive: Access Control Lists on the router, a firewall on the Sun server, and SSH-only access to the Linux box. Honeynets instead take a research and analysis approach, giving organizations the information they need to protect their production systems from attacks. A Honeynet is a controlled environment that takes the chaotic blackhat activity on the Internet and rationalizes it into useful information that can be used to protect a production network running a similar environment.
The Value of a Honeynet
Using What You Know
The recorded data is of no use if it's not analyzed. This is the meticulous part of the project that requires attention to detail, a full working knowledge of network protocols, and the ability to recognize how a collection of packets either forms a new attack or a component of an existing one.
Data Analysis
Chapter Six, "Analyzing a Compromised System", provides a detailed analysis of a particular attack, including how the blackhat compromised the system, the method and exploit that was used (in this case the NXT BIND buffer overflow), and what was done to the system once it was compromised. Multiple systems were in fact involved in this particular attack, and the chapter shows how, in this case, scripted attacks were run in an attempt to leave a backdoor for later access, eventually leading to a Trinoo DDoS attack.
Advanced Topics in Analysis
Launched on January 15, 2001, the Honeynet Forensic Challenge provided system images of a Red Hat 6.2 system compromised the previous November. The chapter details the use of The Coroner's Toolkit (TCT), the computer forensics tool developed by Wietse Venema (author of TCP Wrappers and several other staples of Internet security) together with Dan Farmer. Using TCT, it's often possible to determine what files may have been deleted, retrieve their contents, and determine how they differ from the original form. This is an attractive tool with a cool name, and one that is indispensable in the hands of someone with the sophisticated knowledge required to use it correctly. An extensive analysis of the challenge was performed by Dave Dittrich after the project was over, concluding that the system had been compromised through an rpc.statd buffer overflow. Dittrich includes a Time/Cost Analysis and the most interesting pieces of information gathered from the images. It turns out that the average time spent on the analysis by each entrant was about 34 hours. That's nearly a week's worth of analysis for what took an attacker about a half-hour to exploit. Dittrich concludes that the average cost of cleanup of a single incident is approximately US$2000. An interesting point is raised on the Forensic Challenge web page: "But all it takes to re-install Red Hat is 30 minutes. How do you come up with US$2000 damage?" His answer is equally interesting: "When a system is compromised, and the data on it and its network are compromised, it is not simple to determine the extent of the damage without a lot of work. We do not know if the blackhat stole people's passwords, hacked other systems, has implemented sniffers, etc. This argues for strong prevention, defense in depth (including monitoring in depth), and trained responders. If all the administrator does is re-install the OS, they are doing a wholly inadequate job of responding to a security incident, as the extent of damage may be far greater than a single system."
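The step the paragraph above describes after recovery, working out how recovered files differ from their original form, can be shown with a small integrity check. This is an added example written for this review, not code from the book, from TCT or from the Forensic Challenge; the baseline manifest and the "recovered" file contents are constructed samples, and the paths and hashes stand in for what a real package manifest and image would supply.

```python
"""Integrity check of files recovered from a compromised-system image.

Added example for this review, not code from the book or from TCT: once
deleted or modified files have been recovered, the next question is how they
differ from the known-good originals.  This compares recovered contents
against a baseline manifest by hash and prints a unified diff for modified
text files.  The baseline and the recovered contents below are constructed
samples, not data from the Forensic Challenge images.
"""
import difflib
import hashlib
from typing import Dict, List

# Constructed known-good contents, as they would come from clean install
# media or the distribution's package manifest for the same release.
BASELINE: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"
                   b"nobody:x:99:99:Nobody:/:/sbin/nologin\n",
    "/bin/ls": b"ELF-LS-ORIGINAL",          # stands in for the real binary
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n",
}

# Constructed contents pulled from the image, including a file that was only
# present in unallocated blocks (the kind of thing TCT brings back).
RECOVERED: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"
                   b"nobody:x:99:99:Nobody:/:/sbin/nologin\n"
                   b"owned:x:0:0::/:/bin/bash\n",        # constructed: extra uid-0 account
    "/bin/ls": b"ELF-LS-REPLACED",           # constructed: binary no longer matches
    "/var/tmp/.x": b"constructed: file dropped by the intruder\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(baseline: Dict[str, bytes], recovered: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to 'unchanged', 'modified', 'deleted' or 'added'."""
    result: Dict[str, str] = {}
    for path, data in baseline.items():
        if path not in recovered:
            result[path] = "deleted"        # in the baseline, absent from the image
        elif sha256(recovered[path]) != sha256(data):
            result[path] = "modified"
        else:
            result[path] = "unchanged"
    for path in recovered:
        if path not in baseline:
            result[path] = "added"          # on the image, never part of the install
    return result


def text_diff(path: str, baseline: Dict[str, bytes], recovered: Dict[str, bytes]) -> List[str]:
    """Unified diff (original vs. recovered) for one modified text file."""
    before = baseline[path].decode("utf-8", "replace").splitlines()
    after = recovered[path].decode("utf-8", "replace").splitlines()
    return list(difflib.unified_diff(before, after, "baseline:" + path,
                                     "recovered:" + path, lineterm=""))


def report(baseline: Dict[str, bytes], recovered: Dict[str, bytes]) -> List[str]:
    """Human-readable summary; modified, deleted and added files listed first."""
    lines: List[str] = []
    verdicts = classify(baseline, recovered)
    for path in sorted(verdicts, key=lambda p: (verdicts[p] == "unchanged", p)):
        lines.append(f"{verdicts[path]:<9} {path}")
        if verdicts[path] == "modified":
            lines.extend("    " + d for d in text_diff(path, baseline, recovered))
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, RECOVERED)))
```

The hash comparison is what tells you a binary has been replaced even when its size and timestamps look plausible; the diff is only meaningful for text files such as /etc/passwd, where it points straight at the added account.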
What Makes Them Tick?
Chapter Eleven, which makes up a significant part of the book, is an actual account of a conversation between a group of blackhats as they discuss the compromise of a Solaris 2.6 system under the control of the Honeynet group.

In Their 0wn Words
The chapter outlines the social structure created within the group, including expert analysis by Max Kilger, the team's psychologist, and is truly fascinating. It at times plays out like a high school clique, except with the number of compromised systems making up the social order.
The Future
Distributed Honeynets sound particularly interesting. By having multiple systems configured throughout the world, it may be possible to better determine attack trends. Attacks on systems that are prepared to handle the next denial of service or buffer overflow could very well be used to alert system administrators across the world of an impending new attack, providing the necessary lead time to protect themselves.
The Authors
The book is well written and provides sufficient information for an enthusiastic computer security professional to build his own Honeynet for research. It must be stressed, however, that Honeynets aren't for everyone. Undesired consequences could occur if the Honeynet is misconfigured and potentially used as a point from which to attack other networks. If your logging or auditing is misconfigured, an attack could go unnoticed, potentially putting real systems at risk and leading to system administrators knocking on your door wondering why you're attacking them. After you've read, or at least have handy, "Building Internet Firewalls" and "Network Intrusion Detection," this book is a must-have for anyone interested in knowing what makes the blackhat tick.
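The review calls a Honeynet a controlled environment and then warns that a misconfigured one can be turned against other networks. The control that makes the difference is counting and capping outbound connections from the honeypots at the gateway. The following is an added example written for this review, not code from the book or the Honeynet Project: it scans constructed iptables-style gateway log lines, counts new outbound connections per honeypot, and raises an alert when an assumed per-honeypot limit is exceeded. The log format, the addresses and the limit are assumptions for this example; the book's own figure is not quoted in the review.

```python
"""Data-control check for a honeynet gateway log.

Added example for this review, not code from the book or the Honeynet
Project.  A honeynet is only a controlled environment if outbound connections
from the honeypots are counted and capped, so a compromised honeypot cannot be
used against someone else's network while you are still collecting data.
The log format, the addresses and the limit below are assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

HONEYPOTS = {"10.0.1.10", "10.0.1.11"}   # assumed honeypot addresses
HONEYNET_PREFIX = "10.0.1."              # traffic that stays inside the honeynet is not outbound
OUTBOUND_LIMIT = 5                       # assumed policy, not the book's figure

# Constructed iptables-style log lines from the gateway (syslog prefix trimmed).
GATEWAY_LOG = """\
IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.1.10 PROTO=TCP SPT=4321 DPT=53 SYN
IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.1.10 PROTO=TCP SPT=4322 DPT=111 SYN
IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=21 SYN
IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=21 ACK
IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.8 PROTO=TCP SPT=1026 DPT=6667 SYN
IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.9 PROTO=UDP SPT=1027 DPT=53
IN=eth1 OUT=eth1 SRC=10.0.1.10 DST=10.0.1.11 PROTO=TCP SPT=1028 DPT=22 SYN
IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=192.0.2.20 PROTO=TCP SPT=1029 DPT=80 SYN
IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=192.0.2.21 PROTO=TCP SPT=1030 DPT=80 SYN
IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=192.0.2.22 PROTO=TCP SPT=1031 DPT=80 SYN
IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=198.51.100.7 PROTO=TCP SPT=2001 DPT=25 SYN
kernel: martian source 10.0.1.10 from 0.0.0.0, on dev eth1
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: SPT=\d+)? DPT=(\d+)")


def parse(line: str) -> Optional[Dict[str, object]]:
    """Pull the fields we need from one log line; None if it is not a packet line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "dpt": int(dpt),
            "syn": line.rstrip().endswith("SYN")}


def is_new_outbound(rec: Dict[str, object]) -> bool:
    """A honeypot starting a connection to somewhere outside the honeynet."""
    if rec["src"] not in HONEYPOTS or str(rec["dst"]).startswith(HONEYNET_PREFIX):
        return False
    # TCP is counted only on the SYN; UDP has no handshake, so every datagram counts.
    return rec["proto"] == "UDP" or bool(rec["syn"])


def count_outbound(lines: List[str]) -> Counter:
    """New outbound connections per honeypot."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec and is_new_outbound(rec):
            counts[str(rec["src"])] += 1
    return counts


def outbound_targets(lines: List[str]) -> Dict[str, Set[str]]:
    """Outside hosts each honeypot tried to reach (the people you may need to notify)."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and is_new_outbound(rec):
            targets[str(rec["src"])].add(str(rec["dst"]))
    return dict(targets)


def alerts(lines: List[str], limit: int = OUTBOUND_LIMIT) -> Dict[str, int]:
    """Honeypots whose outbound count exceeds the limit: time to cut them off."""
    return {ip: n for ip, n in count_outbound(lines).items() if n > limit}


if __name__ == "__main__":
    lines = GATEWAY_LOG.splitlines()
    for ip, n in alerts(lines).items():
        print(f"ALERT {ip}: {n} outbound connections (limit {OUTBOUND_LIMIT}), "
              f"targets {sorted(outbound_targets(lines)[ip])}")
```

Counting only connection starts (TCP SYN, or any UDP datagram) keeps the honeypot's own legitimate replies to inbound probes from inflating the count, while the per-destination list is what you would hand to the administrators of the networks the honeypot reached. In a real deployment the alert would feed the gateway's blocking rule rather than just a print.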
Honeynet Resources

Network Intrusion Detection Using Snort
This document takes you through the basics of intrusion detection, the steps necessary to configure a host to run the snort network intrusion detection system, testing its operation, and alerting you to possible intrusion events.
http://www.linuxsecurity.com/feature_stories/using-snort.html

The Coroner's Toolkit
TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in. The software was presented first in a Computer Forensics Analysis class in August 1999 (handouts can be found here). Examples of using TCT can also be found on-line in a series of columns in the Doctor Dobb's Journal.

Honeynet Project's 'honey pot' a sweet success in trapping hacker attacks
Fresh off their success in monitoring the group and handing over the evidence to federal authorities, the Honeynet team took a deeper look at the traffic they were capturing and found something worth investigating further.
http://www.infoworld.com/articles/op/xml/00/11/27/001127opswatch.xml

Complete contents of Chapter One
The Battleground. A description of where it all started.

Part 1: The Honeynet
Complete contents of the introduction to Part 1: The Honeynet and also Chapter 2: What A Honeynet Is. The answers to the question of "What is a Honeynet?", how it differs from a honeypot, and essential information needed to get started.

Honeynet Forensic Challenge Images
The download area for the Honeynet Forensics Challenge. This includes the images necessary to participate in the Forensic Challenge offered by the Honeynet Project in early 2001.

Hackers caught in security 'honeypot'
When a group of suspected Pakistani hackers broke into a U.S.-based computer system in June, they thought they had found a vulnerable network to use as an anonymous launching pad to attack Web sites across India.
http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html

Know Your Enemy: Honeynets
The "Know Your Enemy: Honeynets" article, also written by the Honeynet Project, includes essential information to get started building your own Honeynet, the value of a honeynet, how it works, information about data capture and control, and even info on the next generation honeynet currently in development.
http://www.linuxsecurity.com/content/view/117597/49/