Preface

Foreword

The Honeynet

The Beginning
    The Honeynet Project
    The Honeynet Research Alliance
    Managing It All: Lessons We've Learned
    Summary

Honeypots
    Definition of Honeypots
    Types of Honeypots
    Uses of Honeypots
    Summary

Honeynets
    The Value of a Honeynet
    The Honeynet Architecture
    Risk
    Types of Honeynets
    Summary

GenI Honeynets
    GenI Honeynet Architecture
    GenI Options for Data Control
    GenI Functionality for Data Capture
    A Complete GenI Honeynet Setup Example
    How It All Works Together: Example Attack Capture
    Summary

GenII Honeynets
    GenII Honeynet Improvements
    GenII Honeynet Architecture
    GenII Data Control
    Data Capture
    GenII Honeynet Deployment
    Summary

Virtual Honeynets
    What Is a Virtual Honeynet?
    Self-Contained Virtual Honeynets
    Hybrid Virtual Honeynets
    Possible Implementation Solutions
    Summary

Distributed Honeynets
    What Is a Distributed Honeynet?
    Physical Distribution
    Honeypot Farms
    The Latency Problem
    Setting Up a Honeypot Farm
    Issues Common to All Distributed Honeynets
    Summary

Legal Issues
    Monitoring Network Users
    Crime and the Honeynet
    Do No Harm: Liability to Others
    Summary

The Analysis

The Digital Crime Scene
    The Purpose and Value of Data Analysis
    Capturing Different Types of Data Within the Honeynet
    The Multiple Layers of Data Analysis and Their Value
    Summary

Network Forensics
    Performing Network Forensics
    Network Traffic 101
    Capturing and Analyzing Network Traffic
    A Case Study from the Honeynet
    Analyzing Nonstandard Protocols
    Common Traffic Patterns for Forensic Analysts
    Passive Fingerprinting
    Summary

Computer Forensics Basics
    Overview
    Analysis Environment
    Data Acquisition
    Summary

UNIX Computer Forensics
    Linux Background
    Data Acquisition
    The Analysis
    Readiness Steps
    Summary

Windows Computer Forensics
    Windows File Systems
    Data Acquisition
    Analysis of the System
    Analysis with Autopsy and the Sleuth Kit
    Summary

Reverse Engineering
    Introduction
    Static Analysis
    Active Analysis
    A Walkthrough: The Honeynet Reverse Challenge
    Summary
    Further Reading

Centralized Data Collection and Analysis
    Centralizing Data
    The Honeynet Security Console
    Summary

The Enemy

Profiling
    A Sociological Analysis of the Whitehat/Blackhat Community
    "A Bug's Life": The Birth, Life, and Death of an Exploit
    Intelligence-Based Information Security: Profiling and Much More
    Bringing It All Together
    Summary

Attacks and Exploits: Lessons Learned
    Overview
    Types of Attacks
    Who Is Performing Attacks?
    Common Steps to Exploiting a System
    Summary

Windows 2000 Compromise and Analysis
    Honeypot Setup and Configuration
    Honeynet Setup and Configuration
    The Attack Log
    Threat Analysis/Profile
    Lessons Learned for Defense
    Lessons Learned About Attackers
    Summary

Linux Compromise
    Honeynet Setup and Configuration
    Forensics Procedure
    The Day After
    Event Summary
    Summary

Example of Solaris Compromise
    Honeynet Setup and Configuration
    The Events for Day 1
    Day 1 Summary of Events
    The Events for Day 3
    Day 3 Summary of Events
    Profiling of the Intruder
    Summary

The Future
    Distributed Honeynets
    Advanced Threats
    Insider Threats
    Law Enforcement Applications
    Use and Acceptance
    Blackhat Response
    Summary

IPTables Firewall Script

Snort Configuration

Swatch Configuration

Network Configuration Summary

Honeywall Kernel Configuration

GenII rc.firewall Configuration

Resources and References

About the Authors

Index