| |
| |
| Preface | |
| |
| |
| Foreword | |
| |
| |
| |
| The Honeynet | |
| |
| |
| |
| The Beginning | |
| |
| |
| The Honeynet Project | |
| |
| |
| The Honeynet Research Alliance | |
| |
| |
| Managing It All: Lessons We've Learned | |
| |
| |
| Summary | |
| |
| |
| |
| Honeypots | |
| |
| |
| Definition of Honeypots | |
| |
| |
| Types of Honeypots | |
| |
| |
| Uses of Honeypots | |
| |
| |
| Summary | |
| |
| |
| |
| Honeynets | |
| |
| |
| The Value of a Honeynet | |
| |
| |
| The Honeynet Architecture | |
| |
| |
| Risk | |
| |
| |
| Types of Honeynets | |
| |
| |
| Summary | |
| |
| |
| |
| GenI Honeynets | |
| |
| |
| GenI Honeynet Architecture | |
| |
| |
| GenI Options for Data Control | |
| |
| |
| GenI Functionality for Data Capture | |
| |
| |
| A Complete GenI Honeynet Setup Example | |
| |
| |
| How It All Works Together: Example Attack Capture | |
| |
| |
| Summary | |
| |
| |
| |
| GenII Honeynets | |
| |
| |
| GenII Honeynet Improvements | |
| |
| |
| GenII Honeynet Architecture | |
| |
| |
| GenII Data Control | |
| |
| |
| Data Capture | |
| |
| |
| GenII Honeynet Deployment | |
| |
| |
| Summary | |
| |
| |
| |
| Virtual Honeynets | |
| |
| |
| What Is a Virtual Honeynet? | |
| |
| |
| Self-Contained Virtual Honeynets | |
| |
| |
| Hybrid Virtual Honeynets | |
| |
| |
| Possible Implementation Solutions | |
| |
| |
| Summary | |
| |
| |
| |
| Distributed Honeynets | |
| |
| |
| What Is a Distributed Honeynet? | |
| |
| |
| Physical Distribution | |
| |
| |
| Honeypot Farms | |
| |
| |
| The Latency Problem | |
| |
| |
| Setting Up a Honeypot Farm | |
| |
| |
| Issues Common to All Distributed Honeynets | |
| |
| |
| Summary | |
| |
| |
| |
| Legal Issues | |
| |
| |
| Monitoring Network Users | |
| |
| |
| Crime and the Honeynet | |
| |
| |
| Do No Harm: Liability to Others | |
| |
| |
| Summary | |
| |
| |
| |
| The Analysis | |
| |
| |
| |
| The Digital Crime Scene | |
| |
| |
| The Purpose and Value of Data Analysis | |
| |
| |
| Capturing Different Types of Data Within the Honeynet | |
| |
| |
| The Multiple Layers of Data Analysis and Their Value | |
| |
| |
| Summary | |
| |
| |
| |
| Network Forensics | |
| |
| |
| Performing Network Forensics | |
| |
| |
| Network Traffic 101 | |
| |
| |
| Capturing and Analyzing Network Traffic | |
| |
| |
| A Case Study from the Honeynet | |
| |
| |
| Analyzing Nonstandard Protocols | |
| |
| |
| Common Traffic Patterns for Forensic Analysts | |
| |
| |
| Passive Fingerprinting | |
| |
| |
| Summary | |
| |
| |
| |
| Computer Forensics Basics | |
| |
| |
| Overview | |
| |
| |
| Analysis Environment | |
| |
| |
| Data Acquisition | |
| |
| |
| Summary | |
| |
| |
| |
| UNIX Computer Forensics | |
| |
| |
| Linux Background | |
| |
| |
| Data Acquisition | |
| |
| |
| The Analysis | |
| |
| |
| Readiness Steps | |
| |
| |
| Summary | |
| |
| |
| |
| Windows Computer Forensics | |
| |
| |
| Windows File Systems | |
| |
| |
| Data Acquisition | |
| |
| |
| Analysis of the System | |
| |
| |
| Analysis with Autopsy and the Sleuth Kit | |
| |
| |
| Summary | |
| |
| |
| |
| Reverse Engineering | |
| |
| |
| Introduction | |
| |
| |
| Static Analysis | |
| |
| |
| Active Analysis | |
| |
| |
| A Walkthrough: The Honeynet Reverse Challenge | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| Centralized Data Collection and Analysis | |
| |
| |
| Centralizing Data | |
| |
| |
| The Honeynet Security Console | |
| |
| |
| Summary | |
| |
| |
| |
| The Enemy | |
| |
| |
| |
| Profiling | |
| |
| |
| A Sociological Analysis of the Whitehat/Blackhat Community | |
| |
| |
| "A Bug's Life": The Birth, Life, and Death of an Exploit | |
| |
| |
| Intelligence-Based Information Security: Profiling and Much More | |
| |
| |
| Bringing It All Together | |
| |
| |
| Summary | |
| |
| |
| |
| Attacks and Exploits: Lessons Learned | |
| |
| |
| Overview | |
| |
| |
| Types of Attacks | |
| |
| |
| Who Is Performing Attacks? | |
| |
| |
| Common Steps to Exploiting a System | |
| |
| |
| Summary | |
| |
| |
| |
| Windows 2000 Compromise and Analysis | |
| |
| |
| Honeypot Setup and Configuration | |
| |
| |
| Honeynet Setup and Configuration | |
| |
| |
| The Attack Log | |
| |
| |
| Threat Analysis/Profile | |
| |
| |
| Lessons Learned for Defense | |
| |
| |
| Lessons Learned About Attackers | |
| |
| |
| Summary | |
| |
| |
| |
| Linux Compromise | |
| |
| |
| Honeynet Setup and Configuration | |
| |
| |
| Forensics Procedure | |
| |
| |
| The Day After | |
| |
| |
| Event Summary | |
| |
| |
| Summary | |
| |
| |
| |
| Example of Solaris Compromise | |
| |
| |
| Honeynet Setup and Configuration | |
| |
| |
| The Events for Day 1 | |
| |
| |
| Day 1 Summary of Events | |
| |
| |
| The Events for Day 3 | |
| |
| |
| Day 3 Summary of Events | |
| |
| |
| Profiling of the Intruder | |
| |
| |
| Summary | |
| |
| |
| |
| The Future | |
| |
| |
| Distributed Honeynets | |
| |
| |
| Advanced Threats | |
| |
| |
| Insider Threats | |
| |
| |
| Law Enforcement Applications | |
| |
| |
| Use and Acceptance | |
| |
| |
| Blackhat Response | |
| |
| |
| Summary | |
| |
| |
| |
| IPTables Firewall Script | |
| |
| |
| |
| Snort Configuration | |
| |
| |
| |
| Swatch Configuration | |
| |
| |
| |
| Network Configuration Summary | |
| |
| |
| |
| Honeywall Kernel Configuration | |
| |
| |
| |
| Genll rc.firewall Configuration | |
| |
| |
| Resources and References | |
| |
| |
| About the Authors | |
| |
| |
| Index | |