By Ibrahim Haddad
August 31, 2004
One of the most exciting areas to emerge in information security has been honeynets. These networks are designed to be compromised in order to capture all the tools and activities of the attackers. We had the opportunity to talk with members of the Honeynet Project, a nonprofit security research organization, and the group's founder, Lance Spitzner, about their latest book, Know Your Enemy: Learning About Security Threats, Second Edition (Addison-Wesley, ISBN 0-321-16646-9). We asked many questions and discovered some surprising truths about security. Read on for the rest of the story.
LWM: What is the Honeynet Project?
Honeynet Project: It's a volunteer organization dedicated to researching and learning about cyber-threats, and sharing the lessons we learn. We're made up of 30 security professionals worldwide. We learn about cyber threats by deploying networks around the world to be compromised. Once compromised, we capture all of the attacker's tools and activity, then analyze and learn from that. The value of this research is that there is very little theory involved; we are capturing and seeing what is happening on the Internet today.
LWM: What is a honeynet?
HP: A honeynet is the primary tool we use to capture the attacker's activity. It's a type of honeypot, specifically a high-interaction honeypot. Like any honeypot, a honeynet works on the concept that it should not see any activity; no one has authorization to interact with it. As a result, any inbound or outbound connection to the honeynet is most likely unauthorized activity. This simple concept makes it highly effective in detecting and capturing both known and unknown activity. Honeynets are highly controlled networks made up of real systems and applications for attackers to probe and compromise.
LWM: What is Know Your Enemy about?
HP: The book is about honeynets: how to use them, and what you can learn. We divided it into three parts. The first part is focused on what honeynets are, how they work, the different types, and technical details on how you can deploy them safely. The second part focuses on how to analyze all the different data a honeynet can collect (network and host-based forensics, reverse engineering, centralized data correlation, etc.). The third part contains specific examples of several honeynets being hacked, including Win2000, Linux, and Solaris. What makes the book so interesting is that it ties all these different elements together. You can learn more at www.honeynet.org/book/.
LWM: Who wrote this book?
HP: The book was not written by a single individual, but by leading experts in the field. We attempted to combine the best experiences and skills from some of the leading individuals. The book was organized by the Honeynet Project, but the contributing authors include members of the Honeynet Research Alliance, individuals from the Department of Justice, and others who have helped us in the past and wanted to contribute. Some examples of authors include Honeynet Project members Brian Carrier, who wrote several forensic chapters, and Max Kilger, who wrote about profiling. Honeynet Research Alliance contributions include the work from the Greek Honeynet Project about hacked Linux systems, and the Mexican Honeynet Project writing about hacked Solaris systems. Finally, we had outside experts help out, including Richard Salgado from the DoJ, who wrote about legal issues, and Dion Mendel from Australia, who wrote about reverse engineering.
LWM: Why was this book written?
HP: Honeynets are a powerful but complex security tool. It's very difficult to understand all the issues involved from a single white paper. For example, there are five chapters alone dedicated simply to what honeynets are and different ways of deploying them (GenI, GenII, distributed, virtual, etc.). However, even after you deploy a honeynet, you've fought only half the battle. The purpose of honeynets is to provide data on cyber threats, which someone still has to analyze and convert to information. That was one of the biggest emphases of this book: how to convert the data to information. I feel that it was one of the strongest parts of our book. Finally, we ended the book by providing several examples of real-world attacks. One of the most interesting chapters of the last section would be the one on the psychology and profiles of many of today's common threats.
LWM: What is one of the most interesting things you learned?
HP: Absolutely anything with an IP stack is a target and, if connected to the Internet, will be mercilessly probed and attacked. When I originally started this research in 1998/99, I thought only high-value targets, like companies or government organizations, were targeted. I quickly learned that your home Windows 98 computer is just as much of a target. I would estimate that today any computer connected to the Internet is probed a minimum of 20 times a day. However, don't take my word for it; install a host-based firewall and count the logs yourself. What frightens me about this is that most homeowners don't feel they are targets, and as such have no concern about security.
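The honeynet premise stated earlier in the interview (nothing is authorized to talk to or from a honeynet, so every inbound or outbound connection is suspect) and the suggestion here to count probes from a host firewall log both reduce to the same small piece of tooling: parse the firewall's log, decide which side of the honeynet each connection is on, and aggregate. The Python script below is an added example written for this page; it is not code from the Honeynet Project or from the book. It assumes netfilter-style `LOG` lines as written to syslog by a Linux gateway sitting in front of the honeynet, and it uses the documentation range 192.0.2.0/24 as the honeynet address block; the log lines, addresses and ports are all constructed for the example.

```python
"""Classify firewall log lines relative to a honeynet and count probes."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed syslog-style netfilter LOG lines. 192.0.2.0/24 (an RFC 5737
# documentation range) stands in for the honeynet; every address, port and
# timestamp here is invented for the example.
SAMPLE_LOG = """\
Aug 31 00:12:04 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=445
Aug 31 00:12:05 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4322 DPT=445
Aug 31 03:40:19 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Aug 31 03:41:02 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Aug 31 03:52:47 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 PROTO=TCP SPT=33044 DPT=6667
Aug 31 09:15:30 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.0.2.12 PROTO=UDP SPT=1434 DPT=1434
Sep  1 01:02:03 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4400 DPT=135
Sep  1 01:02:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=203.0.113.1 PROTO=TCP SPT=2000 DPT=80
"""

# Month, day and the SRC/DST/PROTO/DPT fields of a netfilter LOG line.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the fields of one netfilter LOG line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "date": f"{m['mon']} {int(m['day'])}",
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def classify(event, honeynet):
    """Direction of the connection relative to the honeynet address block."""
    src_in, dst_in = event["src"] in honeynet, event["dst"] in honeynet
    if src_in and dst_in:
        return "internal"   # honeypot talking to honeypot: lateral movement
    if src_in:
        return "outbound"   # a honeypot initiated this: assume it is owned
    if dst_in:
        return "inbound"    # someone probing or attacking the honeynet
    return "unrelated"      # traffic that merely crossed the same sensor


def summarize(log_text, honeynet_cidr="192.0.2.0/24"):
    """Count connections per direction, list outbound ones, and count
    distinct probing sources per day for the inbound ones."""
    honeynet = ipaddress.ip_network(honeynet_cidr)
    counts = Counter()
    outbound = []
    sources_by_day = defaultdict(set)
    inbound_ports = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev, honeynet)
        counts[kind] += 1
        if kind == "outbound":
            outbound.append((ev["date"], str(ev["src"]), str(ev["dst"]), ev["dpt"]))
        elif kind == "inbound":
            sources_by_day[ev["date"]].add(ev["src"])
            inbound_ports[ev["dpt"]] += 1
    return {
        "counts": dict(counts),
        "outbound_events": outbound,
        "probe_sources_per_day": {d: len(s) for d, s in sources_by_day.items()},
        "inbound_ports": dict(inbound_ports),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:10} {n}")
    for day, n in report["probe_sources_per_day"].items():
        print(f"{day}: {n} distinct probing sources")
    for ev in report["outbound_events"]:
        print("ALERT outbound from honeypot:", ev)
```

Run as a script it prints a per-direction summary. The one line to act on is the outbound connection from 192.0.2.10 to port 6667: a honeypot that initiates a connection has almost certainly been compromised, which is why honeynet deployments watch outbound traffic so closely. The per-day count of distinct sources is the "count the logs yourself" figure; pointed at a host firewall log on an ordinary machine, with that host's own address as the "honeynet", the same parser counts every logged hit as a probe.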
LWM: Have you seen any trends?
HP: Two big ones in the past three years. First, the tools. The tools we're seeing being used on the Internet today are getting much more advanced, easier to use, automated, and effective. It's not so much that attackers are getting better, but the weapons in their arsenal are. Any kid today can download very powerful and highly automated hacking tools that allow him or her to scan millions of systems a night; if any of those systems are vulnerable, he or she can break them. This is one reason we keep seeing such a steady increase in scanning activity. It's not uncommon at all for attackers nowadays to have control of over 15,000 hacked computers. It's the highly automated tools that give many this capability.
Second, a very large percentage (and growing) of attacks appear to be criminally motivated. Hacking is not a crime; it has become a means to facilitate crime. People are doing it to steal credit cards, launch spam or porn sites, get paid for denial-of-service attacks, etc. It's astounding how many different ways you can make money by breaking into systems.
LWM: Who should be deploying honeynets?
HP: Honeynets in general don't secure your organization directly; they provide you with information. As such, honeynets most likely are not for most commercial organizations, as they are still doing battle with basic issues such as firewalls and patching. Honeynets are primarily for organizations interested in research or information gathering, such as universities, research students, government and military organizations, and security-related companies. However, regardless of whether you are going to deploy honeynets or not, this book provides a wealth of information on how to study and analyze attacks, and details examples of various attacks and the motives behind them.
About Lance Spitzner
Lance Spitzner is a geek whose passion is researching honeypot technologies. In October of 1999 Lance founded The Honeynet Project (www.honeynet.org), a nonprofit security research organization made up of volunteers. These volunteers are dedicated to learning the tools, tactics, and motives of the blackhat community and sharing the lessons learned. The Honeynet Project has 30 members, and works with various other organizations through The Honeynet Research Alliance.
Copyright © 2004 SYS-CON Media, Inc. — All Rights Reserved.
About Ibrahim Haddad
Dr. Ibrahim Haddad is a seasoned telecommunications expert with over a decade of multinational experience in infrastructure, carrier grade, Linux mobile platforms, software development, standards, industry global initiatives, Open Source software and legal compliance. Dr. Ibrahim Haddad is currently Director of Open Source at Palm. His previous professional experiences include Ericsson, the Open Source Development Labs and Motorola. Haddad is the author of “Practical Guide to Open Source Compliance” to be published early 2010 and co-author of two books on Red Hat Linux and Fedora. Dr. Haddad is a Contributing Editor of the Linux Journal and served on numerous conference and review committees. Haddad received a B.Sc. and M.Sc. in Computer Science from the Lebanese American University (Byblos, Lebanon) and a Ph.D. in Computer Science from Concordia University (Montreal, Canada).
Comments

brothke 09/08/04 10:40:39 AM EDT
Within law enforcement, establishing a modus operandi is one of the crucial things that can make the difference between finding a criminal and not. For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch. While both victims are equally dead, the manner of their deaths is radically different. So too with computer crime; knowing the modus operandi of the attacker can mean the difference between finding the perpetrator and not.

alex tibbles 09/08/04 10:19:05 AM EDT
Understanding the means by which an attacker compromised a system is useful information but tells you next to nothing about why the attacker did it. Of course, a honeynet can tell you something about motives, perhaps.

dan 09/08/04 07:57:17 AM EDT
The Cuckoo's Egg was a great book compared to some of the other books on "Hacking" that proliferated in the early 1990s, but it was never a manual on keeping your systems secured. The internet was a very different beast when that book was written.

dg45 09/08/04 07:55:49 AM EDT
Didn't Clifford Stoll invent honeynets, or was that honeypots? (The Cuckoo's Egg was Cliff Stoll's book; they still have it on Amazon, I know.)