- FINDINGS: These papers cover what we have learned about cyber threats.
Who they are, how they operate, and why. These papers are listed from most current to oldest.
We listed this section first as it is the more popular of the two.
- TECHNOLOGY / TECHNIQUES: These papers cover how we learn what we learn, including
papers covering honeynets, Sebek, and analysis techniques. These papers are more technical, and designed
for geeks who want to understand, and perhaps even deploy our technology.
WARNING: Not all of these papers are current. Please be sure to check the "Last Modified" date to
see when the paper was last updated. Some of our original papers are very old and are posted
primarily for historical purposes.
Know Your Enemy Lite: Proxy Threats - Socks v666
- 29 January, 2008
This paper is our first ever "KYE Lite" paper. These are shorter papers that focus on very
specific topics. In this paper we discuss: the basic operational concept of how reverse tunnel proxies work, a new customized control protocol in use, the advantages to the criminal community, a detailed example and it's similarities to legacy SOCKS protocols, and how this activity can be further identified including mitigation strategies.
Know Your Enemy: Behind the Scenes of Malicious Web Servers
- 7 November, 2007
In this paper, we increase our understanding of malicious web servers through analysis of several web exploitation kits that have appeared in 2006/07: WebAttacker, MPack, and IcePack. Our discoveries will necessitate adjustments on how we think about malicious web servers and will have direct implications on client honeypot technology and future studies..
Know Your Enemy: Malicious Web Servers
- 14 August, 2007
In this paper, we take an in-depth
look at malicious web servers that attack web browsers and we evaluate several defensive
strategies that can be employed to counter this threat of client-side attacks. All the malicious
web servers identified in this study were found with our client honeypot
Know Your Enemy: Fast-Flux Service Networks
- 15 July, 2007
This whitepaper details a growing technique within the criminal community called
fast-flux networks. This is an architecture that builds more robust networks for malicious
activity while making them more difficult to track and shutdown. This is the first KYE
paper we are releasing in both .pdf and .html format.
Know Your Enemy: Web Application Threats
- 07 February, 2007
This paper provides behind the scenes information on various HTTP-based attacks against
web applications, including remote file inclusion and exploitation of the PHPShell application.
The paper is based on the research and data collected from the Chicago Honeynet Project, the
New Zealand Honeynet Project and the German Honeynet Project during multiple honeypot compromises.
Along with the release of this paper, comes new functionality to the Google Hack Honeypot (GHH),
used extensively in the paper. GHH now includes an automated malware collection function, as well
as remote XML-RPC logging for SSL support.
Know Your Enemy: Phishing
- 17 May, 2005
This paper documents how attackers build and use their infrastructure
for Phishing based attacks. This highly technical and indepth paper
is based on data captured and analyzed from the UK and German Honeynet
Know Your Enemy: Tracking Botnets
- 14 March, 2005
This paper documents what Botnets are, who is using them, how, and why.
It also introduces the tools 'mwcollect' and 'drone' which can be used for
collecting malware and tracking Botnet activity.
Know Your Enemy: Trends
- 21 December, 2004
This paper documents how over the past several years, the life expectancy has
dramatically increased for unpatched or vulnerable Linux systems. The purpose
of this paper is to make you ask "Why is no one hacking Linux anymore?".
Know Your Enemy: Honeynets in Universities
- 26 April, 2004
This paper covers how academic institutions can deploy honeynets in their
networks. We cover the lessons learned from GA Tech deploying a honeynet on
their internal .edu network, how they got permission, and the successes they
had. The purpose of this paper is to make it easier for any university or
college to deploy a honeynet, for either research or operational activity.
Profiles - Automated Credit Card Fraud
- 10 July, 2003
A look at just how easy, automated, and wide spread credit
card fraud and identity theft has become, even amongst unskilled
Know Your Enemy: Motives - 27 June, 2000
This paper studies the motives and psychology of a group of simple attackers,
all in their own words.
Know Your Enemy: Statistics - 23 July, 2001
This paper analyzes eleven months of data collected by the Honeynet Project.
Based on this data, we demonstrate just how active the blackhat community is.
We also demonstrate that it may be possible to predict future
Know Your Enemy: A Forensics Analysis - 23 May, 2000
This paper studies step by step a successful attack of a system. However,
instead of focusing on the tools and tactics
used, we focus on our analysis techniques and how we pieced the information
together. The purpose is to give you the skills necessary to analyze and
learn on your own the threats your organization faces.
Know Your Enemy: Worms at War - 7 November, 2000
See how worms probe for and compromise vulnerable Microsoft Windows systems.
Based on the first Microsoft honeypot compromised
in the Honeynet Project.
Know Your Enemy: III - 27 March, 2000
What happens after the script kiddie gains root. Specifically, how they
cover their tracks while they monitor your system. The paper goes through
step by step on a system that was compromised, with system logs and keystrokes
to verify each step.
Know Your Enemy: II - 18 June, 2001
How to determine what the enemy is doing by analyzing your system log files.
Includes examples based on two commonly used scanning tools, sscan and nmap.
Know Your Enemy - 21 July, 2000
The tools and methodology of the most common black-hat threat on the Internet,
the Script Kiddie. By understanding how they attack and what they are looking
for, you can better protect your
systems and network.
TECHNOLOGY / TECHNIQUES
Know Your Enemy: Honeywall CDROM
- 17 May, 2004
This paper introduces you to the concepts of the Honeywall CDROM, a bootable
Honeynet gateway. Anyone wanting to deploy a honeynet
should seriously consider this solutions, as it standardizes deployments
and combines all of our tools, including data control, data capture, and
Know Your Enemy: Sebek
- 17 November, 2003
A detailed look into one of the Project's primary tools for
an attacker's activity on a honeypot, even encrypted
activity, such as SSH, burneye, and IPSec. This paper covers what Sebek
is, its value, how it works, strengths and weaknesses, and how to analyze
data recovered by Sebek.
Know Your Enemy: GenII Honeynets - 10 May, 2005
This papers describes step-by-step how to build, deploy, and test a 2nd
generation (GenII) Honeynet using the latest technologies. GenII Honeynets are
considered easier to deploy, harder to detect, and safer to maintain then the
original GenI technologies.
Know Your Enemy: Honeynets - 10 May, 2005
This paper is an overview of the concepts, values, risks, and issues of Honeynets. This paper
does not discuss the technical details of Honeynet technologies.
Know Your Enemy: Defining Virtual Honeynets - 27 January, 2003
This paper defines what a Virtual Honeynet is, its advantages and disadvantages,
and the different way they can be deployed.
Know Your Enemy: Learning with User-Mode Linux - 20 December, 2002
This paper explains step by step how to build a GenI virtual Honeynet using
OpenSource software. Deploy a complete Honeynet using nothing more than an old
486 computer and free software!
Know Your Enemy: Passive Fingerprinting - 04 March, 2002
This paper details how to passively learn about the enemy, without them
knowing about it. Specifically, how to determine the operating system of a remote
host using passive sniffer traces only.