Saturday, July 24, 2004

Review of Know Your Enemy: 2nd Ed Exclusively at TaoSecurity

I just finished reading the second edition of Know Your Enemy and wrote a review for Amazon.com. Unfortunately, Amazon.com is treating this completely new second edition as though it were the first edition. When I tried to post my review, I received this response:

"Oops! Only one review per customer per product set is allowed.

Your review was not accepted because we only allow each customer to write one review of each product set. An example of a product set is the collection of all editions of a book: hardcover, paperback, and audiobook. If you'd like, you can edit your existing review."

I'm sure Amazon.com does this to prevent multiple reviews by the same person, but these are two completely different books.

Amazon.com also harassed me to provide a real name to appear in my review. I had to tie this to a credit card. Aside from that aspect, I think this is a good idea. Review readers are supposed to believe the words of someone providing a "real name" rather than someone posting anonymously or using a pseudonym.

One final complaint -- I found my attempts to include " marks replaced by &quot; throughout the review. Amazon.com must be using a filtering mechanism to avoid cross-site scripting or similar attacks.

Because I don't want to edit my review of the first edition of Know Your Enemy, here is my review of the second edition:

"Nearly three years ago I gave the original "Know Your Enemy" (KYE:1E) four stars, subtracting a star for the inclusion of excessive IRC logs. I am very happy to rate the completely new second edition (KYE:2E) as a five star book, for three reasons. First, KYE:2E is one of the few books that rightfully concentrates on threats, not vulnerabilities, when discussing digital security. (Ed Skoudis' impressive "Malware" is another threat-oriented tome.) KYE:2E is a tour of multiple security disciplines, each addressed by a subject matter expert. Finally, KYE:2E is clear and cohesive, written by people who can communicate well. I highly recommend reading this book.

As a former Air Force intelligence officer, I performed threat analysis by studying Russian and other foes; not only did I look at their military equipment, but I also examined the foe themselves and their tactics. This is similar to examining a digital enemy's tools, as well as the intruder himself and his methodology. Lance Spitzner leverages his Army background through KYE:2E, bringing this same focus to the study of black hats as he did against Russian tanks, their commanders, and their battle plans.

Threats are really the overlooked key to security. If a vulnerability exists in a critical asset, but no threat (meaning a party with the capabilities and intentions to exploit that weakness) exists, the target remains secure. Too often security practitioners think only of vulnerabilities, and waste time addressing flaws that no threat seeks to exploit.

KYE:2E addresses threats in numerous chapters, including several case studies (Windows, Linux, and Solaris compromises in ch 18-20) and sociological studies and lessons learned (ch 16-17).

Of the four aspects of the security process (assessment, protection, detection, and response), KYE:2E spends most of its time on detection and response. I was impressed by the repeated demonstrations of the recognition of the value of multiple forms of forensic evidence. Ch 3, for example, explicitly emphasizes the need to collect network-based alert, session, and full content data, supplemented by host-based evidence, to detect and understand intrusions. The chapters on Windows- and UNIX-based forensic analysis are good introductions to the subject for those seeking a starting point.

KYE:2E is a collaborative effort that doesn't suffer the fate of similar team-authored books. I congratulate the editing team and lead editor for coordinating their efforts, since I found very few places where authors discussed the same issue twice. I found the technical discussions highly readable, especially sections on reverse engineering (ch 14) and Windows filesystems (ch 13). Ch 5 also featured excellent diagrams to explain key points on GenII honeynets. I was very pleased to see the excellent legal chapter available for download on the book's Web site. (.pdf)

I had very few complaints with KYE:2E, but I must highlight some bad advice in ch 15. While discussing best practices for saving Snort IDS logs and packets logged by Tcpdump (pp. 489-492), the authors recommend configuring Snort to send data directly to a database. This is an excellent way to cause Snort to drop packets and miss traffic, and was the reason Barnyard was invented. I also question the utility of storing full content data in a database, when putting it in that form renders most libpcap-oriented tools incapable of reading it.

KYE:2E is another must-buy for 2004. The book is a strong mix of hands-on technical configuration, defensive theory, and practical advice. Given the wide range of topics it expertly addresses, I expect everyone to find something of interest in this great book. I hope to see more information on anti-forensics, perhaps addressing tools like NoSEBrEaK, in future editions."
