Extrusion Detection

Series
Addison-Wesley
Author
Richard Bejtlich  
Publisher
Addison-Wesley
Cover
Softcover
Edition
1
Language
English
Total pages
416
Pub.-date
November 2005
ISBN13
9780321349965
ISBN
0321349962
Related Titles


Product detail

Product Price CHF Available  
9780321349965
Extrusion Detection
61.30 approx. 7-9 days

Description

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.

Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.

Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

  • Architecting defensible networks with pervasive awareness: theory, techniques, and tools
  • Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
  • Dissecting session and full-content data to reveal unauthorized activity
  • Implementing effective Layer 3 network access control
  • Responding to internal attacks, including step-by-step network forensics
  • Assessing your network's current ability to resist internal attacks
  • Setting reasonable corporate access policies
  • Detailed case studies, including the discovery of internal and IRC-based bot nets
  • Advanced extrusion detection: from data collection to host and vulnerability enumeration
About the Web Site

Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.



Table of Contents

Foreword.

Preface.

I. DETECTING AND CONTROLLING INTRUSIONS.

1. Network Security Monitoring Revisited.

    Why Extrusion Detection?

    Defining The Security Process

    Security Principles

    Network Security Monitoring Theory

    Network Security Monitoring Techniques

    Network Security Monitoring Tools

    Conclusion

2. Defensible Network Architecture.

    Monitoring the Defensible Network

    Controlling the Defensible Network

    Minimizing the Defensible Network

    Keeping the Defensible Network Current

    Conclusion

3. Extrusion Detection Illustrated.

    Intrusion Detection Defined

    Extrusion Detection Defined

    History of Extrusion Detection

    Extrusion Detection Through NSM    

    Conclusion

4. Enterprise Network Instrumentation.

    Common Packet Capture Methods

    PCI Tap

    Dual Port Aggregator Tap

    2X1 10/100 Regeneration Tap

    2X1 10/100 SPAN Regeneration Tap

    Matrix Switch

    Link Aggregator Tap

    Distributed Traffic Collection with Pf Dup-To

    Squid SSL Termination Reverse Proxy

    Conclusion

5. Layer 3 Network Access Control.

    Internal Network Design

    Internet Service Provider Sink Holes

    Enterprise Sink Holes

    Using Sink Holes to Identify Internal Intrusions

    Internal Intrusion Containment

    Notes on Enterprise Sink Holes in the Field    

    Conclusion

II. NETWORK SECURITY OPERATIONS.

6. Traffic Threat Assessment.

    Why Traffic Threat Assessment?

    Assumptions

    First Cuts

    Looking for Odd Traffic

    Inspecting Individual Services: NTP

    Inspecting Individual Services: ISAKMP

    Inspecting Individual Services: ICMP

    Inspecting Individual Services: Secure Shell

    Inspecting Individual Services: Whois

    Inspecting Individual Services: LDAP

    Inspecting Individual Services: Ports 3003 to 9126 TCP

    Inspecting Individual Services: Ports 44444 and 49993 TCP

    Inspecting Individual Services: DNS

    Inspecting Individual Services: SMTP

    Inspecting Individual Services: Wrap-Up

    Conclusion

7. Network Incident Response.

    Preparation for Network Incident Response

    Secure CSIRT Communications

    Intruder Profiles

    Incident Detection Methods

    Network First Response

    Network-Centric General Response and Remediation

    Conclusion

8. Network Forensics.

    What Is Network Forensics?

    Collecting Network Traffic as Evidence

    Protecting and Preserving Network-Based Evidence

    Analyzing Network-Based Evidence

    Presenting and Defending Conclusions

    Conclusion

III. INTERNAL INTRUSIONS.

9. Traffic Threat Assessment Case Study.

    Initial Discovery

    Making Sense of Argus Output

    Argus Meets Awk

    Examining Port 445 TCP Traffic

    Were the Targets Compromised?

    Tracking Down the Internal Victims

    Moving to Full Content Data

    Correlating Live Response Data with Network Evidence

    Conclusion

10. Malicious Bots.

    Introduction to IRC Bots

    Communication and Identification

    Server and Control Channels

    Exploitation and Propagation

    Final Thoughts on Bots

    Dialogue with a Bot Net Admin

    Conclusion

    Epilogue

Appendix A: Collecting Session Data in an Emergency.

Appendix B: Minimal Snort Installation Guide.

Appendix C: Survey of Enumeraiton Methods.

Appendix D: Open Source Host Enumeration.

Index.

Back Cover

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.

Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.

Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

  • Architecting defensible networks with pervasive awareness: theory, techniques, and tools
  • Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
  • Dissecting session and full-content data to reveal unauthorized activity
  • Implementing effective Layer 3 network access control
  • Responding to internal attacks, including step-by-step network forensics
  • Assessing your network's current ability to resist internal attacks
  • Setting reasonable corporate access policies
  • Detailed case studies, including the discovery of internal and IRC-based bot nets
  • Advanced extrusion detection: from data collection to host and vulnerability enumeration
About the Web Site

Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.



Author

Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone--performing incident response, emergency NSM, and security research and training--and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy. He has authored or coauthored several security books, including The Tao of Network Security Monitoring (Addison-Wesley, 2004).