Extrusion detection: security monitoring for internal intrusions
ISBN: 0321349962, 1611631661, 9780321349965

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks Today's most devastating security a


Language: English | Pages: xxviii, 385 pages: illustrations; 24 cm [417] | Year: 2005;2006


Table of contents :
Cover......Page 1
Contents......Page 8
Foreword......Page 14
Preface......Page 22
PART I: DETECTING AND CONTROLLING INTRUSIONS......Page 30
Chapter 1 Network Security Monitoring Revisited......Page 32
Why Extrusion Detection?......Page 33
Defining the Security Process......Page 35
Security Principles......Page 37
Network Security Monitoring Theory......Page 39
Network Security Monitoring Techniques......Page 42
Network Security Monitoring Tools......Page 47
Conclusion......Page 53
Chapter 2 Defensible Network Architecture......Page 54
Monitoring the Defensible Network......Page 56
Controlling the Defensible Network......Page 62
Minimizing the Defensible Network......Page 95
Keeping the Defensible Network Current......Page 104
Conclusion......Page 105
Chapter 3 Extrusion Detection Illustrated......Page 108
Intrusion Detection Defined......Page 109
Extrusion Detection Defined......Page 112
History of Extrusion Detection......Page 113
Extrusion Detection Through NSM......Page 117
Conclusion......Page 133
Common Packet Capture Methods......Page 134
PCI Tap......Page 136
Dual Port Aggregator Tap......Page 143
2X1 10/100 Regeneration Tap......Page 145
2X1 10/100 SPAN Regeneration Tap......Page 148
Matrix Switch......Page 152
Link Aggregator Tap......Page 154
Distributed Traffic Collection with Pf Dup-To......Page 155
Squid SSL Termination Reverse Proxy......Page 159
Conclusion......Page 164
Internal Network Design......Page 166
Internet Service Provider Sink Holes......Page 170
Enterprise Sink Holes......Page 173
Using Sink Holes to Identify Internal Intrusions......Page 182
Internal Intrusion Containment......Page 185
Notes on Enterprise Sink Holes in the Field......Page 198
Conclusion......Page 200
PART II: NETWORK SECURITY OPERATIONS......Page 202
Why Traffic Threat Assessment?......Page 204
Assumptions......Page 208
First Cuts......Page 210
Looking for Odd Traffic......Page 216
Inspecting Individual Services: NTP......Page 225
Inspecting Individual Services: ISAKMP......Page 226
Inspecting Individual Services: Secure Shell......Page 227
Inspecting Individual Services: Whois......Page 228
Inspecting Individual Services: LDAP......Page 229
Inspecting Individual Services: Ports 3003 to 9126 TCP......Page 230
Inspecting Individual Services: Ports 44444 and 49993 TCP......Page 238
Inspecting Individual Services: DNS......Page 242
Inspecting Individual Services: Wrap-Up......Page 245
Conclusion......Page 246
Chapter 7 Network Incident Response......Page 248
Preparation for Network Incident Response......Page 249
Secure CSIRT Communications......Page 257
Intruder Profiles......Page 260
Incident Detection Methods......Page 261
Network First Response......Page 263
Network-Centric General Response and Remediation......Page 269
Conclusion......Page 273
Chapter 8 Network Forensics......Page 274
What Is Network Forensics?......Page 275
Collecting Network Traffic as Evidence......Page 277
Protecting and Preserving Network-Based Evidence......Page 288
Analyzing Network-Based Evidence......Page 295
Presenting and Defending Conclusions......Page 303
Conclusion......Page 304
PART III: INTERNAL INTRUSIONS......Page 306
Initial Discovery......Page 308
Making Sense of Argus Output......Page 311
Argus Meets Awk......Page 315
Examining Port 445 TCP Traffic......Page 317
Were the Targets Compromised?......Page 318
Tracking Down the Internal Victims......Page 322
Moving to Full Content Data......Page 325
Correlating Live Response Data with Network Evidence......Page 328
Conclusion......Page 334
Chapter 10 Malicious Bots......Page 336
Introduction to IRC Bots......Page 337
Communication and Identification......Page 339
Server and Control Channels......Page 340
Exploitation and Propagation......Page 343
Dialogue with a Bot Net Admin......Page 345
Conclusion......Page 348
Epilogue......Page 350
Appendix A: Collecting Session Data in an Emergency......Page 354
Appendix B: Minimal Snort Installation Guide......Page 362
Appendix C: Survey of Enumeration Methods......Page 372
Appendix D: Open Source Host Enumeration......Page 378
A......Page 400
C......Page 401
D......Page 402
E......Page 403
F......Page 404
I......Page 405
K......Page 406
M......Page 407
N......Page 408
P......Page 409
S......Page 410
T......Page 412
Z......Page 414
