
The Tao of Network Security Monitoring: Beyond Intrusion Detection


ISBN-10: 0321246772

ISBN-13: 9780321246776

Edition: 2005

Authors: Richard Bejtlich

List price: $74.99

Description:

Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. This book reduces the investigative workload of computer security incident response teams (CSIRT) by posturing organizations for incident response success. Firewalls can fail. Intrusion-detection systems can be bypassed. Network monitors can be overloaded. These are the alarming but true facts about network security. In fact, too often, security administrators' tools can serve as gateways into the very networks they are defending. Now, a novel approach to network monitoring seeks to overcome…

Book details

List price: $74.99
Copyright year: 2005
Publisher: Addison Wesley Professional
Publication date: 7/12/2004
Binding: Paperback
Pages: 832
Size: 7.00" wide x 9.00" long x 1.75" tall
Weight: 2.926
Language: English

Foreword
Preface
About the Author
About the Contributors
Introduction to Network Security Monitoring
The Security Process
What Is Security?
What Is Risk?
Threat
Vulnerability
Asset Value
A Case Study on Risk
Security Principles: Characteristics of the Intruder
Some Intruders Are Smarter Than You
Many Intruders Are Unpredictable
Prevention Eventually Fails
Security Principles: Phases of Compromise
Reconnaissance
Exploitation
Reinforcement
Consolidation
Pillage
Security Principles: Defensible Networks
Defensible Networks Can Be Watched
Defensible Networks Limit an Intruder's Freedom to Maneuver
Defensible Networks Offer a Minimum Number of Services
Defensible Networks Can Be Kept Current
Conclusion
What Is Network Security Monitoring?
Indications and Warnings
Collection, Analysis, and Escalation
Detecting and Responding to Intrusions
Why Do IDS Deployments Often Fail?
Outsiders versus Insiders: What Is NSM's Focus?
Security Principles: Detection
Intruders Who Can Communicate with Victims Can Be Detected
Detection through Sampling Is Better Than No Detection
Detection through Traffic Analysis Is Better Than No Detection
Security Principles: Limitations
Collecting Everything Is Ideal but Problematic
Real Time Isn't Always the Best Time
Extra Work Has a Cost
What NSM Is Not
NSM Is Not Device Management
NSM Is Not Security Event Management
NSM Is Not Network-Based Forensics
NSM Is Not Intrusion Prevention
NSM in Action
Conclusion
Deployment Considerations
Threat Models and Monitoring Zones
The Perimeter
The Demilitarized Zone
The Wireless Zone
The Intranet
Accessing Traffic in Each Zone
Hubs
SPAN Ports
Taps
Inline Devices
Wireless Monitoring
Sensor Architecture
Hardware
Operating System
Sensor Management
Console Access
In-Band Remote Access
Out-of-Band Remote Access
Conclusion
Network Security Monitoring Products
The Reference Intrusion Model
The Scenario
The Attack
Conclusion
Full Content Data
A Note on Software
Libpcap
Tcpdump
Basic Usage of Tcpdump
Using Tcpdump to Store Full Content Data
Using Tcpdump to Read Stored Full Content Data
Timestamps in Stored Full Content Data
Increased Detail in Tcpdump Full Content Data
Tcpdump and Berkeley Packet Filters
Tethereal
Basic Usage of Tethereal
Using Tethereal to Store Full Content Data
Using Tethereal to Read Stored Full Content Data
Getting More Information from Tethereal
Snort as Packet Logger
Basic Usage of Snort as Packet Logger
Using Snort to Store Full Content Data
Using Snort to Read Stored Full Content Data
Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort
Ethereal
Basic Usage of Ethereal
Using Ethereal to Read Stored Full Content Data
Using Ethereal to Rebuild Sessions
Other Ethereal Features
A Note on Commercial Full Content Collection Options
Conclusion
Additional Data Analysis
Editcap and Mergecap
Tcpslice
Tcpreplay
Tcpflow
Ngrep
IPsumdump
Etherape
Netdude
Using Netdude
What Do Raw Trace Files Look Like?
P0f
Conclusion
Session Data
Forms of Session Data
Cisco's NetFlow
Fprobe
Ng_netflow
Flow-tools
Flow-capture
Flow-cat and Flow-print
sFlow and sFlow Toolkit
Argus
Argus Server
Ra Client
Tcptrace
Conclusion
Statistical Data
What Is Statistical Data?
Cisco Accounting
Ipcad
Ifstat
Bmon
Trafshow
Ttt
Tcpdstat
MRTG
Ntop
Conclusion
Alert Data: Bro and Prelude
Bro
Installing Bro and BRA
Interpreting Bro Output Files
Bro Capabilities and Limitations
Prelude
Installing Prelude
Interpreting Prelude Output Files
Installing PIWI
Using PIWI to View Prelude Events
Prelude Capabilities and Limitations
Conclusion
Alert Data: NSM Using Sguil
Why Sguil?
So What Is Sguil?
The Basic Sguil Interface
Sguil's Answer to "Now What?"
Making Decisions with Sguil
Sguil versus the Reference Intrusion Model
Shellcode x86 Noop and Related Alerts
FTP Site Overflow Attempt Alerts
Scan nmap TCP Alerts
Misc Ms Terminal Server Request Alerts
Conclusion
Network Security Monitoring Processes
Best Practices
Assessment
Defined Security Policy
Protection
Access Control
Traffic Scrubbing
Proxies
Detection
Collection
Identification
Validation
Escalation
Response
Short-Term Incident Containment
Emergency Network Security Monitoring
Back to Assessment
Analyst Feedback
Conclusion
Case Studies for Managers
Introduction to Hawke Helicopter Supplies
Emergency Network Security Monitoring
Detection of Odd Orders
System Administrators Respond
Picking Up the Bat Phone
Conducting Incident Response
Incident Response Results
Evaluating Managed Security Monitoring Providers
HHS Requirements for NSM
HHS Vendor Questionnaire
Asset Prioritization
Deploying an In-House NSM Solution
Partner and Sales Offices
HHS Demilitarized Zone
Wireless Network
Internal Network
"But Who Shall Watch the Watchers?"
Other Staffing Issues
Conclusion
Network Security Monitoring People
Analyst Training Program
Weapons and Tactics
Definition
Tasks
References
Telecommunications
Definition
Tasks
References
System Administration
Definition
Tasks
References
Scripting and Programming
Definition
Tasks
References
Management and Policy
Definition
Tasks
References
Training in Action
Periodicals and Web Sites
Case Study: Staying Current with Tools
Conclusion
Discovering DNS
Normal Port 53 Traffic
Normal Port 53 UDP Traffic
Normal Port 53 TCP Traffic
Suspicious Port 53 Traffic
Suspicious Port 53 UDP Traffic
Suspicious Port 53 TCP Traffic
Malicious Port 53 Traffic
Malicious Port 53 UDP Traffic
Malicious Port 53 TCP and UDP Traffic
Conclusion
Harnessing the Power of Session Data
The Session Scenario
Session Data from the Wireless Segment
Session Data from the DMZ Segment
Session Data from the VLANs
Session Data from the External Segment
Conclusion
Packet Monkey Heaven
Truncated TCP Options
SCAN FIN
Chained Covert Channels
Conclusion
The Intruder versus Network Security Monitoring
Tools for Attacking Network Security Monitoring
Packit
IP Sorcery
Fragroute
LFT
Xprobe2
Cisco IOS Denial of Service
Solaris Sadmin Exploitation Attempt
Microsoft RPC Exploitation
Conclusion
Tactics for Attacking Network Security Monitoring
Promote Anonymity
Attack from a Stepping-Stone
Attack by Using a Spoofed Source Address
Attack from a Netblock You Don't Own
Attack from a Trusted Host
Attack from a Familiar Netblock
Attack the Client, Not the Server
Use Public Intermediaries
Evade Detection
Time Attacks Properly
Distribute Attacks Throughout Internet Space
Employ Encryption
Appear Normal
Degrade or Deny Collection
Deploy Decoys
Consider Volume Attacks
Attack the Sensor
Separate Analysts from Their Consoles
Self-Inflicted Problems in NSM
Conclusion
Epilogue: The Future of Network Security Monitoring
Remote Packet Capture and Centralized Analysis
Integration of Vulnerability Assessment Products
Anomaly Detection
NSM Beyond the Gateway
Conclusion
Appendixes
Protocol Header Reference
Intellectual History of Network Security Monitoring
Protocol Anomaly Detection
Index