LET'S CONNECT!
Enter for a chance to win an eBook of your choice from InformIT. Fill out the form.
Register your product to gain access to bonus material or receive a coupon.
Listen to a recent interview with Richard Bejtlich, author of Extrusion Detection: Security Monitoring for Internal Intrusions, Real Digital Forensics: Computer Security and Incident Response, and The Tao of Network Security Monitoring: Beyond Intrusion Detection. Listen to the podcast now.
Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks
Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.
Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.
Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.
Coverage includes
Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.
Download the Sample
Chapter related to this title.
Foreword.
Preface.
I. DETECTING AND CONTROLLING INTRUSIONS.
1. Network Security Monitoring Revisited.
Why Extrusion Detection?
Defining The Security Process
Security Principles
Network Security Monitoring Theory
Network Security Monitoring Techniques
Network Security Monitoring Tools
Conclusion
2. Defensible Network Architecture.
Monitoring the Defensible Network
Controlling the Defensible Network
Minimizing the Defensible Network
Keeping the Defensible Network Current
Conclusion
3. Extrusion Detection Illustrated.
Intrusion Detection Defined
Extrusion Detection Defined
History of Extrusion Detection
Extrusion Detection Through NSM
Conclusion
4. Enterprise Network Instrumentation.
Common Packet Capture Methods
PCI Tap
Dual Port Aggregator Tap
2X1 10/100 Regeneration Tap
2X1 10/100 SPAN Regeneration Tap
Matrix Switch
Link Aggregator Tap
Distributed Traffic Collection with Pf Dup-To
Squid SSL Termination Reverse Proxy
Conclusion
5. Layer 3 Network Access Control.
Internal Network Design
Internet Service Provider Sink Holes
Enterprise Sink Holes
Using Sink Holes to Identify Internal Intrusions
Internal Intrusion Containment
Notes on Enterprise Sink Holes in the Field
Conclusion
II. NETWORK SECURITY OPERATIONS.
6. Traffic Threat Assessment.
Why Traffic Threat Assessment?
Assumptions
First Cuts
Looking for Odd Traffic
Inspecting Individual Services: NTP
Inspecting Individual Services: ISAKMP
Inspecting Individual Services: ICMP
Inspecting Individual Services: Secure Shell
Inspecting Individual Services: Whois
Inspecting Individual Services: LDAP
Inspecting Individual Services: Ports 3003 to 9126 TCP
Inspecting Individual Services: Ports 44444 and 49993 TCP
Inspecting Individual Services: DNS
Inspecting Individual Services: SMTP
Inspecting Individual Services: Wrap-Up
Conclusion
7. Network Incident Response.
Preparation for Network Incident Response
Secure CSIRT Communications
Intruder Profiles
Incident Detection Methods
Network First Response
Network-Centric General Response and Remediation
Conclusion
8. Network Forensics.
What Is Network Forensics?
Collecting Network Traffic as Evidence
Protecting and Preserving Network-Based Evidence
Analyzing Network-Based Evidence
Presenting and Defending Conclusions
Conclusion
III. INTERNAL INTRUSIONS.
9. Traffic Threat Assessment Case Study.
Initial Discovery
Making Sense of Argus Output
Argus Meets Awk
Examining Port 445 TCP Traffic
Were the Targets Compromised?
Tracking Down the Internal Victims
Moving to Full Content Data
Correlating Live Response Data with Network Evidence
Conclusion
10. Malicious Bots.
Introduction to IRC Bots
Communication and Identification
Server and Control Channels
Exploitation and Propagation
Final Thoughts on Bots
Dialogue with a Bot Net Admin
Conclusion
Epilogue
Appendix A: Collecting Session Data in an Emergency.
Appendix B: Minimal Snort Installation Guide.
Appendix C: Survey of Enumeraiton Methods.
Appendix D: Open Source Host Enumeration.
Index.
Welcome to Extrusion Detection: Security Monitoring for Internal Intrusions. The goal of this book is to help you detect, contain, and remediate internal intrusions using network security monitoring (NSM) principles. This book will guide security architects and engineers who control and instrument networks, help analysts and operators to investigate internal network security events, and give technical managers the justification they need to fund internal security projects. Extrusion Detection is the sequel to my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. While Extrusion Detection is a stand-alone work, I strongly recommend reading The Tao first, or at least having it nearby as a reference.
Those of you who have read The Tao will recall that the book focused on outsiders gaining unauthorized access to Internet-exposed servers. This threat model reflected the predominant mode of Internet exploitation in the 1990s. The primary means for attackers to exploit targets during the 1990s involved server-side attacks. Intruders gained unauthorized access by exploiting services offered by Internet-facing victims. Typical targets included Web servers, e-mail servers, domain name resolution (DNS) servers, and other programs that wait to answer queries from Internet users.1 If internal workstations were not obscured by network address translation (NAT) gateways or firewalls, they too could be attacked directly, but only if they offered services similar to the typical targets. Local file-sharing services employing Unix remote procedure calls (RPCs) or Windows Server Message Block (SMB) were high-priority targets.
With the advent of the firewall in the early 1990s and the adoption of private Request for Comments (RFC) 1918 space in the middle 1990s, internal workstations were seldom directly attacked, unlike their public server counterparts. Protection from the outsider threat required access control and limits on the exposure of Internet-facing hosts. Traditional monitoring efforts watched attacks from the Internet to exposed servers because intruders most often launched "server-side" attacks.
The current decade has seen this model turned inside-out. Beginning in 2000, and with increasing intensity since 2003, corporate and home users have been subjected to increasing numbers of "client-side" attacks. No longer are services offered by computers the only targets of attack. Now, the applications upon which users rely, such as Web browsers, e-mail clients, and chat programs are the targets.
Instead of an intruder attacking the Web server running on a company's Internet-facing server, the intruder attacks the Web browser of an internal user who surfs intentionally or accidentally to a malicious Web site. Alternatively, a user may receive a Trojan through a chat program and unwisely decide to run that executable while operating with administrator privileges. No longer is it sufficient for security staff to harden the network perimeter by limiting services exposed to the Internet. The perimeter network is still a crucial part of network infrastructure, despite calls for the "de-perimeterization" of enterprise networks. Now, software running on clients must be protected, and the traffic generated must be monitored for signs of compromise.
This book focuses on ways to deal with the threat to internal systems. By "internal systems," I mean those considered to be intranet, not Internet, hosts. Extrusion Detection is not about traditional hardening of internal hosts to the same degree as external hosts. Traditional internal host hardening means minimizing services offered by systems, thereby decreasing the likelihood of server-side attacks. In other words, I would not be offering new advice if I discussed how to control and detect attacks against the SMB server running on port 445 TCP on a Windows XP workstation. I may not address such practices in detail here, but reduction of server-side exposure is certainly a beneficial security practice.
Extrusion Detection explains how to engineer an internal network that can control and detect intruders launching server-side or client-side attacks. Client-side attacks are more insidious than server-side attacks, because the intruder targets a vulnerable application anywhere inside a potentially hardened internal network. A powerful means to detect the compromise of internal systems is to watch for outbound connections from the victim to systems on the Internet operated by the intruder. Here we see the significance of the word "extrusion" in the book's title. That is, in addition to watching connections inbound from the Internet, we watch for suspicious activity exiting the protected network.
This book is for architects, engineers, analysts, operators, and managers with intermediate to advanced knowledge of network security. Architects will learn ways to design networks better suited to surviving client-side (and server-side) attacks. Primarily using open source software, engineers will learn how to build solutions for controlling and instrumenting internal networks. Analysts and operators will learn how to interpret the data collected in order to discover and escalate indicators of compromise. Managers will read case studies of real malicious software and the consequences of poor internal security.
All readers will learn about the theory, techniques, and tools for implementing network security monitoring (NSM) for internal intrusions. Executives may use the material to assess the state of their networks in relation to the book's recommended best practices. Auditors can determine if their clients are collecting the network-based information that's needed for the appropriate control, detection, and response to intrusions.
I have attempted to avoid duplication of material presented in other books, including The Tao. My purpose here is to publish as much new thought on internal security as possible and to have this book be a complement to previously published books. I expect my audience to bring a certain amount of knowledge to the table.
Core skills readers should possess in order to get the most from the book are:
Readers who believe they may be lacking in any of these areas can benefit from my recommended reading list, which is constantly updated and available at http://www.bejtlich.net/reading.html.
If I were to recommend a single book to read prior to this one, it would be The Tao of Network Security Monitoring: Beyond Intrusion Detection. In many ways, Extrusion Detection is an attempt to extend The Tao to the addressing of internal threats. While Extrusion Detection will function as a stand-alone work, your network security monitoring operations will greatly benefit from your reading The Tao.
Where possible, the reference platform for this book is FreeBSD 5.3 or 5.4 RELEASE. In the cases where Linux is required, I use Slackware Linux 10.0. Some of the latest innovations in host-centric access control are supported only on commercial operating systems such as Microsoft Windows.
Generally speaking, any tool that compiles on FreeBSD will work on the Unix variant you choose. Tools that are closely tied to the OS kernel, such as the Packet Filter (Pf) firewall (http://www.openbsd.org/faq/pf/), may not be available on any OS other than those specified later in the book.
Extrusion Detection is divided into three parts that are followed by an epilogue and appendices. You can focus on the areas that interest you, because the sections are modular. You may wonder why greater attention is not paid to popular tools like Nmap or Snort. With Extrusion Detection, I hope to continue breaking new ground by highlighting ideas and tools seldom seen elsewhere. If I don't address a widely popular product, it's because it has received plenty of coverage in another book.
Part I mixes theory with architectural considerations. Chapter 1 is a recap of the major theories, tools, and techniques from The Tao. It is important for readers to understand that NSM has a specific technical meaning and that NSM is not the same process as intrusion detection or prevention. Chapter 2 describes the architectural requirements for designing a network best suited to detect, control, and respond to intrusions. Chapter 3 explains the theory of extrusion detection and sets the stage for the remainder of the book. Chapter 4 describes how to gain visibility to internal traffic. Part I concludes with Chapter 5, original material by financial security architect Ken Meyers that explains how internal network design can enhance the control and detection of internal threats.
Part II is aimed at security analysts and operators; it is traffic-oriented and requires basic understanding of TCP/IP and packet analysis. Chapter 6 offers a method of dissecting session and full content data to unearth unauthorized activity. From a network-centric perspective, Chapter 7 offers guidance on responding to intrusions. Chapter 8 concludes Part II by demonstrating principles of network forensics. The last two chapters are unique in that they use the term "network" to not mean "computer" or "enterprise." When I talk about network incident response or network forensics, I refer to traffic-oriented techniques and tools. This approach stands in sharp contrast to the host-centric methodologies found elsewhere. My material complements and does not replace those valuable resources.
Part III collects case studies of interest to all types of security professionals. Chapter 9 applies the lessons of Chapter 6 and explains how an internal bot net was discovered using traffic threat assessment. Chapter 10 exposes the inner workings of bot nets, through the eyes of Mike Heiser. As an analyst at Myrtle Beach-based managed security service provider LURHQ, Michael has a unique perspective that readers will appreciate.
An epilogue points to future developments. Appendix A describes how to install Argus and NetFlow collection tools to capture session data. Appendix B explains how to install a minimal Snort deployment in an emergency. Appendix C, by Tenable Network Security founder Ron Gula, examines the variety of host and vulnerability enumeration techniques available in commercial and open source tools. The book concludes with Appendix D, where Red Cliff Consulting expert Rohyt Belani offers guidance on internal host enumeration using open source tools.
For more information on network security monitoring and extrusion detection, visit http://www.extrusiondetection.com.
1. In mid-August 2005, the Zotob worm is winding its way across the Internet by attacking SMB services on vulnerable Windows workstations. Even in late 2005, the traditional server-side attack is alive and well, alongside more recent client-side attacks. More information on Zotob is available at http://www.f-secure.com/v-descs/zotob_a.shtml.
Download the Foreword
file related to this title.
Download the Index
file related to this title.
Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.
This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.
To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:
For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.
For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.
Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.
Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.
If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.
On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.
We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.
Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.
Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.
This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.
This site currently does not respond to Do Not Track signals.
Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.
This site is not directed to children under the age of 13.
Pearson may send or direct marketing communications to users, provided that
Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.
If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.
Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.
Pearson does not rent or sell personal information in exchange for any payment of money.
While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.
California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.
Pearson may disclose personal information, as follows:
This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.
Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.
We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.
Last Update: November 17, 2020