Downloadable Sample Chapter
Download the Sample
Chapter related to this title.
Table of Contents
Foreword.
Preface.
I. DETECTING AND CONTROLLING INTRUSIONS.
1. Network Security Monitoring Revisited.
Why Extrusion Detection?
Defining The Security Process
Security Principles
Network Security Monitoring Theory
Network Security Monitoring Techniques
Network Security Monitoring Tools
Conclusion
2. Defensible Network Architecture.
Monitoring the Defensible Network
Controlling the Defensible Network
Minimizing the Defensible Network
Keeping the Defensible Network Current
Conclusion
3. Extrusion Detection Illustrated.
Intrusion Detection Defined
Extrusion Detection Defined
History of Extrusion Detection
Extrusion Detection Through NSM
Conclusion
4. Enterprise Network Instrumentation.
Common Packet Capture Methods
PCI Tap
Dual Port Aggregator Tap
2X1 10/100 Regeneration Tap
2X1 10/100 SPAN Regeneration Tap
Matrix Switch
Link Aggregator Tap
Distributed Traffic Collection with Pf Dup-To
Squid SSL Termination Reverse Proxy
Conclusion
5. Layer 3 Network Access Control.
Internal Network Design
Internet Service Provider Sink Holes
Enterprise Sink Holes
Using Sink Holes to Identify Internal Intrusions
Internal Intrusion Containment
Notes on Enterprise Sink Holes in the Field
Conclusion
II. NETWORK SECURITY OPERATIONS.
6. Traffic Threat Assessment.
Why Traffic Threat Assessment?
Assumptions
First Cuts
Looking for Odd Traffic
Inspecting Individual Services: NTP
Inspecting Individual Services: ISAKMP
Inspecting Individual Services: ICMP
Inspecting Individual Services: Secure Shell
Inspecting Individual Services: Whois
Inspecting Individual Services: LDAP
Inspecting Individual Services: Ports 3003 to 9126 TCP
Inspecting Individual Services: Ports 44444 and 49993 TCP
Inspecting Individual Services: DNS
Inspecting Individual Services: SMTP
Inspecting Individual Services: Wrap-Up
Conclusion
7. Network Incident Response.
Preparation for Network Incident Response
Secure CSIRT Communications
Intruder Profiles
Incident Detection Methods
Network First Response
Network-Centric General Response and Remediation
Conclusion
8. Network Forensics.
What Is Network Forensics?
Collecting Network Traffic as Evidence
Protecting and Preserving Network-Based Evidence
Analyzing Network-Based Evidence
Presenting and Defending Conclusions
Conclusion
III. INTERNAL INTRUSIONS.
9. Traffic Threat Assessment Case Study.
Initial Discovery
Making Sense of Argus Output
Argus Meets Awk
Examining Port 445 TCP Traffic
Were the Targets Compromised?
Tracking Down the Internal Victims
Moving to Full Content Data
Correlating Live Response Data with Network Evidence
Conclusion
10. Malicious Bots.
Introduction to IRC Bots
Communication and Identification
Server and Control Channels
Exploitation and Propagation
Final Thoughts on Bots
Dialogue with a Bot Net Admin
Conclusion
Epilogue
Appendix A: Collecting Session Data in an Emergency.
Appendix B: Minimal Snort Installation Guide.
Appendix C: Survey of Enumeraiton Methods.
Appendix D: Open Source Host Enumeration.
Index.
Preface
Untitled Document
Welcome to Extrusion Detection: Security Monitoring for Internal Intrusions.
The goal of this book is to help you detect, contain, and remediate internal
intrusions using network security monitoring (NSM) principles. This book will
guide security architects and engineers who control and instrument networks,
help analysts and operators to investigate internal network security events,
and give technical managers the justification they need to fund internal security
projects. Extrusion Detection is the sequel to my first book, The
Tao of Network Security Monitoring: Beyond Intrusion Detection. While Extrusion
Detection is a stand-alone work, I strongly recommend reading The Tao
first, or at least having it nearby as a reference.
Those of you who have read The Tao will recall that the book focused
on outsiders gaining unauthorized access to Internet-exposed servers. This threat
model reflected the predominant mode of Internet exploitation in the 1990s.
The primary means for attackers to exploit targets during the 1990s involved
server-side attacks. Intruders gained unauthorized access by exploiting services
offered by Internet-facing victims. Typical targets included Web servers, e-mail
servers, domain name resolution (DNS) servers, and other programs that wait
to answer queries from Internet users.1
If internal workstations were not obscured by network address translation (NAT)
gateways or firewalls, they too could be attacked directly, but only if they
offered services similar to the typical targets. Local file-sharing services
employing Unix remote procedure calls (RPCs) or Windows Server Message Block
(SMB) were high-priority targets.
With the advent of the firewall in the early 1990s and the adoption of private
Request for Comments (RFC) 1918 space in the middle 1990s, internal workstations
were seldom directly attacked, unlike their public server counterparts. Protection
from the outsider threat required access control and limits on the exposure
of Internet-facing hosts. Traditional monitoring efforts watched attacks from
the Internet to exposed servers because intruders most often launched "server-side"
attacks.
The current decade has seen this model turned inside-out. Beginning in 2000,
and with increasing intensity since 2003, corporate and home users have been
subjected to increasing numbers of "client-side" attacks. No longer are services
offered by computers the only targets of attack. Now, the applications upon
which users rely, such as Web browsers, e-mail clients, and chat programs are
the targets.
Instead of an intruder attacking the Web server running on a company's Internet-facing
server, the intruder attacks the Web browser of an internal user who surfs intentionally
or accidentally to a malicious Web site. Alternatively, a user may receive a
Trojan through a chat program and unwisely decide to run that executable while
operating with administrator privileges. No longer is it sufficient for security
staff to harden the network perimeter by limiting services exposed to the Internet.
The perimeter network is still a crucial part of network infrastructure, despite
calls for the "de-perimeterization" of enterprise networks. Now, software running
on clients must be protected, and the traffic generated must be monitored for
signs of compromise.
This book focuses on ways to deal with the threat to internal systems. By "internal
systems," I mean those considered to be intranet, not Internet, hosts. Extrusion
Detection is not about traditional hardening of internal hosts to the same degree
as external hosts. Traditional internal host hardening means minimizing services
offered by systems, thereby decreasing the likelihood of server-side attacks.
In other words, I would not be offering new advice if I discussed how to control
and detect attacks against the SMB server running on port 445 TCP on a Windows
XP workstation. I may not address such practices in detail here, but reduction
of server-side exposure is certainly a beneficial security practice.
Extrusion Detection explains how to engineer an internal network that
can control and detect intruders launching server-side or client-side attacks.
Client-side attacks are more insidious than server-side attacks, because the
intruder targets a vulnerable application anywhere inside a potentially hardened
internal network. A powerful means to detect the compromise of internal systems
is to watch for outbound connections from the victim to systems on the Internet
operated by the intruder. Here we see the significance of the word "extrusion"
in the book's title. That is, in addition to watching connections inbound from
the Internet, we watch for suspicious activity exiting the protected network.
Audience
This book is for architects, engineers, analysts, operators, and managers with
intermediate to advanced knowledge of network security. Architects will learn
ways to design networks better suited to surviving client-side (and server-side)
attacks. Primarily using open source software, engineers will learn how to build
solutions for controlling and instrumenting internal networks. Analysts and
operators will learn how to interpret the data collected in order to discover
and escalate indicators of compromise. Managers will read case studies of real
malicious software and the consequences of poor internal security.
All readers will learn about the theory, techniques, and tools for implementing
network security monitoring (NSM) for internal intrusions. Executives may use
the material to assess the state of their networks in relation to the book's
recommended best practices. Auditors can determine if their clients are collecting
the network-based information that's needed for the appropriate control, detection,
and response to intrusions.
Prerequisites
I have attempted to avoid duplication of material presented in other books,
including The Tao. My purpose here is to publish as much new thought
on internal security as possible and to have this book be a complement to previously
published books. I expect my audience to bring a certain amount of knowledge
to the table.
Core skills readers should possess in order to get the most from the book are:
- Scripting and Programming: Familiarity with simple shell scripting is helpful
when automating certain tasks.
- Weapons and Tactics: Knowledge of tools and techniques for network attack
and defense is assumed.
- System Administration: Readers should be comfortable with installing software
on the operating systems they use.
- Telecommunications: An understanding of Transmission Control Protocol/Internet
Protocol (TCP/IP) networking is absolutely essential.
- Management and Policy: Appreciation of the laws, regulations, and other
restrictions associated with network security is highly recommended.
Readers who believe they may be lacking in any of these areas can benefit from
my recommended reading list, which is constantly updated and available at http://www.bejtlich.net/reading.html.
If I were to recommend a single book to read prior to this one, it would be
The Tao of Network Security Monitoring: Beyond Intrusion Detection. In
many ways, Extrusion Detection is an attempt to extend The Tao
to the addressing of internal threats. While Extrusion Detection will
function as a stand-alone work, your network security monitoring operations
will greatly benefit from your reading The Tao.
A Note on Operating Systems
Where possible, the reference platform for this book is FreeBSD 5.3 or 5.4
RELEASE. In the cases where Linux is required, I use Slackware Linux 10.0. Some
of the latest innovations in host-centric access control are supported only
on commercial operating systems such as Microsoft Windows.
Generally speaking, any tool that compiles on FreeBSD will work on the Unix
variant you choose. Tools that are closely tied to the OS kernel, such as the
Packet Filter (Pf) firewall (http://www.openbsd.org/faq/pf/),
may not be available on any OS other than those specified later in the book.
Scope
Extrusion Detection is divided into three parts that are followed by
an epilogue and appendices. You can focus on the areas that interest you, because
the sections are modular. You may wonder why greater attention is not paid to
popular tools like Nmap or Snort. With Extrusion Detection, I hope to
continue breaking new ground by highlighting ideas and tools seldom seen elsewhere.
If I don't address a widely popular product, it's because it has received plenty
of coverage in another book.
Part I mixes theory with architectural considerations. Chapter 1 is a recap
of the major theories, tools, and techniques from The Tao. It is important
for readers to understand that NSM has a specific technical meaning and that
NSM is not the same process as intrusion detection or prevention. Chapter 2
describes the architectural requirements for designing a network best suited
to detect, control, and respond to intrusions. Chapter 3 explains the theory
of extrusion detection and sets the stage for the remainder of the book. Chapter
4 describes how to gain visibility to internal traffic. Part I concludes with
Chapter 5, original material by financial security architect Ken Meyers that
explains how internal network design can enhance the control and detection of
internal threats.
Part II is aimed at security analysts and operators; it is traffic-oriented
and requires basic understanding of TCP/IP and packet analysis. Chapter 6 offers
a method of dissecting session and full content data to unearth unauthorized
activity. From a network-centric perspective, Chapter 7 offers guidance on responding
to intrusions. Chapter 8 concludes Part II by demonstrating principles of network
forensics. The last two chapters are unique in that they use the term "network"
to not mean "computer" or "enterprise." When I talk about network incident response
or network forensics, I refer to traffic-oriented techniques and tools. This
approach stands in sharp contrast to the host-centric methodologies found elsewhere.
My material complements and does not replace those valuable resources.
Part III collects case studies of interest to all types of security professionals.
Chapter 9 applies the lessons of Chapter 6 and explains how an internal bot
net was discovered using traffic threat assessment. Chapter 10 exposes the inner
workings of bot nets, through the eyes of Mike Heiser. As an analyst at Myrtle
Beach-based managed security service provider LURHQ, Michael has a unique perspective
that readers will appreciate.
An epilogue points to future developments. Appendix A describes how to install
Argus and NetFlow collection tools to capture session data. Appendix B explains
how to install a minimal Snort deployment in an emergency. Appendix C, by Tenable
Network Security founder Ron Gula, examines the variety of host and vulnerability
enumeration techniques available in commercial and open source tools. The book
concludes with Appendix D, where Red Cliff Consulting expert Rohyt Belani offers
guidance on internal host enumeration using open source tools.
Subjects Beyond the Scope of This Book
I do not address the following topics in this book, consistent with my desire
to avoid repeating material best addressed elsewhere (if possible). If you want
to know more about these subjects, you may find the following books helpful.
- Viruses, worms, and malware. The Art of Computer Virus Research and Defense
by Peter Szor (Upper Saddle River, NJ: Addison-Wesley, 2005); Malware:
Fighting Malicious Code by Ed Skoudis and Lenny Zeltser (Upper Saddle
River, NJ: Prentice Hall, 2004).
- Phishing. Phishing: Cutting the Identity Theft Line by Rachael Lininger
(Boston, MA: John Wiley & Sons, 2005) or Phishing Exposed by Lance
James (Boston, MA: Syngress, 2006).
- Spam. Anti-Spam Toolkit by Paul Wolfe, Charlie Scott, and Mike W.
Erwin (New York, NY: McGraw-Hill/Osborne, 2004); Inside the Spam Cartel
by Spammer-X (Rockland, MA: Syngress, 2004); Slamming Spam: A Guide
for System Administrators by Robert Haskins and Dale Nielsen (Upper Saddle
River, NJ: Addison-Wesley, 2005).
- Denial of Service. Internet Denial of Service: Attack and Defense Mechanisms
by Jelena Mirkovic, et al. (Upper Saddle River, NJ: Prentice Hall, 2005).
Book Web Site
For more information on network security monitoring and extrusion detection,
visit http://www.extrusiondetection.com.
1. In mid-August 2005, the Zotob worm is winding
its way across the Internet by attacking SMB services on vulnerable Windows
workstations. Even in late 2005, the traditional server-side attack is alive
and well, alongside more recent client-side attacks. More information on Zotob
is available at http://www.f-secure.com/v-descs/zotob_a.shtml.
Foreword
Download the Foreword
file related to this title.
Index
Download the Index
file related to this title.