Extrusion Detection: Security Monitoring for Internal Intrusions

Paperback (Print)
Overview

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.

Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.

Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

  • Architecting defensible networks with pervasive awareness: theory, techniques, and tools
  • Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
  • Dissecting session and full-content data to reveal unauthorized activity
  • Implementing effective Layer 3 network access control
  • Responding to internal attacks, including step-by-step network forensics
  • Assessing your network's current ability to resist internal attacks
  • Setting reasonable corporate access policies
  • Detailed case studies, including the discovery of internal and IRC-based bot nets
  • Advanced extrusion detection: from data collection to host and vulnerability enumeration

About the Web Site

Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
While companies have been aggressively defending their networks against attacks from the outside, hackers have discovered they can attack from the inside, by compromising the web software your people depend upon. Firewalls won’t fix that: You need a complete strategy for protecting client software and monitoring outbound traffic. That’s what Extrusion Detection delivers.

Author Richard Bejtlich is one of the world’s most respected security consultants (and author of the widely praised Tao of Network Security Monitoring). Here, he systematically demonstrates how to build networks that can detect and control intruders launching either server-side or client-side attacks. He ranges widely, covering theory, architecture, access policies and control, data collection, even packet analysis using open source tools.

Everything comes together with two detailed case studies -- including a fascinating look at the discovery of a malicious botnet using only session data. Bill Camarda, from the February 2006 Read Only

Product Details

  • ISBN-13: 9780321349965
  • Publisher: Addison-Wesley
  • Publication date: 11/8/2005
  • Pages: 416
  • Product dimensions: 7.00 (w) x 9.00 (h) x 1.00 (d)

Meet the Author

Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone--performing incident response, emergency NSM, and security research and training--and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy. He has authored or coauthored several security books, including The Tao of Network Security Monitoring (Addison-Wesley, 2004).

Read an Excerpt

Welcome to Extrusion Detection: Security Monitoring for Internal Intrusions. The goal of this book is to help you detect, contain, and remediate internal intrusions using network security monitoring (NSM) principles. This book will guide security architects and engineers who control and instrument networks, help analysts and operators to investigate internal network security events, and give technical managers the justification they need to fund internal security projects. Extrusion Detection is the sequel to my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. While Extrusion Detection is a stand-alone work, I strongly recommend reading The Tao first, or at least having it nearby as a reference.

Those of you who have read The Tao will recall that the book focused on outsiders gaining unauthorized access to Internet-exposed servers. This threat model reflected the predominant mode of Internet exploitation in the 1990s. The primary means for attackers to exploit targets during the 1990s involved server-side attacks. Intruders gained unauthorized access by exploiting services offered by Internet-facing victims. Typical targets included Web servers, e-mail servers, domain name resolution (DNS) servers, and other programs that wait to answer queries from Internet users.[1] If internal workstations were not obscured by network address translation (NAT) gateways or firewalls, they too could be attacked directly, but only if they offered services similar to the typical targets. Local file-sharing services employing Unix remote procedure calls (RPCs) or Windows Server Message Block (SMB) were high-priority targets.

With the advent of the firewall in the early 1990s and the adoption of private Request for Comments (RFC) 1918 space in the middle 1990s, internal workstations were seldom directly attacked, unlike their public server counterparts. Protection from the outsider threat required access control and limits on the exposure of Internet-facing hosts. Traditional monitoring efforts watched attacks from the Internet to exposed servers because intruders most often launched "server-side" attacks.

The current decade has seen this model turned inside-out. Beginning in 2000, and with increasing intensity since 2003, corporate and home users have been subjected to increasing numbers of "client-side" attacks. No longer are services offered by computers the only targets of attack. Now, the applications upon which users rely, such as Web browsers, e-mail clients, and chat programs are the targets.

Instead of an intruder attacking the Web server running on a company's Internet-facing server, the intruder attacks the Web browser of an internal user who surfs intentionally or accidentally to a malicious Web site. Alternatively, a user may receive a Trojan through a chat program and unwisely decide to run that executable while operating with administrator privileges. No longer is it sufficient for security staff to harden the network perimeter by limiting services exposed to the Internet. The perimeter network is still a crucial part of network infrastructure, despite calls for the "de-perimeterization" of enterprise networks. Now, software running on clients must be protected, and the traffic generated must be monitored for signs of compromise.

This book focuses on ways to deal with the threat to internal systems. By "internal systems," I mean those considered to be intranet, not Internet, hosts. Extrusion Detection is not about traditional hardening of internal hosts to the same degree as external hosts. Traditional internal host hardening means minimizing services offered by systems, thereby decreasing the likelihood of server-side attacks. In other words, I would not be offering new advice if I discussed how to control and detect attacks against the SMB server running on port 445 TCP on a Windows XP workstation. I may not address such practices in detail here, but reduction of server-side exposure is certainly a beneficial security practice.

Extrusion Detection explains how to engineer an internal network that can control and detect intruders launching server-side or client-side attacks. Client-side attacks are more insidious than server-side attacks, because the intruder targets a vulnerable application anywhere inside a potentially hardened internal network. A powerful means to detect the compromise of internal systems is to watch for outbound connections from the victim to systems on the Internet operated by the intruder. Here we see the significance of the word "extrusion" in the book's title. That is, in addition to watching connections inbound from the Internet, we watch for suspicious activity exiting the protected network.

Audience

This book is for architects, engineers, analysts, operators, and managers with intermediate to advanced knowledge of network security. Architects will learn ways to design networks better suited to surviving client-side (and server-side) attacks. Primarily using open source software, engineers will learn how to build solutions for controlling and instrumenting internal networks. Analysts and operators will learn how to interpret the data collected in order to discover and escalate indicators of compromise. Managers will read case studies of real malicious software and the consequences of poor internal security.

All readers will learn about the theory, techniques, and tools for implementing network security monitoring (NSM) for internal intrusions. Executives may use the material to assess the state of their networks in relation to the book's recommended best practices. Auditors can determine if their clients are collecting the network-based information that's needed for the appropriate control, detection, and response to intrusions.

Prerequisites

I have attempted to avoid duplication of material presented in other books, including The Tao. My purpose here is to publish as much new thought on internal security as possible and to have this book be a complement to previously published books. I expect my audience to bring a certain amount of knowledge to the table.

Core skills readers should possess in order to get the most from the book are:

  • Scripting and Programming: Familiarity with simple shell scripting is helpful when automating certain tasks.
  • Weapons and Tactics: Knowledge of tools and techniques for network attack and defense is assumed.
  • System Administration: Readers should be comfortable with installing software on the operating systems they use.
  • Telecommunications: An understanding of Transmission Control Protocol/Internet Protocol (TCP/IP) networking is absolutely essential.
  • Management and Policy: Appreciation of the laws, regulations, and other restrictions associated with network security is highly recommended.

Readers who believe they may be lacking in any of these areas can benefit from my recommended reading list, which is constantly updated and available at http://www.bejtlich.net/reading.html.

If I were to recommend a single book to read prior to this one, it would be The Tao of Network Security Monitoring: Beyond Intrusion Detection. In many ways, Extrusion Detection is an attempt to extend The Tao to the addressing of internal threats. While Extrusion Detection will function as a stand-alone work, your network security monitoring operations will greatly benefit from your reading The Tao.

A Note on Operating Systems

Where possible, the reference platform for this book is FreeBSD 5.3 or 5.4 RELEASE. In the cases where Linux is required, I use Slackware Linux 10.0. Some of the latest innovations in host-centric access control are supported only on commercial operating systems such as Microsoft Windows.

Generally speaking, any tool that compiles on FreeBSD will work on the Unix variant you choose. Tools that are closely tied to the OS kernel, such as the Packet Filter (Pf) firewall (http://www.openbsd.org/faq/pf/), may not be available on any OS other than those specified later in the book.

Scope

Extrusion Detection is divided into three parts that are followed by an epilogue and appendices. You can focus on the areas that interest you, because the sections are modular. You may wonder why greater attention is not paid to popular tools like Nmap or Snort. With Extrusion Detection, I hope to continue breaking new ground by highlighting ideas and tools seldom seen elsewhere. If I don't address a widely popular product, it's because it has received plenty of coverage in another book.

Part I mixes theory with architectural considerations. Chapter 1 is a recap of the major theories, tools, and techniques from The Tao. It is important for readers to understand that NSM has a specific technical meaning and that NSM is not the same process as intrusion detection or prevention. Chapter 2 describes the architectural requirements for designing a network best suited to detect, control, and respond to intrusions. Chapter 3 explains the theory of extrusion detection and sets the stage for the remainder of the book. Chapter 4 describes how to gain visibility to internal traffic. Part I concludes with Chapter 5, original material by financial security architect Ken Meyers that explains how internal network design can enhance the control and detection of internal threats.

Part II is aimed at security analysts and operators; it is traffic-oriented and requires basic understanding of TCP/IP and packet analysis. Chapter 6 offers a method of dissecting session and full content data to unearth unauthorized activity. From a network-centric perspective, Chapter 7 offers guidance on responding to intrusions. Chapter 8 concludes Part II by demonstrating principles of network forensics. The last two chapters are unique in that they use the term "network" to not mean "computer" or "enterprise." When I talk about network incident response or network forensics, I refer to traffic-oriented techniques and tools. This approach stands in sharp contrast to the host-centric methodologies found elsewhere. My material complements and does not replace those valuable resources.

Part III collects case studies of interest to all types of security professionals. Chapter 9 applies the lessons of Chapter 6 and explains how an internal bot net was discovered using traffic threat assessment. Chapter 10 exposes the inner workings of bot nets, through the eyes of Mike Heiser. As an analyst at Myrtle Beach-based managed security service provider LURHQ, Michael has a unique perspective that readers will appreciate.

An epilogue points to future developments. Appendix A describes how to install Argus and NetFlow collection tools to capture session data. Appendix B explains how to install a minimal Snort deployment in an emergency. Appendix C, by Tenable Network Security founder Ron Gula, examines the variety of host and vulnerability enumeration techniques available in commercial and open source tools. The book concludes with Appendix D, where Red Cliff Consulting expert Rohyt Belani offers guidance on internal host enumeration using open source tools.

Subjects Beyond the Scope of This Book

I do not address the following topics in this book, consistent with my desire to avoid repeating material best addressed elsewhere (if possible). If you want to know more about these subjects, you may find the following books helpful.

  • Viruses, worms, and malware. The Art of Computer Virus Research and Defense by Peter Szor (Upper Saddle River, NJ: Addison-Wesley, 2005); Malware: Fighting Malicious Code by Ed Skoudis and Lenny Zeltser (Upper Saddle River, NJ: Prentice Hall, 2004).
  • Phishing. Phishing: Cutting the Identity Theft Line by Rachael Lininger (Boston, MA: John Wiley & Sons, 2005) or Phishing Exposed by Lance James (Boston, MA: Syngress, 2006).
  • Spam. Anti-Spam Toolkit by Paul Wolfe, Charlie Scott, and Mike W. Erwin (New York, NY: McGraw-Hill/Osborne, 2004); Inside the Spam Cartel by Spammer-X (Rockland, MA: Syngress, 2004); Slamming Spam: A Guide for System Administrators by Robert Haskins and Dale Nielsen (Upper Saddle River, NJ: Addison-Wesley, 2005).
  • Denial of Service. Internet Denial of Service: Attack and Defense Mechanisms by Jelena Mirkovic, et al. (Upper Saddle River, NJ: Prentice Hall, 2005).

Book Web Site

For more information on network security monitoring and extrusion detection, visit http://www.extrusiondetection.com.

1. In mid-August 2005, the Zotob worm is winding its way across the Internet by attacking SMB services on vulnerable Windows workstations. Even in late 2005, the traditional server-side attack is alive and well, alongside more recent client-side attacks. More information on Zotob is available at http://www.f-secure.com/v-descs/zotob_a.shtml.


Table of Contents

Foreword.

Preface.

I. DETECTING AND CONTROLLING INTRUSIONS.

1. Network Security Monitoring Revisited.

Why Extrusion Detection?

Defining The Security Process

Security Principles

Network Security Monitoring Theory

Network Security Monitoring Techniques

Network Security Monitoring Tools

Conclusion

2. Defensible Network Architecture.

Monitoring the Defensible Network

Controlling the Defensible Network

Minimizing the Defensible Network

Keeping the Defensible Network Current

Conclusion

3. Extrusion Detection Illustrated.

Intrusion Detection Defined

Extrusion Detection Defined

History of Extrusion Detection

Extrusion Detection Through NSM

Conclusion

4. Enterprise Network Instrumentation.

Common Packet Capture Methods

PCI Tap

Dual Port Aggregator Tap

2X1 10/100 Regeneration Tap

2X1 10/100 SPAN Regeneration Tap

Matrix Switch

Link Aggregator Tap

Distributed Traffic Collection with Pf Dup-To

Squid SSL Termination Reverse Proxy

Conclusion

5. Layer 3 Network Access Control.

Internal Network Design

Internet Service Provider Sink Holes

Enterprise Sink Holes

Using Sink Holes to Identify Internal Intrusions

Internal Intrusion Containment

Notes on Enterprise Sink Holes in the Field

Conclusion

II. NETWORK SECURITY OPERATIONS.

6. Traffic Threat Assessment.

Why Traffic Threat Assessment?

Assumptions

First Cuts

Looking for Odd Traffic

Inspecting Individual Services: NTP

Inspecting Individual Services: ISAKMP

Inspecting Individual Services: ICMP

Inspecting Individual Services: Secure Shell

Inspecting Individual Services: Whois

Inspecting Individual Services: LDAP

Inspecting Individual Services: Ports 3003 to 9126 TCP

Inspecting Individual Services: Ports 44444 and 49993 TCP

Inspecting Individual Services: DNS

Inspecting Individual Services: SMTP

Inspecting Individual Services: Wrap-Up

Conclusion

7. Network Incident Response.

Preparation for Network Incident Response

Secure CSIRT Communications

Intruder Profiles

Incident Detection Methods

Network First Response

Network-Centric General Response and Remediation

Conclusion

8. Network Forensics.

What Is Network Forensics?

Collecting Network Traffic as Evidence

Protecting and Preserving Network-Based Evidence

Analyzing Network-Based Evidence

Presenting and Defending Conclusions

Conclusion

III. INTERNAL INTRUSIONS.

9. Traffic Threat Assessment Case Study.

Initial Discovery

Making Sense of Argus Output

Argus Meets Awk

Examining Port 445 TCP Traffic

Were the Targets Compromised?

Tracking Down the Internal Victims

Moving to Full Content Data

Correlating Live Response Data with Network Evidence

Conclusion

10. Malicious Bots.

Introduction to IRC Bots

Communication and Identification

Server and Control Channels

Exploitation and Propagation

Final Thoughts on Bots

Dialogue with a Bot Net Admin

Conclusion

Epilogue

Appendix A: Collecting Session Data in an Emergency.

Appendix B: Minimal Snort Installation Guide.

Appendix C: Survey of Enumeration Methods.

Appendix D: Open Source Host Enumeration.

Index.

Read More Show Less

Preface

Welcome to Extrusion Detection: Security Monitoring for Internal Intrusions. The goal of this book is to help you detect, contain, and remediate internal intrusions using network security monitoring (NSM) principles. This book will guide security architects and engineers who control and instrument networks, help analysts and operators to investigate internal network security events, and give technical managers the justification they need to fund internal security projects. Extrusion Detection is the sequel to my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. While Extrusion Detection is a stand-alone work, I strongly recommend reading The Tao first, or at least having it nearby as a reference.

Those of you who have read The Tao will recall that the book focused on outsiders gaining unauthorized access to Internet-exposed servers. This threat model reflected the predominant mode of Internet exploitation in the 1990s. The primary means for attackers to exploit targets during the 1990s involved server-side attacks. Intruders gained unauthorized access by exploiting services offered by Internet-facing victims. Typical targets included Web servers, e-mail servers, domain name resolution (DNS) servers, and other programs that wait to answer queries from Internet users. 1 If internal workstations were not obscured by network address translation (NAT) gateways or firewalls, they too could be attacked directly, but only if they offered services similar to the typical targets. Local file-sharing services employing Unix remote procedure calls (RPCs) or Windows Server Message Block (SMB) were high-priority targets.

With the advent of the firewall in the early 1990s and the adoption of private Request for Comments (RFC) 1918 space in the middle 1990s, internal workstations were seldom directly attacked, unlike their public server counterparts. Protection from the outsider threat required access control and limits on the exposure of Internet-facing hosts. Traditional monitoring efforts watched attacks from the Internet to exposed servers because intruders most often launched "server-side" attacks.

The current decade has seen this model turned inside-out. Beginning in 2000, and with increasing intensity since 2003, corporate and home users have been subjected to increasing numbers of "client-side" attacks. No longer are services offered by computers the only targets of attack. Now, the applications upon which users rely, such as Web browsers, e-mail clients, and chat programs are the targets.

Instead of an intruder attacking the Web server running on a company's Internet-facing server, the intruder attacks the Web browser of an internal user who surfs intentionally or accidentally to a malicious Web site. Alternatively, a user may receive a Trojan through a chat program and unwisely decide to run that executable while operating with administrator privileges. No longer is it sufficient for security staff to harden the network perimeter by limiting services exposed to the Internet. The perimeter network is still a crucial part of network infrastructure, despite calls for the "de-perimeterization" of enterprise networks. Now, software running on clients must be protected, and the traffic generated must be monitored for signs of compromise.

This book focuses on ways to deal with the threat to internal systems. By "internal systems," I mean those considered to be intranet, not Internet, hosts. Extrusion Detection is not about traditional hardening of internal hosts to the same degree as external hosts. Traditional internal host hardening means minimizing services offered by systems, thereby decreasing the likelihood of server-side attacks. In other words, I would not be offering new advice if I discussed how to control and detect attacks against the SMB server running on port 445 TCP on a Windows XP workstation. I may not address such practices in detail here, but reduction of server-side exposure is certainly a beneficial security practice.

Extrusion Detection explains how to engineer an internal network that can control and detect intruders launching server-side or client-side attacks. Client-side attacks are more insidious than server-side attacks, because the intruder targets a vulnerable application anywhere inside a potentially hardened internal network. A powerful means to detect the compromise of internal systems is to watch for outbound connections from the victim to systems on the Internet operated by the intruder. Here we see the significance of the word "extrusion" in the book's title. That is, in addition to watching connections inbound from the Internet, we watch for suspicious activity exiting the protected network.

Audience

This book is for architects, engineers, analysts, operators, and managers with intermediate to advanced knowledge of network security. Architects will learn ways to design networks better suited to surviving client-side (and server-side) attacks. Primarily using open source software, engineers will learn how to build solutions for controlling and instrumenting internal networks. Analysts and operators will learn how to interpret the data collected in order to discover and escalate indicators of compromise. Managers will read case studies of real malicious software and the consequences of poor internal security.

All readers will learn about the theory, techniques, and tools for implementing network security monitoring (NSM) for internal intrusions. Executives may use the material to assess the state of their networks in relation to the book's recommended best practices. Auditors can determine if their clients are collecting the network-based information that's needed for the appropriate control, detection, and response to intrusions.

Prerequisites

I have attempted to avoid duplication of material presented in other books, including The Tao. My purpose here is to publish as much new thought on internal security as possible and to have this book be a complement to previously published books. I expect my audience to bring a certain amount of knowledge to the table.

Core skills readers should possess in order to get the most from the book are:

  • Scripting and Programming: Familiarity with simple shell scripting is helpful when automating certain tasks.
  • Weapons and Tactics: Knowledge of tools and techniques for network attack and defense is assumed.
  • System Administration: Readers should be comfortable with installing software on the operating systems they use.
  • Telecommunications: An understanding of Transmission Control Protocol/Internet Protocol (TCP/IP) networking is absolutely essential.
  • Management and Policy: Appreciation of the laws, regulations, and other restrictions associated with network security is highly recommended.

Readers who believe they may be lacking in any of these areas can benefit from my recommended reading list, which is constantly updated and available at http://www.bejtlich.net/reading.html.

If I were to recommend a single book to read prior to this one, it would be The Tao of Network Security Monitoring: Beyond Intrusion Detection. In many ways, Extrusion Detection is an attempt to extend The Tao to the addressing of internal threats. While Extrusion Detection will function as a stand-alone work, your network security monitoring operations will greatly benefit from your reading The Tao.

A Note on Operating Systems

Where possible, the reference platform for this book is FreeBSD 5.3 or 5.4 RELEASE. In the cases where Linux is required, I use Slackware Linux 10.0. Some of the latest innovations in host-centric access control are supported only on commercial operating systems such as Microsoft Windows.

Generally speaking, any tool that compiles on FreeBSD will work on the Unix variant you choose. Tools that are closely tied to the OS kernel, such as the Packet Filter (Pf) firewall (http://www.openbsd.org/faq/pf/), may not be available on any OS other than those specified later in the book.

Scope

Extrusion Detection is divided into three parts that are followed by an epilogue and appendices. You can focus on the areas that interest you, because the sections are modular. You may wonder why greater attention is not paid to popular tools like Nmap or Snort. With Extrusion Detection, I hope to continue breaking new ground by highlighting ideas and tools seldom seen elsewhere. If I don't address a widely popular product, it's because it has received plenty of coverage in another book.

Part I mixes theory with architectural considerations. Chapter 1 is a recap of the major theories, tools, and techniques from The Tao. It is important for readers to understand that NSM has a specific technical meaning and that NSM is not the same process as intrusion detection or prevention. Chapter 2 describes the architectural requirements for designing a network best suited to detect, control, and respond to intrusions. Chapter 3 explains the theory of extrusion detection and sets the stage for the remainder of the book. Chapter 4 describes how to gain visibility to internal traffic. Part I concludes with Chapter 5, original material by financial security architect Ken Meyers that explains how internal network design can enhance the control and detection of internal threats.

Part II is aimed at security analysts and operators; it is traffic-oriented and requires basic understanding of TCP/IP and packet analysis. Chapter 6 offers a method of dissecting session and full content data to unearth unauthorized activity. From a network-centric perspective, Chapter 7 offers guidance on responding to intrusions. Chapter 8 concludes Part II by demonstrating principles of network forensics. The last two chapters are unique in that they use the term "network" to not mean "computer" or "enterprise." When I talk about network incident response or network forensics, I refer to traffic-oriented techniques and tools. This approach stands in sharp contrast to the host-centric methodologies found elsewhere. My material complements and does not replace those valuable resources.

Part III collects case studies of interest to all types of security professionals. Chapter 9 applies the lessons of Chapter 6 and explains how an internal bot net was discovered using traffic threat assessment. Chapter 10 exposes the inner workings of bot nets, through the eyes of Mike Heiser. As an analyst at Myrtle Beach-based managed security service provider LURHQ, Michael has a unique perspective that readers will appreciate.

An epilogue points to future developments. Appendix A describes how to install Argus and NetFlow collection tools to capture session data. Appendix B explains how to install a minimal Snort deployment in an emergency. Appendix C, by Tenable Network Security founder Ron Gula, examines the variety of host and vulnerability enumeration techniques available in commercial and open source tools. The book concludes with Appendix D, where Red Cliff Consulting expert Rohyt Belani offers guidance on internal host enumeration using open source tools.

Subjects Beyond the Scope of This Book

I do not address the following topics in this book, consistent with my desire to avoid repeating material best addressed elsewhere (if possible). If you want to know more about these subjects, you may find the following books helpful.
  • Viruses, worms, and malware. The Art of Computer Virus Research and Defense by Peter Szor (Upper Saddle River, NJ: Addison-Wesley, 2005); Malware: Fighting Malicious Code by Ed Skoudis and Lenny Zeltser (Upper Saddle River, NJ: Prentice Hall, 2004).
  • Phishing. Phishing: Cutting the Identity Theft Line by Rachael Lininger (Boston, MA: John Wiley & Sons, 2005) or Phishing Exposed by Lance James (Boston, MA: Syngress, 2006).
  • Spam. Anti-Spam Toolkit by Paul Wolfe, Charlie Scott, and Mike W. Erwin (New York, NY: McGraw-Hill/Osborne, 2004); Inside the Spam Cartel by Spammer-X (Rockland, MA: Syngress, 2004); Slamming Spam: A Guide for System Administrators by Robert Haskins and Dale Nielsen (Upper Saddle River, NJ: Addison-Wesley, 2005).
  • Denial of Service. Internet Denial of Service: Attack and Defense Mechanisms by Jelena Mirkovic, et al. (Upper Saddle River, NJ: Prentice Hall, 2005).

Book Web Site

For more information on network security monitoring and extrusion detection, visit http://www.extrusiondetection.com.

1. In mid-August 2005, the Zotob worm is winding its way across the Internet by attacking SMB services on vulnerable Windows workstations. Even in late 2005, the traditional server-side attack is alive and well, alongside more recent client-side attacks. More information on Zotob is available at http://www.f-secure.com/v-descs/zotob_a.shtml.


Customer Reviews

  • Anonymous

    Posted April 5, 2006

    nice usage of sink holes

    This book is a fine complement to Bejtlich's Tao of Network Security Monitoring. At first, one might think there would be considerable overlap between the two. After all, both concern crackers attacking a company's network that sits on the Internet. Yet the author takes pains to point out key differences. Tao was about an external attacker going at your servers, where these might be web or database [or other types of] servers. The current text describes a qualitatively different game. Where a typical scenario might be one of your users, at her machine which is inside your network, surfing the Web. An attacker might try to target bugs in her browser, in order to install malware on her machine. This malware might then surveil that machine and others on the network, and hence ring home to the attacker's website. So extrusion detection involves at the very least defending your client machines, instead of your servers. Bejtlich gives detailed examples of how to use various tools, typically open source, to monitor your internal traffic, looking for telltale signs of extrusion. Along the way, there is a nice description of two ways to use a sink hole. One is by an ISP, who is facing a Denial of Service attack against one of its customer's addresses. For this, a sink hole can be configured to divert those incoming packets, and protect the ISP's other customers. In a recent book, 'Internet Denial of Service' by Mirkovic et al, various anti-DoS methods were cited, and this usage of a sink hole is an excellent example of another such method. While DoS is not an internal attack, it is still a very serious problem, and it is helpful to see a clear description of how to use a sink hole against it. The other method of using a sink hole involves configuring it to attract traffic from internal machines that have been subverted. Here, this is entirely in keeping with the book's remit.
