Extrusion Detection: Security Monitoring for Internal Intrusions


by Richard Bejtlich

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.

Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.

Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

  • Architecting defensible networks with pervasive awareness: theory, techniques, and tools
  • Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
  • Dissecting session and full-content data to reveal unauthorized activity
  • Implementing effective Layer 3 network access control
  • Responding to internal attacks, including step-by-step network forensics
  • Assessing your network's current ability to resist internal attacks
  • Setting reasonable corporate access policies
  • Detailed case studies, including the discovery of internal and IRC-based bot nets
  • Advanced extrusion detection: from data collection to host and vulnerability enumeration

About the Web Site

Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.

Product Details

ISBN-13: 9780321349965
Publisher: Addison-Wesley
Publication date: 11/22/2005
Pages: 416
Product dimensions: 6.90 (w) x 9.00 (h) x 1.00 (d) inches

Table of Contents

1. Network Security Monitoring Revisited
  • Why Extrusion Detection?
  • Defining the Security Process
  • Security Principles
  • Network Security Monitoring Theory
  • Network Security Monitoring Techniques
  • Network Security Monitoring Tools

2. Defensible Network Architecture
  • Monitoring the Defensible Network
  • Controlling the Defensible Network
  • Minimizing the Defensible Network
  • Keeping the Defensible Network Current

3. Extrusion Detection Illustrated
  • Intrusion Detection Defined
  • Extrusion Detection Defined
  • History of Extrusion Detection
  • Extrusion Detection Through NSM

4. Enterprise Network Instrumentation
  • Common Packet Capture Methods
  • Dual Port Aggregator Tap
  • 2X1 10/100 Regeneration Tap
  • 2X1 10/100 SPAN Regeneration Tap
  • Matrix Switch
  • Link Aggregator Tap
  • Distributed Traffic Collection with Pf Dup-To
  • Squid SSL Termination Reverse Proxy

5. Layer 3 Network Access Control
  • Internal Network Design
  • Internet Service Provider Sink Holes
  • Enterprise Sink Holes
  • Using Sink Holes to Identify Internal Intrusions
  • Internal Intrusion Containment
  • Notes on Enterprise Sink Holes in the Field

6. Traffic Threat Assessment
  • Why Traffic Threat Assessment?
  • First Cuts
  • Looking for Odd Traffic
  • Inspecting Individual Services: NTP
  • Inspecting Individual Services: ISAKMP
  • Inspecting Individual Services: ICMP
  • Inspecting Individual Services: Secure Shell
  • Inspecting Individual Services: Whois
  • Inspecting Individual Services: LDAP
  • Inspecting Individual Services: Ports 3003 to 9126 TCP
  • Inspecting Individual Services: Ports 44444 and 49993 TCP
  • Inspecting Individual Services: DNS
  • Inspecting Individual Services: SMTP
  • Inspecting Individual Services: Wrap-Up

7. Network Incident Response
  • Preparation for Network Incident Response
  • Secure CSIRT Communications
  • Intruder Profiles
  • Incident Detection Methods
  • Network First Response
  • Network-Centric General Response and Remediation

8. Network Forensics
  • What Is Network Forensics?
  • Collecting Network Traffic as Evidence
  • Protecting and Preserving Network-Based Evidence
  • Analyzing Network-Based Evidence
  • Presenting and Defending Conclusions

9. Traffic Threat Assessment Case Study
  • Initial Discovery
  • Making Sense of Argus Output
  • Argus Meets Awk
  • Examining Port 445 TCP Traffic
  • Were the Targets Compromised?
  • Tracking Down the Internal Victims
  • Moving to Full Content Data
  • Correlating Live Response Data with Network Evidence

10. Malicious Bots
  • Introduction to IRC Bots
  • Communication and Identification
  • Server and Control Channels
  • Exploitation and Propagation
  • Final Thoughts on Bots
  • Dialogue with a Bot Net Admin

Appendix A: Collecting Session Data in an Emergency
Appendix B: Minimal Snort Installation Guide
Appendix C: Survey of Enumeration Methods
Appendix D: Open Source Host Enumeration
