Extrusion Detection: Security Monitoring for Internal Intrusions [Paperback]

Richard Bejtlich (Author)

Book Description

ISBN-10: 0321349962 | ISBN-13: 978-0321349965 | Publication Date: November 18, 2005

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.

Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.

Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

• Architecting defensible networks with pervasive awareness: theory, techniques, and tools
• Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
• Dissecting session and full-content data to reveal unauthorized activity
• Implementing effective Layer 3 network access control
• Responding to internal attacks, including step-by-step network forensics
• Assessing your network's current ability to resist internal attacks
• Setting reasonable corporate access policies
• Detailed case studies, including the discovery of internal and IRC-based bot nets
• Advanced extrusion detection: from data collection to host and vulnerability enumeration

About the Web Site

Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.

Editorial Reviews

About the Author

Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone--performing incident response, emergency NSM, and security research and training--and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy. He has authored or coauthored several security books, including The Tao of Network Security Monitoring (Addison-Wesley, 2004).

Excerpt. © Reprinted by permission. All rights reserved.

Welcome to Extrusion Detection: Security Monitoring for Internal Intrusions. The goal of this book is to help you detect, contain, and remediate internal intrusions using network security monitoring (NSM) principles. This book will guide security architects and engineers who control and instrument networks, help analysts and operators to investigate internal network security events, and give technical managers the justification they need to fund internal security projects. Extrusion Detection is the sequel to my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. While Extrusion Detection is a stand-alone work, I strongly recommend reading The Tao first, or at least having it nearby as a reference.

Those of you who have read The Tao will recall that the book focused on outsiders gaining unauthorized access to Internet-exposed servers. This threat model reflected the predominant mode of Internet exploitation in the 1990s. The primary means for attackers to exploit targets during the 1990s involved server-side attacks. Intruders gained unauthorized access by exploiting services offered by Internet-facing victims. Typical targets included Web servers, e-mail servers, domain name resolution (DNS) servers, and other programs that wait to answer queries from Internet users.¹ If internal workstations were not obscured by network address translation (NAT) gateways or firewalls, they too could be attacked directly, but only if they offered services similar to the typical targets. Local file-sharing services employing Unix remote procedure calls (RPCs) or Windows Server Message Block (SMB) were high-priority targets.

With the advent of the firewall in the early 1990s and the adoption of private Request for Comments (RFC) 1918 space in the middle 1990s, internal workstations were seldom directly attacked, unlike their public server counterparts. Protection from the outsider threat required access control and limits on the exposure of Internet-facing hosts. Traditional monitoring efforts watched attacks from the Internet to exposed servers because intruders most often launched "server-side" attacks.

The current decade has seen this model turned inside-out. Beginning in 2000, and with increasing intensity since 2003, corporate and home users have been subjected to increasing numbers of "client-side" attacks. No longer are services offered by computers the only targets of attack. Now, the applications upon which users rely, such as Web browsers, e-mail clients, and chat programs are the targets.

Instead of an intruder attacking the Web server running on a company's Internet-facing server, the intruder attacks the Web browser of an internal user who surfs intentionally or accidentally to a malicious Web site. Alternatively, a user may receive a Trojan through a chat program and unwisely decide to run that executable while operating with administrator privileges. No longer is it sufficient for security staff to harden the network perimeter by limiting services exposed to the Internet. The perimeter network is still a crucial part of network infrastructure, despite calls for the "de-perimeterization" of enterprise networks. Now, software running on clients must be protected, and the traffic generated must be monitored for signs of compromise.

This book focuses on ways to deal with the threat to internal systems. By "internal systems," I mean those considered to be intranet, not Internet, hosts. Extrusion Detection is not about traditional hardening of internal hosts to the same degree as external hosts. Traditional internal host hardening means minimizing services offered by systems, thereby decreasing the likelihood of server-side attacks. In other words, I would not be offering new advice if I discussed how to control and detect attacks against the SMB server running on port 445 TCP on a Windows XP workstation. I may not address such practices in detail here, but reduction of server-side exposure is certainly a beneficial security practice.

Extrusion Detection explains how to engineer an internal network that can control and detect intruders launching server-side or client-side attacks. Client-side attacks are more insidious than server-side attacks, because the intruder targets a vulnerable application anywhere inside a potentially hardened internal network. A powerful means to detect the compromise of internal systems is to watch for outbound connections from the victim to systems on the Internet operated by the intruder. Here we see the significance of the word "extrusion" in the book's title. That is, in addition to watching connections inbound from the Internet, we watch for suspicious activity exiting the protected network.

Audience

This book is for architects, engineers, analysts, operators, and managers with intermediate to advanced knowledge of network security. Architects will learn ways to design networks better suited to surviving client-side (and server-side) attacks. Primarily using open source software, engineers will learn how to build solutions for controlling and instrumenting internal networks. Analysts and operators will learn how to interpret the data collected in order to discover and escalate indicators of compromise. Managers will read case studies of real malicious software and the consequences of poor internal security.

All readers will learn about the theory, techniques, and tools for implementing network security monitoring (NSM) for internal intrusions. Executives may use the material to assess the state of their networks in relation to the book's recommended best practices. Auditors can determine if their clients are collecting the network-based information that's needed for the appropriate control, detection, and response to intrusions.

Prerequisites

I have attempted to avoid duplication of material presented in other books, including The Tao. My purpose here is to publish as much new thought on internal security as possible and to have this book be a complement to previously published books. I expect my audience to bring a certain amount of knowledge to the table.

Core skills readers should possess in order to get the most from the book are:

• Scripting and Programming: Familiarity with simple shell scripting is helpful when automating certain tasks.
• Weapons and Tactics: Knowledge of tools and techniques for network attack and defense is assumed.
• System Administration: Readers should be comfortable with installing software on the operating systems they use.
• Telecommunications: An understanding of Transmission Control Protocol/Internet Protocol (TCP/IP) networking is absolutely essential.
• Management and Policy: Appreciation of the laws, regulations, and other restrictions associated with network security is highly recommended.

Readers who believe they may be lacking in any of these areas can benefit from my recommended reading list, which is constantly updated and available at http://www.bejtlich.net/reading.html.

If I were to recommend a single book to read prior to this one, it would be The Tao of Network Security Monitoring: Beyond Intrusion Detection. In many ways, Extrusion Detection is an attempt to extend The Tao to the addressing of internal threats. While Extrusion Detection will function as a stand-alone work, your network security monitoring operations will greatly benefit from your reading The Tao.

A Note on Operating Systems

Where possible, the reference platform for this book is FreeBSD 5.3 or 5.4 RELEASE. In the cases where Linux is required, I use Slackware Linux 10.0. Some of the latest innovations in host-centric access control are supported only on commercial operating systems such as Microsoft Windows.

Generally speaking, any tool that compiles on FreeBSD will work on the Unix variant you choose. Tools that are closely tied to the OS kernel, such as the Packet Filter (Pf) firewall (http://www.openbsd.org/faq/pf/), may not be available on any OS other than those specified later in the book.

Scope

Extrusion Detection is divided into three parts that are followed by an epilogue and appendices. You can focus on the areas that interest you, because the sections are modular. You may wonder why greater attention is not paid to popular tools like Nmap or Snort. With Extrusion Detection, I hope to continue breaking new ground by highlighting ideas and tools seldom seen elsewhere. If I don't address a widely popular product, it's because it has received plenty of coverage in another book.

Part I mixes theory with architectural considerations. Chapter 1 is a recap of the major theories, tools, and techniques from The Tao. It is important for readers to understand that NSM has a specific technical meaning and that NSM is not the same process as intrusion detection or prevention. Chapter 2 describes the architectural requirements for designing a network best suited to detect, control, and respond to intrusions. Chapter 3 explains the theory of extrusion detection and sets the stage for the remainder of the book. Chapter 4 describes how to gain visibility to internal traffic. Part I concludes with Chapter 5, original material by financial security architect Ken Meyers that explains how internal network design can enhance the control and detection of internal threats.

Part II is aimed at security analysts and operators; it is traffic-oriented and requires basic understanding of TCP/IP and packet analysis. Chapter 6 offers a method of dissecting session and full content data to unearth unauthorized activity. From a network-centric perspective, Chapter 7 offers guidance on responding to intrusions. Chapter 8 concludes Part II by demonstrating principles of network forensics. The last two chapter...

Product Details

• Paperback: 416 pages
• Publisher: Addison-Wesley Professional (November 18, 2005)
• Language: English
• ISBN-10: 0321349962
• ISBN-13: 978-0321349965
• Product Dimensions: 9.3 x 7 x 0.9 inches
• Shipping Weight: 1.6 pounds (View shipping rates and policies)
• Average Customer Review: 4.5 out of 5 stars  See all reviews (11 customer reviews)
• Amazon Best Sellers Rank: #582,646 in Books (See Top 100 in Books)

More About the Author

Richard Bejtlich is Chief Security Officer and Security Services Architect for MANDIANT. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Prior to GE, Richard operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his blog (taosecurity.blogspot.com) and teaches for Black Hat.

Customer Reviews

Most Helpful Customer Reviews

12 of 12 people found the following review helpful:

4.0 out of 5 stars An extraordinary book ..., December 5, 2005

By 

Christos Partsenidis (Thessaloniki, Greece - www.Firewall.cx) - See all my reviews
(REAL NAME)   

This review is from: Extrusion Detection: Security Monitoring for Internal Intrusions (Paperback)

Following the success of 'The Tao of Network Security Monitoring' last year, world renowned security expert Richard Bejtlich raises once again the standard for security professionals, this time by focusing on analyzing threats coming from within our network - a kind of underestimated area.

Traditionally, the point of network security is about keeping the bad guys out of a network ¡V ¡¥out¡¦ being where we hope they are to start with. Possible points of entry are considered to be devices accessible from the outside in some way, mostly servers and perhaps routers. Workstations with no address on the network have no apparent footprint that would betray their existence, so if potential intruders don't even know the hosts exist, and are unable to make any connection to them, how could they possibly exploit them? The truth is they can, in many ways, using not only technical skills but imagination and ability to exploit the human factor - against which no automated procedure or device can defend for long.

Furthermore, many administrators put all their effort and resources into trying to design an impenetrable network infrastructure, but ignore the fact that every prevention measure is bound to fail at any moment. These administrators put little or no thought into the possibility of a real intrusion and, as a result, when it occurs the network infrastructure they've built doesn't allow them to cut their losses to a minimum, regain control in a timely manner and collect credible evidence that may lead to a future investigation.

This, Richard Bejtlich's second book on the subject of network security, attempts to establish into readers' minds a solid grounding on how things are, while emphasizing common misconceptions of the past. By intentionally introducing concepts like 'Extrusion Detection', 'Defensible Network' and 'Pervasive Network Awareness' instead of relying on popular synonyms/counterparts, he addresses issues that have not been addressed - or given the appropriate importance - elsewhere.

Extrusion Detection is an extraordinary book in the sense that it moves in parallel between theory and practice, suggesting ways of thinking or functioning and explaining how these could be implemented utilizing available software.

Who should read this book?

Everyone will find in this book valuable ideas never considered before. Well, of course this is a network-security book, so those that will directly benefit from it are administrators and architects of large networks - or anyone that expects to find himself in such position.

What will you learn from this book?

Richard Bejtlich's book will take you deeply into the following skills:

- Designing defensible network infrastructures. As you will find out, a defensible network is a superset, and more accurate version, of what is referred to elsewhere as a 'secure network'. Given the fact that there can be no totally secure network, a defensible network is the best security status that can possibly be achieved through designing, monitoring, controlling and policing procedures.
- Deploying Intrusion Detection/Prevention Systems in a way that will maximize their efficiency.
- Following a series of technical practices to minimize the possibility of exposure of internal networks to the outside. Also dealing with the network effects of host-centric security threats like viruses, malware, trojans and worms, through traffic-control means.
- Designing and following security policies that will minimize the resistance, detection and counter-reaction abilities of internal networks to any intruders.
- Overcoming possible technical obstacles in order to have an appropriately monitored network, in other words achieving Pervasive Network Awareness. Available hardware and software products, as well as methods for their optimum deployment, are described in detail.
- Utilizing well-established techniques, like routing and traffic filtering/control in multiple layers to increase the network's defensibility.
- Capturing, analyzing, safekeeping and concentrating traffic in various levels. Making distinctions between malicious and legitimate traffic, detecting misconfiguration anomalies and taking the appropriate course of action in each circumstance.
- Responding, in the event of an intrusion, in a way that will minimize the consequences and the extent of the intrusion while gathering, analyzing and preserving all possible evidence. Classifying/assessing any possible threat and making the best decisions in real-time.
- Presenting evidence and conclusions derived by technical means, in a courtroom or to another, non-technical audience.

Recommended skills to get the most out of this book:

- Familiarity with basic networking and security concepts is required. You need to understand how TCP/IP works, how traffic filtering applies and how intruders commonly attack.
- Familiarity with open source operating systems is highly recommended. Though the book is written in such a way that its concepts apply beyond specific operating systems or other software and any specific instructions serve only as examples, it is true that some of the best security-related products are only available for unix platforms, so you should know how to find your way around installing and configuring them.
- Host-based security practices are not discussed, the reader is expected to know how to productively administer and secure the operating systems he deploys.
- Some of the techniques discussed involve writing basic scripts to make their deployment worthwhile and/or possible. Basic understanding of programming principles and familiarity with some scripting language is highly recommended.
- Extrusion detection does not differ in concept from intrusion detection. Any experience in intrusion detection techniques can easily be applied to extrusion detection and would be beneficial. Readers that are looking for a more thorough reading regarding those techniques are highly encouraged to read Richard Bejtlich's 'The TAO of Network Security Monitoring'.

Conclusion: This is a must-read for all security professionals or enthusiasts, networking architects and administrators that like to know what's going on in their network. I am confident that 90% of everyone that read it will make haste to implement many of the valuable ideas suggested, right after they finish reading!

10 of 10 people found the following review helpful:

4.0 out of 5 stars This book should be called The Engineers Guide to Implementing Security to Detect and Prevent Malicious Traffic in Your Network!, November 21, 2005

By 

Charles Hornat - www.infosecwriters.com (NY, USA) - See all my reviews

This review is from: Extrusion Detection: Security Monitoring for Internal Intrusions (Paperback)

First, this book should be called The Engineers Guide to Implementing Security to Detect and Prevent Malicious Traffic in Your Network. This is a very thorough book on how to detect malicious traffic leaving a network (hence Extrusion), with great illustrations and walkthroughs. There are chapters on planning, deployment, tuning and other key, often overlooked, aspects surrounding the wonderful world of Intrusion Detection.

The first hint that this book was a bit different is noticed in the Foreward. Marcus Ranum wrote the forward, or I should say guided the direction of the Foreward. Marcus opts for an interview with the author, versus "telling you a bunch of stuff about the book". The Foreward is a must when browsing this book. Very creative, something perhaps missing in the world of Information Security these days.

After the foreward, chapters include Defensible Network Architecture, a brief overview of IDS, Enterprise network Instrumentation (packet captures, tools and some techniques), Layer 3 Network Access Control, Traffic Threat Assessment, Network Incident Response, Network Forensics, and Internal Intrusions that discuss Traffic Threat Assessment Case Study and Malicious Bots. There are several Appendixes as well (a requirement for all technical books) that include how to Collect Session Data, minimal Snort Installation Guide, Enumeration Methods (identifying systems on a network), and Open Source Host Enumeration (doing it for free).

The author uses firewall technology, proxy technology, and IDS technology to define how to monitor and control traffic entering or leaving a network. Specific configurations that could be copied line by line and implemented into a network are provided.

Richard leaves nothing to the imagination in this book. All too often, the author understands the topic so well, they have an extreme difficult time relaying that, or make assumptions the readers understand it at their level. Richard does not make these same mistakes. In fact, where possible, there are packet captures, diagrams, or even a snapshot of the hardware being referenced.

All in all, if you are someone you know is responsible for managing, or deploying and Intrusion Detection scheme, this book will be extremely handy. Not only from the technical point of view, but from the architectural and management point of view. The only real chapter I had concerns with was the Incident Response chapter. It was designed for a technical person, versus a manager or someone developing a plan overall. Given this book is 100% geared for the technical, it is probably right on.

9 of 9 people found the following review helpful:

4.0 out of 5 stars Superb title, useful for all in security, December 1, 2005

By 

Dr Anton Chuvakin "Dr. Anton Chuvakin" (CA, USA) - See all my reviews

This review is from: Extrusion Detection: Security Monitoring for Internal Intrusions (Paperback)

Now, they say that one way to be happy is to have low expectations about stuff. In case of me and this book, the opposite has happened: my expectations were really high. In fact, I was counting days until the book's arrival. Do not get me wrong, it's an excellent book, but it seems to fall slightly short of my lofty expectations.

My first unmet expectation was the term `extrusion' itself. I suspected that the book will have more coverage of real insider attacks, and not just infected misbehaving client PCs. The author does say that some use the term `extrusion' to refer to intellectual property theft (or `IP leakage') in his section on the `History of Extrusion Detection', but does not follow up on that. His definition of `extrusion detection' seem to be closer to the `detection of consequences of intrusion in the form of outbound connections', such as after a client-targeting attack, rather than a separate phenomenon of a trusted insider attack.

The second thing I did not quite like was too much overlapping material with Richard's previous book, `Tao of Network Security Monitoring.' For example, security process and security principles sections seem to be taken from his Tao book (which is a superb book, by itself!). Similarly, in my opinion, an in depth coverage of NSM methodology and `network forensics', presented in the Tao book should not have been repeated since the differences between applying NSM for intrusion and extrusion detection are really minor.

And, I liked pretty much everything else: detailed examples of `traffic threat assessment', unmatched technical accuracy, easy to follow style, etc. Coverage of bots in chapter 10 deserves a favorable mention as well as a strategy for network incident response. And, of course, Marcus Ranum interview as a preface was a brilliant idea. It was fun to read!

Overall, the book is highly recommended to all involved in maintaining security and responding to incidents. The book covers only the defense side, and only briefly mentions the attacker side.

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. In his current role as a Security Strategist with netForensics, a security information management company, he is involved with defining future features and conducting security research. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal at info-secure.org and a blog at O'Reilly