Customer Reviews

Extrusion Detection: Security Monitoring for Internal Intrusions

5 star:		(6)
4 star:		(5)
3 star:		(0)
2 star:		(0)
1 star:		(0)

 

 

Following the success of 'The Tao of Network Security Monitoring' last year, world renowned security expert Richard Bejtlich raises once again the standard for security professionals, this time by focusing on analyzing threats coming from within our network - a kind of underestimated area.

Traditionally, the point of network security is about keeping the bad guys out of a network ¡V ¡¥out¡¦ being where we hope they are to start with. Possible points of entry are considered to be devices accessible from the outside in some way, mostly servers and perhaps routers. Workstations with no address on the network have no apparent footprint that would betray their existence, so if potential intruders don't even know the hosts exist, and are unable to make any connection to them, how could they possibly exploit them? The truth is they can, in many ways, using not only technical skills but imagination and ability to exploit the human factor - against which no automated procedure or device can defend for long.

Furthermore, many administrators put all their effort and resources into trying to design an impenetrable network infrastructure, but ignore the fact that every prevention measure is bound to fail at any moment. These administrators put little or no thought into the possibility of a real intrusion and, as a result, when it occurs the network infrastructure they've built doesn't allow them to cut their losses to a minimum, regain control in a timely manner and collect credible evidence that may lead to a future investigation.

This, Richard Bejtlich's second book on the subject of network security, attempts to establish into readers' minds a solid grounding on how things are, while emphasizing common misconceptions of the past. By intentionally introducing concepts like 'Extrusion Detection', 'Defensible Network' and 'Pervasive Network Awareness' instead of relying on popular synonyms/counterparts, he addresses issues that have not been addressed - or given the appropriate importance - elsewhere.

Extrusion Detection is an extraordinary book in the sense that it moves in parallel between theory and practice, suggesting ways of thinking or functioning and explaining how these could be implemented utilizing available software.

Who should read this book?

Everyone will find in this book valuable ideas never considered before. Well, of course this is a network-security book, so those that will directly benefit from it are administrators and architects of large networks - or anyone that expects to find himself in such position.

What will you learn from this book?

Richard Bejtlich's book will take you deeply into the following skills:

- Designing defensible network infrastructures. As you will find out, a defensible network is a superset, and more accurate version, of what is referred to elsewhere as a 'secure network'. Given the fact that there can be no totally secure network, a defensible network is the best security status that can possibly be achieved through designing, monitoring, controlling and policing procedures.
- Deploying Intrusion Detection/Prevention Systems in a way that will maximize their efficiency.
- Following a series of technical practices to minimize the possibility of exposure of internal networks to the outside. Also dealing with the network effects of host-centric security threats like viruses, malware, trojans and worms, through traffic-control means.
- Designing and following security policies that will minimize the resistance, detection and counter-reaction abilities of internal networks to any intruders.
- Overcoming possible technical obstacles in order to have an appropriately monitored network, in other words achieving Pervasive Network Awareness. Available hardware and software products, as well as methods for their optimum deployment, are described in detail.
- Utilizing well-established techniques, like routing and traffic filtering/control in multiple layers to increase the network's defensibility.
- Capturing, analyzing, safekeeping and concentrating traffic in various levels. Making distinctions between malicious and legitimate traffic, detecting misconfiguration anomalies and taking the appropriate course of action in each circumstance.
- Responding, in the event of an intrusion, in a way that will minimize the consequences and the extent of the intrusion while gathering, analyzing and preserving all possible evidence. Classifying/assessing any possible threat and making the best decisions in real-time.
- Presenting evidence and conclusions derived by technical means, in a courtroom or to another, non-technical audience.

Recommended skills to get the most out of this book:

- Familiarity with basic networking and security concepts is required. You need to understand how TCP/IP works, how traffic filtering applies and how intruders commonly attack.
- Familiarity with open source operating systems is highly recommended. Though the book is written in such a way that its concepts apply beyond specific operating systems or other software and any specific instructions serve only as examples, it is true that some of the best security-related products are only available for unix platforms, so you should know how to find your way around installing and configuring them.
- Host-based security practices are not discussed, the reader is expected to know how to productively administer and secure the operating systems he deploys.
- Some of the techniques discussed involve writing basic scripts to make their deployment worthwhile and/or possible. Basic understanding of programming principles and familiarity with some scripting language is highly recommended.
- Extrusion detection does not differ in concept from intrusion detection. Any experience in intrusion detection techniques can easily be applied to extrusion detection and would be beneficial. Readers that are looking for a more thorough reading regarding those techniques are highly encouraged to read Richard Bejtlich's 'The TAO of Network Security Monitoring'.

Conclusion: This is a must-read for all security professionals or enthusiasts, networking architects and administrators that like to know what's going on in their network. I am confident that 90% of everyone that read it will make haste to implement many of the valuable ideas suggested, right after they finish reading!

First, this book should be called The Engineers Guide to Implementing Security to Detect and Prevent Malicious Traffic in Your Network. This is a very thorough book on how to detect malicious traffic leaving a network (hence Extrusion), with great illustrations and walkthroughs. There are chapters on planning, deployment, tuning and other key, often overlooked, aspects surrounding the wonderful world of Intrusion Detection.

The first hint that this book was a bit different is noticed in the Foreward. Marcus Ranum wrote the forward, or I should say guided the direction of the Foreward. Marcus opts for an interview with the author, versus "telling you a bunch of stuff about the book". The Foreward is a must when browsing this book. Very creative, something perhaps missing in the world of Information Security these days.

After the foreward, chapters include Defensible Network Architecture, a brief overview of IDS, Enterprise network Instrumentation (packet captures, tools and some techniques), Layer 3 Network Access Control, Traffic Threat Assessment, Network Incident Response, Network Forensics, and Internal Intrusions that discuss Traffic Threat Assessment Case Study and Malicious Bots. There are several Appendixes as well (a requirement for all technical books) that include how to Collect Session Data, minimal Snort Installation Guide, Enumeration Methods (identifying systems on a network), and Open Source Host Enumeration (doing it for free).

The author uses firewall technology, proxy technology, and IDS technology to define how to monitor and control traffic entering or leaving a network. Specific configurations that could be copied line by line and implemented into a network are provided.

Richard leaves nothing to the imagination in this book. All too often, the author understands the topic so well, they have an extreme difficult time relaying that, or make assumptions the readers understand it at their level. Richard does not make these same mistakes. In fact, where possible, there are packet captures, diagrams, or even a snapshot of the hardware being referenced.

All in all, if you are someone you know is responsible for managing, or deploying and Intrusion Detection scheme, this book will be extremely handy. Not only from the technical point of view, but from the architectural and management point of view. The only real chapter I had concerns with was the Incident Response chapter. It was designed for a technical person, versus a manager or someone developing a plan overall. Given this book is 100% geared for the technical, it is probably right on.

Now, they say that one way to be happy is to have low expectations about stuff. In case of me and this book, the opposite has happened: my expectations were really high. In fact, I was counting days until the book's arrival. Do not get me wrong, it's an excellent book, but it seems to fall slightly short of my lofty expectations.

My first unmet expectation was the term `extrusion' itself. I suspected that the book will have more coverage of real insider attacks, and not just infected misbehaving client PCs. The author does say that some use the term `extrusion' to refer to intellectual property theft (or `IP leakage') in his section on the `History of Extrusion Detection', but does not follow up on that. His definition of `extrusion detection' seem to be closer to the `detection of consequences of intrusion in the form of outbound connections', such as after a client-targeting attack, rather than a separate phenomenon of a trusted insider attack.

The second thing I did not quite like was too much overlapping material with Richard's previous book, `Tao of Network Security Monitoring.' For example, security process and security principles sections seem to be taken from his Tao book (which is a superb book, by itself!). Similarly, in my opinion, an in depth coverage of NSM methodology and `network forensics', presented in the Tao book should not have been repeated since the differences between applying NSM for intrusion and extrusion detection are really minor.

And, I liked pretty much everything else: detailed examples of `traffic threat assessment', unmatched technical accuracy, easy to follow style, etc. Coverage of bots in chapter 10 deserves a favorable mention as well as a strategy for network incident response. And, of course, Marcus Ranum interview as a preface was a brilliant idea. It was fun to read!

Overall, the book is highly recommended to all involved in maintaining security and responding to incidents. The book covers only the defense side, and only briefly mentions the attacker side.

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. In his current role as a Security Strategist with netForensics, a security information management company, he is involved with defining future features and conducting security research. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal at info-secure.org and a blog at O'Reilly

This book is a fine complement to Bejtlich's Tao of Network Security Monitoring. At first, one might think there would be considerable overlap between the two. After all, both concern crackers attacking a company's network that sits on the Internet. Yet the author takes pains to point out key differences. Tao was about an external attacker going at your servers, where these might be web or database [or other types of] servers.

The current text describes a qualitatively different game. Where a typical scenario might be one of your users, at her machine which is inside your network, surfing the Web. An attacker might try to target bugs in her browser, in order to install malware on her machine. This malware might then surveil that machine and others on the network, and hence ring home to the attacker's website. So extrusion detection involves at the very least defending your client machines, instead of your servers.

Bejtlich gives detailed examples of how to use various tools, typically open source, to monitor your internal traffic, looking for tell tale signs of extrusion.

Along the way, there is a nice description of two ways to use a sink hole. One is by an ISP, who is facing a Denial of Service attack against one of its customer's addresses. For this, a sink hole can be configured to divert those incoming packets, and protect the ISP's other customers. In a recent book, "Internet Denial of Service" by Mirkovic et al, various anti-DoS methods were cited, and this usage of a sink hole is an excellent example of another such method. While DoS is not an internal attack, it is still a very serious problem, and it is helpful to see a clear description of how to use a sink hole against it.

The other method of using a sink hole involves configuring it to attract traffic from internal machines that have been subverted. Here, this is entirely in keeping with the book's remit.

I have had the pleasure of reading Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich. Richard Bejtlich picks up where he last left off with his first book Tao of Network Security Monitor: Beyond Intrusion Detection. His new book deals with a subject that many businesses don't wish to think about, and what over 50% of attacks come from, Security breaches that come from the inside an organization. It is very unfortunate that this fact was not taken into consideration in Microsoft's XP SP2 firewall.

Richard starts with a short review of network definitions. One concept I really like is the Defensible Network which he states is not necessarily a secure network, "quite accurate".

Richard includes a listing networking monitoring tools with where you can go to obtain them; Full Content Data, Session Data, and Statistical.

This book includes good illustrations, explained pieces of code (more toward the second half of the book), and includes pictures of familiar hardware.

A new definition for me was "the sink hole", that redirects unknown traffic away from the customers.

This book is a good read and a very good book to keep in one's reference library. I will be obtaining Richard Bejtlich's Tao of Network Security Monitor: Beyond Intrusion Detection and I suspect this will be just as good.

This is one of the authoritative books on Intrusion Detection and Incident Response, focusing on the insider threat. If you work in a SOC, do any kind of IDS analysis or InfoSec work, I highly recommend not only this book, but Richards entire collected work as "required reading".
Remember, 80% of attacks come from the inside!

Experience: 5 Years of IDS analysis & SOC leadership, 10 years of Security & SIEM Engineering

You don't need to be an Analyst within the government to find value here. The book gets into understanding ports, protocols and how they work to assist in determining odd traffic on the network. Today we have tools like ArcSight with serve up a lot of data to comb thru yet their courses do not teach you how to be an analyst. This book is based on teach anyone how to become a very good analyst.

I started as an Analyst in 2003 and the first real event was one trying to get out of the network. So this book, while dated, has some great tools for IA analysts out there to use everyday. It's interesting how network flow is just becoming a tool we use regularly today. Mr. Bejtlich provides alot of basic tools here for anyone to learn and then use on their network.

Can't wait to attend one of his classes.

This is my 2nd book by Bejtlich that I have read, with the first being The Tao of Network Security Monitoring: Beyond Intrusion Detection While the Tao of NSM focused mainly on detecting attacks coming in from the perimeter, this book focused on Network Security Monitoring principles as applied to traffic going out of the network.

Bejtlich starts out by doing an overview of Network Security Monitoring, referencing his earlier book as a more in-depth treatise on NSM. He then goes on to the theory and illustration of "Extrusion Detection." ("'The process of identifying unauthorized activity by inspecting outbound network traffic.") We see Extrusion Detection illustrated with the 4 types of NSM data. (Full Content, Session, Statistical, and Alert)

We then moved onto "Enterprise Network Instrumentation," which included discussions on network/packet capture equipment, some I had never seen before: SPAN Regeneration Taps, Link Aggregator Taps, etc.

The next section was probably my favorite: Enterprise Sink Holes. What a fantastic way to discover a local compromised host scanning your internal network. This section also had some great ways to do short-term containment (with a Sink Hole) on a loose worm. (The coolest, in my opinion, being Unicast Reverse Path Forwarding)

Next we have sections on Traffic Threat Assessments, Network Incident Response, and Network Forensics. The book finishes up with a case study on traffic threat assessment and a discussion on Malicious Bots.

I have to give this book 5 stars out of 5 for it's fresh and unique look at internal and outbound intrusions. Richard doesn't rehash what a thousand other network security pros have written.

Josh

This is a solid book and a detailed read. I was on the fence about giving it 4 or 5 stars; if I could I'd give it 4.5. While it didn't blow my socks off, I would suggest it to anybody interested in security monitoring in general. In terms of monitoring internal threats specifically it also has some useful information.

Thanks a lot, we are very happy to have this book in our library!