Extrusion Detection: Security Monitoring for Internal Intrusions

Author: Richard Bejtlich
Language: English. Paperback, 31 Oct 2005

Beginning in 2000, and ramping up from 2004, corporate and home users have been subjected to increasing numbers of "client-side" attacks. No longer are services offered by computers the only means of attack. Now, the applications upon which users rely, like Web browsers, e-mail clients, chat programs, and so on, are the targets. Instead of an intruder attacking the Web server running on a company's Internet-facing server, the intruder attacks the Web browser of an internal user surfing intentionally or accidentally to a malicious Web site. This book is all about preventing, detecting, and mitigating breaches that result from e-mailed Trojans, spyware, malicious Web sites, etc. It's about dealing with all the problems exploits cause, since these days the most devastating attacks are accidentally launched by employees inside a company.
Specifications

ISBN-13: 9780321349965
ISBN-10: 0321349962
Pages: 385
Illustrations: yes
Dimensions: 178 x 231 x 20 mm
Weight: 0.64 kg
Edition: 1
Publisher: Addison-Wesley Professional
Place of publication: Boston, United States

Description

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks
Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.
Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.
Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.
Coverage includes
  • Architecting defensible networks with pervasive awareness: theory, techniques, and tools
  • Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
  • Dissecting session and full-content data to reveal unauthorized activity
  • Implementing effective Layer 3 network access control
  • Responding to internal attacks, including step-by-step network forensics
  • Assessing your network's current ability to resist internal attacks
  • Setting reasonable corporate access policies
  • Detailed case studies, including the discovery of internal and IRC-based bot nets
  • Advanced extrusion detection: from data collection to host and vulnerability enumeration
About the Web Site
Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.

Contents

Foreword.
Preface.
I. DETECTING AND CONTROLLING INTRUSIONS.
1. Network Security Monitoring Revisited.
    Why Extrusion Detection?
    Defining The Security Process
    Security Principles
    Network Security Monitoring Theory
    Network Security Monitoring Techniques
    Network Security Monitoring Tools
    Conclusion
2. Defensible Network Architecture.
    Monitoring the Defensible Network
    Controlling the Defensible Network
    Minimizing the Defensible Network
    Keeping the Defensible Network Current
    Conclusion
3. Extrusion Detection Illustrated.
    Intrusion Detection Defined
    Extrusion Detection Defined
    History of Extrusion Detection
    Extrusion Detection Through NSM
    Conclusion
4. Enterprise Network Instrumentation.
    Common Packet Capture Methods
    PCI Tap
    Dual Port Aggregator Tap
    2X1 10/100 Regeneration Tap
    2X1 10/100 SPAN Regeneration Tap
    Matrix Switch
    Link Aggregator Tap
    Distributed Traffic Collection with Pf Dup-To
    Squid SSL Termination Reverse Proxy
    Conclusion
5. Layer 3 Network Access Control.
    Internal Network Design
    Internet Service Provider Sink Holes
    Enterprise Sink Holes
    Using Sink Holes to Identify Internal Intrusions
    Internal Intrusion Containment
    Notes on Enterprise Sink Holes in the Field
    Conclusion
II. NETWORK SECURITY OPERATIONS.
6. Traffic Threat Assessment.
    Why Traffic Threat Assessment?
    Assumptions
    First Cuts
    Looking for Odd Traffic
    Inspecting Individual Services: NTP
    Inspecting Individual Services: ISAKMP
    Inspecting Individual Services: ICMP
    Inspecting Individual Services: Secure Shell
    Inspecting Individual Services: Whois
    Inspecting Individual Services: LDAP
    Inspecting Individual Services: Ports 3003 to 9126 TCP
    Inspecting Individual Services: Ports 44444 and 49993 TCP
    Inspecting Individual Services: DNS
    Inspecting Individual Services: SMTP
    Inspecting Individual Services: Wrap-Up
    Conclusion
7. Network Incident Response.
    Preparation for Network Incident Response
    Secure CSIRT Communications
    Intruder Profiles
    Incident Detection Methods
    Network First Response
    Network-Centric General Response and Remediation
    Conclusion
8. Network Forensics.
    What Is Network Forensics?
    Collecting Network Traffic as Evidence
    Protecting and Preserving Network-Based Evidence
    Analyzing Network-Based Evidence
    Presenting and Defending Conclusions
    Conclusion
III. INTERNAL INTRUSIONS.
9. Traffic Threat Assessment Case Study.
    Initial Discovery
    Making Sense of Argus Output
    Argus Meets Awk
    Examining Port 445 TCP Traffic
    Were the Targets Compromised?
    Tracking Down the Internal Victims
    Moving to Full Content Data
    Correlating Live Response Data with Network Evidence
    Conclusion
10. Malicious Bots.
    Introduction to IRC Bots
    Communication and Identification
    Server and Control Channels
    Exploitation and Propagation
    Final Thoughts on Bots
    Dialogue with a Bot Net Admin
    Conclusion
    Epilogue
Appendix A: Collecting Session Data in an Emergency.
Appendix B: Minimal Snort Installation Guide.
Appendix C: Survey of Enumeration Methods.
Appendix D: Open Source Host Enumeration.
Index.

About the Author

Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone--performing incident response, emergency NSM, and security research and training--and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy. He has authored or coauthored several security books, including The Tao of Network Security Monitoring (Addison-Wesley, 2004).
