Title: Extrusion Detection, Security Monitoring for Internal Intrusions
Authors: Richard Bejtlich
Publisher: Addison-Wesley Professional
Published: November 18, 2005
Edition: 1st Edition
Following the success of ‘ The Tao of Network Security Monitoring' last year, world renowned security expert Richard Bejtlich raises once again the standard for security professionals, this time by focusing on analyzing threats coming from within our network - a kind of underestimated area.
Traditionally, the point of network security is about keeping the bad guys out of a network – ‘out' being where we hope they are to start with. Possible points of entry are considered to be devices accessible from the outside in some way, mostly servers and perhaps routers. Workstations with no address on the network have no apparent footprint that would betray their existence, so if potential intruders don't even know the hosts exist, and are unable to make any connection to them, how could they possibly exploit them? The truth is they can, in many ways, using not only technical skills but imagination and ability to exploit the human factor - against which no automated procedure or device can defend for long.
Furthermore, many administrators put all their effort and resources into trying to design an impenetrable network infrastructure, but ignore the fact that every prevention measure is bound to fail at any moment. These administrators put little or no thought into the possibility of a real intrusion and, as a result, when it occurs the network infrastructure they've built doesn't allow them to cut their losses to a minimum, regain control in a timely manner and collect credible evidence that may lead to a future investigation.
This, Richard Bejtlich's second book on the subject of network security, attempts to establish into readers' minds a solid grounding on how things are, while emphasizing common misconceptions of the past. By intentionally introducing concepts like “Extrusion Detection”, “Defensible Network” and “Pervasive Network Awareness” instead of relying on popular synonyms/counterparts, he addresses issues that have not been addressed - or given the appropriate importance - elsewhere.
Extrusion Detection is an extraordinary book in the sense that it moves in parallel between theory and practice, suggesting ways of thinking or functioning and explaining how these could be implemented utilizing available software.
Who should read this book?
Everyone will find in this book valuable ideas never considered before. Well, of course this is a network-security book, so those that will directly benefit from it are administrators and architects of large networks - or anyone that expects to find himself in such position.
What will you learn from this book?
Richard Bejtlich's book will take you deeply into the following skills:
• Designing defensible network infrastructures. As you will find out, a defensible network is a superset, and more accurate version, of what is referred to elsewhere as a “secure network”. Given the fact that there can be no totally secure network, a defensible network is the best security status that can possibly be achieved through designing, monitoring, controlling and policing procedures.
• Deploying Intrusion Detection/Prevention Systems in a way that will maximize their efficiency.
• Following a series of technical practices to minimize the possibility of exposure of internal networks to the outside. Also dealing with the network effects of host-centric security threats like viruses, trojans and worms, through traffic-control means.
• Designing and following security policies that will minimize the resistance, detection and counter-act abilities of internal networks to any intruders.
• Overcoming possible technical obstacles in order to have an appropriately monitored network, in other words achieving Pervasive Network Awareness . Available hardware and software products, as well as methods for their optimum deployment, are described in detail.
• Utilizing well-established techniques, like routing and traffic filtering/control in multiple layers to increase the network's defensibility.
• Capturing, analyzing, safekeeping and concentrating traffic in various levels. Making distinctions between malicious and legitimate traffic, detecting misconfiguration anomalies and taking the appropriate course of action in each circumstance.
• Responding, in the event of an intrusion, in a way that will minimize the consequences and the extent of the intrusion while gathering, analyzing and preserving all possible evidence. Classifying/assessing any possible threat and making the best decisions in real-time.
• Presenting evidence and conclusions derived by technical means, in a courtroom or to another, non-technical audience.
Recommended skills to get the most out of this book:
• Familiarity with basic networking and security concepts is required. You need to understand how TCP/IP works, how traffic filtering applies and how intruders commonly attack.
• Familiarity with open source operating systems is highly recommended. Though the book is written in such a way that its concepts apply beyond specific operating systems or other software and any specific instructions serve only as examples, it is true that some of the best security-related products are only available for unix platforms, so you should know how to find your way around installing and configuring them.
• Host-based security practices are not discussed, the reader is expected to know how to productively administer and secure the operating systems he deploys.
• Some of the techniques discussed involve writing basic scripts to make their deployment worthwhile and/or possible. Basic understanding of programming principles and familiarity with some scripting language is highly recommended.
• Extrusion detection does not differ in concept from intrusion detection. Any experience in intrusion detection techniques can easily be applied to extrusion detection and would be beneficial. Readers that are looking for a more thorough reading regarding those techniques are highly encouraged to read Richard Bejtlich's “ The TAO of Network Security Monitoring”.
Conclusion: This is a must-read for all security professionals or enthusiasts, networking architects and administrators that like to know what's going on in their network. I am confident that 90% of everyone that read it will make haste to implement many of the valuable ideas suggested, right after they finish reading!