"Extrusion Detection", Richard Bejtlich, 2006, 0-321-34996-2,
%A Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@...
%O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 385 p.
%T "Extrusion Detection:Security Monitoring for Internal Intrusions"
According to the preface, this book explains the use of extrusion
detection (related to egress scanning), to detect intruders who are
using client-side attacks to enter or work within your network. The
audience is intended to be architects, engineers, analysts, operators
and managers with an intermediate to advanced knowledge of network
security. Background for readers should include knowledge of
scripting, network attack tools and controls, basic system
administration, TCP/IP, as well as management and policy. (It should
also be understood that those who will get the most out of the text
should know not only the concepts of TCP/IP, but advanced level
details of packet and log structures.) Bejtlich notes that he is not
explicitly addressing malware or phishing, and provides references for
those areas. (It appears that the work is not directed at information
which might detect insider attacks.)
Part one is about detecting and controlling intrusions. Chapter one
reviews network security monitoring, with a basic introduction to
security (brief but clear), and then gives an overview of monitoring
and listing of some tools. Defensible network architecture, in
chapter two, provides lucid explanations of the basics, but the later
sections delve deeply into packets, scripts and configurations.
Managers will understand the fundmental points being made, but pages
of the material will be impenetrable unless you have serious hands-on
experience with traffic analysis. Extrusion detection itself is
illustrated with intelligible concepts and examples (and a useful
survey of the literature) in chapter three. Chapter four examines
both hardware and software instruments for viewing enterprise network
traffic. Useful but limited instances of layer three network access
controls are reviewed in chapter five.
Part two addresses network security operations. Chapter six delves
into traffic threat assessment, and, oddly, at this point explains the
details of logs, packets, and sessions clearly and in more detail. A
decent outline of the advance planning and basic concepts necessary
for network incident response is detailed in chapter seven (although
the material is generic and has limited relation to the rest of the
content of the book). Network forensics gets an excellent overview in
chapter eight: not just technical points, but stressing the importance
of documentation and transparent procedures.
Part three turns to internal intrusions. Chapter nine is a case study
of a traffic threat assessment. It is, somewhat of necessity,
dependent upon detailed examination of logs, but the material demands
an advanced background in packet analysis. The (somewhat outdated)
use of IRC channels in botnet command and control is reviewed in
Bejtlich's prose is clear, informative, and even has touches of
humour. The content is well-organized. (There is a tendency to use
idiosyncratic acronyms, sometimes before they've been expanded or
defined.) This work is demanding, particularly for those still at the
intermediate level, but does examine an area of security which does
not get sufficient attention.
copyright, Robert M. Slade 2010 BKEXTDET.RVW 20101023
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
You're always a little disappointing in person because you can't
be the edited essence of yourself. - Mel Brooks