“Extrusion Detection”, Richard Bejtlich
“Extrusion Detection”, Richard Bejtlich, 2006, 0-321-34996-2,
%A Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 416-447-5101 800-822-6339 firstname.lastname@example.org
%O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 385 p.
%T “Extrusion Detection: Security Monitoring for Internal Intrusions”
According to the preface, this book explains the use of extrusion detection (related to egress scanning), to detect intruders who are using client-side attacks to enter or work within your network. The audience is intended to be architects, engineers, analysts, operators and managers with an intermediate to advanced knowledge of network security. Background for readers should include knowledge of scripting, network attack tools and controls, basic system administration, TCP/IP, as well as management and policy. (It should also be understood that those who will get the most out of the text should know not only the concepts of TCP/IP, but advanced level details of packet and log structures.) Bejtlich notes that he is not explicitly addressing malware or phishing, and provides references for those areas. (It appears that the work is not directed at information which might detect insider attacks.)
Part one is about detecting and controlling intrusions. Chapter one reviews network security monitoring, with a basic introduction to security (brief but clear), and then gives an overview of monitoring and a list of some tools. Defensible network architecture, in chapter two, provides lucid explanations of the basics, but the later sections delve deeply into packets, scripts and configurations. Managers will understand the fundamental points being made, but pages of the material will be impenetrable unless you have serious hands-on experience with traffic analysis. Extrusion detection itself is illustrated with intelligible concepts and examples (and a useful survey of the literature) in chapter three. Chapter four examines both hardware and software instruments for viewing enterprise network traffic. Useful but limited instances of layer three network access controls are reviewed in chapter five.
Part two addresses network security operations. Chapter six delves into traffic threat assessment, and, oddly, only at this point explains logs, packets, and sessions clearly and in more detail. A decent outline of the advance planning and basic concepts necessary for network incident response is given in chapter seven (although the material is generic and has limited relation to the rest of the content of the book). Network forensics gets an excellent overview in chapter eight: not just technical points, but stressing the importance of documentation and transparent procedures.
Part three turns to internal intrusions. Chapter nine is a case study of a traffic threat assessment. It is, somewhat of necessity, dependent upon detailed examination of logs, but the material demands an advanced background in packet analysis. The (somewhat outdated) use of IRC channels in botnet command and control is reviewed in chapter ten.
Bejtlich’s prose is clear, informative, and even has touches of humour. The content is well-organized. (There is a tendency to use idiosyncratic acronyms, sometimes before they’ve been expanded or defined.) This work is demanding, particularly for those still at the intermediate level, but does examine an area of security which does not get sufficient attention.
copyright, Robert M. Slade 2010 BKEXTDET.RVW 20101023