book

The Practice of Network Security Monitoring

by Richard Bejtlich

July 2013

Intermediate to advanced

376 pages

9h 44m

English

No Starch Press

Read now

Unlock full access

AudiencePrerequisitesA Note on Software and ProtocolsScopeAcknowledgmentsDisclaimer
An Introduction to NSMDoes NSM Prevent Intrusions?What Is the Difference Between NSM and Continuous Monitoring?How Does NSM Compare with Other Approaches?Why Does NSM Work?How NSM Is Set UpInstalling a TapWhen NSM Won’t WorkIs NSM Legal?How Can You Protect User Privacy During NSM Operations?A Sample NSM TestThe Range of NSM DataFull Content DataReviewing a Data SummaryInspecting PacketsUsing a Graphical Tool to View the TrafficExtracted Content DataSession DataTransaction DataStatistical DataMetadataAlert DataWhat’s the Point of All This Data?NSM DrawbacksWhere Can I Buy NSM?Where Can I Go for Support or More Information?Conclusion
A Sample Network for a Pilot NSM SystemTraffic Flow in a Simple NetworkPossible Locations for NSMIP Addresses and Network Address TranslationNet BlocksIP Address AssignmentsAddress TranslationNetwork Address TranslationAddress Translation in Wireless and Internal NetworksChoosing the Best Place to Obtain Network VisibilityLocation for DMZ Network TrafficLocations for Viewing the Wireless and Internal Network TrafficGetting Physical Access to the TrafficUsing Switches for Traffic MonitoringUsing a Network TapCapturing Traffic Directly on a Client or ServerChoosing an NSM PlatformTen NSM Platform Management RecommendationsConclusion
Stand-alone or Server Plus Sensors?Choosing How to Get SO Code onto HardwareInstalling a Stand-alone SystemInstalling SO to a Hard DriveConfiguring SO SoftwareChoosing the Management InterfaceInstalling the NSM Software ComponentsChecking Your InstallationConclusion
Installing an SO Server Using the SO .iso ImageSO Server ConsiderationsBuilding Your SO ServerConfiguring Your SO ServerInstalling an SO Sensor Using the SO .iso ImageConfiguring the SO SensorCompleting SetupVerifying that the Sensors Are WorkingVerifying that the Autossh Tunnel Is WorkingBuilding an SO Server Using PPAsInstalling Ubuntu Server as the SO Server Operating SystemChoosing a Static IP AddressUpdating the SoftwareBeginning MySQL and PPA Setup on the SO ServerConfiguring Your SO Server via PPABuilding an SO Sensor Using PPAsInstalling Ubuntu Server as the SO Sensor Operating SystemConfiguring the System as a SensorRunning the Setup WizardConclusion
Keeping SO Up-to-DateUpdating via the GUIUpdating via the Command LineLimiting Access to SOConnecting via a SOCKS ProxyChanging the Firewall PolicyManaging SO Data StorageManaging Sensor StorageChecking Database Drive UsageManaging the Sguil DatabaseTracking Disk UsageConclusion

SO Tool CategoriesSO Data Presentation ToolsPacket Analysis ToolsNSM ConsolesSO Data Collection ToolsSO Data Delivery ToolsRunning TcpdumpDisplaying, Writing, and Reading Traffic with TcpdumpUsing Filters with TcpdumpApplying FiltersSome Common FiltersExtracting Details from Tcpdump OutputExamining Full Content Data with TcpdumpUsing Dumpcap and TsharkRunning TsharkRunning DumpcapRunning Tshark on Dumpcap’s TrafficUsing Display Filters with TsharkTshark Display Filters in ActionRunning Argus and the Ra ClientStopping and Starting ArgusThe Argus File FormatExamining Argus DataConclusion
Using WiresharkRunning WiresharkViewing a Packet Capture in WiresharkModifying the Default Wireshark LayoutModifying the Layout Using the GUIModifying the Preferences FileSome Useful Wireshark FeaturesViewing Lower-Level Protocol Features in DetailOmitting Traffic to See RemnantsFollowing StreamsSetting the Protocol Decode Method with Decode AsFollowing Other StreamsUsing XplicoRunning XplicoCreating Xplico Cases and SessionsProcessing Network TrafficUnderstanding the Decoded TrafficGetting Metadata and Summarizing TrafficExamining Content with NetworkMinerRunning NetworkMinerCollecting and Organizing Traffic DetailsRendering ContentConclusion
An NSM-centric Look at Network TrafficUsing SguilRunning SguilSguil’s Six Key FunctionsSimple AggregationMetadata and Related DataQuerying Alert Data in SguilQuerying Session Data in SguilPivoting to Full Content DataCategorizing Alert DataUsing SquertUsing SnorbyUsing ELSAConclusion
The Enterprise Security CycleThe Planning PhaseThe Resistance PhaseThe Detection and Response PhasesCollection, Analysis, Escalation, and ResolutionCollectionTechnical SourcesNontechnical SourcesAnalysisIntrusions and IncidentsEvent ClassificationEscalationDocumentation of IncidentsNotification of IncidentsIncident Communication ConsiderationsResolutionContainment TechniquesSpeed of ContainmentRemediationUsing NSM to Improve SecurityBuilding a CIRTConclusion
Server-side Compromise DefinedServer-side Compromise in ActionStarting with SguilQuerying Sguil for Session DataReturning to Alert DataReviewing Full Content Data with TsharkUnderstanding the BackdoorWhat Did the Intruder Do?Initial AccessEnumerating the VictimAccessing CredentialsWhat Else Did the Intruder Do?Exploring the Session DataSearching Bro DNS LogsSearching Bro SSH LogsSearching Bro FTP LogsDecoding the Theft of Sensitive DataExtracting the Stolen ArchiveStepping BackSummarizing Stage 1Summarizing Stage 2Next StepsConclusion
Client-side Compromise DefinedClient-side Compromise in ActionGetting the Incident Report from a UserStarting Analysis with ELSAQuerying for the IP AddressChecking the Bro HTTP LogChecking Snort AlertsSearching for Other ActivityLooking for Missing TrafficAnalyzing the Bro dns.log FileChecking Destination PortsExamining the Command-and-Control ChannelInitial AccessImproving the ShellSummarizing Stage 1Pivoting to a Second VictimInstalling a Covert TunnelEnumerating the VictimSummarizing Stage 2Conclusion
Using Bro to Track ExecutablesHashing Downloaded Executables with BroSubmitting a Hash to VirusTotalUsing Bro to Extract Binaries from TrafficConfiguring Bro to Extract Binaries from TrafficCollecting Traffic to Test BroTesting Bro to Extract Binaries from HTTP TrafficExamining the Binary Extracted from HTTPTesting Bro to Extract Binaries from FTP TrafficExamining the Binary Extracted from FTPSubmitting a Hash and Binary to VirusTotalRestarting BroUsing APT1 IntelligenceUsing the APT1 ModuleInstalling the APT1 ModuleGenerating Traffic to Test the APT1 ModuleTesting the APT1 ModuleReporting Downloads of Malicious BinariesUsing the Team Cymru Malware Hash RegistryThe MHR and SO: Active by DefaultThe MHR and SO vs. a Malicious DownloadIdentifying the BinaryConclusion
ProxiesProxies and VisibilityTraffic from the Client to the ProxyTraffic from the Proxy to the Web ServerDealing with Proxies in Production NetworksChecksumsA Good ChecksumA Bad ChecksumIdentifying Bad and Good Checksums with TsharkHow Bad Checksums HappenBro and Bad ChecksumsSetting Bro to Ignore Bad ChecksumsConclusion
Cloud ComputingCloud Computing ChallengesCloud Computing BenefitsWorkflow, Metrics, and CollaborationWorkflow and MetricsCollaborationConclusion
SO Control Scripts/usr/sbin/nsm/usr/sbin/nsm_all_del/usr/sbin/nsm_all_del_quick/usr/sbin/nsm_sensor/usr/sbin/nsm_sensor_add/usr/sbin/nsm_sensor_backup-config/usr/sbin/nsm_sensor_backup-data/usr/sbin/nsm_sensor_clean/usr/sbin/nsm_sensor_clear/usr/sbin/nsm_sensor_del/usr/sbin/nsm_sensor_edit/usr/sbin/nsm_sensor_ps-daily-restart/usr/sbin/nsm_sensor_ps-restart/usr/sbin/nsm_sensor_ps-start/usr/sbin/nsm_sensor_ps-status/usr/sbin/nsm_sensor_ps-stop/usr/sbin/nsm_server/usr/sbin/nsm_server_add/usr/sbin/nsm_server_backup-config/usr/sbin/nsm_server_backup-data/usr/sbin/nsm_server_clear/usr/sbin/nsm_server_del/usr/sbin/nsm_server_edit/usr/sbin/nsm_server_ps-restart/usr/sbin/nsm_server_ps-start/usr/sbin/nsm_server_ps-status/usr/sbin/nsm_server_ps-stop/usr/sbin/nsm_server_sensor-add/usr/sbin/nsm_server_sensor-del/usr/sbin/nsm_server_user-addSO Configuration Files/etc/nsm//etc/nsm/administration.conf/etc/nsm/ossec//etc/nsm/pulledpork//etc/nsm/rules//etc/nsm/securityonion//etc/nsm/securityonion.conf/etc/nsm/sensortab/etc/nsm/servertab/etc/nsm/templates//etc/nsm/$HOSTNAME-$INTERFACE/barnyard2.confbpf.conf fileshttp_agent.confpads_agent.confpcap_agent.confprads.confsancp_agent.confsensor.confsnort_agent.confsnort.confsuricata.yaml/etc/cron.d/BroCapMeELSASquertSnorbySyslog-ng/etc/network/interfaces

Overview

Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.

In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.

You'll learn how to:

Determine where to deploy NSM platforms, and size them for the monitored networks
Deploy stand-alone or distributed NSM installations
Use command line and graphical packet analysis tools, and NSM consoles
Interpret network evidence from server-side and client-side intrusions
Integrate threat intelligence into NSM software to identify sophisticated adversaries

There's no foolproof way to keep attackers out of your network. But when they get in, you'll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.