book

The Practice of Network Security Monitoring

Name: The Practice of Network Security Monitoring
Author: Richard Bejtlich
ISBN: 9781593275099

by Richard Bejtlich

July 2013

Intermediate to advanced

376 pages

9h 44m

English

No Starch Press

Read now

Unlock full access

Dedication
Foreword
Preface
AudiencePrerequisitesA Note on Software and ProtocolsScopeAcknowledgmentsDisclaimer
I. Getting Started
1. Network Security Monitoring Rationale
An Introduction to NSMDoes NSM Prevent Intrusions?What Is the Difference Between NSM and Continuous Monitoring?How Does NSM Compare with Other Approaches?Why Does NSM Work?How NSM Is Set UpInstalling a TapWhen NSM Won’t WorkIs NSM Legal?How Can You Protect User Privacy During NSM Operations?A Sample NSM TestThe Range of NSM DataFull Content DataReviewing a Data SummaryInspecting PacketsUsing a Graphical Tool to View the TrafficExtracted Content DataSession DataTransaction DataStatistical DataMetadataAlert DataWhat’s the Point of All This Data?NSM DrawbacksWhere Can I Buy NSM?Where Can I Go for Support or More Information?Conclusion
2. Collecting Network Traffic: Access, Storage, and Management
A Sample Network for a Pilot NSM SystemTraffic Flow in a Simple NetworkPossible Locations for NSMIP Addresses and Network Address TranslationNet BlocksIP Address AssignmentsAddress TranslationNetwork Address TranslationAddress Translation in Wireless and Internal NetworksChoosing the Best Place to Obtain Network VisibilityLocation for DMZ Network TrafficLocations for Viewing the Wireless and Internal Network TrafficGetting Physical Access to the TrafficUsing Switches for Traffic MonitoringUsing a Network TapCapturing Traffic Directly on a Client or ServerChoosing an NSM PlatformTen NSM Platform Management RecommendationsConclusion
II. Security Onion Deployment
3. Stand-alone NSM Deployment and Installation
Stand-alone or Server Plus Sensors?Choosing How to Get SO Code onto HardwareInstalling a Stand-alone SystemInstalling SO to a Hard DriveConfiguring SO SoftwareChoosing the Management InterfaceInstalling the NSM Software ComponentsChecking Your InstallationConclusion
4. Distributed Deployment
Installing an SO Server Using the SO .iso ImageSO Server ConsiderationsBuilding Your SO ServerConfiguring Your SO ServerInstalling an SO Sensor Using the SO .iso ImageConfiguring the SO SensorCompleting SetupVerifying that the Sensors Are WorkingVerifying that the Autossh Tunnel Is WorkingBuilding an SO Server Using PPAsInstalling Ubuntu Server as the SO Server Operating SystemChoosing a Static IP AddressUpdating the SoftwareBeginning MySQL and PPA Setup on the SO ServerConfiguring Your SO Server via PPABuilding an SO Sensor Using PPAsInstalling Ubuntu Server as the SO Sensor Operating SystemConfiguring the System as a SensorRunning the Setup WizardConclusion
5. SO Platform Housekeeping
Keeping SO Up-to-DateUpdating via the GUIUpdating via the Command LineLimiting Access to SOConnecting via a SOCKS ProxyChanging the Firewall PolicyManaging SO Data StorageManaging Sensor StorageChecking Database Drive UsageManaging the Sguil DatabaseTracking Disk UsageConclusion

III. Tools
6. Command Line Packet Analysis Tools
SO Tool CategoriesSO Data Presentation ToolsPacket Analysis ToolsNSM ConsolesSO Data Collection ToolsSO Data Delivery ToolsRunning TcpdumpDisplaying, Writing, and Reading Traffic with TcpdumpUsing Filters with TcpdumpApplying FiltersSome Common FiltersExtracting Details from Tcpdump OutputExamining Full Content Data with TcpdumpUsing Dumpcap and TsharkRunning TsharkRunning DumpcapRunning Tshark on Dumpcap’s TrafficUsing Display Filters with TsharkTshark Display Filters in ActionRunning Argus and the Ra ClientStopping and Starting ArgusThe Argus File FormatExamining Argus DataConclusion
7. Graphical Packet Analysis Tools
Using WiresharkRunning WiresharkViewing a Packet Capture in WiresharkModifying the Default Wireshark LayoutModifying the Layout Using the GUIModifying the Preferences FileSome Useful Wireshark FeaturesViewing Lower-Level Protocol Features in DetailOmitting Traffic to See RemnantsFollowing StreamsSetting the Protocol Decode Method with Decode AsFollowing Other StreamsUsing XplicoRunning XplicoCreating Xplico Cases and SessionsProcessing Network TrafficUnderstanding the Decoded TrafficGetting Metadata and Summarizing TrafficExamining Content with NetworkMinerRunning NetworkMinerCollecting and Organizing Traffic DetailsRendering ContentConclusion
8. NSM Consoles
An NSM-centric Look at Network TrafficUsing SguilRunning SguilSguil’s Six Key FunctionsSimple AggregationMetadata and Related DataQuerying Alert Data in SguilQuerying Session Data in SguilPivoting to Full Content DataCategorizing Alert DataUsing SquertUsing SnorbyUsing ELSAConclusion
IV. NSM in Action
9. NSM Operations
The Enterprise Security CycleThe Planning PhaseThe Resistance PhaseThe Detection and Response PhasesCollection, Analysis, Escalation, and ResolutionCollectionTechnical SourcesNontechnical SourcesAnalysisIntrusions and IncidentsEvent ClassificationEscalationDocumentation of IncidentsNotification of IncidentsIncident Communication ConsiderationsResolutionContainment TechniquesSpeed of ContainmentRemediationUsing NSM to Improve SecurityBuilding a CIRTConclusion
10. Server-side Compromise
Server-side Compromise DefinedServer-side Compromise in ActionStarting with SguilQuerying Sguil for Session DataReturning to Alert DataReviewing Full Content Data with TsharkUnderstanding the BackdoorWhat Did the Intruder Do?Initial AccessEnumerating the VictimAccessing CredentialsWhat Else Did the Intruder Do?Exploring the Session DataSearching Bro DNS LogsSearching Bro SSH LogsSearching Bro FTP LogsDecoding the Theft of Sensitive DataExtracting the Stolen ArchiveStepping BackSummarizing Stage 1Summarizing Stage 2Next StepsConclusion
11. Client-side Compromise
Client-side Compromise DefinedClient-side Compromise in ActionGetting the Incident Report from a UserStarting Analysis with ELSAQuerying for the IP AddressChecking the Bro HTTP LogChecking Snort AlertsSearching for Other ActivityLooking for Missing TrafficAnalyzing the Bro dns.log FileChecking Destination PortsExamining the Command-and-Control ChannelInitial AccessImproving the ShellSummarizing Stage 1Pivoting to a Second VictimInstalling a Covert TunnelEnumerating the VictimSummarizing Stage 2Conclusion
12. Extending SO
Using Bro to Track ExecutablesHashing Downloaded Executables with BroSubmitting a Hash to VirusTotalUsing Bro to Extract Binaries from TrafficConfiguring Bro to Extract Binaries from TrafficCollecting Traffic to Test BroTesting Bro to Extract Binaries from HTTP TrafficExamining the Binary Extracted from HTTPTesting Bro to Extract Binaries from FTP TrafficExamining the Binary Extracted from FTPSubmitting a Hash and Binary to VirusTotalRestarting BroUsing APT1 IntelligenceUsing the APT1 ModuleInstalling the APT1 ModuleGenerating Traffic to Test the APT1 ModuleTesting the APT1 ModuleReporting Downloads of Malicious BinariesUsing the Team Cymru Malware Hash RegistryThe MHR and SO: Active by DefaultThe MHR and SO vs. a Malicious DownloadIdentifying the BinaryConclusion
13. Proxies and Checksums
ProxiesProxies and VisibilityTraffic from the Client to the ProxyTraffic from the Proxy to the Web ServerDealing with Proxies in Production NetworksChecksumsA Good ChecksumA Bad ChecksumIdentifying Bad and Good Checksums with TsharkHow Bad Checksums HappenBro and Bad ChecksumsSetting Bro to Ignore Bad ChecksumsConclusion
Conclusion
Cloud ComputingCloud Computing ChallengesCloud Computing BenefitsWorkflow, Metrics, and CollaborationWorkflow and MetricsCollaborationConclusion
A. SO Scripts and Configuration
SO Control Scripts/usr/sbin/nsm/usr/sbin/nsm_all_del/usr/sbin/nsm_all_del_quick/usr/sbin/nsm_sensor/usr/sbin/nsm_sensor_add/usr/sbin/nsm_sensor_backup-config/usr/sbin/nsm_sensor_backup-data/usr/sbin/nsm_sensor_clean/usr/sbin/nsm_sensor_clear/usr/sbin/nsm_sensor_del/usr/sbin/nsm_sensor_edit/usr/sbin/nsm_sensor_ps-daily-restart/usr/sbin/nsm_sensor_ps-restart/usr/sbin/nsm_sensor_ps-start/usr/sbin/nsm_sensor_ps-status/usr/sbin/nsm_sensor_ps-stop/usr/sbin/nsm_server/usr/sbin/nsm_server_add/usr/sbin/nsm_server_backup-config/usr/sbin/nsm_server_backup-data/usr/sbin/nsm_server_clear/usr/sbin/nsm_server_del/usr/sbin/nsm_server_edit/usr/sbin/nsm_server_ps-restart/usr/sbin/nsm_server_ps-start/usr/sbin/nsm_server_ps-status/usr/sbin/nsm_server_ps-stop/usr/sbin/nsm_server_sensor-add/usr/sbin/nsm_server_sensor-del/usr/sbin/nsm_server_user-addSO Configuration Files/etc/nsm//etc/nsm/administration.conf/etc/nsm/ossec//etc/nsm/pulledpork//etc/nsm/rules//etc/nsm/securityonion//etc/nsm/securityonion.conf/etc/nsm/sensortab/etc/nsm/servertab/etc/nsm/templates//etc/nsm/$HOSTNAME-$INTERFACE/barnyard2.confbpf.conf fileshttp_agent.confpads_agent.confpcap_agent.confprads.confsancp_agent.confsensor.confsnort_agent.confsnort.confsuricata.yaml/etc/cron.d/BroCapMeELSASquertSnorbySyslog-ng/etc/network/interfaces
Index
About the Author
B. Updates
Copyright

Content preview from The Practice of Network Security Monitoring

Chapter 2. Collecting Network Traffic: Access, Storage, and Management

Chapter 1 introduced the rationale for NSM. In this chapter, you’ll learn the details of collecting network traffic, specifically as they relate to access, storage, and management. Consistent with the overall theme of this book, this chapter is not an in-depth study of the topic, but rather a guide to help you identify where to put your first sensor and get started collecting network traffic.

A Sample Network for a Pilot NSM System

Chapter 1 introduced a simple network that could require NSM visibility, as reproduced in Figure 2-1. Each “cloud” in the network represents an infrastructure ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781457185175Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Practice of Network Security Monitoring

by Richard Bejtlich

Chapter 2. Collecting Network Traffic: Access, Storage, and Management

A Sample Network for a Pilot NSM System

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.