The symantec threatcon level has been raised to level 2

******ebook converter DEMO Watermarks*******

******ebook converter DEMO Watermarks*******

The Tao of Network Security Monitoring

Beyond Intrusion Detection

Richard Bejtlich

Boston • San Francisco • New York • Toronto • Montreal London • Munich • Paris • Madrid

Capetown • Sydney • Tokyo • Singapore • Mexico City

******ebook converter DEMO Watermarks*******

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. This is a book about network monitoring. The act of collecting traffic may violate local, state, and national laws if done inappropriately. The tools and techniques explained in this book should be tested in a laboratory environment, separate from production networks. None of the tools or techniques should be tested with network devices outside of your responsibility or authority. Suggestions on network monitoring in this book shall not be construed as legal advice. The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact: U.S. Corporate and Government Sales

(800) 382-3419 corpsales@pearsontechgroup.com

For sales outside of the U.S., please contact: International Sales

(317) 581-3793 international@pearsontechgroup.com

Visit Addison-Wesley on the Web: www.awprofessional.com Library of Congress Cataloging-in-Publication Data Bejtlich, Richard. The Tao of network security monitoring : beyond intrusion detection / Richard Bejtlich. p. cm. ISBN 0-321-24677-2 (pbk.)

******ebook converter DEMO Watermarks*******

mailto:corpsales@pearsontechgroup.com
mailto:international@pearsontechgroup.com
http://www.awprofessional.com
1. Computer networks—Security measures. I. Title.

TK5105.59.B44 2004 005.8-dc 22 2004007857 Copyright © 2005 by Pearson Education, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada. For information on obtaining permission for use of material from this work, please submit a written request to: Pearson Education, Inc.

Rights and Contracts Department 75 Arlington Street, Suite 300 Boston, MA 02116 Fax: (617) 848-7047

ISBN 0-321-24677-2 Text printed in the United States on recycled paper at Courier Stoughton in Stoughton, Massachusetts. 10th Printing March 2010

******ebook converter DEMO Watermarks*******

TO MY WIFE, AMY: LOVE IS CERTAIN, LOVE IS KIND. IT ISN'T SOMETHING THAT WE FIND. IT'S

SOMETHING THAT WE DO.

******ebook converter DEMO Watermarks*******

Contents

Foreword Preface About the Author About the Contributors Part I. Introduction to Network Security Monitoring Chapter 1. The Security Process What Is Security? What Is Risk? Threat Vulnerability Asset Value A Case Study on Risk Security Principles: Characteristics of the Intruder Some Intruders Are Smarter Than You Many Intruders Are Unpredictable Prevention Eventually Fails Security Principles: Phases of Compromise Reconnaissance Exploitation Reinforcement Consolidation Pillage

******ebook converter DEMO Watermarks*******

Security Principles: Defensible Networks Defensible Networks Can Be Watched Defensible Networks Limit an Intruder's Freedom to Maneuver Defensible Networks Offer a Minimum Number of Services Defensible Networks Can Be Kept Current Conclusion Chapter 2. What Is Network Security Monitoring? Indications and Warnings Collection, Analysis, and Escalation Detecting and Responding to Intrusions Why Do IDS Deployments Often Fail? Outsiders versus Insiders: What Is NSM's Focus? Security Principles: Detection Intruders Who Can Communicate with Victims Can Be Detected Detection through Sampling Is Better Than No Detection Detection through Traffic Analysis Is Better Than No Detection Security Principles: Limitations Collecting Everything Is Ideal but Problematic Real Time Isn't Always the Best Time Extra Work Has a Cost What NSM Is Not NSM Is Not Device Management NSM Is Not Security Event Management NSM Is Not Network-Based Forensics NSM Is Not Intrusion Prevention NSM in Action ******ebook converter DEMO Watermarks*******

Conclusion Chapter 3. Deployment Considerations Threat Models and Monitoring Zones The Perimeter The Demilitarized Zone The Wireless Zone The Intranet Accessing Traffic in Each Zone Hubs SPAN Ports Taps Inline Devices Wireless Monitoring Sensor Architecture Hardware Operating System Sensor Management Console Access In-Band Remote Access Out-of-Band Remote Access Conclusion Part II. Network Security Monitoring Products Chapter 4. The Reference Intrusion Model The Scenario The Attack ******ebook converter DEMO Watermarks*******

Conclusion Chapter 5. Full Content Data A Note on Software Libpcap Tcpdump Basic Usage of Tcpdump Using Tcpdump to Store Full Content Data Using Tcpdump to Read Stored Full Content Data Timestamps in Stored Full Content Data Increased Detail in Tcpdump Full Content Data Tcpdump and Berkeley Packet Filters Tethereal Basic Usage of Tethereal Using Tethereal to Store Full Content Data Using Tethereal to Read Stored Full Content Data Getting More Information from Tethereal Snort as Packet Logger Basic Usage of Snort as Packet Logger Using Snort to Store Full Content Data Using Snort to Read Stored Full Content Data Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort Ethereal Basic Usage of Ethereal Using Ethereal to Read Stored Full Content Data Using Ethereal to Rebuild Sessions Other Ethereal Features

******ebook converter DEMO Watermarks*******

A Note on Commercial Full Content Collection Options Conclusion Chapter 6. Additional Data Analysis Editcap and Mergecap Tcpslice Tcpreplay Tcpflow Ngrep IPsumdump Etherape Netdude Using Netdude What Do Raw Trace Files Look Like? P0f Conclusion Chapter 7. Session Data Forms of Session Data Cisco's NetFlow Fprobe Ng_netflow Flow-tools Flow-capture Flow-cat and Flow-print sFlow and sFlow Toolkit Argus ******ebook converter DEMO Watermarks*******

Argus Server Ra Client Tcptrace Conclusion Chapter 8. Statistical Data What Is Statistical Data? Cisco Accounting Ipcad Ifstat Bmon Trafshow Ttt Tcpdstat MRTG Ntop Conclusion Chapter 9. Alert Data: Bro and Prelude Bro Installing Bro and BRA Interpreting Bro Output Files Bro Capabilities and Limitations Prelude Installing Prelude Interpreting Prelude Output Files Installing PIWI Using PIWI to View Prelude Events ******ebook converter DEMO Watermarks*******

Prelude Capabilities and Limitations Conclusion Chapter 10. Alert Data: NSM Using Sguil Why Sguil? So What Is Sguil? The Basic Sguil Interface Sguil's Answer to “Now What?” Making Decisions with Sguil Sguil versus the Reference Intrusion Model SHELLCODE x86 NOOP and Related Alerts FTP SITE Overflow Attempt Alerts SCAN nmap TCP Alerts MISC MS Terminal Server Request Alerts Conclusion Part III. Network Security Monitoring Processes Chapter 11. Best Practices Assessment Defined Security Policy Protection Access Control Traffic Scrubbing Proxies Detection Collection Identification ******ebook converter DEMO Watermarks*******

Validation Escalation Response Short-Term Incident Containment Emergency Network Security Monitoring Back to Assessment Analyst Feedback Conclusion Chapter 12. Case Studies for Managers Introduction to Hawke Helicopter Supplies Case Study 1: Emergency Network Security Monitoring Detection of Odd Orders System Administrators Respond Picking Up the Bat Phone Conducting Incident Response Incident Response Results Case Study 2: Evaluating Managed Security Monitoring Providers HHS Requirements for NSM HHS Vendor Questionnaire Asset Prioritization Case Study 3: Deploying an In-House NSM Solution Partner and Sales Offices HHS Demilitarized Zone Wireless Network Internal Network “But Who Shall Watch the Watchers?”

******ebook converter DEMO Watermarks*******

Other Staffing Issues Conclusion Part IV. Network Security Monitoring People Chapter 13. Analyst Training Program Weapons and Tactics Definition Tasks References Telecommunications Definition Tasks References System Administration Definition Tasks References Scripting and Programming Definition Tasks References Management and Policy Definition Tasks References Training in Action Periodicals and Web Sites ******ebook converter DEMO Watermarks*******

Case Study: Staying Current with Tools Conclusion Chapter 14. Discovering DNS Normal Port 53 Traffic Normal Port 53 UDP Traffic Normal Port 53 TCP Traffic Suspicious Port 53 Traffic Suspicious Port 53 UDP Traffic Suspicious Port 53 TCP Traffic Malicious Port 53 Traffic Malicious Port 53 UDP Traffic Malicious Port 53 TCP and UDP Traffic Conclusion Chapter 15. Harnessing the Power of Session Data The Session Scenario Session Data from the Wireless Segment Session Data from the DMZ Segment Session Data from the VLANs Session Data from the External Segment Conclusion Chapter 16. Packet Monkey Heaven Truncated TCP Options SCAN FIN Chained Covert Channels Conclusion ******ebook converter DEMO Watermarks*******

Part V. The Intruder versus Network Security Monitoring Chapter 17. Tools for Attacking Network Security Monitoring Packit IP Sorcery Fragroute LFT Xprobe2 Cisco IOS Denial of Service Solaris Sadmin Exploitation Attempt Microsoft RPC Exploitation Conclusion Chapter 18. Tactics for Attacking Network Security Monitoring Promote Anonymity Attack from a Stepping-Stone Attack by Using a Spoofed Source Address Attack from a Netblock You Don't Own Attack from a Trusted Host Attack from a Familiar Netblock Attack the Client, Not the Server Use Public Intermediaries Evade Detection Time Attacks Properly Distribute Attacks Throughout Internet Space Employ Encryption Appear Normal Degrade or Deny Collection ******ebook converter DEMO Watermarks*******

Deploy Decoys Consider Volume Attacks Attack the Sensor Separate Analysts from Their Consoles Self-Inflicted Problems in NSM Conclusion Epilogue. The Future of Network Security Monitoring Remote Packet Capture and Centralized Analysis Integration of Vulnerability Assessment Products Anomaly Detection NSM Beyond the Gateway Conclusion Part VI. Appendixes Appendix A. Protocol Header Reference Appendix B. Intellectual History of Network Security Monitoring Appendix C. Protocol Anomaly Detection Index

******ebook converter DEMO Watermarks*******

Foreword

We've all heard the phrase “knowledge will set you free.” When it comes to real-world network security, I can think of no other phrase with which security professionals must arm themselves. Whether you are brand new to network intrusion detection, an incident responder, or a long-time network security veteran, you must always boil any situation down to its basic facts. The book you are about to read will arm you with the knowledge you need to defend your network from attackers, both the obvious and the not so obvious. Unlike other computer security books that focus on catching the “hack of the week,” this book will equip you with the skills needed to perform in-depth analysis of new and emerging threats. This book discusses many different approaches to network security. It also describes how to communicate and in some cases justify security monitoring efforts. This is important because many organizations may not readily appreciate the need for monitoring— until it is too late. Frequently I run into security “professionals” who rely on “cookbook” methodologies or their favorite tools. Too often, these people do not have a broad understanding of how networks really work and are not effective in increasing their network's defensive posture or communicating with the network administrators. Although there is no substitute for actual system and network administration experience, by reading this book you will undoubtedly come away knowing more relevant information than when you started. In many large organizations, to gain the respect of the system or network administrators, you need to be able to converse at their level—even if it is way above or below your expertise. The amount of plain talk in this book struck me as amazing. Firewalls can fail! Intrusion detection systems can be bypassed! Network monitors can be overloaded! We don't normally hear these messages from our vendors, nor do we hear it from our security administrators. Neither the vendor nor the administrator would be very successful if they focused on all the things that could go wrong. Unfortunately, this creates many false perceptions in the minds of managers and users. ******ebook converter DEMO Watermarks*******

You will enjoy the many examples in this book that show how a network is compromised and how it could have been prevented with some extra monitoring. Another dirty little secret that many security professionals don't speak much about is that our own tools are sometimes the most insecure portion of a network. You may be quite surprised to find out that the server set up to do sniffing or monitoring may be the gateway into the very network you are defending. You will learn ways to mitigate that threat too. I strongly urge you to try using the tools described throughout this book while you are reading it. All of the tools are available for FreeBSD, Linux, and, in many cases, Windows. Although it may take longer to read the book, learning by using is more effective than skimming the command-line syntax. If you are new to network security, don't put this book back on the shelf! This is a great book for beginners. I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, “What's next?” If so, this book is for you. Some people have been performing network security monitoring for a very long time, and this book reviews that history. It will expose you to many other forms of monitoring that are not pure intrusion detection. The information about how you can use various tools to enhance your network security monitoring activities is an excellent resource all on its own. I wish you the best of luck monitoring and defending your network! Ron Gula

CTO and Founder of Tenable Network Security Original author of the Dragon Intrusion Detection System

******ebook converter DEMO Watermarks*******

Preface

Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term “will.” Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion—a real compromise, not a simple Web page defacement—you'll realize the security principles and systems outlined here are both necessary and relevant. This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision. Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.

******ebook converter DEMO Watermarks*******

Audience

This book is for security professionals of all skill levels and inclinations. The primary audience includes network security architects looking for ways to improve their understanding of their network security posture. My goal is to provide tools and techniques to increase visibility and comprehension of network traffic. If you feel let down by your network-based intrusion detection system (NIDS), this book is definitely for you. I explain why most NIDS deployments fail and how you can augment existing NIDS with open source tools. Because this book focuses on open source tools, it is more likely to be accepted in smaller, less bureaucratic organizations that don't mandate the use of commercial software. Furthermore, large organizations with immense bandwidth usage might find some open source tools aren't built to handle outrageous traffic loads. I'm not convinced the majority of Internet-enabled organizations are using connections larger than T-3 lines, however.1 While every tool and technique hasn't been stress-tested on high-bandwidth links, I'm confident the material in this book applies to a great majority of users and networks. If you're a network security analyst, this book is also for you. I wrote this book as an analyst, for other analysts. This means I concentrate on interpreting traffic, not explaining how to install and configure every single tool from source code. For example, many books on “intrusion detection” describe the Transmission Control Protocol/Internet Protocol (TCP/IP) suite and how to set up the Snort open source IDS engine with the Analysis Console for Intrusion Databases (ACID) interface. These books seldom go further because they soon encounter inherent investigative limitations that restrict the usefulness of their tools. Since my analytical techniques do not rely on a single product, I can take network-based analysis to the next level. I also limit discussion of odd packet header features, since real intrusions do not hinge on the presence of a weird TCP flag being set. The tools and techniques in this book concentrate on giving analysts the information they need to assess intrusions and make decisions, not just identify mildly entertaining reconnaissance patterns.

******ebook converter DEMO Watermarks*******

This book strives to not repeat material found elsewhere. You will not read how to install Snort or run Nmap. I suggest you refer to the recommended reading list in the next section if you hunger for that knowledge. I introduce tools and techniques overlooked by most authors, like the material on protocol anomaly detection by Brian Hernacki, and explain how you can use them to your advantage. Technical managers will appreciate sections on best practices, training, and personnel issues. All the technology in the world is worthless if the staff manning it doesn't understand their roles, responsibilities, and escalation procedures. Managers will also develop an intuition for the sorts of information a monitoring process or product should provide. Many vendors sell services and products named with combinations of the terms “network,” “security,” and “monitoring.” This book creates a specific definition for network security monitoring (NSM), built on a historical and operational foundation. Prerequisites

I've tried to avoid duplicating material presented elsewhere, so I hope readers lacking prerequisite knowledge take to heart the following reading suggestions. I highly recommend reading the following three books prior to this one. If you've got the necessary background, consider these titles as references. • Internet Site Security, by Erik Schetina, Ken Green, and Jacob Carlson

(Boston, MA: Addison-Wesley, 2002). This is an excellent “security 101” book. If you need to start from the ground floor, this book is a great beginning.

• Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, by Ed Skoudis (Upper Saddle River, NJ: Prentice Hall PTR, 2001). Counter Hack offers the best single-chapter introductions to TCP/IP, Microsoft Windows, UNIX, and security issues available.

• Hacking Exposed: Network Security Secrets and Solutions, 4th ed., by Stuart McClure, Joel Scambray, and George Kurtz (New York:

******ebook converter DEMO Watermarks*******

McGraw-Hill, 2003). Hacking Exposed explores the capabilities and intentions of digital threats. By knowing how to compromise computers, you'll understand the sorts of attacks network security monitoring practitioners will encounter.

If you need an introduction to intrusion detection theory, I recommend the following book: • Intrusion Detection, by Rebecca Gurley Bace (Indianapolis, IN: New

Riders, 2000). While not strictly needed to understand the concepts in this book, Intrusion Detection provides the history and mental lineage of IDS technology. As The Tao of Network Security Monitoring focuses on network-based tactics, you can turn to Intrusion Detection for insight on host-based detection or the merits of signature- or anomaly-based IDS.

It helps to have a good understanding of TCP/IP beyond that presented in the aforementioned titles. The following are a few of my favorite books on TCP/IP. • Internet Core Protocols: The Definitive Guide, by Eric A. Hall

(Cambridge, MA: O'Reilly, 2000). Many people consider Richard Stevens' TCP/IP Illustrated Volume 1: The Protocols (Reading, MA: Addison-Wesley, 1994) to be the best explanation of TCP/IP. I think Eric Hall's more recent book is better suited for modern network traffic analysts.

• Network Analysis and Troubleshooting, by J. Scott Haugdahl (Boston, MA: Addison-Wesley, 2000). Troubleshooting books tend to offer the more interesting explanations of protocols in action. Scott Haugdahl works his way up the seven layers of the Open Systems Interconnect (OSI) model, using packet traces and case studies.

• Troubleshooting Campus Networks: Practical Analysis of Cisco and LAN Protocols, by Priscilla Oppenheimer and Joseph Bardwell (Indianapolis, IN: Wiley, 2002). This title is considerably broader in scope than Scott Haugdahl's work, with coverage of virtual local area networks (VLANs), routing protocols, and wide area network (WAN) protocols like Asynchronous Transfer Mode (ATM).

One other book deserves mention, but I request you forgive a small amount ******ebook converter DEMO Watermarks*******

of self-promotion. The Tao of Network Security Monitoring is primarily about detecting incidents through network-based means. In some senses it is also an incident response book. Effective incident response, however, reaches far beyond network-based evidence. To learn more about host-based data, such as file systems and memory dumps, I recommend Real Digital Forensics (Boston, MA: Addison-Wesley, 2005). I wrote the network monitoring sections of the book, and coauthors Keith Jones and Curtis Rose did the host- and memory-level forensics. If you'd like to see the big picture for incident response, read Real Digital Forensics. A Note on Operating Systems

All of the tools I discuss in this book run on the FreeBSD (http://www.freebsd.org) operating system. FreeBSD is a UNIX-like, open source environment well suited for building network security monitoring platforms.2 If you're familiar with Linux or any other Berkeley Software Distribution (OpenBSD or NetBSD), you'll have no trouble with FreeBSD. I strongly recommend running NSM tools on UNIX-like platforms like the BSDs and Linux. You might consider trying a live CD-ROM FreeBSD distribution prior to committing a hard drive to installation. You may already know about Knoppix (http://www.knopper.net/knoppix/index-en.html), the most famous Linux-based live CD-ROM operating system. FreeBSD offers the FreeSBIE distribution (http://www.freesbie.org). FreeSBIE recently shipped version 1.0, based on the FreeBSD 5.2.1 RELEASE edition. Live distributions boot from the CD-ROM and run all programs within memory. They can be configured to write to removable media like USB thumb drives or the hard drive of the host computer. Live distributions are a good way to test hardware compatibility before going through the time and effort to install a new operating system on a system's hard drive. For example, before upgrading a FreeBSD 4.9–based system to version 5.2.1, I booted a FreeBSD 5.2.1–based live distribution and checked whether it saw all of the hardware properly. Figure 1 shows FreeSBIE 1.0 running several programs. Many security tools are included in the distribution, including Nessus, Nmap and NmapFE, Snort, ******ebook converter DEMO Watermarks*******

http://www.freebsd.org
http://www.knopper.net/knoppix/index-en.html
http://www.freesbie.org
and Ethereal. I am investigating building an NSM-minded FreeBSD-based live distribution to run the tools discussed in this book.

Figure 1. FreeSBIE 1.0 running Ethereal, NmapFE, Snort 2.1.0, and The Gimp

If you want to learn about FreeBSD, I suggest these books. • FreeBSD: An Open-Source Operating System for Your Personal

Computer, 2nd ed., by Annelise Anderson (Portola Valley, CA: Bit Tree Press, 2001). Absolute UNIX newbies will find Annelise Anderson's book the gentlest introduction to FreeBSD.

• Absolute BSD: The Ultimate Guide to FreeBSD, by Michael Lucas (San Francisco, CA: No Starch Press, 2002). Michael Lucas has an uncanny ability to answer the questions his readers are bound to ask. Keep in mind that Annelise Anderson's book and Absolute BSD focus on FreeBSD 4.x, so certain details might change with FreeBSD 5.x.

• The Complete Guide to FreeBSD, 4th ed., by Greg Lehey (Cambridge, MA: O'Reilly, 2003). Greg Lehey covers more than just FreeBSD; he

******ebook converter DEMO Watermarks*******

addresses system and network administration issues as well. This is the first book explicitly written with FreeBSD 5.x in mind.

I'm often asked why I use FreeBSD and not OpenBSD. I use FreeBSD because I believe it is the best general-purpose operating system available. It has more applications in its ports tree, a larger development community, and better network and multiprocessor performance. I develop and test all of my applications and techniques on FreeBSD. OpenBSD is more innovative in terms of security, with integrated defensive features like Systrace, the Pf firewall, increased use of privilege separation, and relentless removal of coding flaws. I believe OpenBSD may be a superior platform for building dedicated “security appliances.” Once the application is tested under a general-purpose operating system like FreeBSD, it can be deployed on a security-minded platform like OpenBSD. As the TrustedBSD project (http://www.trustedbsd.org) brings additional security features into the FreeBSD 5.x tree, FreeBSD's security features are competing well with OpenBSD. FreeBSD is beginning to adopt security systems like mandatory access control that are found in commercial operating systems like Trusted Solaris. In reality all three major BSD projects feed security ideas into each other, so competition among the projects is not a huge concern. Linux and Windows users might wonder where I stand on their operating systems. I believe Linux benefits from having a very large development community. Because so many coders run Linux, users are more likely to see patches introduced to improve Tcpdump's performance or implement other features useful to security professionals. I still prefer the BSDs to Linux because Linux is a kernel supplemented by tools selected by various distribution aggregators.3 There is also doubt about which Linux distribution is most likely to be used by the community. Prior to the arrival of Fedora Core, Red Hat Linux was more or less the de facto standard. Debian may be the heir to Red Hat's throne, but that situation remains in flux. This is not the best environment for developing security applications and standards. Windows is an operating system for consumers. It was designed to “make life easy” at the expense of security and operational transparency. The underlying Windows design model has not withstood connectivity to the Internet very

******ebook converter DEMO Watermarks*******

http://www.trustedbsd.org
well. The operating system provides far too many services on single ports. How can one disable port 135 or 139 TCP, for example, without breaking a dozen built-in applications? I believe the supposed ease of use of a Windows system, even if one accepted this feature to be true, is far outweighed by the risk of introducing the operating system in a critical security role. Those adding a security platform to a network should not violate the first rule of the Hippocratic Oath: do no harm. I have far more confidence in the reliability and resiliency of a FreeBSD or other UNIX system compared to a Windows system. Scope

The book is broken into five major parts, followed by an epilogue and appendices. You can focus on the areas that interest you, as the sections were written in a modular manner. You may wonder why greater attention is not paid to popular tools like Nmap or Snort. With The Tao of Network Security Monitoring, I hope to break new ground by highlighting ideas and tools seldom seen elsewhere. If I don't address a widely popular product, it's because it has received plenty of coverage in another book. Part I offers an introduction to NSM, an operational framework for the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. Part I begins with an analysis of the terms and theory held by NSM practitioners. Chapter 1 discusses the security process and defines words like security, risk, and threat. It also makes assumptions about intruders and their prey that set the stage for NSM operations. Chapter 2 addresses NSM directly, explaining why NSM is not implemented by modern NIDSs alone. Chapter 3 focuses on deployment considerations, such as how to access traffic using hubs, taps, SPAN ports, and inline devices. Part II begins an exploration of the NSM “product, process, and people” triad. Chapter 4 is a case study called the “reference intrusion model.” This is an incident explained from the point of view of an omniscient observer. During this intrusion, the victim collected full content data in two locations. We will use those two trace files while explaining the tools discussed in Part II. Following the reference intrusion model, I devote chapters to each of the four types of data that must be collected to perform NSM—full content, ******ebook converter DEMO Watermarks*******

session, statistical, and alert data. Chapters 5 through 10 describe open source tools tested on the FreeBSD operating system and available on other UNIX derivatives. Part II also includes a look at tools to manipulate and modify traffic. Featured in Part II are little-discussed NIDSs like Bro and Prelude, and the first true open source NSM suite, Sguil. Part III continues the NSM triad by discussing processes. If analysts don't know how to handle events, they're likely to ignore them. I provide best practices in Chapter 11 and follow with Chapter 12, written explicitly for technical managers. That material explains how to conduct emergency NSM in an incident response scenario, how to evaluate monitoring vendors, and how to deploy an NSM architecture. Part IV, intended for analysts and their supervisors, completes the NSM triad. Entry-level and intermediate analysts frequently wonder how to move to the next level of their profession. In Chapter 13, I offer some guidance for the five topics with which a security professional should be proficient: weapons and tactics, telecommunications, system administration, scripting and programming, and management and policy. Chapters 14 through 16 offer case studies, showing analysts how to apply NSM principles to intrusions and related scenarios. Part V is the offensive counterpart to the defensive aspects of Parts II, III, and IV. I discuss how to attack products, processes, and people. Chapter 17 examines tools to generate arbitrary packets, manipulate traffic, conduct reconnaissance, and exploit flaws in Cisco, Solaris, and Microsoft targets. In Chapter 18 I rely on my experience performing detection and response to show how intruders attack the mind-set and procedures on which analysts rely. An epilogue on the future of NSM follows Part V. The appendices feature several TCP/IP protocol header charts and explanations. I also wrote an intellectual history of network security, with excerpts and commentary on the most important papers written during the last 25 years. Please take the time to at least skim that appendix; you'll see that many of the “revolutionary ideas” often heralded in the press were in some cases proposed decades ago. Neither Part V nor other parts are designed as “hacking” references. You will not find “elite” tools to compromise servers; if so inclined, refer to the

******ebook converter DEMO Watermarks*******

suggested reading list. The tools I profile were selected for the traffic they generate. By looking at packets created by readily available offensive tools, analysts learn to identify normal, suspicious, and malicious traffic. Welcome Aboard

I hope you find this book useful and enjoyable. I welcome feedback on its contents, especially tips on better uses of tools and tactics. While doing research I was amazed at the amount of work done in the field of intrusion detection over the last 25 years. Intrusion detection is only one component of NSM, but it is the general community in which NSM practitioners feel most at home. Much of what I present is the result of standing on the shoulders of giants.4 Our community is blessed by many dedicated and talented people who contribute code, ideas, and resources to Internet security issues. I hope my contribution is worthy of the time you dedicate to reading it. Acknowledgments

I would first like to thank my wife Amy for her encouragement and understanding. Many nights I wrote until two or three o'clock in the morning. I appreciate the space and time she gave me to complete this book, as well as the unconditional love and support she has shown as my wife. Our dog Scout was also helpful, reminding me to stop writing every once in a while to play fetch with him. I thank my parents and sisters for providing a nurturing childhood home and encouraging a desire to learn. I owe a lot to the NSM gurus I met as a captain in the Air Force. These include Bamm Visscher, author of Sguil and the person who's been a great mentor and friend for the last five years. I enjoyed working with some real security professionals in the Air Force Computer Emergency Response Team (AFCERT) where I started my NSM journey: Sam Adams, Dave Bibighaus, Dustin Childs, Steve Chism, LeRoy Crooks, John Curry, DeWayne Duff, Ryan Gurr, Steve Heacox, Bill Kelly, Zeb King, Jason Mathews, Bruce

******ebook converter DEMO Watermarks*******

McGilvery, Don Nelson, Will Patrick, Greg Patton, Chuck Port, Jason Potopa, Chad Renfro, Chris Rochester, Billy Rodriguez, Christi Ruiz, Marty Schlachter, Jay Schwitzgebel, Mark Shaw, Larry Shrader, Byron Thatcher, Ralph Toland, and Rich Zanni. I appreciate Cheryl Knecht's patience when I caught my first reconnaissance activity from Russia. I'd also like to recognize my former supervisors in the Air Intelligence Agency's plans division, Jesse Coultrap and J.J. Romano, who acted when they realized I would be happier in the AFCERT. At Ball Aerospace & Technologies Corporation, Bamm, Dave Wheeler, and I built an NSM operation from scratch. When writing this book I kept in mind the needs of our first analysts, who in many ways were guinea pigs for the “new NSM” built on the ruins of the “good ol' days” of AFCERT NSM operations. I know some of them are watching your networks right now. Working at Foundstone gave me the chance to work on the incident response side of the NSM experience. I learned from my former boss Kevin Mandia that “we win some, and we lose some.” Forensic gurus Keith Jones and Matt Pepe showed how to replace people with very small scripts, usually named “parser.” Julie Darmstadt was there to see me “pit out” in front of dozens of students and was ready to carry a class forward when we risked another “debacle.” The Addison-Wesley team helped make this book a reality. Jessica Goldstein guided me through the writing process with skill and tact. Chrysta Meadowbrooke copyedited the text with incredible attention to detail. Heather Mullane, Chanda Leary-Coutu, and Joan Murray helped bring news of my work to readers worldwide. Talented reviewers, including Luca Deri, Ron Gula, Aaron Higbee, Kirby Kuehl, Paul Myrick, and Marcus Ranum, kept me on track. I appreciate the contributions to Chapter 9 by Bro expert Christopher Manders, Prelude-IDS founder Yoanne Vandoorselaere, and IT solution provider Dreamlab. Brian Hernacki wrote the great appendix on protocol anomaly detection. Amy Fisher of Net Optics gave expert advice on Chapter 3. I've learned quite a bit while reviewing books for Amazon.com. I appreciate the review copies sent by Joan Murray at Pearson Education, Bettina Faltermeier at McGraw-Hill/Osborne, Amy Pedersen at Syngress, Eric Holmgren at Wiley, and my friends at O'Reilly. I was tempted to cover much

******ebook converter DEMO Watermarks*******

http://Amazon.com
more ground than what appears here, but I defer to subjects better covered by other authors like Ross Anderson and Ed Skoudis. I would also like to thank the members of the FreeBSD community who devote themselves to the world's most capable operating system. Articles and books by Dru Lavigne, Greg Lehey, and Michael Lucas have been extremely helpful. I encourage anyone looking for a coherent, consistent, stable, feature-rich operating system to consider FreeBSD. I hope those of us who benefit from open source projects support them by purchasing distributions from vendors like FreeBSDMall.com and BSDMall.com. In addition to the FreeBSD community, I tip my hat to all of the developers of the open source software profiled in this book. Open source software is proving to be the wave of the past and the future. I have yet to find a software requirement not met by open source software. The next time you need an application, search an archive like SourceForge.net. If you don't find what you need, consider hiring a developer to write the code and then release it to the world under a license approved by the Open Source Initiative (http://www.opensource.org).

******ebook converter DEMO Watermarks*******

http://FreeBSDMall.com
http://BSDMall.com
http://SourceForge.net
http://www.opensource.org
About the Author

Richard Bejtlich is a security engineer in ManTech International Corporation's Computer Forensics and Intrusion Analysis division. He was previously a principal consultant at Foundstone, performing incident response, emergency network security monitoring, and security research. Prior to joining Foundstone in 2002, Richard served as senior engineer for managed network security operations at Ball Aerospace & Technologies Corporation. He helped organize and train 12 analysts offering outsourced network security monitoring for commercial clients. Richard's technical interpretation of network traffic helped identify and mitigate over three dozen intrusions during his 15 months at BATC. From 1998 to 2001 Richard defended global American information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). He led the AFCERT's real-time intrusion detection mission, supervising 60 civilian and military analysts. Richard's network security monitoring work supported law enforcement investigations and the Air Force's response to the Melissa, ILOVEYOU, and Y2K rollover incidents. Richard is a recognized voice in the computer security community. He has written several papers on network security monitoring and made technical presentations at SANS, FIRST, Infragard, ISSA, and SHADOW conferences. He reviews computer and security books for Amazon.com and is consulted by publishers to scrutinize book proposals and drafts. He wrote original material for Hacking Exposed, 4th ed., and Incident Response, 2nd ed., both published by McGraw-Hill/Osborne. Richard is also coauthor of Real Digital Forensics, published by Addison-Wesley. Formally trained as a military intelligence officer, Richard deployed to Europe in 1997 to support NATO information collection efforts during the Bosnia-Herzegovina conflict. He is a 1994 graduate of the United States Air Force Academy, where he earned bachelor of science degrees in history and political science and minor degrees in French and German. He earned a master's degree in public policy from Harvard University in 1996. He received his CISSP certification in 2001 and his Certified Information ******ebook converter DEMO Watermarks*******

http://Amazon.com
Forensics Investigator credentials in early 2004. His home page is at http://www.taosecurity.com and his Web blog resides at http://taosecurity.blogspot.com.

******ebook converter DEMO Watermarks*******

http://www.taosecurity.com
http://taosecurity.blogspot.com
About the Contributors

About the Contributing Author

Brian Hernacki (Protocol Anomaly Detection, Appendix C)

Brian Hernacki is an architect in the Symantec Research Labs, where he works with a dedicated team to develop future technologies. With more than ten years of experience with computer security and enterprise software development, he has also conducted research and commercial product development in a number of security areas, including intrusion detection and analysis techniques. Brian previously led the development, design, and architecture of products and the investigation and research of new technologies at Recourse Technologies. He has been involved in numerous intrusion detection evaluation efforts and speaks often on the subject. Before working at Recourse Technologies, Brian served as a senior software developer, group manager, and product architect at Netscape Communications Corporation, where he played a pivotal role in the development of a number of high-end enterprise and service provider server products. Prior to Netscape, his experience included engineering and management positions at Computer Aided Engineering Network (CAEN), where he developed a network-wide intrusion detection system and maintenance and system reliability tools. Brian earned a bachelor of science degree in computer engineering, with honors, from the University of Michigan. About the Technical Contributors

Christopher Jay Manders (Bro and BRA, Chapter 9)

******ebook converter DEMO Watermarks*******

Christopher Jay Manders is a cyber-security analyst, computer systems engineer, and entrepreneur who lives in San Francisco, California. He has managed large and small projects that range from ISP services to security and intrusion analysis and vulnerability assessment. He has worked with Bro and other intrusion detection and analysis tools for over seven years and has over ten years of UNIX systems administration and programming experience. He currently works for Lawrence Berkeley National Laboratory, where he is a division security liaison and group leader. Christopher programs in his spare time on such projects as the BRA user environment for Bro and systems administration tools for sending MIME attachments using Perl from a UNIX command line. One of his upcoming projects focuses on responding to and reporting scans reported by Bro. Christopher also translates Nepali (Gorkhali) literature for amusement and pleasure with friends and family. Yoanne Vandoorselaere (Prelude, Chapter 9)

Yoanne Vandoorselaere is a development engineer and specialist in networking and security. He is the project leader for Prelude (http://www.prelude-ids.org), a hybrid intrusion detection system he initiated in 1998. He tutors students pursuing their master's degrees at ESIEA (Ecole Supérieure d'Informatique–Electronique–Automatique, http://www.esiea.fr). Yoanne lives in Lyon, France, and spends most of his time developing Prelude and contributing to open source software.

******ebook converter DEMO Watermarks*******

http://www.prelude-ids.org
http://www.esiea.fr
Part I. Introduction to Network Security Monitoring

******ebook converter DEMO Watermarks*******

1. The Security Process

You've just hung up the phone after speaking with a user who reported odd behavior on her desktop. She received a pop-up message that said “Hello!” and she doesn't know what to do. While you listened to her story, you read a trouble ticket opened by your network operations staff noting an unusual amount of traffic passing through your border router. You also noticed the delivery of an e-mail to your abuse account, complaining that one of your hosts is “attacking” a small e-commerce vendor in Massachusetts. Your security dashboard joins the fray by offering its blinking red light, enticing you to investigate a possible intrusion by external parties. Now what? This question is familiar to anyone who has suspected one or more of their computers have been compromised. Once you think one of your organization's assets has been exploited, what do you do next? Do you access the suspect system and review process tables and directory listings for improper entries? Do you check firewall logs for odd entries, only to remember you (like most organizations) only record traffic rejected by the firewall?1 (By definition, rejected traffic can't hurt you. Only packets allowed through the firewall have any effect, unless the dropped packets are the result of a denial-of-service attack.) Do you hire consultants who charge $200+ per hour, hoping they can work a one-week miracle to solve problems your organization created during a five-year period? There must be a better way. My answer is network security monitoring (NSM), defined as the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. This book is dedicated to NSM and will teach you the tools and techniques to help you implement NSM as a model for security operations. Before describing the principles behind NSM, it's helpful to share an understanding of security terminology. Security professionals have a habit of using multiple terms to refer to the same idea. The definitions here will allow us to understand where NSM fits within an organization's security posture. Readers already familiar with security principles may wish to skim this chapter for highlighted definitions and then ******ebook converter DEMO Watermarks*******

move directly to Chapter 2 for a more detailed discussion of NSM. What Is Security?

Security is the process of maintaining an acceptable level of perceived risk. A former director of education for the International Computer Security Association, Dr. Mitch Kabay, wrote in 1998 that “security is a process, not an end state.”2 No organization can be considered “secure” for any time beyond the last verification of adherence to its security policy. If your manager asks, “Are we secure?” you should answer, “Let me check.” If he or she asks, “Will we be secure tomorrow?” you should answer, “I don't know.” Such honesty will not be popular, but this mind-set will produce greater success for the organization in the long run. During my consulting career I have met only a few high-level executives who truly appreciated this concept. Those who believed security could be “achieved” were more likely to purchase products and services marketed as “silver bullets.”3 Executives who grasped the concept that security is a process of maintaining an acceptable level of perceived risk were more likely to commit the time and resources needed to fulfill their responsibilities as managers. The security process revolves around four steps: assessment, protection, detection, and response (see Figure 1.1).4

1. Assessment is preparation for the other three components. It's stated as a separate action because it deals with policies, procedures, laws, regulations, budgeting, and other managerial duties, plus technical evaluation of one’s security posture. Failure to account for any of these elements harms all of the operations that follow.

2. Protection is the application of countermeasures to reduce the likelihood of compromise. Prevention is an equivalent term, although one of the tenets of this book is that prevention eventually fails.

3. Detection is the process of identifying intrusions. Intrusions are policy violations or computer security incidents. Kevin Mandia and Chris Prosise define an incident as any “unlawful, unauthorized, or

******ebook converter DEMO Watermarks*******

unacceptable action that involves a computer system or a computer network.”5

As amazing as it may sound, external control of an organization's systems is not always seen as a policy violation. When confronting a determined or skilled adversary, some organizations choose to let intruders have their way—as long as the intruders don't interrupt business operations.6 Toleration of the intrusion may be preferred to losing money or data. 4. Response is the process of validating the fruits of detection and taking steps to remediate intrusions. Response activities include “patch and proceed” as well as “pursue and prosecute.” The former approach focuses on restoring functionality to damaged assets and moving on; the latter seeks legal remedies by collecting evidence to support action against the offender.

Figure 1.1. The security process

With this background, let's discuss some concepts related to risk. What Is Risk?

******ebook converter DEMO Watermarks*******

The definition of security mentioned risk, which is the possibility of suffering harm or loss. Risk is a measure of danger to an asset. An asset is anything of value, which in the security context could refer to information, hardware, intellectual property, prestige, and reputation. The risk should be defined explicitly, such as “risk of compromise of the integrity of our customer database” or “risk of denial of service to our online banking portal.” Risk is frequently expressed in terms of a risk equation, where risk = threat × vulnerability × asset value Let's explore the risk equation by defining its terms in the following subsections. Threat