Extrusion Detection: Security Monitoring for Internal Intrusions
Written by Richard Bejtlich
First, this book should be called The Engineers Guide to Implementing Security to Detect and Prevent Malicious Traffic in Your Network. This is a very thorough book on how to detect malicious traffic leaving a network (hence Extrusion), with great illustrations and walkthroughs. There are chapters on planning, deployment, tuning and other key, often overlooked, aspects surrounding the wonderful world of Intrusion Detection.
The first hint that this book was a bit different is noticed in the Foreward. Marcus Ranum wrote the forward, or I should say guided the direction of the Foreward. Marcus opts for an interview with the author, versus "telling you a bunch of stuff about the book". The Foreward is a must when browsing this book. Very creative, something perhaps missing in the world of Information Security these days.
After the foreward, chapters include Defensible Network Architecture, a brief overview of IDS, Enterprise network Instrumentation (packet captures, tools and some techniques), Layer 3 Network Access Control, Traffic Threat Assessment, Network Incident Response, Network Forensics, and Internal Intrusions that discuss Traffic Threat Assessment Case Study and Malicious Bots. There are several Appendixes as well (a requirement for all technical books) that include how to Collect Session Data, minimal Snort Installation Guide, Enumeration Methods (identifying systems on a network), and Open Source Host Enumeration (doing it for free).
The author uses firewall technology, proxy technology, and IDS technology to define how to monitor and control traffic entering or leaving a network. Specific configurations that could be copied line by line and implemented into a network are provided.
Richard leaves nothing to the imagination in this book. All too often, the author understands the topic so well, they have an extreme difficult time relaying that, or make assumptions the readers understand it at their level. Richard does not make these same mistakes. In fact, where possible, there are packet captures, diagrams, or even a snapshot of the hardware being referenced.
All in all, if you are someone you know is responsible for managing, or deploying and Intrusion Detection scheme, this book will be extremely handy. Not only from the technical point of view, but from the architectural and management point of view. The only real chapter I had concerns with was the Incident Response chapter. It was designed for a technical person, versus a manager or someone developing a plan overall. Given this book is 100% geared for the technical, it is probably right on.