The Practical Intrusion Detection Handbook Book

1. Introduction.

Security versus Business. What Is Intrusion Detection? The Most Common Intrusion Detection. Network- vs. Host-based Intrusion Detection. Anatomy of an Intrusion Detection System. Command Console. Network Sensor. Alert Notification. Response Subsystem. Database. Network Tap. Anatomy of an Intrusion Detection Process. Traditional Audit versus Intrusion Detection. Integrity Checkers. A Conceptual View of Misuse Detection. Detecting Deviations from Acceptable Behavior. Detecting Adherence to Known Unacceptable Behavior. Summary.

2. A Historical Perspective.

A Timeline. The Early Systems. Early Capabilities Comparison. Effectiveness. SSO Support/SSO Interface. Adaptability/Flexibility. Historical Lessons. Summary.

3. Network-Based Intrusion Detection Systems.

Introduction. Network-based Detection. Unauthorized Access. Data/Resource Theft. Denial of Service. Architecture. Traditional Sensor-Based Architecture. Distributed Network-Node Architecture. The Network Intrusion Detection Engine. Network Signatures. Operational Concept. Tip-Off. Surveillance. Forensics Workbench. Benefits of Network-based Intrusion Detection. Outsider Deterrence. Detection. Automated Response and Notification. Challenges for Network-based Technologies. Packet Reassembly. High-Speed Networks. Sniffer Detection Programs. Switched Networks. Encryption. Summary.

4. Host-Based Intrusion Detection Systems.

Introduction. Host-based Detection. Abuse of Privilege Attack Scenarios. Critical Data Access and Modification. Changes in Security Configuration. Architecture. Centralized Host-Based Architecture. Distributed Real-Time Architecture. Target Agent. Agentless Host-Based Intrusion Detection. Raw Data Archive. Operational Concept. Tip-Off. Surveillance. Damage Assessment. Compliance. Policy Management. Audit Policy. Detection Policy. Audit and Detection Policy Dependencies. Data Sources. Operating System Event Logs. Middleware Application Audit Sources. Application Audit Sources. Benefits of Host-based Intrusion Detection. Insider Deterrence. Detection. Notification and Response. Damage Assessment. Attack Anticipation. Prosecution Support. Behavioral Data Forensics. Challenges for Host-based Technologies. Performance. Deployment/Maintenance. Compromise. Spoofing. Summary.

5. Detection Technology and Techniques.

Introduction. Network Detection Mechanisms. Packet Content Signatures. Packet Header (Traffic) Analysis. Host-based Signatures. Single Event Signatures. Multi-event Signatures. Multi-host Signatures. Enterprise Signatures. Compound (Network and Host) Signatures. Signature Detection Mechanisms. Embedded. Programmable. Expert System. Other Techniques. Statistical Analysis. Metalanguage. Artificial Intelligence (Artificial Neural Network). Summary.

6. Intrusion Detection Myths.

Introduction. Myth 1: The Network Intrusion Detection Myth. The Network Intrusion Detection Revolution. Network Intrusion Detection Is Not Sufficient. What's the Difference Between Network- and Host-Based Detection? Comparing Host- and Network-Based Benefits. The Bottom Line. Myth 2: The False-Positive Myth. True/False Positive/Negative. Noisy Systems? There Is No Such Thing as a False-Positive. Bottom Line. Myth 3: The Automated Anomaly Detection Myth. Behavior Models. You Just Said There Are No False-Positives. The Training Problem (A Mini Myth). Anomaly Detection as Decision Support. Bottom Line. Myth 4: The Real-time Requirement Myth. Why Real-Time? The Costs of Real-Time. Real-Time versus In-Time. The Bottom Line. Myth 5: Inside the Firewall equals Insider Threat Detection. Insider Threats. Paradigm Shift. Bottom Line. Myth 6: The Automated Response Myth. Advertising. Automated Response = Risk. Characteristics of a Good Real-Time Automated Response. Bottom Line. Myth 7: The Artificial Intelligence Myth. New Attacks and AI. Root-Cause Analysis to Detect New Attacks. Bottom Line. Summary.

7. Effective Use.

Detecting Outsider Misuse (Hackers). Real-Life Misuse Example 1: Anomalous Outbound Traffic. Real-Life Misuse Example 2: Help! We're Being Swept! Detecting Insider Misuse. Real-Life Misuse Example 3: Unauthorized Access to Mission-Critical Data. Real-Life Misuse Example 4: Abuse of Privilege. Attack Anticipation (Extended Attacks). Real-Life Misuse Example 5: Embezzlement. Real-Life Misuse Example 6: Intellectual Property Theft. Surveillance. Real-Life Misuse Example 7: Surveillance. Policy Compliance Monitoring. Real-Life Misuse Example 8: User Logout at Night. Damage Assessment. Real-life Misuse Example 9: Corporate Espionage. Summary.

8. Behavioral Data Forensics in Intrusion Detection.

Introduction. Benefits of Behavioral Data Forensics. Data Mining. Forms and Formats. Data Volume. User-Centric versus Target-Centric Monitoring. Real-World Examples of Behavioral Data Forensics. Performance Improvement. Security. Workload Reduction. Security Policy. Data Mining Techniques. Data Presentation Refinement. Contextual Interpretation. Drill Down. Combining Data from Heterogeneous Sources. Combining Data from All-Band Resources. Behavioral data forensics Tutorial Examples. Example 1: Trending and Drill Down. Example 2: Target Browsing. Example 3: Critical File Browsing Trends. Example 4: Attack Anticipation (Tip-Off). Example 5: Target Overloaded. Other Examples. Summary.

9. Operational Use.

Introduction. Background Operation. On-demand Operation. Scheduled Operation. Real-time Operation. 2437 Monitoring. Incident Response. Escalation Procedures. Incident Triage. Incident Volume. Summary.

10. Intrusion Detection Project Lifecycle.

Introduction. Project Phases. Overlap. Resource Estimates. Calculating Total Cost of Ownership. Hidden Costs of Intrusion Detection. Project Planning/requirements Analysis. Acquisition. Pilot Phase. Deployment Phase. Policy Implementation. Promiscuous Network Sensor Deployments. Distributed Sensor Deployments. Tuning. Deployment Issues. Cultural. Legal. Politics. Target Ownership. Policy Management. Maintenance. Software Updates. Signature Updates. Summary.

11. Justifying Intrusion Detection.

Importance of Intrusion Detection in Security. Time-Based Security. Relaxing Access Controls. Threat Briefing. 1. CSI/FBI Study. A Recap of Misuse Examples. Insider Threats. Quantifying Risk. Problems with Quantitative Risk Assessment. Return on Investment. ROI and Risk Calculator. Behind the Scenes. Summary.

12. Requirements Definition.

Introduction. Tracking Nonrequirements. Developing a Requirements Document. What Are Your Goals For Intrusion Detection? Information Risk Management. Detection Requirements. Perimeter Threat Detection Requirements. Insider Threat Detection requirements. Compliance Monitoring Requirements. Response Requirements. Resource Classification. Using Intrusion Detection to Define Mission-Critical Data. Operations Requirements. Background Operations. On-Demand Operation. Scheduled Operation. Real-Time Operation. 24. ´ 7 Monitoring. Platform Coverage Requirements. Audit Source Requirements. Performance Requirements. Intrusion Detection System Performance. Network Resource Requirements. Scalability Requirements. Prosecution Requirements. Damage Assessment Requirements. Summary.

13. Tool Selection and Acquisition Process.

Introduction. Selection and Evaluation Process. Define Requirements. Conduct Research. Online Research. Conferences. Magazines. Request for Information. Establish Selection Criteria. Translate Environment-Specific Criteria. Criteria Weighting. Scoring. Evaluation. Conduct Evaluation. Request for Proposal. Cover Letter. RFP Example. Pilot Program. Speaking to References. Words of Wisdom. Summary.

14. Commercial Intrusion Detection Tools.

Introduction. Network (TCP/IP) Only. BlackICE/ICEcap—Network ICE. Dragon—Network Security Wizards. NFR ID Appliance—Network Flight Recorder. Secure Intrusion Detection System (NetRanger)—Cisco. Net Prowler—Axent. eTrust ID (Abirnet Sessionwall 23)— Computer Associates. Host-only Products. Computer Misuse Detection System (CMDS)—ODS Networks. Kane Security Monitor (KSM)—ODS Networks, Inc. SecureCom 8001 Internet Appliance (Hardware)— ODS Networks, Inc.? Intruder Alert (ITA)—Axent. PS Audit—Pentasafe. Operations Manager—Mission Critical. Hybrid Systems. Centrax—CyberSafe Corporation. Cyber Cop Monitor—Network Associates, Inc. RealSecure—Internet Security Systems. Summary.

15. Legal Issues.

Introduction. Law Enforcement/Criminal Prosecutions. Tort Litigation. Negligence Litigation. Better Technology. Y2K. Corporate Reluctance to Prosecute. Standard of Due Care. Responsibilities. One-Sided Liability. Evidentiary Issues. Rules of Evidence. Accuracy. Chain of Custody. Transparency. Case Study. Improving Evidentiary Veracity. Organizations. National White Collar Crime Center. National Cybercrime Training Partnership (NCTP). High Technology Crime Investigators Association (HTCIA). Summary.

16. Organizations, Standards, and Government Initiatives.

Introduction. Organizations. ICSA.net. SANS. Standards Bodies (Interoperability). What Should Be Standardized? Interoperability. Common Intrusion Detection Framework (CIDF). IETF Intrusion Detection Working Group (IDWG). Common Vulnerability and Exposures (CVE). U.S. Federal Government Initiatives. The National Security Telecommunications Advisory Committee (NSTAC). The Presidential Commission on Critical Infrastructure Protection (PCCIP). Presidential Decision Directive 63 (PDD-63). Summary.

17. Practical Intrusion Detection.

The Current State of Technology. The Future of Intrusion Detection. Network Intrusion Detection. Host-Based Intrusion Detection. Managed Services. Enterprise On-Demand Detection. Application Intrusion Detection. Standards for Interoperability. Prosecution Support. Real-Time versus In Time. Advice to Security Officers. Advice to Intrusion Detection Developers. My last Advice: Avoiding Confusion. Summary. After All.

Appendix A: Sample RFP.

Appendix B: Commercial Intrusion Detection Vendors.

Appendix C: Resources.

Index.