Index

Note: Page numbers followed by b indicate boxes, f indicate figures and t indicate tables.

A

Advanced Intrusion Detection Environment (AIDE), 72
Analysis process
diagnosis
candidate conditions, 432
diagnosis, 432
evaluation, 431–432
scenarios, 433–438
symptoms list, 431
morbidity and mortality (M&M)
audience, 444
information security, See (Information security M&M)
practices
ArcSight, 441
assumptions, 438–439
background, 439–440
cyber event categorization system, 441–442
NetWitness, 441
Network Miner, 441
rule of 10’s, 442
SIEM solution, 439
systems administration backgrounds, 439–440
Wireshark, 441
relational investigation
additional degrees of subjects relation, 423f, 425
perform preliminary investigation, 423f, 424
primary relationships and current interaction, 423f, 424–425
primary subjects, 423f, 424
secondary subjects and relationships, 423f, 425
Anomaly-based detection, 150
Application directories and configuration files
Bro, 458
ELSA, 458
PRADS, 458
PulledPork, 457–458
Security Onion, 457
sensor tools store, 458
Sguil, 458
Snorby, 458
Snort/Suricata, 457
Syslog-NG, 458
Applied Collection Framework (ACF)
cost/benefit analysis, 32
data identification, 32
host-based data, 33
network-based data, 33
NSM collection, 34
quantify risk, 30–31
threats, 29–30
Argus
data retrieval, 94–95
definition, 92–93
features, 93
resources, 95
solution architecture, 93
Autonomous system number (ASN), 405, 407

B

BASH tools
ETags, 144
grep, 143–144, 145
sed, 145
sed command output, 145f
user agent, 145, 146f
Berkeley Packet Filters (BPFs)
expression, 377, 378t
primitive, 377
qualifiers, 377, 378t
TCP header, 379
TCP/IP protocols, 379
TTL field, 379
Bro platform
custom detection tool, See (Custom detection tool)
execution, 257–258
HTTP request, 257
log files
bro-cut output, 260
creation, 258
HTTP transaction, 261
ID field, 261–262
print format, 259–260
out-of-the-box functionality, 256

C

Canary honeypot
architecture
alerting and logging, 322–323
devices and services, 320–321
placement, 321
definition, 317
exploitable and non-exploitable, 318
Honeyd
ansm_winserver_1, 324
configuration file, 324
default settings, 324
HTTP client header, 327
IDS rule, 327
IDS sensor, 326
log output, 325, 326f
port scanning, 325
WSUS and SMS, 326
Honeydocs
creation, 335
HTML img tag, 335
output, 336
web interface, 337
Kippo
attacker’s actions, 330
fake file system, 329, 330f
$HONEYPOT_SERVERS variable, 331
logging authentication, 329
network based detection, 328
OSSEC, 331–332
SSH service, 328
TTY log, 330, 331f
Tom’s Honeypot
MSSQL and SIP protocols, 334
Ncrack tool, 334
Python script, 332
RDP protocol, 333
Security Onion, 332
SIP protocol, 335
specification services, 332
VoIP services, 335
types of, 319–320
Center for Internet Security (CIS), 70–71
Collective intelligence framework (CIF)
deploying indicators, 192–193
querying indicators, 191–192
updating and adding indicator lists, 190–191
Custom detection tool
Bro logs
connection log, 286f
conn-geoip.bro file, 284
Conn::Info record type, 285
lookup_location() function, 285
&optional tag, 285
configuration options
ExtractFiles, 270
GIF and HTML files, 271, 272f
interesting_types, 269
MIME types, 271, 271f
darknet
allowed_darknet_talkers, 279–280
cat() function, 274
Conn_id record type, 274t
creation, 272
dark host, 278, 282
Darknet_Traffic, 275
e-mailing, 282–283
hook function, 281
ICMP traffic, 277–278
IP address, 272, 276
n$actions variable, 281
new_connection event, 274
NOTICE function, 275
notice suppression, 275–276
script, 278–279
file carving
extract-files.bro, 263, 265f
file extractor output, 264, 264f
file_new event, 264
PCAP file, 263
live network traffic
broctl check, 268
broctl install, 268
broctl restart, 268
configuration, 267
EXTRACT analyzer, 268
file extraction code, 267, 267f
packaging, 269
selective file extraction
Bro command, 266
MIME type, 265

D

Daemonlogger, 102–104
Data link layer, 350
Detection mechanisms
reputation-based, See (Reputation-based detection)
Snort, 193–194
statistical anomaly-based, See (Statistical anomaly-based detection)
Suricata, See (Suricata)
Domain block list (DBL), 181
Don’t Route or Peer (DROP), 181
Dumpcap, 101–102
Dynamic Protocol Detection (DPD), 256–257

E

E-commerce server
external asset compromise, 38–40
host-based server, 41–42
internal asset compromise, 39–40
network-based server, 41
Exploits block list (XBL), 180

F

Fprobe, 82
Friendly intelligence
network asset model, 390–391
grep command, 394, 395f
Nmap, 392
ping scan, 392, 392f
SYN port scan, 393, 394f
SYN scan, 393, 393f
PRADS
asset report, 399, 400f
baseline asset model, 399
home_nets IP range variable, 397, 397f
individual IP address, 400, 401f
log entries, 396f
log file, 397, 397f
new asset alerts, 399
PADS, 395
Sguil, 395
Sguil query, 398, 398f
Friendly threat intelligence
friendly intelligence, See (Friendly intelligence)
intelligence cycle
analysis, 389
collection, 388
defined requirement, 387
dissemination, 389–390
planning, 388
processing, 388–389
threat intelligence, See (Threat intelligence)
Full packet capture (FPC)
collection
Netsniff-NG and IFPPS, 107–109
session data, 109–111
storage considerations, 106–107
tool, 105–106
Daemonlogger, 102–104
data storage
destination ports, 112
encrypted VPN tunnels, 113
host to host communication, 113–115
HTTP traffic, 112
source ports, 111
TCP/443 traffic, 112, 113
Dumpcap, 101–102
Netsniff-NG, 104–105
PCAP data, 99–100
PCAP-NG format, 100–101, 101f
size-based retention strategy
BASH script, 116, 118
dir variable, 118
Security Onion, 120
time-based retention strategy, 115–116

H

Hard disk storage
calculations, 52
data retention goals, 53
sensor role modifiers, 53–54
Honeypot, See Canary honeypot
Host-based forensics, 14
Host-based intrusion detection (HIDS), 72
Httpry, 128–130

I

Indicators and signatures
critical criteria, 160–161
evolution, 157–158
features, 151
frameworks
OpenIOC, 169–171
STIX, 171–173
host and network, 151–152
management
CSV files, 163
data backup, 163
deployment tracking, 162–163
master list, 163–166
raw data format, 162
revision table, 166–168
revision tracking, 162
static
atomic, 152, 153f
behavioral, 152, 153f
computed, 152, 153f
host-based forensic data, 153
NSM data, 153
tuning
false negative, 159
false positive, 159
precision, 159–160
true negative, 159
true positive, 158
variable, 155–157
Information security M&M
alternative analysis (AA), 446–447
Devil's Advocate method, 446
peers, 445
presentation, 445–446
presenter(s), 445
strategic questioning, 446
tips, 448
Intelligence cycle
analysis, 389
collection, 388
defined requirement, 387
dissemination, 389–390
planning, 388
processing, 388–389
International Assigned Numbers Authority (IANA), 405
Intrusion detection system (IDS)
header rules
protocol, 230–231
rule action, 230
source and destination hosts, 231
source and destination ports, 231
traffic direction, 231
rule anatomy, 229–245
rule options
classification, 235
communication flow, 243–245
distance modifier, 239–240
HTTP content modifiers, 240–241
message (msg), 232
nocase modifier, 237
offset modifier, 237–238
PCRE, 242–243
priority, 235
protocol header detection options, 245
reference, 233–234
revision (rev), 232–233
signature identifier (sid), 232
rule tuning
alert detection filters, 248–249
alert suppression, 247–248
eliminate unwanted traffic, 249
event filtering, 245–247
fast pattern matching, 251
manually test rules, 237–238
pair PCRE/content matches, 250
vulnerability, 249–250

J

Justniffer
BASH script, 130–131
installation steps, 131
multi-line log, 132
Python script, 130–131
request.header, 131
response.header, 131
single line log, 133

L

Logstash
advantages, 135
Dsniff, 137
execution, 136
field metrics examination, 141, 141f
GROK, 138, 139, 142, 142f
individual logs examination, 140, 140f
Java Runtime Environment, 135
log data viewing, 136
match filter, 138
open ports, 136f
sensor name, 138
URLsnarf logs, 141
urlsnarf-parse.conf, 135

M

Malware analysis, 14
Malware domain list (MDL), 177
Multipurpose Internet Mail Extensions (MIME), 265b

N

Netsniff-NG, 104–105
Network Address Translation (NAT), 62
Network asset model
grep command, 394, 395f
Nmap, 392
ping scan, 392, 392f
SYN port scan, 393, 394f
SYN scan, 393, 393f
Network-based intrusion detection (NIDS), 72
Network Interface Card (NIC), 54–56
Network Security Monitoring (NSM)
anomaly, 5
asset, 3
attack sense and warning, 7
cyclical process
analysis, 11
collection, 10
detection, 10–11
definition, 6
exploit, 4
human analyst
baseline skills, 13
classifying analysts, 14–15
culture requirements, 16–17
defensive tactics, 13–14
host-based forensics, 14
learning opportunity, 18
malware analysis, 14
offensive tactics, 13
professional growth, 17
programming, 14
reinforcement, 18
servant leadership, 18–19
superstar, 17–18
systems administration, 14
teamwork, 17
vulnerability-centric model, 15–16
incident, 5
information operations, 6–7
intrusion detection, 5–6
issues, 11–12
protect domain, 2–3
risk management, 4
security onion (SO)
installation, 19–20
setup process, 22–24
testing, 22–24
update, 21
threat, 3–4
vulnerability, 4
vulnerability-centric vs. threat-centric defense, 8, 9
Nibbles, 344, 346–347
NOTICE function, 275

O

Offensive tactics, 13
Online retailer
customer PII, 37–38
e-commerce server
external asset compromise, 38–40
host-based, 41–42
internal asset compromise, 39–40
network-based, 41
organizational threats
customer PII, 35–36
e-commerce service, 36
PDI network, 34–35, 35f
quantify risk, 36–37
OpenIOC, 169–171

P

Packet analysis
definition, 342
dissecting packets
Ethernet header, 350, 351f
IP header, 352, 352f
MAC addresses, 350–352, 351f
TCP protocol, 353–354, 353f, 354f
hexadecimal form, 344
HTTP GET request, 342–343, 344f
networking protocol, 342
nibbles, 344
packet filtering, See (Packet filtering)
packet math, See (Packet math)
tcpdump
ASCII, 357, 358, 358f
-F argument, 359
hex format, 357, 357f
-r command, 356
Unix environments, 355
verbosity, 356, 357f
-w argument, 359
tshark
ASCII format, 361, 361f
-f argument, 362
HTTP statistics, 362f
-R argument, 362
-r command, 360, 360f
-t ad option, 360–361, 361f
-V argument, 360, 360f
Wireshark, 342–343, 343f
adding custom columns, 373–374
capture/display filters, 375–376
capture summary, 366–367
capturing packets, 363–365
changing time display formats, 365–366
endpoints/conversations, 368–369
exporting objects, 372
IO graph, 370–371
multiplatform tool, 363
protocol dissectors, 374–375
protocol hierarchy, 367–368
streams, 369–370
Packet filtering
BPFs
expression, 377, 378t
primitive, 377
qualifiers, 377, 378t
TCP header, 379
TCP/IP protocols, 379
TTL field, 379
Wireshark display filters
field name, 381
filter expression, 383, 383t
individual protocol fields, 380
logical operators, 382, 382t
relational operator, 381, 381t
value types, 381, 382t
Packet math
converting binary byte to hex, 345, 345f, 346f
converting hex to binary and decimal, 346–347
counting bytes
basic IP packet, 347, 348f
IP address fields, 349, 350f
IP header, 347, 348f
IP header length field, 349, 349f
IP protocol field, 348, 349f
Packet string (PSTR) data, 45
data collection, 124–134
Httpry, 128–130
Justniffer, See (Justniffer)
manual generation, 126–127
URLSnarf, 127–128
definition, 122
log style, 122f, 123, 123f
payload style, 123, 124f
viewing mechanisms
BASH tools, See (BASH tools)
Logstash, See (Logstash)
Passive asset detection system (PADS), 395
Passive Real-time Asset Detection System (PRADS)
asset report, 399, 400f
baseline asset model, 399
home_nets IP range variable, 397, 397f
individual IP address, 400, 401f
log entries, 396f
log file, 397, 397f
new asset alerts, 399
PADS, 395
Sguil, 395
Sguil query, 398, 398f
Perl compatible regular expressions (PCRE), 242–243
Personally Identifiable Information (PII), 35–36
PF_Ring +DNA, 56
PhishTank, 179
Planning data collection
online retailer, See (Online retailer)
Policy Block List (PBL), 181
PulledPork, 22, 221–222, 223, 457–458
Purple Dog Inc. (PDI), 34–35, 35f

Q

Quantify risk
ACF, 30–31
online retailer, 36–37

R

Relational investigation scenario
primary and secondary subjects, 428f
primary relationships and current interaction, 426–428, 427f
primary subjects, 426, 426f
secondary subjects and relationships, 429
subjects relationship, 429, 430f
Reputation-based detection
BASH scripts
download and parsing, 184–186
malicious domains, 188–189
malicious IP addresses, 186–187
Bro
data types, 197, 198t
intel framework, 198
intel.log, 200
meta.do_notice, 199
meta.if_in, 199
meta.source, 199
reputation list, 198f
CIF
deploying indicators, 192–193
querying indicators, 191–192
updating and adding indicator lists, 190–191
definition, 175–176
drawbacks
advertising networks, 183
automatic blocking, 182
false positives, 183–184
pruning, 182
shared servers, 183
public reputation lists
benefits, 176
DBL, 181
DROP, 181
MDL, 177
negative aspects, 176–177
PBL, 181
PhishTank, 179
SBL, 180
Tor exit node, 179
XBL, 180
Snort IP, 193–194
Suricata IP
categories file, 196
default-reputation-path, 196
iprep directive, 196, 197f
IP reputation capability, 195

S

Security Onion (SO)
Canary honeypot, 332
FPC, 120
installation, 19–20
setup process, 22–24
SiLK, 87
testing, 22–24
update, 21
Security onion control scripts
high level commands
nsm, 451
nsm_all_del, 451
nsm_all_del_quick, 451
sensor control commands
nsm_sensor, 453
nsm_sensor_add, 454
nsm_sensor_backup-config, 454
nsm_sensor_backup-data, 454
nsm_sensor_clean, 454
nsm_sensor_clear, 454
nsm_sensor_del, 454
nsm_sensor_edit, 454–455
nsm_sensor_ps-daily-restart, 455
nsm_sensor_ps-restart, 455–456
nsm_sensor_ps-start, 455
nsm_sensor_ps-status, 455
nsm_sensor_ps-stop, 455
rule-update, 456
server control commands
nsm_server, 451
nsm_server_add, 452
nsm_server_backup-config, 452
nsm_server_backup-data, 452
nsm_server_clear, 452
nsm_server_del, 452
nsm_server_edit, 452
nsm_server_ps-restart, 453
nsm_server_ps-start, 453
nsm_server_ps-status, 452
nsm_server_ps-stop, 453
nsm_server_sensor-add, 453
nsm_server_sensor-del, 453
nsm_server_user-add, 453
Sensor hardware
aggregated and non-aggregated taps, 58
bidirectional traffic, 60, 61f
calculations, 52
CPU, 49–50
data retention goals, 53
memory, 51
network tap, 57–58, 58f
NIC, 54–56
sensor role modifiers, 53–54
socket buffer requirements, 56
SPAN port, 56–57, 57f
unidirectional traffic, 59–60, 60f
Sensor placement
critical assets, 66–68
goal of, 61
ingress/egress points, 62–63
internal IP addresses
drive-by download attack, 64
malicious activity, 65
NetFlow data, 65, 66
router, 63
resources, 62
visibility diagrams, 68–69
Sensor platform
hardware
aggregated and non-aggregated taps, 58
bidirectional traffic, 60, 61f
calculations, 52
CPU, 49–50
data retention goals, 53
memory, 51
network tap, 57–58, 58f
NIC, 54–56
sensor role modifiers, 53–54
socket buffer requirements, 56
SPAN port, 56–57, 57f
unidirectional traffic, 59–60, 60f
NSM data types
alert data, 46–47
FPC data, 45
log data, 45
PSTR, 45
session data, 45
statistical data, 45
operating system, 61
placement, See (Sensor placement)
security
HIDS, 72
installation, 71
limit internet access, 71
NIDS, 72
operating system, 70–71
software, 70
two-factor authentication, 72
VLAN segmentation, 71–72
types, 47–48
Session data
Argus
data retrieval, 94–95
definition, 92–93
features, 93
resources, 95
solution architecture, 93
benefit, 76
collection
Fprobe, 82
hardware generation, 81–82
YAF, 82–83
data storage considerations, 95–97
flow record, 76
aggregation, 76–77
communication sequence, 78
IPFIX, 80
NetFlow V5, 79–80
NetFlow V9, 80
sFlow, 81
5-tuple attribute, 77
unidirectional flows, 78
web browsing, 79
FPC data, 76
Signature-based detection, 150
Snort, 193–194
Snort and Suricata
architecture
NIDS Mode, 206, 207f
open source IDS, 208
packet sniffer mode, 206
runmode, 209–210
sensor status, 208f
sniffer mode, 206
configuration
command line arguments, 227–229
fast alerting format, 224
full alerting format, 224–225
IP variables, 215–218
packet logging, 225
port variables, 217–218
preprocessors, 226–227
public rule sources, 221
PulledPork, 221–222
rules in Security Onion, 222–223
snort.conf, 214
Snort rule files, 218–219
standard variables, 218
Suricata rule files, 220
suricata.yaml, 214
syslog alerting format, 225
Unified2, 226
IDS engine, 211
initialization, 211–214, 213f, 214f
installation guides, 205
“lightweight” system, 205
sensor status, 205f
Sguil, 254
Snorby, 253
Spamhaus block list (SBL), 180
Statistical anomaly-based detection
Afterglow
Gephi, 310
Graphviz, 310, 311
Neato, 311
NetFlow link graph, 311, 312f
outbound communication link graph, 314, 315f
three-column mode, 313
definition, 289
friendly host and multiple hosts, 300, 300f
Gnuplot
BASH script, 305
data spread, 303f
rwcount, 302
rwfilter, 302
throughput graph, 304, 304f
Google Charts
CSV file, 306
directory, 308
linechart.html, 308, 309
throughput graph, 308, 308f
Snort Zeus alert, 299f
UDP port 123, 300–301
Zeus botnet, 299
STIX, 171–173
Suricata
categories file, 196
default-reputation-path, 196
iprep directive, 196, 197f
IP reputation capability, 195
System for Internet-Level Knowledge (SiLK)
analysis toolset, 86
definition, 83
documentation, 83, 85
flow types, 85–86
packing process, 85
piping data and rwtools
flow data, 90
PCAP data, 91
rwcount, 88, 89
rwsetbuild, 89
rwstats query, 91
Top-N/Bottom-N calculations, 90
resources, 92
rwfilter command, 87–88
rwflowpack, 85
Security Onion, 87
service discovery
DNS servers, 298
drill down, 296
Email servers, 297
FTP servers, 298
Leftover servers, 298
server identification, 294
server ports, 294, 295f
SSH servers, 298
TELNET servers, 298
VPN servers, 298
web servers, 297
toolset, 83–84
top talkers
rwcount, 293, 293f
rwfilter, 290, 291
rwstats, 290, 291
rwstats output, 291f
service usage, 292f
single host, 292f
workflow, 84

T

Tcpdump
ASCII, 357, 358, 358f
-F argument, 359
hex format, 357, 357f
-r command, 356
Unix environments, 355
verbosity, 356, 357f
-w argument, 359
Threat-centric defense, 8, 9
Threat intelligence
hostile host
internal data sources, 403–404
OSINT, 404–413
IP and domain registration
ASN, 407
domain information, 407–408
IANA, 405
Robtex, 409, 409f
IP and domain reputation
Cuckoo Sandbox and Malwr.com, 415–417
IPVoid, 410, 411f
OSINT, 413–420
Team Cymru Malware Hash Registry, 419–420
ThreatExpert, 417–419
URLVoid, 410, 410f
VirusTotal, 414–415
operational, 402
strategy, 402
tactical, 402–403
Tor exit node list, 179
Tshark
ASCII format, 361, 361f
-f argument, 362
HTTP statistics, 362f
-R argument, 362
-r command, 360, 360f
-t ad option, 360–361, 361f
-V argument, 360, 360f

U

Unified2, 208, 226
URLSnarf, 127–128

V

Virtual Local Area Networks (VLANs), 71–72
Voice over IP (VoIP), 335
Vulnerability-centric approach, 8, 9

W

Wireshark
adding custom columns, 373–374
capture/display filters, 375–376
capture summary, 366–367
capturing packets, 363–365
changing time display formats, 365–366
endpoints/conversations, 368–369
exporting objects, 372
IO graph, 370–371
multiplatform tool, 363
protocol dissectors, 374–375
protocol hierarchy, 367–368
streams, 369–370

Y

Yet Another Flowmeter (YAF), 82–83

Z

ZeuS and SpyEye trackers, 178–179