Index
Note: Page numbers followed by b indicate boxes, f indicate figures and t indicate tables.
A
Advanced Intrusion Detection Environment (AIDE), 72
Analysis process
  diagnosis
    candidate conditions, 432
  morbidity and mortality (M&M)
    practices
      cyber event categorization system, 441–442
      systems administration backgrounds, 439–440
  relational investigation
    additional degrees of subjects relation, 423f, 425
    perform preliminary investigation, 423f, 424
    primary relationships and current interaction, 423f, 424–425
    secondary subjects and relationships, 423f, 425
Anomaly-based detection, 150
Application directories and configuration files
Applied Collection Framework (ACF)
  cost/benefit analysis, 32
Argus
  solution architecture, 93
Autonomous system number (ASN), 405, 407
B
BASH tools
Berkeley Packet Filters (BPFs)
Bro platform
  log files
  out-of-the-box functionality, 256
C
Canary honeypot
  architecture
    exploitable and non-exploitable, 318
  Honeyd
  Honeydocs
  Kippo
    $HONEYPOT_SERVERS variable, 331
    logging authentication, 329
    network based detection, 328
  Tom’s Honeypot
    MSSQL and SIP protocols, 334
    specification services, 332
Center for Internet Security (CIS), 70–71
Collective intelligence framework (CIF)
  updating and adding indicator lists, 190–191
Custom detection tool
  Bro logs
    Conn::Info record type, 285
    lookup_location() function, 285
  configuration options
  darknet
    Conn_id record type, 274t
    new_connection event, 274
  file carving
  live network traffic
  selective file extraction
D
Detection mechanisms
Domain block list (DBL), 181
Don’t Route or Peer (DROP), 181
Dynamic Protocol Detection (DPD), 256–257
E
E-commerce server
  external asset compromise, 38–40
  internal asset compromise, 39–40
Exploits block list (XBL), 180
F
Friendly intelligence
  PRADS
    baseline asset model, 399
    home_nets IP range variable, 397, 397f
Friendly threat intelligence
  intelligence cycle
Full packet capture (FPC)
  collection
  data storage
    encrypted VPN tunnels, 113
    host to host communication, 113–115
    size-based retention strategy
    time-based retention strategy, 115–116
H
Hard disk storage
  sensor role modifiers, 53–54
Host-based intrusion detection (HIDS), 72
I
Indicators and signatures
  frameworks
  management
  static
    host-based forensic data, 153
  tuning
Information security M&M
  Devil’s Advocate method, 446
  strategic questioning, 446
Intelligence cycle
International Assigned Numbers Authority (IANA), 405
Intrusion detection system (IDS)
  header rules
    source and destination hosts, 231
    source and destination ports, 231
  rule options
    protocol header detection options, 245
    signature identifier (sid), 232
  rule tuning
    eliminate unwanted traffic, 249
    fast pattern matching, 251
    pair PCRE/content matches, 250
J
Justniffer
L
Logstash
  field metrics examination, 141, 141f
  individual logs examination, 140, 140f
  Java Runtime Environment, 135
M
Malware domain list (MDL), 177
Multipurpose Internet Mail Extensions (MIME), 265b
N
Network Address Translation (NAT), 62
Network asset model
Network-based intrusion detection (NIDS), 72
Network Interface Card (NIC), 54–56
Network Security Monitoring (NSM)
  anomaly
  asset
  attack sense and warning
  cyclical process
  definition
  exploit
  human analyst
    classifying analysts, 14–15
    culture requirements, 16–17
    servant leadership, 18–19
    systems administration, 14
    vulnerability-centric model, 15–16
  incident
  information operations, 6–7
  risk management
  security onion (SO)
  vulnerability
  vulnerability-centric vs. threat-centric defense
O
Online retailer
  e-commerce server
    external asset compromise, 38–40
    internal asset compromise, 39–40
  organizational threats
P
Packet analysis
  dissecting packets
  tcpdump
  tshark
    changing time display formats, 365–366
Packet filtering
  BPFs
  wireshark display filters
    individual protocol fields, 380
Packet math
  converting hex to binary and decimal, 346–347
  counting bytes
Packet string (PSTR) data, 45
  viewing mechanisms
Passive asset detection system (PADS), 395
Passive Real-time Asset Detection System (PRADS)
  baseline asset model, 399
  home_nets IP range variable, 397, 397f
Perl compatible regular expressions (PCRE), 242–243
Personally Identifiable Information (PII), 35–36
Planning data collection
Policy Block List (PBL), 181
Q
Quantify risk
R
Relational investigation scenario
  primary and secondary subjects, 428f
  primary relationships and current interaction, 426–428, 427f
  secondary subjects and relationships, 429
Reputation-based detection
  BASH scripts
  Bro
  CIF
    updating and adding indicator lists, 190–191
  drawbacks
    advertising networks, 183
  public reputation lists
  Suricata IP
    default-reputation-path, 196
    IP reputation capability, 195
S
Security Onion (SO)
Security onion control scripts
  high level commands
  sensor control commands
    nsm_sensor_backup-config, 454
    nsm_sensor_backup-data, 454
    nsm_sensor_ps-daily-restart, 455
    nsm_sensor_ps-status, 455
  server control commands
    nsm_server_backup-config, 452
    nsm_server_backup-data, 452
    nsm_server_ps-restart, 453
    nsm_server_ps-status, 452
    nsm_server_sensor-add, 453
    nsm_server_sensor-del, 453
Sensor hardware
  aggregated and non-aggregated taps, 58
  bidirectional traffic, 60, 61f
  sensor role modifiers, 53–54
  socket buffer requirements, 56
Sensor placement
  ingress/egress points, 62–63
  internal IP addresses
    drive-by download attack, 64
  visibility diagrams, 68–69
Sensor platform
  hardware
    aggregated and non-aggregated taps, 58
    bidirectional traffic, 60, 61f
    sensor role modifiers, 53–54
    socket buffer requirements, 56
  NSM data types
  security
    limit internet access, 71
    two-factor authentication, 72
Session data
  Argus
    solution architecture, 93
  collection
    hardware generation, 81–82
  data storage considerations, 95–97
  communication sequence, 78
Signature-based detection, 150
Snort and Suricata
  architecture
  configuration
    fast alerting format, 224
    syslog alerting format, 225
  “lightweight” system, 205
Spamhaus block list (SBL), 180
Statistical anomaly-based detection
  Afterglow
    outbound communication link graph, 314, 315f
    friendly host and multiple hosts, 300, 300f
  Gnuplot
  Google Charts
Suricata
  default-reputation-path, 196
  IP reputation capability, 195
System for Internet-Level Knowledge (SiLK)
  piping data and rwtools
    Top-N/Bottom-N calculations, 90
  service discovery
    server identification, 294
  top talkers
T
Tcpdump
Threat-centric defense
Threat intelligence
  hostile host
    IP and domain registration
    IP and domain reputation
  Cuckoo Sandbox and Malwr.com, 415–417
  Team Cymru Malware Hash Registry, 419–420
Tshark
U
V
Virtual Local Area Networks (VLANs), 71–72
Voice over IP (VoIP), 335
Vulnerability-centric approach
W
Wireshark
  changing time display formats, 365–366
Y
Yet Another Flowmeter (YAF), 82–83
Z