Index
Note: Page numbers followed by b indicate boxes, f indicate figures and t indicate tables.
A
Advanced Intrusion Detection Environment (AIDE), 72
Analysis process
diagnosis
candidate conditions, 432
diagnosis, 432
evaluation, 431–432
scenarios, 433–438
symptoms list, 431
morbidity and mortality (M&M)
audience, 444
information security, See (Information security M&M)
practices
Arcsight, 441
assumptions, 438–439
background, 439–440
cyber event categorization system, 441–442
Netwitness, 441
Network Miner, 441
rule of 10’s, 442
SIEM solution, 439
systems administration backgrounds, 439–440
Wireshark, 441
relational investigation
scenario, See (Relational investigation scenario)
Anomaly-based detection, 150
Application directories and configuration files
Bro, 458
ELSA, 458
PRADS, 458
PulledPork, 457–458
security onion, 457
sensor tools store, 458
Sguil, 458
Snorby, 458
Snort/Suricata, 457
Syslog-NG, 458
Applied Collection Framework (ACF)
cost/benefit analysis, 32
data identification, 32
host-based data, 33
network-based data, 33
NSM collection, 34
quantify risk, 30–31
threats, 29–30
Argus
data retrieval, 94–95
definition, 92–93
features, 93
resources, 95
solution architecture, 93
B
BASH tools
awk, 143–144
ETags, 144
sed, 145
sed command output, 145f
Berkeley Packet Filters (BPFs)
primitive, 377
TCP header, 379
TCP/IP protocols, 379
TTL field, 379
Bro platform
custom detection tool, See (Custom detection tool)
DPD, 256–257
execution, 257–258
HTTP request, 257
log files
bro-cut output, 260
creation, 258
HTTP transaction, 261
ID field, 261–262
print format, 259–260
out-of-the-box functionality, 256
C
Canary honeypot
architecture
alerting and logging, 322–323
devices and services, 320–321
placement, 321
definition, 317
exploitable and non-exploitable, 318
Honeyd
ansm_winserver_1, 324
configuration file, 324
default settings, 324
HTTP client header, 327
IDS rule, 327
IDS sensor, 326
port scanning, 325
WSUS and SMS, 326
Honeydocs
creation, 335
HTML img tag, 335
output, 336
web interface, 337
Kippo
attacker’s actions, 330
$HONEYPOT_SERVERS variable, 331
logging authentication, 329
network based detection, 328
OSSEC, 331–332
SSH service, 328
Tom’s Honeypot
MSSQL and SIP protocols, 334
Ncrack tool, 334
Python script, 332
RDP protocol, 333
Security Onion, 332
SIP protocol, 335
specification services, 332
VoIP services, 335
types of, 319–320
Center for Internet Security (CIS), 70–71
Collective intelligence framework (CIF)
deploying indicators, 192–193
querying indicators, 191–192
updating and adding indicator lists, 190–191
Custom detection tool
Bro logs
connection log, 286f
conn-geoip.bro file, 284
Conn::Info record type, 285
lookup_location() function, 285
&optional tag, 285
configuration options
ExtractFiles, 270
interesting_types, 269
darknet
allowed_darknet_talkers, 279–280
cat() function, 274
Conn_id record type, 274t
creation, 272
Darknet_Traffic, 275
e-mailing, 282–283
hook function, 281
ICMP traffic, 277–278
n$actions variable, 281
new_connection event, 274
NOTICE function, 275
notice suppression, 275–276
script, 278–279
file carving
file_new event, 264
PCAP file, 263
live network traffic
broctl check, 268
broctl install, 268
broctl restart, 268
configuration, 267
EXTRACT analyzer, 268
packaging, 269
selective file extraction
Bro command, 266
MIME type, 265
D
Daemonlogger, 102–104
Data link layer, 350
Detection mechanisms
reputation-based, See (Reputation-based detection)
Snort, 193–194
statistical anomaly-based, See (Statistical anomaly-based detection)
Suricata, See (Suricata)
Domain block list (DBL), 181
Don’t Route or Peer (DROP), 181
Dumpcap, 101–102
Dynamic Protocol Detection (DPD), 256–257
E
E-commerce server
external asset compromise, 38–40
host-based server, 41–42
internal asset compromise, 39–40
network-based server, 41
Exploits block list (XBL), 180
F
Fprobe, 82
Friendly intelligence
network asset model, 390–391
Nmap, 392
PRADS
baseline asset model, 399
log entries, 396f
new asset alerts, 399
PADS, 395
Sguil, 395
Friendly threat intelligence
friendly intelligence, See (Friendly intelligence)
intelligence cycle
analysis, 389
collection, 388
defined requirement, 387
dissemination, 389–390
planning, 388
processing, 388–389
threat intelligence, See (Threat intelligence)
Full packet capture (FPC)
collection
Netsniff-NG and IFPPS, 107–109
session data, 109–111
storage considerations, 106–107
tool, 105–106
Daemonlogger, 102–104
data storage
destination ports, 112
encrypted VPN tunnels, 113
host to host communication, 113–115
HTTP traffic, 112
source ports, 111
Dumpcap, 101–102
Netsniff-NG, 104–105
PCAP data, 99–100
size-based retention strategy
dir variable, 118
Security Onion, 120
time-based retention strategy, 115–116
H
Hard disk storage
calculations, 52
data retention goals, 53
sensor role modifiers, 53–54
Honeypot, See Canary honeypot
Host-based forensics, 14
Host-based intrusion detection (HIDS), 72
Httpry, 128–130
I
Indicators and signatures
critical criteria, 160–161
evolution, 157–158
features, 151
frameworks
OpenIOC, 169–171
STIX, 171–173
host and network, 151–152
management
CSV files, 163
data backup, 163
deployment tracking, 162–163
master list, 163–166
raw data format, 162
revision table, 166–168
revision tracking, 162
static
host-based forensic data, 153
NSM data, 153
tuning
false negative, 159
false positive, 159
precision, 159–160
true negative, 159
true positive, 158
variable, 155–157
Information security M&M
alternative analysis (AA), 446–447
Devils Advocate method, 446
peers, 445
presentation, 445–446
presenter(s), 445
strategic questioning, 446
tips, 448
Intelligence cycle
analysis, 389
collection, 388
defined requirement, 387
dissemination, 389–390
planning, 388
processing, 388–389
International Assigned Numbers Authority (IANA), 405
Intrusion detection system (IDS)
header rules
protocol, 230–231
rule action, 230
source and destination hosts, 231
source and destination ports, 231
traffic direction, 231
rule anatomy, 229–245
rule options
classification, 235
communication flow, 243–245
distance modifier, 239–240
HTTP content modifiers, 240–241
message (msg), 232
nocase modifier, 237
offset modifier, 237–238
PCRE, 242–243
priority, 235
protocol header detection options, 245
reference, 233–234
revision (rev), 232–233
signature identifier (sid), 232
rule tuning
alert detection filters, 248–249
alert suppression, 247–248
eliminate unwanted traffic, 249
event filtering, 245–247
fast pattern matching, 251
manually test rules, 237–238
pair PCRE/content matches, 250
vulnerability, 249–250
J
Justniffer
BASH script, 130–131
installion steps, 131
multi-line log, 132
Python script, 130–131
request.header, 131
response.header, 131
single line log, 133
L
Logstash
advantages, 135
Dsniff, 137
execution, 136
Java Runtime Environment, 135
log data viewing, 136
match filter, 138
open ports, 136f
sensor name, 138
URLsnarf logs, 141
urlsnarf-parse.conf, 135
M
Malware analysis, 14
Malware domain list (MDL), 177
Multipurpose Internet Mail Extensions (MIME), 265b
N
Netsniff-NG, 104–105
Network Address Translation (NAT), 62
Network asset model
Nmap, 392
Network-based intrusion detection (HIDS), 72
Network Interface Card (NIC), 54–56
Network Security Monitoring (NSM)
anomaly, 5
asset, 3
attack sense and warning, 7
cyclical process
analysis, 11
collection, 10
detection, 10–11
definition, 6
exploit, 4
human analyst
baseline skills, 13
classifying analysts, 14–15
culture requirements, 16–17
defensive tactics, 13–14
host-based forensics, 14
learning opportunity, 18
malware analysis, 14
offensive tactics, 13
professional growth, 17
programming, 14
reinforcement, 18
servant leadership, 18–19
superstar, 17–18
systems administration, 14
teamwork, 17
vulnerability-centric model, 15–16
incident, 5
information operations, 6–7
intrusion detection, 5–6
issues, 11–12
protect domain, 2–3
risk management, 4
security onion (SO)
installation, 19–20
setup process, 22–24
testing, 22–24
updation, 21
threat, 3–4
vulnerability, 4
NOTICE function, 275
O
Offensive tactics, 13
Online retailer
customer PII, 37–38
e-commerce server
external asset compromise, 38–40
host-based, 41–42
internal asset compromise, 39–40
network-based, 41
organizational threats
customer PII, 35–36
e-commerce service, 36
quantify risk, 36–37
OpenIOC, 169–171
P
Packet analysis
definition, 342
dissecting packets
hexadecimal form, 344
networking protocol, 342
nibbles, 344
packet filtering, See (Packet filtering)
packet math, See (Packet math)
tcpdump
-F argument, 359
-r command, 356
unix environments, 355
-w argument, 359
tshark
–f argument, 362
HTTP statistics, 362f
–R argument, 362
adding custom columns, 373–374
capture/display filters, 375–376
capture summary, 366–367
capturing packets, 363–365
changing time display formats, 365–366
endpoints/conversations, 368–369
exporting objects, 372
IO graph, 370–371
multiplatform tool, 363
protocol dissectors, 374–375
protocol hierarchy, 367–368
streams, 369–370
Packet filtering
BPFs
primitive, 377
TCP header, 379
TCP/IP protocols, 379
TTL field, 379
wireshark display filters
field name, 381
individual protocol fields, 380
Packet math
converting hex to binary and decimal, 346–347
counting bytes
Packet string (PSTR) data, 45
data collection, 124–134
Httpry, 128–130
Justniffer, See (Justniffer)
manual generation, 126–127
URLSnarf, 127–128
definition, 122
viewing mechanisms
BASH tools, See (BASH tools)
Logstash, See (Logstash)
Passive asset detection system (PADS), 395
Passive Real-time Asset Detection System (PRADS)
baseline asset model, 399
log entries, 396f
new asset alerts, 399
PADS, 395
Sguil, 395
Perl compatible regular expressions (PCRE), 242–243
Personally Identifiable Information (PII), 35–36
PF_Ring +DNA, 56
PhishTank, 179
Planning data collection
ACF, See (Applied Collection Framework (ACF))
online retailer, See (Online retailer)
Policy Block List (PBL), 181
Q
Quantify risk
ACF, 30–31
online retailer, 36–37
R
Relational investigation scenario
primary and secondary subjects, 428f
secondary subjects and relationships, 429
Reputation-based detection
BASH scripts
download and parsing, 184–186
malicious domains, 188–189
malicious IP addresses, 186–187
Bro
intel framework, 198
intel.log, 200
meta.do_notice, 199
meta.if_in, 199
meta.source, 199
reputation list, 198f
CIF
deploying indicators, 192–193
querying indicators, 191–192
updating and adding indicator lists, 190–191
definition, 175–176
drawbacks
advertising networks, 183
automatic blocking, 182
false positives, 183–184
pruning, 182
shared servers, 183
public reputation lists
benefits, 176
DBL, 181
DROP, 181
MDL, 177
negative aspects, 176–177
PBL, 181
PhishTank, 179
SBL, 180
Tor exit node, 179
XBL, 180
Snort IP, 193–194
Suricata IP
categories file, 196
default-reputation-path, 196
IP reputation capability, 195
S
Security Onion (SO)
Canary honeypot, 332
FPC, 120
installation, 19–20
setup process, 22–24
SiLK, 87
testing, 22–24
updation, 21
Security onion control scripts
high level commands
nsm, 451
nsm_all_del, 451
nsm_all_del_quick, 451
sensor control commands
nsm_sensor, 453
nsm_sensor_add, 454
nsm_sensor_backup-config, 454
nsm_sensor_backup-data, 454
nsm_sensor_clean, 454
nsm_sensor_clear, 454
nsm_sensor_del, 454
nsm_sensor_edit, 454–455
nsm_sensor_ps-daily-restart, 455
nsm_sensor_ps-restart, 455–456
nsm_sensor_ps-start, 455
nsm_sensor_ps-status, 455
nsm_sensor_ps-stop, 455
rule-update, 456
server control commands
nsm_server, 451
nsm_server_add, 452
nsm_server_backup-config, 452
nsm_server_backup-data, 452
nsm_server_clear, 452
nsm_server_del, 452
nsm_server_edit, 452
nsm_server_ps-restart, 453
nsm_server_ps-start, 453
nsm_server_ps-status, 452
nsm_server_ps-stop, 453
nsm_server_sensor-add, 453
nsm_server_sensor-del, 453
nsm_server_user-add, 453
Sensor hardware
aggregated and non-aggregated taps, 58
calculations, 52
CPU, 49–50
data retention goals, 53
memory, 51
NIC, 54–56
sensor role modifiers, 53–54
socket buffer requirements, 56
Sensor placement
critical assets, 66–68
goal of, 61
ingress/egress points, 62–63
internal IP addresses
drive-by download attack, 64
malicious activity, 65
router, 63
resources, 62
visibility diagrams, 68–69
Sensor platform
hardware
aggregated and non-aggregated taps, 58
calculations, 52
CPU, 49–50
data retention goals, 53
memory, 51
NIC, 54–56
sensor role modifiers, 53–54
socket buffer requirements, 56
NSM data types
alert data, 46–47
FPC data, 45
log data, 45
PSTR, 45
session data, 45
statistical data, 45
operating system, 61
placement, See (Sensor placement)
security
HIDS, 72
installation, 71
limit internet access, 71
NIDS, 72
operating system, 70–71
software, 70
two-factor authentication, 72
VLAN segmentation, 71–72
types, 47–48
Session data
Argus
data retrieval, 94–95
definition, 92–93
features, 93
resources, 95
solution architecture, 93
benefit, 76
collection
Fprobe, 82
hardware generation, 81–82
YAF, 82–83
data storage considerations, 95–97
flow record, 76
aggregation, 76–77
communication sequence, 78
IPFIX, 80
NetFlow V5, 79–80
NetFlow V9, 80
sFlow, 81
5-tuple attribute, 77
unidirectional flows, 78
web browsing, 79
FPC data, 76
Signature-based detection, 150
Snort, 193–194
Snort and Suricata
architecture
open source IDS, 208
packet sniffermode, 206
runmode, 209–210
sensor status, 208f
sniffer mode, 206
configuration
command line arguments, 227–229
fast alerting format, 224
full alerting format, 224–225
IP variables, 215–218
packet logging, 225
port variables, 217–218
preprocessors, 226–227
public rule sources, 221
PulledPork, 221–222
rules in Security Onion, 222–223
snort.conf, 214
Snort rule files, 218–219
standard variables, 218
Suricata rule files, 220
suricata.yaml, 214
syslog alerting format, 225
Unified2, 226
IDS engine, 211
IDS rules, See (Intrusion detection system (IDS))
installation guides, 205
“lightweight” system, 205
sensor status, 205f
Sguil, 254
Snorby, 253
Spamhaus block list (SBL), 180
Statistical anomaly-based detection
Afterglow
Gephi, 310
Neato, 311
three-column mode, 313
definition, 289
Gnuplot
BASH script, 305
data spread, 303f
rwcount, 302
rwfilter, 302
Google Charts
CSV file, 306
directory, 308
Snort Zeus alert, 299f
UDP port 123, 300–301
Zeus botnet, 299
STIX, 171–173
Suricata
categories file, 196
default-reputation-path, 196
IP reputation capability, 195
System for Internet-Level Knowledge (SiLK)
analysis toolset, 86
definition, 83
flow types, 85–86
packing process, 85
piping data and rwtools
flow data, 90
PCAP data, 91
rwsetbuild, 89
rwstats query, 91
Top-N/Bottom-N calculations, 90
resources, 92
rwfilter command, 87–88
rwflowpack, 85
Security Onion, 87
service discovery
DNS servers, 298
drill down, 296
Email servers, 297
FTP servers, 298
Leftover servers, 298
server identification, 294
SSH servers, 298
TELNET servers, 298
VPN servers, 298
web servers, 297
toolset, 83–84
top talkers
rwstats outout, 291f
service usage, 292f
single host, 292f
workflow, 84
T
Tcpdump
-F argument, 359
-r command, 356
unix environments, 355
-w argument, 359
Threat intelligence
hostile host
internal data sources, 403–404
OSINT, 404–413
IP and domain registration
ASN, 407
domain information, 407–408
IANA, 405
IP and domain reputation
Cuckoo Sandbox and Malwr.com, 415–417
OSINT, 413–420
Team Cymru Malware Hash Registry, 419–420
ThreatExpert, 417–419
Virustotal, 414–415
operational, 402
strategy, 402
tactical, 402–403
Tor exit node list, 179
Tshark
–f argument, 362
HTTP statistics, 362f
–R argument, 362
U
URLSnarf, 127–128
V
Virtual Local Area Networks (VLANs), 71–72
Voice over IP (VoIP), 335
W
Wireshark
adding custom columns, 373–374
capture/display filters, 375–376
capture summary, 366–367
capturing packets, 363–365
changing time display formats, 365–366
endpoints/conversations, 368–369
exporting objects, 372
IO graph, 370–371
multiplatform tool, 363
protocol dissectors, 374–375
protocol hierarchy, 367–368
streams, 369–370
Y
Yet Another Flowmeter (YAF), 82–83
Z
ZeuS and SpyEye trackers, 178–179
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.