
Bejtlich - The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat


  • Book: The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat
  • Author: Richard Bejtlich
  • Publisher: TaoSecurity Press
  • Year: 2020




The Best of TaoSecurity Blog, Volume 2
Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat
Richard Bejtlich
TaoSecurity Press
Copyright 2020 Richard Bejtlich and TaoSecurity Press
Trademarked names may appear in this book. Rather than use a trademark symbol with each occurrence of a trademarked name, names are used in an editorial fashion with no intention of infringement of the respective owners' trademarks.
This is a book about digital security and network monitoring. The act of collecting network traffic may violate local, state, and national laws if done inappropriately. The tools and techniques explained in this book should be tested in a laboratory environment, separate from production networks. None of the tools or techniques should be tested with network devices outside of your responsibility or authority.
Suggestions on network monitoring in this book shall not be construed as legal advice.
The author has taken care in the preparation of this book, but makes no expressed or implied warranty of any kind and assumes no responsibility for errors or omissions.
No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher.
ISBN: 978-1-952809-02-6 Ebook
ISBN: 978-1-952809-03-3 Paperback
I dedicate this book to my family.
Judo is originally a teaching of the literary and military arts, and one must begin with waza [physical technique] when embarking on the do [way, pronounced "dough"] of Judo. How many people, although they make rapid progress with waza, require a great deal of training in order to reach the point at which they can appreciate the do.
The only thing that remains gratifying no matter how much one indulges in its joys, the one undertaking that becomes even more deeply satisfying the more one pursues it, is education.
Professor Jigoro Kano, as quoted in Mind Over Muscle: Writings from the Founder of Judo (Kodansha International, 2013), p 65, and The Legacy of Kano Jigoro: Judo and Education (Japan Publishing Industry Foundation for Culture, 2011), p 293.
Preface

The purpose of this book is to help readers better understand security, and therefore better protect their digital assets. It is a sequel to the first installment, The Best of TaoSecurity Blog, Volume 1: Milestones, Philosophy and Strategy, Risk, and Advice. This volume focuses on network security monitoring (NSM), technical notes, research, and China and the advanced persistent threat (APT). The third and final installment features current events, law, wise people, history, and an assortment of appendices.
This book contains my second set of favorite posts from the TaoSecurity Blog. The time frame lasts from 2003 to mid-2020. While all of these posts are free online, without advertising, they have become increasingly difficult to individually locate. As of mid-2020, TaoSecurity Blog features over 3,050 posts, and despite being hosted by Google's Blogspot property, lacks sufficient search capability for the average visitor. When I know that I'm having trouble finding posts, then I expect readers are suffering the same limitations.
Rather than repeating the explanation for why I'm producing this compendium, I prefer interested readers consult the first volume. (Thanks to Amazon, the preface is available either as a Kindle sample or an online preview.) In brief, these are the posts that I believe are most relevant to security practitioners, despite having been written as early as 2003. I reference them to this day, and followers of my TaoSecurity Twitter account have noted their utility over the years.
I will repeat one element from the first volume's preface, however. I leave the introduction with the immortal words attributed to Steve Jobs:
Real artists ship.
-- Attributed to Steve Jobs, https://quoteinvestigator.com/2018/10/13/ship/
Richard Bejtlich
Northern Virginia, August 2020
Chapter 1. Network Security Monitoring
Introduction
If there is a constant technical and operational construct upon which I have built my career, it is network security monitoring (NSM). While elements of NSM appear in other volumes in this series, and in other chapters in this volume, this section contains the blog posts most closely associated with the topic. Rather than turning this introduction into another manuscript on why NSM matters or how to conduct it, I will let the blog posts take those steps. Along the way I will add commentary.
IPS vs IDS
Wednesday, April 16, 2003
Articles like "Intrusion prevention: IDS' 800-pound gorilla" make me sick. Quotes like this demonstrate the ignorance of the speaker:
Intrusion-detection systems do a good job of telling companies whether they are being compromised or attacked. So good, in fact, that some question whether systems should go a step further and prevent incidents. It doesn't seem much of a stretch to have systems flip a switch instead of alerting when an anomaly is found, said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security.
Argh! Thankfully the same article shows some people still understand this issue:
Other companies, however, see their intrusion-prevention products as usurping IDS. Martin Roesch, cofounder and CTO of Columbia, Md.-based Sourcefire, which sells the commercial version of the open-source intrusion-detection system Snort, rejects such a suggestion. Anyone who tries to sell you an intrusion-prevention system at the expense of an intrusion-detection system doesn't understand the problem stack, he said. Intrusion prevention is access control. Intrusion detection is monitoring.
Sourcefire will probably play in the intrusion-prevention space at some point. We see value in having an access control role on the network as well as a network-monitoring role, because it allows us to leverage the information to enhance monitoring and protection, Roesch said. You can't have one without the other.
https://taosecurity.blogspot.com/2003/04/articles-like-intrusion-prevention-ids.html
Commentary
This was one of my earliest blog posts. I apologize to Pete Lindstrom for calling him ignorant. Over the years I've managed to chill out a bit, but I left the original post as is to show I am not trying to eradicate an ugly history.
Regarding the content, though, I agreed with Marty Roesch then and I agree with him now. Network security can either be active or passive. If it's active, it's interfering with the traffic. If it's passive, it's observing the traffic. Firewalls, intrusion prevention systems, and the like are active interference platforms. Network security monitors are passive observation platforms. Anyone responsible for a network requires both capabilities. They should not be combined on a single system.
Sguil 0.2 Released
Thursday, May 22, 2003
My friend Bamm Visscher released version 0.2 of his Snort-based network monitoring solution, called Sguil. I will be working on more comprehensive documentation when I finish my current incident response deployments! Also, check out the new project logo! From the announcement:
Sguil (pronounced "sgweel") is a graphical interface to Snort. The actual interface and GUI server are written in Tcl/Tk. Sguil uses other open source software like Barnyard and MySQL for accessing data. The client interface provides 'hooks' to analyst tools like Ethereal, Tcpflow, and P0f. Sguil makes it easy for multiple analysts to work together in monitoring multiple sensors. Currently, Sguil only provides an analyst interface. Sensor and rule management is forthcoming.