
Network Security Through Data Analysis
Contents
- Intro
- Copyright
- Table of Contents
- Preface
- Audience
- Contents of This Book
- Changes Between Editions
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Safari
- How to Contact Us
- Acknowledgments
- Part I. Data
- Chapter 1. Organizing Data: Vantage, Domain, Action, and Validity
- Domain
- Vantage
- Choosing Vantage
- Actions: What a Sensor Does with Data
- Validity and Action
- Internal Validity
- External Validity
- Construct Validity
- Statistical Validity
- Attacker and Attack Issues
- Further Reading
- Chapter 2. Vantage: Understanding Sensor Placement in Networks
- The Basics of Network Layering
- Network Layers and Vantage
- Network Layers and Addressing
- MAC Addresses
- IPv4 Format and Addresses
- IPv6 Format and Addresses
- Validity Challenges from Middlebox Network Data
- Further Reading
- Chapter 3. Sensors in the Network Domain
- Packet and Frame Formats
- Rolling Buffers
- Limiting the Data Captured from Each Packet
- Filtering Specific Types of Packets
- What If It's Not Ethernet?
- NetFlow
- NetFlow v5 Formats and Fields
- NetFlow Generation and Collection
- Data Collection via IDS
- Classifying IDSs
- IDS as Classifier
- Improving IDS Performance
- Enhancing IDS Detection
- Configuring Snort
- Enhancing IDS Response
- Prefetching Data
- Middlebox Logs and Their Impact
- VPN Logs
- Proxy Logs
- NAT Logs
- Further Reading
- Chapter 4. Data in the Service Domain
- What and Why
- Logfiles as the Basis for Service Data
- Accessing and Manipulating Logfiles
- The Contents of Logfiles
- The Characteristics of a Good Log Message
- Existing Logfiles and How to Manipulate Them
- Stateful Logfiles
- Further Reading
- Chapter 5. Sensors in the Service Domain
- Representative Logfile Formats
- HTTP: CLF and ELF
- Simple Mail Transfer Protocol (SMTP)
- Sendmail
- Microsoft Exchange: Message Tracking Logs
- Additional Useful Logfiles
- Staged Logging
- LDAP and Directory Services
- File Transfer, Storage, and Databases
- Logfile Transport: Transfers, Syslog, and Message Queues
- Transfer and Logfile Rotation
- Syslog
- Further Reading
- Chapter 6. Data and Sensors in the Host Domain
- A Host: From the Network's View
- The Network Interfaces
- The Host: Tracking Identity
- Processes
- Structure
- Filesystem
- Historical Data: Commands and Logins
- Other Data and Sensors: HIPS and AV
- Further Reading
- Chapter 7. Data and Sensors in the Active Domain
- Discovery, Assessment, and Maintenance
- Discovery: ping, traceroute, netcat, and Half of nmap
- Checking Connectivity: Using ping to Connect to an Address
- Tracerouting
- Using nc as a Swiss Army Multitool
- nmap Scanning for Discovery
- Assessment: nmap, a Bunch of Clients, and a Lot of Repositories
- Basic Assessment with nmap
- Using Active Vantage Data for Verification
- Further Reading
- Part II. Tools
- Chapter 8. Getting Data in One Place
- High-Level Architecture
- The Sensor Network
- The Repository
- Query Processing
- Real-Time Processing
- Source Control
- Log Data and the CRUD Paradigm
- A Brief Introduction to NoSQL Systems
- Further Reading
- Chapter 9. The SiLK Suite
- What Is SiLK and How Does It Work?
- Acquiring and Installing SiLK
- The Datafiles
- Choosing and Formatting Output Field Manipulation: rwcut
- Basic Field Manipulation: rwfilter
- Ports and Protocols
- Size
- IP Addresses
- Time
- TCP Options
- Helper Options
- Miscellaneous Filtering Options and Some Hacks
- rwfileinfo and Provenance
- Combining Information Flows: rwcount
- rwset and IP Sets
- rwuniq
- rwbag
- Advanced SiLK Facilities
- PMAPs
- Collecting SiLK Data
- YAF
- rwptoflow
- rwtuc
- rwrandomizeip
- Further Reading
- Chapter 10. Reference and Lookup: Tools for Figuring Out Who Someone Is
- MAC and Hardware Addresses
- IP Addressing
- IPv4 Addresses, Their Structure, and Significant Addresses
- IPv6 Addresses, Their Structure, and Significant Addresses
- IP Intelligence: Geolocation and Demographics
- DNS
- DNS Name Structure
- Forward DNS Querying Using dig
- The DNS Reverse Lookup
- Using whois to Find Ownership
- DNS Blackhole Lists
- Search Engines
- General Search Engines
- Scanning Repositories, Shodan et al
- Further Reading
- Part III. Analytics
- An Overview of Attacker Behavior
- Further Reading
- Chapter 11. Exploratory Data Analysis and Visualization
- The Goal of EDA: Applying Analysis
- EDA Workflow
- Variables and Visualization
- Univariate Visualization
- Histograms
- Bar Plots (Not Pie Charts)
- The Five-Number Summary and the Boxplot
- Generating a Boxplot
- Bivariate Description
- Scatterplots
- Multivariate Visualization
- Other Visualizations and Their Role
- Operationalizing Security Visualization
- Fitting and Estimation
- Is It Normal?
- Simply Visualizing: Projected Values and QQ Plots
- Fit Tests: K-S and S-W
- Further Reading
- Chapter 12. On Analyzing Text
- Text Encoding
- Unicode, UTF, and ASCII
- Encoding for Attackers
- Basic Skills
- Finding a String
- Manipulating Delimiters
- Splitting Along Delimiters
- Regular Expressions
- Techniques for Text Analysis
- N-Gram Analysis
- Jaccard Distance
- Hamming Distance
- Levenshtein Distance
- Entropy and Compressibility
- Homoglyphs
- Further Reading
- Chapter 13. On Fumbling
- Fumbling: Misconfiguration, Automation, and Scanning
- Lookup Failures
- Automation
- Scanning
- Identifying Fumbling
- IP Fumbling: Dark Addresses and Spread
- TCP Fumbling: Failed Sessions
- ICMP Messages and Fumbling
- Fumbling at the Service Level
- HTTP Fumbling
- SMTP Fumbling
- DNS Fumbling
- Detecting and Analyzing Fumbling
- Building Fumbling Alarms
- Forensic Analysis of Fumbling
- Engineering a Network to Take Advantage of Fumbling
- Chapter 14. On Volume and Time
- The Workday and Its Impact on Network Traffic Volume
- Beaconing
- File Transfers/Raiding
- Locality
- DDoS, Flash Crowds, and Resource Exhaustion
- DDoS and Routing Infrastructure
- Applying Volume and Locality Analysis
- Data Selection
- Using Volume as an Alarm
- Using Beaconing as an Alarm
- Using Locality as an Alarm
- Engineering Solutions
- Further Reading
- Chapter 15. On Graphs
- Graph Attributes: What Is a Graph?
- Labeling, Weight, and Paths
- Components and Connectivity
- Clustering Coefficient
- Analyzing Graphs
- Using Component Analysis as an Alarm
- Using Centrality Analysis for Forensics
- Using Breadth-First Searches Forensically
- Using Centrality Analysis for Engineering
- Further Reading
- Chapter 16. On Insider Threat
- Insider Threat Versus Other Classes of Attacks
- Avoiding Toxicity
- Modes of Attack
- Data Theft and Exfiltration
- Credential Theft
- Sabotage
- Insider Threat Data: Logistics and Collection
- Applying Sector-Based Workflow to Insider Threat
- Physical Data Sources
- Keeping Track of User Identity
- Further Reading
- Chapter 17. On Threat Intelligence
- Defining Threat Intelligence
- Data Types
- Creating a Threat Intelligence Program
- Identifying Goals
- Starting with Free Sources
- Determining Data Output
- Purchasing Sources
- Brief Remarks on Creating Threat Intelligence
- Further Reading
- Chapter 18. Application Identification
- Mechanisms for Application Identification
- Port Number
- Application Identification by Banner Grabbing
- Application Identification by Behavior
- Application Identification by Subsidiary Site
- Application Banners: Identifying and Classifying
- Non-Web Banners
- Web Client Banners: The User-Agent String
- Further Reading
- Chapter 19. On Network Mapping
- Creating an Initial Network Inventory and Map
- Creating an Inventory: Data, Coverage, and Files
- Phase I: The First Three Questions
- Phase II: Examining the IP Space
- Phase III: Identifying Blind and Confusing Traffic
- Phase IV: Identifying Clients and Servers
- Identifying Sensing and Blocking Infrastructure
- Updating the Inventory: Toward Continuous Audit
- Further Reading
- Chapter 20. On Working with Ops
- Ops Environments: An Overview
- Operational Workflows
- Escalation Workflow
- Sector Workflow
- Hunting Workflow
- Hardening Workflow
- Forensic Workflow
- Switching Workflows
- Further Readings
- Chapter 21. Conclusions
- Index
- About the Author
- Colophon
System Requirements
File format: PDF
Copy protection: Adobe DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free Adobe Digital Editions software before downloading (see E-Book Help).
- Tablet/smartphone (Android; iOS): Install the free Adobe Digital Editions app or the PocketBook app before downloading (see E-Book Help).
- E-book reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle)
The PDF file format displays each book page identically on every device. A PDF is therefore also suitable for complex layouts such as those used in textbooks and technical books (images, tables, columns, footnotes). On the small displays of e-readers or smartphones, however, PDFs are rather tedious to read because too much scrolling is required.
Adobe DRM is a "hard" form of copy protection. If the necessary prerequisites are not met, you will unfortunately not be able to open the e-book. You must therefore prepare your reading hardware before downloading.
Please note: we strongly recommend that you authorize the reading software with your personal Adobe ID after installing it!
Further information can be found in our E-Book Help.