Enhanced descriptions from Syndetics:

Preface

In the mid 1990s, Neil was an auditor for a major government agency in Canada. An inside embezzler had taken his agency for several million dollars and Neil was asked to help pick up the pieces. For over 6 months, Neil poured over transaction logs to trace the money, and figure out how it was done. A substantial amount of the money was never recovered.

On February 9, 2000 Amazon.com, E-Trade, and other pioneering ecommerce companies got hit with a distributed denial of service attack that collectively cost several million dollars. This electronic "Waterloo" changed the face of electronic commerce forever by highlighting the importance of effective detection and response in any successful on-line business.

In 1986, Dorothy Denning wrote a paper that set the stage for the development of commercial technologies that would provide detection, response, deterrence, and damage assessment. Intrusion detection, often misunderstood, provides the best chance for peace in an otherwise turbulent on-line world.

I've spent my career trying to get intrusion detection out of the research lab and into operational environments. I worked in intrusion detection research in 1988 to do a state of the art study for the U.S. Navy with the intent of deploying a system in an operational Navy environment. Then in 1990, I started work on generic testing paradigms to quantify the value of intrusion detection. In 1992, I designed the Computer Misuse Detection System (CMDS) at SAIC, one of the first commercial intrusion detection systems. CMDS saw real action and enjoyed some very large deployments starting in the mid 1990s. In 1997, I left SAIC to co-found Centrax Corporation and bring Intrusion Detection to the Windows NT masses. At Cybersafe I helped develop one of the first hybrid intrusion detection systems combining both network and host-based technologies.

I've researched systems, developed systems, deployed systems, sold systems, given seminars, and assisted investigations. This book was the next logical step. It was simple in concept: Write down everything I know about intrusion detection, make it understandable, and help businesses deploy operational systems.

You hold the results in your hands. This book will explain intrusion detection, dispel common myths, provide guidance on requirements and even help you acquire an intrusion detection system and operate it effectively throughout the entire project lifecycle. The format is designed to be readable. Anecdotes appear throughout to connect the information with the real world. Important points are punctuated and called out separately for emphasis and to make it easy to scan the text.

The book is divided roughly into thirds. The first third describes technology, the second effective operation, and the third project lifecycle. Near the end I provide a chapter on commercial products because this book is about using intrusion detection. These are your tools. This book is your manual.

Table of contents provided by Syndetics

• Preface (p. xvii)
• How to Read This Book (p. xxi)
• Real-Life Stories and Case Studies (p. xxii)
• Foreword (p. xxiv)
• Chapter 1 Introduction (p. 1)
• Security versus Business (p. 2)
• What is Intrusion Detection? (p. 5)
• The Most Common Intrusion Detection (p. 7)
• Network- versus Host-based Intrusion Detection (p. 8)
• Anatomy of an Intrusion Detection System (p. 9)
• Command Console (p. 10)
• Network Sensor (p. 10)
• Alert Notification (p. 11)
• Response Subsystem (p. 11)
• Database (p. 11)
• Network Tap (p. 11)
• Anatomy of an Intrusion Detection Process (p. 11)
• Traditional Audit versus Intrusion Detection (p. 14)
• Integrity Checkers (p. 15)
• A Conceptual View of Misuse Detection (p. 15)
• Detecting Deviations from Acceptable Behavior (p. 17)
• Detecting Adherence to Known Unacceptable Behavior (p. 19)
• Summary (p. 20)
• Chapter 2 A Historical Perspective (p. 22)
• A Timeline (p. 22)
• The Early Systems (p. 24)
• Early Capabilities Comparison (p. 26)
• Effectiveness (p. 28)
• SSO Support/SSO Interface (p. 29)
• Adaptability/Flexibility (p. 29)
• Historical Lessons (p. 30)
• Summary (p. 31)
• Chapter 3 Network-Based Intrusion Detection Systems (p. 32)
• Introduction (p. 32)
• Network-based Detection (p. 33)
• Unauthorized Access (p. 33)
• Data/Resource Theft (p. 34)
• Denial of Service (p. 34)
• Architecture (p. 35)
• Traditional Sensor-Based Architecture (p. 36)
• Distributed Network-Node Architecture (p. 37)
• The Network Intrusion Detection Engine (p. 39)
• Network Signatures (p. 39)
• Operational Concept (p. 41)
• Tip-Off (p. 41)
• Surveillance (p. 42)
• Forensics Workbench (p. 42)
• Benefits of Network-based Intrusion Detection (p. 43)
• Outsider Deterrence (p. 43)
• Detection (p. 43)
• Automated Response and Notification (p. 43)
• Challenges for Network-based Technologies (p. 44)
• Packet Reassembly (p. 44)
• High-Speed Networks (p. 45)
• Sniffer Detection Programs (p. 45)
• Switched Networks (p. 46)
• Encryption (p. 46)
• Summary (p. 48)
• Chapter 4 Host-Based Intrusion Detection Systems (p. 49)
• Introduction (p. 49)
• Host-based Detection (p. 50)
• Abuse of Privilege Attack Scenarios (p. 50)
• Critical Data Access and Modification (p. 51)
• Changes in Security Configuration (p. 52)
• Architecture (p. 53)
• Centralized Host-Based Architecture (p. 54)
• Distributed Real-Time Architecture (p. 56)
• Target Agent (p. 57)
• Agentless Host-Based Intrusion Detection (p. 58)
• Raw Data Archive (p. 58)
• Operational Concept (p. 59)
• Tip-Off (p. 59)
• Surveillance (p. 60)
• Damage Assessment (p. 60)
• Compliance (p. 60)
• Policy Management (p. 60)
• Audit Policy (p. 61)
• Detection Policy (p. 64)
• Audit and Detection Policy Dependencies (p. 65)
• Data Sources (p. 65)
• Operating System Event Logs (p. 67)
• Middleware Application Audit Sources (p. 68)
• Application Audit Sources (p. 69)
• Benefits of Host-based Intrusion Detection (p. 70)
• Insider Deterrence (p. 70)
• Detection (p. 72)
• Notification and Response (p. 72)
• Damage Assessment (p. 73)
• Attack Anticipation (p. 73)
• Prosecution Support (p. 74)
• Behavioral Data Forensics (p. 74)
• Challenges for Host-based Technologies (p. 75)
• Performance (p. 75)
• Deployment/Maintenance (p. 76)
• Compromise (p. 76)
• Spoofing (p. 76)
• Summary (p. 77)
• Chapter 5 Detection Technology and Techniques (p. 78)
• Introduction (p. 78)
• Network Detection Mechanisms (p. 79)
• Packet Content Signatures (p. 79)
• Packet Header (Traffic) Analysis (p. 80)
• Host-based Signatures (p. 81)
• Single Event Signatures (p. 82)
• Multi-event Signatures (p. 84)
• Multi-host Signatures (p. 87)
• Enterprise Signatures (p. 89)
• Compound (Network and Host) Signatures (p. 89)
• Signature Detection Mechanisms (p. 91)
• Embedded (p. 92)
• Programmable (p. 92)
• Expert System (p. 92)
• Other Techniques (p. 93)
• Statistical Analysis (p. 93)
• Metalanguage (p. 95)
• Artificial Intelligence (Artificial Neural Network) (p. 95)
• Summary (p. 97)
• Chapter 6 Intrusion Detection Myths (p. 98)
• Introduction (p. 98)
• Myth 1 The Network Intrusion Detection Myth (p. 100)
• The Network Intrusion Detection Revolution (p. 100)
• Network Intrusion Detection Is Not Sufficient (p. 102)
• What's the Difference Between Network- and Host-Based Detection? (p. 104)
• Comparing Host- and Network-Based Benefits (p. 106)
• The Bottom Line (p. 108)
• Myth 2 The False-Positive Myth (p. 108)
• True/False-Positive/Negative (p. 108)
• Noisy Systems? (p. 110)
• There Is No Such Thing as a False-Positive (p. 110)
• Bottom Line (p. 111)
• Myth 3 The Automated Anomaly Detection Myth (p. 112)
• Behavior Models (p. 112)
• You Just Said There Are No False-Positives (p. 113)
• The Training Problem (A Mini Myth) (p. 113)
• Anomaly Detection as Decision Support (p. 114)
• Bottom Line (p. 114)
• Myth 4 The Real-time Requirement Myth (p. 115)
• Why Real-Time? (p. 115)
• The Costs of Real-Time (p. 117)
• Real-Time versus In-Time (p. 120)
• The Bottom Line (p. 121)
• Myth 5 Inside the Firewall equals Insider Threat Detection (p. 121)
• Insider Threats (p. 121)
• Paradigm Shift (p. 121)
• Bottom Line (p. 122)
• Myth 6 The Automated Response Myth (p. 122)
• Advertising (p. 123)
• Automated Response = Risk (p. 123)
• Characteristics of a Good Real-Time Automated Response (p. 125)
• Bottom Line (p. 127)
• Myth 7 The Artificial Intelligence Myth (p. 127)
• New Attacks and AI (p. 127)
• Root-Cause Analysis to Detect New Attacks (p. 128)
• Bottom Line (p. 130)
• Summary (p. 130)
• Chapter 7 Effective Use (p. 132)
• Detecting Outsider Misuse (Hackers) (p. 133)
• Real-Life Misuse Example 1 Anomalous Outbound Traffic (p. 134)
• Real-Life Misuse Example 2 Help! We're Being Swept! (p. 135)
• Detecting Insider Misuse (p. 136)
• Real-Life Misuse Example 3 Unauthorized Access to Mission-Critical Data (p. 136)
• Real-Life Misuse Example 4 Abuse of Privilege (p. 137)
• Attack Anticipation (Extended Attacks) (p. 138)
• Real-Life Misuse Example 5 Embezzlement (p. 138)
• Real-Life Misuse Example 6 Intellectual Property Theft (p. 139)
• Surveillance (p. 139)
• Real-Life Misuse Example 7 Surveillance (p. 139)
• Policy Compliance Monitoring (p. 140)
• Real-Life Misuse Example 8 User Logout at Night (p. 140)
• Damage Assessment (p. 141)
• Real-life Misuse Example 9 Corporate Espionage (p. 141)
• Summary (p. 141)
• Chapter 8 Behavioral Data Forensics in Intrusion Detection (p. 143)
• Introduction (p. 143)
• Benefits of Behavioral Data Forensics (p. 144)
• Data Mining (p. 145)
• Forms and Formats (p. 145)
• Data Volume (p. 145)
• User-Centric versus Target-Centric Monitoring (p. 146)
• Real-World Examples of Behavioral Data Forensics (p. 147)
• Performance Improvement (p. 147)
• Security (p. 147)
• Workload Reduction (p. 148)
• Security Policy (p. 148)
• Data Mining Techniques (p. 149)
• Data Presentation Refinement (p. 150)
• Contextual Interpretation (p. 151)
• Drill Down (p. 153)
• Combining Data from Heterogeneous Sources (p. 154)
• Combining Data from All-Band Resources (p. 155)
• Behavioral data forensics Tutorial Examples (p. 156)
• Example 1 Trending and Drill Down (p. 156)
• Example 2 Target Browsing (p. 160)
• Example 3 Critical File Browsing Trends (p. 160)
• Example 4 Attack Anticipation (Tip-Off) (p. 161)
• Example 5 Target Overloaded (p. 161)
• Other Examples (p. 162)
• Summary (p. 163)
• Chapter 9 Operational Use (p. 165)
• Introduction (p. 165)
• Background Operation (p. 167)
• On-demand Operation (p. 168)
• Scheduled Operation (p. 169)
• Real-time Operation (p. 169)
• 2437 Monitoring (p. 170)
• Incident Response (p. 171)
• Escalation Procedures (p. 171)
• Incident Triage (p. 173)
• Incident Volume (p. 173)
• Summary (p. 173)
• Chapter 10 Intrusion Detection Project Lifecycle (p. 175)
• Introduction (p. 175)
• Project Phases (p. 176)
• Overlap (p. 176)
• Resource Estimates (p. 176)
• Calculating Total Cost of Ownership (p. 178)
• Hidden Costs of Intrusion Detection (p. 179)
• Project Planning/requirements Analysis (p. 180)
• Acquisition (p. 181)
• Pilot Phase (p. 181)
• Deployment Phase (p. 181)
• Policy Implementation (p. 182)
• Promiscuous Network Sensor Deployments (p. 182)
• Distributed Sensor Deployments (p. 184)
• Tuning (p. 185)
• Deployment Issues (p. 186)
• Cultural (p. 186)
• Legal (p. 186)
• Politics (p. 187)
• Target Ownership (p. 187)
• Policy Management (p. 187)
• Maintenance (p. 188)
• Software Updates (p. 188)
• Signature Updates (p. 188)
• Summary (p. 189)
• Chapter 11 Justifying Intrusion Detection (p. 190)
• Importance of Intrusion Detection in Security (p. 190)
• Time-Based Security (p. 191)
• Relaxing Access Controls (p. 191)
• Threat Briefing (p. 192)
• 1 CSI/FBI Study (p. 193)
• A Recap of Misuse Examples (p. 193)
• Insider Threats (p. 195)
• Quantifying Risk (p. 198)
• Problems with Quantitative Risk Assessment (p. 200)
• Return on Investment (p. 201)
• ROI and Risk Calculator (p. 201)
• Behind the Scenes (p. 206)
• Summary (p. 209)
• Chapter 12 Requirements Definition (p. 211)
• Introduction (p. 212)
• Tracking Nonrequirements (p. 212)
• Developing a Requirements Document (p. 213)
• What Are Your Goals For Intrusion Detection? (p. 213)
• Information Risk Management (p. 214)
• Detection Requirements (p. 215)
• Perimeter Threat Detection Requirements (p. 216)
• Insider Threat Detection requirements (p. 217)
• Compliance Monitoring Requirements (p. 217)
• Response Requirements (p. 219)
• Resource Classification (p. 219)
• Using Intrusion Detection to Define Mission-Critical Data (p. 221)
• Operations Requirements (p. 222)
• Background Operations (p. 222)
• On-Demand Operation (p. 222)
• Scheduled Operation (p. 223)
• Real-Time Operation (p. 223)
• 24 [times] 7 Monitoring (p. 223)
• Platform Coverage Requirements (p. 224)
• Audit Source Requirements (p. 224)
• Performance Requirements (p. 225)
• Intrusion Detection System Performance (p. 225)
• Network Resource Requirements (p. 227)
• Scalability Requirements (p. 228)
• Prosecution Requirements (p. 229)
• Damage Assessment Requirements (p. 229)
• Summary (p. 229)
• Chapter 13 Tool Selection and Acquisition Process (p. 231)
• Introduction (p. 231)
• Selection and Evaluation Process (p. 232)
• Define Requirements (p. 232)
• Conduct Research (p. 232)
• Online Research (p. 233)
• Conferences (p. 235)
• Magazines (p. 238)
• Request for Information (p. 238)
• Establish Selection Criteria (p. 238)
• Translate Environment-Specific Criteria (p. 238)
• Criteria Weighting (p. 239)
• Scoring (p. 240)
• Evaluation (p. 240)
• Conduct Evaluation (p. 242)
• Request for Proposal (p. 242)
• Cover Letter (p. 243)
• RFP Example (p. 244)
• Pilot Program (p. 244)
• Speaking to References (p. 245)
• Words of Wisdom (p. 246)
• Summary (p. 246)
• Chapter 14 Commercial Intrusion Detection Tools (p. 247)
• Introduction (p. 247)
• Network (TCP/IP) Only (p. 248)
• BlackICE/ICEcap--Network ICE (p. 249)
• Dragon--Network Security Wizards (p. 250)
• NFR ID Appliance--Network Flight Recorder (p. 252)
• Secure Intrusion Detection System (NetRanger)--Cisco (p. 255)
• Net Prowler--Axent (p. 255)
• eTrust ID (Abirnet Sessionwall 23)--Computer Associates (p. 257)
• Host-only Products (p. 258)
• Computer Misuse Detection System (CMDS)--ODS Networks (p. 259)
• Kane Security Monitor (KSM)--ODS Networks, Inc. (p. 260)
• SecureCom 8001 Internet Appliance (Hardware)--ODS Networks, Inc.? (p. 261)
• Intruder Alert (ITA)--Axent (p. 263)
• PS Audit--Pentasafe (p. 265)
• Operations Manager--Mission Critical (p. 266)
• Hybrid Systems (p. 268)
• Centrax--CyberSafe Corporation (p. 269)
• Cyber Cop Monitor--Network Associates, Inc. (p. 270)
• RealSecure--Internet Security Systems (p. 273)
• Chapter 15 Legal Issues (p. 276)
• Introduction (p. 276)
• Law Enforcement/Criminal Prosecutions (p. 278)
• Tort Litigation (p. 279)
• Negligence Litigation (p. 279)
• Better Technology (p. 280)
• Y2K (p. 281)
• Corporate Reluctance to Prosecute (p. 281)
• Standard of Due Care (p. 281)
• Responsibilities (p. 282)
• One-Sided Liability (p. 283)
• Evidentiary Issues (p. 284)
• Rules of Evidence (p. 285)
• Accuracy (p. 287)
• Chain of Custody (p. 288)
• Transparency (p. 288)
• Case Study (p. 289)
• Improving Evidentiary Veracity (p. 290)
• Organizations (p. 291)
• National White Collar Crime Center (p. 291)
• National Cybercrime Training Partnership (NCTP) (p. 292)
• High Technology Crime Investigators Association (HTCIA) (p. 292)
• Summary (p. 293)
• Chapter 16 Organizations, Standards, and Government Initiatives (p. 295)
• Introduction (p. 295)
• Organizations (p. 296)
• ICSA.net (p. 296)
• SANS (p. 298)
• Standards Bodies (Interoperability) (p. 300)
• What Should Be Standardized? (p. 300)
• Interoperability (p. 301)
• Common Intrusion Detection Framework (CIDF) (p. 301)
• IETF Intrusion Detection Working Group (IDWG) (p. 304)
• Common Vulnerability and Exposures (CVE) (p. 304)
• U.S. Federal Government Initiatives (p. 305)
• The National Security Telecommunications Advisory Committee (NSTAC) (p. 305)
• The Presidential Commission on Critical Infrastructure Protection (PCCIP) (p. 306)
• Presidential Decision Directive 63 (PDD-63) (p. 307)
• Summary (p. 309)
• Chapter 17 Practical Intrusion Detection (p. 311)
• The Current State of Technology (p. 312)
• The Future of Intrusion Detection (p. 313)
• Network Intrusion Detection (p. 313)
• Host-Based Intrusion Detection (p. 314)
• Managed Services (p. 314)
• Enterprise On-Demand Detection (p. 314)
• Application Intrusion Detection (p. 315)
• Standards for Interoperability (p. 315)
• Prosecution Support (p. 315)
• Real-Time versus In Time (p. 315)
• Advice to Security Officers (p. 316)
• Advice to Intrusion Detection Developers (p. 317)
• My last Advice: Avoiding Confusion (p. 318)
• Summary (p. 319)
• After All (p. 320)
• Appendix A Sample RFP (p. 321)
• Appendix B Commercial Intrusion Detection Vendors (p. 336)
• Appendix C Resources (p. 345)
• Index (p. 353)

Excerpt provided by Syndetics

Author notes provided by Syndetics

PAUL E. PROCTOR is the Director of Technology at Cybersafe Corporation and Chief Technology Officer of the firm's Centrax Division. Proctor has worked in intrusion detection for nearly 15 years and developed many commercial intrusion detection technologies. He sat on the Intrusion Detection Subgroup of the President's National Security Telecommunications Advisory Committee (NSTAC), has been an invited speaker at the CIA, and has been personally involved in several of the world's most significant intruder "take-downs." Sorry, but he can't tell you which ones!