Last night I started working on my next book: Extrusion Detection: Security Monitoring for Internal Intrusions. The goal of this book is to help security architects and engineers control and instrument their networks, and help analysts investigate security events.
Extrusion Detection is a sequel to my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection.
Extrusion Detection explains how to engineer an organization's internal network to control and detect intruders launching client-side attacks. Client-side attacks are more insidious than server-side attacks, because the intruder targets a vulnerable application anywhere inside a potentially hardened internal network. A powerful means to detect the compromise of internal systems is to watch for outbound connections from the victim to systems on the Internet operated by the intruder. Here we see the significance of the word "extrusion" in the book's title. In addition to watching connections inbound from the Internet, we watch for suspicious activity exiting the protected
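As an added illustration of the outbound-connection idea above (this is example code, not from the book or the post), the script below runs over a handful of constructed session records and flags internal hosts that reach the Internet directly instead of through a sanctioned proxy, then marks source/destination/port triples that repeat, a crude repeated-callback heuristic. The RFC 1918 internal ranges, the proxy address 10.1.2.1, and the sample flows are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample session records (src, dst, dst_port, bytes_out);
# not real captures, just illustrative flows for this example.
SESSIONS = [
    ("10.1.2.15", "10.1.2.5", 445, 12000),     # internal SMB, not egress
    ("10.1.2.15", "10.1.2.1", 3128, 4200),     # egress via the assumed proxy
    ("10.1.2.15", "198.51.100.7", 6667, 900),  # direct egress, repeated to one host:port
    ("10.1.2.15", "198.51.100.7", 6667, 950),
    ("10.1.2.15", "198.51.100.7", 6667, 870),
    ("10.1.2.40", "203.0.113.10", 443, 5100),  # single direct egress, still worth a look
]

# Address space treated as "internal"; RFC 1918 ranges as an assumption.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True when addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def find_extrusions(sessions, beacon_threshold=3):
    """Return (direct_egress, beacons).

    direct_egress: sessions where an internal host talks straight to an
    external address (internal->internal never counts, so proxy use is fine).
    beacons: (src, dst, port) keys seen at least beacon_threshold times among
    the direct egress sessions, sorted for stable output.
    """
    direct = [s for s in sessions
              if is_internal(s[0]) and not is_internal(s[1])]
    counts = Counter((src, dst, port) for src, dst, port, _ in direct)
    beacons = sorted(k for k, n in counts.items() if n >= beacon_threshold)
    return direct, beacons


if __name__ == "__main__":
    direct, beacons = find_extrusions(SESSIONS)
    for s in direct:
        print("direct egress:", s)
    for b in beacons:
        print("repeated callback:", b)
```

Real deployments would feed this from session data collected at the egress point rather than a hard-coded list, and would tune the threshold to the network.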
Readers will learn theory, techniques, and tools to implement network security monitoring (NSM) for internal intrusions. I have already received several case studies from LURHQ and I have contacted an expert on p2p networks who plans to write a chapter. I am interested in hearing from any blog readers who might want to contribute a case study, section, chapter, or appendix on one or more of the following subjects:
- Interpreting Microsoft Server Message Block (SMB) protocols (TCP ports 139 and 445)
- Microsoft's Network Access Protection (NAP)
- Cisco's Network Admission Control (NAC) technologies
- VLANs and VLAN access control lists
- Cisco Network Access Module and similar means to collect traffic on network hardware
- Using FPGAs, network processors, or other non-libpcap methods to capture network traffic in high bandwidth environments
- Using proxies to inspect and carry traffic from internal systems to the Internet -- the more exotic, the better
- Any case studies involving compromise of internal systems, such as via VPN to partner networks, attaching rogue laptops, opening malicious email or visiting evil Web sites
- Anything else you think would be cool to discuss in a book on controlling, detecting, and responding to internal threats -- as long as it doesn't appear in other books!
If you have an idea you'd like to discuss, please email taosecurity at gmail dot com. You will receive full credit for anything you submit that makes it in some form into the final book, even if I have to rewrite some or all of it to meet publishing guidelines. Thank you!