Network Intrusion Detection: An Analysis Handbook
I have been learning about real computer and network security since January of this year. Thankfully I have been working under someone who really knows his stuff and once worked with the author, Stephen Northcutt. I have attended SANS '99 in Baltimore and will be at the New Orleans conference in October. I am by no means an expert on security or cracking. However, it is one of the most interesting aspects of what I do. I feel this book will be an essential tool in my career development.
To me the field of computer network security seems like a blossoming flower. Yes, people have been hacking, cracking, and fixing systems since the dawn of computing. However, I firmly believe once we have recovered from the Y2K hangover, security will be the big buzz. You can already see it happening in the media with the attention certain incidents have had.
So where does Northcutt's book fit in? If you are an admin charged with securing the way your company interacts with other companies, the internet, your internal employees, e-mail, etc., this book can be an excellent resource. Keep in mind that Intrusion Detection is not a starting point. It is an integrated part of the overall picture. Having cool intrusion detection at your site does little good if you don't even have a decent firewall, acceptable use policies, e-mail filters, safe CGIs on your web server, and current patch levels on your systems. Yes, you will be able to know where you were cracked from, but you will still have been cracked. Likewise, if you don't understand networking and protocols to an advanced admin level, this book may be a bit intimidating.
A search for Network Intrusion Detection on Amazon on Monday showed me a total of 3 titles on the subject, and Northcutt's was one of them. He is certainly an expert in the field, having been the lead on the Navy Shadow Intrusion Detection Team for DoD, as well as being the current Chief Information Warfare Officer for the U.S. Ballistic Missile Defense Organization.
The Book
The best advice on how to get the value out of this book comes from the opening of chapter 6, which reads "If you do not have a lot of experience with Internet Protocol (IP), here's a suggestion to get the most out of this book: read Chapters 6, 7, and 8 twice." Northcutt starts out with a review of the Mitnick attack on Tsutomu Shimomura's system. The format of using real world examples carries throughout the rest of the book. His writing style is much the same as his lectures at SANS. He draws you in to interact with the examples he has chosen. Instead of just pointing out what he wants you to see, he will ask you to think about what part of a given signature is important. Then he'll ask you to go back and look again for what he feels is important. I wish textbooks in college were written this way, because it helped me learn.
Included with Ch. 1 is a review of TCP/IP packet structure. Chapter Two carries on with introducing signatures and filters. This clearly explains how to tell what particular attack the script kiddie used to bring down your site. The chapter on Architectural Issues is a nice overview of sensor placement, hardware, and other implementation factors. This comes off as a little light with respect to comparing and contrasting, especially with regard to choice of OS. To be fair, these generalities will probably help keep the book relevant in the ever changing world of OS/hardware combinations. The final two chapters prior to the critical 6, 7, and 8 trio deal with the important factors a good IDS solution should have and a review of known commercial and government software. Unfortunately, the rapid changes involved in this field prevent a complete overview of all the available products out there. My suggestion is to read Ch. 4 more closely if you are about to make a decision on an IDS. It will help you ask the right questions to get the solution which will best suit your needs.
As I alluded to above, Chs. 6 through 8 are the guts of the book. The tcpdumps give you a real insider's view of what some classic attacks look like. Again, Northcutt is very thorough in what he presents. The exploits, like the IDS solutions, are also an ever evolving series, and there is no way to write a book to cover them all. The point here is to begin to educate the eyes of the analyst. Only someone who has an idea of what traffic is normal versus what smells can hope to make good decisions when it comes to sounding the alarm. As Northcutt points out, sometimes the difference is as subtle as what port is being used. He is encouraging in that you can find the signature "fingerprint" of a given attack. He even admits that there are strange patterns he's seen but has not yet solved what tool or script was used to generate them.
Chapter 9's Introduction to Hacking takes you from the target to the attacker. With data from a crack where the attacker forgot to remove the history file, you can see how quickly a box can be 'owned'. Ten gives a look into coordinated attacks, while Eleven shows some of the tools of the trade. The final chapters deal with convincing management to do things the right way and give a taste of where IDS is heading. I don't mean to downplay the importance of these chapters. Keep in mind that the best way to play with cool toys on your job is to have management backing!
Summary
Any company or group that is serious about doing Intrusion Detection should read this book. Northcutt's tongue-in-cheek humor keeps things from getting too heavy. His reference to the best remote NT administration tool being a car had me chuckling for a while. The information provided is very thorough. His examples are clear and informative. In the areas where I wanted more information, he provides links to help follow up. I wouldn't be surprised if crackers used this as a reference to develop ways around detection, and so the cycle will continue. I should also add the book went through technical review by Tim Aldrich, M. Dodge Mumford (of NFR), Judy Novak, and Larry Paccone.
Contents
Acknowledgments
Tell Us What You Think
Introduction
Shadow History
Shadow Friends
1. Mitnick Attack
2. Introduction to Filters and Signatures
3. Architectural Issues
4. Interoperability and Correlation
5. Network-Based Intrusion Detection Solutions
6. Detection of Exploits
7. Denial of Service
8. Intelligence Gathering Techniques
9. Introduction to Hacking
10. Coordinated Attacks
11. Additional Tools
12. Risk Management and Intrusion Detection
13. Automated and Manual Response
14. Business Case for Intrusion Detection
15. Future Directions
Index