“This is my 2nd book by Bejtlich that I have read, with the first being “The Tao of Network Security Monitoring: Beyond Intrusion Detection.” While the Tao of NSM focused mainly on detecting attacks coming in from the perimeter, this book focused on Network Security Monitoring principles as applied to traffic going out of the network.
Bejtlich starts out by doing an overview of Network Security Monitoring, referencing his earlier book as a more in-depth treatise on NSM. He then goes on to the theory and illustration of “Extrusion Detection.” (“The process of identifying unauthorized activity by inspecting outbound network traffic.”) We see Extrusion Detection illustrated with the 4 types of NSM data. (Full Content, Session, Statistical, and Alert)
We then moved on to “Enterprise Network Instrumentation,” which included discussions on network/packet capture equipment, some I had never seen before: SPAN Regeneration Taps, Link Aggregator Taps, etc.
The next section was probably my favorite: Enterprise Sink Holes. What a fantastic way to discover a local compromised host scanning your internal network. This section also had some great ways to do short-term containment (with a Sink Hole) on a loose worm. (The coolest, in my opinion, being Unicast Reverse Path Forwarding)
Next we have sections on Traffic Threat Assessments, Network Incident Response, and Network Forensics. The book finishes up with a case study on traffic threat assessment and a discussion on Malicious Bots.
I have to give this book 5 stars out of 5 for its fresh and unique look at internal and outbound intrusions. Richard doesn’t rehash what a thousand other network security pros have written.”