Book Review: "The Practice of Network Security Monitoring"
The Practice of Network Security Monitoring: Understanding Incident Detection and Response, written by Richard Bejtlich and published by No Starch Press, is one of those staple texts in the world of incident response and information security. For about $30 this book provides over 350 pages of free tools, fundamental theories, and verified techniques for detecting and responding to network incidents in an information security context. This has been called the definitive text on Network Security Monitoring (NSM) and would serve as excellent baseline knowledge for any network security analyst. In fact, while this book can be read cover to cover, it actually targets a wide audience of people, from those who don't even know what tools to use all the way to tactics for more seasoned analysts. Therefore, I would recommend any blue teamer, network engineer, or even information security practitioner to pick the book up and look at which chapters could best fill gaps in one's NSM understanding. Overall, I'm giving this book 8/10 stars, because it's entirely based on free tools, should be considered a seminal text on NSM, and provides a rock solid approach for not only hunting down and acting on network incidents, but running a Computer Incident Response Team (CIRT). However, the book doesn't dive deep into advanced topics, but rather chooses to address the breadth of NSM, meaning it may be more review than insight for advanced network analysts.
The reasons I love this book are innumerable, but here goes: the ease with which it guides newbies through installation and tool configuration, eloquently conveying theories on incident response, the core network security tools covered, analyzing the attacker's kill chains, hunting on the network for new indicators, a model for the functions of a successful SOC or CIRT, and most importantly the focus on constantly improving incident response metrics. But despite the reasons I hold this book in such high regard, one of my concerns is that the book is almost entirely tool driven, so if you aren't using the tools exemplified in the book, it may be harder to pick up the underlying lessons. The book is entirely focused around Security Onion, which is a great collection of blue team tools neatly packaged in an ISO, similar to what Kali Linux is for the red team. Further, this book is part of Palo Alto Networks' Cybersecurity Canon, and their review really distills the core theories of the book. Ultimately, this is the kind of book that can replace a class, the kind of book that can help an interested and driven individual find a lot of success in the network security world. I also really enjoyed the detective-like narrative when working through the examples, showing us the screenshots and letting us make our own judgments on events before explaining to the reader the event's true significance. Don't be intimidated by the book's large size either; it doesn't have to be read from cover to cover, and in fact more experienced network analysts will probably pick and choose their favorite chapters quickly. The following is the list of chapters and their subtopics, in my typical review style, so you can see which chapters would be important to you:
Part 1: Getting Started
Chapter 1: Network Security Monitoring Rationale
An Introduction to NSM
A Sample NSM Test
The Range of NSM Data
What’s the Point of All This Data?
NSM Drawbacks
Where Can I Buy NSM?
Where Can I Go for Support or More Information?
Conclusion
Chapter 2: Collecting Network Traffic: Access, Storage, and Management
A Sample Network for a Pilot NSM System
IP Addresses and Network Address Translation
Choosing the Best Place to Obtain Network Visibility
Getting Physical Access to the Traffic
Choosing an NSM Platform
Ten NSM Platform Management Recommendations
Conclusion
Part 2: Security Onion Deployment
Chapter 3: Stand-alone NSM Deployment and Installation
Stand-alone or Server Plus Sensors?
Choosing How to Get SO Code onto Hardware
Installing a Stand-alone System
Conclusion
Chapter 4: Distributed Deployment
Installing an SO Server Using the SO .iso Image
Installing an SO Sensor Using the SO .iso Image
Building an SO Server Using PPAs
Building an SO Sensor Using PPAs
Conclusion
Chapter 5: SO Platform Housekeeping
Keeping SO Up-to-Date
Limiting Access to SO
Managing SO Data Storage
Conclusion
Part 3: Tools
Chapter 6: Command Line Packet Analysis Tools
SO Tool Categories
Running Tcpdump
Using Dumpcap and Tshark
Running Argus and the Ra Client
Conclusion
Chapter 7: Graphical Packet Analysis Tools
Using Wireshark
Using Xplico
Examining Content with NetworkMiner
Conclusion
Chapter 8: NSM Consoles
An NSM-centric Look at Network Traffic
Using Sguil
Using Squert
Using Snorby
Using ELSA
Conclusion
Part 4: NSM in Action
Chapter 9: NSM Operations
The Enterprise Security Cycle
Collection, Analysis, Escalation, and Resolution
Remediation
Conclusion
Chapter 10: Server-side Compromise
Server-side Compromise Defined
Server-side Compromise in Action
Exploring the Session Data
Stepping Back
Conclusion
Chapter 11: Client-side Compromise
Client-side Compromise Defined
Client-side Compromise in Action
Analyzing the Bro dns.log File
Checking Destination Ports
Examining the Command-and-Control Channel
Conclusion
Chapter 12: Extending SO
Using Bro to Track Executables
Using Bro to Extract Binaries from Traffic
Using APT1 Intelligence
Reporting Downloads of Malicious Binaries
Conclusion
Chapter 13: Proxies and Checksums
Proxies
Checksums
Conclusion
Conclusion
Cloud Computing
Workflow, Metrics, and Collaboration
Conclusion
(Chapter 14:) SO Scripts and Configuration
SO Control Scripts
SO Configuration Files
Updating SO
Colophon
Appendix Updates
By far the most interesting section I found was 'Part 4: NSM in Action', which covered the processes of detecting and tracking down an incident using your entire toolkit. This was a very real chapter to me and reminded me of many of the operations we used to perform at Mandiant. Similarly, I enjoy this book so much because Richard really takes you from start to finish, performing practical network security monitoring throughout the book, making the learning experience very real world and applicable. If you're still not convinced you need network security monitoring in your life or don't know if this book is right for you, you can read the first chapter for free! But if you ask me, I say pick up a copy and start tcpdump today!