Extrusion Detection: Security Monitoring for Internal Intrusions
by Richard Bejtlich

Upper Saddle River: Addison-Wesley 2006.
ISBN 0-321-34996-2. Amazon.com $32.99. Bookpool.com $31.50

Reviewed by Richard Austin, 11/11/2006

We've been told for years (and alas, had it proved repeatedly to our collective chagrin) that we have to maintain situational awareness of attacks arising from outside our networks, and this has created a plethora of tools, vendors and service providers devoted to intrusion detection and prevention. Bejtlich then asks a perceptive question: "What do we know about the traffic leaving our networks?" A typical answer might be, "Uh, well, we filter URLs, block employees from inappropriate sites, install some proxies here or there. What do you mean anyway?"

Bejtlich answers quite reasonably that while the Internet is a wild jungle where almost anything goes, our internal networks are under our control and we should have a pretty decent idea of the types of traffic that should be flowing. Why hasn't it occurred to us before that we should be watching traffic flowing out of our networks to identify signs of a successful intrusion?

He goes on to observe that once an intruder is inside our defended networks, s/he is too often free to make whatever outgoing connections are required to download additional tools, register as a zombie with a botnet, deliver pilfered information and so on. Since these extrusions originate inside our networks, we should be much better able to detect them against the background of the types of traffic that should be flowing.
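To make the "we know what should be leaving" idea concrete, here is a small added example of my own (not code from the book or from any of Bejtlich's tools). It assumes a hypothetical site layout in which one web proxy, one DNS resolver and one mail relay are the only internal hosts expected to talk to the Internet directly, and it flags outbound flows that do not fit that expected egress policy, plus unusually large uploads over an allowed path. The flow records and the 50 MB upload threshold are constructed for illustration.

```python
"""Toy extrusion detector over flow records.

Added example, not from the book.  Everything below the imports is an
assumption about a hypothetical site: one internal /8, with a proxy,
a resolver and a mail relay as the only sanctioned direct-egress hosts.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical site layout (assumed, not from the book).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.0.0.5")        # only host expected to reach web ports
RESOLVER = ipaddress.ip_address("10.0.0.53")    # only host expected to do external DNS
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")  # only host expected to send SMTP out

# Assumed threshold above which even a sanctioned path deserves a look.
LARGE_UPLOAD_BYTES = 50_000_000


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int  # bytes sent by src toward dst


def is_expected_egress(f: Flow) -> bool:
    """True if this flow matches one of the site's sanctioned egress paths."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if dst in INTERNAL:
        return True  # internal-to-internal traffic is not an extrusion candidate
    if src == PROXY and f.proto == "tcp" and f.dport in (80, 443):
        return True
    if src == RESOLVER and f.dport == 53:
        return True
    if src == MAIL_RELAY and f.proto == "tcp" and f.dport == 25:
        return True
    return False


def detect_extrusions(flows, large_upload=LARGE_UPLOAD_BYTES):
    """Return (flow, reason) pairs for outbound flows worth investigating."""
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f.src) not in INTERNAL:
            continue  # inbound/external traffic is the intrusion detector's job
        if not is_expected_egress(f):
            alerts.append((f, "egress outside expected paths"))
        elif f.bytes_out >= large_upload:
            alerts.append((f, "unusually large upload over an allowed path"))
    return alerts


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "10.0.0.5", 3128, "tcp", 12_000),          # workstation -> proxy: fine
    Flow("10.0.0.5", "198.51.100.10", 443, "tcp", 8_000),        # proxy -> web: fine
    Flow("10.0.0.53", "203.0.113.7", 53, "udp", 300),            # resolver -> upstream DNS: fine
    Flow("10.1.2.3", "203.0.113.9", 6667, "tcp", 4_000),         # workstation -> IRC port: suspicious
    Flow("10.1.2.3", "198.51.100.20", 443, "tcp", 900),          # workstation bypassing the proxy
    Flow("10.0.0.5", "198.51.100.30", 443, "tcp", 120_000_000),  # sanctioned path, huge upload
    Flow("10.1.2.4", "203.0.113.8", 53, "udp", 65_000),          # workstation doing its own DNS
]

if __name__ == "__main__":
    for flow, reason in detect_extrusions(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
              f"({flow.bytes_out} bytes): {reason}")
```

The point of the example is the shape of the check, not the specific addresses: because the sanctioned egress paths are few and known, the rule set is short and the misses (a workstation talking IRC, a host resolving DNS on its own, a sanctioned host suddenly pushing far more data than usual) stand out, which is exactly the asymmetry Bejtlich is arguing for.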

From that starting point, he describes extrusion detection using many of the concepts described in his previous book (The Tao of Network Security Monitoring reviewed by Bob Bruen in the September, 2004 issue of IEEE-Cipher).

After a thorough presentation of detecting an extrusion, he devotes a substantial amount of material to the critical process of responding to one, beginning with containing it by blocking the victim systems' access to the network and continuing through the steps of collecting and preserving the evidence of the extrusion for use in a criminal investigation or other legal proceedings.

As in his other books, the tools he presents are largely Open Source and will therefore be widely available for experimentation and use.

This is a technical book and the detailed network traces and other minutiae that warm the cockles of an engineer's heart will put off many a technical manager who would benefit from understanding the important concepts Bejtlich presents. I definitely encourage network and security managers to read the portions of this book that deal with the concepts of network extrusion, planning for incident response and the processes for collecting and preserving evidence.

Richard Austin is a resident curmudgeon at a Fortune 100 company who continues to wage a battle with a tottering tower of new security tomes. Periodically he has been known to take a break and share his opinion of the latest book to migrate from the tower to the shelf. He can be reached at rda7838@kennesaw.edu