« Is Security Awareness Time and Money Wasted? A Different Perspective | Main | Reducing Phishing Up Times »

Wednesday, 01 August 2012

Book Review: Network Forensics, Tracking Hackers Through Hyperspace

51rHbjW5jFL._AA115_

Daniel Geer introduces the notion of forensics as a "craft" in his Foreword to Network Forensics, Tracking Hackers Through Hyperspace, and Sherri Davidoff and Jonathan Ham tackle the daunting task of explaining forensic investigation as a craft, introduce the tools of the trade, and demonstrate how to become a craftsman admirably well. 

The book begins by providing foundational material for three important forensic concepts. The authors illustrate the role network forensics plays in an investigation by using real world cases,  explain the different kinds of evidence and how evidence must be collected to be admitted into courts, and introduce an investigative methodology, OSCAR (Obtain information, Strategize, Collect evidence, Analyze, Report). The authors next explain the forensic value of the hardware elements found in most networks. They then provide a cursory discussion of protocols and warm my heart by recommending W. Richard Stevens' TCP/IP Illustrated for those who want to understand TCP/IP networking. [Stevens actually published three volumes in the TCP/IP Illustrated series and a complementary UNIX network Programming.]

A chapter on evidence acquisition provides succinct, insightful discussions of physical interception and traffic acquisition: I particularly like that the authors make a point to answer what, why, and how.  A chapter on packet analysis uses case studies, sample commands and console ouput (or screenshots) of methods to explain how to analyze protocols, flows, and higher level traffic, all done very much in the style of TCP/IP Illustrated.

A chapter on statistical flow analysis illustrates how traffic (network) activity can be used to identify not only suspicious or malicious activity, but the parties who perform them - and their objectives (targets). This chapter explains how "intel" can be gathered from multiple locations, aggregated and then analyzed. The authors list a dizzying number of tools and their uses, and put the methodology and tool kit to work in a case study: following how the authors compose a theory of the case of The Curious Mr. X should be great fun for any wannabe investigator.

The good stuff just keeps coming. Chapters on wireless network forensics and network intrusion detection follow form, and the case studies here (HackMe, Inc. and InterOptic Saves the Planet) were only less interesting to me because I was familiar with these scenarios. Chapters on finding and using logs, middleboxes (firewalls, routers, switches), and web proxies as sources of evidence are equally valuable for organizations that want to instrument their networks so that they can contend with and recover from incidents.

Davidoff and Ham conclude the book with two chapters on advanced topics: network tunneling and malware evolution. These chapters hint at how the craft of network forensics must evolve to keep pace with formidable adversaries.

With so much information freely available via the web today, and especially with a subject matter that seems to evolve at Internet pace, there is always a temptation to think that a book offers too narrow a snapshot of an evolving landscape. Network Forensics , Tracking Hackers Through Cyberspace (Hardcover, Kindle) disproves this assertion by providing perspective, context, and most important, a methodology that you can practice. And practice... And practice...

Posted at 04:38 PM in Books |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories