9 Detecting intrusions


This chapter covers

  • Examining the phases of an intrusion as it progresses through the infrastructure
  • Detecting intrusions using indicators of compromise
  • Using Linux audit logs to detect intrusions
  • Inspecting the filesystems, memory, and network of endpoints remotely
  • Filtering outbound network traffic using intrusion-detection systems
  • Understanding the roles of developers and operators in detecting intrusions

July 2015. A hacker known by the pseudonym “Phineas Fisher” posts a short but terrifying message on Twitter:

gamma and HT down, a few more to go :)

The message quickly propagates across the information-security community. Gamma International and Hacking Team (HT) are two well-known security firms that sell offensive intrusion technologies. Both are known for selling exploits in popular software to the highest bidder, which gave them a bad reputation among security specialists. Phineas breached Gamma International in 2014, so the news of a breach of another high-profile security firm makes a lot of people nervous. Could Phineas possibly have broken into the network of one of the most paranoid security companies on the planet? People are suspicious at first, but Phineas quickly releases a dump of the company’s entire email server, removing any doubt that their defenses have been breached. But how?

9.1 The seven phases of an intrusion: the kill chain

9.2 What are indicators of compromise?

9.3 Scanning endpoints for IOCs

9.4 Inspecting network traffic with Suricata

9.4.1 Setting up Suricata

9.4.2 Monitoring the network

9.4.3 Writing rules

9.4.4 Using predefined rule-sets

9.5 Finding intrusions in system-call audit logs

9.5.1 The execution vulnerability

9.5.2 Catching fraudulent executions

9.5.3 Monitoring the filesystem

9.5.4 Monitoring the impossible

9.6 Trusting humans to detect anomalies

Summary