Sunday, August 13, 2017

Forensics: Imaging a Drive

Background 
This blog post covers how to image the hard drive(s) of a workstation or desktop computer. The process for imaging a large-scale server differs from these steps.

Purpose 
Imaging is used to create a 1 to 1 copy of a drive. Forensics will be performed on the copy of the drive to gather evidence. The Chain of Custody is used to ensure that the processes used to obtain the image and the forensic evidence will hold up in legal proceedings.  


Requirements
Live Boot USB/CD  
  • Create a Live Boot USB/CD of a forensics-oriented operating system. For the purpose of this blog post we will be using Kali Linux.
Zero Drive
  • Zero Drive refers to a drive that has been overwritten with zeros.


Methodology
When imaging a drive for the purpose of evidence collection, one must always adhere to the Chain of Custody[1]. The Chain of Custody is a set of standards and procedures designed to preserve the integrity of the data collected for legal proceedings.


Use Cases
There will be two primary scenarios for acquiring a forensic image:
  • The hard drive is NOT connected to the computer.
    • Solution: Attach the drive to a forensic workstation using a Write Blocking mechanism.
  • The hard drive is still connected to a powered down computer.
    • Solution: Use a Forensic Live USB/CD and have the computer boot from the attached USB/CD. 

Concepts
  • Reasons to split an image file:
    • If the media you are imaging is larger than the media it is being imaged to, then split the image into smaller files for transferring across multiple devices.
    • If you are trying to transfer a large FAT32 image, then you must split it into files less than 4 GB in size. This is due to the fact that FAT32 supports a maximum file size of 4GB.

How To
Create a Zero Drive
Steps:
1. Boot into Kali Linux.
2. Connect the drive.
3. Run the following command:
  • sudo dc3dd wipe=/dev/sda
  • This will overwrite all data on the drive using zeros.

Acquiring The Image[2]
Steps:
1. Identify
  • Verify the drive to be imaged from the list of available drives, using one of two methods:
  • Run the following command to show a list of available drives:
    • fdisk -l
  • If the drive is removed from the computer then compare the physical label on the drive to the output from the following command:
    • hdparm -I /dev/sda
  • Disk Name will be in the format of:
    • /dev/sDN
    • D - device
    • N - name
  • To Image the whole drive DO NOT include a number in the drive name
    • Incorrect:  /dev/sda1, /dev/sda2, etc
    • Correct: /dev/sda
  • Select a location (a Zero Drive) to save the image file to using the following command:
    • df -h: displays the location where your external drive is mounted.


2. Run The dc3dd tool
  • To image a FAT32 drive you will need to split the image file using the following:
    • “hofs” option
      • Requires that you add the Format Specifier to the file name.
      • Format Specifier - is used to set a pattern for a sequence of file extensions.
      • Best practice: always use three numerical digits at the end of your .img naming scheme because AFF only recognizes names in that format.
        • Example: If you included “00” to the end of the file extension .img, then the file set would be the following: .img.00, .img.01, .img.02, etc.
    • “ofsz” option
      • Purpose: set the maximum size of each file in the sets of files specified.
      • For FAT32 set the file size to under 4GB.

  • Syntax:
    • dc3dd if=Name_Of_Disk_To_Image /Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img
    • example:
      • dc3dd if=/dev/sda /media/root/47bf-5c55/forensics/cases/
  • Add option(s) to the command for hashing
    • “hof” option
    • Purpose: write output to a file or device.
    • To use it place it in front of the “/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img”
      • Syntax:
        • hof=/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img
    • “hash” option
    • Purpose: compute an ALGORITHM hash of the input and also of any outputs specified.
    • Place it at the end of the “hof” command
      • Syntax:
        • hash=(select one of the following:) md5, sha1, sha256, sha512
    • “log” option
      • Purpose: Log input/output statistics, diagnostics, and total hashes of input and output to file.
      • Syntax:
        • log=Full_Path_of_Location_to_Store_log_files/Log_File_Name.log
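
Once dc3dd has written a split image, the segments can be re-hashed in order and compared with the hash recorded at acquisition. The Python below is an added example, not part of the original post or of dc3dd; the function names, the case01.img file name and the test data are constructed, and it assumes segments carry the three-digit suffix recommended above, numbered from 000.

```python
import hashlib
import os
import re
import tempfile

FAT32_MAX = 4 * 1024**3 - 1  # largest file a FAT32 volume can hold, in bytes


def find_segments(base_path, first=0):
    """Return the files base_path.000, base_path.001, ... in numeric order.

    Raises ValueError when a number inside the sequence is missing. A missing
    final segment cannot be seen here; the hash comparison catches that case.
    """
    directory = os.path.dirname(base_path) or "."
    pattern = re.compile(re.escape(os.path.basename(base_path)) + r"\.(\d{3})")
    found = {}
    for name in os.listdir(directory):
        m = pattern.fullmatch(name)
        if m:
            found[int(m.group(1))] = os.path.join(directory, name)
    if not found:
        raise ValueError("no segments found for " + base_path)
    expected = range(first, max(found) + 1)
    missing = [n for n in expected if n not in found]
    if missing:
        raise ValueError("missing segment number(s): %s" % missing)
    return [found[n] for n in expected]


def hash_image_set(base_path, algorithm="sha256", max_segment_bytes=None):
    """Hash the segments as one stream, without joining them on disk."""
    digest = hashlib.new(algorithm)
    for path in find_segments(base_path):
        if max_segment_bytes is not None and os.path.getsize(path) > max_segment_bytes:
            raise ValueError(path + " exceeds the allowed segment size")
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(1024 * 1024), b""):
                digest.update(block)
    return digest.hexdigest()


def verify_image_set(base_path, recorded_hash, algorithm="sha256"):
    """True when the recomputed hash equals the hash recorded at acquisition."""
    return hash_image_set(base_path, algorithm) == recorded_hash.strip().lower()


def write_constructed_set(base_path, data, segment_size):
    """Write data as numbered segments (constructed input, not a real image)."""
    for n, start in enumerate(range(0, len(data), segment_size)):
        with open("%s.%03d" % (base_path, n), "wb") as fh:
            fh.write(data[start:start + segment_size])


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        base = os.path.join(workdir, "case01.img")
        source = bytes(range(256)) * 40          # stands in for the source drive
        write_constructed_set(base, source, 4096)
        recorded = hashlib.sha256(source).hexdigest()
        print("segments:", len(find_segments(base)))
        print("verified:", verify_image_set(base, recorded))
```

Pass max_segment_bytes=FAT32_MAX to hash_image_set to also confirm that every segment fits on a FAT32 volume.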


Resources 
1. An Open Extensible Format for Disk Imaging
2. Digital Forensics with Kali Linux
    ISBN: 9781783989225

 

References
1. Chain of Custody
2. Digital Forensics with Kali Linux
    ISBN: 9781783989225


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Wednesday, June 7, 2017

OSINT: Nmap


Disclaimer
Do NOT perform network scans on networks without prior authorization.

Download
Nmap for Windows
Nmap for Linux

Background
This blog post is designed to provide one with a basic understanding of how Nmap works and concepts to consider when performing a network scan.

Purpose
Network Scanning is the probing of individual network systems for the purpose of obtaining vital information about them. Packet(s) are sent with various network flags set (SYN, ACK, FIN, URG, PSH) in order to solicit a response from the target system. Each kind of response is known to indicate a specific condition on the target system.

Requirements
To perform a network scan the system performing the scan must have one of the following: the IP address of the network to be scanned, an IP address CIDR range, or a domain name.

Methodology
Network scanning is a balancing act between probing a system and the amount of time spent probing it. The more time you spend probing an individual system for results, the greater the likelihood of it crashing. Bandwidth consumption is also a consistent issue which must be monitored, as consuming too much will slow down the network for business operations. Try to limit the amount of bandwidth your scan will use by setting timeout limits per system and specifying your options related to protocols and data collection. Scanning multiple systems in parallel will increase the speed of your scan.

Output
The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. [2]

How To
Syntax:
nmap  [option] [option]... Domain/IP Address

List of Nmap Options

Common Issues
Firewalls and Systems can be configured to drop or not respond to the various network flags based on various criteria. [1]

Common Solutions
Evade Firewalls:
  • Don't Ping
  • Skip the default discovery check.
  • Limit the number of SYN packets you send at one time. [1]

Use Cases
Nmap is used mainly for two purposes: Asset Management and Vulnerability Scanning.

Vulnerability Scanning
One of the uses of network scanning is for identifying vulnerabilities of individual network systems. This is done through a process called Fingerprinting, in which information relating to an individual system is collected. It is a best practice to use verbose output when using the TCP fingerprinting method, so as to gather logging information for troubleshooting purposes. Key information from Fingerprinting includes (but is not limited to):
  • Services running
  • Operating systems
  • Device type
  • OS CPE
  • OS details
  • Uptime guess
  • Network Distance
  • TCP Sequence Prediction
  • IP ID sequence generation

Asset Management
Asset management is the process of maintaining current information on system inventory. In addition to the physical inventory, the capability/usage of the system can also be cataloged. This process is similar to Vulnerability Scanning with a change in focus for the resulting information. One may be more focused on an individual system's uptime or services running for the purpose of identifying a system's role in the organization's infrastructure.

For an asset management scan I would scan the network in segments and, if possible, outside business hours. For network segmentation, try to determine which systems are internet facing versus internal. For the public-facing systems, use options that identify if a system is online. For speed, use an option that does not require a response from the probed system. To Identify network segments. To speed up your scan, increase the number of parallel operations (hosts being scanned in parallel to one another).
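
For asset management, the port table described under Output can be parsed and compared between two scans of the same segment to show which services appeared or disappeared. The Python below is an added example, not part of the original post or of Nmap; the two scan outputs are constructed samples in Nmap's normal output layout, and the function names are hypothetical.

```python
import re

# The six port states described in the Output section.
STATES = {"open", "closed", "filtered", "unfiltered",
          "open|filtered", "closed|filtered"}
HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
# port/protocol, state, service, then optional version details
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed scan output (documentation addresses, made-up services).
BASELINE = """\
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open     http
443/tcp  filtered https
"""
CURRENT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT     STATE         SERVICE
22/tcp   open          ssh
443/tcp  filtered      https
3389/tcp open          ms-wbt-server
161/udp  open|filtered snmp
Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT   STATE SERVICE
21/tcp open  ftp
"""


def parse_scan(text):
    """Return {host: {(port, protocol): {"state", "service", "version"}}}."""
    hosts, table = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            table = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and table is not None:
            port, proto, state, service, version = m.groups()
            if state not in STATES:
                raise ValueError("unexpected port state: " + state)
            table[(int(port), proto)] = {
                "state": state, "service": service, "version": version}
    return hosts


def open_ports(table):
    """Ports with an application listening; filtered and closed are left out."""
    return {key for key, row in table.items() if row["state"] == "open"}


def diff_inventory(baseline, current):
    """List (host, port/protocol, change) for every open-port difference."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        before = open_ports(baseline.get(host, {}))
        after = open_ports(current.get(host, {}))
        for port, proto in sorted(after - before):
            changes.append((host, "%d/%s" % (port, proto), "newly open"))
        for port, proto in sorted(before - after):
            changes.append((host, "%d/%s" % (port, proto), "no longer open"))
    return changes


if __name__ == "__main__":
    for change in diff_inventory(parse_scan(BASELINE), parse_scan(CURRENT)):
        print(*change)
```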

Nmap Scripting Engine (NSE)
(Disclaimer: I do not recommend using a publicly available NSE without first reviewing the code for yourself to determine its legitimacy.)
Here is Nmap.org's official list of Nmap Scripting Engine scripts from cyber security professionals and amateurs. I recommend reviewing their code to learn how to create your own NSE scripts.

Resources
List of websites available for scanning

Nmap 6 Cookbook: The Fat Free Guide to Network Scanning by Nicholas Marsh
  • ISBN-10: 1507781385
  • ISBN-13: 978-1507781388
Hands on Tutorials

References
1. Nmap 6 Cookbook: The Fat Free Guide to Network Scanning by Nicholas Marsh
  • ISBN-10: 1507781385
  • ISBN-13: 978-1507781388
2.  Chapter 15 Nmap Reference Guide
  • https://nmap.org/book/man.html
3. Nmap Options

Monday, March 20, 2017

Cyber Security Analyst (Part 3 of 3)

Writing Snort Signatures

This series will cover analyzing the common data types found in cyber security incidents: Netflow, Domain(s) & IP address(es), and PCAP. The format of the posts will be as follows: Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.


Background
Intrusion Detection Systems (IDS) perform network packet inspection for predefined criteria. Their capabilities are to alert on and/or collect Packet Capture (PCAP) data related to the predefined criteria.

Overview
For the purpose of this blog we are going to be reviewing the Snort IDS. The information in this blog is designed to help people create Snort signatures.

When creating Snort rules remember that you might not have complete inbound/outbound traffic sensor coverage of your network. The longer the duration of PCAP collection, the larger the file. Include documentation on why you are collecting/alerting on the information provided in your signature. Have a set review period for when you will re-evaluate the effectiveness of the signature based on the data collected and its false positive to true positive ratio.

Operators[1]
  • \ - used at the end of a line to continue the rule on the next line.
  • Negation "!" - tells Snort to match any IP address except the one indicated by the listed IP address.
  • [] - are used in the "Rules Action" section to define a set.
  • () - the contents inside the parenthesis are the "Rule Options" section.
  • Range ":" - used to define a range of numbers for the rule to take action on. The start of the range goes on the left of the : The end on the right side.
  • Directional "->" - indicates the orientation or direction of the traffic that the rule applies to.
  • BiDirectional "<>" - tells Snort to consider the address/port pairs in either the source or destination orientation.

Basics
  • Most rules are single line.
  • To do multiple line rules use the backslash \ to end the line.
  • Rules are divided into two logical sections, "Rule Header" and "Rule Options".
  • Rule Header: contains the rule's action, protocol, source and destination IP addresses and netmask, and the source and destination port information. The text up to the first parenthesis is the rule header.
  • Rule Options: contain alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. The contents enclosed in the parentheses are the rule options.
  • (Best Practices) Separate the "Rule header" and "Rule options" onto separate lines making it easier to view both sections.


Rule Components

Rule Header = (Action + Protocol + SourceIP + Source Port) Directional or BiDirectional notation (destIP + destport)

Rule Options = Message + Flow + Reference + Classtype + sid/rev

Snort  Rule equation = Rule Header + Rule Options



Rule Creation Steps

1. Rule action
  • Rule action(s) take effect on one of the supported protocols the user can specify.

  • There are 5 default "Rule Actions" available in Snort:
  • Alert - generate an alert using the selected alert method, and then log the packet.
  • Log - log the packet.
  • Pass - ignore the packet.
  • Activate - alert and then turn on another dynamic rule.
  • Dynamic - remain idle until activated by an activate rule, then act as a log rule.

2. Protocols
  • After the "Rule Action" is chosen the next field in the rule is the "Protocol"
  • Snort analyzes the following protocols TCP, UDP, ICMP, and IP.

3. IP Address

  • The keyword "any" may be used to define any address.
  • Write IP addresses in numeric four-octet format and include a CIDR block.
  • (i.e. xxx.xxx.xxx.xxx/24)
  • CIDR block indicates the netmask (range of IP addresses) that should be applied to the rule's address and any incoming packets that are tested against the rule.

4. Port Numbers
  • After the "Protocol" is chosen the next field in the rule is the "Port Number".
  • The keyword "any" may be used to define any port number.

5. The Direction Operator
  • Directional -> - indicates the orientation or direction of the traffic that the rule applies to.
  • BiDirectional <> - tells Snort to consider the address/port pairs in either the source or destination orientation.


Detection Options[1]
Content
Allows the user to set rules that search for specific content in the packet payload and trigger a response based on that data. Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the (rather computationally expensive) test is performed against the packet contents. If data exactly matching the argument data string is contained anywhere within the packet's payload, the test is successful and the remainder of the rule option tests are performed.
Be aware that this test is case sensitive.
Options:
  • nocase
    • Used to specify that Snort should look for the specific pattern, ignoring case.
  • rawbytes
    • Used to look at the raw packet data, ignoring any decoding that was done by pre-processors.
  • depth
    • Used to specify how far into a packet Snort should search for the specified pattern based on a chosen byte value.
    • Only values greater than or equal to the pattern length can be searched. The minimum byte value is 1 and the maximum byte value is 65535.
    • Syntax:
      • depth: [<number>|<var_name>]
  • offset
    • Used to specify where to start searching for a pattern within a packet based on a chosen byte value.
    • The byte ranges from -65535 to 65535.
    • Syntax:
      • offset:[<number>|<var_name>]
  • distance
    • Used to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match.
    • Syntax:
      • distance:[<byte_count>|<var_name>]
  • within
    • Used to make sure that at most N bytes are between pattern matches using the content keyword.
    • Syntax:
      • within:[<byte_count>|<var_name>]
  • http_client_body
    • Used to restrict the search to the body of an HTTP client request.
    • Syntax:
      • http_client_body
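
To tie the rule components and the content modifiers together, the Python below parses a rule into its header and options and checks it against the constraints listed in this post (supported actions and protocols, a CIDR block on numeric addresses, depth no shorter than the pattern, the depth and offset ranges). It is an added example, not part of the original post or of Snort; the sample rule, its addresses, message and sid are constructed, and requiring msg, sid and rev is this checker's own policy.

```python
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
MODIFIERS = {"nocase", "rawbytes", "depth", "offset", "distance", "within",
             "http_client_body"}
RANGES = {"depth": (1, 65535), "offset": (-65535, 65535)}
# keyword, then an optional ":value" that may hold quoted strings, then ";"
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')
BARE_IPV4 = re.compile(r"^!?\d{1,3}(\.\d{1,3}){3}$")

# Constructed rule (addresses, message and sid are made up). The header and
# the options sit on separate lines, joined by a trailing backslash.
SAMPLE_RULE = (
    "alert tcp any any -> 192.168.1.0/24 80 \\\n"
    '    (msg:"Constructed example: login form POST"; flow:to_server,established; '
    'content:"POST"; depth:4; content:"password="; nocase; http_client_body; '
    "classtype:policy-violation; sid:1000001; rev:1;)"
)


def split_rule(rule):
    """Join continued lines; return (header fields, text inside the parentheses)."""
    joined = re.sub(r"\\\s*\n\s*", " ", rule).strip()
    header, sep, rest = joined.partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    return header.split(), rest[:-1]


def parse_options(body):
    """Return the rule options as an ordered list of (keyword, value) pairs."""
    options, pos = [], 0
    while body[pos:].strip():
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("cannot parse options near: " + body[pos:pos + 30])
        options.append((m.group(1), (m.group(2) or "").strip()))
        pos = m.end()
    return options


def content_length(value):
    """Pattern length in bytes; text between | | is hex, two digits per byte."""
    text = value.lstrip("!").strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    total = 0
    for i, part in enumerate(text.split("|")):
        if i % 2:
            total += len(re.sub(r"\s", "", part)) // 2
        else:
            total += len(re.sub(r"\\(.)", r"\1", part))
    return total


def lint_rule(rule):
    """Check a rule against the constraints described in this post."""
    header, body = split_rule(rule)
    if len(header) != 7:
        return ["header needs: action protocol src_ip src_port direction dst_ip dst_port"]
    action, proto, src, _, direction, dst, _ = header
    findings = []
    if action not in ACTIONS:
        findings.append("unknown rule action " + action)
    if proto not in PROTOCOLS:
        findings.append("unsupported protocol " + proto)
    if direction not in ("->", "<>"):
        findings.append("direction must be -> or <>")
    findings += ["address %s has no CIDR block" % a for a in (src, dst) if BARE_IPV4.match(a)]
    seen, pattern_len = set(), None
    for key, value in parse_options(body):
        seen.add(key)
        if key == "content":
            pattern_len = content_length(value)
        elif key in MODIFIERS and pattern_len is None:
            findings.append(key + " must follow a content option")
        elif key in RANGES and re.fullmatch(r"-?\d+", value):
            low, high = RANGES[key]
            if key == "depth":
                low = max(low, pattern_len)  # depth may not be shorter than the pattern
            if not low <= int(value) <= high:
                findings.append("%s %s is outside %d..%d" % (key, value, low, high))
    findings += ["missing %s option" % k for k in ("msg", "sid", "rev") if k not in seen]
    return findings
```

lint_rule(SAMPLE_RULE) returns an empty list; a rule with depth:4 on the nine-byte pattern "password=" is reported because the depth is shorter than the pattern.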


References
1. Snort




Friday, March 10, 2017

Social Engineering Toolkit: Credential Harvesting


Overview
The Social Engineering Toolkit (SET) is specifically designed to perform advanced attacks against the human element.[1]


Requirements
For this blog post I used the Kali Linux operating system which comes with SET pre-installed.



Instructions
Launch SET
  • Applications > Exploitation Tools > Social Engineering ToolKit
A. Loading Credential Harvesting
  1. Select: "1) Social-Engineering Attacks" by typing the number 1
  2. Select: "2) Website Attack Vectors" by typing the number 2
  3. Select: "3) Credential Harvester Attack Method" by typing the number 3
  4. Select: "3) Custom Import"  by typing the number 3


B. Cloning A Website
  1. Open a browser (Any browser will work)
  2. Navigate to the Website Login page you wish to clone. 
  3. Navigate to the File option in your browser.
  4. Change the Name field to index.html (the name is case sensitive)
  5. Change the Save Location to /var/www/html
  6. Change Type to Web Page, Complete
  7. Save
C. Arming the Website
  1. Open a Terminal and type ifconfig
  2. Copy the inet addr: xxx.xxx.xxx.xxx
  3. Paste the inet addr into the terminal running SET
    • set: webattack > IP address for the POST back in Harvester/Tabnabbing: xxx.xxx.xxx.xxx
  4. Type the following file path:
    • /var/www/html
  5. Type the URL of the website you cloned.
  6. Type "y" for yes you want to start Apache server. 
D. Testing the Website
If everything was done correctly you'll see an exact clone of the website you cloned. 
  1. Open a browser (on the same machine you used SET on)
  2. Type in your inet addr: xxx.xxx.xxx.xxx into the URL bar.
  3. Hit Enter key

Reference
1. Social Engineering Toolkit


OSINT Tool: Recon-ng


How to Use Open Source Intelligence Tool RECON-NG

Overview
"Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly." [1]

Recon-ng is a tool used to perform open source intelligence on Domains and IP addresses. It allows you to find sub domains, their relative IP addresses, and perform geographical tagging, etc.


Download
Recon-ng


Syntax
[recon-ng][default] command



Help
To access the help menu type the following command:

  • help
  • example: 
    • [recon-ng][default] help 

Database
Everything this script does is to populate a database which the user creates. This script's database query, creation, and deletion syntax is similar to MySQL.

1. Creating a Database
  • To create a database type the following command:
    • workspaces add
    • example: workspaces add TableName
  • Once you create your table you'll see the following prompt:
    • [recon-ng][TableName]
    • This means your table is ready for use with any of the modules.
2.  Defining Domains
  • After you create a table you have to define a domain for all of the modules to take action on.
  • To add a domain type the following:
    • add domain 
    • [recon-ng][TableName] add domain DomainName
3. Deleting a Table
  • To delete a database type the following command:
    • workspaces delete
    • example: [recon-ng][default] workspaces delete TableName
Modules
To search for Modules follow these steps:
1. Select your table
  • [recon-ng][default] workspaces select TableName
2. Search for Modules
  • Search Syntax:
    • [recon-ng][TableName] load SearchTerm
      • Key search terms: domain, location, reports
3. Loading a Module
  • From the list of options you are presented with, copy & paste the whole line which contains the FilePath and the ModularName.
    • example: [recon-ng][TableName] load Path&ModularName

Recommended Videos

Reference(s)
1. Tools Kali


Wednesday, March 1, 2017

Cyber Security Analyst (Part 2 of 3)

PCAP Data Analysis

This series will cover analyzing the common data types found in cyber security incidents: Netflow, Domain(s) & IP address(es), and PCAP. The format of the posts will be as follows: Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.



The information in this blog is designed to help people analyzing PCAP data. There are many programs which can automate the manipulation and organization of PCAP data for the end user. I believe it is always a good idea to know how to perform these tasks manually because every environment will be different. For the purpose of this blog post we'll be covering the use of the open source PCAP analysis tool Wireshark.


Tools
The listed tool is a free open source tool for Linux and Windows:



Background
Having a working understanding of the PCAP filters is essential to being able to read PCAP data.

A. Wireshark  Filters [1]
1. HTTP header information
  • Description: used to analyze the packet HTTP header information
  • Syntax:
    • http."option"
    • Commonly used "option(s)"
      • http.user_agent
      • http.response
      • http.connection
2. TCP session information
  • Description: used to analyze the packet TCP session information
  • Syntax:
    • tcp."option(s)"
    • Commonly used "option(s)"
      • tcp.analysis.flags
      • tcp.flags
      • tcp.srcport
3. SSL connection
  • Description: used to determine if an SSL connection was established.
  • Syntax:
    • ssl."option(s)"
    • Commonly used "option(s)"
      • ssl.handshake
4.  System communications
  • Description: used to determine who the system is trying to communicate with and how often.
  • Syntax:
    • dns."option(s)"."option(s)"
    • Commonly used "option(s)"
      • dns.qry.name
      • dns.resp.addr
      • dns.resp.name
5. Text search
  • Description: used to search for specific text inside of a packet.
  • Syntax:
    • frame contains "text"
    • Common text to search for
      • "Dos"
      • ".exe"



Concepts & Techniques
Two things to look for in PCAP when looking for signs of potential malicious activity are magic numbers and Base64.

A. Magic Numbers [2]
Common in programs across many operating systems. Magic numbers implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at program run-times. Detecting such constraints in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.
  • GIF image file:
    • ASCII code
      • "GIF89a" (47 49 46 38 39 61) 
      • "GIF87a" (47 49 46 38 37 61)
  • JPEG image file:
    • Begins with "FF D8" and ends with "FF D9"
  • Postscript file:
    • Starts with "%!" (25 21)
  • MS-DOS exe file:
    • Starts with
      • "MZ" (4D 5A)
      • "ZM" (5A 4D) - is NOT as common
B. Base64 [3]
A group of similar encoding schemes that represent binary data in an ASCII string format by translating it into a Radix-64 representation. Base64 encoding schemes are commonly used when there is a need to encode binary that needs to be stored and transferred over media that are designed to deal with textual data. This is done to ensure that the data remains intact without modification during transport.
  • Characters [A-Z], [a-z],[0-9],[+],[/]
  • Padding: 
    • "==" indicates the last group contained only 1 byte.
    • "=" indicates that it contained 2 bytes.
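
The two indicators combine in practice: a file can travel inside a packet as Base64 text, so its magic number only becomes visible after decoding. The Python below is an added example, not part of the original post; it decodes each Base64 run in a payload and checks the result against the magic numbers listed above. The HTTP request and the 52-byte "MZ" stub are constructed and harmless, and the function names are hypothetical.

```python
import base64
import binascii
import re

# Magic numbers listed in this post: (leading bytes, file type).
MAGIC = [
    (b"GIF89a", "GIF image file"),
    (b"GIF87a", "GIF image file"),
    (b"\xff\xd8", "JPEG image file"),
    (b"%!", "Postscript file"),
    (b"MZ", "MS-DOS exe file"),
    (b"ZM", "MS-DOS exe file"),
]
# A run of Base64 characters followed by at most two "=" padding characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: a stub that only carries the "MZ" header and the usual
# DOS text, Base64-encoded inside a made-up HTTP request body.
STUB = b"MZ" + bytes(11) + b"This program cannot be run in DOS mode."
HTTP_PREFIX = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: text/plain\r\n\r\ndata=")
SAMPLE_PAYLOAD = HTTP_PREFIX + base64.b64encode(STUB)


def identify(data):
    """Return the file type whose magic number starts data, or None."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            if magic == b"\xff\xd8" and not data.endswith(b"\xff\xd9"):
                return label + " (FF D9 trailer missing)"
            return label
    return None


def last_group_bytes(run):
    """Bytes carried by the final 4-character group, read from the padding."""
    return {2: 1, 1: 2, 0: 3}[len(run) - len(run.rstrip(b"="))]


def find_encoded_files(payload):
    """Decode each Base64 run and report those that start with a magic number.

    Returns (offset of the run, file type, decoded length) tuples. Two-byte
    magic numbers such as "MZ" or "%!" match by chance fairly often, so treat
    a hit as a lead to inspect, not as proof.
    """
    findings = []
    for m in B64_RUN.finditer(payload):
        run = m.group(0)
        if len(run) % 4:
            continue  # not a whole number of 4-character groups
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        label = identify(decoded)
        if label:
            findings.append((m.start(), label, len(decoded)))
    return findings


if __name__ == "__main__":
    for offset, label, size in find_encoded_files(SAMPLE_PAYLOAD):
        print("offset %d: %s, %d bytes after decoding" % (offset, label, size))
```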




References 
  1. Wireshark Filters
  2. Magic Numbers
  3. Base64




Recommended Reading and/or Videos
  • Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose.
  • Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich, foreword by Marcus Ranum.
 

Sunday, January 22, 2017

Cyber Security Analyst (Part 1 of 3)

Netflow Data Analysis
This series will cover analyzing the common data types found in cyber security incidents: Netflow, Domain(s) & IP address(es), and PCAP. The format of the posts will be as follows: Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.



The information in this blog is designed to help people analyzing Netflow data. There are many programs which can automate the manipulation and organization of Netflow data for the end user. I believe it is always a good idea to know how to perform these tasks manually because every environment will be different.



Background
Having a working understanding of the Three-way Handshake, Session Flags, Port Numbers, and Domain Name System (DNS) is essential to being able to read Netflow data.

A. Three-way Handshake
  • The Three-way Handshake is used to establish a connection between a client and a server.
  • A client is a device which requests services.
  • A server is a provider of services to clients.
  • Three-way Handshake Process:
    1. Client sends a "SYN" flag to the server
    2. Server responds with "SYN-ACK"
    3. Client sends an "ACK" flag
    4. The connection is now complete.

B. Session Flags [1]
  • URG (1 bit)  indicates that the Urgent pointer field is significant 
  • ACK (1 bit)  indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set. 
  • PSH (1 bit)  Push function. Asks to push the buffered data to the receiving application. 
  • RST (1 bit)  Reset the connection
  • SYN (1 bit)  Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
  • FIN (1 bit)  No more data from sender

C. Port Numbers [2]
  • Port Numbers can be linked to certain applications and services to give one a better idea of the type of activity which is occurring during the communication they are observing. 
  • Port numbers 1 - 1023: well-known server services.
  • Port numbers 1024 - 5000: ephemeral port numbers.
  • An ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically from a predefined range by the TCP/IP software.


D.  Domain Naming System (DNS)
  • DNS interactions are required for all internet activity.
  • DNS Process:
    1. Client issues a DNS query.
    2. A DNS Server accepts the query.
    3. If the first DNS server does not know the answer to the query request, then it will ask additional DNS servers.
    4. When the DNS server receives the answer to the DNS query, it returns the Domain to the client.



Concepts & Techniques
The Netflow data is used to confirm activity through correlation of information across different mediums. For example correlating network traffic with system logs to determine what the system was doing at the specific point in time. When analyzing Netflow data keep the following in mind:
  • Netflow data can be queried like a database.
  • Organize the data according to the "Time" field preferably the start time option. 
  • You may not be able to see the complete session due to a lack of network coverage.
  • Go back a week or a month from the initial date of the suspicious traffic in order to try and establish a normal behavioral pattern to compare the infected system to. 
  • A few common attacks that can be observed in Netflow:
    • Beaconing
    • DDoS
    • TCP Reset attack
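
Beaconing shows up in flow data as one host contacting the same destination at nearly constant intervals, which is visible once the flows are ordered by start time. The Python below is an added example, not part of the original post; the flow records are constructed, the record layout (start time, source, destination, destination port, flag letters seen in the flow) and the thresholds are assumptions, and the function names are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records. Start times are in seconds; addresses come from
# private and documentation ranges; "SAPF" means SYN, ACK, PSH and FIN were seen.
BEACON_STARTS = [1000, 1301, 1599, 1900, 2202, 2500, 2799, 3100]
BROWSE_STARTS = [1000, 1004, 1010, 1500, 1502, 2900, 3000]
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "203.0.113.7", 443, "SAPF") for t in BEACON_STARTS]
    + [(t, "10.0.0.5", "198.51.100.20", 80, "SAPF") for t in BROWSE_STARTS]
    + [(t, "10.0.0.8", "192.0.2.50", 22, "S") for t in (1000, 2000, 3000)]
)


def handshake_completed(flags):
    """True when the flow saw both SYN and ACK, i.e. the server answered."""
    return "S" in flags and "A" in flags


def find_beacons(flows, min_flows=6, max_jitter=0.1):
    """Report conversations whose flows start at nearly constant intervals.

    Jitter is the standard deviation of the gaps between start times divided
    by their mean; regular check-ins score close to 0, browsing scores high.
    """
    conversations = defaultdict(list)
    for start, src, dst, dport, flags in sorted(flows, key=lambda f: f[0]):
        conversations[(src, dst, dport)].append((start, flags))
    candidates = []
    for (src, dst, dport), seen in sorted(conversations.items()):
        if len(seen) < min_flows:
            continue  # too few flows to call the timing a pattern
        starts = [start for start, _ in seen]
        gaps = [float(b - a) for a, b in zip(starts, starts[1:])]
        average = mean(gaps)
        if average == 0:
            continue
        jitter = pstdev(gaps) / average
        if jitter <= max_jitter:
            candidates.append({
                "src": src, "dst": dst, "dport": dport, "flows": len(seen),
                "mean_gap": average, "jitter": round(jitter, 3),
                "established": all(handshake_completed(f) for _, f in seen),
            })
    return candidates


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

Run the same function over a week or a month of earlier flows for the host, as suggested above, to see whether the regular conversation is part of its normal behavior.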
 

Tools
The listed tools are free open source tools for Linux and Windows respectively:
These tools will allow you to capture Netflow data from the network interface of your PC. I recommend practicing observing the Netflow data from your PC while it is idle in order to see which services are continuously communicating with the internet and browsing the web.


Recommended Reading and/or Videos
  • Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose.
  • Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich, foreword by Marcus Ranum.



References 
  1. Transmission Control Protocol
  2. Ephemeral Port