PDF The Best of Taosecurity Blog Volume 1 Milestones Philosophy and Strategy Risk and Advice 1St Edition Richard Bejtlich Ebook Full Chapter
The Best of TaoSecurity Blog, Volume 1
Milestones, Philosophy and Strategy, Risk, and Advice
Richard Bejtlich
TaoSecurity Press
Copyright © 2020 Richard Bejtlich and TaoSecurity Press
Trademarked names may appear in this book. Rather than use a trademark symbol
with each occurrence of a trademarked name, names are used in an editorial fashion with
no intention of infringement of the respective owners’ trademarks.
This is a book about digital security and network monitoring. The act of collecting network
traffic may violate local, state, and national laws if done inappropriately. The tools and
techniques explained in this book should be tested in a laboratory environment, separate
from production networks. None of the tools or techniques should be tested with network
devices outside of your responsibility or authority.
Suggestions on network monitoring in this book shall not be construed as legal advice.
The author has taken care in the preparation of this book, but makes no expressed or
implied warranty of any kind and assumes no responsibility for errors or omissions.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted, in any form, or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior consent of the publisher.
ISBN: 978-1-952809-00-2
I dedicate this book to my family.
I propose to fight it out on this line, if it takes all summer.
This book, by and large, only incorporates the text from the
selected posts. There are many cases where I originally linked to
material created by others, and I did not want to violate any
copyright holders in a commercial work such as this. I’ve also
omitted all of the URLs mentioned in the posts. Given the age of the
source material, most original URLs point to dead links, and I was
not interested in tracking down replacements in the remote
expectation that a reader might want to follow a source. If that is
the case, however, each entry in this book includes a URL for the
original blog post. Duly motivated readers can begin their research
there, should they be so inclined.
Blog comments are not reproduced here either. While a few posts
over the years featured thoughtful commentary, most did not. At
some point during the blog’s history I had to enable comment
moderation. I was shocked by those who submitted comments that
exhibited foul and racist language, personal attacks, and other
disgusting content. The world is better off without a platform for
their idiocy, although most of them have unfortunately migrated to
Twitter. If for some reason you’re wondering if a post in this book
had comments, please follow the cited link.
As of April 2020, the five most popular posts, since January 2011
when Blogger began offering native statistics, are as follows:
Some of the content has aged well, and some of it has not. I’ve
tried to preserve material in this book that is useful, regardless of
when it was written. For that reason, much of the “technical”
material has been omitted. For example, the online TaoSecurity Blog
features over 430 posts with the label “FreeBSD,” meaning they have
something to do with that Unix-like operating system. Early in my
career I was a keen FreeBSD user, and I often wrote about how to
accomplish various tasks using that software. When I stopped
writing about FreeBSD, some of my readers complained. I didn’t
care. I wrote for myself and if the complainers wanted that content,
they could try their hand at writing. At this point, much of that
material is no longer relevant, and if it might be to some readers, it
remains a Google search or blog URL away.
And now, before turning to the blog, I leave the introduction with
the immortal words attributed to Steve Jobs:
Richard Bejtlich
Northern Virginia, 2020
Chapter 1. Milestones
Introduction
This chapter contains posts which represented various moments
where the course of my blogging life changed, usually for the better.
It also contains entries which I felt marked a noteworthy moment for
the blog, and perhaps did not strictly belong in another category.
First Post and Review of BGP Posted
Wednesday, January 08, 2003
Welcome to my blog! The main new content will be news of book
reviews that I've had published at Amazon.com. In 2002 I read and
reviewed 24 books on computer security topics. Most recently, these
included The Art of Deception: Controlling the Human Element of
Security by Kevin Mitnick and The Hacker Diaries: Confessions of
Teenage Hackers by Dan Verton.
Richard Bejtlich
https://taosecurity.blogspot.com/2003/01/welcome-to-my-blog-main-new-content.html
Commentary
This was my first blog post. I had very modest plans when I
started, concentrating on promoting the book reviews I was writing
on Amazon.com. I eventually became a top 500 book reviewer for
that site. I used to read and review dozens of technical books per
year (17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26
in 2005, 52 in 2006, 25 in 2007, 20 in 2008, 15 in 2009, 31 in 2010,
22 in 2011 -- 340 in total). In mid-2012 I decided that technical
books no longer captured my interest, and I focused on books about
history, strategy, policy, and martial arts. The archive.org repository
of pages for www.bejtlich.net/reading.html shows what I used to
read. The link is no longer active.
Sguil User Six
Tuesday, February 18, 2003
According to my friend Bamm Visscher, I just became user
number six of Sguil, an interface for the Snort intrusion detection
engine. It's in early alpha stages but it smokes everything else
available. It's built BY an analyst FOR an analyst. I spent a chunk of
the weekend writing this 4 MB installation guide pdf for it. The 13
MB sguil_complete_17_feb_03.tar archive I mention in the
installation guide can be downloaded here, for now. There is also a
Sourceforge site. Enjoy!
https://taosecurity.blogspot.com/2003/02/according-to-my-friend-bamm-visscher-i.html
Commentary
I am very proud to have been associated with the Sguil project,
even though my code contribution was one or two lines that I
believe Bamm rejected anyway! I still use Sguil to this day, as it is
the most information-dense way to review alerts generated by an
intrusion detection engine like Suricata, and it provides right-click
access to full content data via Wireshark. At this time I was
working as an incident response consultant for Kevin Mandia at
Foundstone, and I believe I may have used Sguil during some
engagements where I had to build my own network security
monitoring sensors.
Trying New Martial Arts School
Monday, April 28, 2003
I finally joined a new martial arts school in northern Virginia. It's
been two years since I broke my wrist and stopped formal training,
and about seven months since my last organized martial arts activity.
https://taosecurity.blogspot.com/2003/04/i-finally-joined-new-martial-arts.html
Commentary
I was surprised to find this entry. At this point in the blog’s
progression, I had not yet instituted the fairly strict rules I would
later follow, namely keeping the blog on topic. I recommend this
strategy for anyone trying to organize their thoughts in written form
in a public-facing medium. To this day I have TaoSecurity Blog for
cyber security, intelligence, and military history; Rejoining the Tao
Blog for my martial arts journey; and Martial History Team for
promoting sound evidence and sourced research on martial arts
topics.
Five Years Ago Today...
Tuesday, September 23, 2003
Five years ago today I left the information warfare planning
directorate at Air Intelligence Agency and joined the Air Force
Computer Emergency Response Team at then-Kelly Air Force Base in
San Antonio, Texas. Back then we were part of the Air Force
Information Warfare Center, tasked with monitoring all of the
intrusion detection systems deployed inside border routers at Air
Force's installations. I was a new captain and had voluntarily
attended some UNIX training after work hours while deployed to RAF
Molesworth in late 1997.
Just yesterday I was asked how to get into the computer security
field. Here's how I did it. I looked at the AFCERT's manning roster
for the network security monitoring teams and put myself on the
schedule. Wherever I saw an opening -- usually between 2 and 10
pm or 10 pm and 6 am -- I added my name. I sat next to people
who seemed to understand the alerts they were analyzing and asked
a lot of questions. Six months later I was in charge of the real-time
NSM team, and a year later I was in charge of all NSM operations. I
wrote my first white paper in late 1999 and spoke at my first SANS
conference on 25 Mar 00. Currently I'm writing Real Digital Forensics
and The Tao of Network Security Monitoring, both to be published in
2004.
https://taosecurity.blogspot.com/2003/09/five-years-ago-today.html
Commentary
This was the first of several posts that look back on my time in
the Air Force. Writing now in 2020, it’s stunning to remember a time
when I had only five years of hands-on technical security
experience. I notice that I also mentioned the publication process for
my first two books, the Tao of Network Security Monitoring,
published in 2004, and Real Digital Forensics, co-authored with Keith
Jones and Curtis Rose, published in 2005.
The Tao of NSM Is Published!
Friday, July 16, 2004
My wife found a copy of my book left in our garage today by the
UPS or FedEx delivery person! I'm very happy to see it in print.
Now, less than a year after that Black Hat meeting, I have a copy
of my book in hand. Thank you to everyone who assisted -- you're all in
the preface!
Commentary
The Tao remains my magnum opus, despite any attempt to
create something better. It was the right book at the right time. I
decided to write it in 2001 when Bamm and I were acting as
technical leads and managers for a team of 12 analysts at Ball
Aerospace & Technologies Corporation (BATC). I wrote a training
course for them to take before serving as event analysts. I realized
that there was no text that I could hand to a new analyst that
taught them what I hoped they should know. I decided to investigate,
as thoroughly as possible, many aspects of network security
monitoring (NSM). When the book exceeded an 800 page count, my
publisher said that I needed to stop. That’s why I quickly published a
sequel, Extrusion Detection. I’ve likened Tao to the Constitution and
Extrusion to the Bill of Rights! I remain very proud of Tao to this day
-- especially the appendix on NSM intellectual history. That’s a
timeless historical section that is relevant forever, regardless of what
the Amazon.com reviewers might think.
While I will not outline specifics here, I will say I was impressed
by the variety of network traffic the Pentagon collects. They are not
a single-solution shop that can be beaten by evading one variety of
intrusion detection system deployed at the perimeter. Rather, they
gather alert, session, and statistical data and have the capability to
collect some full content data. I will not name tools, but I was
surprised by some of their choices. By this I mean they seemed
genuinely interested in novel approaches to identifying and
validating security events.