Future Books
Hacking TCP/IP Illustrated
- Role: Author
- Publisher: Concept only
- Availability: No idea
- Subject: Examination of attacks against network protocols from layers 2-5, complete with sample network traces
The Tao of Network Security Monitoring, 2nd Edition
- Role: Author, with one or more contributors
- Publisher: Concept only
- Availability: No idea
- Subject: Thorough rewrite of my first book
Real Digital Forensics 2
- Role: Co-author
- Publisher: Concept only
- Availability: No idea
- Subject: Brand-new cases from the Jones/Rose/Bejtlich team
The Secrets to Carrier Class Network Security
- Role: Contributing author
- Publisher: Auerbach Publications
- Availability: November 2008
- Subject: My contribution to this book considers the role of network security monitoring in large networks.
Please note there is no guarantee that "concept only" books will ever be published.
Published Books
Extrusion Detection: Security Monitoring for Internal Intrusions
- Role: Author, with several contributors
- Publisher: Addison-Wesley; ISBN 0321349962
- Availability: BestBookBuys.com listing; Amazon.com sells it.
- Reviews and Citations: Amazon.com, Unix Review, Windows IT Library, USENIX Login (.pdf)
- Subject: Extrusion Detection helps security architects and engineers control and instrument their networks, and helps analysts investigate security events. Extrusion Detection is a sequel to my first book. Readers will learn the theory, techniques, and tools needed to implement network security monitoring (NSM) for internal intrusions. The book argues that a defensible network can be built and operated only if the people, products, and processes enable pervasive network awareness.
- Excerpts: Foreword by Marcus Ranum; Chapter 4 ("Enterprise Network Instrumentation") and chapter 3 ("Extrusion Detection Illustrated"), all in .pdf format
- Errata: here
- Downloads: none yet
- Miscellaneous: not applicable
Real Digital Forensics
- Role: Co-author, with Keith Jones and Curtis Rose
- Publisher: Addison-Wesley; ISBN 0321240693
- Availability: BestBookBuys.com listing; Amazon.com sells it.
- Reviews and Citations: Amazon.com, IEEE Cipher, Unix Review, Information Security
- Subject: Real Digital Forensics is a hands-on guide to digital forensics. We provide host-, network-, and memory-based evidence on a DVD for readers to analyze, and then explain how to extract information from that evidence.
- Excerpts: Chapter 1: Windows Live Response (.pdf)
- Errata: here
- Downloads: none yet
- Miscellaneous: The book Web site is www.realdigitalforensics.com
The Tao of Network Security Monitoring: Beyond Intrusion Detection
- Role: Author
- Publisher: Addison-Wesley, July 2004
- Availability: BestBookBuys.com listing; Amazon.com sells it.
- Reviews and Citations: Amazon.com, BN.com, Slashdot, Computerworld, LinuxSecurity.com, IEEE Cipher, USENIX Login (.pdf), Information Security, SANS ISC, Dru Lavigne, BMonday.com, (IN)SECURE magazine (.pdf), Firewall.cx, ACM Reviews.com.
- Subject: My first solo book, The Tao of NSM is a comprehensive overview of the products, people, and processes needed to implement network security monitoring.
- Excerpts: foreword; chapters 2 and 10 ("What is NSM?" and "Alert Data: NSM Using Sguil"), chapter 11 ("Best Practices"), and chapter 18 ("Tactics for Attacking NSM"), all in .pdf format; preface; a large portion of the book is available at O'Reilly's Safari Bookshelf, and chapter 10 is browsable at Informit.com
- Errata: here -- note the fixed references to figures in Appendix A for the TCP sequence number discussion
- Downloads: The traffic captures referenced in chapter 4 are available here. They are in .tar.gz format (Windows users can use WinZip or 7-Zip to access them) and about 2 MB prior to extraction. The papers discussed in Appendix B are available here (17 MB).
Incident Response: Computer Forensics (2nd Ed)
- Role: Contributor, chapter 8 ("Collecting Network-Based Evidence") and chapter 14 ("Analyzing Network Traffic")
- Publisher: McGraw-Hill/Osborne, July 2003
- Availability: BestBookBuys.com listing
- Subject: Incident Response is the best IR book available. I contributed material to chapters 8 and 14, although Kevin modified them to suit his needs.
- Excerpts: table of contents (.pdf)
- Errata: none listed
- Downloads: report templates
- Miscellaneous: not applicable
Hacking Exposed (4th Ed)
- Role: Contributor, "Case Study: Network Security Monitoring"
- Publisher: McGraw-Hill/Osborne, February 2003
- Availability: BestBookBuys.com listing
- Subject: Hacking Exposed put Foundstone on the map. This book featured the first formal publication of the term "network security monitoring" as defined by the NSM community.
- Excerpts: table of contents and chapter 3 ("Enumeration"), (.pdf)
- Errata: available
- Downloads: see HackingExposed.com
- Miscellaneous: Foundstone's classes are taught by some of the book's authors. I created some of the material in Foundstone's Incident Response and Ultimate Hacking: Expert classes while working there as a consultant.
