Network Security Forensics

1. Slide - 1Dan VanBelleghemSenior Information Assurance Engineer - SRAPenetration TestingSecurity TrainingSecurity Readiness ReviewsIncident ResponseSecurity AssessmentsDirector of Security Programs - Network ForensicsSecurity Assistance Teams for US DoD - BAHSecurity Audits and Assessments for Fortune 500 - D&T

2. Slide - 2Network Mystery QuizDo you know:What is happening on your network?What users are doing?If users are compliant with policy?If users’ internal and external network communications affect the enterprise security posture?If anomalous behavior is detectable on the network?Why network diagrams are not enough?

3. Slide - 3ObjectivesThe objectives of this session are to provide an overview of the following:Examples of network activities that are often overlookedTechniques used in solving mysteriesBenefits from audit & monitoringRecommendations for performing audit & monitoring

4. Slide - 4ObservationsThe following observations will provide examples of network security issues that could have been discovered with good audit and monitoring practices in place

5. Discovery, analysis and lessons learned will be discussed for each of the following examples:

6. Uncovering DDOS agents

7. Harassing e-mails

8. Rogue servers and applications

9. System administrator misuseSlide - 5DDOS Agent DiscoveryBackgroundEnterprise network solution company

10. Firewall policy allowed DNS traffic

11. Firewalls managed in Colorado

12. DNS servers managed locally at other national officesSlide - 6DDOSvictim.comLocal OfficesINTERNETFPermit DNSvictim.comHQManaged by local office staffManaged by network operationsSecondary DNSPrimary DNSLocal DNS

13. Slide - 7DDOS victim.comLocal OfficesAttackerINTERNETFvictim.comHQDNS service exploited

14. Root access gained

15. Trust relationships exploited

16. DDOS agent plantedSecondary DNSPrimary DNSLocal DNS

17. Slide - 8DDOS Agent DiscoveryTechniques used for discoveryNetwork traffic analysis

18. “unusual traffic”

19. Firewall logs reviewed

20. DNS server and OS logs reviewedSlide - 9DDOS Agent DiscoveryLessons learnedFirewall logs not reviewed

21. DNS server (OS and application) logs not reviewed

22. IP spoofing not monitored internally

23. Integrity checking not performedSlide - 10DDOS Agent DiscoveryRecommendationsPerform regular log review of network service systems (DNS, Firewall, Mail, etc)

24. Automate

25. Outsource

26. Monitor and review network traffic patterns and trends

27. Network monitors

28. Network device logs

29. Perform host integrity checking for critical assets

30. Tripwire

31. System profile checkersSlide - 11Harassing E-mailsBackgroundEmployee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)

32. An internal employee was suspected but could not be confirmedSlide - 12Harassing E-mailsTechniques used for discoveryCollected network traffic using a packet snifferSearched traffic for hosts going to and from hotmail.comOnce an originating IP address was found, then searched for user name that sent anonymous e-mailSpecifically looked for CGI postings of the message - this was the proof to determine the person who sent it

33. Slide - 13

34. Slide - 14

35. Slide - 15

36. Slide - 16Harassing E-mails (cont.)

37. Slide - 17

38. Slide - 18

39. Slide - 19

40. Slide - 20

41. Slide - 21

42. Slide - 22Harassing E-mailsRecommendationsImplement e-mail policy

43. Monitor for non-production e-mail traffic

44. Develop monitoring scripts or procure commercial toolsSlide - 23BackgroundUsers install unauthorized devices, “stowaways,” on the production network

45. Enabling write access on anonymous ftp services for convenience

46. Users installing unauthorized services (e.g., web servers) to the production networkRogue Servers/Applications

47. Slide - 24Rogue Servers/ApplicationsTechniques used for discoveryMonitoring procedures implemented

48. Leveraged automation

49. Network sweep: fping

50. TCP/UDP port scanning: nmap

51. Consider appliance solution: NetFoxSlide - 25Rogue Servers/Applications

52. Slide - 26Rogue Servers/Applications

53. Slide - 27Rogue Servers/ApplicationsRecommendationsCreate a robust network security policy

54. Educate the user knowledge base to the policies and security fundamentals

55. Implement consistent procedures to achieve these goalsSlide - 28System AdministratorBackgroundGovernment agency

56. Outsourced system administration duties

57. Controlled application network with strict perimeter security

58. Only database and e-mail traffic in and out of control network

59. Firewall was monitored for all unsuccessful attemptsSlide - 29System AdministratorMonitor status of network remotely

60. Batch job to inspect health of systems

61. Sent results of process to home account - - in clear textSlide - 30System AdministratorFrom: [email protected]: [email protected]: System ReportHostname: database.victim.govSystem uptime: 2 days 14 hoursActive users:oracle system larry steveinterface status:hme0 10.10.150.12Services Running:db http inetd

62. Slide - 31System AdministratorTechniques used for discoveryFirewall logs reviewed

63. Network traffic analysisSlide - 32System AdministratorLessons learnedAdministrators needed security awareness training

64. No official remote administration procedures were in place

65. Adequate tools were not available to support environment requirementsSlide - 33System AdministratorRecommendationsImplement appropriate remote administration solution

66. Conduct constant administrator trainingSlide - 34Audit & Monitoring GoalsProtectProvides input to policy changes or mis-configurationsActs as a deterrentDetectAnalysis of all data Passive collection Active scanningAnalyze and RecoverForensic level analysisRapid answers to the who, what, when, where, how questionsFull damage controlNetwork, system and application level audit logsCentralized information source

67. Slide - 35Audit & Monitoring Enablers LogsHostApplicationSystemNetworkPacket sniffersNIDSAnalysisDatabaseScripts

68. Slide - 36LogsLogs are great source of information if:They have been enabledThey are still thereTheir integrity is not questionableSomeone reads them!Provide Who and WhenDo not provide content (e.g.,What)

69. Slide - 37Source: U.S. News Sniffers Testing sniffers means different things to different people!

70. Slide - 38NetworkSniffers are needed to “see” what is on your networkNIDS provide a means for pre-processingSwitched environments can provide a challengeSince no two networking environments are the same, methodologies will need to be tailored for each network

71. Slide - 39Raw Output

72. Slide - 40NIDS Output (Dragon)

73. Slide - 41AnalysisCollecting gigabytes of data… now what?A system or tools to assist with analysis is vitalImplementing a system with consistent procedures is a challengeFilter and focus before drowning in data

74. Slide - 42Audit & Monitoring Tool TrendsEvidence preservation

75. Data warehousing

76. Data mining

77. Automatic correlation

78. Event interpretation

79. Passive monitoring

80. Data exchange

81. AI based attack predictionSlide - 43Audit & Monitoring Tool TrendsOutsourced Managed Security

82. Counterpane – www.counterpane.com

83. SecurityTracker – www.securitytracker.net

84. ServerVault – www.servervault.com

85. Network Appliances

86. NetFox – www.securityfox.net

87. Interactive Analysis

88. SilentRunner – www.silentrunner.com

89. Log Consolidators

90. Kane – www.intrusion.com

91. eSecurity – www.esecurityinc.comSlide - 44TipsDo’sOne step at a timeAutomation is your friendStorageData sensitivityMeasureDon’tsUnderestimateForget legal responsibilitiesBe unpreparedBelieve in silver bullets

92. Slide - 45In Closing… Potential Benefits:

93. Increased knowledge and awareness of network usage practices

94. Enhance current detection and protection process

95. Reduced time and resource cost when responding to an incident

96. Reduced network misuse and abuse

97. Enforcement of policySlide - 46Questions

Network Security Forensics

More Related Content

What's hot (20)

Similar to Network Security Forensics (20)

Network Security Forensics