Network Security Forensics


Solving Network Mysteries Slide - 1

Dan VanBelleghem

Senior Information Assurance Engineer - SRA
• Penetration Testing
• Security Training
• Security Readiness Reviews
• Incident Response
• Security Assessments

Director of Security Programs - Network Forensics
• Security Assistance Teams for US DoD - BAH
• Security Audits and Assessments for Fortune 500 - D&T

Network Mystery Quiz

Do you know:
• What is happening on your network?
• What users are doing?
• If users are compliant with policy?
• If users’ internal and external network communications affect the enterprise security posture?
• If anomalous behavior is detectable on the network?
• Why network diagrams are not enough?

Objectives

The objectives of this session are to provide an overview of the following:
• Examples of network activities that are often overlooked
• Techniques used in solving mysteries
• Benefits from audit & monitoring
• Recommendations for performing audit & monitoring

Observations

• The following observations will provide examples of network security issues that could have been discovered with good audit and monitoring practices in place
• Discovery, analysis and lessons learned will be discussed for each of the following examples:
  • Uncovering DDOS agents
  • Harassing e-mails
  • Rogue servers and applications
  • System administrator misuse

DDOS Agent Discovery

Background
• Enterprise network solution company
• Firewall policy allowed DNS traffic
• Firewalls managed in Colorado
• DNS servers managed locally at other national offices

DDOS

[Diagram: the Internet connects through a firewall (F) with the rule "Permit DNS" to victim.com HQ (Local DNS and Secondary DNS, managed by network operations) and to the victim.com Local Offices (Primary DNS, managed by local office staff).]

DDOS

[Diagram: the same topology as the previous slide (firewall, victim.com HQ with Local and Secondary DNS, Local Offices with Primary DNS), with an Attacker added on the Internet side.]

• DNS service exploited
• Root access gained
• Trust relationships exploited
• DDOS agent planted

DDOS Agent Discovery

Techniques used for discovery
• Network traffic analysis
  • “unusual traffic”
• Firewall logs reviewed
• DNS server and OS logs reviewed

DDOS Agent Discovery

Lessons learned
• Firewall logs not reviewed
• DNS server (OS and application) logs not reviewed
• IP spoofing not monitored internally
• Integrity checking not performed

DDOS Agent Discovery

Recommendations
• Perform regular log review of network service systems (DNS, Firewall, Mail, etc.)
  • Automate
  • Outsource
• Monitor and review network traffic patterns and trends
  • Network monitors
  • Network device logs
• Perform host integrity checking for critical assets
  • Tripwire
  • System profile checkers

Harassing E-mails

Background
• Employee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)
• An internal employee was suspected but could not be confirmed

Harassing E-mails

Techniques used for discovery
• Collected network traffic using a packet sniffer
• Searched traffic for hosts going to and from hotmail.com
• Once an originating IP address was found, then searched for user name that sent anonymous e-mail
• Specifically looked for CGI postings of the message - this was the proof to determine the person who sent it
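The four discovery steps above, worked as an added example that is not part of the original slides: constructed, already-reassembled HTTP requests stand in for the sniffer capture; the first function lists the internal hosts talking to the webmail domain, the second pulls out the CGI postings from those hosts and decodes the submitted form so the login name and message text can be tied to an originating IP. The paths and form field names are assumptions for illustration, not the real webmail service's.

```python
from urllib.parse import parse_qs

# Constructed sample of reassembled HTTP requests: (client IP, raw request text).
# Paths and form field names are assumed for illustration only.
CAPTURED = [
    ("10.10.150.33", "GET / HTTP/1.0\r\nHost: www.intranet.example\r\n\r\n"),
    ("10.10.150.41", "GET /cgi-bin/login HTTP/1.0\r\nHost: www.hotmail.com\r\n\r\n"),
    ("10.10.150.41",
     "POST /cgi-bin/compose HTTP/1.0\r\nHost: www.hotmail.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 72\r\n\r\n"
     "login=anon123&to=target%40victim.com&subject=again&body=stop+ignoring+me"),
    ("10.10.150.52", "GET /inbox HTTP/1.0\r\nHost: www.hotmail.com\r\n\r\n"),
]

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, path, headers, body

def webmail_clients(records, domain):
    """Step 1: internal IPs seen talking to the webmail domain."""
    ips = set()
    for ip, raw in records:
        _, _, headers, _ = parse_request(raw)
        if headers.get("host", "").endswith(domain):
            ips.add(ip)
    return ips

def cgi_postings(records, domain):
    """Step 2: form submissions (CGI postings) to that domain, decoded per client."""
    out = []
    for ip, raw in records:
        method, path, headers, body = parse_request(raw)
        if method != "POST" or not headers.get("host", "").endswith(domain):
            continue
        if "x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        out.append((ip, path, fields))
    return out
```

A host that merely reads its inbox (10.10.150.52 here) appears in step 1 but not in step 2; only the client that posted the message carries the evidence.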

Harassing E-mails (cont.)

[Slides 13 to 22: no text recovered]

Harassing E-mails

Recommendations
• Implement e-mail policy
• Monitor for non-production e-mail traffic
• Develop monitoring scripts or procure commercial tools

Rogue Servers/Applications

Background
• Users install unauthorized devices, “stowaways,” on the production network
• Enabling write access on anonymous ftp services for convenience
• Users installing unauthorized services (e.g., web servers) to the production network

Rogue Servers/Applications

Techniques used for discovery
• Monitoring procedures implemented
• Leveraged automation
  • Network sweep: fping
  • TCP/UDP port scanning: nmap
• Consider appliance solution: NetFox
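Leveraging the automation above, as an added example that is not part of the original slides: the grepable (-oG) output of an nmap sweep is parsed and compared against an authorized-services inventory, so that new hosts (“stowaways”) and unapproved services such as an unexpected web or ftp server stand out. The scan output and the inventory are constructed; the regular expression relies on the port/state/protocol/owner/service field layout of -oG lines.

```python
import re

# Constructed nmap grepable (-oG) output; hosts and names are not real.
NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -oG - 10.10.150.0/24
Host: 10.10.150.5 (dns1.example.internal)\tStatus: Up
Host: 10.10.150.5 (dns1.example.internal)\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///
Host: 10.10.150.12 ()\tStatus: Up
Host: 10.10.150.12 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///
Host: 10.10.150.77 ()\tStatus: Up
Host: 10.10.150.77 ()\tPorts: 8080/open/tcp//http-proxy///
# Nmap done (constructed sample)
"""

# Authorized inventory (constructed): host -> set of (port, proto) it may expose.
INVENTORY = {
    "10.10.150.5": {(22, "tcp"), (53, "tcp"), (53, "udp")},
    "10.10.150.12": {(139, "tcp")},
}

# -oG port entries look like port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)/")

def parse_grepable(text):
    """Return {ip: [(port, proto, service), ...]} for open ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, _state, proto, svc in PORT_RE.findall(ports_field):
            hosts.setdefault(ip, []).append((int(port), proto, svc))
    return hosts

def find_rogues(scan, inventory):
    """Flag hosts absent from the inventory and services not approved for a known host."""
    findings = []
    for ip, services in scan.items():
        if ip not in inventory:
            findings.append((ip, "unknown host (stowaway)", services))
            continue
        extra = [s for s in services if (s[0], s[1]) not in inventory[ip]]
        if extra:
            findings.append((ip, "unapproved service", extra))
    return findings
```

Run the same comparison after every scheduled sweep and diff the findings against the previous run so that only changes need a human look.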

Rogue Servers/Applications

[Slides 25 and 26: no text recovered]

Recommendations
• Create a robust network security policy
• Educate the user knowledge base to the policies and security fundamentals
• Implement consistent procedures to achieve these goals

System Administrator

Background
• Government agency
• Outsourced system administration duties
• Controlled application network with strict perimeter security
• Only database and e-mail traffic in and out of control network
• Firewall was monitored for all unsuccessful attempts

System Administrator

• Monitor status of network remotely
• Batch job to inspect health of systems
• Sent results of process to home account - in clear text

System Administrator

From: root@mainhost.gov
To: home_account@myisp.com
Subject: System Report

Hostname: database.victim.gov
System uptime: 2 days 14 hours
Active users: oracle system larry steve
interface status: hme0 10.10.150.12
Services Running: db http inetd

System Administrator

Techniques used for discovery
• Firewall logs reviewed
• Network traffic analysis

System Administrator

Lessons learned
• Administrators needed security awareness training
• No official remote administration procedures were in place
• Adequate tools were not available to support environment requirements

System Administrator

Recommendations
• Implement appropriate remote administration solution
• Conduct constant administrator training

Audit & Monitoring Goals

Protect
• Provides input to policy changes or mis-configurations
• Acts as a deterrent

Detect
• Analysis of all data
• Passive collection
• Active scanning

Analyze and Recover
• Forensic level analysis
• Rapid answers to the who, what, when, where, how questions
• Full damage control
• Network, system and application level audit logs
• Centralized information source

Audit & Monitoring Enablers

Logs
• Host
• Application
• System

Network
• Packet sniffers
• NIDS

Analysis
• Database
• Scripts

Logs

Logs are a great source of information if:
• They have been enabled
• They are still there
• Their integrity is not questionable
• Someone reads them!

• Provide Who and When
• Do not provide content (e.g., What)

Sniffers

Testing sniffers means different things to different people!

[Image; source: U.S. News]

Network

• Sniffers are needed to “see” what is on your network
• NIDS provide a means for pre-processing
• Switched environments can provide a challenge
• Since no two networking environments are the same, methodologies will need to be tailored for each network

Raw Output

[Slide image: no text recovered]

NIDS Output (Dragon)

[Slide image: no text recovered]

Analysis

• Collecting gigabytes of data… now what?
• A system or tools to assist with analysis is vital
• Implementing a system with consistent procedures is a challenge
• Filter and focus before drowning in data

Audit & Monitoring Tool Trends

• Evidence preservation
• Data warehousing
• Data mining
• Automatic correlation
• Event interpretation
• Passive monitoring
• Data exchange
• AI based attack prediction

Audit & Monitoring Tool Trends

• Outsourced Managed Security
  • Counterpane – www.counterpane.com
  • SecurityTracker – www.securitytracker.net
  • ServerVault – www.servervault.com
• Network Appliances
  • NetFox – www.securityfox.net
• Interactive Analysis
  • SilentRunner – www.silentrunner.com
• Log Consolidators
  • Kane – www.intrusion.com
  • eSecurity – www.esecurityinc.com

Tips

Do’s
• One step at a time
• Automation is your friend
• Storage
• Data sensitivity
• Measure

Don’ts
• Underestimate
• Forget legal responsibilities
• Be unprepared
• Believe in silver bullets

In Closing…

• Potential Benefits:
  • Increased knowledge and awareness of network usage practices
  • Enhanced current detection and protection process
  • Reduced time and resource cost when responding to an incident
  • Reduced network misuse and abuse
  • Enforcement of policy

Questions
