
Network Security Forensics


Page 1: Network Security Forensics

Solving Network Mysteries Slide - 1

Dan VanBelleghem

Senior Information Assurance Engineer - SRA
• Penetration Testing
• Security Training
• Security Readiness Reviews
• Incident Response
• Security Assessments

Director of Security Programs
• Network Forensics Security Assistance Teams for US DoD - BAH
• Security Audits and Assessments for Fortune 500 - D&T

Network Mystery Quiz

Do you know:
• What is happening on your network?
• What users are doing?
• If users are compliant with policy?
• If users’ internal and external network communications affect the enterprise security posture?
• If anomalous behavior is detectable on the network?
• Why network diagrams are not enough?

Objectives

The objectives of this session are to provide an overview of the following:
• Examples of network activities that are often overlooked
• Techniques used in solving mysteries
• Benefits from audit & monitoring
• Recommendations for performing audit & monitoring

Observations

• The following observations provide examples of network security issues that could have been discovered with good audit and monitoring practices in place
• Discovery, analysis and lessons learned will be discussed for each of the following examples:
  • Uncovering DDOS agents
  • Harassing e-mails
  • Rogue servers and applications
  • System administrator misuse

DDOS Agent Discovery

Background
• Enterprise network solution company
• Firewall policy allowed DNS traffic
• Firewalls managed in Colorado
• DNS servers managed locally at other national offices

DDOS

[Diagram: INTERNET - F (firewall, rule "Permit DNS", managed by network operations) - victim.com HQ (Local DNS, Secondary DNS) and victim.com Local Offices (Primary DNS, managed by local office staff).]

DDOS

[Diagram: the same network as the previous slide, with an Attacker added on the INTERNET side.]
• DNS service exploited
• Root access gained
• Trust relationships exploited
• DDOS agent planted

DDOS Agent Discovery

Techniques used for discovery
• Network traffic analysis: “unusual traffic”
• Firewall logs reviewed
• DNS server and OS logs reviewed

DDOS Agent Discovery

Lessons learned
• Firewall logs not reviewed
• DNS server (OS and application) logs not reviewed
• IP spoofing not monitored internally
• Integrity checking not performed
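
What the firewall log review would look like if it were scripted rather than skipped, as an added example that is not part of the original deck. The log format, the internal block 10.10.0.0/16 and the two DNS server addresses are assumptions, and the log lines are constructed. The two checks are the ones the lessons learned point at: a name server initiating anything other than DNS, and packets leaving through the inside interface with a source address the site does not own.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines (not from the deck). The assumed format is
#   <date> <time> <ACTION> <in|out> <proto> <src>:<sport> -> <dst>:<dport>
# where "out" means the packet arrived on the inside interface heading out.
SAMPLE_LOG = """\
2000-02-09 14:02:11 ACCEPT out udp 10.10.150.12:53 -> 192.0.2.53:53
2000-02-09 14:02:12 ACCEPT in  udp 192.0.2.53:53 -> 10.10.150.12:53
2000-02-09 14:05:40 ACCEPT out tcp 10.10.150.12:1031 -> 203.0.113.9:6667
2000-02-09 14:05:41 ACCEPT out udp 10.10.150.12:1032 -> 203.0.113.9:31335
2000-02-09 14:06:00 ACCEPT out udp 172.16.0.5:1024 -> 198.51.100.20:31335
2000-02-09 14:06:01 ACCEPT out udp 10.10.150.12:53 -> 198.51.100.21:53
2000-02-09 14:07:15 DROP   in  tcp 203.0.113.9:4444 -> 10.10.150.13:23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>\w+)\s+(?P<dir>in|out)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
            flows.append(f)
    return flows


def review_firewall_log(text, internal_nets, dns_servers):
    """Return the flows a reviewer should look at first.

    unexpected_dns_flows: a DNS server initiating anything other than port 53
      (a name server has no business on IRC or arbitrary high UDP ports).
    spoofed_sources: packets leaving through the inside interface with a
      source address the site does not own (DDOS agents spoof sources; an
      egress filter, or at least an alert, should catch this).
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    dns = {ipaddress.ip_address(a) for a in dns_servers}
    unexpected, spoofed = [], []
    for f in parse_log(text):
        src = ipaddress.ip_address(f["src"])
        if f["dir"] == "out" and not any(src in n for n in nets):
            spoofed.append(f)
        if (f["action"] == "ACCEPT" and f["dir"] == "out" and src in dns
                and not (f["proto"] in ("tcp", "udp") and f["dport"] == 53)):
            unexpected.append(f)
    # Who the DNS servers are really talking to: a quick way to spot a handler.
    peers = Counter((f["dst"], f["proto"], f["dport"]) for f in unexpected)
    return {"unexpected_dns_flows": unexpected,
            "spoofed_sources": spoofed, "peers": peers}


if __name__ == "__main__":
    report = review_firewall_log(SAMPLE_LOG, ["10.10.0.0/16"],
                                 ["10.10.150.12", "10.10.150.13"])
    for f in report["unexpected_dns_flows"]:
        print("DNS server off-protocol:", f["ts"], f["src"], "->",
              f["dst"], f["proto"], f["dport"])
    for f in report["spoofed_sources"]:
        print("spoofed source on inside interface:", f["ts"], f["src"])
```

On the constructed lines this flags the two non-DNS connections the name server opened to 203.0.113.9 and the one packet leaving with a 172.16.0.5 source. The real log format differs per product, so only the regular expression should need adjusting; the "out" direction is the important field, because without it spoofed sources cannot be told apart from ordinary inbound traffic.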

DDOS Agent Discovery

Recommendations
• Perform regular log review of network service systems (DNS, Firewall, Mail, etc)
  • Automate
  • Outsource
• Monitor and review network traffic patterns and trends
  • Network monitors
  • Network device logs
• Perform host integrity checking for critical assets
  • Tripwire
  • System profile checkers

Harassing E-mails

Background
• Employee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)
• An internal employee was suspected but could not be confirmed

Harassing E-mails

Techniques used for discovery
• Collected network traffic using a packet sniffer
• Searched traffic for hosts going to and from hotmail.com
• Once an originating IP address was found, searched for the user name that sent the anonymous e-mail
• Specifically looked for CGI postings of the message - this was the proof that determined who sent it
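
The four steps above as an added worked example that is not from the deck. The reassembled HTTP streams, the /cgi-bin/compose form and its field names, the login records, addresses and user names are all constructed; 192.0.2.10 stands in for the webmail site.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Constructed client->server HTTP streams as a sniffer would reassemble them
# (not capture data from the deck). Paths and form fields are made up.
STREAMS = [
    {"ts": "2000-03-14 09:12:03", "src": "10.10.20.44", "dst": "192.0.2.10",
     "data": "GET /cgi-bin/hmhome HTTP/1.0\r\nHost: www.hotmail.com\r\n\r\n"},
    {"ts": "2000-03-14 09:12:40", "src": "10.10.20.44", "dst": "192.0.2.10",
     "data": "POST /cgi-bin/compose HTTP/1.0\r\nHost: www.hotmail.com\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "to=jane%40victim.com&subject=last+warning&body=I+know+where+you+park"},
    {"ts": "2000-03-14 09:13:10", "src": "10.10.20.51", "dst": "192.0.2.10",
     "data": "POST /cgi-bin/compose HTTP/1.0\r\nHost: www.hotmail.com\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "to=mom%40example.net&subject=hi&body=see+you+sunday"},
    {"ts": "2000-03-14 09:14:00", "src": "10.10.20.44", "dst": "192.0.2.20",
     "data": "POST /search HTTP/1.0\r\nHost: www.example.com\r\n\r\nq=lunch"},
]

# Constructed login records (user, address, session start, session end), the
# kind of thing a domain logon log or DHCP lease file provides.
LOGINS = [
    ("hsmith", "10.10.20.44", "2000-03-14 08:30:00", "2000-03-14 12:00:00"),
    ("pjones", "10.10.20.44", "2000-03-13 08:00:00", "2000-03-13 17:30:00"),
    ("cwu", "10.10.20.51", "2000-03-14 08:45:00", "2000-03-14 17:00:00"),
]

TS = "%Y-%m-%d %H:%M:%S"


def parse_http_request(data):
    """Split a reassembled request into method, path, headers and body."""
    head, _, body = data.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^(\w+) (\S+) HTTP/\d\.\d$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers, "body": body}


def find_webmail_posts(streams, domain):
    """Step 2: keep only form posts (CGI postings) to the webmail domain."""
    posts = []
    for s in streams:
        req = parse_http_request(s["data"])
        if not req or req["method"] != "POST":
            continue
        host = req["headers"].get("host", "")
        if host == domain or host.endswith("." + domain):
            fields = {k: v[0] for k, v in parse_qs(req["body"]).items()}
            posts.append({**s, "path": req["path"], "fields": fields})
    return posts


def resolve_user(ip, ts, logins):
    """Step 3: who held that address at that moment (addresses get reused)."""
    when = datetime.strptime(ts, TS)
    for user, addr, start, end in logins:
        if addr == ip and datetime.strptime(start, TS) <= when <= datetime.strptime(end, TS):
            return user
    return None


def investigate(streams, logins, phrase, domain="hotmail.com"):
    """Step 4: the post carrying the harassing text, tied to a source IP and user."""
    hits = []
    for p in find_webmail_posts(streams, domain):
        if phrase.lower() in " ".join(p["fields"].values()).lower():
            hits.append({"ts": p["ts"], "src": p["src"], "path": p["path"],
                         "user": resolve_user(p["src"], p["ts"], logins),
                         "fields": p["fields"]})
    return hits
```

Matching on the posted form body rather than on "someone at 10.10.20.44 visited hotmail.com" is what turns a suspicion into evidence, and the time window in resolve_user matters because the same address belonged to a different user the day before. This worked because webmail was plain HTTP at the time; with the session under TLS the same pivot has to go through proxy logs or the endpoint.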

[Slides 13 - 21: image-only slides; no text was extracted. Slide 16 is titled "Harassing E-mails (cont.)".]

Harassing E-mails

Recommendations
• Implement e-mail policy
• Monitor for non-production e-mail traffic
• Develop monitoring scripts or procure commercial tools

Rogue Servers/Applications

Background
• Users install unauthorized devices, “stowaways,” on the production network
• Users enable write access on anonymous ftp services for convenience
• Users install unauthorized services (e.g., web servers) on the production network

Rogue Servers/Applications

Techniques used for discovery
• Monitoring procedures implemented
• Leveraged automation
  • Network sweep: fping
  • TCP/UDP port scanning: nmap
• Consider appliance solution: NetFox
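
An added example (not the deck's script) of the automation step: it parses fping output and nmap grepable (-oG) output and checks both against an asset inventory, so a sweep becomes a list of stowaways and unauthorized services rather than a page of open ports. The tool output, addresses, host names and inventory are constructed.

```python
import re

# Constructed fping output for a sweep such as "fping -g 10.20.1.0/24"
# (not output from the deck).
FPING_OUTPUT = """\
10.20.1.12 is alive
10.20.1.13 is alive
10.20.1.77 is alive
10.20.1.14 is unreachable
"""

# Constructed nmap grepable output ("nmap -sS -oG -") for the live hosts.
# Fields are tab separated; each port entry is
# port/state/proto/owner/service/rpc/version/.
NMAP_GREPABLE = (
    "# Nmap scan initiated as: nmap -sS -oG - 10.20.1.12 10.20.1.13 10.20.1.77\n"
    "Host: 10.20.1.12 (ns1.example.com)\tPorts: 22/open/tcp//ssh///, "
    "53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (997)\n"
    "Host: 10.20.1.13 (www.example.com)\tPorts: 22/open/tcp//ssh///, "
    "25/filtered/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (997)\n"
    "Host: 10.20.1.77 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///"
    "\tIgnored State: closed (998)\n"
    "# Nmap done -- 3 IP addresses (3 hosts up) scanned\n"
)

# Constructed asset inventory: what each address is allowed to listen on.
INVENTORY = {
    "10.20.1.12": {"name": "ns1", "ports": {(22, "tcp"), (53, "tcp"), (53, "udp")}},
    "10.20.1.13": {"name": "www", "ports": {(22, "tcp"), (80, "tcp"), (443, "tcp")}},
    "10.20.1.14": {"name": "printer", "ports": {(9100, "tcp")}},
}


def parse_fping(text):
    """Addresses that answered the sweep."""
    return sorted(line.split()[0] for line in text.splitlines()
                  if line.strip().endswith("is alive"))


def parse_nmap_grepable(text):
    """Map address -> {name, ports}, keeping only ports nmap reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = re.match(r"Host:\s+(\S+)\s+\((.*?)\)", fields[0])
        if not m:
            continue
        ip, name = m.groups()
        open_ports = set()
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        open_ports.add((int(parts[0]), parts[2], parts[4]))
        hosts[ip] = {"name": name, "ports": open_ports}
    return hosts


def audit(fping_text, nmap_text, inventory):
    """Three findings worth a ticket: hosts nobody registered, registered hosts
    listening on more than they should, and registered hosts that are gone."""
    alive = parse_fping(fping_text)
    scanned = parse_nmap_grepable(nmap_text)
    unknown, unauthorized = {}, {}
    for ip in sorted(set(alive) | set(scanned)):
        ports = sorted(scanned.get(ip, {"ports": set()})["ports"])
        if ip not in inventory:
            unknown[ip] = ports
            continue
        extra = [p for p in ports if (p[0], p[1]) not in inventory[ip]["ports"]]
        if extra:
            unauthorized[ip] = extra
    missing = sorted(ip for ip in inventory if ip not in alive and ip not in scanned)
    return {"unknown_hosts": unknown, "unauthorized_services": unauthorized,
            "missing_hosts": missing}
```

On the constructed data the unregistered 10.20.1.77 with anonymous-ftp-style port 21 and a web server is the stowaway, the name server has grown an unauthorized web server, and the printer that should be on 10.20.1.14 is not answering. A ping sweep alone misses hosts that drop ICMP, so the nmap pass should also cover addresses fping reported down before calling them missing.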

[Slides 25 - 26: "Rogue Servers/Applications", image-only slides; no text was extracted.]

Rogue Servers/Applications

Recommendations
• Create a robust network security policy
• Educate users on the policies and on security fundamentals
• Implement consistent procedures to achieve these goals

System Administrator

Background
• Government agency
• Outsourced system administration duties
• Controlled application network with strict perimeter security
• Only database and e-mail traffic in and out of the control network
• Firewall was monitored for all unsuccessful attempts

System Administrator

• Monitored status of the network remotely
• Batch job to inspect the health of systems
• Sent the results of the process to a home account - in clear text

System Administrator

From: [email protected]
To: [email protected]
Subject: System Report

Hostname: database.victim.gov
System uptime: 2 days 14 hours
Active users: oracle system larry steve
interface status: hme0 10.10.150.12
Services Running: db http inetd

System Administrator

Techniques used for discovery
• Firewall logs reviewed
• Network traffic analysis

System Administrator

Lessons learned
• Administrators needed security awareness training
• No official remote administration procedures were in place
• Adequate tools were not available to support environment requirements
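
What traffic analysis on the permitted mail flow finds in this case, as an added example rather than anything from the deck. The firewall only logged unsuccessful attempts, so the leak travelled in an allowed SMTP session; the session below mirrors the report on the earlier slide, while the addresses, the home-account domain and the internal network range are made up.

```python
import ipaddress
import re

# Constructed: the client side of an SMTP session leaving the control network,
# reassembled from a sniffer (not capture data from the deck).
SMTP_SESSION = """\
HELO database.victim.gov
MAIL FROM:<root@database.victim.gov>
RCPT TO:<sysadmin@home-isp.example.net>
DATA
From: root@database.victim.gov
To: sysadmin@home-isp.example.net
Subject: System Report

Hostname: database.victim.gov
System uptime: 2 days 14 hours
Active users: oracle system larry steve
interface status: hme0 10.10.150.12
Services Running: db http inetd
.
QUIT
"""

INTERNAL_DOMAINS = ("victim.gov",)             # assumed agency mail domain
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed control network


def parse_smtp_session(text):
    """Pull (envelope sender, envelope recipients, message text) out of a session."""
    messages, sender, rcpts, in_data, body = [], None, [], False, []
    for line in text.splitlines():
        if in_data:
            if line == ".":
                messages.append({"from": sender, "rcpts": rcpts, "text": "\n".join(body)})
                sender, rcpts, in_data, body = None, [], False, []
            else:
                body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            continue
        verb, _, arg = line.partition(":")
        if verb.upper() == "MAIL FROM":
            sender = arg.strip().strip("<>")
        elif verb.upper() == "RCPT TO":
            rcpts.append(arg.strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
        elif line.upper() == "RSET":
            sender, rcpts = None, []
    return messages


def is_internal_address(addr):
    return addr.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def inspect_messages(messages):
    """Flag mail to outside recipients that carries internal host or network detail."""
    host_re = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:" + "|".join(
        re.escape(d) for d in INTERNAL_DOMAINS) + r")\b", re.I)
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    findings = []
    for m in messages:
        external = [r for r in m["rcpts"] if not is_internal_address(r)]
        if not external:
            continue
        hosts = sorted(set(h.lower() for h in host_re.findall(m["text"])))
        ips = set()
        for s in ip_re.findall(m["text"]):
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                continue
            if any(ip in n for n in INTERNAL_NETS):
                ips.add(s)
        user_lines = [l for l in m["text"].splitlines()
                      if l.lower().startswith("active users:")]
        if hosts or ips or user_lines:
            findings.append({"from": m["from"], "external_recipients": external,
                             "internal_hosts": hosts, "internal_ips": sorted(ips),
                             "user_listing": user_lines})
    return findings
```

The point of the check is the combination: an external envelope recipient plus internal host names, addresses or account names in the body. Either half alone is normal mail; together they are a status report of a controlled system leaving in the clear, and a message like this is exactly what the allowed-traffic review has to look for when the firewall only records denials.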

System Administrator

Recommendations
• Implement an appropriate remote administration solution
• Conduct constant administrator training

Audit & Monitoring Goals

Protect
• Provides input to policy changes or mis-configurations
• Acts as a deterrent

Detect
• Analysis of all data
• Passive collection
• Active scanning

Analyze and Recover
• Forensic level analysis
• Rapid answers to the who, what, when, where, how questions
• Full damage control
• Network, system and application level audit logs
• Centralized information source

Audit & Monitoring Enablers

Logs
• Host
• Application
• System

Network
• Packet sniffers
• NIDS

Analysis
• Database
• Scripts

Logs

Logs are a great source of information if:
• They have been enabled
• They are still there
• Their integrity is not questionable
• Someone reads them!

Logs provide Who and When; they do not provide content (e.g., What)
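
One way to make "their integrity is not questionable" something a reviewer can actually check, added here as an example that is not from the deck: a forward-secure HMAC chain written alongside each log line, verified later against the starting key and the final tag that a remote collector holds. The sample entries and the key are constructed.

```python
import hashlib
import hmac

# Constructed log entries (not from the deck) in a syslog-like shape.
SAMPLE_ENTRIES = [
    "Feb  9 14:02:11 fw1 ACCEPT udp 10.10.150.12:53 -> 192.0.2.53:53",
    "Feb  9 14:05:40 fw1 ACCEPT tcp 10.10.150.12:1031 -> 203.0.113.9:6667",
    "Feb  9 14:06:00 fw1 ACCEPT udp 172.16.0.5:1024 -> 198.51.100.20:31335",
    "Feb  9 14:07:15 fw1 DROP tcp 203.0.113.9:4444 -> 10.10.150.13:23",
]
# Assumed: the starting key is generated once and a copy kept by the collector.
K0 = b"constructed starting key shared with the collector"


def _next_key(key):
    """Forward-secure key evolution: the logger keeps only the current key, so an
    intruder who takes the host later cannot recompute tags for earlier entries."""
    return hashlib.sha256(b"log-key|" + key).digest()


def chain_log(entries, k0):
    """Append to each entry an HMAC that also covers the previous entry's tag."""
    key, prev, out = k0, b"\x00" * 32, []
    for entry in entries:
        tag = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        out.append(f"{entry}|{tag.hex()}")
        key, prev = _next_key(key), tag
    return out


def verify_chain(lines, k0):
    """Return (index of the first bad entry or None, final tag as hex).

    Modified, reordered or deleted entries break the chain at that index. A
    file silently cut short still verifies, so the final tag must be compared
    with the copy the collector received; only that catches truncation."""
    key, prev = k0, b"\x00" * 32
    for i, line in enumerate(lines):
        entry, _, tag_hex = line.rpartition("|")
        expected = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i, prev.hex()
        key, prev = _next_key(key), expected
    return None, prev.hex()
```

This does not stop a root-level intruder from deleting the file, which is what "they are still there" is about; it tells the reviewer that what remains is what was written, provided the starting key and final tag live somewhere the intruder did not reach.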

Sniffers

[Image: cartoon captioned "Testing sniffers means different things to different people!" Source: U.S. News]

Network

• Sniffers are needed to “see” what is on your network
• NIDS provide a means for pre-processing
• Switched environments can provide a challenge
• Since no two networking environments are the same, methodologies will need to be tailored for each network

Raw Output

[Slide 39: image-only slide; no text was extracted.]

NIDS Output (Dragon)

[Slide 40: image-only slide; no text was extracted.]

Analysis

• Collecting gigabytes of data… now what?
• A system or tools to assist with analysis is vital
• Implementing a system with consistent procedures is a challenge
• Filter and focus before drowning in data

Audit & Monitoring Tool Trends

• Evidence preservation
• Data warehousing
• Data mining
• Automatic correlation
• Event interpretation
• Passive monitoring
• Data exchange
• AI based attack prediction

Audit & Monitoring Tool Trends

• Outsourced Managed Security
  • Counterpane – www.counterpane.com
  • SecurityTracker – www.securitytracker.net
  • ServerVault – www.servervault.com
• Network Appliances
  • NetFox – www.securityfox.net
• Interactive Analysis
  • SilentRunner – www.silentrunner.com
• Log Consolidators
  • Kane – www.intrusion.com
  • eSecurity – www.esecurityinc.com

Tips

Do’s
• One step at a time
• Automation is your friend
• Storage
• Data sensitivity
• Measure

Don’ts
• Underestimate
• Forget legal responsibilities
• Be unprepared
• Believe in silver bullets

In Closing…

• Potential Benefits:
  • Increased knowledge and awareness of network usage practices
  • Enhanced current detection and protection processes
  • Reduced time and resource cost when responding to an incident
  • Reduced network misuse and abuse
  • Enforcement of policy

Questions