Network Forensics and Lessons Learnt from the July 07 London Attacks
Geoff Harris, Alderbridge Consulting, [email protected], 1423 321900
FIST Conference, January 2008, Madrid
Sponsored by:
About the Author
Background in Military Communications Design
CEO Alderbridge Consulting formed 1997
ISSA-UK President
UK Government CLAS Consultant
CISSP, ITPC, BSc, DipEE, C.Eng
Early Firewall Adoption
DMZs & De-Perimeterisation
An early Intrusion Prevention System – Is IDS dead?
Forensics – fingerprints & DNA
Edward Henry was appointed Assistant Commissioner of Police at New Scotland Yard and began to introduce his fingerprint system. The first British court conviction by fingerprints came in 1902.
11 March 2004 – Madrid Train Bombings
10 explosions on 4 commuter trains (cercanías)
killing 191 people and wounding 1,755
7 July 2005 - London
3 tube explosions and 1 bus explosion
Entire London Underground system shut down
Post 7 July 2005 – London Investigations
12 July 2005: Identified three suspects from CCTV footage, a missing person's report and documents found in the debris at each bomb site. Luton railway station is closed as police investigate a car parked there and believed to be associated with the suspects caught on CCTV cameras.
The Dummy Run
“Police trawl through 80,000 CCTV tapes”
“Ten weeks after the attacks, CCTV footage was released of three of the bombers setting out on a "practice run".
Mohammad Sidique Khan, Germaine Lindsay and Shehzad Tanweer - but not Hasib Hussain - met at Luton station at around 0810 BST on June 28.
Video cameras showed them buying tickets before they boarded a train to King's Cross, where they arrived at 0855 and made their way to the Underground network. Police said they were seen at Baker Street at midday before they returned to King's Cross at 1250, arriving back in Luton 50 minutes later.”
Detecting The IT Network Attack
• Firewall logs
• System logs
• IDS – Host IDS & Network IDS
• Correlation of events – SEM tools
Management Overhead - MSS
Hiding In The Noise
• The slow scan
• Random ports – random port hopping
• Trojan/covert channels over well-used ports
• The outgoing IRC, http, https threat
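The two slides above make one point between them: a single firewall or IDS event is rarely enough, and an attacker who probes one random port every ten minutes never trips a per-minute threshold. The script below is an added example (not from the presentation, and not any SEM product's logic) of the correlation step: it parses a constructed firewall deny log, applies the usual "five ports in a minute" rule, then applies the same rule over an hour of history so the slow, port-hopping probes accumulate into an alert. The log format, addresses and timestamps are all constructed.

```python
"""Correlating firewall deny events to expose a slow, port-hopping scan.

Added example, not from the presentation. The log format and every line of
SAMPLE_FIREWALL_LOG are constructed: "<epoch_seconds> DENY <src> <dst> <dst_port>".
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log: 203.0.113.7 probes one random port roughly every ten minutes,
# buried among routine denies from other hosts hitting port 445.
SAMPLE_FIREWALL_LOG = """\
1000 DENY 203.0.113.7 192.0.2.10 22
1050 DENY 198.51.100.3 192.0.2.10 445
1600 DENY 203.0.113.7 192.0.2.10 8443
1700 DENY 198.51.100.9 192.0.2.10 445
2200 DENY 203.0.113.7 192.0.2.10 3389
2800 DENY 203.0.113.7 192.0.2.10 139
3400 DENY 203.0.113.7 192.0.2.10 5900
4000 DENY 203.0.113.7 192.0.2.10 1433
4100 DENY 198.51.100.3 192.0.2.10 445
4600 DENY 203.0.113.7 192.0.2.10 8080
5200 DENY 203.0.113.7 192.0.2.10 23
"""

Event = Tuple[int, str, str, int]  # (timestamp, src, dst, dst_port)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format, keeping only DENY records."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, port = line.split()
        if action == "DENY":
            events.append((int(ts), src, dst, int(port)))
    return events


def port_scan_sources(events: List[Event], window: int, threshold: int) -> Dict[Tuple[str, str], int]:
    """Flag (src, dst) pairs denied on >= threshold distinct ports within any
    `window`-second span. Returns pair -> distinct-port count at the moment the
    threshold was first crossed."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    flagged: Dict[Tuple[str, str], int] = {}
    for pair, probes in by_pair.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            # Slide the window start forward until it spans at most `window` seconds.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct_ports = {port for _, port in probes[start:end + 1]}
            if len(distinct_ports) >= threshold:
                flagged[pair] = len(distinct_ports)
                break
    return flagged


def burst_scan_alerts(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Typical single-device rule: five ports in one minute. Misses slow scans."""
    return port_scan_sources(events, window=60, threshold=5)


def slow_scan_alerts(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Correlation over an hour of history: the same five-port rule, but the
    long window lets one probe every ten minutes accumulate into an alert."""
    return port_scan_sources(events, window=3600, threshold=5)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_FIREWALL_LOG)
    print("per-minute rule :", burst_scan_alerts(evts))   # {}
    print("one-hour window :", slow_scan_alerts(evts))    # {('203.0.113.7', '192.0.2.10'): 5}
```

The cost of the long window is state: the correlator must retain an hour of per-source history rather than a minute, which is exactly the management overhead the slides attribute to SEM tooling and managed security services.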
[Diagram: Site A, WAN, Site B, with the points of interception for passive network sniffing marked]
“Network CCTV” as a Forensic Tool
Commonly Used Existing Sniffing Products
Microsoft Net Mon
NAI Sniffer
Ethereal
Problem – the ability to capture the moment of attack at the right time and to understand what led up to it
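Conventional sniffers such as the ones listed above are started after something looks wrong, which is too late to see what led up to it. The "network CCTV" idea is a recorder that is always running: a loop buffer of the last N minutes of traffic from which the period before an alert can be carved out. The code below is an added illustration of that idea (not from the presentation, and not the code of NIKSUN NetDetector or NetIntercept). It keeps a rolling buffer of frames, exports the lookback window before an alert timestamp in the classic libpcap file layout that Wireshark (formerly Ethereal) opens, and parses that file back to decode the Ethernet headers. The frames and timestamps are constructed.

```python
"""A minimal "network CCTV" recorder: a rolling buffer of captured frames from
which the traffic leading up to an alert is carved out as a pcap file.

Added example, not from the presentation and not the code of NIKSUN NetDetector
or NetIntercept. Frames are constructed byte strings standing in for captured
Ethernet frames; the output uses the classic libpcap file layout.
"""
import struct
from collections import deque
from typing import Deque, Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "<IHHiIII"   # magic, ver major, ver minor, tz, sigfigs, snaplen, linktype
RECORD_HEADER = "<IIII"      # ts_sec, ts_usec, incl_len, orig_len

Frame = Tuple[int, bytes]    # (capture time in whole seconds, raw frame)


class NetworkRecorder:
    """Keeps only the last `retention` seconds of traffic, like a CCTV loop tape."""

    def __init__(self, retention: int) -> None:
        self.retention = retention
        self._frames: Deque[Frame] = deque()

    def record(self, ts: int, data: bytes) -> None:
        self._frames.append((ts, data))
        # Expire anything older than the retention window relative to the newest frame.
        while self._frames and ts - self._frames[0][0] > self.retention:
            self._frames.popleft()

    def retained(self) -> int:
        return len(self._frames)

    def frames_before(self, alert_ts: int, lookback: int) -> List[Frame]:
        """Everything captured in the `lookback` seconds up to and including the alert."""
        return [f for f in self._frames if alert_ts - lookback <= f[0] <= alert_ts]

    def export_pcap(self, alert_ts: int, lookback: int, snaplen: int = 65535) -> bytes:
        """Serialise the lookback window as a pcap file for offline analysis."""
        out = struct.pack(GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
        for ts, data in self.frames_before(alert_ts, lookback):
            out += struct.pack(RECORD_HEADER, ts, 0, len(data), len(data)) + data
        return out


def read_pcap(blob: bytes) -> List[Frame]:
    """Parse a pcap blob back into (timestamp, frame) pairs: the decode step."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from(GLOBAL_HEADER, blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    frames: List[Frame] = []
    offset = struct.calcsize(GLOBAL_HEADER)
    while offset < len(blob):
        sec, _usec, incl_len, _orig_len = struct.unpack_from(RECORD_HEADER, blob, offset)
        offset += struct.calcsize(RECORD_HEADER)
        frames.append((sec, blob[offset:offset + incl_len]))
        offset += incl_len
    return frames


def decode_ethernet(frame: bytes) -> Dict[str, object]:
    """Split the 14-byte Ethernet header off a frame."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "payload": frame[14:]}


def constructed_frame(seq: int) -> bytes:
    """Constructed stand-in for a captured IPv4-over-Ethernet frame (not real traffic)."""
    header = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return header + bytes([seq])


def build_demo_recorder() -> NetworkRecorder:
    """Record one constructed frame every 10 s from t=100 to t=190 with a 60 s loop."""
    recorder = NetworkRecorder(retention=60)
    for i, ts in enumerate(range(100, 200, 10)):
        recorder.record(ts, constructed_frame(i))
    return recorder


if __name__ == "__main__":
    rec = build_demo_recorder()
    # An IDS alert fires at t=190; pull the preceding 30 s for analysis.
    pcap = rec.export_pcap(alert_ts=190, lookback=30)
    for ts, frame in read_pcap(pcap):
        print(ts, hex(decode_ethernet(frame)["ethertype"]))
```

The retention window is the design decision that matters: it bounds storage, but anything older than it is gone for good, so the lookback an analyst can request is never longer than the loop the recorder was sized for.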
“Network CCTV” as a Forensic Tool
For the IDS & Network CCTV - NIKSUN NetDetector
Other products such as NetIntercept
“Network CCTV” as a Forensic Tool
[Network diagram: proposed network recorder placement. Labels shown: London - HQ with Internet, FW1 firewalls, VPN Gateway, Web Server, Mail Server, Trusted LAN (RESTRICTED), Trusted LAN (UNCLASSIFIED), Stealth Monitoring LAN (RESTRICTED) with Network IDS Sensor and Central Security Server, Security LAN (RESTRICTED) with Proposed Network Recorder; WAN to Leeds and Manchester, each behind FW1 with Server (RESTRICTED) and Server (UNCLASSIFIED).]
Hiding In The Noise
Network Packet Decode
Summary
• CCTV in the UK has been highly successful
• Social issues – invasion of privacy
• “Network CCTV” is very powerful as a forensic tool
• Employee and citizen rights apply here too
• Threat to corporate and government networks due to terrorism and espionage continues to grow
Creative Commons Attribution-ShareAlike 2.0
You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work
Under the following conditions:
Attribution. You must give the original author credit.
Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
With the sponsorship of: www.fistconference.org