Solving Network Mysteries Slide - 1
Dan VanBelleghem
Senior Information Assurance Engineer - SRA
• Penetration Testing
• Security Training
• Security Readiness Reviews
• Incident Response
• Security Assessments
Director of Security Programs - Network Forensics
• Security Assistance Teams for US DoD - BAH
• Security Audits and Assessments for Fortune 500 - D&T
Solving Network Mysteries Slide - 2
Network Mystery Quiz
Do you know:
• What is happening on your network?
• What users are doing?
• If users are compliant with policy?
• If users’ internal and external network communications affect the enterprise security posture?
• If anomalous behavior is detectable on the network?
• Why network diagrams are not enough?
Solving Network Mysteries Slide - 3
Objectives
The objectives of this session are to provide an overview of the following:
• Examples of network activities that are often overlooked
• Techniques used in solving mysteries
• Benefits from audit & monitoring
• Recommendations for performing audit & monitoring
Solving Network Mysteries Slide - 4
Observations
• The following observations will provide examples of network security issues that could have been discovered with good audit and monitoring practices in place
• Discovery, analysis and lessons learned will be discussed for each of the following examples:
  • Uncovering DDOS agents
  • Harassing e-mails
  • Rogue servers and applications
  • System administrator misuse
Solving Network Mysteries Slide - 5
DDOS Agent Discovery
Background
• Enterprise network solution company
• Firewall policy allowed DNS traffic
• Firewalls managed in Colorado
• DNS servers managed locally at other national offices
Solving Network Mysteries Slide - 6
DDOS
(Network diagram: the Internet connects through a firewall, managed by network operations with a policy to permit DNS, to victim.com HQ, which runs a local DNS and the secondary DNS; the victim.com local offices run the primary DNS, managed by local office staff.)
Solving Network Mysteries Slide - 7
DDOS
(Same network diagram, with an attacker added on the Internet side.)
• DNS service exploited
• Root access gained
• Trust relationships exploited
• DDOS agent planted
Solving Network Mysteries Slide - 8
DDOS Agent Discovery
Techniques used for discovery
• Network traffic analysis
  • “unusual traffic”
• Firewall logs reviewed
• DNS server and OS logs reviewed
Solving Network Mysteries Slide - 9
DDOS Agent Discovery
Lessons learned
• Firewall logs not reviewed
• DNS server (OS and application) logs not reviewed
• IP spoofing not monitored internally
• Integrity checking not performed
Solving Network Mysteries Slide - 10
DDOS Agent Discovery
Recommendations
• Perform regular log review of network service systems (DNS, Firewall, Mail, etc)
  • Automate
  • Outsource
• Monitor and review network traffic patterns and trends
  • Network monitors
  • Network device logs
• Perform host integrity checking for critical assets
  • Tripwire
  • System profile checkers
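The two log-review checks behind this case, an internal host sending packets with a non-internal source address (the spoofing that went unmonitored) and the DNS server originating non-DNS traffic (the “unusual traffic”), as an added example that is not from the deck; the log format, the internal address ranges and the DNS server address are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Constructed firewall log lines (not from the deck). Assumed format:
#   <interface> <src>:<sport> -> <dst>:<dport> <proto> <action>
FIREWALL_LOG = """\
inside 10.10.150.12:53 -> 198.51.100.7:53 udp permit
inside 10.10.150.12:40123 -> 203.0.113.9:6667 tcp permit
inside 172.16.4.8:4711 -> 203.0.113.40:80 tcp permit
inside 203.0.113.55:1024 -> 198.51.100.2:53 udp permit
inside 10.10.150.12:53 -> 203.0.113.9:53 udp permit
outside 198.51.100.7:53 -> 10.10.150.12:53 udp permit
"""

# Assumed address plan: internal ranges and the locally managed DNS server.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]
DNS_SERVERS = {"10.10.150.12"}

LINE_RE = re.compile(r"^(\w+) (\S+):(\d+) -> (\S+):(\d+) (\w+) (\w+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            iface, src, sport, dst, dport, proto, action = m.groups()
            yield {"iface": iface, "src": src, "sport": int(sport),
                   "dst": dst, "dport": int(dport), "proto": proto,
                   "action": action}


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def spoofed_sources(text):
    """Packets seen on the inside interface whose source address is not an
    internal one: the signature of spoofing from a compromised internal host."""
    return [r for r in parse_log(text)
            if r["iface"] == "inside" and not is_internal(r["src"])]


def unusual_dns_traffic(text):
    """A DNS server should only originate DNS (port 53); anything else from
    it is the kind of 'unusual traffic' worth chasing in the OS/app logs."""
    return [r for r in parse_log(text)
            if r["iface"] == "inside" and r["src"] in DNS_SERVERS
            and r["dport"] != 53]
```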
Solving Network Mysteries Slide - 11
Harassing E-mails
Background
• Employee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)
• An internal employee was suspected but could not be confirmed
Solving Network Mysteries Slide - 12
Harassing E-mails
Techniques used for discovery
• Collected network traffic using a packet sniffer
• Searched traffic for hosts going to and from hotmail.com
• Once an originating IP address was found, then searched for the user name that sent the anonymous e-mail
• Specifically looked for CGI postings of the message; this was the proof to determine the person who sent it
Solving Network Mysteries Slides 13-21
Harassing E-mails (cont.)
(No text was extractable from these slides.)
Harassing E-mails
Recommendations
• Implement e-mail policy
• Monitor for non-production e-mail traffic
• Develop monitoring scripts or procure commercial tools
Solving Network Mysteries Slide - 23
Rogue Servers/Applications
Background
• Users install unauthorized devices, “stowaways,” on the production network
• Enabling write access on anonymous ftp services for convenience
• Users installing unauthorized services (e.g., web servers) to the production network
Solving Network Mysteries Slide - 24
Rogue Servers/Applications
Techniques used for discovery
• Monitoring procedures implemented
• Leveraged automation
  • Network sweep: fping
  • TCP/UDP port scanning: nmap
• Consider appliance solution: NetFox
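The automation step after the sweep and port scan, comparing what nmap actually found against the authorized host and service inventory, as an added example that is not from the deck; the greppable (-oG) scan output is a constructed sample and the inventory is assumed.

```python
import re

# Constructed nmap greppable (-oG) output, not from the deck.
NMAP_GREPPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.150.12 ()\tStatus: Up
Host: 10.10.150.12 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///\tIgnored State: closed (998)
Host: 10.10.150.40 ()\tStatus: Up
Host: 10.10.150.40 ()\tPorts: 21/open/tcp//ftp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 10.10.150.77 ()\tStatus: Up
Host: 10.10.150.77 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
"""

# Assumed authorized inventory: host -> set of (proto, port) it may expose.
AUTHORIZED = {
    "10.10.150.12": {("tcp", 22), ("udp", 53)},   # DNS server
    "10.10.150.40": {("tcp", 21)},                # file server, ftp only
}

HOST_RE = re.compile(r"^Host: (\S+) \(.*?\)\tPorts: (.*?)(?:\t|$)")
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)///")


def parse_greppable(text):
    """Map each scanned host to the set of (proto, port, service) it exposes."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, port_field = m.groups()
        found = hosts.setdefault(ip, set())
        for port, proto, service in PORT_RE.findall(port_field):
            found.add((proto, int(port), service))
    return hosts


def find_rogues(hosts, authorized):
    """Return hosts absent from the inventory ('stowaways') and, for known
    hosts, every open service the inventory does not allow."""
    rogue_hosts = sorted(ip for ip in hosts if ip not in authorized)
    rogue_services = []
    for ip, services in sorted(hosts.items()):
        if ip not in authorized:
            continue
        for proto, port, service in sorted(services):
            if (proto, port) not in authorized[ip]:
                rogue_services.append((ip, proto, port, service))
    return rogue_hosts, rogue_services
```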
Solving Network Mysteries Slide - 25
Rogue Servers/Applications
Solving Network Mysteries Slide - 26
Rogue Servers/Applications
Solving Network Mysteries Slide - 27
Rogue Servers/Applications
Recommendations
• Create a robust network security policy
• Educate the user knowledge base to the policies and security fundamentals
• Implement consistent procedures to achieve these goals
Solving Network Mysteries Slide - 28
System Administrator
Background
• Government agency
• Outsourced system administration duties
• Controlled application network with strict perimeter security
• Only database and e-mail traffic in and out of control network
• Firewall was monitored for all unsuccessful attempts
Solving Network Mysteries Slide - 29
System Administrator
• Monitor status of network remotely
• Batch job to inspect health of systems
• Sent results of process to home account, in clear text
Solving Network Mysteries Slide - 30
System Administrator
From: [email protected]
To: [email protected]
Subject: System Report
Hostname: database.victim.gov
System uptime: 2 days 14 hours
Active users: oracle system larry steve
interface status: hme0 10.10.150.12
Services Running: db http inetd
Solving Network Mysteries Slide - 31
System Administrator
Techniques used for discovery
• Firewall logs reviewed
• Network traffic analysis
Solving Network Mysteries Slide - 32
System Administrator
Lessons learned
• Administrators needed security awareness training
• No official remote administration procedures were in place
• Adequate tools were not available to support environment requirements
Solving Network Mysteries Slide - 33
System Administrator
Recommendations
• Implement appropriate remote administration solution
• Conduct constant administrator training
Solving Network Mysteries Slide - 34
Audit & Monitoring Goals
Protect
• Provides input to policy changes or mis-configurations
• Acts as a deterrent
Detect
• Analysis of all data
• Passive collection
• Active scanning
Analyze and Recover
• Forensic level analysis
• Rapid answers to the who, what, when, where, how questions
• Full damage control
• Network, system and application level audit logs
• Centralized information source
Solving Network Mysteries Slide - 35
Audit & Monitoring Enablers
Logs
• Host
• Application
• System
Network
• Packet sniffers
• NIDS
Analysis
• Database
• Scripts
Solving Network Mysteries Slide - 36
Logs
Logs are a great source of information if:
• They have been enabled
• They are still there
• Their integrity is not questionable
• Someone reads them!
Logs provide Who and When; they do not provide content (e.g., What)
Solving Network Mysteries Slide - 37
Sniffers
(Cartoon, source: U.S. News. Caption: “Testing sniffers means different things to different people!”)
Solving Network Mysteries Slide - 38
Network
• Sniffers are needed to “see” what is on your network
• NIDS provide a means for pre-processing
• Switched environments can provide a challenge
• Since no two networking environments are the same, methodologies will need to be tailored for each network
Solving Network Mysteries Slide - 39
Raw Output
Solving Network Mysteries Slide - 40
NIDS Output (Dragon)
Solving Network Mysteries Slide - 41
Analysis
• Collecting gigabytes of data… now what?
• A system or tools to assist with analysis is vital
• Implementing a system with consistent procedures is a challenge
• Filter and focus before drowning in data
Solving Network Mysteries Slide - 42
Audit & Monitoring Tool Trends
• Evidence preservation
• Data warehousing
• Data mining
• Automatic correlation
• Event interpretation
• Passive monitoring
• Data exchange
• AI based attack prediction
Solving Network Mysteries Slide - 43
Audit & Monitoring Tool Trends
• Outsourced Managed Security
  • Counterpane – www.counterpane.com
  • SecurityTracker – www.securitytracker.net
  • ServerVault – www.servervault.com
• Network Appliances
  • NetFox – www.securityfox.net
• Interactive Analysis
  • SilentRunner – www.silentrunner.com
• Log Consolidators
  • Kane – www.intrusion.com
  • eSecurity – www.esecurityinc.com
Solving Network Mysteries Slide - 44
Tips
Do’s
• One step at a time
• Automation is your friend
• Storage
• Data sensitivity
• Measure
Don’ts
• Underestimate
• Forget legal responsibilities
• Be unprepared
• Believe in silver bullets
Solving Network Mysteries Slide - 45
In Closing…
• Potential Benefits:
  • Increased knowledge and awareness of network usage practices
  • Enhance current detection and protection process
  • Reduced time and resource cost when responding to an incident
  • Reduced network misuse and abuse
  • Enforcement of policy
Solving Network Mysteries Slide - 46
Questions