Insights into Network Monitoring and Attack Forensics in Secure Systems Administration

inf526 n.w
1 / 53
Embed
Share

Explore the world of network monitoring and attack forensics in secure systems administration through lectures and student presentations. Learn about tools like PCap and LibPCap for capturing network data, and delve into the intricacies of ensuring availability, non-repudiation, and intrusion detection. Discover the importance of maintaining network security and observing different levels of granularity for a comprehensive network overview.

  • Network Monitoring
  • Attack Forensics
  • Secure Systems Administration
  • PCap
  • Intrusion Detection
rayaanacharya
joya_31 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. INF526: Secure Systems Administration Network Monitoring And Attack Forensics Prof. Clifford Neuman Lecture 13 12 April 2017 OHE100C

  2. Announcements Our scheduled meeting on April 26th (the last lecture in the semester) will be moved to an alternative date. In that lecture we will review for the final exam. We will also have groups on the criminal enterprise scenario demonstrate their systems and report on their architectures. We will also red-team the servers for each group. Depending on DEN classroom scheduling, I may split the two parts, so that we can record the final exam review, and choose a time that is more convenient to students for the demonstration. 1

  3. Todays Lecture A student presentation on Network Monitoring and Attack Forensics, expanding upon the material presented last week. Discussion of SIEM and its relationship to newer ID systems. Discussion of individual responses to the group project architecture (last weeks assignment). 2

  4. Class Presentation Schedule 4/12 Vishnu Vadlamani - Network Monitoring/Attack Forensics 4/19 Andrew Gronski - Accreditation and acceptance testing 3

  5. INF526: Secure Systems Administration Student Presentation Network Monitoring and Forensics Vishnu Sarma V Lecture 1 11 January 2017 OHE100C

  6. What do we knew ? Network Monitoring It helps us to ensure the availability is maintained. It helps us to ensure Non-Repudiation by telling us: who did what, and when. It also gives us a bigger picture on what is happening in the network and helps us ensure other principles too. It gives us options of inspecting at different level of granularity. It has close relationship with Intrusion Detection and Forensics. 5

  7. PCap LibPCap Developed by tcpdump developers Can specify captures by numerous options Raw view, by one Protocol, by source/destination, by network, by port ranges, by packet sizes Read and Write captures to/from file In depth, it s all about combinations. Isolate TCP flags, by SYN and RST sets, HTTP GETs, SSH, etc,. *The raw way it iterfaces with traffic, combines with precision it offers in inspecting makes it best possible tool. 6

  8. Keep Calm and TCPDump ON WinPCap Portable : completely compateible with libpcap Implies any unix/linux tools based on libpcap can be ported into or from our windows. NPCap(Nmap project s, for windows) Extra Security : restricts packet sniffing to authorized admin. Others should pass User Account Control to utilize driver Loopback Packet Capture: sniff loopback packets(transmissions between services on the same machine) . 7

  9. NTAR Network Trace Archival and Retrieval library. New file format especially targeted to the per- capture and per-packet details. Main idea is to overcome the limits of current libpcap/winpcap dump format. Other purposes are: Extensibility, Portability. * Under development. 8

  10. FreeNATS by David Cutting Free Network Automatic Testing System Monitoring and reporting system with a wide range of test types, reporting/alerting options, publishable views, SLA reporting and more. Web Time to connect, connection status, size of response. Protocol-based(SMTP, IMAP, MySQL, DNS, .. ) Remote monitoring and testing. (pull or push) Extensible Can add more tests by extending FreeNATS_Local_Test class. (PHP based) 9

  11. 10

  12. www.purplepixie.org/freenats/ 11

  13. Ganglia If there are number of systems in our network. 3 daemons : gmond, gmetad and gweb Each are self containing and need only respective config file to operate. 12

  14. Ganglia Gmond: Big bang in a few bytes. Operates on it s own host. XML format dumps in transmission (port 8649) 13

  15. Ganglia Gmetad : Bringing it all together Architecture allows to completely removing the need for the poller to know what services to poll from which hosts. Needs a list of hostnames(atleast host per cluster) Cluster will then inform the poller as to what metrics are available and will provide corresponding values. Many shell scripts readily available to collect XML dumps, parse them and write them to RRDtool. Python replacable for gmetad for plug-in architecture making it easier to write custom data-handling logic. 14

  16. Ganglia Gweb: Next-Gen Data Analysis Visualization UI Supports click-dragging in graphs to change time period Fully functional URL interface, so you can embed graphs into other programs via predictable URLs. Data in various textual formats (CSV, JSON, and more) Open source project grew out of UCB and can hanle clusters with 2000 nodes. 15

  17. LiveAction(LiveNX) Combines network topology, device and flow visualizations Direct interactive monitoring and configuration of QoS, NetFlow, LAN, Routing and other features inside Cisco Systems. 3-tier architecture Nodes will initiate communication from security zone to server, In case of loss of communication, server of that particular node may initiate. Visualization, decision making, control, Improve 16

  18. LiveAction(LiveNX) 17

  19. Give them a visit https://www.slac.stanford.edu/xorg/nmtf/nmtf- tools.html https://en.wikipedia.org/wiki/Comparison_of_net work_monitoring_systems#Legend 18

  20. SCAPY Very powerful interactive packet manipulation program. Decode packets, send them on wire, capture them, match requests and results. Can replace hping, 85% of nmap, arpspoof, arp- sk, arping, tcpdump, p0f and many more. What makes it different ? Because its your own tool. Probe once and interpret many times. http://www.secdev.org/projects/scapy/ 19

  21. I Know What You Surfed Last Weekend Network Forensics Different from Host-Based Forensics. Poses special challenges in several areas including: Acquisition : difficult to locate specific evidence from wireless access points to web proxies to central log servers Content : Unlike filesystems, lack of granularity desired Storage : Commonly, Network devices don t employ secondary or persistent storage. Very much volatile that sometimes might not survive a reset of device. Privacy : There may be legal issues involving privacy that are unique to network based acquisition techniques. 20

  22. OSCAR Network Forensics Investigative Methodology Obtain Information Strategize Collect evidence Analyze Report Obtaining information on incident, environment, legal issues, Time frame, Goals, etc,. It is especially important to Strategize in network forensics. 21

  23. OSCAR Collect evidence as soon as possible and make the cryptographically verifiable copies. Analyze only the copies with tools that are reputable and reliable. Don t ever forget to document everything you do! 22

  24. OSCAR Forensic investigation can passively acquire network traffic by intercepting it as it is transmitted across cables or through equipment such as hubs and switches. BPF (Berkeley Packet Filter Language) Can be impacted by hardware limitations and configuration constraints. Trivial protocols, web and proprietary Interfaces, port scanning, vulnerability scanning. 23

  25. Case Study Mr. X remotely infiltrates a facility lab network over internet. Environment : Facility is instrumented to capture flow and record data. Staff notices a port scanning from expternal IP(Ip address and timestamp noted) Challenge : Identify any compromised systems, Determine what attacker found, evaluate risk of data exfiltration. 24

  26. Case Study Now, we get the information on network architecture in Obtaining information phase as : Facility has Internal network (192.168.30.0/24) DMZ : (10.30.30.0/24) The Internet. (let s assume one of our submets as the internet. 172.30.1.0/24) 25

  27. Case Study Assuming out facility uses Cisco equipment, corresponding softwares and services We obtain cisco-asa-nfcapd.zip A zip archive containing flow records from the perimeter Cisco ASA, stored by the nfdump collector utility (nfcapd) in 5 minute increments. Also, argus-collector.ra- An Argus archive containing flow record data collected from Internal and DMZ subnets. 26

  28. Case Study As, we have an IP address of attacker say 172.30.1.77 We browse the archive dump filtering with IP. We might find a pattern, that attacker has performed a quick port scan on one of system(server). Using same nfdump we might also find the ports that are open and our attacker might successfully connected to. (let s say TCP port 22) Port 22 are SSH usually targeted for password brute force attacks. 27

  29. Case Study Now let s examine internal argus dumps. We get information like protocol, Src and Dest add, Src and Dest ports, time stamps, total packets, state 28

  30. Case Study Legend for state(Man ra) From this we can see that attacker first initiated a connection to 10.30.30.20:22 three times. Sent a TCP SYN, receiver SYN-ACK, sent a RST Now attacker nows port is open 29

  31. Case Study Now we see that attacker has successfully finished a TCP handshake. And then say we saw a ful TCP connection established with no FIN packets for a longer period of times. Consider graph reports of data flow at respective timeline to know the risk of exfiltration. Make sure the checks continue from our DMZ server to any internal servers or machines in a similar fashion. Make sure to document the timeline of the attacker performing different actions throughout his attack. 30

  32. Tools FTK The SleuthKit IDA Encase Snort Bro WireShark CryptCat BinWalk Bulk-extractor Capstone Chntpw Cuckoo Dc3dd Ddrescue DFF diStrom3 Dumpzilla Extundelete Foremost Galleta Guymager P0f Volatility and Xplico 31

  33. IDA pro Multi-platform hosted interactive, programmable, multi-processor disassembler and debugger augmented by a complete plugin programming environment. Reverse Engineering : In hacking this would enable us to use a known signature and build unknown signature with same capabilities. Key Features Hostile code Analysis Vulnerability Research Privacy Protection Like, Sony Hack to North Korea. 32

  34. Any Combinations So Not just mentioned tools or specific tools for forensics and monitoring. Any combination of tools with corresponding functionalities can form a powerful Forensic toolkit. Even BeEF like frameworks are used in correspondence with network monitoring in forensic analysis. 33

  35. Thank You Questions ? 34

  36. References http://cryptcat.sourceforge.net/ http://nc110.sourceforge.net/ - netcat https://sharkfest.wireshark.org/sharkfest.12/presentations/MB- 7_Network_Forensics_Analysis-A_Hands-on_Look.pdf https://news.asis.io/sites/default/files/Network%20Forensics%20201 2.pdf www.Lynda.com Wikipedia https://www.wonderhowto.com/ 35

  37. SIEM and Beyond http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html Security Operations and Analytics (Platform Architecture) An evolution, not something different. Its all about detection in one form or another. Intrusion detection originally monolithic. SIEM Management of data about incidents and events. Rules defined processing to identify current state and intrusions. Provided ability to push down on the data to investigate. Analytics are the tools (including big data) that allow us to reason about the collected data. 36

  38. What is SIEM Currently While originally expanded as Security Incident and Event Management , many currently expand the acronym as Security Information and Event Management . That is because most of the activities revolve around the management of security information. Collecting data from logs Collecting data from sensors Creating a common format to represent such data Storing such data User interfaces for visualizing this stored data Simple rules/signatures for prompting notification 37

  39. What is SIEM useful for It is the evolved state of previous work in intrusion detection. It is very useful for manual forensics, as a central repository of all artifacts . It is a source of data that may be used for more advanced detection and diagnosis. 38

  40. Enter SOAPA Do we need a new name? No Did we need a new name when SIEM came around? No But, marketers always want something new so Security Operations and Analytics Platform Architecture Goal is to support AI, Machine Learning, Neural Networks, and similar Big Data , Data Science , and Data Analytics to provide insight on the data. 39

  41. SOAPA Components SIEM Endpoint Detection / Response Tools Incident Response Platforms Network Security Analytics Machine Learning Algorithms Vulnerability Scanners and Security Asset Managers Malware Sandboxes Threat Intelligence Now let s discuss these in terms of the material already covered in this course. From http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 40

  42. SOAPA SIEM Component This is the repository for collected data, and the source information on which other components will operate. 41

  43. SOAPA Endpoint Tools Security analysts often want to dig deep into security alerts by monitoring and investigating host behavior, so EDR (i.e. CarbonBlack, Countertack, CrowdStrike, Guidance Software, etc.) is an essential component of SOAPA. -- Computerworld article Not just processing collected data, but allowing the administrator to push down and view live data at the end point, perhaps even more detailed than the data that is being forwarded to the SIEM. Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 42

  44. SOAPA Incident Response Aside from collecting, processing and analyzing security data, cybersecurity professionals want to prioritize alerts and remediate problems as soon as possible. These requirements are giving rise to IRPs such as Hexadite, Phantom, Resilient Systems (IBM), ServiceNow and Swimlane -- Computerworld article Automated mitigation in an integrated manner is an important advance. Intrusion response techniques as discussed in CSci530 provide guidance on the kinds of response that is possible. Integration with knowledge bases of what are your critical assets, what connections can be safely cut off, and what is the impact of a new threat can be useful in prioritizing those responses. Some may be automated Others may be advice Especially important in Cyber-Physical systems Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 43

  45. SOAPA Security Analytics SIEM s log analysis and EDR host behavior monitoring are complemented by flow and packet analysis in SOAPA, provided by vendors such as Arbor Networks, Blue Coat/Symantec, Cisco (Lancope) and RSA. -- Computerworld article Not much new here. Just the detail of the data of which analytics are performed. One can look at collected packets, as per the network forensics topics we discussed previously. Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 44

  46. SOAPA Machine Learning While these tools have received an inordinate degree of industry hype, there s little doubt that machine learning will be baked into security analytics henceforth, thus vendors such as Bay Dynamics, Caspida (Splunk), Exabeam, Niara, Sqrrl and Varonis should be included in SOAPA -- Computerworld article This is where the real difference is. It is the application of big data science to the data collected through the SIEM functionaility. These tools should be able to find clustering that is indicative of previously unseen attacks (i.e. zero days). Some SIEM solutions claim to have modules (fairly limited) for this kind of analysis, and now marketers want a new name for the use of these kinds of techniques. Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 45

  47. SOAPA Asset Vulnerability Scanning Part of security operations is knowing which alerts should be prioritized. These decisions must be driven by solid data from vulnerability management systems (i.e. Qualys, Rapid7, Tanium) and other tools that monitor the state of systems and network configurations (i.e. RedSeal, Skybox, Verodin, etc.). -- Computerworld article We have talked about these kinds of tools, though probably not man of them by name. These tools need to be better integrated into the SIEM environment, so that the tools are run on a regular basis, and the information can then be matched with configuration management information to identify what needs fixing in your environment. Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 46

  48. SOAPA Malware Intelligence This technology represents another key pivot point for understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis and Trend Micro are definitely part of SOAPA. -- Computerworld article I m not exactly sure how this capability integrates with other aspects of SOAPA. This is part of a total solution, but the integration eludes me. Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 47

  49. SOAPA Threat Intelligence Enterprise organizations want to compare internal network anomalies with malicious in-the-wild activities, so SOAPA extends to threat intelligence sources and platforms (i.e. BrightPoint (ServiceNow), FireEye/iSight Partners, RecordedFuture, ThreatConnect, ThreatQuotient, etc.). -- Computerworld article This extends the sources of information outside the enterprise. As security administrators you need to keep up to date on the latest attacks. This is threat intelligence. If properly encoded and integrated with an ID platform, this will enable you to identify new intrusions (zero days), and flag such traffic as related to particular groups or classes of criminals that are exploiting such techniques. Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 48

  50. SOAPA Summary SOAPA provides for better integration of many of the security technologies that should be deployed within your organization. Quote from http://www.networkworld.com/article/3145408/ security/goodbye-siem-hello-soapa.html 49

Related


No related presentations.

More Related Content