1 HoneyNets, Intrusion Detection Systems, and Network Forensics

1

HoneyNets, Intrusion Detection

Systems, and Network Forensics

ECE 4112-Internetwork Security 2

Introduction

• Definition of a Honeynet• Concept of Data Capture and Data Control• Generation I vs. Generation II Honeynets• Description of the Georgia Tech Campus Network• Current Vulnerabilities on the Internet• Current Tools to Protect Networks

Firewalls Intrusion Detection Systems (IDS)


Shortcomings Associated with Firewalls

1. The firewall cannot protect against attacks that bypass it, such as a dial–in or dial-out capability.

2. The firewall at the network interface does not protect against internal threats.

3. The firewall cannot protect against the transfer of virus–laden files and programs


Shortcomings Associated with Intrusion Detection Systems

1. Increase Complexity of Security Management of Network

2. High Level of False Positive and False Negative Alerts

3. Must Know Signature or Anomoly Detection Pattern


Definition of a Honeynet

• Network Established Behind a Reverse Firewall

• Captures All In-Bound and Out-Bound Traffic

• Any Type of System

• Network is Intended To Be Compromised

• All Honeynet traffic is suspicious


Data Capture and Data Control

• Data Capture Collect all information entering and leaving the

Honeynet covertly for future analysis

• Data Control Covertly protect other networks from being

attacked and compromised by computers on the Honeynet


Generation I vs. Generation II

• GEN I Honeynet Simple Methodology, Limited Capability Highly effective at detecting automated attacks Use Reverse Firewall for Data Control Can be fingerprinted by a skilled hacker Runs at OSI Layer 3

• GEN II Honeynet More Complex to Deploy and Maintain Examine Outbound Data and make determination to block,

pass, or modify data Runs at OSI Layer 2


Georgia Tech Campus Network• 15000 Students, 5000 Staff, 69 Departments • 30000-35000 networked computers on campus• Average data throughput 600Mbps/4 terabytes per

day• NO FIREWALL BETWEEN CAMPUS &

INTERNET! Why? Requirement for Academic Freedom, high

throughput However, individual enclaves within Georgia Tech use

firewalls

• IDS is run at campus gateway Out of band monitoring and follow-on investigation


Establishment of the Honeynet on the Georgia Tech Campus

• Established in Summer of 2002

• Uses Open Source Software

• Initially Established As One Honeynet Machine behind the firewall

• IP Address Range Provided by Georgia Tech Office of Information Technology (OIT)


Georgia Tech Honeynet


Hardware and Software

• No Requirement for State of the Art Equipment (Surplus Equipment)

• No Production Systems• Minimum Traffic• Use Open Source Software (SNORT,

Ethereal, MySQL DB, ACID)• Use Reverse Firewall Script Developed by

Honeynet.org


Intrusion Detection System Used with HoneyNet

• SNORT Open Source Signature-Based, with Anomaly-Based Plug-in

Available Can Write Customized Signatures

• Run Two Separate SNORT Sessions One Session to Check Against Signature Database One Session to Capture All Inbound/Outbound Traffic


Analysis Console for Intrusion Detection (ACID)


Logging and Review of Data

• Honeynet Data is stored in two separate locations Alert Data is stored in SQL database Packet Capture Data is stored in a daily archive file

• Data Analysis is a time consuming process In our Experience: One hour/day to analyze traffic One hour of attack traffic can result up to one week of

analysis


Ethereal Analysis Tool


Exploitations Detected on the Georgia Tech Honeynet

• 36 possible exploited machines have been detected at Georgia Tech in previous 9 months (through June 2003)

• A report is made to OIT on each suspected compromise


Identification of a System with a Compromised Password

• Previously Compromised Honeynet Computer Continued to Operate as Warez Server

• Another Georgia Tech Computer Connected to the Warez Server

• Investigation Revealed that Password had been Compromised on Second Georgia Tech Computer


Detection of Worm Type Exploits

• GEN I Honeynet Well-Suited to Detect Worm Type Exploits Repeated Scans targeting specific ports Analyze captured data for time lapses

• Ability to Deploy Specific Operating System on Honeynet


Exploitation Pattern of Typical Internet Worm

• Target Vulnerabilities on Specific Operating Systems

• Localized Scanning to Propagate (Code Red) 3/8 of time within same /16 network 1/2 of time within same /8 network 1/8 of time random address

• Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts


Georgia Tech Honeynet Gen II


Initial Observations of Gen II Honeynet

• Configuration is more complex than Gen I

• Must use variants of Linux 2.4 kernel in order to run Sebek keystroke logger capability

• Data must continue to be monitored on a daily basis


Honeynet Portscan ActivityPort 1434 (MS-SQL) scans

0

200

400

600

800

1000

1200

Jul_

31

Aug_06

Aug_29

Aug_21

Sep_09

Sep_17

Sep_24

Oct

_12

Oct

_04

Oct

_28

Oct

_20

Nov_

08

Nov_

09

Nov_

19

Nov_

21

Nov_

29

Dec_

05

Dec_

13

Dec_

21

Dec_

29

Jan_06

Jan_14

Jan_22

Jan_28

Feb_05

Feb_13

Feb_20

Feb_27

Mar_

07

Mar_

13

Mar_

19

Mar_

27

Apr_

04

Apr_

12

Apr_

20

Jun_10

Sep_10

Series1

• Date Public: 7/24/02 Date Attack: 1/25/03


Honeynet Portscan Activity


Port 135 (MS-BLASTER) scans

0

500

1000

1500

2000

2500

3000

3500

Series1


Honeynet Portscan Activity


Port 554 (RTSP) scans

0

5

10

15

20

25

30

35

40

5/2

0/2

003

5/2

7/2

003

6/3

/2003

6/1

0/2

003

6/1

7/2

003

6/2

4/2

003

7/1

/2003

7/8

/2003

7/1

5/2

003

7/2

2/2

003

7/2

9/2

003

8/5

/2003

8/1

2/2

003

8/1

9/2

003

8/2

6/2

003

9/2

/2003

9/9

/2003


Conclusions on HoneyNets

• Honeynet Assists in Maintaining Network Security

• Provides Platform for Research in Information Assurance and Intrusion Detection


IDS - Purpose

• Misuse detection

• Anomaly detection

• Conduct forensics

• Network traffic recording and analysis

• Intellectual property protection


IDS Strategies

• Signature-based (misuse detection) pattern matching cannot detect new attacks low false positive rate

• Anomaly-based (statistical-based) activity monitoring has the ability to detect new attacks higher false positive rate


IDS Deployment

• Network-based Inspect network traffic Monitor user activity (packet data)

• Host-based Inspect local network activity OS audit functionality Monitor user activity (function calls)


Example IDS:Snort

• Sniffer

• Packet logger

• IDS


Snort Rules

Example 1: “log tcp traffic from any port going to ports less than or equal to 6000”log tcp any any -> 192.168.1.0/24 :6000

Example 2: RPC alert call

alert tcp any any -> 192.168.1.0/24 111 (rpc: 100000, *,3; msg:RPC getport (TCP);)

see Snort Users Manual for more information


Defeating the IDS

• Encryption• Insertion/evasion attacks (requires complete

reassembly of packets and knowledge of end system exception handling)

• DoS attack (CPU, memory, bandwidth, false positives)


Signs of Intrusion

• Unaccountable disk utilization

• Unaccountable file system modification

• Unaccountable CPU utilization

• Network saturation

• Unknown process using sockets

• Abnormal network/system activity


Forensics

• After the attack• Obtain:

Attacker(s) IP(s) Time of attack Victim IP, OS, and targeted service Attacker’s activity Attacker’s objective Damage assessment


Forensic Guidance

• Photograph complete system• Take detailed notes• ID and secure all compromised systems• Preserve evidence (UNIX)

who (who logged on) ls (list of files) ps (list of processes) lsof (open file handles) find (modified files)


Forensic Guidance

• System operations can lie (rootkits)

• Retain a provable chain of custody for evidence

• Make bit-image copy of hard drive and verify it

• Analyze

Documents

1 HoneyNets, Intrusion Detection Systems, and Network Forensics