INF526: Secure Systems Administration
Network Monitoring and Attack Forensics
Prof. Clifford Neuman
Lecture 13
12 April 2017
OHE100C
Announcements

Our scheduled meeting on April 26th (the last lecture in the semester) will be moved to an alternative date.
In that lecture we will review for the final exam. We will also have groups on the criminal enterprise scenario demonstrate their systems and report on their architectures.
We will also red-team the servers for each group.
Depending on DEN classroom scheduling, I may split the two parts, so that we can record the final exam review, and choose a time that is more convenient to students for the demonstration.
Today's Lecture

A student presentation on Network Monitoring and Attack Forensics, expanding upon the material presented last week.
Discussion of SIEM and its relationship to newer ID systems.
Discussion of individual responses to the group project architecture (last week's assignment).
Class Presentation Schedule

4/12 Vishnu Vadlamani - Network Monitoring/Attack Forensics
4/19 Andrew Gronski - Accreditation and acceptance testing
INF526: Secure Systems Administration
Student Presentation: Network Monitoring and Forensics
Vishnu Sarma V
Lecture 1
11 January 2017
OHE100C
What do we know?

• Network Monitoring
– It helps us to ensure that availability is maintained.
– It helps us to ensure non-repudiation by telling us who did what, and when.
– It also gives us a bigger picture of what is happening in the network and helps us ensure other principles too.
– It gives us the option of inspecting at different levels of granularity.
It has a close relationship with Intrusion Detection and Forensics.
PCap

• LibPCap
– Developed by the tcpdump developers
– Captures can be specified by numerous options
– Raw view, by one protocol, by source/destination, by network, by port ranges, by packet sizes
– Read and write captures to/from file
– In depth, it's all about combinations: isolate TCP flags, SYN and RST sets, HTTP GETs, SSH, etc.
* The raw way it interfaces with traffic, combined with the precision it offers in inspecting, makes it the best possible tool.
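To make the "read and write captures to/from file" and "isolate TCP flags, SYN and RST sets" points concrete, here is an added example (not code from the slides or from libpcap) that writes a minimal classic pcap file, parses it back, and selects segments by flag bits the way a tcpdump filter does. The frames, addresses and timestamps are constructed for the demo; only the SYN / SYN-ACK / RST probe pattern follows the scenario used later in the case study.

```python
import struct

# Constructed demo: build a minimal classic pcap (libpcap) file in memory,
# read it back, and isolate TCP segments by flag bits, the kind of
# "SYN and RST sets" selection a tcpdump/BPF filter performs.
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

def build_packet(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header with no payload (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"              # dst MAC, src MAC, EtherType IPv4
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=6 (TCP), checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip_src, ip_dst)
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def write_pcap(packets):
    """Serialize frames in classic pcap format: 24 byte global header, then a
    16 byte record header (ts sec, ts usec, captured len, wire len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1491990000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data):
    """Yield (timestamp, frame bytes) records from a pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def tcp_fields(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]

def filter_flags(data, mask):
    """Select TCP segments whose flag byte has any bit of `mask` set
    (equivalent tcpdump filter: 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0')."""
    hits = []
    for _ts, frame in read_pcap(data):
        fields = tcp_fields(frame)
        if fields and fields[4] & mask:
            hits.append(fields)
    return hits

# Constructed capture: a SYN / SYN-ACK / RST probe followed by a stray ACK.
SAMPLE = write_pcap([
    build_packet("172.30.1.77", "10.30.30.20", 40001, 22, TCP_SYN),
    build_packet("10.30.30.20", "172.30.1.77", 22, 40001, TCP_SYN | TCP_ACK),
    build_packet("172.30.1.77", "10.30.30.20", 40001, 22, TCP_RST),
    build_packet("172.30.1.77", "10.30.30.20", 40002, 22, TCP_ACK),
])
```

Writing `SAMPLE` to disk gives a file that tcpdump and Wireshark open directly, so the same flag filters can be compared against the real tools.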
Keep Calm and TCPDump ON

• WinPCap
– Portable: completely compatible with libpcap
– Implies any Unix/Linux tools based on libpcap can be ported to or from Windows.
• NPCap (Nmap project's, for Windows)
– Extra security: restricts packet sniffing to authorized admins. Others must pass User Account Control to use the driver.
– Loopback packet capture: sniff loopback packets (transmissions between services on the same machine).
NTAR

• Network Trace Archival and Retrieval library.
• New file format especially targeted to per-capture and per-packet details.
• Main idea is to overcome the limits of the current libpcap/winpcap dump format. Other purposes are: extensibility, portability.
* Under development.
FreeNATS by David Cutting

• Free Network Automatic Testing System
• Monitoring and reporting system with a wide range of test types, reporting/alerting options, publishable views, SLA reporting and more.
• Web: time to connect, connection status, size of response.
• Protocol-based (SMTP, IMAP, MySQL, DNS, ...)
• Remote monitoring and testing (pull or push)
• Extensible: can add more tests by extending the FreeNATS_Local_Test class (PHP based).
• www.purplepixie.org/freenats/
Ganglia

• For use when there are a number of systems in our network.
• 3 daemons: gmond, gmetad and gweb
• Each is self-contained and needs only its respective config file to operate.
Ganglia

• Gmond: Big bang in a few bytes.
– Operates on its own host.
– XML format dumps in transmission (port 8649)
Ganglia

• Gmetad: Bringing it all together
– The architecture completely removes the need for the poller to know what services to poll from which hosts.
– Needs a list of hostnames (at least one host per cluster)
– The cluster will then inform the poller as to what metrics are available and will provide the corresponding values.
– Many shell scripts are readily available to collect XML dumps, parse them and write them to RRDtool.
– Python replacements for gmetad provide a plug-in architecture, making it easier to write custom data-handling logic.
Ganglia

• Gweb: Next-Gen Data Analysis
– Visualization UI
– Supports click-dragging in graphs to change the time period
– Fully functional URL interface, so you can embed graphs into other programs via predictable URLs.
– Data in various textual formats (CSV, JSON, and more)
Open source project that grew out of UCB and can handle clusters with 2000 nodes.
LiveAction (LiveNX)

• Combines network topology, device and flow visualizations
• Direct interactive monitoring and configuration of QoS, NetFlow, LAN, routing and other features inside Cisco systems.
• 3-tier architecture
• Nodes will initiate communication from the security zone to the server; in case of loss of communication, the server for that particular node may initiate.
• Visualization, decision making, control, improve
Give them a visit

• https://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
• https://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems#Legend
SCAPY

• Very powerful interactive packet manipulation program.
• Decode packets, send them on the wire, capture them, match requests and results.
• Can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, p0f and many more.
• What makes it different? It's your own tool.
• Probe once and interpret many times.
• http://www.secdev.org/projects/scapy/
I Know What You Surfed Last Weekend

• Network Forensics
– Different from host-based forensics.
– Poses special challenges in several areas including:
• Acquisition: difficult to locate specific evidence, from wireless access points to web proxies to central log servers
• Content: unlike filesystems, lacks the granularity desired
• Storage: commonly, network devices don't employ secondary or persistent storage. Data is very volatile and sometimes might not survive a reset of the device.
• Privacy: there may be legal issues involving privacy that are unique to network-based acquisition techniques.
OSCAR

• Network Forensics Investigative Methodology
– Obtain information
– Strategize
– Collect evidence
– Analyze
– Report
• Obtaining information on the incident, environment, legal issues, time frame, goals, etc.
• It is especially important to strategize in network forensics.
OSCAR

• Collect evidence as soon as possible and make cryptographically verifiable copies.
• Analyze only the copies with tools that are reputable and reliable.
• Don't ever forget to document everything you do!
OSCAR

• Forensic investigation can passively acquire network traffic by intercepting it as it is transmitted across cables or through equipment such as hubs and switches.
• BPF (Berkeley Packet Filter language)
• Can be impacted by hardware limitations and configuration constraints.
• Trivial protocols, web and proprietary interfaces, port scanning, vulnerability scanning.
Case Study

• Mr. X remotely infiltrates a facility lab network over the internet.
• Environment: the facility is instrumented to capture flow and record data. Staff notice port scanning from an external IP (IP address and timestamp noted).
• Challenge: identify any compromised systems, determine what the attacker found, evaluate the risk of data exfiltration.
Case Study

• Now, we get the information on the network architecture in the Obtaining Information phase:
– Facility has
• Internal network (192.168.30.0/24)
• DMZ (10.30.30.0/24)
• The Internet (let's assume one of our subnets, 172.30.1.0/24, stands in for the internet)
Case Study

• Assuming our facility uses Cisco equipment and the corresponding software and services:
– We obtain cisco-asa-nfcapd.zip, a zip archive containing flow records from the perimeter Cisco ASA, stored by the nfdump collector utility (nfcapd) in 5 minute increments.
– Also argus-collector.ra, an Argus archive containing flow record data collected from the Internal and DMZ subnets.
Case Study

• As we have the IP address of the attacker, say 172.30.1.77:
– We browse the archive dump, filtering by that IP.
– We might find a pattern showing that the attacker has performed a quick port scan on one system (a server).
– Using the same nfdump we might also find the ports that are open and that our attacker might have successfully connected to (let's say TCP port 22).
– Port 22 is SSH, usually targeted for password brute force attacks.
Case Study

• Now let's examine the internal argus dumps.
– We get information like protocol, source and destination addresses, source and destination ports, time stamps, total packets, state.
Case Study

• Legend for state (see man ra)
• From this we can see that the attacker first initiated a connection to 10.30.30.20:22 three times.
– Sent a TCP SYN, received a SYN-ACK, sent a RST
– Now the attacker knows the port is open
Case Study

– Now we see that the attacker has successfully completed a TCP handshake.
– And then, say, we saw a full TCP connection established with no FIN packets for a longer period of time.
– Consider graph reports of data flow over the respective timeline to assess the risk of exfiltration. Make sure the checks continue from our DMZ server to any internal servers or machines in a similar fashion.
– Make sure to document the timeline of the attacker performing different actions throughout the attack.
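The flow analysis walked through in the case study slides above (probe detection from the SYN / SYN-ACK / RST pattern, the long-lived session with no FIN, and the OSCAR "document everything" step) as an added example that is not part of the lecture. The records are constructed in a simplified, assumed ra-style column layout, not taken from the argus-collector.ra archive; the state labels REQ, RST, CON and FIN mirror Argus usage but check your own ra field configuration before reusing the parser.

```python
# Constructed records in a simplified Argus 'ra' style layout (an assumption
# for this example, not output from the lecture's argus-collector.ra):
# start time, duration (s), proto, src, sport, dst, dport, total pkts,
# bytes from src, bytes from dst, state. State labels follow ra's usage:
# REQ = SYN only, RST = reset, CON = established and still open, FIN = closed.
FLOWS = """\
09:00:01 0.01 tcp 172.30.1.77 40001 10.30.30.20 22 3 180 120 RST
09:00:01 0.01 tcp 172.30.1.77 40002 10.30.30.20 22 3 180 120 RST
09:00:02 0.01 tcp 172.30.1.77 40003 10.30.30.20 22 3 180 120 RST
09:00:05 3.00 tcp 172.30.1.77 40004 10.30.30.20 443 3 180 0 REQ
09:02:10 1800.0 tcp 172.30.1.77 40010 10.30.30.20 22 9100 410000 52000000 CON
09:03:00 1.50 tcp 192.168.30.5 51000 10.30.30.20 22 20 3000 2400 FIN
"""

def parse_flows(text):
    """Turn the whitespace separated dump into a list of dicts with typed fields."""
    fields = ("start", "dur", "proto", "src", "sport", "dst", "dport",
              "pkts", "sbytes", "dbytes", "state")
    rows = []
    for line in text.strip().splitlines():
        rec = dict(zip(fields, line.split()))
        for key in ("sport", "dport", "pkts", "sbytes", "dbytes"):
            rec[key] = int(rec[key])
        rec["dur"] = float(rec["dur"])
        rows.append(rec)
    return rows

def probed_ports(flows, attacker):
    """Map (host, port) -> 'open' or 'no-answer' from the attacker's short probes.
    A three packet SYN / SYN-ACK / RST exchange (bytes came back, then reset)
    proves the port is open; a lone unanswered SYN (state REQ) proves nothing."""
    result = {}
    for f in flows:
        if f["src"] != attacker or f["pkts"] > 3:
            continue
        key = (f["dst"], f["dport"])
        if f["state"] == "RST" and f["dbytes"] > 0:
            result[key] = "open"
        elif f["state"] == "REQ":
            result.setdefault(key, "no-answer")
    return result

def exfil_candidates(flows, attacker, min_seconds=600, min_bytes=10_000_000):
    """Established sessions (CON, no FIN yet) that stayed up a long time and
    moved a lot of data from the inside host back towards the attacker."""
    return [f for f in flows if f["src"] == attacker and f["state"] == "CON"
            and f["dur"] >= min_seconds and f["dbytes"] >= min_bytes]

def timeline(flows, attacker):
    """Ordered (time, note) pairs documenting each attacker action for the report."""
    labels = {"RST": "probe", "REQ": "unanswered probe",
              "CON": "session established", "FIN": "session closed"}
    notes = []
    for f in sorted(flows, key=lambda r: r["start"]):
        if f["src"] == attacker:
            notes.append((f["start"], f"{labels[f['state']]} {f['dst']}:{f['dport']} "
                          f"({f['pkts']} pkts, {f['dbytes']} bytes back)"))
    return notes
```

The same three checks should then be rerun with the DMZ host (10.30.30.20) in the attacker role, to see whether it in turn probed or held long sessions to the 192.168.30.0/24 internal network.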
Tools

• BinWalk
• Bulk-extractor
• Capstone
• Chntpw
• Cuckoo
• Dc3dd
• Ddrescue
• DFF
• diStorm3
• Dumpzilla
• Extundelete
• Foremost
• Galleta
• Guymager
• P0f
• Volatility and Xplico
• FTK
• The SleuthKit
• IDA
• Encase
• Snort
• Bro
• WireShark
• CryptCat
IDA Pro

• Multi-platform hosted interactive, programmable, multi-processor disassembler and debugger augmented by a complete plugin programming environment.
• Reverse engineering: in hacking this would enable us to use a known signature and build an unknown signature with the same capabilities.
• Key Features
– Hostile code analysis
– Vulnerability research
– Privacy protection
For example, attributing the Sony hack to North Korea.
Any Combinations

• Not just the tools mentioned, or tools specific to forensics and monitoring.
• Any combination of tools with the corresponding functionalities can form a powerful forensic toolkit.
• Even frameworks like BeEF are used in conjunction with network monitoring in forensic analysis.
Thank You
Questions?

References

• http://cryptcat.sourceforge.net/
• http://nc110.sourceforge.net/ - netcat
• https://sharkfest.wireshark.org/sharkfest.12/presentations/MB-7_Network_Forensics_Analysis-A_Hands-on_Look.pdf
• https://news.asis.io/sites/default/files/Network%20Forensics%202012.pdf
• www.Lynda.com
• Wikipedia
• https://www.wonderhowto.com/
SIEM and Beyond
http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

Security Operations and Analytics (Platform Architecture)
An evolution, not something different. It's all about detection in one form or another.
Intrusion detection – originally monolithic.
SIEM – Management of data about incidents and events.
Rules defined processing to identify the current state and intrusions. Provided the ability to push down on the data to investigate.
Analytics are the tools (including big data) that allow us to reason about the collected data.
What is SIEM Currently

While originally expanded as “Security Incident and Event Management”, many currently expand the acronym as “Security Information and Event Management”.
– That is because most of the activities revolve around the management of security information.
• Collecting data from logs
• Collecting data from sensors
• Creating a common format to represent such data
• Storing such data
– User interfaces for visualizing this stored data
– Simple rules/signatures for prompting notification
What is SIEM useful for

• It is the evolved state of previous work in intrusion detection.
• It is very useful for manual forensics, as a central repository of all “artifacts”.
• It is a source of data that may be used for more advanced detection and diagnosis.
Enter SOAPA

Do we need a new name? No
Did we need a new name when SIEM came around? No
But, marketers always want something new so…
Security Operations and Analytics Platform Architecture
– Goal is to support AI, Machine Learning, Neural Networks, and similar “Big Data”, “Data Science”, and “Data Analytics” to provide insight on the data.
SOAPA Components

• SIEM
• Endpoint Detection / Response Tools
• Incident Response Platforms
• Network Security Analytics
• Machine Learning Algorithms
• Vulnerability Scanners and Security Asset Managers
• Malware Sandboxes
• Threat Intelligence
Now let's discuss these in terms of the material already covered in this course.
From http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html
SOAPA – SIEM Component

• This is the repository for collected data, and the source information on which other components will operate.
SOAPA Endpoint Tools

“Security analysts often want to dig deep into security alerts by monitoring and investigating host behavior, so EDR (i.e. CarbonBlack, Countertack, CrowdStrike, Guidance Software, etc.) is an essential component of SOAPA.” -- Computerworld article
• Not just processing collected data, but allowing the administrator to push down and view live data at the end point, perhaps even more detailed than the data that is being forwarded to the SIEM.
Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html
SOAPA Incident Response

“Aside from collecting, processing and analyzing security data, cybersecurity professionals want to prioritize alerts and remediate problems as soon as possible. These requirements are giving rise to IRPs such as Hexadite, Phantom, Resilient Systems (IBM), ServiceNow and Swimlane” -- Computerworld article
• Automated mitigation in an integrated manner is an important advance.
• Intrusion response techniques – as discussed in CSci530 – provide guidance on the kinds of response that are possible.
• Integration with knowledge bases of what your critical assets are, what connections can be safely cut off, and what the impact of a new threat is can be useful in prioritizing those responses.
– Some may be automated
– Others may be advice
• Especially important in cyber-physical systems
SOAPA Security Analytics

“SIEM’s log analysis and EDR host behavior monitoring are complemented by flow and packet analysis in SOAPA, provided by vendors such as Arbor Networks, Blue Coat/Symantec, Cisco (Lancope) and RSA.” -- Computerworld article
• Not much new here, just the detail of the data on which analytics are performed. One can look at collected packets, as per the network forensics topics we discussed previously.
SOAPA Machine Learning

“While these tools have received an inordinate degree of industry hype, there’s little doubt that machine learning will be baked into security analytics henceforth, thus vendors such as Bay Dynamics, Caspida (Splunk), Exabeam, Niara, Sqrrl and Varonis should be included in SOAPA” -- Computerworld article
• This is where the real difference is. It is the application of big data science to the data collected through the SIEM functionality.
• These tools should be able to find clustering that is indicative of previously unseen attacks (i.e. zero days).
• Some SIEM solutions claim to have modules (fairly limited) for this kind of analysis, and now marketers want a new name for the use of these kinds of techniques.
SOAPA Asset Vulnerability Scanning

“Part of security operations is knowing which alerts should be prioritized. These decisions must be driven by solid data from vulnerability management systems (i.e. Qualys, Rapid7, Tanium) and other tools that monitor the state of systems and network configurations (i.e. RedSeal, Skybox, Verodin, etc.).” -- Computerworld article
• We have talked about these kinds of tools, though probably not many of them by name. These tools need to be better integrated into the SIEM environment, so that the tools are run on a regular basis, and the information can then be matched with configuration management information to identify what needs fixing in your environment.
SOAPA Malware Intelligence

“This technology represents another key pivot point for understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis and Trend Micro are definitely part of SOAPA.” -- Computerworld article
• I’m not exactly sure how this capability integrates with other aspects of SOAPA. This is part of a total solution, but the integration eludes me.
SOAPA Threat Intelligence

“Enterprise organizations want to compare internal network anomalies with malicious “in-the-wild” activities, so SOAPA extends to threat intelligence sources and platforms (i.e. BrightPoint (ServiceNow), FireEye/iSight Partners, RecordedFuture, ThreatConnect, ThreatQuotient, etc.).” -- Computerworld article
• This extends the sources of information outside the enterprise.
• As security administrators you need to keep up to date on the latest attacks. This is threat intelligence.
• If properly encoded and integrated with an ID platform, this will enable you to identify new intrusions (zero days), and flag such traffic as related to particular groups or classes of criminals that are exploiting such techniques.
SOAPA Summary

• SOAPA provides for better integration of many of the security technologies that should be deployed within your organization.
Second Exercise - Criminal Enterprises

• Chosen because of differences in the high level principles.
– Not because I expect you to implement these kinds of systems in your future endeavors.
– But you may be called upon to break some of these systems if later employed by government organizations.
• Your organization must:
– Accept Bitcoin as payment (not really, but it must accept something that stands in for bitcoin)
– Manage an inventory of stolen account identifiers with passwords
– Control access to such information
– Prevent collection of evidence or intelligence by third parties.
– Note, do not deal in any illegal goods, but use dummy information to stand in for such goods. Also, do not use terms associated with such illegal goods or information in communications; make up new names for this dummy information.
Group Report for Lab Exercise 2

By Tuesday April 18th please submit a report including:
• A network diagram:
– including your virtual machines and other systems like client browsers
– Show containment regions
• A description of all software components used in the implementation of your scenario, including:
– Application software components (e.g. databases, servers)
– Security software components
– Administration and management software components
• For each software component:
– Describe where it is installed
– Where obtained (or written yourself), and version information
» How you manage updates
– A table listing the authorized information flows.
• For the system as a whole
– List tools used to monitor, detect and recover from intrusions
– What kind of red-teaming or pen-testing you performed
– A risk assessment – what threats do you defend against, how do you mitigate the impact of an attack, what are you still vulnerable to, and justification for your decisions regarding such threats.
By the Final Lecture in two weeks (Alternate Date for April 26th)

• Each group should prepare a report describing:
– User documentation for their application (high level)
– Their network and server architecture (what servers are on what VMs and how they are interconnected)
– A risk assessment/vulnerability analysis enumerating the risks, explaining the mitigation of those risks, and listing those threats that are not defended against (i.e. where you accept the risks).
– A description of the steps taken for pen testing of your system.
• Each group will have 20 minutes to present, and then 20 minutes to demonstrate their project. We will have 20 minutes following the presentations and demonstrations for limited pen-testing.
– Procedures and Rules to be determined