INF526: Secure Systems Administration Network Monitoring And Attack Forensics Prof. Clifford Neuman Lecture 13 12 April 2017 OHE100C


Page 1: INF526: Secure Systems Administration Network Monitoring ... · PDF fileSecure Systems Administration. Network Monitoring. And. ... LiveAction (LiveNX) • Combines ... QoS, NetFlow,

INF526: Secure Systems Administration

Network Monitoring and Attack Forensics

Prof. Clifford Neuman

Lecture 13, 12 April 2017, OHE100C

Announcements

Our scheduled meeting on April 26th (the last lecture in the semester) will be moved to an alternative date.

In that lecture we will review for the final exam. We will also have groups on the criminal enterprise scenario demonstrate their systems and report on their architectures.

We will also red-team the servers for each group.

Depending on DEN classroom scheduling, I may split the two parts, so that we can record the final exam review, and choose a time that is more convenient to students for the demonstration.

Today's Lecture

A student presentation on Network Monitoring and Attack Forensics, expanding upon the material presented last week.

Discussion of SIEM and its relationship to newer ID systems.

Discussion of individual responses to the group project architecture (last week's assignment).

Class Presentation Schedule

• 4/12 Vishnu Vadlamani - Network Monitoring/Attack Forensics
• 4/19 Andrew Gronski - Accreditation and acceptance testing

INF526: Secure Systems Administration

Student Presentation: Network Monitoring and Forensics

Vishnu Sarma V

Lecture 1, 11 January 2017, OHE100C

What do we know?

• Network Monitoring
– It helps us ensure that availability is maintained.
– It helps us ensure non-repudiation by telling us who did what, and when.
– It also gives us a bigger picture of what is happening in the network and helps us ensure other principles too.
– It gives us the option of inspecting at different levels of granularity.

It has a close relationship with Intrusion Detection and Forensics.

PCap

• LibPCap
– Developed by the tcpdump developers
– Captures can be specified by numerous options
– Raw view, by one protocol, by source/destination, by network, by port ranges, by packet sizes
– Read and write captures to/from file
– In depth, it's all about combinations: isolate TCP flags, SYN and RST sets, HTTP GETs, SSH, etc.

* The raw way it interfaces with traffic, combined with the precision it offers in inspecting, makes it the best possible tool.

Keep Calm and TCPDump ON

• WinPCap
– Portable: completely compatible with libpcap
– Implies any Unix/Linux tools based on libpcap can be ported to or from Windows.

• NPcap (the Nmap project's, for Windows)
– Extra security: restricts packet sniffing to authorized administrators. Others must pass User Account Control to use the driver.
– Loopback packet capture: sniff loopback packets (transmissions between services on the same machine).

NTAR

• Network Trace Archival and Retrieval library.
• New file format especially targeted to per-capture and per-packet details.
• Main idea is to overcome the limits of the current libpcap/winpcap dump format. Other purposes are: extensibility, portability.

* Under development.
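To make the libpcap dump format concrete (the format NTAR set out to extend), here is an added example, not code from the presentation: a pure-Python writer and reader for the classic pcap file layout, a minimal Ethernet/IPv4/TCP decoder, and a tcpdump-style filter that keeps only SYN-without-ACK segments to a chosen port, which is how a connection attempt or scan shows up in a capture. The packet bytes are constructed here (the addresses are the ones the case study later uses), and IP/TCP checksums are left at zero because nothing is transmitted.

```python
"""Minimal libpcap (.pcap) writer/reader plus a "SYN-only to port N" filter.
Added example using only the standard library; packets are constructed, not captured."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with the given TCP flags, no options, no payload.
    Checksums stay zero: fine for a parsing demo, not for sending on the wire."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)              # MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def write_pcap(packets):
    """packets: iterable of (ts_sec, ts_usec, frame) -> bytes of a pcap file.
    Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        # Per-packet header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("=IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame_bytes) from pcap bytes, handling either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return src/dst/sport/dport/flags for an IPv4 TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": tcp[13]}


def syn_only_to_port(pcap_bytes, port):
    """Same idea as the BPF 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port N':
    returns (timestamp, source address, source port) for each connection attempt."""
    hits = []
    for ts, frame in read_pcap(pcap_bytes):
        p = decode_tcp(frame)
        if p and p["dport"] == port and p["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN:
            hits.append((ts, p["src"], p["sport"]))
    return hits


def demo_capture():
    """Constructed capture: SYN, SYN-ACK, RST to port 22 (the 'port is open' probe
    pattern from the case study), then a lone SYN to port 80."""
    attacker, server = "172.30.1.77", "10.30.30.20"
    return write_pcap([
        (1, 0, build_tcp_packet(attacker, server, 40000, 22, TCP_SYN)),
        (1, 500, build_tcp_packet(server, attacker, 22, 40000, TCP_SYN | TCP_ACK)),
        (1, 900, build_tcp_packet(attacker, server, 40000, 22, TCP_RST)),
        (2, 0, build_tcp_packet(attacker, server, 40001, 80, TCP_SYN)),
    ])
```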

FreeNATS by David Cutting

• Free Network Automatic Testing System
• Monitoring and reporting system with a wide range of test types, reporting/alerting options, publishable views, SLA reporting and more.
• Web – time to connect, connection status, size of response.
• Protocol-based (SMTP, IMAP, MySQL, DNS, ...)
• Remote monitoring and testing (pull or push)
• Extensible – more tests can be added by extending the FreeNATS_Local_Test class (PHP based).


• www.purplepixie.org/freenats/

Ganglia

• For when there are a number of systems in our network.
• 3 daemons: gmond, gmetad and gweb
• Each is self-contained and needs only its respective config file to operate.

Ganglia

• Gmond: Big bang in a few bytes.
– Operates on its own host.
– XML format dumps in transmission (port 8649)

Ganglia

• Gmetad: Bringing it all together
– The architecture completely removes the need for the poller to know what services to poll from which hosts.
– Needs a list of hostnames (at least one host per cluster)
– The cluster will then inform the poller as to what metrics are available and will provide the corresponding values.
– Many shell scripts are readily available to collect XML dumps, parse them and write them to RRDtool.
– A Python replacement for gmetad offers a plug-in architecture, making it easier to write custom data-handling logic.

Ganglia

• Gweb: Next-Gen Data Analysis
– Visualization UI
– Supports click-dragging in graphs to change the time period
– Fully functional URL interface, so you can embed graphs into other programs via predictable URLs.
– Data in various textual formats (CSV, JSON, and more)

Open source project that grew out of UCB and can handle clusters with 2000 nodes.

LiveAction (LiveNX)

• Combines network topology, device and flow visualizations
• Direct interactive monitoring and configuration of QoS, NetFlow, LAN, routing and other features inside Cisco systems.
• 3-tier architecture
• Nodes will initiate communication from the security zone to the server; in case of loss of communication, the server of that particular node may initiate.
• Visualization, decision making, control, improve


Give them a visit

• https://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
• https://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems#Legend

SCAPY

• Very powerful interactive packet manipulation program.
• Decode packets, send them on the wire, capture them, match requests and results.
• Can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, p0f and many more.
• What makes it different? Because it's your own tool.
• Probe once and interpret many times.
• http://www.secdev.org/projects/scapy/

I Know What You Surfed Last Weekend

• Network Forensics
– Different from host-based forensics.
– Poses special challenges in several areas, including:
• Acquisition: difficult to locate specific evidence, from wireless access points to web proxies to central log servers
• Content: unlike filesystems, lacks the granularity desired
• Storage: commonly, network devices don't employ secondary or persistent storage. The data is very volatile and sometimes might not survive a reset of the device.
• Privacy: there may be legal issues involving privacy that are unique to network-based acquisition techniques.

OSCAR

• Network Forensics Investigative Methodology
– Obtain information
– Strategize
– Collect evidence
– Analyze
– Report

• Obtaining information on the incident, environment, legal issues, time frame, goals, etc.
• It is especially important to strategize in network forensics.

OSCAR

• Collect evidence as soon as possible and make cryptographically verifiable copies.
• Analyze only the copies, with tools that are reputable and reliable.
• Don't ever forget to document everything you do!

OSCAR

• A forensic investigation can passively acquire network traffic by intercepting it as it is transmitted across cables or through equipment such as hubs and switches.
• BPF (Berkeley Packet Filter language)
• Can be impacted by hardware limitations and configuration constraints.
• Trivial protocols, web and proprietary interfaces, port scanning, vulnerability scanning.

Case Study

• Mr. X remotely infiltrates a facility lab network over the Internet.
• Environment: the facility is instrumented to capture flow and record data. Staff notice a port scan from an external IP (IP address and timestamp noted).
• Challenge: identify any compromised systems, determine what the attacker found, evaluate the risk of data exfiltration.

Case Study

• Now, we get the information on the network architecture in the Obtain Information phase as:
– Facility has
• Internal network (192.168.30.0/24)
• DMZ: (10.30.30.0/24)
• The Internet (let's assume one of our subnets stands in for the Internet: 172.30.1.0/24)

Case Study

• Assuming our facility uses Cisco equipment and the corresponding software and services:
– We obtain cisco-asa-nfcapd.zip – a zip archive containing flow records from the perimeter Cisco ASA, stored by the nfdump collector utility (nfcapd) in 5 minute increments.
– Also, argus-collector.ra – an Argus archive containing flow record data collected from the Internal and DMZ subnets.

Case Study

• As we have the IP address of the attacker, say 172.30.1.77:
– We browse the archive dump, filtering by that IP.
– We might find a pattern showing that the attacker performed a quick port scan on one system (a server).
– Using the same nfdump we might also find the ports that are open and that our attacker might have successfully connected to (let's say TCP port 22).
– Port 22 is SSH, usually targeted for password brute force attacks.

Case Study

• Now let's examine the internal Argus dumps.
– We get information like protocol, source and destination addresses, source and destination ports, timestamps, total packets, state.

Case Study

• Legend for state (man ra)
• From this we can see that the attacker first initiated a connection to 10.30.30.20:22 three times.
– Sent a TCP SYN, received a SYN-ACK, sent a RST
– Now the attacker knows the port is open

Case Study

– Now we see that the attacker has successfully finished a TCP handshake.
– And then, say, we see a full TCP connection established with no FIN packets for a longer period of time.
– Consider graph reports of data flow over the respective timeline to know the risk of exfiltration. Make sure the checks continue from our DMZ server to any internal servers or machines in a similar fashion.
– Make sure to document the timeline of the attacker performing different actions throughout the attack.
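The flow-record reasoning of the case study, as an added example rather than the presentation's own commands: the records below are constructed in an Argus ra-like column layout (start, end, src, sport, dst, dport, packets and bytes per direction, state), and the functions pick out the port scan, the SYN/SYN-ACK/RST probes that confirmed port 22 open, the long established sessions with no FIN (including the pivot from the DMZ host into the internal subnet), and a timeline for the report. Reading "an RST flow in which the client sent more than one packet" as SYN, SYN-ACK, RST is an assumption about these constructed records, not a property of real Argus output.

```python
"""Flow-record triage for the case-study pattern: port scan, half-open probes of an
open port, and long-lived established sessions with no FIN (exfiltration risk).
Added example; the records are constructed, in an assumed ra-like field order."""
from collections import defaultdict
from datetime import datetime

# start, end, src, sport, dst, dport, src_pkts, dst_pkts, src_bytes, dst_bytes, state
# State values follow the ra legend: RST = reset, CON = connected (still open), FIN = closed.
FLOW_RECORDS = """\
2017-04-12 10:00:01 2017-04-12 10:00:01 172.30.1.77 40001 10.30.30.20 21 1 1 60 40 RST
2017-04-12 10:00:01 2017-04-12 10:00:01 172.30.1.77 40002 10.30.30.20 22 2 1 120 60 RST
2017-04-12 10:00:02 2017-04-12 10:00:02 172.30.1.77 40003 10.30.30.20 23 1 1 60 40 RST
2017-04-12 10:00:02 2017-04-12 10:00:02 172.30.1.77 40004 10.30.30.20 25 1 1 60 40 RST
2017-04-12 10:00:03 2017-04-12 10:00:03 172.30.1.77 40005 10.30.30.20 80 1 1 60 40 RST
2017-04-12 10:00:03 2017-04-12 10:00:03 172.30.1.77 40006 10.30.30.20 443 1 1 60 40 RST
2017-04-12 10:00:20 2017-04-12 10:00:20 172.30.1.77 40007 10.30.30.20 22 2 1 120 60 RST
2017-04-12 10:00:41 2017-04-12 10:00:41 172.30.1.77 40008 10.30.30.20 22 2 1 120 60 RST
2017-04-12 10:02:00 2017-04-12 10:47:30 172.30.1.77 40100 10.30.30.20 22 4210 9800 310000 8900000 CON
2017-04-12 10:15:10 2017-04-12 10:40:00 10.30.30.20 51000 192.168.30.15 22 980 1400 70000 1200000 CON
2017-04-12 10:20:00 2017-04-12 10:20:03 192.168.30.40 52222 10.30.30.20 80 12 10 2100 15000 FIN
"""
FIELDS = ("start", "end", "src", "sport", "dst", "dport",
          "spkts", "dpkts", "sbytes", "dbytes", "state")


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 13:                       # date+time twice, then 9 columns
            continue
        rec = dict(zip(FIELDS, [" ".join(parts[0:2]), " ".join(parts[2:4])] + parts[4:]))
        for k in ("sport", "dport", "spkts", "dpkts", "sbytes", "dbytes"):
            rec[k] = int(rec[k])
        for k in ("start", "end"):
            rec[k] = datetime.strptime(rec[k], "%Y-%m-%d %H:%M:%S")
        flows.append(rec)
    return flows


def detect_port_scans(flows, min_ports=5, window_seconds=60):
    """A scan: one source touching many distinct ports on one host inside a short window."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    scans = []
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f["start"])
        first = fl[0]["start"]
        ports = {f["dport"] for f in fl
                 if (f["start"] - first).total_seconds() <= window_seconds}
        if len(ports) >= min_ports:
            scans.append({"src": src, "dst": dst, "ports": sorted(ports), "first_seen": first})
    return scans


def open_ports_learned(flows):
    """Half-open probes: an RST flow where the client sent more than its initial SYN,
    read here (assumption) as SYN -> SYN-ACK -> RST, so the attacker learned the port is open."""
    return sorted({(f["dst"], f["dport"]) for f in flows
                   if f["state"] == "RST" and f["spkts"] >= 2})


def long_open_sessions(flows, min_seconds=600):
    """Established (CON) flows with no FIN that outlived min_seconds; dbytes is what the
    responder sent back, i.e. the volume that may have left that host."""
    out = []
    for f in flows:
        seconds = (f["end"] - f["start"]).total_seconds()
        if f["state"] == "CON" and seconds >= min_seconds:
            out.append({"start": f["start"], "src": f["src"], "dst": f["dst"],
                        "dport": f["dport"], "seconds": seconds,
                        "bytes_from_responder": f["dbytes"]})
    return sorted(out, key=lambda s: s["seconds"], reverse=True)


def timeline(flows):
    """Chronological list of attacker actions and pivots: the raw material for the report."""
    events = []
    for s in detect_port_scans(flows):
        events.append((s["first_seen"], f"{s['src']} scanned {s['dst']} ports {s['ports']}"))
    for f in flows:
        if f["state"] == "RST" and f["spkts"] >= 2:
            events.append((f["start"], f"{f['src']} confirmed {f['dst']}:{f['dport']} open "
                                       "(SYN, SYN-ACK, RST)"))
    for s in long_open_sessions(flows):
        events.append((s["start"], f"{s['src']} -> {s['dst']}:{s['dport']} established for "
                                   f"{s['seconds']:.0f}s, no FIN, {s['bytes_from_responder']} "
                                   "bytes back from the responder"))
    events.sort()
    return [f"{t:%Y-%m-%d %H:%M:%S} {d}" for t, d in events]
```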

Tools

• BinWalk
• Bulk-extractor
• Capstone
• Chntpw
• Cuckoo
• Dc3dd
• Ddrescue
• DFF
• diStorm3
• Dumpzilla
• Extundelete
• Foremost
• Galleta
• Guymager
• P0f
• Volatility and Xplico
• FTK
• The SleuthKit
• IDA
• Encase
• Snort
• Bro
• WireShark
• CryptCat

IDA Pro

• Multi-platform hosted interactive, programmable, multi-processor disassembler and debugger augmented by a complete plugin programming environment.
• Reverse engineering: in hacking this would enable us to take a known signature and build an unknown signature with the same capabilities.
• Key features
– Hostile code analysis
– Vulnerability research
– Privacy protection

For example, attributing the Sony hack to North Korea.

Any Combinations

• So, not just the mentioned tools or tools specific to forensics and monitoring.
• Any combination of tools with the corresponding functionalities can form a powerful forensic toolkit.
• Even frameworks like BeEF are used in correspondence with network monitoring in forensic analysis.

Thank You

Questions?


SIEM and Beyond
http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

Security Operations and Analytics (Platform Architecture)

An evolution, not something different. It's all about detection in one form or another.

Intrusion detection – originally monolithic.
SIEM – management of data about incidents and events.
Rules defined processing to identify the current state and intrusions. Provided the ability to push down on the data to investigate.

Analytics are the tools (including big data) that allow us to reason about the collected data.

What is SIEM Currently

While originally expanded as “Security Incident and Event Management”, many currently expand the acronym as “Security Information and Event Management”.
– That is because most of the activities revolve around the management of security information.

• Collecting data from logs
• Collecting data from sensors
• Creating a common format to represent such data
• Storing such data
– User interfaces for visualizing this stored data
– Simple rules/signatures for prompting notification
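The collect, normalize, store and rule steps listed above, as an added example that is not from the lecture: two constructed log sources (sshd lines from a DMZ host's auth.log, and JSON events from a hypothetical "dmz-ids" sensor) are mapped onto one event schema, stored in time order, and a simple rule runs over the store, raising a medium alert on repeated login failures from one source and a high alert when that source then logs in successfully, the SSH brute-force pattern the case study mentions. The schema, the sensor format and the thresholds are this example's own choices.

```python
"""A SIEM in miniature: normalize two log formats into one schema, store, apply a rule.
Added example; the log lines and the 'dmz-ids' sensor format are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log lines from a DMZ host (standard sshd wording, fictitious events).
AUTH_LOG = """\
Apr 12 10:02:01 dmzweb sshd[2210]: Failed password for invalid user admin from 172.30.1.77 port 40100 ssh2
Apr 12 10:02:03 dmzweb sshd[2211]: Failed password for root from 172.30.1.77 port 40101 ssh2
Apr 12 10:02:06 dmzweb sshd[2212]: Failed password for root from 172.30.1.77 port 40102 ssh2
Apr 12 10:02:09 dmzweb sshd[2213]: Failed password for backup from 172.30.1.77 port 40103 ssh2
Apr 12 10:02:15 dmzweb sshd[2214]: Accepted password for backup from 172.30.1.77 port 40104 ssh2
Apr 12 10:30:00 dmzweb sshd[2300]: Accepted publickey for deploy from 192.168.30.40 port 51000 ssh2
"""
# Constructed JSON events from a hypothetical network sensor watching the same host.
SENSOR_JSON = """\
{"time": "2017-04-12T10:02:05Z", "sensor": "dmz-ids", "event": "ssh_auth_fail", "src": "172.30.1.77", "dst": "10.30.30.20", "user": "root"}
{"time": "2017-04-12T10:31:00Z", "sensor": "dmz-ids", "event": "ssh_auth_ok", "src": "192.168.30.40", "dst": "10.30.30.20", "user": "deploy"}
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize_sshd(line, year=2017):
    """auth.log line -> common event dict, or None for lines the rule does not need.
    syslog timestamps carry no year, so one is supplied (assumption for this example)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["src"],
            "user": m["user"], "action": "login",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def normalize_sensor(line):
    """Sensor JSON record -> the same common event schema."""
    d = json.loads(line)
    ts = datetime.strptime(d["time"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": d["sensor"], "host": d["dst"], "src_ip": d["src"],
            "user": d["user"], "action": "login",
            "outcome": "success" if d["event"].endswith("_ok") else "failure"}


def build_store(auth_log, sensor_json):
    """The 'storing such data' step: one time-ordered list of normalized events."""
    events = [e for e in (normalize_sshd(l) for l in auth_log.splitlines()) if e]
    events += [normalize_sensor(l) for l in sensor_json.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def brute_force_rule(events, threshold=4, window=timedelta(minutes=5)):
    """Medium alert when one source produces `threshold` login failures inside `window`;
    high alert if that source then logs in successfully while failures are still in the window."""
    alerts = []
    failures = defaultdict(list)            # src_ip -> timestamps of recent failures
    for e in events:
        if e["action"] != "login":
            continue
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        failures[e["src_ip"]] = recent
        if e["outcome"] == "failure":
            recent.append(e["ts"])
            if len(recent) == threshold:    # fire once per burst, not on every further failure
                alerts.append({"severity": "medium", "rule": "ssh-brute-force",
                               "src_ip": e["src_ip"], "host": e["host"], "ts": e["ts"]})
        elif recent:
            alerts.append({"severity": "high", "rule": "ssh-brute-force-success",
                           "src_ip": e["src_ip"], "host": e["host"],
                           "user": e["user"], "ts": e["ts"]})
    return alerts
```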

What is SIEM useful for

• It is the evolved state of previous work in intrusion detection.
• It is very useful for manual forensics, as a central repository of all “artifacts”.
• It is a source of data that may be used for more advanced detection and diagnosis.

Enter SOAPA

Do we need a new name? No
Did we need a new name when SIEM came around? No
But marketers always want something new so...

Security Operations and Analytics Platform Architecture
– Goal is to support AI, machine learning, neural networks, and similar “Big Data”, “Data Science”, and “Data Analytics” to provide insight on the data.

SOAPA Components

• SIEM
• Endpoint Detection / Response Tools
• Incident Response Platforms
• Network Security Analytics
• Machine Learning Algorithms
• Vulnerability Scanners and Security Asset Managers
• Malware Sandboxes
• Threat Intelligence

Now let's discuss these in terms of the material already covered in this course.

From http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA – SIEM Component

• This is the repository for collected data, and the source information on which other components will operate.

SOAPA Endpoint Tools

“Security analysts often want to dig deep into security alerts by monitoring and investigating host behavior, so EDR (i.e. CarbonBlack, Countertack, CrowdStrike, Guidance Software, etc.) is an essential component of SOAPA.” -- Computerworld article

• Not just processing collected data, but allowing the administrator to push down and view live data at the endpoint, perhaps even more detailed than the data that is being forwarded to the SIEM.

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA Incident Response

“Aside from collecting, processing and analyzing security data, cybersecurity professionals want to prioritize alerts and remediate problems as soon as possible. These requirements are giving rise to IRPs such as Hexadite, Phantom, Resilient Systems (IBM), ServiceNow and Swimlane” -- Computerworld article

• Automated mitigation in an integrated manner is an important advance.
• Intrusion response techniques – as discussed in CSci530 – provide guidance on the kinds of response that are possible.
• Integration with knowledge bases of what your critical assets are, what connections can be safely cut off, and what the impact of a new threat is can be useful in prioritizing those responses.
– Some may be automated
– Others may be advice
• Especially important in cyber-physical systems

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA Security Analytics

“SIEM’s log analysis and EDR host behavior monitoring are complemented by flow and packet analysis in SOAPA, provided by vendors such as Arbor Networks, Blue Coat/Symantec, Cisco (Lancope) and RSA.” -- Computerworld article

• Not much new here. Just the detail of the data on which analytics are performed. One can look at collected packets, as per the network forensics topics we discussed previously.

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA Machine Learning

“While these tools have received an inordinate degree of industry hype, there’s little doubt that machine learning will be baked into security analytics henceforth, thus vendors such as Bay Dynamics, Caspida (Splunk), Exabeam, Niara, Sqrrl and Varonis should be included in SOAPA” -- Computerworld article

• This is where the real difference is. It is the application of big data science to the data collected through the SIEM functionality.
• These tools should be able to find clustering that is indicative of previously unseen attacks (i.e. zero days).
• Some SIEM solutions claim to have modules (fairly limited) for this kind of analysis, and now marketers want a new name for the use of these kinds of techniques.

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA Asset Vulnerability Scanning

“Part of security operations is knowing which alerts should be prioritized. These decisions must be driven by solid data from vulnerability management systems (i.e. Qualys, Rapid7, Tanium) and other tools that monitor the state of systems and network configurations (i.e. RedSeal, Skybox, Verodin, etc.).” -- Computerworld article

• We have talked about these kinds of tools, though probably not many of them by name. These tools need to be better integrated into the SIEM environment, so that the tools are run on a regular basis, and the information can then be matched with configuration management information to identify what needs fixing in your environment.

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA Malware Intelligence

“This technology represents another key pivot point for understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis and Trend Micro are definitely part of SOAPA.” -- Computerworld article

• I’m not exactly sure how this capability integrates with other aspects of SOAPA. This is part of a total solution, but the integration eludes me.

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA Threat Intelligence

“Enterprise organizations want to compare internal network anomalies with malicious “in-the-wild” activities, so SOAPA extends to threat intelligence sources and platforms (i.e. BrightPoint (ServiceNow), FireEye/iSight Partners, RecordedFuture, ThreatConnect, ThreatQuotient, etc.).” -- Computerworld article

• This extends the sources of information outside the enterprise.
• As security administrators you need to keep up to date on the latest attacks. This is threat intelligence.
• If properly encoded and integrated with an ID platform, this will enable you to identify new intrusions (zero days), and flag such traffic as related to particular groups or classes of criminals that are exploiting such techniques.

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

SOAPA Summary

• SOAPA provides for better integration of many of the security technologies that should be deployed within your organization.

Quote from http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

Second Exercise - Criminal Enterprises

• Chosen because of differences in the high level principles.
– Not because I expect you to implement these kinds of systems in your future endeavors.
– But you may be called upon to break some of these systems if later employed by government organizations.

• Your organization must:
– Accept Bitcoin as payment (not really, but it must accept something that stands in for Bitcoin)
– Manage an inventory of stolen account identifiers with passwords
– Control access to such information
– Prevent collection of evidence or intelligence by third parties.
– Note: do not deal in any illegal goods, but use dummy information to stand in for such goods. Also, do not use terms associated with such illegal goods or information in communications; make up new names for this dummy information.

Group Report for Lab Exercise 2

By Tuesday April 18th please submit a report including:

• A network diagram:
– including your virtual machines and other systems like client browsers
– Show containment regions
• A description of all software components used in the implementation of your scenario, including:
– Application software components (e.g. databases, servers)
– Security software components
– Administration and management software components
• For each software component:
– Describe where it is installed
– Where obtained (or written yourself), and version information
» How you manage updates
– A table listing the authorized information flows.
• For the system as a whole
– List tools used to monitor, detect and recover from intrusions
– What kind of red-teaming or pen-testing you performed
– A risk assessment – what threats do you defend against, how do you mitigate the impact of an attack, what are you still vulnerable to, and justification for your decisions regarding such threats.

By the Final Lecture in two weeks (alternate date for April 26th)

• Each group should prepare a report describing:
– User documentation for their application (high level)
– Their network and server architecture (what servers are on what VMs and how they are interconnected)
– A risk assessment/vulnerability analysis enumerating the risks, explaining the mitigation of those risks, and listing those threats that are not defended against (i.e. where you accept the risks).
– A description of the steps taken for pen testing of your system.
• Each group will have 20 minutes to present, and then 20 minutes to demonstrate their project. We will have 20 minutes following the presentations and demonstrations for limited pen-testing.
– Procedures and rules to be determined