Embed Size (px)
Citation preview
Lesson 14Network MonitoringSystem RestorationIncident Evaluation
The Role of Network Forensics
• “Network Forensics analysis tools (NFATS) reveal insecurities, turn system administrators into system detectives.”
Nate King & Errol Weiss
Information Security Magazine
Network Forensics
Definitions
• Sniffer: Hardware or software that passively intercepts packets as they traverse the network. Other name include Protocol Analyzer and Network Monitor.• Silent Sniffers will not respond to any received packets.• Illegal Sniffers violate 18 USC 2511 dealing with wiretaps.
• Promiscuous Mode. A sniffer operates in a mode that intercepts all packets flowing across the network.• A normal NIC only intercepts packets packets addressed to its IP address
and Broadcasts address.• Transactional (Noncontent) information consists only of header
information. For example, IP, TCP or UDP headers.• Same as a LE Trap and Trace or Pen Register.
• Content Information consists of not only the headers but also part or all of the encapsulated data.
Network Forensics Data
• Network data can come from:• Routers, Firewalls, Servers, IDS, DHCP Servers, etc
• These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody
• Chain of Custody
• Strictly controlled network monitoring can maintain a proper chain of custody
• Electronic evidence requires tighter control than most other types of evidence because it can be easily altered
• A broken chain goes to weight and not admissibility
Chain of Custody
• Network data chain of custody should include:• Date and time recorded• Make, model, serial # and description of recording device• Names of individual recording or the name of individuals
recovering the logs• Description of the logs• Name, Signature and date of individual receiving the data.• Evidence Tag for this item• Hash value (MD5) of each log file
Monitoring The Network
• What are the Network Monitoring goals?• Monitor traffic to and from a host?• Monitor traffic to and from a network?• Monitor a specific person?• Verify an intrusion attempt?• Monitor attack signatures?• Monitor a specific protocol?• Monitor a specific port?
• Check with legal counsel prior to starting the monitor
Corporate policy must support the type monitoring to be performed!
Network Monitoring Tool
• Network Monitoring Hardware• A Portable laptop• 512 MB Ram• 40 +GB• External Zip drive
• Network Monitoring Software• NetBSD is reputedly the best• A Silent Sniffer that speaks only TCP/IP with ARP disabled• Employ VLAN with SSH or a Dial-back modem for Remote
Administration
Run a Sniffer detection tool prior to connecting yours.
Monitoring The Network Continued
• Possible Network Monitors.• tcpdump, Ethereal and Snort• Snoop, iptrace, Snifer Pro, Etherpeek, LANalyzer• NetMon, Network Tracing and Logging and Cisco IDS
• Network Monitor Location• Host Monitoring - On the same Hub or switch.
• The switch should have Switch Port Analysis (SPAN)• Network Monitoring - At the network perimeter• A Physically secure location
Helpful Hints
• Run a Sniffer detection tool prior to connecting yours• Someone may already be listening to the network
• Capture the network traffic as close to the source host as possible• Hackers use bounce sites to attack hosts
• Have the capability of viewing captured data as a continuous stream.• This provides an overview of what the hacker is attempting to do• Reconstruct documents, etc
• Have the capability of viewing the packets at the lowest level• High-level analyzers will sometimes strip off data that is not important for fault
analysis but could be important for investigative purposes• Options and fields to identify the OS• Typing speed of user• Printer variables, X display variables , etc
Common Forensics Mistakes
• Failure to Monitor • ICMP Traffic• SMTP, POP and IMAP
Traffic• UseNet Traffic• Files saved to external
media• Web Traffic• Senior Executives Traffic• Internal IP Traffic
• Failure to Detect• ICMP Covert Channels • UDP Covert Channels• HTTP Covert Channels
Common Forensics Mistakes Continued
• Failure to PlayBack • Encrypted traffic• Graphics• Modeling and Simulation
traffic • Failure to Trace:• DOS • DDOS• Spoofed EMail
• Failure to Detect.• Steganography.• Erasing Logs• File Encryption.• Binary Trojans
Monitoring Tools
Dsniff http://www.monkey.org/~dugsong/dsniff
tcpdump http://www.tcpdump.org/
WinDump http://netgroup-serv.polito.it/windump/
ethereal http://www.ethereal.com/
Snort http://www.snort.org/
Snoop
System Restoration
• System Administrator recovers the system • Don't trust anything that is on-line• Don't believe anything your system tells you
• Reformat disks• Restore operating system• Reload software• Assign new passwords• Scan the /etc/passwd for newly created files• Check for changes to files that may affect security (trapdoors, logic bombs, etc.)
System Restoration
• Check critical files for the appropriate file protection and permissions• Scan the system for newly created SUID and SGID files• Delete and recreate all .rhosts files• Check for changes to the /etc/hosts.equiv file• Check for changes in user startup files• Check for a modified .forward file• Check for hidden or unowned files and directories• Run audit tools such a COPS and Tripwire
System Restoration
• The recovery should be planned to have minimal impact on the users• Keep the users informed
• Engage in rumor control
System Restoration
Incident Evaluation
• Conduct an after action meeting• Prepare an after action report to document the incident, the response to the incident and the recovery from the incident
• Lessons Learned?• Policy to general• Responsibilities not sufficiently defined• Inadequate monitoring tools• Systems not backed up• Hard disk needs smaller partitions• Set smaller limits on disk usage• System not scanned with tools: SATAN and ISS
After Action Meeting and Report
• Law Enforcement report?• Regulatory agency report?• Insurance claim? • Disciplinary action?• Dismissal action?• Vendor report?• Update disaster recovery plan?• Update software to new versions?• Update employee training?• Public Affairs report?• CEO report to employees?
Action List
Computer Crime Investigation
• Notify law Enforcement.• Brief/coordinate with upper management• The Law Enforcement Computer Crime Team assumes control.• Computer crime investigation is complex, time consuming, and resource intensive• Allow time/resources for
• Investigation• Prosecution
Incident Response Process
Incident Preparation
Incident Detection
Activate IR Team
Define Roles.Establish Policies. Identify Tools.Network Preparation. Firewall Logs.
IDS Logs.Suspicious User.System Administrator.
Complete IR Checklist Who/What/Where/When. Incident Description Hardware/Software. Personnel Involved. Network.
Initial ResponseCompleted IR Checklist.
Verify Incident.Affected Systems.Users Involved.Business Impact.
Is it really and Incident?
Incident Response Process-Continued
Response Strategy
Forensic Duplication
System Criticality. Information Sensitivity.Perpetrators.Publicity.Skill of Attacker.System Downtime.Dollar Loss.
Management Approval Dollar Loss. Downtime. Legal Liability. Publicity. Intellectual Property.
Accumulate Evidence&
Secure System
Best Evidence Rule.Chain of custody.Data Volatility.
Incident Response Process Contd
Investigate
Who, What, When, Where, How.People and Things.
Implement Security Measures
Isolate and Contain.Disconnect.Electronically isolate.Network Filtering.
Network Monitoring
Monitor throughout the incident.Track the hacker.No incident recurrence.
Monitor on subnet.Monitor at boundary.
Incident Response Process-Continued
Recovery
Documentation
New Procedures.Reinstall files.Reinstall from CD-Rom. Secure System. Turnoff unneeded services. Apply patches. Strong Passwords. Strong Administration.
Document everything as it occurs.
Support both criminal and civil prosecution.
Produce the final report.
Process improvement.
Each new technology will bring with it new forms of crime, demanding innovative security. That is the dynamic which drives our modern progress: not dreams, not ideas, but the simple desire on the part of criminals to take what is not theirs by law, and the determination of others to keep them from doing so.
Each new technology will bring with it new forms of crime, demanding innovative security. That is the dynamic which drives our modern progress: not dreams, not ideas, but the simple desire on the part of criminals to take what is not theirs by law, and the determination of others to keep them from doing so.
“This Alien Shore”, C. S. Friedman (C) 1998
Brave New Battles
Summary
• Thorough analysis is hard• Don’t forget to restore with same
ZEAL as you investigate• Incident evaluation is critical for
lessons learned
