SlideShare a Scribd company logo

CNIT 152: 9 Network Evidence

Sam Bowne
Sam Bowne

Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco. Website: https://samsclass.info/152/152_F18.shtml

Education
1 of 62
Download to read offline
CNIT 152: Incident Response 9 Network Evidence Updated 10-8-18
The Case for Network Monitoring
Types of Network Monitoring
Types of Network Monitoring 1. Event-based alerts 2. Packet captures 3. Session information 4. High-level statistics
Types of Network Monitoring • Event-based alerts • Snort, Suricata, SourceFire, RSA NetWitness • Require rule sets • Provides real-time notification
Types of Network Monitoring • Headers or full packets • Helps to identify scope of data theft • Capture actions done with interactive shells • Closely monitor malware communicating with remote sites
Types of Network Monitoring • High-level statistics showing type and number of packets • Can reveal interesting information on activities that are not otherwise detectable
Event-Based Alert Monitoring • Most common type • Based on rules or thresholds • Events are generated by Network Intrusion Detection Systems (NIDS) • Or by software that monitors traffic patterns and flows • Standard tools: Snort and Suricata
Indicators (or Signatures) • Matched against traffic observed by the network sensor • Simple indicators • Such as IP address + port • "Cheap" (small load on sensor) • Complex indicators • Session reconstruction or string matching • Can burden the sensor so much it drops packets
Example Snort Rule • This rule detects SSH Brute Force attacks • Depth: how many bytes of packet to read • Links Ch 9a, 9b alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; metadata:service ssh; classtype:misc-activity; sid:19559; rev:5;)
alert_fast • Put this in Snort configuration file • output alert_fast alerts.txt • Simplest output module for Snort • Puts text into a file
Detect Fake SSL Certificate • Detects a specific fake certificate used by an APT group identified by Mandiant in 2003 • Written by Emerging Threats • Matches serial number and Issuer string • Link Ch 9h
Header and Full Packet Logging • Two distinct purposes • To help IR team generate signatures, monitor activity, or identify stolen data • Collect evidence for an administrative or legal matter • Consider whether to treat packet captures as evidence and generate a chain of custody
Thoroughness • IDS systems can retain the full session that generated an alert • But for targeted collection against specific subjects, use tcpdump or Wireshark
tcpdump • Complete packet capture of an HTTP request • Done with "tcpdump -X" • Limiting capture to 64 bytes captures only the headers (called "trap and trace" by law enforcement)
Statistical Monitoring • Cisco NetFlow • Number of packets & bytes in each "flow" (session)
Statistical Monitoring Commercial visualization products available from Fluke, HP, Solarwinds, and IBM Link Ch 9c
flow-tools and argus • Open-source • Convert pcap file (from tcpdump) to Argus format • Graph all packets > 68 bytes from server1 by port number
Setting Up a Network Monitoring System
Simple Method • Deploy laptops or 1U servers with hardware network taps • Snort + tcpdump works • Best if you are setting up monitoring after an incident is detected--fast & easy
IDS Limitations • IDS platforms cannot reliably perform both intrusion detection and network surveillance simultaneously • If you set an IDS to capture full-content, its effectiveness as a sensor will diminish
Effective Network Surveillance
Hardware • Difficult to collect and store every packet traversing high-speed links • Recommended: • 1U servers from large manufacturers • Linux-based network monitoring distributions • Linux now outperforms FreeBSD • For best performance, use NTOP's PF_RING network socket, not the default AF_PACKET interface
Before an Incident • If your organization plans ahead • Commercial solutions that combine Snort-style alerting wth storage • Solera Network's DeepSea appliance • RSA's NetWitness platform
Security Onion • Free Linux distribution, with kernel patched installed (securityonion.net) • Includes analysis tools
Deploying the Network Sensor
Major Network Changes • May facilitate network surveillance • Ex: route all company locations through a single Internet connection with MPLS (Multiprotocol Label Switching), not a separate ISP for each office
Secure Sensor Deployment • Place network sensor in a locked room, to maintain chain of custody • Patch the OS, keep it up to date • Protect it from unauthorized access • Document everything • Review logs • Use Tripwire to ensure integrity of OS
Evaluating Your Network Monitor • Is it receiving the traffic you want to monitor? • Is the hardware responsive enough to achieve your goals? • Create signatures to detect test traffic and test your monitor • Such as a nonexistent URL • Performance metrics in logs will tell you if the sensor is dropping packets
Network Data Analysis
General Principles • Wireshark is excellent • Especially with custom decoders, written in Lua or C • Don't hunt through large packet captures looking for something new • Limit the scope • Use targeted queries that follow your leads and answer investigative questions
Data Theft Scenario • On Dec. 3, 2013, your investigation starts • Two days ago, an attacker accessed a user's desktop system • Ran rar.exe and ftp.exe once each • You have complete packet capture data
Prefetch • Shows exact date and time ftp.exe was executed • Dec. 1, 2013 at 00:57 UTC • Interviews tell you that RAR and FTP are not used normally on that workstation
PCAP File • 73 FTP sessions on the date in question • 2 are active during the time of interest • Download PCAP files from link Ch 9e
• Statistics, Conversations, TCP tab • Select conversation, Follow Stream
Stream 0: FTP (Port 21) • Control traffic
Stream 1: FTP-Data (Port 20) • A RAR file being transferred • Show data as "Raw" • Save the file as file.rar with "Save as"
edi-source.bin RAR • From second pcap file
Password • The RARs are password-protected • We can see the names of files and folders, but not extract them • A forensic examiner could search for command lines using RAR.exe on the system, which might contain the password • Password cracking tools might help, but they are slow
Is the Process Automated? • Look for typographical errors • Look at timing between steps of the attack • Timing below indicates a human user
File from First Session • pwdump hacking tool, steals password hashes
Webshell Reconnaissance Scenario • IDS detects a port scan coming from your DMZ • From an Apache & MySQL server, on Windows, at 203.0.113.101 • Interviews: no authorized port scan was run at that time • Login history shows no user logged in to the server at that time
Apache Server Logs • Large number of requests at the time of interest • From an external IP address you don't recognize • Many different pages requested • Then many requests of the "/apps/login.php" page
PHP Shell • Many POST requests to "/apps/login.php" • Then GET requests to "/tmpbkxcn.php" • Containing strings such as • cmd=netstat • cmd=tasklist
Wireshark • Data is encrypted with HTTPS (SSL)
SSL Encryption • New versions of TLS have Forward Secrecy • A different key for each session, using a "session master secret" • Older versions of TLS • All data can be decrypted with the RSA private key on the server
Importing the Key • In Wirehark • Wireshark, Preferences, Protocols, SSL • In "RSA keys list" line, click Edit
• "Decrypted SSL data" tab appears at bottom • User-Agent: sqlmap (a common hacking tool)
Exporting Decrypted Data • File, Export PDUs to File, OSI Layer 7 • Produces decrypted HTTP packets
Decrypted Data
PHP Shell Upload • From second PCAP file
Commands
NetWitness Investigator • Sorts traffic by protocol • 32-bit version seems to be gone
Collect Logs Generated from Network Events
Examples
Examples
Network-Based Logs • Server-based logs are files on the individual systems • May be altered or deleted by the attacker • Network-based logs may be more reliable • Especially if network devices are physically and electronically secured
Log Aggregation • Log aggregation is difficult because: • Logs are in different formats • Originate from different operating systems • May require special software to access and read • May have inaccurate timestamps
CNIT 152: 9 Network Evidence

Recommended

CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
Sam Bowne
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and Kibana
Prajal Kulkarni
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
Aryan G
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
Benjamin Delpy
 
Introduction to Apache NiFi dws19 DWS - DC 2019
Introduction to Apache NiFi dws19 DWS - DC 2019Introduction to Apache NiFi dws19 DWS - DC 2019
Introduction to Apache NiFi dws19 DWS - DC 2019
Timothy Spann
 
Pig Tutorial | Twitter Case Study | Apache Pig Script and Commands | Edureka
Pig Tutorial | Twitter Case Study | Apache Pig Script and Commands | EdurekaPig Tutorial | Twitter Case Study | Apache Pig Script and Commands | Edureka
Pig Tutorial | Twitter Case Study | Apache Pig Script and Commands | Edureka
Edureka!
 
Apache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army KnifeApache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army Knife
DataWorks Summit
 

Recommended

CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
Sam Bowne
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and Kibana
Prajal Kulkarni
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
Aryan G
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
Benjamin Delpy
 
Introduction to Apache NiFi dws19 DWS - DC 2019
Introduction to Apache NiFi dws19 DWS - DC 2019Introduction to Apache NiFi dws19 DWS - DC 2019
Introduction to Apache NiFi dws19 DWS - DC 2019
Timothy Spann
 
Pig Tutorial | Twitter Case Study | Apache Pig Script and Commands | Edureka
Pig Tutorial | Twitter Case Study | Apache Pig Script and Commands | EdurekaPig Tutorial | Twitter Case Study | Apache Pig Script and Commands | Edureka
Pig Tutorial | Twitter Case Study | Apache Pig Script and Commands | Edureka
Edureka!
 
Apache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army KnifeApache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army Knife
DataWorks Summit
 
Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
ForgeRock
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Extending Druid Index File
Extending Druid Index FileExtending Druid Index File
Extending Druid Index File
Navis Ryu
 
VPN Overview and IPsec Intro
VPN Overview and IPsec IntroVPN Overview and IPsec Intro
VPN Overview and IPsec Intro
Netgate
 
Tag based policies using Apache Atlas and Ranger
Tag based policies using Apache Atlas and RangerTag based policies using Apache Atlas and Ranger
Tag based policies using Apache Atlas and Ranger
Vimal Sharma
 
Real World Event Sourcing and CQRS
Real World Event Sourcing and CQRSReal World Event Sourcing and CQRS
Real World Event Sourcing and CQRS
Matthew Hawkins
 
Apache Hive Hook
Apache Hive HookApache Hive Hook
Apache Hive Hook
Minwoo Kim
 
16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept
Mostafa El Lathy
 
An Apache Hive Based Data Warehouse
An Apache Hive Based Data WarehouseAn Apache Hive Based Data Warehouse
An Apache Hive Based Data Warehouse
DataWorks Summit
 
File Format Benchmark - Avro, JSON, ORC & Parquet
File Format Benchmark - Avro, JSON, ORC & ParquetFile Format Benchmark - Avro, JSON, ORC & Parquet
File Format Benchmark - Avro, JSON, ORC & Parquet
DataWorks Summit/Hadoop Summit
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer Guide
Deon Huang
 
Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...
Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...
Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...
Edureka!
 
ELK introduction
ELK introductionELK introduction
ELK introduction
Waldemar Neto
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
Mostafa El Lathy
 
Telecom Network & SIEM logs analysis using machine learning
Telecom Network & SIEM logs analysis using machine learningTelecom Network & SIEM logs analysis using machine learning
Telecom Network & SIEM logs analysis using machine learning
ALTANAI BISHT
 
Course 102: Lecture 28: Virtual FileSystems
Course 102: Lecture 28: Virtual FileSystems Course 102: Lecture 28: Virtual FileSystems
Course 102: Lecture 28: Virtual FileSystems
Ahmed El-Arabawy
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
Deanonymize Tor Hidden Services
Deanonymize Tor Hidden ServicesDeanonymize Tor Hidden Services
Deanonymize Tor Hidden Services
Fabrizio Farinacci
 
Presentation AuthZForce
Presentation AuthZForcePresentation AuthZForce
Presentation AuthZForce
mpfariseni mabogo
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
Sam Bowne
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
Sam Bowne
 

More Related Content

What's hot

An Apache Hive Based Data Warehouse
An Apache Hive Based Data WarehouseAn Apache Hive Based Data Warehouse
An Apache Hive Based Data Warehouse
DataWorks Summit
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 

What's hot (20)

Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Extending Druid Index File
Extending Druid Index FileExtending Druid Index File
Extending Druid Index File
 
VPN Overview and IPsec Intro
VPN Overview and IPsec IntroVPN Overview and IPsec Intro
VPN Overview and IPsec Intro
 
Tag based policies using Apache Atlas and Ranger
Tag based policies using Apache Atlas and RangerTag based policies using Apache Atlas and Ranger
Tag based policies using Apache Atlas and Ranger
 
Real World Event Sourcing and CQRS
Real World Event Sourcing and CQRSReal World Event Sourcing and CQRS
Real World Event Sourcing and CQRS
 
Apache Hive Hook
Apache Hive HookApache Hive Hook
Apache Hive Hook
 
16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept
 
An Apache Hive Based Data Warehouse
An Apache Hive Based Data WarehouseAn Apache Hive Based Data Warehouse
An Apache Hive Based Data Warehouse
 
File Format Benchmark - Avro, JSON, ORC & Parquet
File Format Benchmark - Avro, JSON, ORC & ParquetFile Format Benchmark - Avro, JSON, ORC & Parquet
File Format Benchmark - Avro, JSON, ORC & Parquet
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer Guide
 
Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...
Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...
Git Tutorial | Git Basics - Branching, Merging, Rebasing | Learn Git | DevOps...
 
ELK introduction
ELK introductionELK introduction
ELK introduction
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 
Telecom Network & SIEM logs analysis using machine learning
Telecom Network & SIEM logs analysis using machine learningTelecom Network & SIEM logs analysis using machine learning
Telecom Network & SIEM logs analysis using machine learning
 
Course 102: Lecture 28: Virtual FileSystems
Course 102: Lecture 28: Virtual FileSystems Course 102: Lecture 28: Virtual FileSystems
Course 102: Lecture 28: Virtual FileSystems
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
Deanonymize Tor Hidden Services
Deanonymize Tor Hidden ServicesDeanonymize Tor Hidden Services
Deanonymize Tor Hidden Services
 
Presentation AuthZForce
Presentation AuthZForcePresentation AuthZForce
Presentation AuthZForce
 

Similar to CNIT 152: 9 Network Evidence

Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
Cengage Learning
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
Telecommunications and Network Security Presentation
Telecommunications and Network Security PresentationTelecommunications and Network Security Presentation
Telecommunications and Network Security Presentation
Wajahat Rajab
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
ShainaBoling829
 

Similar to CNIT 152: 9 Network Evidence (20)

CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Chapter 3 footprinting
Chapter 3 footprintingChapter 3 footprinting
Chapter 3 footprinting
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident Preparation
 
Security tools
Security toolsSecurity tools
Security tools
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate Espionage
 
Network Traffic Analysis With Wireshark.pptx
Network Traffic Analysis With Wireshark.pptxNetwork Traffic Analysis With Wireshark.pptx
Network Traffic Analysis With Wireshark.pptx
 
Unit08
Unit08Unit08
Unit08
 
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
CNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationCNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident Preparation
 
Telecommunications and Network Security Presentation
Telecommunications and Network Security PresentationTelecommunications and Network Security Presentation
Telecommunications and Network Security Presentation
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 
1.SNORT.pdf
1.SNORT.pdf1.SNORT.pdf
1.SNORT.pdf
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 

More from Sam Bowne

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Sapana Sha
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 

Recently uploaded (20)

Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 

CNIT 152: 9 Network Evidence

  • 1. CNIT 152: Incident Response 9 Network Evidence Updated 10-8-18
  • 2. The Case for Network Monitoring
  • 3. Types of Network Monitoring
  • 4. Types of Network Monitoring 1. Event-based alerts 2. Packet captures 3. Session information 4. High-level statistics
  • 5. Types of Network Monitoring • Event-based alerts • Snort, Suricata, SourceFire, RSA NetWitness • Require rule sets • Provides real-time notification
  • 6. Types of Network Monitoring • Headers or full packets • Helps to identify scope of data theft • Capture actions done with interactive shells • Closely monitor malware communicating with remote sites
  • 7. Types of Network Monitoring • High-level statistics showing type and number of packets • Can reveal interesting information on activities that are not otherwise detectable
  • 8. Event-Based Alert Monitoring • Most common type • Based on rules or thresholds • Events are generated by Network Intrusion Detection Systems (NIDS) • Or by software that monitors traffic patterns and flows • Standard tools: Snort and Suricata
  • 9. Indicators (or Signatures) • Matched against traffic observed by the network sensor • Simple indicators • Such as IP address + port • "Cheap" (small load on sensor) • Complex indicators • Session reconstruction or string matching • Can burden the sensor so much it drops packets
  • 10. Example Snort Rule • This rule detects SSH Brute Force attacks • Depth: how many bytes of packet to read • Links Ch 9a, 9b alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; metadata:service ssh; classtype:misc-activity; sid:19559; rev:5;)
  • 11. alert_fast • Put this in Snort configuration file • output alert_fast alerts.txt • Simplest output module for Snort • Puts text into a file
  • 12. Detect Fake SSL Certificate • Detects a specific fake certificate used by an APT group identified by Mandiant in 2003 • Written by Emerging Threats • Matches serial number and Issuer string • Link Ch 9h
  • 13. Header and Full Packet Logging • Two distinct purposes • To help IR team generate signatures, monitor activity, or identify stolen data • Collect evidence for an administrative or legal matter • Consider whether to treat packet captures as evidence and generate a chain of custody
  • 14. Thoroughness • IDS systems can retain the full session that generated an alert • But for targeted collection against specific subjects, use tcpdump or Wireshark
  • 15. tcpdump • Complete packet capture of an HTTP request • Done with "tcpdump -X" • Limiting capture to 64 bytes captures only the headers (called "trap and trace" by law enforcement)
  • 16. Statistical Monitoring • Cisco NetFlow • Number of packets & bytes in each "flow" (session)
  • 18. flow-tools and argus • Open-source • Convert pcap file (from tcpdump) to Argus format • Graph all packets > 68 bytes from server1 by port number
  • 19.
  • 20.
  • 21.
  • 22. Setting Up a Network Monitoring System
  • 23. Simple Method • Deploy laptops or 1U servers with hardware network taps • Snort + tcpdump works • Best if you are setting up monitoring after an incident is detected--fast & easy
  • 24. IDS Limitations • IDS platforms cannot reliably perform both intrusion detection and network surveillance simultaneously • If you set an IDS to capture full-content, its effectiveness as a sensor will diminish
  • 26. Hardware • Difficult to collect and store every packet traversing high-speed links • Recommended: • 1U servers from large manufacturers • Linux-based network monitoring distributions • Linux now outperforms FreeBSD • For best performance, use NTOP's PF_RING network socket, not the default AF_PACKET interface
  • 27. Before an Incident • If your organization plans ahead • Commercial solutions that combine Snort-style alerting wth storage • Solera Network's DeepSea appliance • RSA's NetWitness platform
  • 28. Security Onion • Free Linux distribution, with kernel patched installed (securityonion.net) • Includes analysis tools
  • 30. Major Network Changes • May facilitate network surveillance • Ex: route all company locations through a single Internet connection with MPLS (Multiprotocol Label Switching), not a separate ISP for each office
  • 31. Secure Sensor Deployment • Place network sensor in a locked room, to maintain chain of custody • Patch the OS, keep it up to date • Protect it from unauthorized access • Document everything • Review logs • Use Tripwire to ensure integrity of OS
  • 32. Evaluating Your Network Monitor • Is it receiving the traffic you want to monitor? • Is the hardware responsive enough to achieve your goals? • Create signatures to detect test traffic and test your monitor • Such as a nonexistent URL • Performance metrics in logs will tell you if the sensor is dropping packets
  • 34. General Principles • Wireshark is excellent • Especially with custom decoders, written in Lua or C • Don't hunt through large packet captures looking for something new • Limit the scope • Use targeted queries that follow your leads and answer investigative questions
  • 35. Data Theft Scenario • On Dec. 3, 2013, your investigation starts • Two days ago, an attacker accessed a user's desktop system • Ran rar.exe and ftp.exe once each • You have complete packet capture data
  • 36. Prefetch • Shows exact date and time ftp.exe was executed • Dec. 1, 2013 at 00:57 UTC • Interviews tell you that RAR and FTP are not used normally on that workstation
  • 37. PCAP File • 73 FTP sessions on the date in question • 2 are active during the time of interest • Download PCAP files from link Ch 9e
  • 38. • Statistics, Conversations, TCP tab • Select conversation, Follow Stream
  • 39. Stream 0: FTP (Port 21) • Control traffic
  • 40. Stream 1: FTP-Data (Port 20) • A RAR file being transferred • Show data as "Raw" • Save the file as file.rar with "Save as"
  • 42. Password • The RARs are password-protected • We can see the names of files and folders, but not extract them • A forensic examiner could search for command lines using RAR.exe on the system, which might contain the password • Password cracking tools might help, but they are slow
  • 43. Is the Process Automated? • Look for typographical errors • Look at timing between steps of the attack • Timing below indicates a human user
  • 44. File from First Session • pwdump hacking tool, steals password hashes
  • 45. Webshell Reconnaissance Scenario • IDS detects a port scan coming from your DMZ • From an Apache & MySQL server, on Windows, at 203.0.113.101 • Interviews: no authorized port scan was run at that time • Login history shows no user logged in to the server at that time
  • 46. Apache Server Logs • Large number of requests at the time of interest • From an external IP address you don't recognize • Many different pages requested • Then many requests of the "/apps/login.php" page
  • 47. PHP Shell • Many POST requests to "/apps/login.php" • Then GET requests to "/tmpbkxcn.php" • Containing strings such as • cmd=netstat • cmd=tasklist
  • 48. Wireshark • Data is encrypted with HTTPS (SSL)
  • 49. SSL Encryption • New versions of TLS have Forward Secrecy • A different key for each session, using a "session master secret" • Older versions of TLS • All data can be decrypted with the RSA private key on the server
  • 50. Importing the Key • In Wirehark • Wireshark, Preferences, Protocols, SSL • In "RSA keys list" line, click Edit
  • 51. • "Decrypted SSL data" tab appears at bottom • User-Agent: sqlmap (a common hacking tool)
  • 52. Exporting Decrypted Data • File, Export PDUs to File, OSI Layer 7 • Produces decrypted HTTP packets
  • 54. PHP Shell Upload • From second PCAP file
  • 56. NetWitness Investigator • Sorts traffic by protocol • 32-bit version seems to be gone
  • 57. Collect Logs Generated from Network Events
  • 60. Network-Based Logs • Server-based logs are files on the individual systems • May be altered or deleted by the attacker • Network-based logs may be more reliable • Especially if network devices are physically and electronically secured
  • 61. Log Aggregation • Log aggregation is difficult because: • Logs are in different formats • Originate from different operating systems • May require special software to access and read • May have inaccurate timestamps