Datalink Sublayers
• MAC
– Manages multiple NICs
– Creates frame and sen...

Physical – Layer 1
• Encoding - Convert bits to signals
– 101001011001
•...

OSI & TCP/IP
OSI Model → TCP/IP
Application, Presentation, Session → Application
Transport → Transport
Network → Internet
Dat...

IP Addresses
• Class A - 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
– First bit ...

Packet Fragmentation
• Data is split into many packets
• Encapsulation, d...

ICMP – To Ping or not to Ping
• Internet Control Message Protocol
– Check...

Wireless - Overview
• How does it work?
• What are the risks?
• What sec...

Wireless – How it works
• Spread Spectrum Technologies
– Uses multiple fr...

Wireless – How it works
• 802.11a
– 54Mbps
– 5GHz
• 802.11b
– 11Mbps
...

Wireless – How it works
• BSA (Basic Service Area)
– Influence of the WAP...

Attacks Through Wireless Networks
• Popular types of wireless networks
– ...

Attacks Through Wireless Networks
• Wi-Fi equipment
– Mobile device needs...

Attacks Through Wireless Networks
• Attacks on home Wi-Fi networks relativ...

Attacks Through Wireless Networks
• Free or fee-based wireless network rar...

Wireless – Detecting networks
• NetStumbler
• inSSIDer
• Commercial ente...

Bluetooth
• Bluetooth
– Common wireless technology
– Short-range
• Up t...

Other Protocols
• DNS
• DHCP
• PPTP, SSTP, L2TP

Firewalls
• Packet filters – allow or deny based on…
– Source or destinat...

Firewall features
• NAT
• DHCP
• VPN tunneling
• Load balancing
• Fail...

Common interfaces
• Console – serial (DB9) or USB
• Secure Shell (SSH)
•...

Auditing
• Policy
• Logs

Intrusion Detection and Prevention Systems
• IDS – audit only
• IPS – aud...

IPS functionality
• Detection
– Signature
– Behavior
– Malformed data/p...

IPS functionality
• Alerts
– Email
– Syslog
– SNMP
– Database
• Traci...

IPS Limitations
• Verify scope – sensors may be configured differently

IPS Brands
• CheckPoint IPS-1
• Cisco IPS
• Corero Network Security
• E...

Snort
• Open Source IDS
• Extensible
• Most widely used

Snort Architecture
Capture packets on bound interface(s)
Reassemble...

Rule Matching
Directionality -> <- <>
Protocol
Source IP, network or por...

Rule matching – additional options
Minfrag – min size for packet fragments...

Rule matching – additional options
• TTL – match on specific TTL
• ID – m...

Rule matching - Flags
• F - FIN
• S – SYN – synchronize (request connecti...
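The header fields and options listed on the rule-matching slides (direction, protocol, source and destination address and port, TTL, flags, content), exercised in a small matcher. This is an added example written for this page, not Snort's own implementation and not code from the deck; it covers only the subset of the rule language named here, and the $HOME_NET / $EXTERNAL_NET values, the rules and the packets are constructed. Note that Snort's direction operators are `->` and `<>`; there is no `<-` operator in Snort itself.

```python
"""Toy matcher for Snort-style rules.

Added example, not Snort's code and not from the original slides. It covers the
rule header (action, protocol, addresses, ports, direction) and the msg, flags,
ttl and content options the slides mention. Snort's direction operators are
"->" and "<>"; there is no "<-". $HOME_NET, $EXTERNAL_NET, the rules and the
packets below are constructed for illustration.
"""
import ipaddress
import re

VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}  # assumption
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split one rule into header fields plus an {option: value} dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    raw = (o.strip().partition(":") for o in rule.pop("opts").split(";"))
    rule["opts"] = {k: v.strip().strip('"') for k, _, v in raw if k}
    return rule

def _net_match(spec, ip):
    spec = VARS.get(spec, spec)            # expand $HOME_NET etc.
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def _port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                        # range such as 1024: or 1:1023
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def _flags_match(spec, flags):
    """Snort semantics: "S" is exact, "S+" is SYN plus anything, "S*" is any of."""
    mode = spec[-1] if spec[-1] in "+*" else ""
    want = 0
    for ch in spec.rstrip("+*"):
        want |= FLAG_BITS[ch]
    if mode == "+":
        return flags & want == want
    if mode == "*":
        return bool(flags & want)
    return flags == want

def _ends_match(rule, pkt, a, ap, b, bp):
    return (_net_match(rule["src"], pkt[a]) and _port_match(rule["sport"], pkt[ap])
            and _net_match(rule["dst"], pkt[b]) and _port_match(rule["dport"], pkt[bp]))

def matches(rule, pkt):
    """True when the packet satisfies the header and every supported option."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    hit = _ends_match(rule, pkt, "src", "sport", "dst", "dport")
    if rule["dir"] == "<>":               # bidirectional: also try the reverse
        hit = hit or _ends_match(rule, pkt, "dst", "dport", "src", "sport")
    if not hit:
        return False
    o = rule["opts"]
    if "ttl" in o and pkt["ttl"] != int(o["ttl"]):
        return False
    if "flags" in o and not _flags_match(o["flags"], pkt["flags"]):
        return False
    return "content" not in o or o["content"].encode() in pkt["payload"]

def run_rules(rules, packets):
    """For each packet, the msg of every rule that fires on it."""
    return [[r["opts"].get("msg", "") for r in rules if matches(r, p)] for p in packets]

def pkt(proto, src, sport, dst, dport, ttl, flags, payload=b""):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                ttl=ttl, flags=flags, payload=payload)

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB admin share access"; flags:PA; content:"ADMIN$";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"inbound SYN to SMB"; flags:S;)',
    'alert icmp any any <> $HOME_NET any (msg:"ICMP with TTL 1"; ttl:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC from inside, possible bot C&C";)',
)]

# Constructed packets: pkt(proto, src, sport, dst, dport, ttl, flags, payload)
PACKETS = [
    pkt("tcp", "198.51.100.9", 40000, "10.1.1.10", 445, 64, 0x02),                 # SYN to SMB
    pkt("tcp", "198.51.100.9", 40000, "10.1.1.10", 445, 64, 0x18, b"\\\\10.1.1.10\\ADMIN$"),
    pkt("icmp", "10.1.1.20", 0, "203.0.113.1", 0, 1, 0),                            # TTL 1 echo
    pkt("tcp", "10.1.1.66", 51000, "203.0.113.77", 6667, 128, 0x18, b"NICK bot1"),
    pkt("tcp", "10.1.1.10", 445, "10.1.1.11", 50000, 128, 0x02),                   # internal only
]
```

Running `run_rules(RULES, PACKETS)` fires one rule on each of the first four packets and nothing on the internal-to-internal one. The bidirectional `<>` rule is satisfied by the outbound ICMP packet because the matcher retries with source and destination swapped, which is exactly the behaviour to remember when a `<>` rule produces more alerts than expected.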
Event Collection – Windows logs
Windows NT – 2003
• Application
• Securi...

Event Collection – Mac Logs
• Stored in /Library/Logs
• Over 100 logs incl...

Event Collection – Linux Logs
• Logs based on syslog
• Organized by facil...

Event Collection – Linux Logs
• /var/log/faillog : This log file contains ...

Event Collection – Linux Logs
• /var/log/apache2/* : If a machine is running the Apache web server, ...

Event Collection – Linux Logs
• There are several shell commands one can e...
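What reading the syslog-based Linux logs from the slides above looks like in practice, as an added example that is not code from the original deck: parse the sshd lines an auth log holds, count failures per source, and surface the source that kept failing and then got in. The log lines are constructed in the standard "Mon dd hh:mm:ss host sshd[pid]: ..." format, the failure threshold is an assumption, and decode_pri() shows how a raw syslog priority value splits into the facility and severity the slides mention.

```python
"""Parse syslog-format sshd lines and flag brute-force sources.

Added example for the Linux log slides; not code from the original deck. The
log lines are constructed in the classic "Mon dd hh:mm:ss host sshd[pid]: ..."
format written to /var/log/auth.log or /var/log/secure, and the failure
threshold is an assumption. decode_pri() shows how a raw syslog priority
value splits into the facility and severity the slides mention.
"""
import re
from collections import defaultdict

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+")

# Constructed sample lines; not taken from any real system.
SAMPLE_LOG = """\
Aug 14 03:12:01 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2
Aug 14 03:12:03 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2
Aug 14 03:12:05 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Aug 14 03:12:07 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.9 port 51244 ssh2
Aug 14 03:12:09 web01 sshd[2217]: Failed password for root from 203.0.113.9 port 51250 ssh2
Aug 14 03:12:11 web01 sshd[2219]: Failed password for root from 203.0.113.9 port 51252 ssh2
Aug 14 03:12:14 web01 sshd[2221]: Accepted password for root from 203.0.113.9 port 51260 ssh2
Aug 14 03:15:00 web01 sshd[2300]: Accepted publickey for deploy from 10.1.1.5 port 40100 ssh2
Aug 14 03:16:22 web01 sshd[2310]: Failed password for alice from 10.1.1.7 port 40200 ssh2
Aug 14 03:16:30 web01 sshd[2312]: Accepted password for alice from 10.1.1.7 port 40201 ssh2
Aug 14 03:17:01 web01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""


def decode_pri(pri):
    """Split a syslog PRI value (facility * 8 + severity) into names, e.g. 38 -> ('auth', 'info')."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_sshd(lines):
    """Yield one dict per sshd authentication line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_sources(lines):
    """Per source IP: failure count, users tried, and users that got in."""
    sources = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": []})
    for ev in parse_sshd(lines):
        s = sources[ev["src"]]
        s["users_tried"].add(ev["user"])
        if ev["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"].append(ev["user"])
    return dict(sources)


def brute_force_suspects(lines, min_failures=5):
    """Sources with at least min_failures failures, worst first.

    Each item is (src, failures, accepted_users); a non-empty accepted list
    after a run of failures is the case to escalate first.
    """
    hits = [(src, s["failed"], s["accepted"])
            for src, s in summarize_sources(lines).items() if s["failed"] >= min_failures]
    return sorted(hits, key=lambda h: (-bool(h[2]), -h[1]))


if __name__ == "__main__":
    for src, failures, accepted in brute_force_suspects(SAMPLE_LOG.splitlines()):
        status = "then LOGGED IN as " + ", ".join(accepted) if accepted else "no success"
        print(f"{src}: {failures} failures, {status}")
```

On the sample, 203.0.113.9 is reported with six failures across three usernames followed by a successful root login; alice's single typo from 10.1.1.7 stays below the threshold. The same regex works on files rotated by logrotate, and the facility/severity split is what you use when routing these lines to a remote collector by `auth.*` or `authpriv.*`.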
Chat Room Logs
• Most chat software keeps at least a temporary log of con...

How Logs Get Cleared
• Clearing the log. Any user with administrative priv...

Event Collection - Tools
• WinRM – Microsoft tool that runs on Server 200...

Event Collection - Tools
• SNARE (System iNtrusion Analysis and Reporting...

SIEM
• Security Information and Event Management
– Log aggregation
– Cor...

Automated responses
• Throttle
• Drop
• Shun
• Island

Packet Filtering
• Sensor – monitors traffic flow, extracts flow records ...

Network Analysis
• Network schematic
• Server roles
• Baselining – norm...

Analysis
• Activity pattern matching
• Packet analysis
– Libpcap and Wi...

Wireshark - Interface
• Packet list
• Packet details
• Packet bytes

Wireshark
• Filtering
– Frame contains "search term"
• Flow – sequence ...

Wireshark – Encrypted content
• TLS/SSL
– Obtain server or workstation p...

Networkminer
• Traffic analysis tool
• Graphical breakdown of…
– Hosts ...

Wireshark / Networkminer demo
• Capture data
– Send email
• Msmith-jur2...

Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabil...

Architecting a Solution
– How does it fit in the security strategy?
– Sc...

IDS/IPS
• Active or Passive
• Host, Network or Both
• Centralized or de...

Event Logging
• Placement
– Perimeter
– VLAN or Workgroup
– Wireless
...

Event Logging
• Local
• Remote
– Centralized
– Decentralized
– Concer...

Quick and Fast Rules
• Compromised hosts generally send out more informa...
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov

Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Detecting Intrusions and Malware"

Published in: Technology

Transcript of "Detecting Intrusions and Malware - Eric Vanderburg - JurInnov"

1. Detecting Intrusions and Malware
August, 2012
Eric Vanderburg, MBA, CISSP
JurInnov, Ltd.
© 2012 JurInnov Ltd. All Rights Reserved.

2. Malware
• Malware
– Software that enters a computer system without the owner's knowledge or consent
– Performs unwanted and usually harmful actions
• Malware objectives
– Rapidly spread its infection
– Conceal its purpose
– Make profit for its creators

3. Malware – Virus
• Viruses
– Malicious computer code that reproduces on a single computer
– An FBI survey revealed that despite protection programs, 82% of organizations have been infected by a virus.

4. Malware – Virus
• Methods of spreading a virus
– Virus appends itself to a file
– Virus changes the beginning of the file
• Adds a jump instruction pointing to the virus
– Swiss cheese infection
• Injects portions of code throughout the program's executable code

5. Malware – Virus
• Virus actions
– Causing the computer to crash repeatedly
– Displaying an annoying message
– Erasing files from the hard drive
– Making copies of itself to consume all space on the hard drive
– Turning off security settings
– Reformatting the hard drive

6. Malware – Virus
• A virus can only replicate on its host computer
– Cannot spread between computers without user action
• Types of viruses
– Program virus
• Infects program executable files
– Macro virus
• Stored within a user document

7. Malware - Worm
• Worms
– Malicious program designed to take advantage of a vulnerability in an application or operating system
– Searches for another computer with the same vulnerability
– Sends copies of itself over the network

8. Malware - Worm
• Worm actions
– Consume network resources
– Allow the computer to be controlled remotely
– Delete files

9. Malware - Trojan
• Trojan horses
– Install malicious software under the guise of doing something else
– Executable program containing hidden malware code
– Program advertised as performing one activity but actually does something else

10. Malware - Trojan
• A Trojan may be installed on the user's system with the user's approval
• Trojans typically do not replicate to the same computer or to another computer

11. Malware – Spyware / Adware / Scareware
• Spyware
– Dangerous, prolific code that logs a user's activity and collects personal information, which it then sends to a third party.
• Adware
– A relative of spyware. Typically bundled with free software; displays advertisements while the program is running. May also contain spyware.
• Scareware
– Software that is meant to prompt a user to action or incite panic

12. Malware – Spyware / Adware / Scareware
• Spyware's negative effects on an infected computer
– Slow system performance
– Create system instability
– Add browser toolbars or menus
– Add shortcuts
– Hijack a home page
– Increase pop-ups

13. Malware – Spyware / Adware / Scareware
• Adware
– Software program that delivers advertising content:
• In an unexpected and unwanted manner
• Adware actions
– Display pop-up ads and banners
– Open Web browsers at random intervals
– May display objectionable content
– May interfere with user productivity
– May track and monitor user actions

14. Malware – Spyware / Adware / Scareware
• Scareware
– Software that displays a fictitious warning
– Tries to impel the user to take action
– Uses legitimate trademarks or icons
– Pretends to perform a security scan and find serious problems
– Offers purchase of the full version of the software to fix the problems
– Victim provides credit card number to attacker
• Attacker uses the number to make fraudulent purchases

15. Malware - Rootkit
• Rootkit
– Set of software tools used by an attacker
– Conceals the presence of other malicious software
– Actions
• Deleting logs
• Changing the operating system to ignore malicious activity

16. Malware - Keylogger
• Keylogger
– Hardware or software that captures keystrokes
– Information can be retrieved by an attacker
• Hardware keylogger
– Installed inline between the keyboard and the computer's USB port
• Software keylogger
– Hides itself from detection by the user

17. Malware - Bots
• Bots
– A type of malware that allows an attacker to gain control over the infected computer (also called a "zombie computer") and use the company's network to send spam, launch attacks and infect other computers.

18. Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
– Torrents
• Data mining
• Hacking
• Spread itself
19. History (1999–2005)
1999 Pretty Park
• Used IRC for C&C & updates
• ICQ & email harvesting
• DoS
1999 SubSeven
• Used IRC for C&C
• Keylogger
• Admin shell access
2000 GTBot
• Bounce (relay) IRC traffic
• Port scan
• DDoS
• Delivery: email
2002 SDBot
• Keylogger
• Delivery: WebDAV and MSSQL vulnerabilities, DameWare remote mgmt software, password guessing on common MS ports & common backdoors
2002 AgoBot
• Modular design
• DDoS
• Hides with rootkit tech
• Turns off antivirus
• Modifies hosts file
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire)
2003 SpyBot
• Builds on SDBot
• Customizable to avoid detection
• DDoS, keylogger, web form collection, clipboard logging, webcam capture
• Delivery: SDBot + P2P
2003 RBot
• Encrypts itself
• Admin shell access
2004 PolyBot
• Builds on AgoBot
• Polymorphs through encrypted encapsulation
2005 MyTob
• DDoS, keylogger, web form collection, webcam capture
• Delivery: email spam using MyDoom w/ own SMTP server

20. History (2006–2008)
2006 Rustock
• Spam, DDoS
• Uses rootkit to hide
• Encrypts spam in TLS
• Robust C&C network (over 2500 domains)
• Delivery: email
2007 Cutwail
• Spam, DDoS
• Harvests email addresses
• Rootkit
• Delivery: email
2007 Storm
• Spam
• Dynamic fast-flux C&C DNS
• Malware re-encoded twice/hr
• Defends itself with DDoS
• Sold and "licensed"
• Delivery: email enticement for free music
2007 Zeus
• Phishing w/ customizable data collection methods
• Web-based C&C
• Stealthy and difficult to detect
• Sold and "licensed" to hackers for data theft
• Delivery: phishing, social networking
2008 TDSS
• Sets up a proxy that is rented to others for anonymous web access
• Delivery: Trojan embedded in software
2008 Mariposa (Butterfly)
• Rented botnet space for spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB

21. History (2009)
2009 Koobface
• Installs pay-per-install malware
• Delivery: social networking
22. Life Cycle
Phases: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up
• Exploit
– Malicious code
– Unpatched vulnerabilities
– Trojan
– Password guessing
– Phish
• Rally - Reporting in
– Log into the designated IRC channel and PM the master
– Make a connection to an http server
– Post data to an FTP or http form

23. Life Cycle
• Preserve
– Alter A/V dll's
– Modify the Hosts file to prevent A/V updates
– Remove default shares (IPC$, ADMIN$, C$)
– Rootkit
– Encrypt
– Polymorph
– Retrieve Anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes
Agobot host control commands (from the slide):
<preserve>
  <pctrl.kill "Mcdetect.exe"/>
  <pctrl.kill "avgupsvc.exe"/>
  <pctrl.kill "avgamsvr.exe"/>
  <pctrl.kill "ccapp.exe"/>
</preserve>
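One of the Preserve steps above, "modify the Hosts file to prevent A/V updates", is cheap to check for on a host you suspect. The check below is an added example written for this page, not code from the slides or from any vendor: it parses a hosts file and flags names that have been pinned to loopback or 0.0.0.0, or watched update hostnames pinned to any address at all. The sample hosts file, the example-av.test domain and the notion that those names are the vendor's update servers are all constructed; on a real system you would read C:\Windows\System32\drivers\etc\hosts or /etc/hosts and supply the update hostnames of the products you run.

```python
"""Check a hosts file for the "block the A/V update server" trick.

Added example for this section; it is not code from the original slides.
Everything below is constructed: the sample hosts file, the example-av.test
names and the assumption that they are a vendor's update hosts. In practice
read C:\\Windows\\System32\\drivers\\etc\\hosts or /etc/hosts and supply the
update hostnames of the security products you actually run.
"""
import ipaddress

# Addresses that turn a hosts entry into a black hole for that name.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately point at loopback and must not be flagged.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}

# Assumption: the update hostnames of the security products in use.
WATCH_DOMAINS = ["example-av.test"]

# Constructed sample, not a real infected hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       update.example-av.test   # blocks signature downloads
0.0.0.0         liveupdate.example-av.test
10.13.37.5      download.example-av.test # redirected to attacker-controlled host
192.0.2.10      intranet.corp.test
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments are ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not "address name [name ...]", skip it
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def find_tampering(text, watch_domains=WATCH_DOMAINS):
    """Return [(line_no, hostname, ip, reason)] for suspicious entries.

    reason "sinkholed": a non-localhost name pinned to loopback or 0.0.0.0,
    the classic way to stop a product from reaching its update server.
    reason "pinned": a watched name statically mapped to some other address,
    which bypasses DNS and can redirect updates to an attacker's host.
    """
    watch = [d.lower() for d in watch_domains]
    findings = []
    for ip, name, line_no in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in watch)
        if ip in SINKHOLE_ADDRS and name not in LEGIT_LOOPBACK:
            findings.append((line_no, name, ip, "sinkholed"))
        elif watched:
            findings.append((line_no, name, ip, "pinned"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in find_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On the sample the two loopback/null-route entries and the entry redirected to 10.13.37.5 are reported, while the intranet entry is left alone. A hosts file with many sinkholed names is not by itself proof of a bot (ad-blocking lists use the same trick), so pair the result with the other Preserve indicators on the slide, such as stopped A/V services.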
24. Life Cycle
• Inventory – determine capabilities such as RAM, HDD, processor, bandwidth, and pre-installed tools
• Await instructions from the C&C server
• Update
– Download payload/exploit
– Update C&C lists

25. Life Cycle
• Execute commands
– DDoS
– Spam
– Harvest emails
– Keylog
– Screen capture
– Webcam stream
– Steal data
• Report back to the C&C server
• Clean up - Erase evidence

26. Propagation
• Scan for Windows shares and guess passwords (PRINT$, C$, D$, E$, ADMIN$, IPC$)
– Find usernames, guess passwords from a list
– Remember to use strong passwords
(Figure: Agobot propagation functions)

27. Propagation
• Use backdoors left by common trojans
• P2P – makes files available with enticing names in the hope they are downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)

28. Propagation
• SPIM
– Message the contact list
– Send friend requests to contacts from email lists or IM contacts harvested from the Internet
• Email
– Harvests email addresses from ASCII files such as html, php, asp, txt and csv
– Uses its own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name.

29. Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with a short TTL for the C&C IP (the weak point is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (e.g., in 2004 researchers redirected a botnet's C&C to a monitoring server)

30. Detecting bots
• Monitor port statistics on network equipment and alert when machines utilize more than average
– Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored ports on switches.
• Wireshark
• Real-time NetFlow analyzer - SolarWinds free NetFlow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• SNARE – event log monitoring (Linux & Windows agents)
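The "alert when machines utilize more than average" rule above, and the "compromised hosts generally send out more information" rule from the Quick and Fast Rules slide, turned into code over flow records. This is an added example, not code from the deck or from any of the tools it names: it aggregates NetFlow-style records per internal source, flags hosts whose outbound volume is far above that of their peers, and separately flags workstations speaking SMTP directly to many outside mail servers, which is what the own-SMTP-engine propagation on slide 28 looks like on the wire. The flow records, the 10.0.0.0/8 internal range, the relay address and the thresholds are constructed assumptions.

```python
"""Pick out bot-like hosts from NetFlow-style records.

Added example, not code from the original slides: a compromised host usually
sends far more outbound data than its peers, and a spambot or mass-mailing
worm with its own SMTP engine talks port 25 to many outside mail servers
instead of the sanctioned relay. The flow records, the 10.0.0.0/8 internal
range, the relay address and the thresholds are all constructed assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: our address space
MAIL_RELAY = "10.0.0.25"    # assumption: the only host meant to send SMTP out
Z_THRESHOLD = 3.0           # standard deviations above the peer mean
SMTP_PEER_THRESHOLD = 5     # distinct outside :25 destinations before alerting

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    ("10.1.1.10", "198.51.100.7",  443,    800_000),
    ("10.1.1.10", "198.51.100.8",   80,    200_000),
    ("10.1.1.11", "198.51.100.7",  443,  1_500_000),
    ("10.1.1.12", "203.0.113.4",   443,  2_000_000),
    ("10.1.1.13", "203.0.113.9",    80,  1_200_000),
    ("10.1.1.14", "198.51.100.20", 443,  1_800_000),
    ("10.0.0.25", "203.0.113.25",   25,    300_000),   # sanctioned relay
    ("10.0.0.25", "198.51.100.25",  25,    250_000),
    ("10.1.1.66", "203.0.113.50",   25,  9_000_000),   # infected workstation...
    ("10.1.1.66", "203.0.113.51",   25,  9_000_000),
    ("10.1.1.66", "203.0.113.52",   25,  9_000_000),
    ("10.1.1.66", "198.51.100.60",  25,  9_000_000),
    ("10.1.1.66", "198.51.100.61",  25,  9_000_000),
    ("10.1.1.66", "198.51.100.62",  25,  9_000_000),
    ("10.1.1.66", "10.1.1.10",     445, 50_000_000),   # internal-only: ignored
    ("198.51.100.7", "10.1.1.10",  443,  5_000_000),   # inbound: ignored
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def summarize(flows):
    """Aggregate traffic leaving the network per internal source.

    Returns {src: {"bytes": total_outbound_bytes, "smtp_peers": {dst, ...}}}.
    """
    per_host = defaultdict(lambda: {"bytes": 0, "smtp_peers": set()})
    for src, dst, dport, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue   # only internal -> external counts as "sending out"
        per_host[src]["bytes"] += nbytes
        if dport == 25:
            per_host[src]["smtp_peers"].add(dst)
    return dict(per_host)


def volume_outliers(per_host, z=Z_THRESHOLD):
    """Hosts whose outbound bytes exceed the peer mean by more than z stdevs.

    The baseline for each host is computed from the *other* hosts: with a
    plain mean/stdev over everything, one huge sender inflates its own
    baseline and can never score above roughly sqrt(n - 1).
    """
    hits = []
    for src, h in per_host.items():
        others = [o["bytes"] for s, o in per_host.items() if s != src]
        if len(others) < 2:
            continue
        mean, stdev = statistics.mean(others), statistics.pstdev(others)
        if stdev and (h["bytes"] - mean) / stdev > z:
            hits.append(src)
    return sorted(hits)


def smtp_spammers(per_host, relay=MAIL_RELAY, limit=SMTP_PEER_THRESHOLD):
    """Internal hosts other than the relay speaking SMTP to many outside servers."""
    return sorted(src for src, h in per_host.items()
                  if src != relay and len(h["smtp_peers"]) >= limit)


if __name__ == "__main__":
    hosts = summarize(SAMPLE_FLOWS)
    print("volume outliers:", volume_outliers(hosts))
    print("direct-to-MX senders:", smtp_spammers(hosts))
```

On the sample, 10.1.1.66 trips both rules while the mail relay, which also speaks SMTP outbound, is excluded by the allow-list. The leave-one-out baseline matters more than it looks: with seven hosts and a plain population z-score, the worst possible score for a single outlier is about 2.4, so a threshold of 3 would never fire.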
31. Who Are the Attackers?
• Cybercriminals
• Script kiddies
• Spies
• Insiders
• Cyberterrorists
• Hacktivists
• Government agencies
(Slide axis: skills required)

32. Cybercriminals / Organized Crime
• Generic definition
– People who launch attacks against other users and their computers
• Specific definition
– Loose network of highly motivated attackers
– Many belong to organized gangs of attackers
• Targets
– Individuals and businesses
– Businesses and governments

33. Cybercriminals / Organized Crime
• Lee Klein compromised the Lexis-Nexis system and may have stolen the personal data of up to 13,000 users and sold the data to the Bonanno crime family.
• Groups based in the former Soviet Union have been repeatedly implicated in significant computer breaches.

34. Cybercriminals / Organized Crime
• In 2005, federal agents conducted a sting operation to arrest members of a group known as 'ShadowCrew'. This gang was a group of hackers working together to conduct a variety of computer crimes, including identity theft.
• This phenomenon is international in scope. Korean authorities have also arrested gangs of online criminals.
• The most common crime for these groups is identity theft.

35. Script Kiddies
• Attackers who lack the knowledge necessary to perform an attack on their own
• Use automated attack software
• Can purchase an "exploit kit" for a fee from other attackers
• Over 40 percent of attacks require low or no skills

36. Spies
• People hired to break into a computer and steal information
• Do not randomly search for unsecured computers
– Hired to attack a specific computer or system
• Goal
– Break into the computer or system
– Take information without drawing attention to their actions
• Generally possess excellent computer skills

37. Spies
• It is generally believed by security experts that many companies have purchased information from freelance individuals without asking where that information came from.
• In 2008, the SANS Institute ranked cyber espionage as the third greatest threat on the internet.
• In 1993, General Motors (GM) and one of its partners began to investigate a former executive, Inaki Lopez. GM alleged that Lopez and seven other former GM employees had transferred GM proprietary information to Volkswagen (VW) in Germany via GM's own network.

38. Spies
• CIO Magazine examined the issue of government-based cyber espionage in a 2009 article. The article discusses the possibility that the Chinese government was behind a widespread infiltration of over 1200 computers owned by over 100 countries, with the express purpose of spying on the activities of those countries.
• One week before Christmas 2009, the story broke that hackers had stolen secret defense plans of the United States and South Korea.

39. Insiders
• An organization's own employees, contractors, and business partners
• One study showed 48 percent of data breaches are caused by insiders accessing information
• Most insider attacks: sabotage or theft of intellectual property
• Most sabotage comes from employees who have recently been demoted, reprimanded, or left the company

40. Cyberterrorists
• Goals of a cyberattack
– Deface electronic information
• Spread misinformation and propaganda
– Deny service to legitimate computer users
– Cause critical infrastructure outages and corrupt vital data
• Attacks may be ideologically motivated

41. Cyberterrorists
• According to the FBI, "cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents."
• In 2008 and 2009 there were growing reports of attacks on various systems traced back to South Korea or China.

42. Hacktivists
• Motivated by ideology
• Direct attacks at specific Web sites
• May promote a political agenda
– Or retaliate for a specific prior event

43. Governments
• May instigate attacks against their own citizens or foreign governments
• Examples of attacks by government agencies
– The Flame malware, found mainly on computers in the Middle East (Iran in particular)
– Stuxnet, which targeted the centrifuges at Iran's Natanz uranium enrichment plant
– The Iranian government reading the e-mail messages of 30,000 citizens
• Attempt to track down dissidents

44. Governments
• Attacks are
– Premeditated, politically-motivated attacks against computer systems
– Intended to cause panic, provoke violence, or cause financial catastrophe
• Possible targets
– Banking industry
– Air traffic control centers
– Water systems

45. Governments
• This can mean attempting to spread disinformation to mislead the enemy, or propaganda to undermine the enemy's morale.
• The first way in which the internet is used in information warfare is in the realm of propaganda. Every stakeholder in any situation has their own interpretation of events and news.
• Law enforcement agencies have successfully used fake websites, fake Craigslist ads, and other techniques to help capture criminals. It is also possible to use the internet to feed misinformation to criminals and terrorists.
  46. 46. © 2012 JurInnov Ltd. All Rights Reserved. 45 Networking Concepts • TCP/IP • IP Addressing • Packet Fragmentation • ICMP • Wireless • Other Protocols – DNS – DHCP – PPTP, SSTP, L2TP
47. OSI Reference Model
Diagram: two OSI stacks shown side by side and joined layer to layer (Application, Presentation, Session, Transport, Network, Datalink, Physical), with the two Physical layers connected through the physical medium.

48. Encapsulation
• Enclosing some data within another thing so that the included data is not apparent.

49. Application – Layer 7
• Where programs access network services
• FTP, HTTP, client software
• Problems at this layer:
– Misconfigured settings
– Incompatible commands

50. Presentation – Layer 6
• Formats data
• Protocol conversion
• Encryption
• Compression
• Character set (ASCII, Unicode, EBCDIC)
• Problems at this layer:
– Cannot decrypt
– Wrong conversion

51. Redirector
• Sends requests for services to the appropriate network device.
• RDR can sometimes stand for redirector
– Rdr.sys
– Windows redirector registry entries stored in
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr
52. Session – Layer 5
• Manages communication
• Identification
• Window size
• Keep-alive messages
• ACK, NAK
• Name resolution
– DNS
– NetBIOS
• Logon
• Problems at this level:
– Incorrect or no name resolution

53. Transport – Layer 4
• Segmenting
• Sequencing
• Error checking
• Flow control – send only as much data as the receiver can handle
• TCP & SPX
• Problems at this layer:
– Overly large segments

54. Network – Layer 3
• Logical addressing
• Routing
• QoS
• Deals with packets
• IP & IPX
• Problems at this layer:
– Incorrect routing (bad config)
– Incorrect routing table
– Incorrect routing protocol
– Incorrect IP configuration

55. Datalink – Layer 2
• Physical addressing
• Deals with frames
• Discards bad frames
• Converts to bits
• Problems at this layer:
– Collisions
– Bad frames
– Faulty NIC
– Incorrect bridging tables

56. Datalink Sublayers
• MAC
– Manages multiple NICs
– Creates frame and sends to physical
– Sense carrier
– Pass tokens
• LLC
– Error recovery
– Integrity checking

57. Physical – Layer 1
• Encoding – convert bits to signals
– 101001011001
• Problems at this level:
– Interference
– Noise
– Cable not connected

58. OSI & TCP/IP
OSI Model                              TCP/IP
Application / Presentation / Session   Application
Transport                              Transport
Network                                Internet
Datalink / Physical                    Network
59. IP Addresses
• Class A – 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
– First bit 0; 7 network bits; 24 host bits
– Initial byte: 0–127
– 126 Class As exist (0 and 127 are reserved)
– 16,777,214 hosts
• Class B – 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
– First two bits 10; 14 network bits; 16 host bits
– Initial byte: 128–191
– 16,384 Class Bs exist
– 65,532 hosts
• Class C – 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh
– First three bits 110; 21 network bits; 8 host bits
– Initial byte: 192–223
– 2,097,152 Class Cs exist
– 254 hosts

60. Packet Fragmentation
• Data is split into many packets
• Encapsulation, de-encapsulation and padding cause additional fragmentation
• Reassembled by sequence number

61. ICMP – To Ping or not to Ping
• Internet Control Message Protocol
– Checks host alive status
– Susceptible to attacks
  • Smurf – broadcast pings with a spoofed source address
  • PoD (Ping of Death) – ICMP packet larger than 65,535 bytes – causes a buffer overflow upon reassembly
– Can be used to footprint
62. Wireless – Overview
• How does it work?
• What are the risks?
• What security controls are available?

63. Wireless – How it works
• Spread Spectrum Technologies
– Uses multiple frequencies
  • Less interference
  • Redundancy
– Frequency range: 902–928 MHz, 2.4 GHz
– Frequency Hopping
  • Changes at regular intervals
  • Lower bandwidth, more secure
– Direct-sequence Modulation
  • Send different data chunks along multiple frequencies
  • Low frequencies (just above noise)

64. Wireless – How it works
• 802.11a – 54 Mbps – 5 GHz
• 802.11b – 11 Mbps – 2.4 GHz
• 802.11g – 54 Mbps – 2.4 GHz – WPA support
• 802.11n – 300 Mbps – 2.4 GHz

65. Wireless – How it works
• BSA (Basic Service Area)
– Influence of the WAPs
– Depends on:
  • Power of the transmitter
  • Environment
• BSS (Basic Service Set)
– Stations belonging to an AP

66. Attacks Through Wireless Networks
• Popular types of wireless networks
– Wi-Fi
– Bluetooth
• Wi-Fi networks
– Wireless local area network (WLAN)
– Use radio frequency (RF) transmissions
– Devices in range of a connection device can send and receive information
• Estimate: 1.4 billion wireless devices shipped in 2014

67. Attacks Through Wireless Networks
• Wi-Fi equipment
– Mobile device needs a wireless client interface card adapter (wireless adapter)
– Special software to translate between device and adapter
– Wireless broadband router or access point
  • Base station for sending and receiving signals
  • Gateway to the Internet

68. Attacks Through Wireless Networks
• Attacks on home Wi-Fi networks are relatively easy
– Signal not confined within home walls
– Many users do not understand how to configure router security
– Some users consider security an inconvenience
• Types of attacks
– Stealing data
– Reading wireless transmissions
– Injecting malware
– Downloading harmful content

69. Attacks Through Wireless Networks
• Free or fee-based wireless networks are rarely protected
• Evil twin
– Attacker's wireless device
– Mimics an authorized Wi-Fi device
– Attacker can use it to send malware directly to the victim's computer

70. Wireless – Detecting networks
• NetStumbler
• inSSIDer
• Commercial enterprise tools

71. Bluetooth
• Bluetooth
– Common wireless technology
– Short-range
  • Up to 33 feet; 1 Mbps transmission rate
– See Figure 5-5
• Bluetooth attacks
– Bluejacking
  • Sending text messages
– Bluesnarfing
  • Accessing unauthorized information

72. Other Protocols
• DNS
• DHCP
• PPTP, SSTP, L2TP
73. Firewalls
• Packet filters – allow or deny based on…
– Source or destination IP address
– Source or destination port
– Blocked IP lists, blacklists and whitelists
• Session-layer proxies – stateful allow or deny decisions
– Middle-man between source and destination
– Decrypted content inspection
• Application proxies – examine one or more layer 7 traffic types such as email, SQL or HTTP.

74. Firewall features
• NAT
• DHCP
• VPN tunneling
• Load balancing
• Failover
• Stateful packet inspection
• Performance monitoring
• Centralized management
• SNMP
• Application proxy

75. Common interfaces
• Console – serial (DB9) or USB
• Secure Shell (SSH)
• Secure Copy (SCP) and SSH FTP (SFTP)
• Telnet
• Simple Network Management Protocol (SNMP)
• Trivial File Transfer Protocol (TFTP)
• Web interfaces

76. Auditing
• Policy
• Logs

77. Intrusion Detection and Prevention Systems
• IDS – audit only
• IPS – audit and respond
• Problem with tuning down and exceptions
• Types
– Port mirrored
– Inline
– Integrated

78. IPS functionality
• Detection
– Signature
– Behavior
– Malformed data/protocols
• Analysis
– Protocol reassembly
– Normalization
• Rules

79. IPS functionality
• Alerts
– Email
– Syslog
– SNMP
– Database
• Tracing
– Summary information
– Packet captures

80. IPS Limitations
• Verify scope – sensors may be configured differently

81. IPS Brands
• CheckPoint IPS-1
• Cisco IPS
• Corero Network Security
• Enterasys IPS
• HP TippingPoint IPS
• IBM Security NIPS
• Sourcefire 3D System
• Custom built (Snort or Bro)

82. Snort
• Open source IDS
• Extensible
• Most widely used

83. Snort Architecture
Capture packets on bound interface(s) → Reassemble and analyze protocol → Anomaly detection (protocol, frame, packet) → Passed to rule engine → Determine actions:
• Drop and log (pcap)
• Drop, no log
• Accept
• Accept and log (pcap)
• Notify
84. Rule Matching
• Directionality: ->, <-, <>
• Protocol
• Source IP, network or port
– log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any
– Matches data coming from outside the network (192.168.1.0/24) into it
• Destination IP, network or port
– log udp any any -> 192.168.1.0/24 1:1024
– Logs UDP traffic coming from any port to destination ports ranging from 1 to 1024
• Content
– alert tcp !192.168.1.0/24 any -> 192.168.1.19/24 80 (content: "web.config"; msg: "outside request for web.config";)
– Finds requests for web.config from the outside and sends an alert

85. Rule matching – additional options
• Minfrag – minimum size for packet fragments
• Dsize – packet payload size
– dsize: 100<>1000; (matches a payload larger than 100 and smaller than 1000 bytes)
• Depth – how far to search in the packet
• Offset – start searching after this point
• Example
– alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)

86. Rule matching – additional options
• TTL – match on a specific TTL
• ID – match on a specific fragment ID
– some known hacking tools use specific IDs
• Logto – create a separate output file
• Session – records what is typed in telnet, rlogin, ftp, etc.
– log tcp any any <> 192.168.1.0/24 23 (session: printable; logto: ".\telnet\telnet-records.log";)
– Records telnet sessions

87. Rule matching – Flags
• F – FIN
• S – SYN – synchronize (request connection)
• R – RST
• P – PSH – push data up the stack before waiting for additional data
• A – ACK
• U – URG – urgent
• 2 – Reserved bit (used in fingerprinting)
• alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)
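The Python matcher below is an added example, not code from the presentation or from Snort itself: it implements the subset of rule syntax shown on these slides (header with `!` negation, CIDR networks, port ranges, `->` and `<>` directions, plus the content, offset, depth, flags and msg options) and evaluates the slides' rules against constructed packet records. The packet records, the `packet` helper and the destination port `any` filled into the first slide rule are assumptions.

```python
import ipaddress
import re

# Rule header "action proto src sport dir dst dport", then an optional "(option; option;)" body.
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"), m.groups()))
    rule["opts"] = {}
    for item in (m.group(8) or "").split(";"):  # content:"x"; msg:"y"; -> {"content": "x", "msg": "y"}
        key, _, val = item.strip().partition(":")
        if key:
            rule["opts"][key.lower()] = val.strip().strip('"')
    return rule

def _ip_match(spec, ip):
    negate = spec.startswith("!")  # "!192.168.1.0/24" means anything outside that network
    spec = spec.lstrip("!")
    inside = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return inside != negate

def _port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")  # "1:1024" is a range, "80" a single port
    return int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(spec)

def _opts_match(opts, pkt):
    payload = pkt.get("payload", b"")
    if "content" in opts:  # search window is payload[offset : offset + depth]
        start = int(opts.get("offset", 0))
        end = start + int(opts["depth"]) if "depth" in opts else None
        if opts["content"].encode() not in payload[start:end]:
            return False
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False  # exact flag set: flags:SF means SYN and FIN and nothing else
    return True

def _header_match(rule, pkt, swap=False):
    a, b = ("dst", "src") if swap else ("src", "dst")  # swap=True checks the reverse direction for "<>"
    return (_ip_match(rule["src"], pkt[a + "_ip"]) and _port_match(rule["sport"], pkt[a + "_port"])
            and _ip_match(rule["dst"], pkt[b + "_ip"]) and _port_match(rule["dport"], pkt[b + "_port"]))

def rule_matches(rule, pkt):
    hit = _header_match(rule, pkt) or (rule["dir"] == "<>" and _header_match(rule, pkt, swap=True))
    return rule["proto"] in ("any", "ip", pkt["proto"]) and bool(hit) and _opts_match(rule["opts"], pkt)

def evaluate(rules, pkt):
    """(action, msg) of every rule the packet matches, in rule order."""
    return [(r["action"], r["opts"].get("msg", "")) for r in rules if rule_matches(r, pkt)]

def packet(proto, src_ip, src_port, dst_ip, dst_port, flags="", payload=b""):
    return dict(proto=proto, src_ip=src_ip, src_port=src_port, dst_ip=dst_ip,
                dst_port=dst_port, flags=flags, payload=payload)

# The slides' rules; the first gets the destination port "any" that the slide left out.
RULES = [parse_rule(r) for r in (
    'log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any',
    'log udp any any -> 192.168.1.0/24 1:1024',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 80 (content:"web.config"; msg:"outside request for web.config";)',
    'alert tcp any any -> 192.168.1.0/24 80 (content:"cgi-bin/phf"; offset:3; depth:22; msg:"CGI-PHF attack";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"Possible SYN FIN scan";)',
)]
# Constructed packet records, not captures from the presentation.
OUTSIDE_WEB = packet("tcp", "10.9.8.7", 40000, "192.168.1.19", 80, "PA", b"GET /web.config HTTP/1.1\r\n")
SYN_FIN = packet("tcp", "10.9.8.7", 40001, "192.168.1.5", 22, "SF")
```

`evaluate(RULES, OUTSIDE_WEB)` yields both the log rule and the web.config alert, while `SYN_FIN` triggers the log rule and the SYN FIN scan alert.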
88. Event Collection – Windows logs
Windows NT – 2003
• Application
• Security
• System
• Special
– Directory Service
– DNS Server
– File Replication Service
– PowerShell
Server 2008 / 2008 R2
• Includes 2003 logs plus:
– Administrative events
– Setup
– Server roles
  • Organized by installed roles with custom filters

89. Event Collection – Mac Logs
• Stored in Library/Logs
• Over 100 logs including:
– System.log
– Mail.log
– Appfirewall.log
  • Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53
  • Unexpected UDP connection attempt
– Install.log
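As an added example (not from the presentation), the parser below reads appfirewall.log entries in the format of the slide's sample line, counts attempts per remote host, and flags a remote host that hits several different local ports in a row, which is how a port scan against a stealth-mode firewall shows up in this log. Only the first sample line is the slide's; the others are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# One appfirewall.log "Stealth Mode" line, in the format of the slide's sample entry.
STEALTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Firewall\[\d+\]: "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<local_ip>[\d.]+):(?P<local_port>\d+) from (?P<remote_ip>[\d.]+):(?P<remote_port>\d+)$")

# Constructed log excerpt: the first line is the slide's example, the rest are made up for the demo.
SAMPLE_LOG = """\
Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53
Aug 27 11:11:02 Iceberg Firewall[113]: Stealth Mode connection attempt to TCP 192.168.0.25:22 from 192.168.0.77:51002
Aug 27 11:11:03 Iceberg Firewall[113]: Stealth Mode connection attempt to TCP 192.168.0.25:80 from 192.168.0.77:51003
Aug 27 11:11:03 Iceberg Firewall[113]: Stealth Mode connection attempt to TCP 192.168.0.25:443 from 192.168.0.77:51004
Aug 27 11:11:04 Iceberg Firewall[113]: Stealth Mode connection attempt to TCP 192.168.0.25:3389 from 192.168.0.77:51005
Aug 27 11:12:00 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:137 from 192.168.0.1:137
Aug 27 11:12:30 Iceberg kernel[0]: unrelated message that the parser must skip
"""


def parse_stealth_events(text):
    """Return one dict per Stealth Mode line; lines in any other format are ignored."""
    events = []
    for line in text.splitlines():
        m = STEALTH_RE.match(line)
        if m:
            e = m.groupdict()
            e["local_port"], e["remote_port"] = int(e["local_port"]), int(e["remote_port"])
            events.append(e)
    return events


def attempts_by_source(events):
    """Count attempts per (protocol, remote host)."""
    return Counter((e["proto"], e["remote_ip"]) for e in events)


def probing_hosts(events, min_ports=3):
    """Remote hosts that touched at least `min_ports` distinct local ports: a scan-shaped pattern."""
    ports = defaultdict(set)
    for e in events:
        ports[e["remote_ip"]].add(e["local_port"])
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)
```

The slide's own line (a UDP packet from port 53) is a late DNS reply to a socket that has already closed, which is why it is only "unexpected"; the 192.168.0.77 entries, touching four service ports in two seconds, are the pattern worth alerting on.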
90. Event Collection – Linux Logs
• Logs based on syslog
• Organized by facility such as mail or web
• Syslog-ng – supports TLS encryption for shipped logs
• Rsyslogd – supports IPv6, RELP (Reliable Event Logging Protocol), TLS, timestamping and zone logging
91. Event Collection – Linux Logs
• /var/log/faillog: contains failed user logins. This can be very important when tracking attempts to crack into the system.
• /var/log/kern.log: messages from the operating system's kernel. This is not likely to be pertinent to most computer crime investigations.
• /var/log/lpr.log: the printer log, which gives you a record of any items that have been printed from this machine. It can be useful in corporate espionage cases.
• /var/log/mail.*: the mail server log, which can be very useful in any computer crime investigation. Emails can be a component in any computer crime, and even in some non-computer crimes such as fraud.
• /var/log/mysql.*: records activities related to the MySQL database server and will usually be of less interest to a computer crime investigation.

92. Event Collection – Linux Logs
• /var/log/apache2/*: if a machine is running the Apache web server, this log will show related activity. This can be very useful in tracking attempts to hack into the web server.
• /var/log/lighttpd/*: if a machine is running the Lighttpd web server, this log will show related activity. This can be very useful in tracking attempts to hack into the web server.
• /var/log/apport.log: records application crashes. Sometimes these can reveal attempts to compromise the system, or the presence of a virus or spyware.
• /var/log/user.log: user activity logs, which can be very important to a criminal investigation.

93. Event Collection – Linux Logs
• There are several shell commands one can enter to view system logs in Linux. For example, to view the printer log any of the following would work, though not every one of these tools is installed on every Linux system:
– # tail -f /var/log/lpr.log
– # less /var/log/lpr.log
– # more -f /var/log/lpr.log
– # vi /var/log/lpr.log
94. Chat Room Logs
• Most chat software keeps at least a temporary log of conversations. This is true for MSN Messenger, Yahoo Messenger and many others.
• The exact path for viewing those logs will vary from product to product.

95. How Logs Get Cleared
• Clearing the log. Any user with administrative privileges can simply wipe out a log. However, this will be obvious when you see an empty event log.
• Using auditpol.exe. This is an administrative utility that exists in Windows systems. It won't show on the desktop or in the programs menu; you have to know it's there and go find it. But using auditpol \\ipaddress /disable turns off logging. Then when the criminal exits, they can use auditpol \\ipaddress /enable to turn it back on.
• There are a number of utilities on the web that will assist an attacker in this process. For example, WinZapper allows one to selectively remove certain items from event logs in Windows.
96. Event Collection – Tools
• WinRM – Microsoft tool that runs on Server 2008 R2
• Argus
• Softflowd
• Cisco MARS (Monitoring, Analysis and Response System)

97. Event Collection – Tools
• SNARE (System iNtrusion Analysis and Reporting Environment) – open source
• Splunk (only free for 500 MB/day)
• SCOM (System Center Operations Manager)
• DAD (Distributed log Aggregation for Data analysis)

98. SIEM
• Security Information and Event Management
– Log aggregation
– Correlation
– Normalization
– Alerting
– Dashboards
– Views
– Compliance reports
– Retention

99. Automated responses
• Throttle
• Drop
• Shun
• Island

100. Packet Filtering
• Sensor – monitors traffic flow, extracts flow records and sends them to collectors
• Collector – receives flow records and stores them
• Aggregator – central collection point when multiple collectors are used
• Analysis – tool that organizes and makes sense of the collected data
101. Network Analysis
• Network schematic
• Server roles
• Baselining – normal profile
– Destination IP addresses
– Ports
– Protocols
– Volume of data and directionality

102. Analysis
• Activity pattern matching
• Packet analysis
– Libpcap and WinPcap
– Wireshark
• Traffic analysis
– NetworkMiner
• Persistent packet sniffing
– Data available when needed
– High disk and CPU requirement
– Must be highly secure

103. Wireshark – Interface
Screenshot of the three panes: Packet list, Packet details, Packet bytes.

104. Wireshark
• Filtering
– Frame contains "search term"
• Flow – sequence of packets comprising a single communication segment
– Ex: connection, negotiation, file request, file delivery, checksum, acknowledgment, termination
– Flow record – subset of information from a flow such as source and destination IP, protocol, date or time

105. Wireshark – Encrypted content
• TLS/SSL
– Obtain server or workstation private key
– Decrypt session keys with the private key
– Decrypt message stream with the session keys
– Record session key changes and continue decrypting the message stream
– Go to Preferences → Protocols → SSL → Edit RSA keys list → New → point to the private key and enter IP address, port, protocol and password

106. NetworkMiner
• Traffic analysis tool
• Graphical breakdown of…
– Hosts
– Images
– Files
– Email
– DNS
– Sessions

107. Wireshark / NetworkMiner demo
• Capture data
– Send email
  • Msmith-jur2012@hotmail.com
  • IknowIT2!
– Visit web site
– Run lansearch and copy files
• End capture
• Export to pcap
• View in NetworkMiner

108. Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots.
– Nexpose
  • Free for up to 32 IPs
– OpenVAS (Open Vulnerability Assessment System)
  • Linux
  • VM available (resource intensive)
– Greenbone Desktop Suite (uses OpenVAS)
  • Windows XP/Vista/7
– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)

109. Architecting a Solution
– How does it fit in the security strategy?
– Scope
– Scalability
– Regulations and Standards
– Structure
  • Distributed
  • Centralized
– Platforms
  • Black box
  • Open Source
  • Commercial Application

110. IDS/IPS
• Active or Passive
• Host, Network or Both
• Centralized or decentralized

111. Event Logging
• Placement
– Perimeter
– VLAN or Workgroup
– Wireless
– Choke points – maximize collection capacity within budget and ability to process and analyze
– Minimize duplication
– Sync time
– Normalize
– Secure collector transmission pathways

112. Event Logging
• Local
• Remote
– Centralized
– Decentralized
– Concerns
  • Time stamping
  • Network reliability
  • Confidentiality and integrity

113. Quick and Fast Rules
• Compromised hosts generally send out more information
• Patterns (sending perspective)
– Many-to-one – DDoS, Syslog, data repository, email server
– One-to-many – web server, email server, SPAM bot, warez, port scanning
– Many-to-many – P2P, virus infection
– One-to-one – normal communication, targeted attack
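An added example, not from the presentation, that applies the four sending patterns above and the "compromised hosts send out more" rule to flow records of the kind the sensor/collector slides describe. The flow records, the per-host outbound baseline, and the threshold of four distinct peers for "many" are all assumptions.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port, bytes_sent); not data from the presentation.
FLOWS = [
    ("192.168.1.5", "192.168.1.10", 514, 400),    # four workstations shipping syslog to one collector
    ("192.168.1.6", "192.168.1.10", 514, 380),
    ("192.168.1.7", "192.168.1.10", 514, 420),
    ("192.168.1.8", "192.168.1.10", 514, 390),
    ("192.168.1.20", "192.168.1.30", 443, 9000),  # one host talking to one server
    *[("192.168.1.44", "10.0.0.%d" % i, 445, 60) for i in range(1, 41)],  # one host probing 40 others
    ("192.168.1.44", "203.0.113.9", 443, 25_000_000),  # ... and then pushing a large volume outward
    *[("172.16.0.%d" % a, "172.16.0.%d" % b, 6881, 500)  # five peers all talking to each other
      for a in range(1, 6) for b in range(1, 6) if a != b],
]
# Assumed per-host baseline of normal outbound bytes for the same period.
BASELINE_OUT = {"192.168.1.44": 2_000_000, "192.168.1.20": 12_000_000}


def summarize(flows):
    """Distinct peers per sender, distinct senders per receiver, and bytes sent per sender."""
    fan_out, fan_in, out_bytes = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, _port, nbytes in flows:
        fan_out[src].add(dst)
        fan_in[dst].add(src)
        out_bytes[src] += nbytes
    return fan_out, fan_in, out_bytes


def classify(flows, threshold=4):
    """Label each host with one of the slide's four patterns; 'many' means >= threshold distinct peers."""
    fan_out, fan_in, _ = summarize(flows)
    labels = {}
    for host in set(fan_out) | set(fan_in):
        many_out = len(fan_out.get(host, ())) >= threshold
        many_in = len(fan_in.get(host, ())) >= threshold
        if many_out and many_in:
            labels[host] = "many-to-many"   # P2P, virus infection
        elif many_out:
            labels[host] = "one-to-many"    # web/email server, spam bot, warez, port scanning
        elif many_in:
            labels[host] = "many-to-one"    # DDoS target, syslog, data repository, email server
        else:
            labels[host] = "one-to-one"     # normal communication, or a targeted attack
    return labels


def exfil_suspects(flows, baseline, factor=5):
    """Hosts whose outbound volume exceeds `factor` times their baseline (compromised hosts send more)."""
    _, _, out_bytes = summarize(flows)
    return sorted(h for h, b in out_bytes.items() if h in baseline and b > factor * baseline[h])
```

Pattern labels alone do not separate a busy web server from a scanner; the baseline comparison is what singles out 192.168.1.44, which both fans out to 40 hosts and sends over twelve times its normal volume.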