Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
6. Types of Network Monitoring
ā¢ Headers or full packets
ā¢ Helps to identify scope of data theft
ā¢ Capture actions done with interactive shells
ā¢ Closely monitor malware communicating with
remote sites
7. Types of Network Monitoring
ā¢ High-level statistics showing type and number
of packets
ā¢ Can reveal interesting information on
activities that are not otherwise detectable
8. Event-Based Alert
Monitoring
ā¢ Most common type
ā¢ Based on rules or thresholds
ā¢ Events are generated by Network Intrusion
Detection Systems (NIDS)
ā¢ Or by software that monitors trafļ¬c patterns
and ļ¬ows
ā¢ Standard tools: Snort and Suricata
9. Indicators (or Signatures)
ā¢ Matched against trafļ¬c observed by the network
sensor
ā¢ Simple indicators
ā¢ Such as IP address + port
ā¢ "Cheap" (small load on sensor)
ā¢ Complex indicators
ā¢ Session reconstruction or string matching
ā¢ Can burden the sensor so much it drops
packets
10. Example Snort Rule
ā¢ This rule detects SSH Brute Force attacks
ā¢ Depth: how many bytes of packet to read
ā¢ Links Ch 9a, 9b
alert tcp $EXTERNAL_NET any -> $HOME_NET 22
(msg:"INDICATOR-SCAN SSH
brute force login attempt";
flow:to_server,established; content:"SSH-";
depth:4; detection_filter:track by_src, count 5,
seconds 60;
metadata:service ssh; classtype:misc-activity;
sid:19559; rev:5;)
11. alert_fast
ā¢ Put this in Snort conļ¬guration ļ¬le
ā¢ output alert_fast alerts.txt
ā¢ Simplest output module for Snort
ā¢ Puts text into a ļ¬le
12. Detect Fake SSL Certiļ¬cate
ā¢ Detects a speciļ¬c fake certiļ¬cate used by an
APT group identiļ¬ed by Mandiant in 2003
ā¢ Written by Emerging Threats
ā¢ Matches serial number and Issuer string
ā¢ Link Ch 9h
13. Header and Full Packet
Logging
ā¢ Two distinct purposes
ā¢ To help IR team generate signatures, monitor
activity, or identify stolen data
ā¢ Collect evidence for an administrative or legal
matter
ā¢ Consider whether to treat packet captures as
evidence and generate a chain of custody
14. Thoroughness
ā¢ IDS systems can retain the full session that
generated an alert
ā¢ But for targeted collection against speciļ¬c
subjects, use tcpdump or Wireshark
15. tcpdump
ā¢ Complete packet capture of an HTTP request
ā¢ Done with "tcpdump -X"
ā¢ Limiting capture to 64 bytes captures only the
headers (called "trap and trace" by law
enforcement)
18. ļ¬ow-tools and argus
ā¢ Open-source
ā¢ Convert pcap ļ¬le (from tcpdump) to Argus format
ā¢ Graph all packets > 68 bytes from server1 by port
number
23. Simple Method
ā¢ Deploy laptops or 1U servers
with hardware network taps
ā¢ Snort + tcpdump works
ā¢ Best if you are setting up
monitoring after an incident
is detected--fast & easy
24. IDS Limitations
ā¢ IDS platforms cannot reliably perform both
intrusion detection and network surveillance
simultaneously
ā¢ If you set an IDS to capture full-content, its
effectiveness as a sensor will diminish
26. Hardware
ā¢ Difļ¬cult to collect and store every packet
traversing high-speed links
ā¢ Recommended:
ā¢ 1U servers from large manufacturers
ā¢ Linux-based network monitoring distributions
ā¢ Linux now outperforms FreeBSD
ā¢ For best performance, use NTOP's PF_RING
network socket, not the default AF_PACKET
interface
27. Before an Incident
ā¢ If your organization plans ahead
ā¢ Commercial solutions that combine Snort-style
alerting wth storage
ā¢ Solera Network's DeepSea appliance
ā¢ RSA's NetWitness platform
28. Security Onion
ā¢ Free Linux distribution, with kernel patched
installed (securityonion.net)
ā¢ Includes analysis tools
30. Major Network Changes
ā¢ May facilitate network surveillance
ā¢ Ex: route all company locations through a
single Internet connection with MPLS
(Multiprotocol Label Switching), not a
separate ISP for each ofļ¬ce
31. Secure Sensor Deployment
ā¢ Place network sensor in a locked room, to
maintain chain of custody
ā¢ Patch the OS, keep it up to date
ā¢ Protect it from unauthorized access
ā¢ Document everything
ā¢ Review logs
ā¢ Use Tripwire to ensure integrity of OS
32. Evaluating Your Network
Monitor
ā¢ Is it receiving the trafļ¬c you want to monitor?
ā¢ Is the hardware responsive enough to
achieve your goals?
ā¢ Create signatures to detect test trafļ¬c and
test your monitor
ā¢ Such as a nonexistent URL
ā¢ Performance metrics in logs will tell you if the
sensor is dropping packets
34. General Principles
ā¢ Wireshark is excellent
ā¢ Especially with custom decoders, written in
Lua or C
ā¢ Don't hunt through large packet captures
looking for something new
ā¢ Limit the scope
ā¢ Use targeted queries that follow your leads and
answer investigative questions
35. Data Theft Scenario
ā¢ On Dec. 3, 2013, your investigation starts
ā¢ Two days ago, an attacker accessed a user's
desktop system
ā¢ Ran rar.exe and ftp.exe once each
ā¢ You have complete packet capture data
36. Prefetch
ā¢ Shows exact date and time ftp.exe was executed
ā¢ Dec. 1, 2013 at 00:57 UTC
ā¢ Interviews tell you that RAR and FTP are not
used normally on that workstation
37. PCAP File
ā¢ 73 FTP sessions on the date in question
ā¢ 2 are active during the time of interest
ā¢ Download PCAP ļ¬les from link Ch 9e
42. Password
ā¢ The RARs are password-protected
ā¢ We can see the names of ļ¬les and folders, but
not extract them
ā¢ A forensic examiner could search for command
lines using RAR.exe on the system, which might
contain the password
ā¢ Password cracking tools might help, but they
are slow
43. Is the Process Automated?
ā¢ Look for typographical errors
ā¢ Look at timing between steps of the attack
ā¢ Timing below indicates a human user
44. File from First Session
ā¢ pwdump hacking tool, steals password hashes
45. Webshell Reconnaissance
Scenario
ā¢ IDS detects a port scan coming from your DMZ
ā¢ From an Apache & MySQL server, on Windows,
at 203.0.113.101
ā¢ Interviews: no authorized port scan was run at
that time
ā¢ Login history shows no user logged in to the
server at that time
46. Apache Server Logs
ā¢ Large number of requests at the time of interest
ā¢ From an external IP address you don't recognize
ā¢ Many different pages requested
ā¢ Then many requests of the "/apps/login.php"
page
47. PHP Shell
ā¢ Many POST requests to "/apps/login.php"
ā¢ Then GET requests to "/tmpbkxcn.php"
ā¢ Containing strings such as
ā¢ cmd=netstat
ā¢ cmd=tasklist
49. SSL Encryption
ā¢ New versions of TLS have Forward Secrecy
ā¢ A different key for each session, using a
"session master secret"
ā¢ Older versions of TLS
ā¢ All data can be decrypted with the RSA private
key on the server
50. Importing the Key
ā¢ In Wirehark
ā¢ Wireshark,
Preferences,
Protocols,
SSL
ā¢ In "RSA keys
list" line,
click Edit
51. ā¢ "Decrypted SSL data" tab appears at bottom
ā¢ User-Agent: sqlmap (a common hacking tool)
60. Network-Based Logs
ā¢ Server-based logs are ļ¬les on the individual
systems
ā¢ May be altered or deleted by the attacker
ā¢ Network-based logs may be more reliable
ā¢ Especially if network devices are physically
and electronically secured
61. Log Aggregation
ā¢ Log aggregation is difļ¬cult because:
ā¢ Logs are in different formats
ā¢ Originate from different operating systems
ā¢ May require special software to access and
read
ā¢ May have inaccurate timestamps