detecting intrusions and malware - eric vanderburg - jurinnov
TRANSCRIPT
© 2012 JurInnov Ltd. All Rights Reserved.
Detecting Intrusions and Malware
August, 2012
Eric Vanderburg, MBA, CISSP, JurInnov, Ltd.
Malware
• Malware – Software that enters a computer system without the owner's knowledge or consent
  – Performs unwanted and usually harmful action
• Malware objectives
  – Rapidly spread its infection
  – Conceal its purpose
  – Make profit for its creators
Malware – Virus
• Viruses – Malicious computer code that reproduces on a single computer
  – An FBI survey revealed that despite protection programs, 82% of organizations have been infected by a virus.
Malware – Virus
• Methods of spreading virus
  – Virus appends itself to a file
  – Virus changes the beginning of the file
    • Adds jump instruction pointing to the virus
  – Swiss cheese infection
    • Injects portions of code throughout program's executable code
Malware – Virus
• Virus actions
  – Causing computer to crash repeatedly
  – Displaying an annoying message
  – Erasing files from hard drive
  – Making copies of itself to consume all space on the hard drive
  – Turning off security settings
  – Reformatting the hard drive
Malware – Virus
• Virus can only replicate on host computer
  – Cannot spread between computers without user action
• Types of viruses
  – Program virus
    • Infects program executable files
  – Macro virus
    • Stored within a user document
Malware – Worm
• Worms – Malicious program designed to take advantage of a vulnerability in an application or operating system
  – Searches for another computer with same vulnerability
  – Sends copies of itself over the network
Malware – Worm
• Worm actions
  – Consume network resources
  – Allow computer to be controlled remotely
  – Delete files
Malware – Trojan
• Trojan horses – install malicious software under the guise of doing something else
  – Executable program containing hidden malware code
  – Program advertised as performing one activity but actually does something else
Malware – Trojan
• Trojan may be installed on user's system with user's approval
• Trojans typically do not replicate to same computer or another computer
Malware – Spyware / Adware / Scareware
• Spyware
  – A dangerous, prolific code that logs a user's activity and collects personal information, which it then sends to a third party.
• Adware
  – A relative of spyware. Typically found with free software, they display advertisements when the program is running. They may also contain spyware.
• Scareware
  – Software that is meant to prompt a user to action or incite panic
Malware – Spyware / Adware / Scareware
• Spyware's negative effects on an infected computer
  – Slow system performance
  – Create system instability
  – Add browser toolbars or menus
  – Add shortcuts
  – Hijack a home page
  – Increase pop-ups
Malware – Spyware / Adware / Scareware
• Adware
  – Software program that delivers advertising content
    • In an unexpected and unwanted manner
• Adware actions
  – Display pop-up ads and banners
  – Open Web browsers at random intervals
  – May display objectionable content
  – May interfere with user productivity
  – May track and monitor user actions
Malware – Spyware / Adware / Scareware
• Scareware
  – Software that displays a fictitious warning
  – Tries to impel user to take action
  – Uses legitimate trademarks or icons
  – Pretends to perform a security scan and find serious problems
  – Offers purchase of full version of software to fix problems
  – Victim provides credit card number to attacker
    • Attacker uses number to make fraudulent purchases
Malware – Rootkit
• Rootkit
  – Set of software tools used by an attacker
  – Conceals presence of other malicious software
  – Actions
    • Deleting logs
    • Changing operating system to ignore malicious activity
Malware – Keylogger
• Keylogger
  – Hardware or software that captures keystrokes
  – Information can be retrieved by an attacker
• Hardware keylogger
  – Installed between computer keyboard and USB port
• Software keylogger
  – Hides itself from detection by the user
Malware – Bots
• Bots
  – A type of malware that allows an attacker to gain control over the infected computer (also called a "zombie computer") and use a company's network to send spam, launch attacks and infect other computers.
Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
  – Torrents
• Data mining
• Hacking
• Spread itself
History
1999 Pretty Park
• Used IRC for C&C & updates
• ICQ & email harvesting
• DoS
1999 SubSeven
• Used IRC for C&C
• Keylogger
• Admin shell access
2000 GTBot
• Bounce (relay) IRC traffic
• Port scan
• DDoS
• Delivery: email
2002 SDBot
• Keylogger
• Delivery: WebDAV and MSSQL vulnerabilities, DameWare remote management software, password guessing on common MS ports & common backdoors
2002 AgoBot
• Modular design
• DDoS
• Hides with rootkit tech
• Turns off antivirus
• Modifies hosts file
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire)
2003 SpyBot
• Builds on SDBot
• Customizable to avoid detection
• DDoS, keylogger, web form collection, clipboard logging, webcam capture
• Delivery: SDBot + P2P
2003 RBot
• Encrypts itself
• Admin shell access
2004 PolyBot
• Builds on AgoBot
• Polymorphs through encrypted encapsulation
2005 MyTob
• DDoS, keylogger, web form collection, webcam capture
• Delivery: email spam using MyDoom w/ own SMTP server
History
2006 Rustock
• Spam, DDoS
• Uses rootkit to hide
• Encrypts spam in TLS
• Robust C&C network (over 2500 domains)
• Delivery: email
2007 Cutwail
• Spam, DDoS
• Harvests email addresses
• Rootkit
• Delivery: email
2007 Storm
• Spam
• Dynamic fast flux C&C DNS
• Malware re-encoded twice/hr
• Defends itself with DDoS
• Sold and "licensed"
• Delivery: email enticement for free music
2007 Zeus
• Phishing w/ customizable data collection methods
• Web based C&C
• Stealthy and difficult to detect
• Sold and "licensed" to hackers for data theft
• Delivery: phishing, social networking
2008 TDSS
• Sets up a proxy that is rented to others for anonymous web access
• Delivery: Trojan embedded in software
2008 Mariposa (Butterfly)
• Rented botnet space for spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB
History
2009 Koobface
• Installs pay-per-install malware
• Delivery: social networking
Life Cycle
• Exploit
  – Malicious code
  – Unpatched vulnerabilities
  – Trojan
  – Password guessing
  – Phish
• Rally – Reporting in
  – Log into designated IRC channel and PM master
  – Make connection to HTTP server
  – Post data to FTP or HTTP form
[Diagram: life cycle stages in order – Exploit, Rally, Preserve, Inventory, Await instructions, Update, Execute, Report, Clean up]
Life Cycle
• Preserve
  – Alter A/V DLLs
  – Modify hosts file to prevent A/V updates
  – Remove default shares (IPC$, ADMIN$, C$)
  – Rootkit
  – Encrypt
  – Polymorph
  – Retrieve anti-A/V module
  – Turn off A/V or firewall services
  – Kill A/V, firewall or debugging processes
Agobot host control commands:
<preserve>
  <pctrl.kill "Mcdetect.exe"/>
  <pctrl.kill "avgupsvc.exe"/>
  <pctrl.kill "avgamsvr.exe"/>
  <pctrl.kill "ccapp.exe"/>
</preserve>
Life Cycle
• Inventory
  – Determine capabilities such as RAM, HDD, processor, bandwidth, and pre-installed tools
• Await instructions from C&C server
• Update
  – Download payload/exploit
  – Update C&C lists
Life Cycle
• Execute commands
  – DDoS
  – Spam
  – Harvest emails
  – Keylog
  – Screen capture
  – Webcam stream
  – Steal data
• Report back to C&C server
• Clean up – Erase evidence
Propagation
• Scan for Windows shares and guess passwords (PRINT$, C$, D$, E$, ADMIN$, IPC$) – find usernames, guess passwords from list
  – Remember to use strong passwords
[Figure: Agobot propagation functions]
Propagation
• Use backdoors from common trojans
• P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)
Propagation
• SPIM
  – Message contact list
  – Send friend requests to contacts from email lists or harvested IM contacts from the Internet
• Email
  – Harvests email addresses from ASCII files such as html, php, asp, txt and csv
  – Uses own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name.
Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (Ex: researchers in 2004 redirected C&C to monitoring server)
Detecting bots
• Monitor port statistics on network equipment and alert when machines utilize more than average
  – Gather with SNMP, NetFlow, or first stage probes (sniffers) attached to port-mirrored ports on switches.
    • Wireshark
    • Real time NetFlow analyzer – SolarWinds free NetFlow tool
    • Small Operation Center or MRTG – free SNMP/syslog server with dashboard
    • SNARE – event log monitoring (Linux & Windows agents)
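The "alert when machines utilize more than average" rule above, worked through on flow data. This is an added example, not code from the deck or from any of the tools it lists: the baseline per-host totals and today's flow records are constructed, and the threshold (mean plus three standard deviations of the known-good per-host totals) is an assumption chosen for illustration. The host that stands out also has the two secondary indicators the deck associates with bots: an IRC-style control port and direct outbound SMTP to many hosts.

```python
import statistics
from collections import defaultdict

# Constructed per-host daily outbound byte totals from a "known good" week,
# gathered the way the slide describes (SNMP port counters or NetFlow exports).
BASELINE_BYTES = [100_000, 120_000, 90_000, 110_000, 130_000, 95_000, 105_000]

# Constructed flow records for today: (src, dst, proto, dst_port, bytes).
TODAY_FLOWS = [
    ("192.168.1.10", "93.184.216.34", "tcp", 443, 70_000),
    ("192.168.1.10", "192.0.2.20",    "tcp", 443, 50_000),
    ("192.168.1.11", "93.184.216.34", "tcp", 443, 95_000),
    ("192.168.1.12", "192.0.2.21",    "tcp", 80,  115_000),
    ("192.168.1.77", "198.51.100.8",  "tcp", 6667, 40_000),   # IRC-style C&C port
    ("192.168.1.77", "203.0.113.40",  "tcp", 25,  800_000),   # direct outbound SMTP
    ("192.168.1.77", "203.0.113.41",  "tcp", 25,  760_000),
    ("192.168.1.77", "203.0.113.42",  "tcp", 25,  800_000),
]

def per_host_totals(flows):
    """Sum outbound bytes per source host and count its distinct destinations."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, _proto, _port, nbytes in flows:
        totals[src] += nbytes
        dests[src].add(dst)
    return dict(totals), {h: len(d) for h, d in dests.items()}

def volume_threshold(baseline, k=3.0):
    """Mean plus k standard deviations of the known-good per-host totals (assumed rule)."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)

def find_talkative_hosts(flows, baseline, k=3.0):
    """Hosts whose outbound volume exceeds the baseline threshold, with context for triage."""
    totals, fanout = per_host_totals(flows)
    limit = volume_threshold(baseline, k)
    mean = statistics.mean(baseline)
    report = []
    for host, nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        if nbytes > limit:
            report.append({"host": host, "bytes": nbytes,
                           "distinct_destinations": fanout[host],
                           "ratio_to_baseline_mean": round(nbytes / mean, 1)})
    return report

if __name__ == "__main__":
    print("threshold: %.0f bytes/day" % volume_threshold(BASELINE_BYTES))
    for entry in find_talkative_hosts(TODAY_FLOWS, BASELINE_BYTES):
        print(entry)
```

The same aggregation works on real NetFlow exports or SNMP interface counters once they are reduced to per-host totals; the baseline should be taken per host role (a mail server legitimately sends far more than a workstation), otherwise the threshold is either too loose for workstations or fires on every server.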
Who Are the Attackers?
• Cybercriminals
• Script kiddies
• Spies
• Insiders
• Cyberterrorists
• Hacktivists
• Government agencies
[Chart: attacker types arranged by skills required]
Cybercriminals / Organized Crime
• Generic definition
  – People who launch attacks against other users and their computers
• Specific definition
  – Loose network of highly motivated attackers
  – Many belong to organized gangs of attackers
• Targets
  – Individuals and businesses
  – Businesses and governments
Cybercriminals / Organized Crime
• Lee Klein compromised the Lexis-Nexis system and may have stolen personal data of up to 13,000 users and sold the data to the Bonanno crime family.
• Groups based in the former Soviet Union have been repeatedly implicated in significant computer breaches.
Cybercriminals / Organized Crime
• In 2005, federal agents conducted a sting operation in order to arrest members of a group known as 'ShadowCrew'. This gang was a group of hackers working together to conduct a variety of computer crimes including identity theft.
• This phenomenon is international in scope. Korean authorities have also arrested gangs of online criminals.
• The most common crime for these groups is identity theft.
Script Kiddies
• Attackers who lack knowledge necessary to perform attack on their own
• Use automated attack software
• Can purchase "exploit kit" for a fee from other attackers
• Over 40 percent of attacks require low or no skills
Spies
• People hired to break into a computer and steal information
• Do not randomly search for unsecured computers
  – Hired to attack a specific computer or system
• Goal
  – Break into computer or system
  – Take information without drawing attention to their actions
• Generally possess excellent computer skills
Spies
• It is generally believed by security experts that many companies have purchased information from freelance individuals without asking where that information came from.
• In 2008, the SANS Institute ranked cyber espionage as the third greatest threat on the Internet.
• In 1993, General Motors (GM) and one of its partners began to investigate a former executive, Inaki Lopez. GM alleged that Lopez and seven other former GM employees had transferred GM proprietary information to Volkswagen (VW) in Germany via GM's own network.
Spies
• CIO Magazine examined the issue of government-based cyber espionage in a 2009 article. The article discusses the possibility that the Chinese government was behind a widespread infiltration of over 1200 computers owned by over 100 countries, with the express purpose of spying on the activities of those countries.
• One week before Christmas 2009, the story broke that hackers had stolen secret defense plans of the United States and South Korea.
Insiders
• An organization’s own employees, contractors, and business partners
• One study showed 48 percent of data breaches are caused by insiders accessing information
• Most insider attacks: sabotage or theft of intellectual property
• Most sabotage comes from employees who have recently been demoted, reprimanded, or left the company
Cyberterrorists
• Goals of a cyberattack
  – Deface electronic information
    • Spread misinformation and propaganda
  – Deny service to legitimate computer users
  – Cause critical infrastructure outages and corrupt vital data
• Attacks may be ideologically motivated
Cyberterrorists
• According to the FBI “cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents.”
• In 2008 and 2009 there have been growing reports of attacks on various systems tracing back to South Korea or China.
Hacktivists
• Motivated by ideology
• Direct attacks at specific Web sites
• May promote a political agenda
  – Or retaliate for a specific prior event
Governments
• May instigate attacks against own citizens or foreign governments
• Examples of attacks by government agencies
  – Malware Flame targeted at computers in Eastern Europe
  – Malware Stuxnet targeted a nuclear power plant near Persian Gulf
  – Iranian government reads e-mail messages of 30,000 citizens
    • Attempt to track down dissidents
Governments
• Attacks are
  – Premeditated, politically-motivated attacks against computer systems
  – Intended to cause panic, provoke violence, or cause financial catastrophe
• Possible targets
  – Banking industry
  – Air traffic control centers
  – Water systems
Governments
• This can mean attempting to spread disinformation in an attempt to mislead the enemy or propaganda in order to undermine the enemy's morale.
• The first way in which the Internet is used in information warfare is in the realm of propaganda. Every stakeholder in any situation has their own interpretation of events and news.
• Law enforcement agencies have successfully used fake websites, fake craigslist ads, and other techniques to help capture criminals. It is also possible to utilize the Internet to feed misinformation to criminals and terrorists.
Networking Concepts
• TCP/IP
• IP Addressing
• Packet Fragmentation
• ICMP
• Wireless
• Other Protocols
  – DNS
  – DHCP
  – PPTP, SSTP, L2TP
OSI Reference Model
[Diagram: two communicating hosts, one OSI stack each, layer talking to its peer layer]
Application   <->  Application
Presentation  <->  Presentation
Session       <->  Session
Transport     <->  Transport
Network       <->  Network
Datalink      <->  Datalink
Physical      <->  Physical
            Medium
Encapsulation
• Enclosing some data within another thing so that the included data is not apparent.
Application – Layer 7
• Where programs access network services
• FTP, HTTP, client software
• Problems at this layer:
  – Misconfigured settings
  – Incompatible commands
Presentation – Layer 6
• Formats data
• Protocol conversion
• Encryption
• Compression
• Character set (ASCII, Unicode, EBCDIC)
• Problems at this layer:
  – Cannot decrypt
  – Wrong conversion
Redirector
• Sends requests for services to the appropriate network device.
• RDR can sometimes stand for redirector
  – Rdr.sys
  – Windows redirector registry entries stored in
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr
Session – Layer 5
• Manages communication
• Identification
• Window size
• Keep alive messages
• ACK, NAK
• Name resolution
  – DNS
  – NetBIOS
• Logon
• Problems at this level:
  – Incorrect or no name resolution
Transport – Layer 4
• Segmenting
• Sequencing
• Error checking
• Flow control – as much data as can handle
• TCP & SPX
• Problems at this layer:
  – Overly large segments
Network – Layer 3
• Logical addressing
• Routing
• QoS
• Deals with packets
• IP & IPX
• Problems at this layer:
  – Incorrect routing (bad config)
  – Incorrect routing table
  – Incorrect routing protocol
  – Incorrect IP configuration
Datalink – Layer 2
• Physical addressing
• Deals with frames
• Discards bad frames
• Convert to bits
• Problems at this layer:
  – Collisions
  – Bad frames
  – Faulty NIC
  – Incorrect bridging tables
Datalink Sublayers
• MAC
  – Manages multiple NICs
  – Creates frame and sends to physical
  – Sense carrier
  – Pass tokens
• LLC
  – Error recovery
  – Integrity checking
Physical – Layer 1
• Encoding – Convert bits to signals
  – 101001011001
• Problems at this level:
  – Interference
  – Noise
  – Cable not connected
OSI & TCP/IP
OSI Model       TCP/IP
Application     Application
Presentation    Application
Session         Application
Transport       Transport
Network         Internet
Datalink        Network
Physical        Network
IP Addresses
• Class A – 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
  – First bit 0; 7 network bits; 24 host bits
  – Initial byte: 0 - 127
  – 126 Class As exist (0 and 127 are reserved)
  – 16,777,214 hosts
• Class B – 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
  – First two bits 10; 14 network bits; 16 host bits
  – Initial byte: 128 - 191
  – 16,384 Class Bs exist
  – 65,532 hosts
• Class C – 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh
  – First three bits 110; 21 network bits; 8 host bits
  – Initial byte: 192 - 223
  – 2,097,152 Class Cs exist
  – 254 hosts
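The classful decoding above, carried out on the leading bits rather than on the first-octet ranges, so the network and host bit counts, the default mask and the host count fall out of the bit pattern. This is an added example and not part of the deck; the CLASSES table and the addresses fed to it are constructed, and classes D and E are included only so that every first octet maps somewhere.

```python
import ipaddress

# Constructed table: (leading-bit pattern, class, network bits after the pattern,
# host bits). D and E have no network/host split and get None.
CLASSES = [
    ("0",    "A", 7,  24),
    ("10",   "B", 14, 16),
    ("110",  "C", 21, 8),
    ("1110", "D", None, None),   # multicast
    ("1111", "E", None, None),   # reserved / experimental
]

def classify_ip(addr):
    """Decode an IPv4 address by its leading bits into class, mask and host capacity."""
    a = ipaddress.IPv4Address(addr)
    bits = format(int(a), "032b")          # 32-character binary string
    first_octet = int(a) >> 24
    for prefix, cls, net_bits, host_bits in CLASSES:
        if not bits.startswith(prefix):
            continue
        info = {"class": cls, "first_octet": first_octet, "binary": bits}
        if host_bits is not None:
            prefix_len = len(prefix) + net_bits   # fixed bits + network bits
            net = ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)
            info.update({
                "network_bits": net_bits,
                "host_bits": host_bits,
                "usable_hosts": 2 ** host_bits - 2,        # minus network and broadcast
                "networks": 2 ** net_bits,
                "default_mask": str(net.netmask),
                "network": str(net.network_address),
            })
            if cls == "A":
                info["networks"] -= 2                      # 0 and 127 are reserved
                info["reserved"] = first_octet in (0, 127)
        return info
    raise ValueError("unreachable: every bit pattern matches a class")

if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.4", "192.168.1.19", "224.0.0.1", "127.0.0.1"):
        print(sample, classify_ip(sample))
```

Classful addressing was replaced by CIDR in practice, but the decoder is still useful when reading the deck's Snort and NetFlow examples, where /24 and similar prefixes are assumed to line up with the old class boundaries.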
Packet Fragmentation
• Data is split into many packets
• Encapsulation, de-encapsulation and padding cause additional fragmentation
• Reassembled by sequence number
ICMP – To Ping or not to Ping
• Internet Control Message Protocol
  – Checks host alive status
  – Susceptible to attacks
    • Smurf – broadcast pings with spoofed address
    • PoD (Ping of Death) – ICMP packet larger than 65,535 bytes – causes buffer overflow upon reassembly
  – Can be used to footprint
Wireless – Overview
• How does it work?
• What are the risks?
• What security controls are available?
Wireless – How it works
• Spread Spectrum Technologies
  – Uses multiple frequencies
    • Less interference
    • Redundancy
  – Frequency Range: 902-928MHz, 2.4GHz
  – Frequency Hopping
    • Changes at regular intervals
    • Lower bandwidth, more secure
  – Direct-sequence Modulation
    • Send different data chunks along multiple frequencies
    • Low frequencies (just above noise)
Wireless – How it works
• 802.11a
  – 54Mbps
  – 5GHz
• 802.11b
  – 11Mbps
  – 2.4GHz
• 802.11g
  – 54Mbps
  – 2.4GHz
  – WPA support
• 802.11n
  – 300Mbps
  – 2.4GHz
Wireless – How it works
• BSA (Basic Service Area)
  – Influence of the WAPs
  – Depends on:
    • Power of the transmitter
    • Environment
• BSS (Basic Service Set)
  – Stations belonging to an AP
Attacks Through Wireless Networks
• Popular types of wireless networks
  – Wi-Fi
  – Bluetooth
• Wi-Fi networks
  – Wireless local area network (WLAN)
  – Use radio frequency (RF) transmissions
  – Devices in range of a connection device can send and receive information
• Estimate: 1.4 billion wireless devices shipped in 2014
Attacks Through Wireless Networks
• Wi-Fi equipment
  – Mobile device needs a wireless client interface card adapter (wireless adapter)
  – Special software to translate between device and adapter
  – Wireless broadband router or access point
    • Base station for sending and receiving signals
    • Gateway to the Internet
Attacks Through Wireless Networks
• Attacks on home Wi-Fi networks relatively easy
  – Signal not confined within home walls
  – Many users do not understand how to configure router security
  – Some users consider security an inconvenience
• Types of attacks
  – Stealing data
  – Reading wireless transmissions
  – Injecting malware
  – Downloading harmful content
Attacks Through Wireless Networks
• Free or fee-based wireless network rarely protected
• Evil twin
  – Attacker's wireless device
  – Mimics an authorized Wi-Fi device
  – Attacker can use to send malware directly to victim's computer
Wireless – Detecting networks
• NetStumbler
• inSSIDer
• Commercial enterprise tools
Bluetooth
• Bluetooth
  – Common wireless technology
  – Short-range
    • Up to 33 feet; 1Mbps transmission rate – See Figure 5-5
• Bluetooth attacks
  – Bluejacking
    • Sending text messages
  – Bluesnarfing
    • Accessing unauthorized information
Other Protocols
• DNS
• DHCP
• PPTP, SSTP, L2TP
Firewalls
• Packet filters – allow or deny based on…
  – Source or destination IP address
  – Source or destination port
  – Blocked IP lists, blacklists and whitelists
• Session-layer proxies – stateful allow or deny decisions
  – Middle-man between source and destination
  – Decrypted content inspection
• Application proxies – examine one or more layer 7 traffic types such as email, SQL or HTTP.
Firewall features
• NAT
• DHCP
• VPN tunneling
• Load balancing
• Failover
• Stateful packet inspection
• Performance monitoring
• Centralized management
• SNMP
• Application proxy
Common interfaces
• Console – serial (DB9) or USB
• Secure Shell (SSH)
• Secure Copy (SCP) and SSH FTP (SFTP)
• Telnet
• Simple Network Management Protocol (SNMP)
• Trivial File Transfer Protocol (TFTP)
• Web interfaces
Auditing
• Policy
• Logs
Intrusion Detection and Prevention Systems
• IDS – audit only
• IPS – audit and respond
• Problem with tuning down and exceptions
• Types
  – Port mirrored
  – Inline
  – Integrated
IPS functionality
• Detection
  – Signature
  – Behavior
  – Malformed data/protocols
• Analysis
  – Protocol reassembly
  – Normalization
• Rules
IPS functionality
• Alerts
  – Email
  – Syslog
  – SNMP
  – Database
• Tracing
  – Summary information
  – Packet captures
IPS Limitations
• Verify scope – sensors may be configured differently
IPS Brands
• Check Point IPS-1
• Cisco IPS
• Corero Network Security
• Enterasys IPS
• HP TippingPoint IPS
• IBM Security NIPS
• Sourcefire 3D System
• Custom built (Snort or Bro)
Snort
• Open source IDS
• Extensible
• Most widely used
Snort Architecture
[Diagram: packet processing pipeline, left to right]
• Capture packets on bound interface(s)
• Reassemble and analyze protocol
• Anomaly detection
  – protocol
  – frame
  – packet
• Passed to rule engine
• Determine actions
  – Drop and log (pcap)
  – Drop, no log
  – Accept
  – Accept and log (pcap)
  – Notify
Rule Matching
• Directionality: -> <- <>
• Protocol
• Source IP, network or port
  – log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any
  – Matches TCP data coming from outside the 192.168.1.0/24 network and destined for it
• Destination IP, network or port
  – log udp any any -> 192.168.1.0/24 1:1024
  – Logs UDP traffic coming from any port with destination ports ranging from 1 to 1024
• Content
  – alert tcp !192.168.1.0/24 any -> 192.168.1.19/24 80 (content: "web.config"; msg: "outside request for web.config";)
  – Find requests for web.config from the outside and send an alert
Rule matching – additional options
• minfrag – min size for packet fragments
• dsize – packet payload size
  – Dsize: >100 and <1000;
• depth – how far to search in the packet
• offset – start searching after this point
• Example
  – alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)
Rule matching – additional options
• TTL – match on specific TTL
• ID – match on specific fragment ID – some known hacking tools use specific IDs
• logto – create separate output file
• session – records what is typed in telnet, rlogin, ftp, etc.
  – log tcp any any <> 192.168.1.0/24 23 (session: printable; logto: ".\telnet\telnet-records.log";)
  – Records telnet sessions
Rule matching – Flags
• F – FIN
• S – SYN – synchronize (request connection)
• R – RST
• P – PSH – push data up stack before waiting for additional data
• A – ACK
• U – URG – urgent
• 2 – Reserved bit (used in fingerprinting)
• alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)
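The rule-matching slides above (header fields, direction, content with offset/depth, and flags), worked through as a small matcher that parses the deck's rules and runs constructed packets through them. This is an added example and not Snort's engine or any code from the deck: it handles only the subset of Snort syntax the slides show (no dsize, ttl, id, session or logto), the first rule is written with an explicit destination port of "any" as Snort requires, the web.config rule is given the 192.168.1.0/24 destination so it lines up with the other rules, and the packets are constructed.

```python
import re
import ipaddress

# Constructed rules in the Snort header/option syntax the slides use. They are
# assumed to be a small subset of Snort's language and are parsed by hand here.
RULES = [
    'log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any',
    'log udp any any -> 192.168.1.0/24 1:1024',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 80 '
    '(content:"web.config"; msg:"outside request for web.config";)',
    'alert tcp any any -> 192.168.1.0/24 80 '
    '(content:"cgi-bin/phf"; offset:3; depth:22; msg:"CGI-PHF attack";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"Possible SYN FIN scan";)',
]

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$')

def parse_rule(text):
    """Split a rule into its header fields and a dict of 'key:value' options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in (opts or '').split(';'):
        if opt.strip():
            key, _, value = opt.partition(':')
            options[key.strip()] = value.strip().strip('"')
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport, 'opts': options}

def ip_match(spec, ip):
    """'any', a CIDR block or a single address; a leading '!' negates the match."""
    if spec == 'any':
        return True
    net = ipaddress.ip_network(spec.lstrip('!'), strict=False)
    inside = ipaddress.ip_address(ip) in net
    return not inside if spec.startswith('!') else inside

def port_match(spec, port):
    """'any', one port, or an inclusive 'lo:hi' range."""
    if spec == 'any':
        return True
    lo, sep, hi = spec.partition(':')
    return int(lo) <= port <= int(hi) if sep else port == int(lo)

def header_match(rule, pkt):
    """Protocol, addresses and ports; '<>' accepts either direction."""
    if rule['proto'] != pkt['proto']:
        return False
    def one_way(s, sp, d, dp):
        return (ip_match(s, pkt['src']) and port_match(sp, pkt['sport'])
                and ip_match(d, pkt['dst']) and port_match(dp, pkt['dport']))
    forward = one_way(rule['src'], rule['sport'], rule['dst'], rule['dport'])
    if rule['dir'] == '<>':
        return forward or one_way(rule['dst'], rule['dport'], rule['src'], rule['sport'])
    return forward

def options_match(rule, pkt):
    """flags must match exactly; content is searched from offset, for depth bytes."""
    o = rule['opts']
    if 'flags' in o and set(o['flags']) != set(pkt.get('flags', '')):
        return False
    if 'content' in o:
        region = pkt.get('payload', b'')[int(o.get('offset', 0)):]
        if 'depth' in o:
            region = region[:int(o['depth'])]
        if o['content'].encode() not in region:
            return False
    return True

def evaluate(rules, pkt):
    """Return (action, msg) for every parsed rule the packet satisfies."""
    return [(r['action'], r['opts'].get('msg', ''))
            for r in rules if header_match(r, pkt) and options_match(r, pkt)]

PARSED_RULES = [parse_rule(r) for r in RULES]

# Constructed packets: outside web request, SYN/FIN probe, inside DNS, inside CGI probe.
SAMPLE_PACKETS = [
    {'proto': 'tcp', 'src': '10.9.8.7', 'sport': 40000, 'dst': '192.168.1.19',
     'dport': 80, 'flags': 'PA', 'payload': b'GET /web.config HTTP/1.1\r\n'},
    {'proto': 'tcp', 'src': '203.0.113.5', 'sport': 5555, 'dst': '192.168.1.40',
     'dport': 22, 'flags': 'SF', 'payload': b''},
    {'proto': 'udp', 'src': '192.168.1.3', 'sport': 5353, 'dst': '192.168.1.9',
     'dport': 53, 'payload': b''},
    {'proto': 'tcp', 'src': '192.168.1.50', 'sport': 1234, 'dst': '192.168.1.10',
     'dport': 80, 'flags': 'PA', 'payload': b'GET /cgi-bin/phf?x HTTP/1.0'},
]

if __name__ == '__main__':
    for pkt in SAMPLE_PACKETS:
        print(pkt['src'], '->', pkt['dst'], pkt['dport'], evaluate(PARSED_RULES, pkt))
```

The depth handling is the detail worth checking against your own rules: depth counts bytes from the offset, so offset:3 with depth:22 inspects payload bytes 3 through 24 only, and a content string that starts later in the request is missed even though it is present in the packet.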
Event Collection – Windows logs
• Windows NT – 2003
  – Application
  – Security
  – System
  – Special
    • Directory Service
    • DNS Server
    • File Replication Service
    • PowerShell
• Server 2008 / 2008 R2
  – Includes 2003 logs plus:
    • Administrative events
    • Setup
    • Server roles
  – Organized by installed roles with custom filters
Event Collection – Mac Logs
• Stored in Library/Logs
• Over 100 logs including:
  – System.log
  – Mail.log
  – Appfirewall.log
    • Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53
    • Unexpected UDP connection attempt
  – Install.log
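A parser for the appfirewall.log line format shown above, as an added example that is not part of the deck. The first sample line is the slide's own; the remaining lines are constructed, and the "three or more distinct ports from one source" rule used to single out a remote host is an assumption chosen for illustration. Note that the slide's line is a UDP packet from port 53 to a high port, which is what a late DNS reply looks like after the resolver has closed its socket, so the parser records the source port rather than treating every stealth-mode line as hostile.

```python
import re
from collections import Counter

# Constructed appfirewall.log excerpt. Line 1 is the slide's example; the rest are made up.
SAMPLE_LOG = """\
Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53
Aug 27 11:11:02 Iceberg Firewall[113]: Stealth Mode connection attempt to TCP 192.168.0.25:22 from 203.0.113.9:51234
Aug 27 11:11:03 Iceberg Firewall[113]: Stealth Mode connection attempt to TCP 192.168.0.25:23 from 203.0.113.9:51235
Aug 27 11:11:04 Iceberg Firewall[113]: Stealth Mode connection attempt to TCP 192.168.0.25:445 from 203.0.113.9:51236
Aug 27 11:12:30 Iceberg Firewall[113]: Allow sshd connecting from 192.168.0.7:50012
"""

# Month, day (one or two digits), time, host, "Firewall[pid]:", then the stealth-mode text.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) Firewall\[(?P<pid>\d+)\]: '
    r'Stealth Mode connection attempt to (?P<proto>TCP|UDP) '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$')

def parse_stealth_events(text):
    """Return one dict per 'Stealth Mode' line; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["sport"] = int(e["sport"])
            e["likely_dns_reply"] = e["proto"] == "UDP" and e["sport"] == 53
            events.append(e)
    return events

def summarize(events, scan_threshold=3):
    """Count attempts per remote source and list sources that touched several local ports."""
    by_src = Counter(e["src"] for e in events)
    ports_by_src = {}
    for e in events:
        ports_by_src.setdefault(e["src"], set()).add(e["dport"])
    multi_port = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"attempts_by_source": dict(by_src), "multi_port_sources": multi_port}

if __name__ == "__main__":
    evts = parse_stealth_events(SAMPLE_LOG)
    for e in evts:
        print(e["ts"], e["proto"], e["src"], "->", e["dport"], "dns-reply?" , e["likely_dns_reply"])
    print(summarize(evts))
```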
Event Collection – Linux Logs
• Logs based on syslog
• Organized by facility such as mail or web
• Syslog-ng – supports TLS encryption for shipped logs
• Rsyslogd – supports IPv6, RELP (Reliable Event Logging Protocol), TLS, timestamping and zone logging
Event Collection – Linux Logs
• /var/log/faillog : This log file contains failed user logins. This can be very important when tracking attempts to crack into the system.
• /var/log/kern.log : This log file is used for messages from the operating system's kernel. This is not likely to be pertinent to most computer crime investigations.
• /var/log/lpr.log : This is the printer log and can give you a record of any items that have been printed from this machine. It can be useful in corporate espionage cases.
• /var/log/mail.* : This is the mail server log and can be very useful in any computer crime investigation. Emails can be a component in any computer crime, and even in some non-computer crimes such as fraud.
• /var/log/mysql.* : This log records activities related to the MySQL database server and will usually be of less interest to a computer crime investigation.
Event Collection – Linux Logs
• /var/log/apache2/* : If a machine is running the Apache web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.
• /var/log/lighttpd/* : If a machine is running the Lighttpd web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.
• /var/log/apport.log : This records application crashes. Sometimes these can reveal attempts to compromise the system, or the presence of a virus or spyware.
• /var/log/user.log : These contain user activity logs and can be very important to a criminal investigation.
Event Collection – Linux Logs
• There are several shell commands one can enter to view system logs in Linux. For example, to view the printer log any of the following would work, though some won't be supported by every Linux shell:
  – # tail -f /var/log/lpr.log
  – # less /var/log/lpr.log
  – # more -f /var/log/lpr.log
  – # vi /var/log/lpr.log
Chat Room Logs
• Most chat software keeps at least a temporary log of conversations. This is true for MSN Messenger, Yahoo Messenger and many others.
• The exact path for viewing those logs will vary from product to product.
How Logs Get Cleared
• Clearing the log. Any user with administrative privileges can simply wipe out a log. However, this will be obvious when you see an empty event log.
• Using auditpol.exe. This is an administrative utility that exists in Windows systems. It won’t show on the desktop or in the programs—you have to know it’s there and go find it. But using auditpol \\ipaddress /disable turns off logging. Then when the criminal exits, they can use auditpol \\ipaddress /enable to turn it back on.
• There are a number of utilities on the web that will assist an attacker in this process. For example WinZapper allows one to selectively remove certain items from event logs in Windows.
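The three clearing methods above each leave a footprint in the Security log, and that footprint is what a collector should look for. This is an added example, not code from the deck: the records are constructed, and the two event IDs it keys on, 1102 ("The audit log was cleared") and 4719 ("System audit policy was changed"), are the standard Windows Security-log IDs for those actions. A 4719 followed directly by another 4719 with nothing logged in between is the shape an auditpol /disable ... /enable pair leaves behind, so the window between them is reported as a period whose absence of events cannot be trusted.

```python
from datetime import datetime

# Constructed Security-log records: (timestamp, event ID, description).
SECURITY_LOG = [
    ("2012-08-27 09:00:00", 4624, "An account was successfully logged on"),
    ("2012-08-27 09:05:00", 4719, "System audit policy was changed"),
    ("2012-08-27 11:40:00", 4719, "System audit policy was changed"),
    ("2012-08-27 11:41:00", 4624, "An account was successfully logged on"),
    ("2012-08-28 08:00:00", 1102, "The audit log was cleared"),
    ("2012-08-28 08:01:00", 4624, "An account was successfully logged on"),
]

LOG_CLEARED = 1102            # Windows: "The audit log was cleared"
AUDIT_POLICY_CHANGED = 4719   # Windows: "System audit policy was changed"

def audit_tamper_findings(records):
    """Return (finding, when, detail) tuples for cleared logs, policy changes and
    disable/enable windows, in chronological order."""
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, d)
                    for t, eid, d in records)
    findings = []
    for i, (when, eid, desc) in enumerate(parsed):
        if eid == LOG_CLEARED:
            findings.append(("log_cleared", when, desc))
        elif eid == AUDIT_POLICY_CHANGED:
            findings.append(("audit_policy_changed", when, desc))
            # Two consecutive policy changes with nothing between them: the
            # auditpol /disable ... /enable pattern. Report the silent window.
            if i + 1 < len(parsed) and parsed[i + 1][1] == AUDIT_POLICY_CHANGED:
                gap = parsed[i + 1][0] - when
                findings.append(("possible_audit_disabled_window", when,
                                 "no events recorded for %s until the next policy change" % gap))
    return findings

if __name__ == "__main__":
    for finding in audit_tamper_findings(SECURITY_LOG):
        print(finding)
```

Because the 1102 record is written after the clear, it survives on the host only until the next clear; forwarding events to a remote collector (the deck's SNARE, syslog and SIEM slides) is what makes the finding durable.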
Event Collection – Tools
• WinRM – Microsoft tool that runs on Server 2008 R2
• Argus
• Softflowd
• Cisco MARS (Monitoring, Analysis and Response System)
Event Collection – Tools
• SNARE (System iNtrusion Analysis and Reporting Environment) – open source
• Splunk (only free for 500MB/day)
• SCOM (System Center Operations Manager)
• DAD (Distributed log Aggregation for Data analysis)
SIEM
• Security Information and Event Management
  – Log aggregation
  – Correlation
  – Normalization
  – Alerting
  – Dashboards
  – Views
  – Compliance reports
  – Retention
Automated responses
• Throttle
• Drop
• Shun
• Island
Packet Filtering
• Sensor – monitors traffic flow, extracts flow records and sends to collectors
• Collector – receives flow records and stores them
• Aggregator – central collection point when multiple collectors are used
• Analysis – tool that organizes and makes sense of the collected data
Network Analysis
• Network schematic
• Server roles
• Baselining – normal profile
  – Destination IP addresses
  – Ports
  – Protocols
  – Volume of data and directionality
Analysis
• Activity pattern matching
• Packet analysis
  – Libpcap and WinPcap
  – Wireshark
• Traffic analysis
  – NetworkMiner
• Persistent packet sniffing
  – Data available when needed
  – High disk and CPU requirement
  – Must be highly secure
Wireshark – Interface
[Screenshot: the three panes – Packet list, Packet details, Packet bytes]
Wireshark
• Filtering
  – Frame contains "search term"
• Flow – sequence of packets comprising a single communication segment.
  – Ex: connection, negotiation, file request, file delivery, checksum, acknowledgment, termination
  – Flow record – subset of information from a flow such as source and destination IP, protocol, date or time
Wireshark – Encrypted content
• TLS/SSL
  – Obtain server or workstation private key
  – Decrypt session keys with private key
  – Decrypt message stream with session keys
  – Record session key changes and continue decrypting message stream
  – Go to Preferences > Protocols > SSL > Edit RSA keys list > New, point to private key and enter IP address, port, protocol and password
NetworkMiner
• Traffic analysis tool
• Graphical breakdown of…
  – Hosts
  – Images
  – Files
  – Email
  – DNS
  – Sessions
Wireshark / NetworkMiner demo
• Capture data
  – Send email
    • [email protected]
    • IknowIT2!
  – Visit web site
  – Run lansearch and copy files
• End capture
• Export to pcap
• View in NetworkMiner
Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots.
  – Nexpose
    • Free for up to 32 IPs
  – OpenVAS (Vulnerability Assessment System)
    • Linux
    • VM available (resource intensive)
  – Greenbone Desktop Suite (uses OpenVAS)
    • Windows XP/Vista/7
  – MBSA (Microsoft Baseline Security Analyzer)
  – Secunia PSI (local Windows machine scanning only)
Architecting a Solution
• How does it fit in the security strategy?
• Scope
• Scalability
• Regulations and Standards
• Structure
  – Distributed
  – Centralized
• Platforms
  – Black box
  – Open Source
  – Commercial Application
IDS/IPS
• Active or passive
• Host, network or both
• Centralized or decentralized
Event Logging
• Placement
  – Perimeter
  – VLAN or Workgroup
  – Wireless
  – Choke points – maximize collection capacity within budget and ability to process and analyze
  – Minimize duplication
  – Sync time
  – Normalize
  – Secure collector transmission pathways
Event Logging
• Local
• Remote
  – Centralized
  – Decentralized
  – Concerns
    • Time stamping
    • Network reliability
    • Confidentiality and integrity
Quick and Fast Rules
• Compromised hosts generally send out more information
• Patterns (sending perspective)
  – Many-to-one – DDoS, Syslog, data repository, email server
  – One-to-many – web server, email server, SPAM bot, warez, port scanning
  – Many-to-many – P2P, virus infection
  – One-to-one – normal communication, targeted attack
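The four sending-perspective patterns above, applied to flow records so that each host is labelled by how many peers send to it (fan-in) and how many distinct service endpoints it sends to (fan-out). This is an added example, not code from the deck: the flows are constructed to contain one instance of each pattern, the threshold of four peers that separates "many" from "one" is an assumption, and the two annotations (a one-to-many host whose only destination port is 25, and a source that touches many ports on a single destination) are the deck's own spam-bot and port-scan cases expressed as checks.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, proto, dst_port), sending perspective.
FLOWS = [
    # many-to-one: six workstations sending to the syslog collector
    *[(f"192.168.1.{i}", "192.168.1.5", "udp", 514) for i in range(10, 16)],
    # one-to-many: one workstation delivering mail directly to eight remote MTAs
    *[("192.168.1.77", f"203.0.113.{i}", "tcp", 25) for i in range(20, 28)],
    # one-to-many across ports: ten ports on a single target (port scanning)
    *[("192.168.1.78", "192.168.1.30", "tcp", p) for p in range(20, 30)],
    # many-to-many: a full mesh of five peer-to-peer hosts
    *[(f"10.0.0.{a}", f"10.0.0.{b}", "tcp", 6881)
      for a in range(1, 6) for b in range(1, 6) if a != b],
    # one-to-one: a client talking to one file server
    ("192.168.1.40", "192.168.1.50", "tcp", 445),
]

def peer_counts(flows):
    """Per host: endpoints it sends to, sources that send to it, ports per (src, dst)."""
    fan_out = defaultdict(set)    # host -> {(dst, dport)} it sends to
    fan_in = defaultdict(set)     # host -> {src} that send to it
    ports_to = defaultdict(set)   # (src, dst) -> {dport}
    dports = defaultdict(set)     # src -> {dport} used anywhere
    for src, dst, _proto, dport in flows:
        fan_out[src].add((dst, dport))
        fan_in[dst].add(src)
        ports_to[(src, dst)].add(dport)
        dports[src].add(dport)
    return fan_out, fan_in, ports_to, dports

def classify(flows, many=4):
    """Label every host with one of the four patterns plus any annotations."""
    fan_out, fan_in, ports_to, dports = peer_counts(flows)
    result = {}
    for h in sorted(set(fan_out) | set(fan_in)):
        out_n, in_n = len(fan_out[h]), len(fan_in[h])
        if out_n >= many and in_n >= many:
            label = "many-to-many"
        elif in_n >= many:
            label = "many-to-one"
        elif out_n >= many:
            label = "one-to-many"
        else:
            label = "one-to-one"
        notes = []
        if label == "one-to-many" and dports[h] == {25}:
            notes.append("spam bot candidate: mail delivered directly to many remote hosts")
        scanned = sorted(d for (s, d), ps in ports_to.items() if s == h and len(ps) >= many)
        if scanned:
            notes.append("port scan candidate toward " + ", ".join(scanned))
        result[h] = (label, notes)
    return result

if __name__ == "__main__":
    for host, (label, notes) in classify(FLOWS).items():
        print(f"{host:14} {label:13} {'; '.join(notes)}")
```

The labels only make sense against the server-role inventory from the Network Analysis slide: a many-to-one host that is the known syslog collector is expected, while the same pattern on a workstation is the DDoS-target or staging-repository case the deck lists.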