Project Presentation Slides


Network Forensics
SI 2007 Project Team “Packet Storm”
Matthew Baron
Charlie Hughes
Matt Mayberry
Bryce Theobald
Project Leaders
Prasad Calyam
Aaron Lafferty
Topics of Discussion
• Background on Cyber Crimes
• Our Network Forensic Investigation Case
• Investigation Methodology
• Forensic Evidence
• Expert Opinion upon Investigation
• Conclusion (Animation)
“Hackers”
• Hackers are intruders who compromise or incapacitate computer systems using the Internet
– A.k.a. “Cyber-criminals”
• Motivations of a hacker to perform cyber-crimes
– Sabotage for money (blackmail)
– Hatred towards the victim (government cyber-wars)
– Social acceptance (redirecting websites)
– “FOR FUN!”
• Hackers are difficult to track down
– They hide behind the world-wide Internet
• US-border jurisdiction issues for the FBI or CIA
Hackers use “Botnets”
• “Bot” – a simple program planted on a computer that accesses a “Command Center” (e.g. an IRC channel)
• A huge group of bots on the Internet is called a “Botnet”
• Botnets are rented out for launching cyber attacks and spam services
[Figure: a botnet of bots on the Internet; the hacker controls all the bots over the Internet and directs them at the victim]
Distributed Denial of Service attacks (DDoS attacks)
• Coordinated attacks from botnets that slow down victim servers
– Ping Flood, Smurf (slow down servers)
• Companies hire “DDoS mafias” to attack competitors and attract their customers
[Figure: Smurf attack – attacker, broadcast network, victim; adapted from www.networkdictionary.com]
DDoS Attack Investigation Case
• “Cyber Games, Ltd.” (fictional) is maliciously cyber-attacked by “Not-So-Good Cyber Games Inc.”
– Not-So-Good Cyber Games Inc. employs a DDoS “Mafia”
– Cyber Games, Ltd. customers experience slow response and service disruptions from servers during gaming
– Customers unsubscribe from Cyber Games, Ltd. services and sign up for Not-So-Good Cyber Games Inc. services
• Due to month-long DDoS attacks, Cyber Games, Ltd. lost customers, reputation and revenue
Network Forensic Experts
• Cyber Games, Ltd. hired us, the Network Forensics Experts
• We investigate the DDoS attacks, identify the cyber-criminals and prosecute them
• Network Forensic Science is complex!
– Hackers are always one step ahead
– It requires diverse expertise in several areas:
• Networking
• Software Programming
• Legal Procedures
• Criminal Psychology
Investigation Methodology
• Technologies Used
– Honey Pot
• A network set up to trap DDoS attacks at Cyber Games, Ltd.
– Snort
• An intrusion detection tool
– Perl
• A programming language
– MySQL
• A database
Honey Pot
• A Honey Pot is a network of computers that needs to be protected
– It appears to a hacker as a real system while in fact it carefully monitors the hacker’s attacks
– It collects clues to trace the hacker’s location on the Internet
• It includes a “Network Monitor” that hosts Snort, MySQL, etc.
– Snort rules need to be configured to create logs that contain:
• Alert timestamp
• Source and destination IPs
• Alert signature (e.g. DDoS attack, port-scanning)
[Figure: Honey Pot with a Network Monitor running Snort and MySQL]
Snort Workflow
[Figure: Packet Decoder → Preprocessors → Detection Engine → Logging and Alerting System; packets are dropped after processing. Sample alert log output (timestamp, alert signature, source IP per record):]
2007-07-13 07:15:47
Ping_Flood
250.52.15.4
---------------------------
2007-07-13 07:55:00
DNS_Poisoning
19.80.124.164
---------------------------
2007-07-13 08:39:44
Buffer_Overflow
19.89.174.34
---------------------------
2007-07-13 08:57:59
SSL_Auth
127.166.92.101
Perl and MySQL
• We wrote a Perl script, “log_analysis.pl”, to parse Snort log data into a MySQL database
• Based on the source IP address, the geographic location of the hacker can be determined
– Every IP address has a network part and a local part
Timestamp            Attack Type      Source IP        Destination IP
2007-07-13 07:15:47  Ping_Flood       250.52.15.4      15.160.2.100
2007-07-13 07:55:00  DNS_Poisoning    19.80.124.164    15.160.2.100
2007-07-13 08:39:44  Buffer_Overflow  19.89.174.34     15.160.2.100
2007-07-13 08:57:59  SSL_Auth         127.166.92.101   15.160.2.100
2007-07-13 08:59:29  VNC_Auth         4.5.131.172      15.160.2.100
2007-07-13 09:38:13  DNS_Poisoning    1.96.72.163      15.160.2.100
Forensic Evidence
• Forensic evidence includes anything used in court to prove the validity or falsity of a statement
– It cannot be “hearsay” (e.g. monitoring for 1 or 2 days and pointing fingers at attack sources)
– Routine monitoring is hence vital
• It promotes custody of regular records of cyber activity
– It has to present information beyond reasonable doubt
• We wrote a Perl script, “db_reader.pl”, to query the daily-attacks data from MySQL
• We use the queried data to create a visualization which we present as our evidence
– DDoS Mafia hired by Not-so-good Gaming, Inc. captured by FBI in Antarctica!
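As an added example (not code from the Packet Storm project, whose log_analysis.pl and db_reader.pl are Perl scripts not shown in the slides), a Python rendition of the two steps above: parsing the alert log from the Snort Workflow slide into rows, then computing the daily-attacks summary that is queried for the evidence. The input is a constructed log in the slide's layout; the /24 network part and the repeat-source check are assumptions added here to show why routine (multi-day) monitoring matters.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of the Snort alert log on the Snort Workflow
# slide (timestamp, signature, source IP per record, records separated by
# dashes); values come from the slides plus one constructed next-day record.
SAMPLE_LOG = """2007-07-13 07:15:47
Ping_Flood
250.52.15.4
---------------------------2007-07-13 07:55:00
DNS_Poisoning
19.80.124.164
---------------------------2007-07-13 08:39:44
Buffer_Overflow
19.89.174.34
---------------------------2007-07-13 08:57:59
SSL_Auth
127.166.92.101
---------------------------2007-07-14 07:20:02
Ping_Flood
250.52.15.4
"""

# One record: timestamp line, signature line, dotted-quad source IP line.
RECORD_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\n(\S+)\n(\d{1,3}(?:\.\d{1,3}){3})")

def parse_alerts(text):
    """Rows of (timestamp, signature, source_ip): what log_analysis.pl loads into MySQL."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sig, src)
            for ts, sig, src in RECORD_RE.findall(text)]

def daily_attacks(rows):
    """Per-day alert counts by (signature, source IP): the daily-attacks query of db_reader.pl."""
    per_day = defaultdict(Counter)
    for ts, sig, src in rows:
        per_day[ts.date().isoformat()][(sig, src)] += 1
    return per_day

def network_part(ip, prefix_len=24):
    """Network part of a source address (assumed /24), the part used to approximate location."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))

def repeat_sources(rows, min_days=2):
    """Sources alerting on at least min_days distinct days: the sustained pattern
    routine monitoring can show and a 1- or 2-day snapshot cannot."""
    days = defaultdict(set)
    for ts, _sig, src in rows:
        days[src].add(ts.date())
    return sorted(src for src, seen in days.items() if len(seen) >= min_days)
```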
Expert Opinion upon Investigation
• No network is fully secure
• Cyber Games, Ltd. did several good things
– Had a Honey Pot installed with a firewall
– Maintained clear records of attack logs
• Both weak and severe
– Ensured no attacks had a source within their network
– Notified us and co-operated to trace the attackers
• Hence, they deserve to be compensated for the damages caused by Not-so-good Cyber Games, Inc.
[Figure: “Super-smart Hacker”]
Variables for Compensation
• Does the hacker live in the USA?
• Money to prosecute the hacker in court
• Revenue, customers and reputation lost due to the DDoS attacks
• Staff time and services of the Network Forensic Experts for the investigation
Damages Compensation
ITEM                                                                          COST
Expenses for 3 FTE staff for assisting in 2 weeks of forensic investigation   $15,000
Expense for hiring the Network Forensic Experts from SI 2007                  $100,000
Lost revenue during the 5 days of decreased performance or loss of service    $250,000
Loss of customers, reputation and subscriber recruiting/advertisement         $500,000
Court costs + attorney cost for civil trial proceedings                       $300,000
Total Cost                                                                    $1,165,000