Solving Network Mysteries

Transcript Solving Network Mysteries

SRA International, Inc.
Information Assurance Division
Black Hat Briefings 2001

Solving Network Mysteries
Dan VanBelleghem, CISSP
SRA International, Inc.
[email protected]
Dan VanBelleghem

• Senior Information Assurance Engineer - SRA
  • Penetration Testing
  • Security Training
  • Security Readiness Reviews
  • Incident Response
  • Security Assessments
• Director of Security Programs - Network Forensics
• Security Assistance Teams for US DoD - BAH
• Security Audits and Assessments for Fortune 500 - D&T
Solving Network Mysteries
Slide - 2
Network Mystery Quiz

Do you know:
• What is happening on your network?
• What users are doing?
• If users are compliant with policy?
• If users’ internal and external network communications affect the enterprise security posture?
• If anomalous behavior is detectable on the network?
• Why network diagrams are not enough?
Slide - 3
Objectives

The objectives of this session are to provide an overview of the following:
• Examples of network activities that are often overlooked
• Techniques used in solving mysteries
• Benefits from audit & monitoring
• Recommendations for performing audit & monitoring
Slide - 4
Observations

• The following observations will provide examples of network security issues that could have been discovered with good audit and monitoring practices in place
• Discovery, analysis and lessons learned will be discussed for each of the following examples:
  • Uncovering DDOS agents
  • Harassing e-mails
  • Rogue servers and applications
  • System administrator misuse
Slide - 5
DDOS Agent Discovery
Background
• Enterprise network solution company
• Firewall policy allowed DNS traffic
• Firewalls managed in Colorado
• DNS servers managed locally at other national offices
Slide - 6
DDOS
[Network diagram: victim.com connected to the INTERNET through a firewall that permits DNS. The HQ primary and secondary DNS servers are managed by network operations; each local office runs a local DNS server managed by local office staff.]
Slide - 7
DDOS
[Network diagram: the same victim.com network, with an attacker on the INTERNET targeting the victim.com DNS servers.]
• DNS service exploited
• Root access gained
• Trust relationships exploited
• DDOS agent planted
Slide - 8
DDOS Agent Discovery
Techniques used for discovery
• Network traffic analysis
  • “unusual traffic”
• Firewall logs reviewed
• DNS server and OS logs reviewed
Slide - 9
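The "unusual traffic" found in the firewall logs was traffic that the DNS servers had no reason to generate. The script below is an added example, not code from the presentation, of the kind of automated review the slide describes: it parses firewall accept/drop records and reports two things for hosts that are only supposed to speak DNS, egress to non-DNS ports and high-volume packet runs to a single destination. The log line format, the addresses, the 10.0.0.0/8 internal range and the flood threshold are all constructed assumptions.

```python
# Firewall-log review for "unusual traffic" from DNS servers.
# Added example, not code from the presentation: the log format, the
# addresses and the thresholds below are constructed assumptions.
import re
from collections import Counter

# Internal hosts whose only expected external traffic is DNS (assumption).
DNS_SERVERS = {"10.10.20.5", "10.10.20.6"}
DNS_PORTS = {53}
# Accepted packets from one source to one destination:port above this count
# in the reviewed window are reported as a possible flood (arbitrary value).
FLOOD_THRESHOLD = 100

# Generic "date time action proto src:port -> dst:port len=N" line (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<len>\d+)$"
)

# Constructed sample: a normal resolver exchange, an outbound session from a
# DNS server to a non-DNS port, an inbound drop, and 150 packets to one host.
SAMPLE_LOG = [
    "2001-06-12 02:14:07 accept udp 10.10.20.5:33201 -> 198.51.100.7:53 len=64",
    "2001-06-12 02:14:08 accept udp 198.51.100.7:53 -> 10.10.20.5:33201 len=212",
    "2001-06-12 02:15:10 accept tcp 10.10.20.5:40511 -> 203.0.113.44:6667 len=60",
    "2001-06-12 02:15:12 accept tcp 10.10.20.5:40511 -> 203.0.113.44:6667 len=128",
    "2001-06-12 02:30:01 drop   tcp 192.0.2.9:2817 -> 10.10.20.6:22 len=60",
] + [
    f"2001-06-12 03:00:{i % 60:02d} accept udp 10.10.20.6:{40000 + i} -> 203.0.113.9:80 len=1400"
    for i in range(150)
]


def is_internal(ip):
    """Assumption: the enterprise uses 10.0.0.0/8 internally."""
    return ip.startswith("10.")


def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("sport", "dport", "len"):
            e[k] = int(e[k])
        events.append(e)
    return events


def review(events):
    """Return findings as (kind, src, 'dst:port', packet_count) tuples."""
    egress = Counter()  # non-DNS traffic leaving a DNS server
    pairs = Counter()   # every accepted (src, dst:port) pair, for the volume check
    for e in events:
        if e["action"] != "accept":
            continue  # denied packets never left; they are reviewed separately
        dst = f'{e["dst"]}:{e["dport"]}'
        pairs[(e["src"], dst)] += 1
        if (e["src"] in DNS_SERVERS and not is_internal(e["dst"])
                and e["dport"] not in DNS_PORTS):
            egress[(e["src"], dst)] += 1
    findings = [("non-dns-egress", src, dst, n) for (src, dst), n in sorted(egress.items())]
    findings += [("possible-flood", src, dst, n)
                 for (src, dst), n in sorted(pairs.items()) if n >= FLOOD_THRESHOLD]
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding)
```

The review only looks at accepted traffic because that is what actually left the network; the slide's point is that nobody was reading those records at all, so even this simple pass would have surfaced the compromised servers.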
DDOS Agent Discovery
Lessons learned
• Firewall logs not reviewed
• DNS server (OS and application) logs not reviewed
• IP spoofing not monitored internally
• Integrity checking not performed
Slide - 10
DDOS Agent Discovery
Recommendations
• Perform regular log review of network service systems (DNS, Firewall, Mail, etc.)
• Monitor and review network traffic patterns and trends
  • Automate
  • Outsource
  • Network monitors
  • Network device logs
• Perform host integrity checking for critical assets
  • Tripwire
  • System profile checkers
Slide - 11
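Host integrity checking, the last recommendation, means recording what the critical files on a system look like before an incident and comparing against that record afterwards. The following is an added example in the style of Tripwire, not the presentation's or Tripwire's own code: it hashes every regular file under a root, stores the baseline as JSON, and reports added, removed and modified files. The file names and contents in demo() are constructed to show a replaced daemon binary, a planted file and a deleted file.

```python
# Host integrity checking in the style of Tripwire: record a baseline of
# cryptographic hashes for critical files and compare against a later
# snapshot. Added example, not the presentation's or Tripwire's code; the
# file names in demo() are constructed.
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash the file contents and note size and permission bits."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map every regular file under root (relative, '/'-separated) to its record."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's target is recorded under its own path
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = file_record(path)
    return baseline


def save_baseline(baseline, path):
    # In production the baseline belongs on read-only or offline media;
    # otherwise whoever changes the files can also change the baseline.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed hash, size or mode."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Build a baseline in a temp tree, tamper with it, and return the differences."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store_dir:
        files = {"etc/named.conf": b'options { directory "/var/named"; };\n',
                 "sbin/named": b"\x7fELF original daemon\n",
                 "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        store = os.path.join(store_dir, "baseline.json")
        save_baseline(build_baseline(root), store)
        baseline = load_baseline(store)
        # Simulated compromise (constructed): replaced daemon, planted file, deleted file.
        with open(os.path.join(root, "sbin", "named"), "wb") as f:
            f.write(b"\x7fELF replaced daemon\n")
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", ".agent"), "wb") as f:
            f.write(b"constructed planted file\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the baseline's storage: if the baseline sits on the monitored host with write access, an intruder who replaces a binary can regenerate it, which is why the code keeps the store outside the monitored tree.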
Harassing E-mails
Background
• Employee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)
• An internal employee was suspected but could not be confirmed
Slide - 12
Harassing E-mails
Techniques used for discovery
• Collected network traffic using a packet sniffer
• Searched traffic for hosts going to and from hotmail.com
• Once an originating IP address was found, searched for the user name that sent the anonymous e-mail
• Specifically looked for CGI postings of the message - this was the proof to determine the person who sent it
Slide - 13
Harassing E-mails (cont.)
[Slides 14 through 22 contain no transcribed text]
Slide - 22
Harassing E-mails
Recommendations
• Implement e-mail policy
• Monitor for non-production e-mail traffic
• Develop monitoring scripts or procure commercial tools
Slide - 23
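A monitoring script of the kind the last recommendation calls for can be as small as a pass over web access records. The example below is added here and is not the presentation's code: it picks out requests to webmail domains named in an assumed e-mail policy, matches domains exactly or as subdomains so that lookalike names are not counted, and summarizes per client how many requests were made and how many were form submissions (POST to a CGI path), the same event the investigators used as proof. The record format, client addresses and hostnames are constructed.

```python
# Monitoring script for non-production e-mail traffic: read web access
# records, pick out requests to webmail services named in the e-mail policy,
# and summarize them per client. Added example, not the presentation's code;
# the log format, hostnames and addresses below are constructed.
import re
from collections import defaultdict

# Domains the (assumed) e-mail policy treats as non-production webmail.
WEBMAIL_DOMAINS = {"hotmail.com"}

# Constructed record format: "date time client METHOD host path status".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>[\d.]+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = [
    "2001-06-12 09:12:01 10.10.150.33 GET www.hotmail.com / 200",
    "2001-06-12 09:12:04 10.10.150.33 POST www.hotmail.com /cgi-bin/dologin 302",
    "2001-06-12 09:15:40 10.10.150.33 POST mail.hotmail.com /cgi-bin/compose 200",
    "2001-06-12 09:20:13 10.10.150.40 GET www.hotmail.com / 200",
    "2001-06-12 09:21:55 10.10.150.51 GET intranet.corp.example /news.html 200",
    "2001-06-12 09:22:10 10.10.150.51 POST intranet.corp.example /cgi-bin/timesheet 200",
    # Lookalike name that merely starts with the policy domain; must not count.
    "2001-06-12 09:23:00 10.10.150.33 GET hotmail.com.notwebmail.example / 200",
]


def is_webmail(host):
    """Exact or subdomain match against the policy list; no substring matches."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)


def summarize(lines):
    """Per-client counts of webmail requests and of form submissions (POST to a CGI path)."""
    clients = defaultdict(lambda: {"requests": 0, "submissions": 0, "hosts": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_webmail(m["host"]):
            continue
        rec = clients[m["client"]]
        rec["requests"] += 1
        rec["hosts"].add(m["host"].lower())
        if m["method"] == "POST" and "/cgi-bin/" in m["path"]:
            rec["submissions"] += 1
    return dict(clients)


def needs_follow_up(summary):
    """Clients that submitted forms to webmail, most active first."""
    hits = [(c, r) for c, r in summary.items() if r["submissions"] > 0]
    return [c for c, _ in sorted(hits, key=lambda cr: (-cr[1]["submissions"], cr[0]))]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for client in needs_follow_up(s):
        print(client, s[client]["requests"], "requests,", s[client]["submissions"], "submissions")
```

A submission count includes logins as well as composed messages, so it narrows the review to a few hosts rather than proving who wrote what; the content of a specific POST still has to come from the captured packets, as the slide's "CGI postings" step describes.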
Rogue Servers/Applications
Background
• Users install unauthorized devices, “stowaways,” on the production network
• Enabling write access on anonymous ftp services for convenience
• Users installing unauthorized services (e.g., web servers) on the production network
Slide - 24
Rogue Servers/Applications
Techniques used for discovery
• Monitoring procedures implemented
• Leveraged automation
  • Network sweep: fping
  • TCP/UDP port scanning: nmap
  • Consider appliance solution: NetFox
Slide - 25
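The sweep and the port scan only become a monitoring procedure once their output is compared with what is supposed to be on the network. The following is an added example, not the presentation's code, of that comparison: it reads the alive list that "fping -a" prints, parses nmap's grepable (-oG) port field, and checks both against an authorized inventory, reporting unknown hosts (the slide's "stowaways"), approved hosts running services they are not approved for, and inventoried hosts that did not answer. The inventory, addresses and scan output are constructed.

```python
# Turn sweep and scan output into an inventory check. Added example, not the
# presentation's code; the sample output below is constructed in the style
# of "fping -a" and nmap's grepable (-oG) output, and the inventory is an
# assumption.

# Assumed authorized inventory: host -> set of approved (port, proto).
INVENTORY = {
    "10.10.150.12": {(22, "tcp")},
    "10.10.150.20": {(25, "tcp"), (53, "tcp"), (53, "udp")},
    "10.10.150.30": {(22, "tcp"), (1521, "tcp")},
}

# Constructed: "fping -a" prints one alive address per line.
FPING_OUTPUT = """10.10.150.12
10.10.150.30
10.10.150.77
"""

# Constructed nmap -oG lines; each Ports entry is port/state/proto/owner/service/rpc/version/.
NMAP_OUTPUT = """# Nmap scan (constructed sample)
Host: 10.10.150.12 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.10.150.30 ()\tPorts: 22/open/tcp//ssh///, 1521/open/tcp//oracle///\tIgnored State: closed (998)
Host: 10.10.150.77 ()\tPorts: 21/open/tcp//ftp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
"""


def parse_fping(text):
    """Set of addresses fping reported alive."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def parse_nmap_grepable(text):
    """Map host -> set of (port, proto, service) for ports nmap reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        open_ports = set()
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[1] == "open":
                open_ports.add((int(parts[0]), parts[2], parts[4]))
        hosts[ip] = open_ports
    return hosts


def check_inventory(alive, scanned, inventory):
    """Findings as (kind, host, [(port, proto, service), ...]) tuples."""
    findings = []
    for ip in sorted(alive | set(scanned)):
        if ip not in inventory:
            findings.append(("unknown-host", ip, sorted(scanned.get(ip, set()))))
    for ip, ports in sorted(scanned.items()):
        if ip not in inventory:
            continue
        for port, proto, service in sorted(ports):
            if (port, proto) not in inventory[ip]:
                findings.append(("unauthorized-service", ip, [(port, proto, service)]))
    for ip in sorted(set(inventory) - alive - set(scanned)):
        findings.append(("missing-host", ip, []))  # down, moved, or filtered
    return findings


if __name__ == "__main__":
    for f in check_inventory(parse_fping(FPING_OUTPUT), parse_nmap_grepable(NMAP_OUTPUT), INVENTORY):
        print(*f)
```

Keeping the inventory as data rather than in someone's head is what turns a one-off scan into the consistent procedure the next slides recommend; the same diff run weekly shows drift as soon as it happens.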
Rogue Servers/Applications
[Slides 26 and 27 contain no transcribed text]
Slide - 27
Rogue Servers/Applications
Recommendations
• Create a robust network security policy
• Educate the user knowledge base to the policies and
security fundamentals
• Implement consistent procedures to achieve these
goals
Slide - 28
System Administrator
Background
• Government agency
• Outsourced system administration duties
• Controlled application network with strict perimeter security
• Only database and e-mail traffic in and out of the control network
• Firewall was monitored for all unsuccessful attempts
Slide - 29
System Administrator
• Monitor status of network remotely
• Batch job to inspect health of systems
• Sent results of process to home account - in clear text
Slide - 30
System Administrator
From: [email protected]
To: [email protected]
Subject: System Report
Hostname: database.victim.gov
System uptime: 2 days 14 hours
Active users:
oracle system larry steve
interface status:
hme0 10.10.150.12
Services Running:
db http inetd
Slide - 31
System Administrator
Techniques used for discovery
• Firewall logs reviewed
• Network traffic analysis
Slide - 32
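The firewall only recorded unsuccessful attempts, so the report mail passed through as permitted e-mail traffic and was found by looking at what the traffic actually contained. The example below, added here and not the presentation's code, is the content side of that analysis: given a captured message, it lists recipients outside the agency's own mail domains and the internal hostnames, private addresses and system-report sections in the body, and flags the combination. The internal domain victim.gov is taken from the slide's sample report; the sender and recipient addresses and the second, harmless message are constructed.

```python
# Content review of outbound mail captured by a sniffer: flag messages that
# leave for an external address while carrying internal hostnames, private
# addresses or system-report sections. Added example, not the presentation's
# code; victim.gov comes from the slide's sample, the addresses and the
# second message are constructed.
import email
import ipaddress
import re

INTERNAL_DOMAINS = {"victim.gov"}  # assumption: the agency's own mail domains
REPORT_MARKERS = ("Active users:", "Services Running:", "interface status:", "System uptime:")
HOST_RE = re.compile(
    r"\b[\w-]+(?:\.[\w-]+)*\.(?:" + "|".join(map(re.escape, INTERNAL_DOMAINS)) + r")\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed reconstruction of the slide's report with made-up addresses.
REPORT_MESSAGE = """From: sysadmin@victim.gov
To: larry@home-isp.example
Subject: System Report

Hostname: database.victim.gov
System uptime: 2 days 14 hours
Active users:
oracle system larry steve
interface status:
hme0 10.10.150.12
Services Running:
db http inetd
"""

# Constructed message that stays inside the agency and carries nothing sensitive.
INTERNAL_MESSAGE = """From: steve@victim.gov
To: larry@victim.gov
Subject: lunch

Cafeteria at noon?
"""


def mail_domain(address):
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def private_addresses(text):
    """RFC 1918 and other private IPv4 addresses mentioned in text."""
    found = set()
    for cand in IPV4_RE.findall(text):
        try:
            if ipaddress.ip_address(cand).is_private:
                found.add(cand)
        except ValueError:
            pass  # e.g. 999.1.1.1 looks like an address but is not one
    return sorted(found)


def inspect(raw):
    """Return what this message carries outside the enterprise and whether to flag it."""
    msg = email.message_from_string(raw)
    recipients = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header) or []:
            recipients.extend(a.strip() for a in value.split(",") if a.strip())
    external = [r for r in recipients if mail_domain(r) not in INTERNAL_DOMAINS]
    body = msg.get_payload()
    hosts = sorted({h.lower() for h in HOST_RE.findall(body)})
    private = private_addresses(body)
    sections = [m for m in REPORT_MARKERS if m in body]
    return {
        "external_recipients": external,
        "internal_hosts": hosts,
        "private_addresses": private,
        "report_sections": sections,
        "flag": bool(external) and bool(hosts or private or sections),
    }


if __name__ == "__main__":
    for name, raw in (("report", REPORT_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(name, inspect(raw))
```

The same review applies to the firewall side: a policy that permits e-mail still produces accept records for every outbound SMTP session from the control network, and reviewing those, not only the denials, is what the next slide's lessons learned point at.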
System Administrator
Lessons learned
• Administrators needed security awareness training
• No official remote administration procedures were in place
• Adequate tools were not available to support environment requirements
Slide - 33
System Administrator
Recommendations
• Implement appropriate remote administration solution
• Conduct constant administrator training
Slide - 34
Audit & Monitoring Goals
• Protect
  • Provides input to policy changes or mis-configurations
  • Acts as a deterrent
• Detect
  • Analysis of all data
  • Passive collection
  • Active scanning
• Analyze and Recover
  • Forensic level analysis
  • Rapid answers to the who, what, when, where, how questions
  • Full damage control
  • Network, system and application level audit logs
  • Centralized information source
Slide - 35
Audit & Monitoring Enablers
• Logs
  • Host
  • Application
  • System
• Network
  • Packet sniffers
  • NIDS
• Analysis
  • Database
  • Scripts
Slide - 36
Logs
• Logs are a great source of information if:
  • They have been enabled
  • They are still there
  • Their integrity is not questionable
  • Someone reads them!
• Provide Who and When
• Do not provide content (e.g., What)
Slide - 37
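"Still there" and "integrity not questionable" are the two conditions an intruder with root can defeat by editing or trimming the log. One way to make that tampering visible, shown here as an added example that is not the presentation's code, is a hash chain: each record stores the SHA-256 of the previous record, so editing or deleting any line breaks every link after it. The sample entries are constructed; the head hash of a real chain would be copied off the host (to the centralized source the goals slide mentions) so that a rewritten chain can be told from the original.

```python
# A tamper-evident log: every entry records the SHA-256 of the previous
# entry, so removing or editing a line breaks every link after it. Added
# example, not the presentation's code; the sample entries are constructed.
import hashlib
import json

GENESIS = "0" * 64  # link value for the first record


def _digest(prev_hash, entry):
    data = prev_hash + "\n" + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


def append(chain, entry):
    """Add entry (a dict) to chain, linking it to the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev_hash, "hash": _digest(prev_hash, entry)})
    return chain


def verify(chain, expected_head=None):
    """Return None if every link holds, else the index of the first broken record.

    If expected_head (the last hash as copied off-host) is given, a chain
    that was rewritten from the start is reported as broken at its last index.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["entry"]):
            return i
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return max(len(chain) - 1, 0)
    return None


def demo():
    """Build a small chain, then tamper with copies of it in two ways."""
    chain = []
    for e in [{"ts": "2001-06-12T02:14:07", "msg": "accept udp 10.10.20.5 -> 198.51.100.7:53"},
              {"ts": "2001-06-12T02:15:10", "msg": "accept tcp 10.10.20.5 -> 203.0.113.44:6667"},
              {"ts": "2001-06-12T02:30:01", "msg": "drop tcp 192.0.2.9 -> 10.10.20.6:22"}]:
        append(chain, e)
    head = chain[-1]["hash"]  # the value that would be stored off-host
    edited = json.loads(json.dumps(chain))  # deep copy, then rewrite the middle line
    edited[1]["entry"]["msg"] = "accept udp 10.10.20.5 -> 198.51.100.7:53"
    deleted = chain[:1] + chain[2:]  # drop the middle record entirely
    rewritten = []  # a fresh chain with the incriminating line left out
    for rec in deleted:
        append(rewritten, rec["entry"])
    return {
        "intact": verify(chain, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "rewritten": verify(rewritten, head),
    }


if __name__ == "__main__":
    print(demo())
```

Without the off-host head value the rewritten chain verifies cleanly, which is the point of the "still there" condition: integrity checking of logs only works when some part of the record is beyond the reach of the host that produced it.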
Sniffers
[Image; Source: U.S. News]
Testing sniffers means different things to different people!
Slide - 38
Network
• Sniffers are needed to “see” what is on your network
• NIDS provide a means for pre-processing
• Switched environments can provide a challenge
• Since no two networking environments are the same, methodologies will need to be tailored for each network
Slide - 39
Raw Output
[No transcribed text]
Slide - 40
NIDS Output (Dragon)
[No transcribed text]
Slide - 41
Analysis
• Collecting gigabytes of data… now what?
• A system or tools to assist with analysis is vital
• Implementing a system with consistent procedures is a challenge
• Filter and focus before drowning in data
Slide - 42
Audit & Monitoring Tool Trends
• Evidence preservation
• Data warehousing
• Data mining
• Automatic correlation
• Event interpretation
• Passive monitoring
• Data exchange
• AI based attack prediction
Slide - 43
Audit & Monitoring Tool Trends
• Outsourced Managed Security
  • Counterpane – www.counterpane.com
  • SecurityTracker – www.securitytracker.net
  • ServerVault – www.servervault.com
• Network Appliances
  • NetFox – www.securityfox.net
• Interactive Analysis
  • SilentRunner – www.silentrunner.com
• Log Consolidators
  • Kane – www.intrusion.com
  • eSecurity – www.esecurityinc.com
Slide - 44
Tips
• Do’s
  • One step at a time
  • Automation is your friend
  • Storage
  • Data sensitivity
  • Measure
• Don’ts
  • Underestimate
  • Forget legal responsibilities
  • Be unprepared
  • Believe in silver bullets
Slide - 45
In Closing…
• Potential Benefits:
  • Increased knowledge and awareness of network usage practices
  • Enhanced current detection and protection process
  • Reduced time and resource cost when responding to an incident
  • Reduced network misuse and abuse
  • Enforcement of policy
Slide - 46
Questions
Slide - 47