Transcript Document
Chapter 9: Cyber Network Defense using Advanced Log Analysis
Lecture Materials for the John Wiley & Sons book:
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
July 21, 2015 DRAFT
Introduction to Cyber Network Defense
• Cyber Network Defense (CND) is a continuously
improving process for defending IT assets
• The CND approach in this Chapter includes:
– Lightweight process for CND
– Set of open source scripts for network monitoring
and Advanced Log Analysis (ALA) on Backtrack
– Agile strategy for escalating defenses
– Cyber investigations process
– Scenario for eradicating browser-based spyware
– Instructions for implementing the processes
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
7/21/2015 DRAFT
2
General Method and Tools for Cyber Investigations
• Investigations are based upon The
Scientific Method to focus activities:
– Observation
– Hypothesis
– Evaluation: Analyze and Interpret Data
– Prediction
– Repeat the method to validate predictions
Continuous Cyber Investigation Strategy
• Full packet capture when the network is quiet
• Capture IDS alerts during busy hours
• Investigation of suspicious alerts
• Host-Based Security (HBS)
• Firewalls
• Regular updates/upgrades to processes
and technical components
• Integrated CND
Summary of Cyber Investigation Process
• Use the custom CND scripts as a daily monitoring
& investigation process:
– # ./snortcap  -  Run the IDS on the overnight packet capture.
– # ./headcap | wc  -  How many alerts overnight?
– # ./statcap  -  Count and rank the top alerts.
– # ./hostcap  -  Which are the top alerting hosts?
– # ./alertipcap 10.10.100.10  -  What are the alert details for that host?
– # sort sum*10.10* | uniq -c | sort -rn  -  Rank the top alerts for that IP.
– # ./iporgcap 10.10.100.10  -  Which external domains are alerting for that IP?
– # whois 64.94.107.15  -  Who owns this IP address that does not resolve to a domain name?
• Use an Internet browser to investigate external IPs and domains. Discover
these domains with the following command:
– # ./orgcap  -  What are all the external alerting domains?
Network Monitoring
• Establish a Switched Port Analyzer (SPAN) session on the core
switch or firewall
– Mirrors all network traffic to the IDS sensor
• To start the IDS in real time, you can use the following
daycap script:
    #!/bin/bash
    # Add a parameter, e.g. ./daycap keep, to append to the existing logs.
    # By default the previous daytime logs are deleted to conserve space.
    if [ -z "$1" ]; then rm -f /tmp/alert /tmp/snort.log.*; fi
    # -A full: full-format alerts to /tmp/alert; -c: rules and config;
    # -l: log directory for the binary packet log (snort.log.*).
    # Add -i <interface> if the SPAN-attached interface is not the default one.
    /usr/local/bin/snort -A full -c /etc/snort/snort.conf -l /tmp
Advanced Text Log Analysis
• A set of custom scripts is explained in detail in
Chapter 9, teaching you gawk along the way
• Example: the statcap script creates a histogram of the most frequent
alerts. Snort's full-format alert file separates records with a blank
line, so with RS="\n\n" and FS="\n" each line of a record is a field and
$1 is the "[**] [gid:sid:rev] message [**]" signature line:
    #!/bin/bash
    # Single quotes keep $1 for gawk; inside double quotes the shell would expand it
    gawk 'BEGIN {FS="\n"; RS="\n\n"} {print $1}' alert \
      | gawk '/\[\*\*\]/' | sort | uniq -c | sort -rn | less
• The hostcap script finds the host generating the
most alerts (the source address of each TCP alert):
    #!/bin/bash
    # FS/RS belong in BEGIN so they apply to the first record; /TCP/ selects TCP
    # records and $3 is their "timestamp src:port -> dst:port" line (when the
    # Classification line is absent the address line is $2, not $3).
    gawk 'BEGIN {FS="\n"; RS="\n\n"} /TCP/ {print $3}' alert \
      | gawk '{print $2}' | gawk -F: '{print $1}' | gawk '/[0-9.]+/' | sort | uniq -c | sort -rn
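The daily questions from the investigation summary (headcap | wc, statcap, hostcap, alertipcap, iporgcap) carried out end to end over a constructed Snort "-A full" alert file, as an added example that is not one of the book's scripts. It uses POSIX awk in paragraph mode (RS=""), which is portable where gawk's two-character RS="\n\n" is not, finds the address line by its "->" marker instead of by position (so records without a Classification line are handled), strips the ":port" suffix, and matches the IP exactly so that 10.10.100.1 does not also match 10.10.100.10. The alert file path, the function names and the alert contents are this example's own; the addresses are borrowed from the slides but the alerts, signature names and timestamps are made up.

```shell
#!/bin/sh
# Added example, not one of the book's scripts: the daily headcap/statcap/hostcap/
# alertipcap/iporgcap questions answered with POSIX awk over a Snort "-A full"
# alert file. Assumed record layout (records are blank-line separated):
#   [**] [gid:sid:rev] message [**]
#   [Classification: ...] [Priority: N]      (absent for rules without a classtype)
#   mm/dd-hh:mm:ss.usec src:port -> dst:port (no ports on ICMP alerts)
#   PROTO TTL:... (one or more detail lines)
# Paragraph mode (RS="") is POSIX, unlike gawk's RS="\n\n", and the address line
# is located by its "->" marker rather than by position.

ALERT="${TMPDIR:-/tmp}/example_alert"   # path is this example's choice

# Constructed sample alerts: signature names, hosts and timestamps are made up.
make_sample_alert() {
  cat > "$ALERT" <<'EOF'
[**] [1:2000:1] EXAMPLE Spyware beacon [**]
[Classification: Misc activity] [Priority: 3]
01/11-02:15:01.000001 10.10.100.10:51001 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:2000:1] EXAMPLE Spyware beacon [**]
[Classification: Misc activity] [Priority: 3]
01/11-02:20:01.000002 10.10.100.10:51002 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:2000:1] EXAMPLE Spyware beacon [**]
[Classification: Misc activity] [Priority: 3]
01/11-02:25:01.000003 10.10.100.10:51003 -> 66.235.147.9:80
TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF

[**] [1:2001:2] EXAMPLE SSH scan [**]
01/11-03:00:00.000004 10.10.100.20:40000 -> 10.10.100.1:22
TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:60

[**] [1:2002:1] EXAMPLE ICMP sweep [**]
[Classification: Attempted Recon] [Priority: 2]
01/11-03:05:00.000005 10.10.100.30 -> 10.10.100.1
ICMP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:28
EOF
}

# headcap | wc : how many alert records overnight?
count_alerts() {
  awk 'BEGIN { RS = "" } END { print NR }' "$ALERT"
}

# statcap : histogram of the signature line ($1) of every record
top_alerts() {
  awk 'BEGIN { RS = ""; FS = "\n" } { print $1 }' "$ALERT" \
    | grep -F '[**]' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# hostcap : rank source IPs; ":port" is stripped, ICMP lines simply have none
top_hosts() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       { for (i = 1; i <= NF; i++) if ($i ~ /->/) {
             split($i, f, " "); split(f[2], src, ":"); print src[1] } }' "$ALERT" \
    | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# alertipcap <ip> : full records where <ip> is the exact source or destination
alerts_for_ip() {
  awk -v ip="$1" 'BEGIN { RS = ""; FS = "\n" }
       { for (i = 1; i <= NF; i++) if ($i ~ /->/) {
             split($i, f, " "); split(f[2], s, ":"); split(f[4], d, ":")
             if (s[1] == ip || d[1] == ip) print $0 "\n" } }' "$ALERT"
}

# iporgcap <ip> : destinations <ip> alerted on, ranked by alert count
dests_for_ip() {
  awk -v ip="$1" 'BEGIN { RS = ""; FS = "\n" }
       { for (i = 1; i <= NF; i++) if ($i ~ /->/) {
             split($i, f, " "); split(f[2], s, ":"); split(f[4], d, ":")
             if (s[1] == ip) print d[1] } }' "$ALERT" \
    | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Stand-alone walk-through of the daily questions on the sample file
make_sample_alert
echo "alerts overnight: $(count_alerts)"
echo "--- top alerts ---";          top_alerts
echo "--- top alerting hosts ---";  top_hosts
echo "--- 10.10.100.10 talks to ---"; dests_for_ip 10.10.100.10
```

In production, point ALERT at the /tmp/alert file that daycap writes. The book's iporgcap resolves destinations to organizations; dests_for_ip stops at the IP addresses, and whois or a reverse lookup on them is the analyst's next, online, step.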
Advanced Binary Log Analysis: Wireshark
Advanced Binary Log Analysis: tcpdump
Reporting Cyber Investigations
• Lesson Learned: Do not go to a
cybersecurity professional and inform them
that their machine is generating copious
beacons – Panic ensues!
• Instead, approach reporting in a non-judgmental, diplomatic manner
• Provide proof of your findings
– It will certainly be requested
• Empower people to resolve the problem
with guidance and mentoring
Elimination of Cyber Threats
• Block suspicious domains on a single host using the hosts file (Windows:
C:\Windows\System32\drivers\etc\hosts, Linux: /etc/hosts); this only stops
name resolution on that host, not connections made directly to an IP:
– 127.0.0.1 ak.quantcast.com
• Block suspicious IPs for the entire network at the firewall (e.g. a Cisco ASA),
here as an object group referenced by an outbound ACL on the inside interface.
The final permit is required: once an ACL is applied to the interface, only
what it permits passes. Note that a 255.255.255.0 mask blocks the whole /24,
not only the address that was observed alerting:
    > enable
    Password:
    # config t
    (config)# object-group network Blocked_IPs
    (config-network)# network-object 64.94.107.0 255.255.255.0
    (config-network)# network-object 66.235.147.0 255.255.255.0
    <repeat for additional IPs>
    (config-network)# exit
    (config)# access-list in2out2 extended deny ip any object-group Blocked_IPs
    (config)# access-list in2out2 extended permit ip any any
    (config)# access-group in2out2 in interface inside
    (config)# show config
    (config)# wr mem
    (config)# exit
    # exit
Logs on Various OS/Services
Intrusion Discovery on Windows
• To detect intrusions, seek out:
– Unusual processes and services
– Unusual files and registry keys
– Unusual network activity
– Unusual scheduled tasks
– Unusual accounts
– Unusual log entries
Cyber Security: Managing Networks,
Conducting Tests, and Investigating Intrusions
REVIEW CHAPTER SUMMARY