1 / 27

Lesson 14 Network Monitoring System Restoration Incident Evaluation

Lesson 14 Network Monitoring System Restoration Incident Evaluation. The Role of Network Forensics. “Network Forensics analysis tools (NFATS) reveal insecurities, turn system administrators into system detectives.” Nate King & Errol Weiss Information Security Magazine. Network Forensics.

latika
Télécharger la présentation

Lesson 14 Network Monitoring System Restoration Incident Evaluation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lesson 14Network MonitoringSystem RestorationIncident Evaluation

  2. The Role of Network Forensics • “Network Forensics analysis tools (NFATS) reveal insecurities, turn system administrators into system detectives.” Nate King & Errol Weiss Information Security Magazine

  3. Network Forensics

  4. Definitions • Sniffer: Hardware or software that passively intercepts packets as they traverse the network. Other name include Protocol Analyzer and Network Monitor. • Silent Sniffers will not respond to any received packets. • Illegal Sniffers violate 18 USC 2511 dealing with wiretaps. • Promiscuous Mode. A sniffer operates in a mode that intercepts all packets flowing across the network. • A normal NIC only intercepts packets packets addressed to its IP address and Broadcasts address. • Transactional (Noncontent) information consists only of header information. For example, IP, TCP or UDP headers. • Same as a LE Trap and Trace or Pen Register. • Content Informationconsists of not only the headers but also part or all of the encapsulated data.

  5. Network Forensics Data • Network data can come from: • Routers, Firewalls, Servers, IDS, DHCP Servers, etc • These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody • Chain of Custody • Strictly controlled network monitoring can maintain a proper chain of custody • Electronic evidence requires tighter control than most other types of evidence because it can be easily altered • A broken chain goes to weight and not admissibility

  6. Chain of Custody • Network data chain of custody should include: • Date and time recorded • Make, model, serial # and description of recording device • Names of individual recording or the name of individuals • recovering the logs • Description of the logs • Name, Signature and date of individual receiving the data. • Evidence Tag for this item • Hash value (MD5) of each log file

  7. Corporate policy must support the type monitoring to be performed! Monitoring The Network • What are the Network Monitoring goals? • Monitor traffic to and from a host? • Monitor traffic to and from a network? • Monitor a specific person? • Verify an intrusion attempt? • Monitor attack signatures? • Monitor a specific protocol? • Monitor a specific port? • Check with legal counsel prior to starting the monitor

  8. Run a Sniffer detection tool prior to connecting yours. Network Monitoring Tool • Network Monitoring Hardware • A Portable laptop • 512 MB Ram • 40 +GB • External Zip drive • Network Monitoring Software • NetBSD is reputedly the best • A Silent Sniffer that speaks only TCP/IP with ARP disabled • Employ VLAN with SSH or a Dial-back modem for Remote Administration

  9. Monitoring The Network Continued • Possible Network Monitors. • tcpdump, Ethereal and Snort • Snoop, iptrace, Snifer Pro, Etherpeek, LANalyzer • NetMon, Network Tracing and Logging and Cisco IDS • Network Monitor Location • Host Monitoring - On the same Hub or switch. • The switch should have Switch Port Analysis (SPAN) • Network Monitoring - At the network perimeter • A Physically secure location

  10. Helpful Hints • Run a Sniffer detection tool prior to connecting yours • Someone may already be listening to the network • Capture the network traffic as close to the source host as possible • Hackers use bounce sites to attack hosts • Have the capability of viewing captured data as a continuous stream. • This provides an overview of what the hacker is attempting to do • Reconstruct documents, etc • Have the capability of viewing the packets at the lowest level • High-level analyzers will sometimes strip off data that is not important for fault analysis but could be important for investigative purposes • Options and fields to identify the OS • Typing speed of user • Printer variables, X display variables , etc

  11. Common Forensics Mistakes • Failure to Monitor • ICMP Traffic • SMTP, POP and IMAP • Traffic • UseNet Traffic • Files saved to external • media • Web Traffic • Senior Executives Traffic • Internal IP Traffic • Failure to Detect • ICMP Covert Channels • UDP Covert Channels • HTTP Covert Channels

  12. Common Forensics Mistakes Continued • Failure to PlayBack • Encrypted traffic • Graphics • Modeling and Simulation traffic • Failure to Trace: • DOS • DDOS • Spoofed EMail • Failure to Detect. • Steganography. • Erasing Logs • File Encryption. • Binary Trojans

  13. Monitoring Tools Dsniff http://www.monkey.org/~dugsong/dsniff tcpdump http://www.tcpdump.org/ WinDump http://netgroup-serv.polito.it/windump/ ethereal http://www.ethereal.com/ Snort http://www.snort.org/ Snoop

  14. System Restoration

  15. System Restoration • System Administrator recovers the system • Don't trust anything that is on-line • Don't believe anything your system tells you • Reformat disks • Restore operating system • Reload software • Assign new passwords • Scan the /etc/passwd for newly created files • Check for changes to files that may affect security (trapdoors, logic bombs, etc.)

  16. System Restoration • Check critical files for the appropriate file protection and permissions • Scan the system for newly created SUID and SGID files • Delete and recreate all .rhosts files • Check for changes to the /etc/hosts.equiv file • Check for changes in user startup files • Check for a modified .forward file • Check for hidden or unowned files and directories • Run audit tools such a COPS and Tripwire

  17. System Restoration • The recovery should be planned to have minimal impacton the users • Keep the users informed • Engage in rumor control

  18. Incident Evaluation

  19. After Action Meeting and Report • Conduct an after actionmeeting • Prepare an after action report to document the incident, the response to the incident and the recovery from the incident • Lessons Learned? • Policy to general • Responsibilities not sufficiently defined • Inadequate monitoring tools • Systems not backed up • Hard disk needs smaller partitions • Set smaller limits on disk usage • System not scanned with tools: SATAN and ISS

  20. Action List • Law Enforcement report? • Regulatory agency report? • Insurance claim? • Disciplinary action? • Dismissal action? • Vendor report? • Updatedisaster recovery plan? • Update software to new versions? • Update employee training? • Public Affairs report? • CEO report to employees?

  21. Notify law Enforcement. • Brief/coordinate with upper management • The Law Enforcement Computer Crime Team • assumes control. • Computer crime investigation is complex, • time consuming, and resource intensive • Allow time/resources for • Investigation • Prosecution Computer Crime Investigation

  22. Define Roles. • Establish Policies. • Identify Tools. • Network Preparation. Incident Preparation Incident Response Process • Firewall Logs. • IDS Logs. • Suspicious User. • System Administrator. • Complete IR Checklist • Who/What/Where/When. • Incident Description • Hardware/Software. • Personnel Involved. • Network. Incident Detection Activate IR Team • Verify Incident. • Affected Systems. • Users Involved. • Business Impact. Initial Response Completed IR Checklist. Is it really and Incident?

  23. System Criticality. • Information Sensitivity. • Perpetrators. • Publicity. • Skill of Attacker. • System Downtime. • Dollar Loss. • Management Approval • Dollar Loss. • Downtime. • Legal Liability. • Publicity. • Intellectual Property. Response Strategy Incident Response Process-Continued Accumulate Evidence & Secure System • Best Evidence Rule. • Chain of custody. • Data Volatility. Forensic Duplication

  24. Investigate Implement Security Measures Incident Response Process Contd • Who, What, When, Where, How. • People and Things. • Isolate and Contain. • Disconnect. • Electronically isolate. • Network Filtering. Network Monitoring • Monitor throughout the incident. • Track the hacker. • No incident recurrence. • Monitor on subnet. • Monitor at boundary.

  25. New Procedures. • Reinstall files. • Reinstall from CD-Rom. • Secure System. • Turnoff unneeded services. • Apply patches. • Strong Passwords. • Strong Administration. Recovery Incident Response Process-Continued Documentation • Document everything as it occurs. • Support both criminal and civil prosecution. • Produce the final report. • Process improvement.

  26. Brave New Battles Each new technology will bring with it new forms of crime, demanding innovative security. That is the dynamic which drives our modern progress: not dreams, not ideas, but the simple desire on the part of criminals to take what is not theirs by law, and the determination of others to keep them from doing so. “This Alien Shore”, C. S. Friedman (C) 1998

  27. Summary • Thorough analysis is hard • Don’t forget to restore with same ZEAL as you investigate • Incident evaluation is critical for lessons learned

More Related