Chapter 9: Cyber Network Defense using Advanced Log Analysis

1. Chapter 9: Cyber Network Defense using Advanced Log Analysis Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

2. Introduction to Cyber Network Defense • Cyber Network Defense (CND) is continuously improving process for defending IT assets • The CND approach in this Chapter includes: • Lightweight process for CND • Set of open source scripts for network monitoring and Advanced Log Analysis (ALA) on Backtrack • Agile strategy for escalating defenses • Cyber investigations process • Scenario for eradicating browser-based spyware • Instructions for implementing the processes Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

3. General Method and Tools for Cyber Investigations • Investigations are based upon The Scientific Method to focus activities: • Observation • Hypothesis • Evaluation: Analyze and Interpret Data • Prediction • Repeat the method to validate predictions Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

4. Continuous Cyber Investigation Strategy • Full packet capture when network quiet • Capture IDS alerts during busy hours • Investigation of suspicious alerts • Host-Based Security (HBS) • Firewalls • Regular updates/upgrades to processes and technical components • Integrated CND Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

5. Summary of Cyber Investigation Process • Use the custom CND scripts, a daily monitoring & investigation process: • # ./snortcap - Run IDS on overnight packet capture. • # ./headcap | wc - How many alerts overnight? • # ./statcap - Count and rank the top alerts. • # ./hostcap - Which are the top alerting hosts? • # ./alertipcap 10.10.100.10 - What are the alert details for that host? • # sort sum*10.10* | uniq –c | sort –rn - Rank the top alerts for IP • # ./iporgcap 10.10.100.10 - Which external domains are alerting for IP? • # whois 64.94.107.15 - Who owns this unresolved domain? • Use an Internet browser to investigate external IPs and domains. Discover these domains with the following command: • # ./orgcap - What are all the external alerting domains? Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

6. Network Monitoring • Establish Switched Port Analyzer (SPAN) on the core switch or firewall • Mirrors all network traffic for IDS • To begin the IDS in real time, you can use the following daycap script: • #!/bin/bash • # Add a parameter like ./daycap keep -- in order to append to logs • # By default, daytime logs are deleted to conserve space • if [$1 -eq ""]; then rm /tmp/alert /tmp/snort.log.*; fi • /usr/local/bin/snort -A full -c /etc/snort/snort.conf -l /tmp Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

7. Advanced Text Log Analysis • A set of custom scripts are explained in detail in Chapter 9 – teaching you gawk • Example: The statcap script creates a histogram of the most frequent alerts: • #!/bin/bash • gawk "BEGIN {FS=\"\n\";RS=\"\n\n\"} {print $1}" alert | gawk '/\[\*\*\]/' | sort | uniq -c | sort -rn | less • The hostcap script finds the host generating the most alerts: • #!/bin/bash • cat alert | gawk '{FS="\n";RS="\n\n"; /TCP/; print $3}' | gawk '{print $2}' | gawk -F\: '{print $1}' | gawk '/[0-9\.]+/' | sort | uniq -c | sort –rn Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

8. Advanced Binary Log Analysis: Wireshark Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

9. Advanced Binary Log Analysis: tcpdump Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

10. Reporting Cyber Investigations • Lesson Learned: Do not go to a cybersecurity professional and inform them that their machine is generating copious beacons – Panic ensues! • Instead, approach reporting in a non-judgemental, diplomatic manner • Provide proof of your findings • It will certainly be requested • Empower people to resolve the problem with guidance and mentoring Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

11. Elimination of Cyber Threats • Block suspicious IPs using the host file (Windows and Linux): • 127.0.0.1 ak.quantcast.com • Block suspicious IPs from entire net at firewall (e.g. CISCO): • $ enable • Password: • # config t • (config)# object-group network Blocked_IPs • (config-network)# network-object 64.94.107.0 255.255.255.0 • (config-network)# network-object 66.235.147.0 255.255.255.0 • <repeat for additional IPs> • (config-network)# exit • (config)# access-list in2out2 extended deny ip any object-group Blocked_IPs • (config)# access-list in2out2 extended permit ip any any • (config)# access-group in2out2 in int inside • (config)# show config • (config)# wr mem • (config)# exit • # exit Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

12. Logs on Various OS/Services Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

13. Intrusion Discovery on Windows • To detect intrusions, seek out: • Unusual processes and services • Unusual files and registry keys • Unusual network activity • Unusual scheduled tasks • Unusual accounts • Unusual log entries Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

14. Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions REVIEW Chapter Summary