
Intrusion Detection and Analysis for Windows-Based Computers Rutgers University


Presentation Transcript


  1. Intrusion Detection and Analysis for Windows-Based Computers
  Rutgers University Office of Information Technology
  Presented by: Bruce Rights, Systems Administrator, Information Protection and Security, Enterprise Systems and Services

  2. Housekeeping
  • Hours
  • Bathrooms
  • Fire exits
  • Telephones
  • Recycling
  • Smoking
  • Contact information
  IT Certificate Program – Intrusion Analysis for Windows-Based Computers

  3. Intrusion Detection & Analysis for Windows-Based Computers
  • Welcome
  • Introduction

  4. Expectations and Objectives
  • What would you like to get out of this?
  • What are your past experiences?
  • What has happened in the last month?

  5. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Analysis and detection tools: built-in; free; third-party
  • Logging and Auditing
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions


  7. Intrusion: a definition
  • Intrude – to thrust oneself in; to enter uninvited or unwelcome; to force in.
  • Intrusion – the act of intruding

  8. Intrusion: examples
  • Viruses
  • Worms
  • Trojans
  • Spyware
  • Browser Helper Objects (BHO)
  • P2P leverage
  • Data theft
  • Denial of service
  • Remote control

  9. Intrusion: examples
  • ‘I was just looking around’
  • Keystroke logger
  • Rootkits
  • Cross-site scripting
  • Man in the middle
  • Sniffing
  • Buffer overflow
  • SQL injection
  • Password cracking

  10. Intrusion: examples: viruses
  • Sasser, Melissa, Sobig, Mydoom, etc.
  • Self-propagating
  • Purely malicious

  11. Intrusion: examples: worms
  • Code Red
  • Nimda
  • Slammer
  • Blaster

  12. Intrusion: examples: trojans
  • “a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.”

  13. Intrusion: examples: spyware
  • “…applications [that] collect information, may or may not install in stealth, and are designed to transmit that information to 2nd, or 3rd parties covertly employing the user's connection without their consent and knowledge. The word defines the actual intent; this is software (ware) that is designed to collect information in secret (spy).”

  14. Intrusion: examples: browser helper objects
  • BHOs – a DLL that allows developers to customize and control Internet Explorer
  • Most are good:
    • Google Toolbar
  • Some are bad:
    • CoolWebSearch
    • BonziBuddy

  15. Intrusion: examples: P2P leverage
  • The attacker is looking to set up a music or movie download site
  • They are looking to use your resources
  • They are looking to hide their tracks
  • BitTorrent, port 6881

  16. Intrusion: examples: denial of service
  • lsass.exe exploit (Sasser)
  • Traffic flooding:
    • SYN flood, ping of death
  • E-mail flooding
  • Log filling

  17. Intrusion: examples: remote control
  • Remote Desktop
  • VNC
  • GoToMyPC
  • pcAnywhere
  • Back Orifice
  • Beast

  18. Intrusion: examples: remote control
  • DameWare – a remote control utility
  • It has been hijacked by the bad guys
  • Processes to look for include DNTUCli.exe, DNTUCnvt.exe, DNTUS26.exe, DWADEA.exe, DWExp.exe, DWMacDis.exe, DWRCC.exe, DWRCCMD.exe, DWRCCnvt.exe, DWRCINS.exe, DWRCS.exe, DWRCST.exe, DWRTDE.exe
  • TCP port 6129
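The process names and port on slide 18 are a checklist that can be applied mechanically. The script below is an added example, not part of the deck: it screens captured output of the built-in `tasklist` and `netstat -ano` commands for those indicators and reports PIDs that match by image name, by a listener on TCP 6129, or both. The two sample outputs are constructed in the real tools' formats; a legitimate DameWare install will match too, so every hit is a lead for review against your inventory, not a verdict.

```python
# Added example (not from the deck): screen captured `tasklist` and `netstat -ano`
# output for the DameWare indicators on slide 18; both samples are constructed.
DAMEWARE_PROCESSES = {  # image names from slide 18, lower-cased for matching
    "dntucli.exe", "dntucnvt.exe", "dntus26.exe", "dwadea.exe", "dwexp.exe",
    "dwmacdis.exe", "dwrcc.exe", "dwrccmd.exe", "dwrccnvt.exe", "dwrcins.exe",
    "dwrcs.exe", "dwrcst.exe", "dwrtde.exe",
}
DAMEWARE_PORT = 6129  # TCP port from slide 18
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
explorer.exe                  2016 Console                    1     31,004 K
DWRCS.exe                     1532 Services                   0      5,240 K
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       1532
  UDP    0.0.0.0:500            *:*                                    812
"""

def parse_tasklist(text):
    """Map PID -> image name; data rows end with '<Session#> <mem> K'."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[-1] == "K" and parts[-5].isdigit():
            procs[int(parts[-5])] = " ".join(parts[:-5])  # name may contain spaces
    return procs

def tcp_listeners(text, port):
    """PIDs of TCP sockets in LISTENING state on the given local port."""
    pids = set()
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP" and p[3] == "LISTENING" \
                and int(p[1].rsplit(":", 1)[1]) == port:
            pids.add(int(p[4]))
    return pids

def dameware_findings(tasklist_text, netstat_text):
    """(pid, name, matched_name, on_port_6129) for PIDs worth a closer look."""
    listeners = tcp_listeners(netstat_text, DAMEWARE_PORT)
    found = []
    for pid, name in sorted(parse_tasklist(tasklist_text).items()):
        by_name, by_port = name.lower() in DAMEWARE_PROCESSES, pid in listeners
        if by_name or by_port:
            found.append((pid, name, by_name, by_port))
    return found
```

A listener on 6129 whose PID has an unrelated image name is the more interesting case: it is the port-only match that a renamed binary would produce.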

  19. Intrusion: examples: just looking around
  • The attacker could be practicing techniques: takes nothing, but leaves a ‘calling card’
  • Or they could be waiting to see if they get caught
  • Or they were looking for something specific that you did not have

  20. Intrusion: examples: keystroke logger
  • Can be a hardware or software device
  • How many of you check your keyboard connector every morning?
  • http://www.keyghost.com
  • Ctrl-Alt-Del provides some protection

  21. Intrusion: examples: rootkits
  • Malware which hides itself from typical detection methods
  • Can be persistent or memory-based
  • User-mode rootkits intercept the API calls used by programs such as Windows Explorer
  • Kernel-mode rootkits intercept the calls that Task Manager depends on
  • BlackLight: http://www.f-secure.com/blacklight
  • RootkitRevealer: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
  • http://invisiblethings.org/
  • http://www.rootkit.com/

  22. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Analysis and detection tools: built-in; free; third-party
  • Logging and Auditing
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions

  23. Anatomy of an intrusion: typical process
  • Reconnaissance
  • Scanning
  • Exploit systems
  • Keeping access
  • Covering tracks

  24. Anatomy of an intrusion: SQL injection
  • From an article by Jesper Johansson, Microsoft, which appeared in TechNet Magazine, Winter 2005

  25. Anatomy of an intrusion: SQL injection
  [Network diagram; labels only: Bad Guy; Internet; Router 172.17.0.1; Firewall; Web Server; Internal Domain; Router 172.17.0.2; Firewall; Data Center DC 10.1.2.x; SQL Server 192.168.2.30]
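The deck credits Johansson's article for the SQL injection walk-through but does not reproduce it. As an added example (not from the deck or the article), here is the web-tier mistake that makes the attack possible next to the parameterised query that closes it, with an in-memory SQLite table standing in for the SQL Server on the diagram. The user rows and inputs are constructed.

```python
# Added example (not from the deck): a login check built by string concatenation
# versus the same check with bound parameters. SQLite stands in for SQL Server.
import sqlite3

def make_db():
    """Constructed sample table: two users with plaintext passwords (demo only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, name, password):
    """Input is pasted into the SQL text, so a quote in the input changes the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(r[0] for r in db.execute(sql))

def login_safe(db, name, password):
    """Input is bound as data; the query's structure cannot change."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(r[0] for r in db.execute(sql, (name, password)))
```

With a quote character in the input, the concatenated version returns every row while the parameterised version returns none; the web-server logs on the diagram are where the first version's odd-looking requests would show up.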

  26. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Analysis and detection tools: built-in; free; third-party
  • Logging and Auditing
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions

  27. Analysis and detection tools: built-in
  • Task Manager
  • Add / Remove Programs
  • Event Viewer
  • Perfmon
  • ADUC / Computer Management MMC
  • Msconfig
  • IE Add-In Manager
  • Command-line tools, e.g., netstat
  • Windows Explorer

  28. Analysis and detection tools: free
  • Spybot, http://safer-networking.org
  • Ad-Aware, http://www.lavasoftusa.com
  • RADS, http://software.rutgers.edu
  • Silent Runners, http://www.silentrunners.org
  • HijackThis, http://www.merijn.org
  • CWShredder, http://www.merijn.org

  29. Analysis and detection tools: third-party
  • Trojan Hunter, http://www.trojanhunter.com
  • http://www.misec.net/

  30. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Analysis and detection tools: built-in; free; third-party
  • Logging and Auditing
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions

  31. Logging and Auditing
  • Establish an auditing and logging policy
  • This will include what to audit, and how to store and read the logs
  • Know what you are looking for – events like 513, 529, 530, 531 and 539
  • Read the logs using filtering, EventCombMT or MOM
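Slide 31 names the event IDs to watch but not what to do once they are filtered out. The script below is an added example, not part of the deck: it reads an Event Viewer tab-separated export, keeps only the IDs on the slide (meanings are those of the Windows 2000/XP/2003 Security log the deck is about), and then reports source-workstation/user pairs with repeated bad-password events (529) or a lockout (539), which is the trail password guessing leaves. The export rows are constructed; the Workstation column is added here because a real export keeps that value inside the event description.

```python
# Added example (not from the deck): pull the Security-log event IDs named on
# slide 31 out of an Event Viewer export and flag repeated logon failures.
# The export is constructed; its Workstation column carries the value a real
# export keeps inside the event description. ID meanings are those of the
# Windows 2000/XP/2003 Security log the slide refers to.
import csv
from collections import Counter
from io import StringIO

WATCH_EVENTS = {
    513: "Windows is shutting down",
    529: "logon failure: unknown user name or bad password",
    530: "logon failure: outside permitted logon hours",
    531: "logon failure: account disabled",
    539: "logon failure: account locked out",
}

SAMPLE_EXPORT = """\
Date\tTime\tSource\tType\tCategory\tEvent\tUser\tComputer\tWorkstation
3/14/2006\t08:01:12\tSecurity\tSuccess\tLogon/Logoff\t528\tjdoe\tSRV1\tPC-22
3/14/2006\t08:02:03\tSecurity\tFailure\tLogon/Logoff\t529\tadministrator\tSRV1\tWKS-99
3/14/2006\t08:02:04\tSecurity\tFailure\tLogon/Logoff\t529\tadministrator\tSRV1\tWKS-99
3/14/2006\t08:02:05\tSecurity\tFailure\tLogon/Logoff\t529\tadministrator\tSRV1\tWKS-99
3/14/2006\t08:02:06\tSecurity\tFailure\tLogon/Logoff\t539\tadministrator\tSRV1\tWKS-99
3/14/2006\t08:10:00\tSecurity\tFailure\tLogon/Logoff\t529\tjdoe\tSRV1\tPC-22
3/14/2006\t17:00:00\tSecurity\tSuccess\tSystem Event\t513\tSYSTEM\tSRV1\t-
"""

def watched_events(export_text):
    """Rows whose Event ID is on the watch list, with the ID's meaning added."""
    hits = []
    for row in csv.DictReader(StringIO(export_text), delimiter="\t"):
        event_id = int(row["Event"])
        if event_id in WATCH_EVENTS:
            row["Event"], row["Meaning"] = event_id, WATCH_EVENTS[event_id]
            hits.append(row)
    return hits

def failure_bursts(hits, threshold=3):
    """(workstation, user) pairs with `threshold`+ bad-password events (529)
    or a lockout (539): the trail repeated password guessing leaves."""
    key = lambda h: (h["Workstation"], h["User"])
    counts = Counter(key(h) for h in hits if h["Event"] == 529)
    locked = {key(h) for h in hits if h["Event"] == 539}
    return sorted(k for k in set(counts) | locked if counts[k] >= threshold or k in locked)
```

The single 529 from jdoe's own PC is the ordinary mistyped password the threshold is meant to ignore; a lockout always flags regardless of the threshold.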

  32. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Analysis and detection tools: built-in; free; third-party
  • Logging and Auditing
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions

  33. IDS and HIDS
  • Analyze incoming traffic at the application layer, looking for malicious payloads
  • Reconnaissance attacks, exploit attacks, DoS attacks
  • They use a combination of anomaly detection and signature recognition
  • HIDS often use information in the Event Logs
  • Honeypots

  34. IDS and HIDS
  • Trend Micro firewall
  • Wireshark – http://www.wireshark.org/
  • IDS – Cisco Secure IDS, http://www.cisco.com
  • IDS – Snort, http://www.snort.org
  • HIDS – BlackICE Defender, http://www.iss.net/products_services/products.php (IBM)
  • Honeypots – http://www.honeypots.net

  35. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Rootkits
  • Analysis and detection tools: built-in; free; third-party
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions

  36. Incident Response
  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

  37. Incident Response
  • Do you have a plan?
  • Phone numbers (vendors, colleagues, managers, IPS, RUPD); installation CDs; IP addresses; firewall and router configs; passwords; phone tree to notify users
  • Will you clean the infected machine(s), rebuild, or call the police?
  • What do you need to do to comply with the law?
  • Who is the decision-maker?
  • Will you keep the logs for analysis?
  • Will you be prepared to take notes to document every stage of the response?
  • www.sans.org/score/incidentforms
  • www.net-security.org/article.php?id=775

  38. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Rootkits
  • Analysis and detection tools: built-in; free; third-party
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions

  39. Forensics
  • What are you trying to achieve?
  • Best left to an outside agency or law enforcement (LEO)
  • Kits are available

  40. Overview
  • Intrusions – definitions and examples
  • Anatomy of an Intrusion
  • Rootkits
  • Analysis and detection tools: built-in; free; third-party
  • IDS and HIDS
  • Incident Response
  • Forensics
  • Final Thoughts
  • Questions

  41. Final thoughts
  • The focus needs to be on where the attacks are coming from
  • http://www.dshield.org

  42. Questions
  • What questions do you have that I did not answer?
  • What does the future hold?

  43. Questions?
  • Contact details:
    • Bruce Rights
    • brights@rutgers.edu
    • 732-445-8702

  44. Thank you for coming
  • This course is an elective component of the IT Certificate Program, a collaborative effort of the Office of Information Technology, University Human Resources, and the Internal Audit Department
  • http://uhr.rutgers.edu/profdev/it-cert-program-info.asp

  45. Information Protection & Security (a division of the Office of Information Technology [OIT])
  • ASB Annex 1, Room 102, Busch campus, 56 Bevier Road, Piscataway, NJ 08854
  • Phone: (732) 445-8011
  • Fax: (732) 445-8023
  • rusecure@rutgers.edu
