Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
- 1. Detecting Intrusions and Malware
August, 2012
Eric Vanderburg, MBA, CISSP
JurInnov, Ltd.
© 2012 JurInnov Ltd. All Rights Reserved.
- 2. Malware
• Malware
– Software that enters a computer system without the
owner’s knowledge or consent
– Performs unwanted and usually harmful action
• Malware objectives
– Rapidly spread its infection
– Conceal its purpose
– Make profit for its creators
- 3. Malware – Virus
• Viruses
– Malicious computer code that
reproduces on a single
computer
– An FBI survey revealed that
despite protection programs,
82% of organizations have been
infected by a virus.
- 4. Malware - Virus
• Methods of spreading virus
– Virus appends itself to a file
– Virus changes the beginning of the file
• Adds jump instruction pointing to the virus
– Swiss cheese infection
• Injects portions of code throughout program’s executable
code
- 5. Malware – Virus
• Virus actions
– Causing computer to crash repeatedly
– Displaying an annoying message
– Erasing files from hard drive
– Making copies of itself to consume all space on the
hard drive
– Turning off security settings
– Reformatting the hard drive
- 6. Malware – Virus
• Virus can only replicate on host
computer
– Cannot spread between computers without
user action
• Types of viruses
– Program virus
• Infects program executable files
– Macro virus
• Stored within a user document
- 7. Malware - Worm
• Worms
– Malicious program designed to
take advantage of a
vulnerability in an application
or operating system
– Searches for another computer
with same vulnerability
– Sends copies of itself over the
network
- 8. Malware - Worm
• Worm actions
– Consume network resources
– Allow computer to be controlled remotely
– Delete files
- 9. Malware - Trojan
• Trojan horses
– install malicious software
under the guise of doing
something else
– Executable program containing
hidden malware code
– Program advertised as
performing one activity but
actually does something else
- 10. Malware - Trojan
• Trojan may be installed on user’s system with
user’s approval
• Trojans typically do not replicate to same
computer or another computer
- 11. Malware – Spyware / Adware / Scareware
• Spyware
– A dangerous, prolific code that logs a user’s activity
and collects personal information, which it then
sends to a third party.
• Adware
– A relative of spyware. Typically found with free
software, they display advertisements when the
program is running. They may also contain
spyware.
• Scareware
– Software that is meant to prompt a user to action or
incite panic
- 12. Malware – Spyware / Adware / Scareware
• Spyware’s negative effects on an infected
computer
– Slow system performance
– Create system instability
– Add browser toolbars or menus
– Add shortcuts
– Hijack a home page
– Increase pop-ups
- 13. Malware – Spyware / Adware / Scareware
• Adware
– Software program that delivers advertising content:
• In an unexpected and unwanted manner
• Adware actions
– Display pop-up ads and banners
– Open Web browsers at random intervals
– May display objectionable content
– May interfere with user productivity
– May track and monitor user actions
- 14. Malware – Spyware / Adware / Scareware
• Scareware
– Software that displays a fictitious warning
– Tries to impel user to take action
– Uses legitimate trademarks or icons
– Pretends to perform a security scan and find serious
problems
– Offers purchase of full version of software to fix
problems
– Victim provides credit card number to attacker
• Attacker uses number to make fraudulent purchases
- 15. Malware - Rootkit
• Rootkit
– Set of software tools used by an attacker
– Conceals presence of other malicious software
– Actions
• Deleting logs
• Changing operating system to ignore malicious activity
- 16. Malware - Keylogger
• Keylogger
– Hardware or software that captures keystrokes
– Information can be retrieved by an attacker
• Hardware keylogger
– Installed between computer keyboard and USB port
• Software keylogger
– Hides itself from detection by the user
- 17. Malware - Bots
• Bots
– A type of malware that allows
an attacker to gain control over
the infected computer (also
called “zombie computers”)
and allow them to use a
company’s network to send
spam, launch attacks and infect
other computers.
- 18. Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
– Torrents
• Data mining
• Hacking
• Spread itself
- 19. History
1999 Pretty Park
• Used IRC for C&C & updates
• ICQ & email harvesting
• DoS
1999 SubSeven
• Used IRC for C&C
• Keylogger
• Admin shell access
2000 GTBot
• Bounce (relay) IRC traffic
• Port scan
• DDoS
• Delivery: email
2002 AgoBot
• Modular design
• DDoS
• Hides with rootkit tech
• Turns off antivirus
• Modifies host file
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire)
2002 SDBot
• Keylogger
• Delivery: WebDav and MSSQL vulnerabilities, DameWare remote mgmt
software, password guessing on common MS ports & common backdoors
2003 SpyBot
• Builds on SDBot
• Customizable to avoid detection
• DDoS, Keylogger, web form collection, clipboard logging,
webcam capture
• Delivery: SDBot + P2P
2003 RBot
• Encrypts itself
• Admin shell access
2004 PolyBot
• Builds on AgoBot
• Polymorphs through encrypted encapsulation
2005 MyTob
• DDoS, Keylogger, web form collection, webcam capture
• Delivery: email spam using MyDoom w/ own SMTP server
- 20. History
2006 Rustock
• Spam, DDoS
• Uses rootkit to hide
• Encrypts spam in TLS
• Robust C&C network (over 2500 domains)
• Delivery: email
2007 Cutwail
• Spam, DDoS
• Harvests email addresses
• Rootkit
• Delivery: Email
2007 Storm
• Spam
• Dynamic fast flux C&C DNS
• Malware re-encoded twice/hr
• Defends itself with DDoS
• Sold and “licensed”
• Delivery: Email enticement for free music
2007 Zeus
• Phishing w/ customizable data collection methods
• Web based C&C
• Stealthy and difficult to detect
• Sold and “licensed” to hackers for data theft
• Delivery: Phishing, Social Networking
2008 TDSS
• Sets up a proxy that is rented to others for anonymous web access
• Delivery: Trojan embedded in software
2008 Mariposa (Butterfly)
• Rented botnet space for spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB
- 21. History
2009 Koobface
• Installs pay-per-install
malware
• Delivery: Social Networking
- 22. Life Cycle
(Diagram: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up)
• Exploit
– Malicious code
– Unpatched vulnerabilities
– Trojan
– Password guessing
– Phish
• Rally - Reporting in
– Log into designated IRC channel and PM master
– Make connection to http server
– Post data to FTP or http form
- 23. Life Cycle
(Diagram: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up; figure: Agobot host control commands)
• Preserve
– Alter A/V dll’s
– Modify Hosts file to prevent A/V
updates
– Remove default shares (IPC$,
ADMIN$, C$)
– Rootkit
– Encrypt
– Polymorph
– Retrieve Anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes
<preserve>
<pctrl.kill "Mcdetect.exe"/>
<pctrl.kill "avgupsvc.exe"/>
<pctrl.kill "avgamsvr.exe"/>
<pctrl.kill "ccapp.exe"/>
</preserve>
- 24. Life Cycle
(Diagram: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up)
• Inventory
– determine capabilities such as RAM, HDD, Processor,
Bandwidth, and pre-installed tools
• Await instructions from C&C server
• Update
– Download payload/exploit
– Update C&C lists
- 25. Life Cycle
(Diagram: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up)
• Execute commands
– DDoS
– Spam
– Harvest emails
– Keylog
– Screen capture
– Webcam stream
– Steal data
• Report back to C&C server
• Clean up - Erase evidence
- 26. Propagation
• Scan for windows shares and guess passwords
($PRINT, C$, D$, E$, ADMIN$, IPC$) – find
usernames, guess passwords from list
– Remember to use strong passwords
(Figure: Agobot propagation functions)
- 27. Propagation
• Use backdoors from common trojans
• P2P – makes files available with enticing names
hoping to be downloaded. File names consist of
celebrity or model names, games, and popular
applications
• Social networking – Facebook posts or messages
that provide a link (Koobface worm)
- 28. Propagation
• SPIM
– Message contact list
– Send friend requests to contacts from email lists or
harvested IM contacts from the Internet
• Email
– Harvests email addresses from ASCII files such as
html, php, asp, txt and csv
– Uses own SMTP engine and guesses the mail server by
putting mx, mail, smtp, mx1, mail1, relay or ns in
front of the domain name.
- 29. Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP
(weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (Ex: Researchers in
2004 redirected C&C to monitoring server)
- 30. Detecting bots
• Monitor port statistics on network equipment and
alert when machines utilize more than average
– Gather with SNMP, netflow, or first stage probes (sniffers)
attached to port mirrored ports on switches.
• Wireshark
• Real-time NetFlow analyzer – SolarWinds free NetFlow
tool
• Small Operation Center or MRTG – free
SNMP/syslog server with dashboard
• SNARE – event log monitoring (Linux & Windows
agents)
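As an added illustration of the first bullet (per-machine volume compared against its usual level), the script below is not from the slides or from any of the tools listed; it builds a baseline from per-host byte counters of the kind SNMP interface statistics or NetFlow would provide, and flags a host whose current interval exceeds its own average by a large factor. The counter values and the factor of 5 are constructed assumptions.

```python
"""Added example, not part of the original slides: a per-host volume baseline
built from interface byte counters (the kind of data SNMP or NetFlow exports),
with an alert for any host that exceeds its own average by a large factor.
All counter values below are constructed sample data."""
from statistics import mean

# Constructed: bytes sent per host in each of six earlier polling intervals
# (e.g. ifOutOctets deltas on the switch port the host is attached to).
HISTORY = {
    "10.0.0.11": [120_000, 95_000, 130_000, 110_000, 105_000, 98_000],
    "10.0.0.12": [60_000, 75_000, 70_000, 65_000, 80_000, 72_000],
    "10.0.0.13": [200_000, 180_000, 210_000, 190_000, 205_000, 195_000],
}

# Constructed: bytes sent per host in the interval being checked.
CURRENT = {
    "10.0.0.11": 115_000,
    "10.0.0.12": 2_400_000,   # far above this host's usual volume
    "10.0.0.13": 199_000,
    "10.0.0.99": 40_000,      # host never seen in the learning window
}


def baseline(history):
    """Average bytes per interval for each host over the learning window."""
    return {host: mean(samples) for host, samples in history.items()}


def find_outliers(history, current, factor=5.0):
    """Return (host, reason) pairs for hosts that deviate from their baseline.

    A host is flagged when its current volume exceeds `factor` times its own
    average, or when it has no baseline at all (a new machine on the segment),
    which is also worth a look when hunting for bots.
    """
    base = baseline(history)
    flagged = []
    for host, nbytes in current.items():
        avg = base.get(host)
        if avg is None:
            flagged.append((host, "no baseline"))
        elif nbytes > factor * avg:
            flagged.append((host, f"{nbytes / avg:.1f}x baseline"))
    return flagged


if __name__ == "__main__":
    for host, reason in find_outliers(HISTORY, CURRENT):
        print(f"ALERT {host}: {reason}")
```

A per-host baseline catches a single infected machine that a segment-wide average would hide; in practice the learning window should be long enough to cover normal daily and weekly cycles.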
- 31. Who Are the Attackers?
• Cybercriminals
• Script kiddies
• Spies
• Insiders
• Cyberterrorists
• Hacktivists
• Government agencies
(Chart: skills required)
- 32. Cybercriminals / Organized Crime
• Generic definition
– People who launch attacks against other users and
their computers
• Specific definition
– Loose network of highly motivated attackers
– Many belong to organized gangs of attackers
• Targets
– Individuals and businesses
– Businesses and governments
- 33. Cybercriminals / Organized Crime
• Lee Klein compromised the Lexis-Nexis system
and may have stolen personal data of up to
13,000 users and sold the data to the Bonanno
crime family.
• Groups based in the former Soviet Union have
been repeatedly implicated in significant
computer breaches.
- 34. Cybercriminals / Organized Crime
• In 2005, federal agents conducted a sting operation
in order to arrest members of a group known as
‘ShadowCrew’. This gang was a group of hackers
working together to conduct a variety of computer
crimes including identity theft.
• This phenomenon is international in scope. Korean
authorities have also arrested gangs of online
criminals.
• The most common crime for these groups is identity
theft.
- 35. Script Kiddies
• Attackers who lack knowledge necessary to
perform attack on their own
• Use automated attack software
• Can purchase “exploit kit” for a fee from other
attackers
• Over 40 percent of attacks require low or no
skills
- 36. Spies
• People hired to break into a computer and steal
information
• Do not randomly search for unsecured
computers
– Hired to attack a specific computer or system
• Goal
– Break into computer or system
– Take information without drawing attention to their
actions
• Generally possess excellent computer skills
- 37. Spies
• It is generally believed by security experts that many
companies have purchased information from freelance
individuals without asking where that information came
from.
• In 2008, the SANS institute ranked cyber espionage as
the third greatest threat on the internet.
• In 1993, General Motors (GM) and one of its partners
began to investigate a former executive, Inaki Lopez. GM
alleged that Lopez and seven other former GM
employees had transferred GM proprietary information
to Volkswagen (VW) in Germany via GM's own network.
- 38. Spies
• CIO Magazine examined the issue of government
based cyber espionage in a 2009 article. Their article
discusses the possibility that the Chinese
government was behind a widespread infiltration of
over 1200 computers owned by over 100 countries,
with the express purpose of spying on the activities
of those countries.
• One week before Christmas 2009, the story broke
that hackers had stolen secret defense plans of the
United States and South Korea.
- 39. Insiders
• An organization’s own employees, contractors,
and business partners
• One study showed 48 percent of data breaches
are caused by insiders accessing information
• Most insider attacks: sabotage or theft of
intellectual property
• Most sabotage comes from employees who have
recently been demoted, reprimanded, or left the
company
- 40. Cyberterrorists
• Goals of a cyberattack
– Deface electronic information
• Spread misinformation and propaganda
– Deny service to legitimate computer users
– Cause critical infrastructure outages and corrupt vital
data
• Attacks may be ideologically motivated
- 41. Cyberterrorists
• According to the FBI “cyber terrorism is the
premeditated, politically motivated attack against
information, computer systems, computer
programs, and data which result in violence against
noncombatant targets by sub national groups or
clandestine agents.”
• In 2008 and 2009 there have been growing reports
of attacks on various systems tracing back to South
Korea or China.
- 42. Hacktivists
• Motivated by ideology
• Direct attacks at specific Web sites
• May promote a political agenda
– Or retaliate for a specific prior event
- 43. Governments
• May instigate attacks against own citizens or
foreign governments
• Examples of attacks by government agencies
– Malware Flame targeted at computers in Eastern
Europe
– Malware Stuxnet targeted a nuclear power plant near
Persian Gulf
– Iranian government reads e-mail messages of 30,000
citizens
• Attempt to track down dissidents
- 44. Governments
• Attacks are
– Premeditated, politically-motivated attacks against
computer systems
– Intended to cause panic, provoke violence, or cause
financial catastrophe
• Possible targets
– Banking industry
– Air traffic control centers
– Water systems
- 45. Governments
• This can mean attempting to spread disinformation in an
attempt to mislead the enemy or propaganda in order to
undermine the enemy’s morale.
• The first way in which the internet is used in information
warfare is in the realm of propaganda. Every stakeholder
in any situation has their own interpretation of events
and news.
• Law enforcement agencies have successfully used fake
websites, fake craigslist ads, and other techniques to help
capture criminals. It is also possible to utilize the
internet to feed misinformation to criminals and
terrorists.
- 46. Networking Concepts
• TCP/IP
• IP Addressing
• Packet Fragmentation
• ICMP
• Wireless
• Other Protocols
– DNS
– DHCP
– PPTP, SSTP, L2TP
- 47. OSI Reference Model
(Diagram: the seven layers on two communicating hosts, each layer peering with the same layer on the other side)
• Application ↔ Application
• Presentation ↔ Presentation
• Session ↔ Session
• Transport ↔ Transport
• Network ↔ Network
• Datalink ↔ Datalink
• Physical ↔ Medium ↔ Physical
- 48. Encapsulation
• Enclosing some data within another thing so
that the included data is not apparent.
- 49. Application – Layer 7
• Where programs access network services
• FTP, HTTP, Client Software
• Problems at this layer:
– Misconfigured settings
– Incompatible commands
- 50. Presentation – Layer 6
• Formats data
• Protocol conversion
• Encryption
• Compression
• Character set (ASCII, Unicode, EBCDIC)
• Problems at this layer:
– Cannot decrypt
– Wrong conversion
- 51. Redirector
• Sends requests for services to the appropriate
network device.
• RDR can sometimes stand for redirector
– Rdr.sys
– Windows redirector registry entries stored in
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr
- 52. Session – Layer 5
• Manages communication
• Identification
• Window size
• Keep alive messages
• ACK, NAK
• Name resolution
– DNS
– NetBIOS
• Logon
• Problems at this level:
– Incorrect or no name resolution
- 53. Transport – Layer 4
• Segmenting
• Sequencing
• Error checking
• Flow control – as much data as can handle
• TCP & SPX
• Problems at this layer:
– Overly large segments
- 54. Network – Layer 3
• Logical addressing
• Routing
• QOS
• Deals with packets
• IP & IPX
• Problems at this layer:
– Incorrect routing (bad config)
– Incorrect routing table
– Incorrect routing protocol
– Incorrect IP configuration
- 55. Datalink – Layer 2
• Physical Addressing
• Deals with frames
• Discards bad frames
• Convert to bits
• Problems at this layer:
– Collisions
– Bad frames
– Faulty NIC
– Incorrect bridging tables
- 56. Datalink Sublayers
• MAC
– Manages multiple NICs
– Creates frame and sends to physical
– Sense carrier
– Pass tokens
• LLC
– Error recovery
– Integrity checking
- 57. Physical – Layer 1
• Encoding - Convert bits to signals
– 101001011001
• Problems at this level:
– Interference
– Noise
– Cable not connected
- 58. OSI & TCP/IP
OSI Model        TCP/IP
Application      Application
Presentation     Application
Session          Application
Transport        Transport
Network          Internet
Datalink         Network
Physical         Network
- 59. IP Addresses
• Class A - 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
– First bit 0; 7 network bits; 24 host bits
– Initial byte: 0 - 127
– 126 Class As exist (0 and 127 are reserved)
– 16,777,214 hosts
• Class B - 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
– First two bits 10; 14 network bits; 16 host bits
– Initial byte: 128 - 191
– 16,384 Class Bs exist
– 65,532 hosts
• Class C - 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh
– First three bits 110; 21 network bits; 8 host bits
– Initial byte: 192 - 223
– 2,097,152 Class Cs exist
– 254 hosts
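To make the bit layout above concrete, the following is an added example (mine, not from the slides): it reads the leading bits of the first octet to decide the class, then derives the network and host portions and the usable host count (2 to the host bits, minus the all-zeros and all-ones addresses). It also recognises first octets from 224 upward, which the class A–C table above does not cover.

```python
"""Added example, not from the slides: derive the address class and the
network/host split of an IPv4 address from the leading bits of its first
octet, following the class A/B/C bit layout shown on the slide."""

# (class, bit pattern of the class prefix, number of class bits, fixed prefix length)
# The class bits themselves are not counted as network bits.
_CLASSES = (
    ("A", 0b0,   1, 8),    # leading 0   -> 7 network bits, 24 host bits
    ("B", 0b10,  2, 16),   # leading 10  -> 14 network bits, 16 host bits
    ("C", 0b110, 3, 24),   # leading 110 -> 21 network bits, 8 host bits
)


def _to_int(addr):
    """Dotted quad -> 32-bit integer, rejecting anything malformed."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def _to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify(addr):
    """Return class, bit counts, usable host count and the network/host split."""
    value = _to_int(addr)
    first = value >> 24
    for cls, pattern, class_bits, prefix in _CLASSES:
        if first >> (8 - class_bits) == pattern:     # compare only the class bits
            host_bits = 32 - prefix
            mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
            return {
                "class": cls,
                "network_bits": prefix - class_bits,
                "host_bits": host_bits,
                "usable_hosts": 2 ** host_bits - 2,   # all-zeros and all-ones excluded
                "network": _to_dotted(value & mask),
                "host": _to_dotted(value & ~mask & 0xFFFFFFFF),
            }
    # First octet 224 or above: class D (multicast) or E (reserved), not classful unicast.
    return {"class": "D/E", "network_bits": None, "host_bits": None,
            "usable_hosts": None, "network": None, "host": None}


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.19", "224.0.0.1"):
        print(sample, classify(sample))
```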
- 60. Packet Fragmentation
• Data is split into many packets
• Encapsulation, de-encapsulation and padding
cause additional fragmentation
• Reassembled by sequence number
- 61. ICMP – To Ping or not to Ping
• Internet Control Message Protocol
– Checks host alive status
– Susceptible to attacks
• Smurf- broadcast pings with spoofed address
• PoD (Ping of Death) – ICMP packet larger than 65,535 bytes
– causes buffer overflow upon reassembly
– Can be used to footprint
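The Ping of Death bullet above describes a reassembly failure, so as an added example (not from the slides) here is the defensive check a reassembler needs: fragment offsets are carried in 8-byte units and the IP total-length field is 16 bits, so a fragment whose offset times 8 plus its payload length exceeds 65,535 cannot belong to a legal datagram and is rejected before any buffer is sized from it. The fragments are constructed sample data.

```python
"""Added example, not from the slides: the reassembly bound check that stops a
Ping of Death. Any fragment claiming bytes beyond 65,535 is rejected before
anything is buffered; gaps and a missing final fragment are rejected as well.
The fragment lists below are constructed sample data."""

MAX_DATAGRAM = 65_535   # largest value the 16-bit IP total-length field can hold
FRAG_UNIT = 8           # the 13-bit fragment-offset field counts 8-byte units


def claimed_range(offset_units, payload_len):
    """Byte range [start, end) that a fragment claims inside the original datagram."""
    start = offset_units * FRAG_UNIT
    return start, start + payload_len


def is_oversized(fragments):
    """True if any fragment would push the reassembled datagram past 65,535 bytes.

    fragments: iterable of (offset_units, more_fragments, payload_bytes).
    """
    return any(claimed_range(off, len(data))[1] > MAX_DATAGRAM
               for off, _mf, data in fragments)


def reassemble(fragments):
    """Rebuild the payload, validating bounds before buffering, then order and gaps."""
    pieces = []
    for off, mf, data in fragments:
        start, end = claimed_range(off, len(data))
        if end > MAX_DATAGRAM:                       # check BEFORE buffering anything
            raise ValueError(f"fragment at offset {start} ends at {end} > {MAX_DATAGRAM}")
        pieces.append((start, end, mf, data))
    pieces.sort(key=lambda p: p[0])
    buf = bytearray()
    expected = 0
    for start, end, mf, data in pieces:
        if start != expected:
            raise ValueError(f"gap or overlap at offset {start} (expected {expected})")
        buf += data
        expected = end
    if pieces and pieces[-1][2]:
        raise ValueError("last fragment still has the More Fragments flag set")
    return bytes(buf)


# Constructed: a normal two-fragment datagram, 1480 + 100 payload bytes
# (1480 bytes = 185 eight-byte units, so the second fragment starts at unit 185).
NORMAL = [(0, True, b"A" * 1480), (185, False, b"B" * 100)]
# Constructed: a final fragment at offset 8189 * 8 = 65,512 carrying 100 bytes,
# which would end at 65,612 bytes, beyond the maximum datagram size.
OVERSIZED = [(0, True, b"A" * 1480), (8189, False, b"X" * 100)]

if __name__ == "__main__":
    print("normal oversized?", is_oversized(NORMAL), len(reassemble(NORMAL)), "bytes")
    print("attack oversized?", is_oversized(OVERSIZED))
```

The same bound is the basis for the IDS check: a sensor can raise an alert on the offending fragment alone, without waiting for the rest of the datagram.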
- 62. Wireless - Overview
• How does it work?
• What are the risks?
• What security controls are available?
- 63. Wireless – How it works
• Spread Spectrum Technologies
– Uses multiple frequencies
• Less interference
• Redundancy
– Frequency Range: 902–928 MHz, 2.4 GHz
– Frequency Hopping
• Changes at regular intervals
• Lower bandwidth, more secure
– Direct-sequence Modulation
• Send different data chunks along multiple frequencies
• Low frequencies (just above noise)
- 64. Wireless – How it works
• 802.11a
– 54Mbps
– 5GHz
• 802.11b
– 11Mbps
– 2.4GHz
• 802.11g
– 54Mbps
– 2.4GHz
– WPA Support
• 802.11n
– 300Mbps
– 2.4GHz
- 65. Wireless – How it works
• BSA (Basic Service Area)
– Influence of the WAPs
– Depends on:
• Power of the transmitter
• Environment
• BSS (Basic Service Set)
– Stations belonging to an AP
- 66. Attacks Through Wireless Networks
• Popular types of wireless networks
– Wi-Fi
– Bluetooth
• Wi-Fi networks
– Wireless local area network (WLAN)
– Use radio frequency (RF) transmissions
– Devices in range of a connection device can send and
receive information
• Estimate: 1.4 billion wireless devices shipped in
2014
- 67. Attacks Through Wireless Networks
• Wi-Fi equipment
– Mobile device needs a wireless client interface card
adapter (wireless adapter)
– Special software to translate between device and
adapter
– Wireless broadband router or access point
• Base station for sending and receiving signals
• Gateway to the Internet
- 68. Attacks Through Wireless Networks
• Attacks on home Wi-Fi networks relatively easy
– Signal not confined within home walls
– Many users do not understand how to configure
router security
– Some users consider security an inconvenience
• Types of attacks
– Stealing data
– Reading wireless transmissions
– Injecting malware
– Downloading harmful content
- 69. Attacks Through Wireless Networks
• Free or fee-based wireless network rarely
protected
• Evil twin
– Attacker’s wireless device
– Mimics an authorized Wi-Fi device
– Attacker can use to send malware directly to victim’s
computer
- 70. Wireless – Detecting networks
• Netstumbler
• inSSIDer
• Commercial enterprise tools
- 71. Bluetooth
• Bluetooth
– Common wireless technology
– Short-range
• Up to 33 feet; 1Mbps transmission rate
– See Figure 5-5
• Bluetooth attacks
– Bluejacking
• Sending text messages
– Bluesnarfing
• Accessing unauthorized information
- 72. Other Protocols
• DNS
• DHCP
• PPTP, SSTP, L2TP
- 73. Firewalls
• Packet filters – allow or deny based on…
– Source or destination IP address
– Source or destination port
– Blocked IP lists, blacklists and whitelists
• Session-layer proxies – stateful allow or deny
decisions
– Middle-man between source and destination
– Decrypted content inspection
• Application proxies – examine one or more layer
7 traffic types such as email, SQL or HTTP.
- 74. Firewall features
• NAT
• DHCP
• VPN tunneling
• Load balancing
• Failover
• Stateful packet inspection
• Performance monitoring
• Centralized management
• SNMP
• Application proxy
- 75. Common interfaces
• Console – serial (DB9) or USB
• Secure Shell (SSH)
• Secure Copy (SCP) and SSH FTP (SFTP)
• Telnet
• Simple Network Management Protocol (SNMP)
• Trivial File Transfer Protocol (TFTP)
• Web interfaces
- 77. Intrusion Detection and Prevention Systems
• IDS – audit only
• IPS – audit and respond
• Problem with tuning down and exceptions
• Types
– Port mirrored
– Inline
– Integrated
- 78. IPS functionality
• Detection
– Signature
– Behavior
– Malformed data/protocols
• Analysis
– Protocol reassembly
– Normalization
• Rules
- 79. IPS functionality
• Alerts
– Email
– Syslog
– SNMP
– Database
• Tracing
– Summary information
– Packet captures
- 80. IPS Limitations
• Verify scope – sensors may be configured
differently
- 81. IPS Brands
• CheckPoint IPS-1
• Cisco IPS
• Corero Network Security
• Enterasys IPS
• HP TippingPoint IPS
• IBM Security NIPS
• Sourcefire 3D System
• Custom built (Snort or Bro)
- 82. Snort
• Open Source IDS
• Extensible
• Most widely used
- 83. Snort Architecture
(Pipeline diagram, left to right)
• Capture packets on bound interface(s)
• Reassemble and analyze protocol
• Anomaly detection
– protocol
– frame
– packet
• Passed to rule engine
• Determine actions
– Drop and log (pcap)
– Drop, no log
– Accept
– Accept and log (pcap)
– Notify
- 84. Rule Matching
• Directionality: -> <- <>
• Protocol
• Source IP, network or port
– log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any
– Matches data coming from outside the network (192.168.1.0/24)
• Destination IP, network or port
– log udp any any -> 192.168.1.0/24 1:1024
– Logs UDP traffic from any source port to destination ports 1 through 1024
• Content
– alert tcp !192.168.1.0/24 any -> 192.168.1.19/24 80 (content: "web.config"; msg: "outside request for web.config";)
– Finds requests for web.config from the outside and sends an alert
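The three rules above combine a header test (protocol, negatable source/destination networks, single ports or a port range, direction) with an optional content test. As an added example that is neither Snort's code nor from the slides, the matcher below parses rules in exactly that form and runs them over constructed packets; it assumes the third rule's destination is 192.168.1.0/24 and handles only the content and msg options.

```python
"""Added example, not Snort's own code and not from the slides: a minimal
matcher for rules of the form shown above (action, protocol, source, source
port, direction, destination, destination port, optional content/msg options)
run against constructed packets."""
import ipaddress
import re

# The slide's rules; the third one's destination is assumed to be 192.168.1.0/24.
RULES = [
    'log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any',
    'log udp any any -> 192.168.1.0/24 1:1024',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 80 '
    '(content:"web.config"; msg:"outside request for web.config";)',
]

# Constructed packets: an outside request for web.config, an inbound DNS reply,
# and the same web.config request from an internal host.
PACKETS = [
    {"src": "10.1.1.5", "sport": 40000, "dst": "192.168.1.19", "dport": 80,
     "proto": "tcp", "payload": b"GET /web.config HTTP/1.0\r\n"},
    {"src": "8.8.8.8", "sport": 53, "dst": "192.168.1.19", "dport": 53,
     "proto": "udp", "payload": b""},
    {"src": "192.168.1.7", "sport": 50000, "dst": "192.168.1.19", "dport": 80,
     "proto": "tcp", "payload": b"GET /web.config HTTP/1.0\r\n"},
]


def parse_addr(spec):
    """'any', 'a.b.c.d/n' or '!a.b.c.d/n' -> (negated, network or None)."""
    if spec == "any":
        return False, None
    return spec.startswith("!"), ipaddress.ip_network(spec.lstrip("!"), strict=False)


def parse_port(spec):
    """'any', 'N' or 'lo:hi' -> inclusive (lo, hi), or None for any."""
    if spec == "any":
        return None
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0), int(hi or 65535)
    return int(spec), int(spec)


def parse_rule(text):
    """Split the header into its seven fields and pull content/msg from the options."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', opts.rstrip(")")))
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src), "sport": parse_port(sport),
            "dst": parse_addr(dst), "dport": parse_port(dport),
            "content": options.get("content"), "msg": options.get("msg", "")}


def _addr_ok(rule_addr, ip):
    negated, net = rule_addr
    if net is None:
        return True
    inside = ipaddress.ip_address(ip) in net
    return not inside if negated else inside


def _port_ok(rule_port, port):
    return rule_port is None or rule_port[0] <= port <= rule_port[1]


def _one_way(rule, src, sport, dst, dport):
    return (_addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))


def matches(rule, pkt):
    """Header match (a <> rule is tried in both directions), then content match."""
    if rule["proto"] != pkt["proto"]:
        return False
    ok = _one_way(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule["dir"] == "<>":
        ok = _one_way(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if ok and rule["content"] is not None:
        ok = rule["content"].encode() in pkt["payload"]
    return ok


def run(rule_texts, packets):
    """Return (action, msg) for every rule each packet triggers, in packet order."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(r["action"], r["msg"]) for pkt in packets for r in rules if matches(r, pkt)]


if __name__ == "__main__":
    for action, msg in run(RULES, PACKETS):
        print(action, msg or "(no msg)")
```

The third packet produces no hit: the negated source network excludes internal hosts, which is the point of the `!` in the slide's rules.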
- 85. Rule matching – additional options
• Minfrag – min size for packet fragments
• Dsize – packet payload size
– dsize:100<>1000; (payload between 100 and 1000 bytes)
• Depth – how far to search in the packet
• Offset – start searching after this point
• Example
– alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)
- 86. Rule matching – additional options
• TTL – match on specific TTL
• ID – match on specific fragment ID – some
known hacking tools use specific IDs
• Logto – create separate output file
• Session – records what is typed in telnet, rlogin,
ftp, etc.
– log tcp any any <> 192.168.1.0/24 23 (session: printable; logto: ".\telnet\telnet-records.log";)
– Records telnet sessions
- 87. Rule matching - Flags
• F - FIN
• S – SYN – synchronize (request connection)
• R - RST
• P – PSH – push data up stack before waiting for
additional data
• A - ACK
• U – URG - urgent
• 2 - Reserved bit (used in fingerprinting)
• alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)
- 88. Event Collection – Windows logs
Windows NT – 2003
• Application
• Security
• System
• Special
– Directory Service
– DNS Server
– File Replication Service
– Powershell
Server 2008 / 2008 R2
• Includes 2003 logs plus:
– Administrative events
– Setup
– Server roles
• Organized by installed roles
with custom filters
- 89. Event Collection – Mac Logs
• Stored in /Library/Logs
• Over 100 logs including:
– system.log
– mail.log
– appfirewall.log
• Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53
• Unexpected UDP connection attempt
– install.log
- 90. Event Collection – Linux Logs
• Logs based on syslog
• Organized by facility such as mail or web
• Syslog-ng – supports TLS encryption for shipped
logs
• Rsyslogd – Supports IPv6, RELP (Reliable Event
Logging Protocol), TLS, timestamping and zone
logging
- 91. Event Collection – Linux Logs
• /var/log/faillog : This log file contains failed user logins. This can be
very important when tracking attempts to crack into the system.
• /var/log/kern.log : This log file is used for messages from the
operating system’s kernel. This is not likely to be pertinent to most
computer crime investigations.
• /var/log/lpr.log : This is the printer log and can give you a record of
any items that have been printed from this machine. It can be useful
in corporate espionage cases.
• /var/log/mail.* : This is the mail server log and can be very useful in
any computer crime investigation. Emails can be a component in
any computer crime, and even in some non-computer crimes such as
fraud.
• /var/log/mysql.* : This log records activities related to the MySQL
database server and will usually be of less interest to a computer
crime investigation.
- 92. Event Collection – Linux Logs
• /var/log/apache2/* : If a machine is running the Apache web server,
then this log will show related activity. This can be very useful in
tracking attempts to hack into the web server.
• /var/log/lighttpd/* : If a machine is running the Lighttpd web
server, then this log will show related activity. This can be very
useful in tracking attempts to hack into the web server.
• /var/log/apport.log : This records application crashes. Sometimes
these can reveal attempts to compromise the system, or the presence
of a virus or spyware.
• /var/log/user.log : These contain user activity logs and can be very
important to a criminal investigation.
- 93. Event Collection – Linux Logs
• There are several shell commands one can enter to
view system logs in Linux. For example, to view the
printer log any of the following would work, though
some won’t be supported by every Linux shell:
• # tail -f /var/log/lpr.log
• # less /var/log/lpr.log
• # more -f /var/log/lpr.log
• # vi /var/log/lpr.log
- 94. Chat Room Logs
• Most chat software keeps at least a temporary
log of conversations. This is true for MSN
Messenger, Yahoo Messenger and many others.
• The exact path for viewing those logs will vary
from product to product.
- 95. How Logs Get Cleared
• Clearing the log. Any user with administrative privileges can
simply wipe out a log. However, this will be obvious when you
see an empty event log.
• Using auditpol.exe. This is an administrative utility that exists in
Windows systems. It won’t show on the desktop or in the
programs—you have to know it’s there and go find it. But using
auditpol ipaddress /disable turns off logging. Then when
the criminal exits, they can use auditpol ipaddress /enable
to turn it back on.
• There are a number of utilities on the web that will assist an
attacker in this process. For example WinZapper allows one to
selectively remove certain items from event logs in Windows.
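Each of the three techniques above leaves a trace an investigator can look for: a wiped log is empty, a disable/re-enable cycle leaves a silent window, and a rewritten file may carry timestamps out of order. The following is an added example, not part of the original slides: it runs those checks over constructed syslog-style lines (not a real capture), and the 30-minute gap threshold is an assumption that should be tuned to the normal cadence of the source.

```python
from datetime import datetime, timedelta

# Constructed sample log (not a real capture): entries roughly every five
# minutes, then nothing between 10:20 and 11:45, then entries resume.
SAMPLE_LOG = """\
2012-08-14T10:05:00 host1 cron[412]: (root) CMD (run-parts /etc/cron.hourly)
2012-08-14T10:10:00 host1 sshd[501]: Accepted publickey for ops from 10.1.1.5
2012-08-14T10:15:00 host1 cron[433]: (root) CMD (run-parts /etc/cron.hourly)
2012-08-14T10:20:00 host1 sshd[520]: Accepted password for admin from 10.1.1.9
2012-08-14T11:45:00 host1 sshd[611]: Accepted password for admin from 10.1.1.9
2012-08-14T11:50:00 host1 cron[630]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_timestamps(text):
    """Return the timestamp of every non-empty line, in file order."""
    stamps = []
    for line in text.splitlines():
        if line.strip():
            stamps.append(datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%S"))
    return stamps

def audit_log(text, max_gap=timedelta(minutes=30)):
    """Return findings as (kind, start, end, minutes).

    'empty log'     - the file has no entries at all (the wiped-log case).
    'silent window' - consecutive entries further apart than max_gap, the
                      hole a disable/re-enable cycle leaves behind.
    'out of order'  - a timestamp earlier than its predecessor; an appended
                      log does not do this, a rewritten one can.
    """
    stamps = parse_timestamps(text)
    if not stamps:
        return [("empty log", None, None, 0)]
    findings = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur < prev:
            findings.append(("out of order", prev, cur, 0))
        elif cur - prev > max_gap:
            minutes = int((cur - prev).total_seconds() // 60)
            findings.append(("silent window", prev, cur, minutes))
    return findings

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(*finding)
```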
- 96. Event Collection - Tools
• WinRM – Microsoft tool that runs on Server
2008 R2
• Argus
• Softflowd
• Cisco MARS (Monitoring, Analysis and
Response System)
- 97. Event Collection - Tools
• SNARE (System iNtrusion Analysis and
Reporting Environment) – open source
• Splunk (only free for 500MB/day)
• SCOM (System Center Operations Manager)
• DAD (Distributed log Aggregation for Data
analysis)
- 98. SIEM
• Security Information and Event Management
– Log aggregation
– Correlation
– Normalization
– Alerting
– Dashboards
– Views
– Compliance reports
– Retention
- 99. Automated responses
• Throttle
• Drop
• Shun
• Island
- 100. Packet Filtering
• Sensor – monitors traffic flow, extracts flow
records and sends to collectors
• Collector – receives flow records and stores them
• Aggregator – central collection point when
multiple collectors are used
• Analysis – tool that organizes and makes sense
of the collected data
- 101. Network Analysis
• Network schematic
• Server roles
• Baselining – normal profile
– Destination IP addresses
– Ports
– Protocols
– Volume of data and directionality
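The "normal profile" on this slide is something a collector can learn and then compare against. As an added example (not from the slides), the code below builds a per-host profile of destination IPs, protocol/port pairs and outbound volume from constructed flow records, then flags a later window for new destinations, new services and a jump in outbound bytes. The records, the 3x volume factor and the assumption that both windows cover the same length of time are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (src, dst, proto, dst_port, bytes_out), not a real
# capture.  BASELINE_FLOWS is the quiet period used to learn the profile;
# WINDOW_FLOWS is a later period of equal length to judge against it.
BASELINE_FLOWS = [
    ("10.1.1.20", "10.1.1.5", "tcp", 445, 40_000),       # file server
    ("10.1.1.20", "10.1.1.53", "udp", 53, 2_000),        # DNS
    ("10.1.1.20", "203.0.113.10", "tcp", 443, 60_000),   # web
    ("10.1.1.21", "10.1.1.5", "tcp", 445, 30_000),
    ("10.1.1.21", "10.1.1.53", "udp", 53, 1_500),
]
WINDOW_FLOWS = [
    ("10.1.1.20", "10.1.1.5", "tcp", 445, 45_000),
    ("10.1.1.20", "10.1.1.53", "udp", 53, 2_100),
    ("10.1.1.20", "198.51.100.7", "tcp", 6667, 350_000),  # new peer, new port, heavy
    ("10.1.1.21", "10.1.1.5", "tcp", 445, 28_000),
]

def build_profile(flows):
    """Per source host: destinations seen, (proto, port) pairs seen, bytes out."""
    profile = defaultdict(lambda: {"dsts": set(), "services": set(), "out": 0})
    for src, dst, proto, port, out_b in flows:
        p = profile[src]
        p["dsts"].add(dst)
        p["services"].add((proto, port))
        p["out"] += out_b
    return profile

def compare(baseline, window_flows, volume_factor=3.0):
    """Return (host, reason, detail) for every deviation from the baseline."""
    findings = []
    for host, cur in build_profile(window_flows).items():
        base = baseline.get(host)
        if base is None:
            findings.append((host, "unknown host", None))
            continue
        for dst in cur["dsts"] - base["dsts"]:
            findings.append((host, "new destination", dst))
        for svc in cur["services"] - base["services"]:
            findings.append((host, "new service", svc))
        if cur["out"] > volume_factor * base["out"]:
            findings.append((host, "outbound volume", cur["out"]))
    return findings

if __name__ == "__main__":
    for finding in compare(build_profile(BASELINE_FLOWS), WINDOW_FLOWS):
        print(*finding)
```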
- 102. Analysis
• Activity pattern matching
• Packet analysis
– Libpcap and WinPcap
– Wireshark
• Traffic analysis
– Networkminer
• Persistent packet sniffing
– Data available when needed
– High disk and CPU requirement
– Must be highly secure
- 103. Wireshark - Interface
• Packet list
• Packet details
• Packet bytes
- 104. Wireshark
• Filtering
– frame contains "search term"
• Flow – sequence of packets comprising a single
communication segment.
– EX: Connection, Negotiation, File Request, File
delivery, checksum, acknowledgment, termination
– Flow record – subset of information from a flow such
as source and destination IP, protocol, date or time
- 105. Wireshark – Encrypted content
• TLS/SSL
– Obtain server or workstation private key
– Decrypt session keys with private key
– Decrypt message stream with session keys
– Record session key changes and continue decrypting
message stream
– Go to Preferences > Protocols > SSL > Edit RSA keys list > New;
point to the private key and enter IP address, port, protocol
and password
- 106. Networkminer
• Traffic analysis tool
• Graphical breakdown of…
– Hosts
– Images
– Files
– Email
– DNS
– Sessions
- 107. Wireshark / Networkminer demo
• Capture data
– Send email
• Msmith-jur2012@hotmail.com
• IknowIT2!
– Visit web site
– Run lansearch and copy files
• End capture
• Export to pcap
• View in Networkminer
- 108. Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities
found. Identify and protect machines that could be
potential bots.
– Nexpose
• Free for up to 32 IPs
– OpenVAS (Vulnerability Assessment System)
• Linux
• VM available (resource intensive)
– Greenbone Desktop Suite (uses OpenVAS)
• Windows XP/Vista/7
– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)
- 109. Architecting a Solution
– How does it fit in the security strategy?
– Scope
– Scalability
– Regulations and Standards
– Structure
• Distributed
• Centralized
– Platforms
• Black box
• Open Source
• Commercial Application
- 110. IDS/IPS
• Active or Passive
• Host, Network or Both
• Centralized or decentralized
- 111. Event Logging
• Placement
– Perimeter
– VLAN or Workgroup
– Wireless
– Choke points – maximize collection capacity within
budget and ability to process and analyze
– Minimize duplication
– Sync time
– Normalize
– Secure collector transmission pathways
- 112. Event Logging
• Local
• Remote
– Centralized
– Decentralized
– Concerns
• Time stamping
• Network reliability
• Confidentiality and integrity
- 113. Quick and Fast Rules
• Compromised hosts generally send out more
information
• Patterns (sending perspective)
– Many-to-one – DDoS, Syslog, data repository, email
server
– One-to-many – web server, email server, SPAM bot,
warez, port scanning
– Many-to-many – P2P, virus infection
– One-to-one – normal communication, targeted attack
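The flow records introduced on the Wireshark slide (source, destination, protocol, port, time) are exactly what these four patterns are judged from. As an added example that is not part of the original slides, the code below collapses constructed packet summaries into unidirectional flow records and then labels each host with one of the patterns above, using fan-out (distinct peers it sends to) and fan-in (distinct peers sending to it). The packets and the threshold of three peers for "many" are constructed for the example.

```python
from collections import defaultdict

# Constructed packet summaries (time, src, dst, proto, dst_port, length), not a
# real capture: one host probing four neighbours on tcp/22, three hosts sending
# syslog to one collector, and a single ordinary DNS lookup.
PACKETS = [
    (0.0, "10.1.1.20", "10.1.1.1", "tcp", 22, 60),
    (0.1, "10.1.1.20", "10.1.1.2", "tcp", 22, 60),
    (0.2, "10.1.1.20", "10.1.1.3", "tcp", 22, 60),
    (0.3, "10.1.1.20", "10.1.1.4", "tcp", 22, 60),
    (1.0, "10.1.1.30", "10.1.1.5", "udp", 514, 200),
    (1.5, "10.1.1.31", "10.1.1.5", "udp", 514, 180),
    (1.6, "10.1.1.31", "10.1.1.5", "udp", 514, 220),
    (2.0, "10.1.1.32", "10.1.1.5", "udp", 514, 190),
    (2.5, "10.1.1.30", "10.1.1.53", "udp", 53, 70),
]

def flow_records(packets):
    """Collapse packets into unidirectional flow records keyed by
    (src, dst, proto, dst_port) with first/last seen, packet and byte counts."""
    flows = {}
    for ts, src, dst, proto, port, length in packets:
        rec = flows.setdefault((src, dst, proto, port),
                               {"first": ts, "last": ts, "packets": 0, "bytes": 0})
        rec["last"] = max(rec["last"], ts)
        rec["packets"] += 1
        rec["bytes"] += length
    return flows

def host_patterns(flows, fan_threshold=3):
    """Label each host with the slide's pattern from the sending perspective."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for src, dst, _, _ in flows:
        out_peers[src].add(dst)
        in_peers[dst].add(src)
    patterns = {}
    for host in set(out_peers) | set(in_peers):
        many_out = len(out_peers[host]) >= fan_threshold
        many_in = len(in_peers[host]) >= fan_threshold
        if many_out and many_in:
            patterns[host] = "many-to-many"   # P2P, spreading infection
        elif many_out:
            patterns[host] = "one-to-many"    # server replies, scanning, spam bot
        elif many_in:
            patterns[host] = "many-to-one"    # syslog collector, repository, DDoS target
        else:
            patterns[host] = "one-to-one"     # normal traffic, or a targeted attack
    return patterns

PATTERNS = host_patterns(flow_records(PACKETS))
```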