Black Hat Briefings 2001

Solving Network Mysteries

Dan VanBelleghem, CISSP
SRA International, Inc.
[email protected]

SRA International, Inc. Information Assurance Division



Slide - 2 Solving Network Mysteries

Dan VanBelleghem

Senior Information Assurance Engineer - SRA
• Penetration Testing
• Security Training
• Security Readiness Reviews
• Incident Response
• Security Assessments

Director of Security Programs - Network Forensics
• Security Assistance Teams for US DoD - BAH
• Security Audits and Assessments for Fortune 500 - D&T

Slide - 3 Solving Network Mysteries

Network Mystery Quiz

Do you know:
• What is happening on your network?
• What users are doing?
• If users are compliant with policy?
• If users' internal and external network communications affect the enterprise security posture?
• If anomalous behavior is detectable on the network?
• Why network diagrams are not enough?

Slide - 4 Solving Network Mysteries

Objectives

The objectives of this session are to provide an overview of the following:
• Examples of network activities that are often overlooked
• Techniques used in solving mysteries
• Benefits from audit & monitoring
• Recommendations for performing audit & monitoring

Slide - 5 Solving Network Mysteries

Observations

• The following observations will provide examples of network security issues that could have been discovered with good audit and monitoring practices in place
• Discovery, analysis and lessons learned will be discussed for each of the following examples:
  • Uncovering DDOS agents
  • Harassing e-mails
  • Rogue servers and applications
  • System administrator misuse

Slide - 6 Solving Network Mysteries

DDOS Agent Discovery

Background
• Enterprise network solution company
• Firewall policy allowed DNS traffic
• Firewalls managed in Colorado
• DNS servers managed locally at other national offices

Slide - 7 Solving Network Mysteries

DDOS

[Network diagram; labels as extracted: F, INTERNET, victim.com HQ (Local DNS, Secondary DNS; "Managed by network operations"), "Permit DNS", victim.com Local Offices (Primary DNS; "Managed by local office staff")]

Slide - 8 Solving Network Mysteries

DDOS

[Same network diagram as slide 7, with an Attacker added on the INTERNET side]
• DNS service exploited
• Root access gained
• Trust relationships exploited
• DDOS agent planted

Slide - 9 Solving Network Mysteries

DDOS Agent Discovery

Techniques used for discovery
• Network traffic analysis
  • "unusual traffic"
• Firewall logs reviewed
• DNS server and OS logs reviewed

Slide - 10 Solving Network Mysteries

DDOS Agent Discovery

Lessons learned
• Firewall logs not reviewed
• DNS server (OS and application) logs not reviewed
• IP spoofing not monitored internally
• Integrity checking not performed

Slide - 11 Solving Network Mysteries

DDOS Agent Discovery

Recommendations
• Perform regular log review of network service systems (DNS, Firewall, Mail, etc.)
  • Automate
  • Outsource
• Monitor and review network traffic patterns and trends
  • Network monitors
  • Network device logs
• Perform host integrity checking for critical assets
  • Tripwire
  • System profile checkers
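One way to do the host integrity check recommended above, as an added example that is neither Tripwire nor the author's own code: baseline SHA-256 digests of a directory tree, then re-scan and classify every difference. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> digest for every regular file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = file_digest(full)
    return snap


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake config tree, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "named.conf"), "w") as f:
        f.write('options { directory "/var/named"; };\n')
    with open(os.path.join(etc, "inetd.conf"), "w") as f:
        f.write("ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n")
    # The baseline must be kept where the monitored host cannot rewrite it
    # (read-only media or another host); here it is only serialized.
    baseline = json.dumps(snapshot(root))

    # Changes of the kind a check should surface: one file edited,
    # one new startup file dropped, one file deleted.
    with open(os.path.join(etc, "inetd.conf"), "a") as f:
        f.write("shell stream tcp nowait root /usr/sbin/in.rshd in.rshd\n")
    with open(os.path.join(etc, "rc.local"), "w") as f:
        f.write("/usr/local/bin/agent &\n")
    os.remove(os.path.join(etc, "named.conf"))
    return compare(json.loads(baseline), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```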

Slide - 12 Solving Network Mysteries

Harassing E-mails

Background
• Employee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)
• An internal employee was suspected but could not be confirmed

Slide - 13 Solving Network Mysteries

Harassing E-mails

Techniques used for discovery
• Collected network traffic using a packet sniffer
• Searched traffic for hosts going to and from hotmail.com
• Once an originating IP address was found, then searched for the user name that sent the anonymous e-mail
• Specifically looked for CGI postings of the message - this was the proof to determine the person who sent it

Slides - 14 to 22 Solving Network Mysteries

Harassing E-mails (cont.)

[Slides 14 through 22 are screenshots only (slide 17 carries the title "Harassing E-mails (cont.)"); no text content was extracted]

Slide - 23 Solving Network Mysteries

Harassing E-mails

Recommendations
• Implement e-mail policy
• Monitor for non-production e-mail traffic
• Develop monitoring scripts or procure commercial tools
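The sniffer search from the Harassing E-mails discovery slide (hosts talking to hotmail.com, then the CGI posting that names the sender) together with the "monitoring scripts" recommendation above, as an added example and not the author's own tooling. The record layout stands in for decoded sniffer output; the destination addresses, CGI paths, account names and the message marker are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed records standing in for decoded HTTP requests from a sniffer:
# source IP, destination IP, method, Host header, path, body ("-" if none).
SAMPLE = """\
10.10.20.45 203.0.113.12 GET www.hotmail.com /cgi-bin/hmhome -
10.10.20.71 203.0.113.20 GET www.hotmail.com /cgi-bin/folders -
10.10.20.88 10.10.5.9 GET intranet.example.com /index.html -
10.10.20.45 203.0.113.12 POST www.hotmail.com /cgi-bin/premail login=jdoe&to=recipient%40example.com&body=message+text
10.10.20.71 203.0.113.20 POST www.hotmail.com /cgi-bin/logout login=msmith
"""

WEBMAIL_DOMAINS = ("hotmail.com",)   # extend with other non-production webmail


def parse(text):
    """Yield one dict per record; the body may contain no spaces (URL-encoded)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, method, host, path, body = line.split(" ", 5)
        yield {"src": src, "dst": dst, "method": method,
               "host": host, "path": path, "body": body}


def is_webmail(host):
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)


def webmail_hosts(records):
    """Policy view: every internal host that touched webmail at all."""
    return sorted({r["src"] for r in records if is_webmail(r["host"])})


def find_cgi_posts(records, marker):
    """Investigative view: POSTs to webmail CGI whose message body contains
    the marker text. Returns (source IP, webmail account, recipient)."""
    hits = []
    for r in records:
        if r["method"] != "POST" or not is_webmail(r["host"]):
            continue
        if "/cgi-bin/" not in r["path"] or r["body"] == "-":
            continue
        form = parse_qs(r["body"])          # decodes %40 and '+' for us
        if marker not in form.get("body", [""])[0]:
            continue
        hits.append((r["src"], form.get("login", ["?"])[0],
                     form.get("to", ["?"])[0]))
    return hits


if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    print("webmail users:", webmail_hosts(recs))
    print("posted the message:", find_cgi_posts(recs, "message text"))
```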

Slide - 24 Solving Network Mysteries

Rogue Servers/Applications

Background
• Users install unauthorized devices, "stowaways," on the production network
• Enabling write access on anonymous ftp services for convenience
• Users installing unauthorized services (e.g., web servers) on the production network

Slide - 25 Solving Network Mysteries

Rogue Servers/Applications

Techniques used for discovery
• Monitoring procedures implemented
  • Leveraged automation
    • Network sweep: fping
    • TCP/UDP port scanning: nmap
  • Consider appliance solution: NetFox
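The fping sweep and nmap scan above only find rogue hosts and services when their results are compared against what is authorized; this added example (not the author's or either tool's code) does that comparison. The inventory and both tool outputs are constructed sample text in the formats fping and nmap -oG print.

```python
import re

# Constructed authorized inventory: host -> TCP ports it is allowed to serve.
INVENTORY = {
    "10.10.150.10": {53},        # DNS
    "10.10.150.12": {1521},      # database
    "10.10.150.20": {25, 110},   # mail
}

# Constructed fping output ("<ip> is alive" / "<ip> is unreachable").
FPING_OUT = """\
10.10.150.10 is alive
10.10.150.11 is unreachable
10.10.150.12 is alive
10.10.150.20 is alive
10.10.150.77 is alive
"""

# Constructed nmap grepable (-oG) output for the live hosts.
NMAP_OUT = """\
Host: 10.10.150.10 ()\tStatus: Up
Host: 10.10.150.10 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)
Host: 10.10.150.12 ()\tPorts: 80/open/tcp//http///, 1521/open/tcp//oracle///\tIgnored State: closed (998)
Host: 10.10.150.20 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 110/open/tcp//pop3///\tIgnored State: closed (997)
Host: 10.10.150.77 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (998)
"""


def live_hosts(fping_text):
    return {ln.split()[0] for ln in fping_text.splitlines() if ln.endswith("is alive")}


def open_ports(nmap_text):
    """Map host -> set of open TCP ports, ignoring the Status-only lines."""
    result = {}
    for line in nmap_text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue
        ports = set()
        for entry in m.group(2).split(","):
            num, state, proto = entry.strip().split("/")[:3]
            if state == "open" and proto == "tcp":
                ports.add(int(num))
        result[m.group(1)] = ports
    return result


def audit(inventory, fping_text, nmap_text):
    """Stowaways: live hosts missing from inventory (with what they serve).
    Rogue services: listening ports the inventory does not grant a known host."""
    alive, ports = live_hosts(fping_text), open_ports(nmap_text)
    stowaways = sorted(alive - set(inventory))
    rogue = {h: sorted(ports.get(h, set()) - allowed)
             for h, allowed in inventory.items() if ports.get(h, set()) - allowed}
    return {"stowaways": stowaways,
            "stowaway_ports": {h: sorted(ports.get(h, set())) for h in stowaways},
            "rogue_services": rogue}
```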

Slides - 26 to 27 Solving Network Mysteries

Rogue Servers/Applications

[Slides 26 and 27 are screenshots only; no text content was extracted]

Slide - 28 Solving Network Mysteries

Rogue Servers/Applications

Recommendations
• Create a robust network security policy
• Educate the user knowledge base on the policies and security fundamentals
• Implement consistent procedures to achieve these goals

Slide - 29 Solving Network Mysteries

System Administrator

Background
• Government agency
• Outsourced system administration duties
• Controlled application network with strict perimeter security
• Only database and e-mail traffic in and out of the control network
• Firewall was monitored for all unsuccessful attempts

Slide - 30 Solving Network Mysteries

System Administrator

• Monitor status of network remotely
• Batch job to inspect health of systems
• Sent results of process to home account - in clear text

Slide - 31 Solving Network Mysteries

System Administrator

    From: [email protected]
    To: [email protected]
    Subject: System Report

    Hostname: database.victim.gov
    System uptime: 2 days 14 hours
    Active users: oracle system larry steve
    Interface status: hme0 10.10.150.12
    Services Running: db http inetd

Slide - 32 Solving Network Mysteries

System Administrator

Techniques used for discovery
• Firewall logs reviewed
• Network traffic analysis

Slide - 33 Solving Network Mysteries

System Administrator

Lessons learned
• Administrators needed security awareness training
• No official remote administration procedures were in place
• Adequate tools were not available to support environment requirements

Slide - 34 Solving Network Mysteries

System Administrator

Recommendations
• Implement appropriate remote administration solution
• Conduct constant administrator training
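The control network on slides 29 to 32 watched the firewall only for unsuccessful attempts, while the clear-text report left over an accepted connection; this added example (not the agency's or the author's tooling) reviews the accepted entries against the stated policy of database and e-mail traffic only. The log format, address ranges, approved relay and port numbers are constructed assumptions.

```python
import ipaddress

# Constructed policy for the control network (slide 29: only database
# and e-mail traffic in and out).
CONTROL_NET = ipaddress.ip_network("10.10.150.0/24")
APPROVED_RELAY = {"10.10.1.25"}        # the only legitimate SMTP peer
ALLOWED_PORTS = {25, 1521}             # e-mail and (assumed Oracle) database

# Constructed firewall log lines: date time action proto src:port dst:port
FW_LOG = """\
2001-03-04 02:00:01 accept tcp 10.10.150.12:41002 10.10.1.25:25
2001-03-04 02:00:09 accept tcp 10.10.150.12:41003 10.10.1.50:1521
2001-03-04 02:00:15 accept tcp 10.10.150.12:41007 198.51.100.7:25
2001-03-04 02:01:00 deny tcp 172.16.9.9:3344 10.10.150.12:23
2001-03-04 02:03:30 accept tcp 10.10.150.40:1099 10.10.1.50:1521
2001-03-04 02:05:12 accept tcp 10.10.150.12:41010 10.10.2.8:80
"""


def parse(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, proto, src, dst = line.split()
        sip, _ = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield {"ts": f"{date} {time}", "action": action, "proto": proto,
               "src": sip, "dst": dip, "dport": int(dport)}


def review_accepts(entries):
    """Flag accepted outbound connections from the control network that the
    policy should never produce: SMTP to anything but the approved relay,
    and any destination port outside the allowed set."""
    findings = []
    for e in entries:
        if e["action"] != "accept":
            continue                    # denies were already being watched
        if ipaddress.ip_address(e["src"]) not in CONTROL_NET:
            continue
        if e["dport"] == 25 and e["dst"] not in APPROVED_RELAY:
            findings.append((e["ts"], e["src"], e["dst"], "smtp to unapproved peer"))
        elif e["dport"] not in ALLOWED_PORTS:
            findings.append((e["ts"], e["src"], e["dst"], f"port {e['dport']} not in policy"))
    return findings


if __name__ == "__main__":
    for f in review_accepts(parse(FW_LOG)):
        print(*f)
```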

Slide - 35 Solving Network Mysteries

Audit & Monitoring Goals

Protect
• Provides input to policy changes or mis-configurations
• Acts as a deterrent

Detect
• Analysis of all data
• Passive collection
• Active scanning

Analyze and Recover
• Forensic level analysis
• Rapid answers to the who, what, when, where, how questions
• Full damage control
• Network, system and application level audit logs
• Centralized information source

Slide - 36 Solving Network Mysteries

Audit & Monitoring Enablers

Logs
• Host
• Application
• System

Network
• Packet sniffers
• NIDS

Analysis
• Database
• Scripts

Slide - 37 Solving Network Mysteries

Logs

Logs are a great source of information if:
• They have been enabled
• They are still there
• Their integrity is not questionable
• Someone reads them!

• Provide Who and When
• Do not provide content (e.g., What)

Slide - 38 Solving Network Mysteries

Sniffers

[Cartoon; caption: "Testing sniffers means different things to different people!" Source: U.S. News]

Slide - 39 Solving Network Mysteries

Network

• Sniffers are needed to "see" what is on your network
• NIDS provide a means for pre-processing
• Switched environments can provide a challenge
• Since no two networking environments are the same, methodologies will need to be tailored for each network

Slide - 40 Solving Network Mysteries

Raw Output

[Screenshot only; no text content was extracted]

Slide - 41 Solving Network Mysteries

NIDS Output (Dragon)

[Screenshot only; no text content was extracted]

Slide - 42 Solving Network Mysteries

Analysis

• Collecting gigabytes of data… now what?
• A system or tools to assist with analysis is vital
• Implementing a system with consistent procedures is a challenge
• Filter and focus before drowning in data

Slide - 43 Solving Network Mysteries

Audit & Monitoring Tool Trends

• Evidence preservation
• Data warehousing
• Data mining
• Automatic correlation
• Event interpretation
• Passive monitoring
• Data exchange
• AI based attack prediction

Slide - 44 Solving Network Mysteries

Audit & Monitoring Tool Trends

• Outsourced Managed Security
  • Counterpane – www.counterpane.com
  • SecurityTracker – www.securitytracker.net
  • ServerVault – www.servervault.com
• Network Appliances
  • NetFox – www.securityfox.net
• Interactive Analysis
  • SilentRunner – www.silentrunner.com
• Log Consolidators
  • Kane – www.intrusion.com
  • eSecurity – www.esecurityinc.com

Slide - 45 Solving Network Mysteries

Tips

Do's
• One step at a time
• Automation is your friend
• Storage
• Data sensitivity
• Measure

Don'ts
• Underestimate
• Forget legal responsibilities
• Be unprepared
• Believe in silver bullets

Slide - 46 Solving Network Mysteries

In Closing…

• Potential Benefits:
  • Increased knowledge and awareness of network usage practices
  • Enhance current detection and protection process
  • Reduced time and resource cost when responding to an incident
  • Reduced network misuse and abuse
  • Enforcement of policy

Slide - 47 Solving Network Mysteries

Questions