TRANSCRIPT

Black Hat Briefings 2001
Solving Network Mysteries
Dan VanBelleghem, CISSP
SRA International, Inc.
[email protected]
SRA International, Inc., Information Assurance Division
Slide 2 - Solving Network Mysteries
Dan VanBelleghem
Senior Information Assurance Engineer - SRA
• Penetration Testing
• Security Training
• Security Readiness Reviews
• Incident Response
• Security Assessments
Director of Security Programs - Network Forensics
• Security Assistance Teams for US DoD - BAH
• Security Audits and Assessments for Fortune 500 - D&T
Slide 3 - Solving Network Mysteries
Network Mystery Quiz
Do you know:
• What is happening on your network?
• What users are doing?
• If users are compliant with policy?
• If users’ internal and external network communications affect the enterprise security posture?
• If anomalous behavior is detectable on the network?
• Why network diagrams are not enough?
Slide 4 - Solving Network Mysteries
Objectives
The objectives of this session are to provide an overview of the following:
• Examples of network activities that are often overlooked
• Techniques used in solving mysteries
• Benefits from audit & monitoring
• Recommendations for performing audit & monitoring
Slide 5 - Solving Network Mysteries
Observations
• The following observations will provide examples of network security issues that could have been discovered with good audit and monitoring practices in place
• Discovery, analysis and lessons learned will be discussed for each of the following examples:
  • Uncovering DDOS agents
  • Harassing e-mails
  • Rogue servers and applications
  • System administrator misuse
Slide 6 - Solving Network Mysteries
DDOS Agent Discovery
Background
• Enterprise network solution company
• Firewall policy allowed DNS traffic
• Firewalls managed in Colorado
• DNS servers managed locally at other national offices
Slide 7 - Solving Network Mysteries
DDOS
[Diagram: the Internet connects through a firewall (F) that permits DNS into the victim.com HQ, which runs a Local DNS and a Secondary DNS managed by network operations; the victim.com Local Offices run the Primary DNS, managed by local office staff]
Slide 8 - Solving Network Mysteries
DDOS
[Diagram: the same topology as slide 7, with an Attacker on the Internet reaching the Local Offices’ Primary DNS through the firewall’s DNS permit]
• DNS service exploited
• Root access gained
• Trust relationships exploited
• DDOS agent planted
Slide 9 - Solving Network Mysteries
DDOS Agent Discovery
Techniques used for discovery
• Network traffic analysis
  • “unusual traffic”
• Firewall logs reviewed
• DNS server and OS logs reviewed
Slide 10 - Solving Network Mysteries
DDOS Agent Discovery
Lessons learned
• Firewall logs not reviewed
• DNS server (OS and application) logs not reviewed
• IP spoofing not monitored internally
• Integrity checking not performed
Slide 11 - Solving Network Mysteries
DDOS Agent Discovery
Recommendations
• Perform regular log review of network service systems (DNS, Firewall, Mail, etc.)
  • Automate
  • Outsource
• Monitor and review network traffic patterns and trends
  • Network monitors
  • Network device logs
• Perform host integrity checking for critical assets
  • Tripwire
  • System profile checkers
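The log review recommended above can be automated. The following Python is an added example written for this transcript; it is not code from the talk or from SRA. It reads constructed firewall log lines in a generic key=value layout (not any vendor's real format) and flags the three things the DNS case turned on: non-DNS traffic involving a DNS server (the "unusual traffic" of slide 9), packets arriving on the outside interface with an inside source address (the spoofing that slide 10 says was not monitored), and a burst of permitted packets from one inside host to one destination. The DNS server address, the internal address range and the burst threshold are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines for this example (not from the talk). The
# key=value layout is a generic stand-in, not a particular vendor's format.
SAMPLE_LOG = """\
2001-03-14T02:15:07 if=ext act=permit proto=udp src=198.51.100.77:4512 dst=10.1.2.10:53
2001-03-14T02:15:08 if=int act=permit proto=udp src=10.1.2.10:53 dst=198.51.100.77:4512
2001-03-14T02:16:40 if=ext act=permit proto=tcp src=203.0.113.9:51000 dst=10.1.2.10:53
2001-03-14T02:16:41 if=int act=permit proto=tcp src=10.1.2.10:43121 dst=203.0.113.9:8080
2001-03-14T02:17:02 if=ext act=permit proto=udp src=10.1.2.55:1024 dst=10.1.2.10:53
2001-03-14T02:18:00 if=int act=permit proto=udp src=10.1.2.10:1025 dst=192.0.2.5:80
2001-03-14T02:18:00 if=int act=permit proto=udp src=10.1.2.10:1026 dst=192.0.2.5:80
2001-03-14T02:18:00 if=int act=permit proto=udp src=10.1.2.10:1027 dst=192.0.2.5:80
2001-03-14T02:18:01 if=int act=permit proto=udp src=10.1.2.10:1028 dst=192.0.2.5:80
2001-03-14T02:20:13 if=int act=deny proto=tcp src=10.1.5.20:3301 dst=192.0.2.9:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) if=(?P<iface>\w+) act=(?P<act>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumptions for the example: the internal address space, which hosts are
# DNS servers, and how many permitted packets to one destination count as a burst.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DNS_SERVERS = {"10.1.2.10"}
BURST_THRESHOLD = 4


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def review_firewall_log(text, dns_servers=DNS_SERVERS, burst_threshold=BURST_THRESHOLD):
    """Return (kind, timestamp, source, destination) findings for permitted traffic."""
    findings = []
    pair_counts = Counter()
    for rec in parse_log(text):
        if rec["act"] != "permit":
            continue  # denied packets never got in; the review is about what the policy let through
        # 1. A packet on the outside interface claiming an inside source address is spoofed.
        if rec["iface"] == "ext" and is_internal(rec["src"]):
            findings.append(("spoofed-source", rec["ts"], rec["src"], rec["dst"]))
        # 2. A DNS server has no business on any port but 53; anything else is "unusual traffic".
        if {rec["src"], rec["dst"]} & set(dns_servers) and 53 not in (rec["sport"], rec["dport"]):
            findings.append(("non-dns-on-dns-server", rec["ts"], rec["src"],
                             f'{rec["dst"]}:{rec["dport"]}'))
        # 3. Many permitted packets from one inside host to one destination within the
        #    sample look like flood traffic leaving the network.
        if rec["iface"] == "int":
            key = (rec["src"], rec["dst"])
            pair_counts[key] += 1
            if pair_counts[key] == burst_threshold:
                findings.append(("outbound-burst", rec["ts"], rec["src"], rec["dst"]))
    return findings


if __name__ == "__main__":
    for finding in review_firewall_log(SAMPLE_LOG):
        print(*finding)
```

On the sample, the DNS server's TCP connection to port 8080 and its four UDP packets to one outside host on port 80 are reported as non-DNS traffic, the fourth packet also trips the burst rule, and the packet that arrived from outside with a 10.x source is reported as spoofed. Against a real firewall the only changes needed are the line regex and the address assumptions; the three checks are what a reviewer would otherwise do by eye.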
Slide 12 - Solving Network Mysteries
Harassing E-mails
Background
• Employee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)
• An internal employee was suspected but could not be confirmed
Slide 13 - Solving Network Mysteries
Harassing E-mails
Techniques used for discovery
• Collected network traffic using a packet sniffer
• Searched traffic for hosts going to and from hotmail.com
• Once an originating IP address was found, then searched for the user name that sent the anonymous e-mail
• Specifically looked for CGI postings of the message - this was the proof to determine the person who sent it
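The search described on this slide, as an added example that is not part of the original talk: the Python below works over a constructed list of sniffer records (source, destination, TCP payload), first lists the inside hosts whose HTTP requests carry a Host header under hotmail.com, then picks out the CGI POST whose form body contains the message text and reports the originating address and the webmail login used. The CGI path and the form field names (login, to, subject, body) are assumptions for the example, not Hotmail's real interface.

```python
from urllib.parse import parse_qs

# Constructed packet records standing in for sniffer output (not from the talk).
# Each record is one TCP payload with the addresses the sniffer saw.
SAMPLE_CAPTURE = [
    {"ts": "2001-05-02T09:12:01", "src": "10.1.4.21", "dst": "198.51.100.40",
     "payload": b"GET /cgi-bin/hmhome HTTP/1.0\r\nHost: www.hotmail.com\r\n\r\n"},
    {"ts": "2001-05-02T09:12:30", "src": "10.1.4.33", "dst": "198.51.100.40",
     "payload": b"GET /cgi-bin/getmsg HTTP/1.0\r\nHost: www.hotmail.com\r\n\r\n"},
    {"ts": "2001-05-02T09:12:45", "src": "10.1.4.33", "dst": "198.51.100.40",
     "payload": b"\x17\x03\x01\x00\x20binary-not-http"},
    {"ts": "2001-05-02T09:13:10", "src": "10.1.4.21", "dst": "198.51.100.40",
     "payload": (b"POST /cgi-bin/premail HTTP/1.0\r\nHost: www.hotmail.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"login=anon4421&to=jdoe%40victim.com&subject=last+warning"
                 b"&body=You+know+who+this+is.")},
    {"ts": "2001-05-02T09:14:00", "src": "10.1.4.33", "dst": "192.0.2.80",
     "payload": b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"},
]


def parse_http_request(payload):
    """Split a request payload into (method, path, headers, body); raises ValueError if not HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, path, headers, body.decode("latin-1")


def _under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def hosts_talking_to(capture, domain):
    """Inside addresses that sent HTTP requests to the given domain (step 2 on the slide)."""
    hosts = set()
    for pkt in capture:
        try:
            _, _, headers, _ = parse_http_request(pkt["payload"])
        except ValueError:
            continue  # not the start of an HTTP request; skip it
        if _under_domain(headers.get("host", ""), domain):
            hosts.add(pkt["src"])
    return hosts


def find_message_posts(capture, domain, needle):
    """CGI POSTs to the domain whose form body or subject contains the message text (steps 3 and 4)."""
    hits = []
    for pkt in capture:
        try:
            method, path, headers, body = parse_http_request(pkt["payload"])
        except ValueError:
            continue
        if method != "POST" or not _under_domain(headers.get("host", ""), domain):
            continue
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if needle in form.get("body", "") or needle in form.get("subject", ""):
            hits.append({"ts": pkt["ts"], "src": pkt["src"], "path": path,
                         "login": form.get("login"), "to": form.get("to")})
    return hits


if __name__ == "__main__":
    print("hosts using hotmail.com:", sorted(hosts_talking_to(SAMPLE_CAPTURE, "hotmail.com")))
    for hit in find_message_posts(SAMPLE_CAPTURE, "hotmail.com", "know who this is"):
        print("message posted from", hit["src"], "as", hit["login"], "to", hit["to"], "at", hit["ts"])
```

Two inside hosts used the webmail service, but only one of them posted the message; the POST ties the originating address, the webmail login and the timestamp together, which is the evidence the slide describes. Real captures need TCP stream reassembly before this kind of parsing, and anything carried over TLS would not be readable this way.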
Slide 17 - Solving Network Mysteries
Harassing E-mails (cont.)
Slide 23 - Solving Network Mysteries
Harassing E-mails
Recommendations
• Implement e-mail policy
• Monitor for non-production e-mail traffic
• Develop monitoring scripts or procure commercial tools
Slide 24 - Solving Network Mysteries
Rogue Servers/Applications
Background
• Users install unauthorized devices, “stowaways,” on the production network
• Enabling write access on anonymous ftp services for convenience
• Users installing unauthorized services (e.g., web servers) on the production network
Slide 25 - Solving Network Mysteries
Rogue Servers/Applications
Techniques used for discovery
• Monitoring procedures implemented
• Leveraged automation
  • Network sweep: fping
  • TCP/UDP port scanning: nmap
• Consider appliance solution: NetFox
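The automation the slide mentions needs a step the tools themselves do not provide: comparing what fping and nmap report against the list of what is supposed to be there. The Python below is an added example for this transcript (not code from the talk or SRA). It parses constructed fping output and constructed nmap grepable (-oG) output, then reports hosts that answered but are not in the inventory, the services those unknown hosts offer, and inventoried hosts that have grown a service they are not authorized to run. The addresses, hostnames and the authorized inventory are made up for the example.

```python
import re

# Constructed sample output in fping's and nmap's grepable (-oG) formats;
# the addresses, hostnames and the authorized inventory are made up for this example.
FPING_OUTPUT = """\
10.1.4.10 is alive
10.1.4.11 is alive
10.1.4.77 is alive
10.1.4.12 is unreachable
"""

NMAP_GREPABLE = """\
# Nmap run initiated (constructed sample)
Host: 10.1.4.10 (fileserver.example.test)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///\tIgnored State: closed (1021)
Host: 10.1.4.11 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (1021)
Host: 10.1.4.77 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (1021)
"""

# The authorized inventory: address -> set of (protocol, port) the host is allowed to offer.
AUTHORIZED = {
    "10.1.4.10": {("tcp", 21), ("tcp", 22)},
    "10.1.4.11": {("tcp", 25)},
    "10.1.4.12": {("tcp", 22)},
}

# One grepable-output port entry starts port/state/protocol/...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_fping(text):
    """Addresses that answered the sweep."""
    return {line.split()[0] for line in text.splitlines() if line.endswith(" is alive")}


def parse_nmap_grepable(text):
    """Map each scanned host to its set of (protocol, port) entries in the open state."""
    services = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and status lines carry no host data
        fields = line.split("\t")
        host = fields[0].split()[1]
        open_ports = set()
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for port, state, proto in PORT_RE.findall(field[len("Ports: "):]):
                    if state == "open":
                        open_ports.add((proto, int(port)))
        services[host] = open_ports
    return services


def audit_network(fping_text, nmap_text, authorized):
    """Compare what is answering on the wire against the authorized inventory."""
    live = parse_fping(fping_text)
    scanned = parse_nmap_grepable(nmap_text)
    unknown_hosts = sorted(live - set(authorized))
    unauthorized_services = {}
    for host, ports in scanned.items():
        extra = ports - authorized.get(host, set())
        if host in authorized and extra:
            unauthorized_services[host] = sorted(extra)
    return {
        "unknown_hosts": unknown_hosts,
        "unknown_host_services": {h: sorted(scanned.get(h, set())) for h in unknown_hosts},
        "unauthorized_services": unauthorized_services,
    }


if __name__ == "__main__":
    print(audit_network(FPING_OUTPUT, NMAP_GREPABLE, AUTHORIZED))
```

On the sample the stowaway is 10.1.4.77 (not in the inventory, offering HTTP and NetBIOS), and the mail host has sprouted a web server it is not authorized to run. Run on a schedule with the output diffed against the previous run, this is the "monitoring procedure" the slide calls for.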
Slide 26 - Solving Network Mysteries
Rogue Servers/Applications
Slide 27 - Solving Network Mysteries
Rogue Servers/Applications
Slide 28 - Solving Network Mysteries
Rogue Servers/Applications
Recommendations
• Create a robust network security policy
• Educate the user base on the policies and security fundamentals
• Implement consistent procedures to achieve these goals
Slide 29 - Solving Network Mysteries
System Administrator
Background
• Government agency
• Outsourced system administration duties
• Controlled application network with strict perimeter security
• Only database and e-mail traffic in and out of the controlled network
• Firewall was monitored for all unsuccessful attempts
Slide 30 - Solving Network Mysteries
System Administrator
• Monitor status of network remotely
• Batch job to inspect health of systems
• Sent results of process to home account - in clear text
Slide 31 - Solving Network Mysteries
System Administrator
From: [email protected]
To: [email protected]
Subject: System Report
Hostname: database.victim.gov
System uptime: 2 days 14 hours
Active users: oracle system larry steve
interface status: hme0 10.10.150.12
Services Running: db http inetd
Slide 32 - Solving Network Mysteries
System Administrator
Techniques used for discovery
• Firewall logs reviewed
• Network traffic analysis
Slide 33 - Solving Network Mysteries
System Administrator
Lessons learned
• Administrators needed security awareness training
• No official remote administration procedures were in place
• Adequate tools were not available to support environment requirements
Slide 34 - Solving Network Mysteries
System Administrator
Recommendations
• Implement appropriate remote administration solution
• Conduct constant administrator training
Slide 35 - Solving Network Mysteries
Audit & Monitoring Goals
Protect
• Provides input to policy changes or mis-configurations
• Acts as a deterrent
Detect
• Analysis of all data
• Passive collection
• Active scanning
Analyze and Recover
• Forensic level analysis
• Rapid answers to the who, what, when, where, how questions
• Full damage control
• Network, system and application level audit logs
• Centralized information source
Slide 36 - Solving Network Mysteries
Audit & Monitoring Enablers
Logs
• Host
• Application
• System
Network
• Packet sniffers
• NIDS
Analysis
• Database
• Scripts
Slide 37 - Solving Network Mysteries
Logs
Logs are a great source of information if:
• They have been enabled
• They are still there
• Their integrity is not questionable
• Someone reads them!
Provide Who and When
Do not provide content (e.g., What)
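Two of the conditions above, that the logs are still there and that their integrity is not questionable, can be made checkable rather than assumed. The Python below is an added example for this transcript (not code from the talk or SRA) showing one way to do it: each log line is stored with a SHA-256 digest that also covers the previous line's digest, so editing a line, removing one from the middle, or reordering breaks the chain at that point. Removing lines from the end does not break the chain by itself, so the verifier also accepts the last digest recorded elsewhere (for example, mailed off-host at rotation time) and reports a truncated log when the chain no longer ends there. The sample log lines and the seed value are constructed for the example.

```python
import hashlib

# Constructed syslog-style lines for the example (not from the talk).
SAMPLE_LINES = [
    "Mar 14 02:15:07 ns1 named[212]: starting",
    "Mar 14 02:16:41 ns1 sshd[418]: Accepted password for root from 203.0.113.9",
    "Mar 14 02:16:55 ns1 su: 'su root' succeeded for larry on /dev/pts/1",
    "Mar 14 02:18:00 ns1 named[212]: reloading",
]

# The chain's starting value; in practice a per-log secret or the previous file's tip.
SEED = "constructed-seed"


def _link(prev_digest, line):
    """Digest of one entry, bound to the digest of the entry before it."""
    return hashlib.sha256((prev_digest + "\n" + line).encode("utf-8")).hexdigest()


def chain_log(lines, seed=SEED):
    """Return [(line, digest), ...] where every digest depends on all earlier lines."""
    prev = hashlib.sha256(seed.encode("utf-8")).hexdigest()
    chained = []
    for line in lines:
        digest = _link(prev, line)
        chained.append((line, digest))
        prev = digest
    return chained


def verify_chain(chained, seed=SEED, expected_tip=None):
    """Return None if the chain is intact, else the index where it first fails.

    An index inside the list means that entry (or the one removed before it) was
    altered; an index equal to the length means entries were removed from the end
    (detectable only when the expected tip digest was kept off-host).
    """
    prev = hashlib.sha256(seed.encode("utf-8")).hexdigest()
    for i, (line, digest) in enumerate(chained):
        if _link(prev, line) != digest:
            return i
        prev = digest
    if expected_tip is not None and prev != expected_tip:
        return len(chained)
    return None


if __name__ == "__main__":
    chained = chain_log(SAMPLE_LINES)
    tip = chained[-1][1]
    print("intact:", verify_chain(chained, expected_tip=tip))
    # Rewrite the sshd line as if someone tried to hide the login.
    tampered = list(chained)
    tampered[1] = (tampered[1][0].replace("root", "nobody"), tampered[1][1])
    print("tampered at:", verify_chain(tampered))
    print("truncated at:", verify_chain(chained[:-1], expected_tip=tip))
```

The chain does not stop an attacker with root from rewriting the file and recomputing every digest; its value is that the recomputation is impossible without the seed and useless without also replacing the tip stored elsewhere, which is why the seed and the periodic tip belong on a host the logging system does not trust the logged machine to reach.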
Slide 38 - Solving Network Mysteries
Sniffers
[Cartoon: “Testing sniffers means different things to different people!” Source: U.S. News]
Slide 39 - Solving Network Mysteries
Network
• Sniffers are needed to “see” what is on your network
• NIDS provide a means for pre-processing
• Switched environments can provide a challenge
• Since no two networking environments are the same, methodologies will need to be tailored for each network
Slide 40 - Solving Network Mysteries
Raw Output
Slide 41 - Solving Network Mysteries
NIDS Output (Dragon)
Slide 42 - Solving Network Mysteries
Analysis
• Collecting gigabytes of data… now what?
• A system or tools to assist with analysis is vital
• Implementing a system with consistent procedures is a challenge
• Filter and focus before drowning in data
Slide 43 - Solving Network Mysteries
Audit & Monitoring Tool Trends
• Evidence preservation
• Data warehousing
• Data mining
• Automatic correlation
• Event interpretation
• Passive monitoring
• Data exchange
• AI based attack prediction
Slide 44 - Solving Network Mysteries
Audit & Monitoring Tool Trends
• Outsourced Managed Security
  • Counterpane – www.counterpane.com
  • SecurityTracker – www.securitytracker.net
  • ServerVault – www.servervault.com
• Network Appliances
  • NetFox – www.securityfox.net
• Interactive Analysis
  • SilentRunner – www.silentrunner.com
• Log Consolidators
  • Kane – www.intrusion.com
  • eSecurity – www.esecurityinc.com
Slide 45 - Solving Network Mysteries
Tips
Do’s
• One step at a time
• Automation is your friend
• Storage
• Data sensitivity
• Measure
Don’ts
• Underestimate
• Forget legal responsibilities
• Be unprepared
• Believe in silver bullets
Slide 46 - Solving Network Mysteries
In Closing…
• Potential Benefits:
  • Increased knowledge and awareness of network usage practices
  • Enhanced detection and protection processes
  • Reduced time and resource cost when responding to an incident
  • Reduced network misuse and abuse
  • Enforcement of policy