Lesson 14 network monitoring system restoration incident evaluation

Lesson 14: Network Monitoring, System Restoration, Incident Evaluation



The Role of Network Forensics

  • “Network Forensics analysis tools (NFATS) reveal insecurities, turn system administrators into system detectives.”

    Nate King & Errol Weiss

    Information Security Magazine



Network Forensics



Definitions

  • Sniffer: hardware or software that passively intercepts packets as they traverse the network. Other names include Protocol Analyzer and Network Monitor.

    • Silent Sniffers will not respond to any received packets.

    • Illegal Sniffers violate 18 USC 2511, the statute dealing with wiretaps.

  • Promiscuous Mode: a sniffer operates in a mode that intercepts all packets flowing across the network.

    • A normal NIC only intercepts packets addressed to its IP address and the broadcast address.

  • Transactional (noncontent) information consists only of header information, for example IP, TCP or UDP headers.

    • Equivalent to a law enforcement (LE) Trap and Trace or Pen Register.

  • Content information consists of not only the headers but also part or all of the encapsulated data.
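To make the transactional/content distinction concrete, here is an added Python example (not part of the lesson) that parses a constructed Ethernet/IPv4/TCP frame: transactional_view returns only the addressing and port fields (the pen-register view), content_view also returns the encapsulated data, and headers_only simulates a capture whose snaplen stops right after the TCP header, so the content view comes back empty and flagged as truncated. The frame, the documentation-range addresses and all function names are constructed for this example; checksums are left at zero and not validated.

```python
"""Transactional (header-only) versus content view of a captured frame.

Added example, not from the lesson. Parses a constructed Ethernet/IPv4/TCP
frame and shows the two views the Definitions slide distinguishes, plus what a
short snaplen does to the content view.
"""
import ipaddress
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_sample_frame():
    """Constructed HTTP request frame; checksums are left at zero (not validated here)."""
    src_ip = ipaddress.IPv4Address("192.0.2.10").packed      # documentation-range addresses
    dst_ip = ipaddress.IPv4Address("198.51.100.20").packed
    payload = b"GET /index.html HTTP/1.0\r\n\r\n"
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                         0x4000, 64, PROTO_TCP, 0, src_ip, dst_ip)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40321, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(frame):
    """Return (header_fields, payload, truncated) for an Ethernet/IPv4/TCP frame."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("frame too short for an IPv4 header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != PROTO_TCP:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("frame too short for a TCP header")
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff = (tcp[12] >> 4) * 4
    fields = {
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "protocol": "TCP",
        "ip_total_length": total_len,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "tcp_flags": tcp[13],
    }
    payload = tcp[doff:]
    expected = total_len - ihl - doff        # what the IP header says should follow
    return fields, payload, len(payload) < expected


def transactional_view(frame):
    """Header information only: the equivalent of a trap-and-trace / pen register."""
    fields, _, _ = parse_ipv4_tcp(frame)
    return fields


def content_view(frame):
    """Headers plus the encapsulated data, with a flag if the capture was cut short."""
    fields, payload, truncated = parse_ipv4_tcp(frame)
    return dict(fields, payload=payload, truncated=truncated)


def headers_only(frame):
    """Simulate a capture whose snaplen stops right after the TCP header."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    doff = (frame[ETH_LEN + ihl + 12] >> 4) * 4
    return frame[:ETH_LEN + ihl + doff]


if __name__ == "__main__":
    frame = build_sample_frame()
    print(transactional_view(frame))
    print(content_view(frame)["payload"])
    print(content_view(headers_only(frame))["truncated"])
```

The truncated flag is the check a practitioner wants when reviewing a header-only capture: the IP total length still says how much data followed, so an analyst can tell the difference between "the connection carried no data" and "the sniffer was configured not to keep it".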



Network Forensics Data

  • Network data can come from:

    • Routers, Firewalls, Servers, IDS, DHCP Servers, etc.

    • These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody

  • Chain of Custody

    • Strictly controlled network monitoring can maintain a proper chain of custody

      • Electronic evidence requires tighter control than most other types of evidence because it can be easily altered

      • A broken chain goes to weight and not admissibility



Chain of Custody

  • Network data chain of custody should include:

    • Date and time recorded

    • Make, model, serial # and description of the recording device

    • Names of the individuals recording or recovering the logs

    • Description of the logs

    • Name, signature and date of the individual receiving the data

    • Evidence tag for this item

    • Hash value (MD5) of each log file
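The record the slide describes, as an added Python example that is not part of the original lesson: it collects the listed fields plus a hash of each log file, and lets whoever receives the data re-verify those hashes later. The device string, names, evidence tag and sample log line are constructed placeholders. The slide names MD5; the record stores SHA-256 alongside it, since MD5 collisions are practical today and a challenged hash goes to the weight of the evidence.

```python
"""Chain-of-custody record for recovered log files (added example, not from the lesson)."""
import hashlib
import json
import os
from datetime import datetime, timezone


def file_digests(path, chunk=65536):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def make_custody_record(log_paths, device, recorded_by, received_by,
                        description, evidence_tag):
    """Build one custody record covering a set of log files."""
    items = []
    for path in log_paths:
        md5, sha = file_digests(path)
        items.append({"file": os.path.basename(path),
                      "size": os.path.getsize(path),
                      "md5": md5, "sha256": sha})
    now = datetime.now(timezone.utc).isoformat()
    return {
        "recorded_at": now,
        "device": device,             # make, model, serial # and description
        "recorded_by": recorded_by,   # who recorded / recovered the logs
        "received_by": received_by,   # who took custody (signature is on paper)
        "received_at": now,
        "description": description,
        "evidence_tag": evidence_tag,
        "files": items,
    }


def verify_custody_record(record, directory):
    """Recompute hashes for each listed file; return the files that no longer match."""
    mismatches = []
    for item in record["files"]:
        path = os.path.join(directory, item["file"])
        if not os.path.exists(path):
            mismatches.append(item["file"])
            continue
        md5, sha = file_digests(path)
        if md5 != item["md5"] or sha != item["sha256"]:
            mismatches.append(item["file"])
    return mismatches


def save_record(record, path):
    """Write the record as JSON so it can be printed and filed with the evidence tag."""
    with open(path, "w") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)


def build_demo():
    """Constructed walk-through: record a log, verify it, tamper with it, verify again."""
    import tempfile
    tmp = tempfile.mkdtemp(prefix="custody-")
    log = os.path.join(tmp, "firewall.log")
    with open(log, "w") as fh:   # constructed sample log line
        fh.write("Jan 01 00:00:00 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.20\n")
    rec = make_custody_record(
        [log], device="EXAMPLE-MAKE EXAMPLE-MODEL, serial SN-PLACEHOLDER, analyst laptop",
        recorded_by="A. Analyst", received_by="B. Custodian",
        description="Firewall log recovered after intrusion (constructed sample)",
        evidence_tag="EV-0001")
    save_record(rec, os.path.join(tmp, "custody.json"))
    before = verify_custody_record(rec, tmp)      # [] : nothing changed
    with open(log, "a") as fh:                    # simulate later alteration
        fh.write("extra line\n")
    after = verify_custody_record(rec, tmp)       # ['firewall.log']
    return rec, before, after


if __name__ == "__main__":
    _, before, after = build_demo()
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

Hashing the logs at the moment of recovery is what lets a later custodian show the files are the same ones that were collected; the verify step is the check to run every time the evidence changes hands.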



Corporate policy must support the type of monitoring to be performed!

Monitoring The Network

  • What are the Network Monitoring goals?

    • Monitor traffic to and from a host?

    • Monitor traffic to and from a network?

    • Monitor a specific person?

    • Verify an intrusion attempt?

    • Monitor attack signatures?

    • Monitor a specific protocol?

    • Monitor a specific port?

  • Check with legal counsel prior to starting the monitor



Run a Sniffer detection tool prior to connecting yours.

Network Monitoring Tool

  • Network Monitoring Hardware

    • A Portable laptop

    • 512 MB Ram

    • 40+ GB disk

    • External Zip drive

  • Network Monitoring Software

    • NetBSD is reputedly the best

    • A Silent Sniffer that speaks only TCP/IP with ARP disabled

    • Employ VLAN with SSH or a Dial-back modem for Remote Administration



Monitoring The Network Continued

  • Possible Network Monitors.

    • tcpdump, Ethereal and Snort

    • Snoop, iptrace, Sniffer Pro, Etherpeek, LANalyzer

    • NetMon, Network Tracing and Logging and Cisco IDS

  • Network Monitor Location

    • Host Monitoring - on the same hub or switch.

      • The switch should have a Switched Port Analyzer (SPAN) port

    • Network Monitoring - At the network perimeter

    • A Physically secure location



Helpful Hints

  • Run a Sniffer detection tool prior to connecting yours

    • Someone may already be listening to the network

  • Capture the network traffic as close to the source host as possible

    • Hackers use bounce sites to attack hosts

  • Have the capability of viewing captured data as a continuous stream.

    • This provides an overview of what the hacker is attempting to do

    • Reconstruct documents, etc

  • Have the capability of viewing the packets at the lowest level

    • High-level analyzers will sometimes strip off data that is not important for fault analysis but could be important for investigative purposes

      • Options and fields to identify the OS

      • Typing speed of user

      • Printer variables, X display variables, etc.



Common Forensics Mistakes

  • Failure to Monitor

    • ICMP Traffic

    • SMTP, POP and IMAP traffic

    • UseNet traffic

    • Files saved to external media

    • Web traffic

    • Senior Executives Traffic

    • Internal IP Traffic

  • Failure to Detect

    • ICMP Covert Channels

    • UDP Covert Channels

    • HTTP Covert Channels



Common Forensics Mistakes Continued

  • Failure to PlayBack

    • Encrypted traffic

    • Graphics

    • Modeling and Simulation traffic

  • Failure to Trace:

    • DoS

    • DDoS

    • Spoofed e-mail

  • Failure to Detect.

    • Steganography.

    • Erasing Logs

    • File Encryption.

    • Binary Trojans



Monitoring Tools

  • Dsniff: http://www.monkey.org/~dugsong/dsniff

  • tcpdump: http://www.tcpdump.org/

  • WinDump: http://netgroup-serv.polito.it/windump/

  • Ethereal: http://www.ethereal.com/

  • Snort: http://www.snort.org/

  • Snoop



System Restoration



System Restoration

  • System Administrator recovers the system

    • Don't trust anything that is on-line

    • Don't believe anything your system tells you

      • Reformat disks

      • Restore operating system

      • Reload software

      • Assign new passwords

      • Scan /etc/passwd for newly created entries

      • Check for changes to files that may affect security (trapdoors, logic bombs, etc.)



System Restoration

  • Check critical files for the appropriate file protection and permissions

  • Scan the system for newly created SUID and SGID files

  • Delete and recreate all .rhosts files

  • Check for changes to the /etc/hosts.equiv file

  • Check for changes in user startup files

  • Check for a modified .forward file

  • Check for hidden or unowned files and directories

  • Run audit tools such as COPS and Tripwire
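The checks on this slide and the previous one, as an added Python example that is not part of the lesson: it walks a restored file tree and compares an /etc/passwd snapshot against the pre-incident baseline, reporting new SUID/SGID files, hidden or unowned entries, leftover .rhosts / hosts.equiv / .forward trust files, critical files with more permission bits than allowed, and accounts that were added, removed, altered or given uid 0. Paths are taken relative to a root directory, so the same code can be pointed at a mounted image of the compromised disk. The passwd snapshots, the demo tree and every function name are constructed for this example; the audit tools the slide names (COPS, Tripwire) are not used here.

```python
"""Post-restoration audit of a rebuilt host (added example, not from the lesson)."""
import os
import pwd          # Unix only; used for the unowned-file check
import stat

TRUST_FILES = {".rhosts", "hosts.equiv", ".forward"}

# Constructed passwd(5) snapshots: the pre-incident baseline and the post-incident copy.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD.replace("/usr/sbin/nologin", "/bin/sh") + \
    "toor:x:0:0::/root:/bin/sh\n"              # constructed: second uid-0 account


def _walk(root):
    """Yield (root-relative path, lstat result) for every entry below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), os.lstat(full)


def find_suid_sgid(root):
    """Regular files carrying the setuid or setgid bit."""
    return sorted(rel for rel, st in _walk(root) if stat.S_ISREG(st.st_mode)
                  and st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_hidden(root):
    """Entries with a dot-prefixed path component (a common place to stash dropped tools)."""
    return sorted(rel for rel, _ in _walk(root)
                  if any(part.startswith(".") for part in rel.split(os.sep)))


def find_unowned(root):
    """Entries whose owning uid no longer maps to an account."""
    unowned = []
    for rel, st in _walk(root):
        try:
            pwd.getpwuid(st.st_uid)
        except KeyError:
            unowned.append(rel)
    return sorted(unowned)


def find_trust_files(root):
    """Leftover rlogin/rsh trust files and mail .forward files."""
    return sorted(rel for rel, _ in _walk(root) if os.path.basename(rel) in TRUST_FILES)


def check_permissions(root, expected):
    """Files granting mode bits beyond the maximum in expected, e.g. {"etc/shadow": 0o600}."""
    problems = {}
    for rel, max_mode in expected.items():
        full = os.path.join(root, rel)
        if not os.path.lexists(full):
            problems[rel] = "missing"
            continue
        extra = (os.lstat(full).st_mode & 0o7777) & ~max_mode
        if extra:
            problems[rel] = "extra bits %o" % extra
    return problems


def parse_passwd(text):
    """Parse passwd(5) text into {name: (uid, gid, home, shell)}; malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, _, uid, gid, _, home, shell = fields
        try:
            accounts[name] = (int(uid), int(gid), home, shell)
        except ValueError:
            continue                 # non-numeric uid/gid: malformed, skip
    return accounts


def diff_passwd(baseline_text, current_text):
    """Accounts added, removed or altered since the baseline, plus extra uid-0 accounts."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(n for n in set(base) & set(cur) if base[n] != cur[n]),
        "extra_uid0": sorted(n for n, v in cur.items() if v[0] == 0 and n != "root"),
    }


def build_demo_tree():
    """Create a constructed tree that trips each file-system check."""
    import tempfile
    root = tempfile.mkdtemp(prefix="restore-audit-")
    for sub in ("bin", "etc", "home/alice", ".hidden"):
        os.makedirs(os.path.join(root, sub))
    modes = {"bin/su": 0o4755, "etc/passwd": 0o644, "etc/shadow": 0o644,
             "etc/hosts.equiv": 0o644, "home/alice/.rhosts": 0o600, ".hidden/tool": 0o755}
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("suid/sgid:", find_suid_sgid(root), "hidden:", find_hidden(root))
    print("trust files:", find_trust_files(root), "unowned:", find_unowned(root))
    print("permissions:", check_permissions(root, {"etc/passwd": 0o644, "etc/shadow": 0o600}))
    print("passwd diff:", diff_passwd(BASELINE_PASSWD, CURRENT_PASSWD))
```

The value of the passwd diff depends entirely on having a baseline captured before the incident, which is the point the slide makes about not trusting anything the compromised system tells you: the reference copy has to come from backups or documentation, not from the disk being audited.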



System Restoration

  • The recovery should be planned to have minimal impact on the users

  • Keep the users informed

    • Engage in rumor control



Incident Evaluation



After Action Meeting and Report

  • Conduct an after action meeting

  • Prepare an after action report to document the incident, the response to the incident and the recovery from the incident

    • Lessons Learned?

      • Policy too general

      • Responsibilities not sufficiently defined

      • Inadequate monitoring tools

      • Systems not backed up

      • Hard disk needs smaller partitions

      • Set smaller limits on disk usage

      • System not scanned with tools: SATAN and ISS



Action List

  • Law Enforcement report?

    • Regulatory agency report?

    • Insurance claim?

    • Disciplinary action?

    • Dismissal action?

    • Vendor report?

    • Update disaster recovery plan?

    • Update software to new versions?

    • Update employee training?

    • Public Affairs report?

    • CEO report to employees?



Computer Crime Investigation

  • Notify law enforcement.

    • Brief/coordinate with upper management

    • The Law Enforcement Computer Crime Team assumes control.

    • Computer crime investigation is complex, time consuming, and resource intensive

    • Allow time/resources for

      • Investigation

      • Prosecution



Incident Response Process

Incident Preparation

  • Define Roles.

  • Establish Policies.

  • Identify Tools.

  • Network Preparation.

Incident Detection

  • Firewall Logs.

  • IDS Logs.

  • Suspicious User.

  • System Administrator.

  • Complete IR Checklist

    • Who/What/Where/When.

    • Incident Description

    • Hardware/Software.

    • Personnel Involved.

    • Network.

Activate IR Team

Initial Response

  • Verify Incident.

  • Affected Systems.

  • Users Involved.

  • Business Impact.

Completed IR Checklist.

Is it really an Incident?



Incident Response Process (Continued)

Response Strategy

  • System Criticality.

  • Information Sensitivity.

  • Perpetrators.

  • Publicity.

  • Skill of Attacker.

  • System Downtime.

  • Dollar Loss.

  • Management Approval

    • Dollar Loss.

    • Downtime.

    • Legal Liability.

    • Publicity.

    • Intellectual Property.

Accumulate Evidence & Secure System

Forensic Duplication

  • Best Evidence Rule.

  • Chain of custody.

  • Data Volatility.



Incident Response Process (Continued)

Investigate

  • Who, What, When, Where, How.

  • People and Things.

Implement Security Measures

  • Isolate and Contain.

    • Disconnect.

    • Electronically isolate.

    • Network Filtering.

Network Monitoring

  • Monitor throughout the incident.

    • Track the hacker.

    • No incident recurrence.

  • Monitor on subnet.

  • Monitor at boundary.



Incident Response Process (Continued)

Recovery

  • New Procedures.

  • Reinstall files.

  • Reinstall from CD-ROM.

  • Secure System.

    • Turn off unneeded services.

    • Apply patches.

    • Strong Passwords.

    • Strong Administration.

Documentation

  • Document everything as it occurs.

  • Support both criminal and civil prosecution.

  • Produce the final report.

  • Process improvement.



Brave New Battles

Each new technology will bring with it new forms of crime, demanding innovative security. That is the dynamic which drives our modern progress: not dreams, not ideas, but the simple desire on the part of criminals to take what is not theirs by law, and the determination of others to keep them from doing so.

“This Alien Shore”, C. S. Friedman (C) 1998



Summary

  • Thorough analysis is hard

  • Don’t forget to restore with the same zeal as you investigate

  • Incident evaluation is critical for lessons learned

