lesson 14 network monitoring system restoration incident evaluation
Skip this Video
Download Presentation
Lesson 14 Network Monitoring System Restoration Incident Evaluation

Loading in 2 Seconds...

play fullscreen
1 / 27

Lesson 14 Network Monitoring System Restoration Incident Evaluation - PowerPoint PPT Presentation

  • Uploaded on

Lesson 14 Network Monitoring System Restoration Incident Evaluation. The Role of Network Forensics. “Network Forensics analysis tools (NFATS) reveal insecurities, turn system administrators into system detectives.” Nate King & Errol Weiss Information Security Magazine. Network Forensics.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Lesson 14 Network Monitoring System Restoration Incident Evaluation' - latika

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the role of network forensics
The Role of Network Forensics
  • “Network Forensics analysis tools (NFATS) reveal insecurities, turn system administrators into system detectives.”

Nate King & Errol Weiss

Information Security Magazine



  • Sniffer: Hardware or software that passively intercepts packets as they traverse the network. Other name include Protocol Analyzer and Network Monitor.
    • Silent Sniffers will not respond to any received packets.
    • Illegal Sniffers violate 18 USC 2511 dealing with wiretaps.
  • Promiscuous Mode. A sniffer operates in a mode that intercepts all packets flowing across the network.
    • A normal NIC only intercepts packets packets addressed to its IP address and Broadcasts address.
  • Transactional (Noncontent) information consists only of header information. For example, IP, TCP or UDP headers.
    • Same as a LE Trap and Trace or Pen Register.
  • Content Informationconsists of not only the headers but also part or all of the encapsulated data.

Network Forensics Data

  • Network data can come from:
    • Routers, Firewalls, Servers, IDS, DHCP Servers, etc
    • These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody
  • Chain of Custody
    • Strictly controlled network monitoring can maintain a proper chain of custody
      • Electronic evidence requires tighter control than most other types of evidence because it can be easily altered
      • A broken chain goes to weight and not admissibility

Chain of Custody

  • Network data chain of custody should include:
    • Date and time recorded
    • Make, model, serial # and description of recording device
    • Names of individual recording or the name of individuals
    • recovering the logs
    • Description of the logs
    • Name, Signature and date of individual receiving the data.
    • Evidence Tag for this item
    • Hash value (MD5) of each log file

Corporate policy must support the type monitoring to be performed!

Monitoring The Network

  • What are the Network Monitoring goals?
    • Monitor traffic to and from a host?
    • Monitor traffic to and from a network?
    • Monitor a specific person?
    • Verify an intrusion attempt?
    • Monitor attack signatures?
    • Monitor a specific protocol?
    • Monitor a specific port?
  • Check with legal counsel prior to starting the monitor

Run a Sniffer detection tool prior to connecting yours.

Network Monitoring Tool

  • Network Monitoring Hardware
    • A Portable laptop
    • 512 MB Ram
    • 40 +GB
    • External Zip drive
  • Network Monitoring Software
    • NetBSD is reputedly the best
    • A Silent Sniffer that speaks only TCP/IP with ARP disabled
    • Employ VLAN with SSH or a Dial-back modem for Remote Administration

Monitoring The Network Continued

  • Possible Network Monitors.
    • tcpdump, Ethereal and Snort
    • Snoop, iptrace, Snifer Pro, Etherpeek, LANalyzer
    • NetMon, Network Tracing and Logging and Cisco IDS
  • Network Monitor Location
    • Host Monitoring - On the same Hub or switch.
      • The switch should have Switch Port Analysis (SPAN)
    • Network Monitoring - At the network perimeter
    • A Physically secure location

Helpful Hints

  • Run a Sniffer detection tool prior to connecting yours
    • Someone may already be listening to the network
  • Capture the network traffic as close to the source host as possible
    • Hackers use bounce sites to attack hosts
  • Have the capability of viewing captured data as a continuous stream.
    • This provides an overview of what the hacker is attempting to do
    • Reconstruct documents, etc
  • Have the capability of viewing the packets at the lowest level
    • High-level analyzers will sometimes strip off data that is not important for fault analysis but could be important for investigative purposes
      • Options and fields to identify the OS
      • Typing speed of user
      • Printer variables, X display variables , etc

Common Forensics Mistakes

  • Failure to Monitor
    • ICMP Traffic
    • SMTP, POP and IMAP
    • Traffic
    • UseNet Traffic
    • Files saved to external
    • media
    • Web Traffic
    • Senior Executives Traffic
    • Internal IP Traffic
  • Failure to Detect
    • ICMP Covert Channels
    • UDP Covert Channels
    • HTTP Covert Channels

Common Forensics Mistakes Continued

  • Failure to PlayBack
    • Encrypted traffic
    • Graphics
    • Modeling and Simulation traffic
  • Failure to Trace:
    • DOS
    • DDOS
    • Spoofed EMail
  • Failure to Detect.
    • Steganography.
    • Erasing Logs
    • File Encryption.
    • Binary Trojans

Monitoring Tools

Dsniff http://www.monkey.org/~dugsong/dsniff

tcpdump http://www.tcpdump.org/

WinDump http://netgroup-serv.polito.it/windump/

ethereal http://www.ethereal.com/

Snort http://www.snort.org/



System Restoration

  • System Administrator recovers the system
    • Don\'t trust anything that is on-line
    • Don\'t believe anything your system tells you
      • Reformat disks
      • Restore operating system
      • Reload software
      • Assign new passwords
      • Scan the /etc/passwd for newly created files
      • Check for changes to files that may affect security (trapdoors, logic bombs, etc.)

System Restoration

  • Check critical files for the appropriate file

protection and permissions

  • Scan the system for newly created SUID and

SGID files

  • Delete and recreate all .rhosts files
  • Check for changes to the /etc/hosts.equiv file
  • Check for changes in user startup files
  • Check for a modified .forward file
  • Check for hidden or unowned files and


  • Run audit tools such a COPS and Tripwire

System Restoration

  • The recovery should be planned to

have minimal impacton the users

  • Keep the users informed
    • Engage in rumor control

After Action Meeting and Report

  • Conduct an after actionmeeting
  • Prepare an after action report to document the incident, the response to the incident and the recovery from the incident
    • Lessons Learned?
      • Policy to general
      • Responsibilities not sufficiently defined
      • Inadequate monitoring tools
      • Systems not backed up
      • Hard disk needs smaller partitions
      • Set smaller limits on disk usage
      • System not scanned with tools: SATAN and ISS

Action List

  • Law Enforcement report?
    • Regulatory agency report?
    • Insurance claim?
    • Disciplinary action?
    • Dismissal action?
    • Vendor report?
    • Updatedisaster recovery plan?
    • Update software to new versions?
    • Update employee training?
    • Public Affairs report?
    • CEO report to employees?

Notify law Enforcement.

    • Brief/coordinate with upper management
    • The Law Enforcement Computer Crime Team
    • assumes control.
    • Computer crime investigation is complex,
    • time consuming, and resource intensive
    • Allow time/resources for
      • Investigation
      • Prosecution

Computer Crime Investigation


Define Roles.

  • Establish Policies.
  • Identify Tools.
  • Network Preparation.

Incident Preparation

Incident Response Process

  • Firewall Logs.
  • IDS Logs.
  • Suspicious User.
  • System Administrator.
  • Complete IR Checklist
    • Who/What/Where/When.
    • Incident Description
    • Hardware/Software.
    • Personnel Involved.
    • Network.

Incident Detection

Activate IR Team

  • Verify Incident.
  • Affected Systems.
  • Users Involved.
  • Business Impact.

Initial Response

Completed IR Checklist.

Is it really and Incident?


System Criticality.

  • Information Sensitivity.
  • Perpetrators.
  • Publicity.
  • Skill of Attacker.
  • System Downtime.
  • Dollar Loss.
  • Management Approval
    • Dollar Loss.
    • Downtime.
    • Legal Liability.
    • Publicity.
    • Intellectual Property.

Response Strategy

Incident Response Process-Continued

Accumulate Evidence


Secure System

  • Best Evidence Rule.
  • Chain of custody.
  • Data Volatility.

Forensic Duplication



Implement Security Measures

Incident Response Process Contd

  • Who, What, When, Where, How.
  • People and Things.
  • Isolate and Contain.
    • Disconnect.
    • Electronically isolate.
    • Network Filtering.

Network Monitoring

  • Monitor throughout the incident.
    • Track the hacker.
    • No incident recurrence.
  • Monitor on subnet.
  • Monitor at boundary.

New Procedures.

  • Reinstall files.
  • Reinstall from CD-Rom.
  • Secure System.
    • Turnoff unneeded services.
    • Apply patches.
    • Strong Passwords.
    • Strong Administration.


Incident Response Process-Continued


  • Document everything as it occurs.
  • Support both criminal and civil prosecution.
  • Produce the final report.
  • Process improvement.

Brave New Battles

Each new technology will bring with it new forms of crime, demanding innovative security. That is the dynamic which drives our modern progress: not dreams, not ideas, but the simple desire on the part of criminals to take what is not theirs by law, and the determination of others to keep them from doing so.

“This Alien Shore”, C. S. Friedman (C) 1998

  • Thorough analysis is hard
  • Don’t forget to restore with same ZEAL as you investigate
  • Incident evaluation is critical for lessons learned