Nate King & Errol Weiss. Information Security Magazine - PowerPoint PPT Presentation



Lesson 14: Network Monitoring, System Restoration, Incident Evaluation
The Role of Network Forensics
  • Network Forensics analysis tools (NFATS) reveal
    insecurities, turn system administrators into
    system detectives.
  • Nate King & Errol Weiss
  • Information Security Magazine

Network Forensics
  • Sniffer: hardware or software that passively
    intercepts packets as they traverse the network.
    Other names include Protocol Analyzer and Network
    Monitor.
  • Silent Sniffers will not respond to any received
    packets.
  • Illegal Sniffers violate 18 USC 2511, dealing
    with wiretaps.
  • Promiscuous Mode: a sniffer operates in a mode
    that intercepts all packets flowing across the
    network.
  • A normal NIC only intercepts packets addressed
    to its IP address and broadcasts.
  • Transactional (Noncontent) information consists
    only of header information, for example IP, TCP
    or UDP headers.
    • Same as a LE Trap and Trace or Pen Register.
  • Content Information consists of not only the
    headers but also part or all of the encapsulated

Network Forensics Data
  • Network data can come from
    • Routers, Firewalls, Servers, IDS, DHCP
      Servers, etc.
    • These logs may have different formats, be
      difficult to find, difficult to correlate and
      have a broken chain of custody
  • Chain of Custody
    • Strictly controlled network monitoring can
      maintain a proper chain of custody
    • Electronic evidence requires tighter control
      than most other types of evidence because it can
      be easily altered
    • A broken chain goes to weight and not

Chain of Custody
  • Network data chain of custody should include
    • Date and time recorded
    • Make, model, serial and description of the
      recording device
    • Name of the individual recording the logs, or
      of the individual recovering the logs
    • Description of the logs
    • Name, signature and date of the individual
      receiving the data
    • Evidence tag for this item
    • Hash value (MD5) of each log file
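As an added example, not part of the original slides, the Python routine below builds a custody record with the fields listed above and later re-verifies the log hashes; the device string, names, evidence tag and log contents are constructed placeholders, and a SHA-256 digest is recorded alongside the slide's MD5 because MD5 collisions are practical today.

```python
"""Added example (not from the slides): build a chain-of-custody record for
captured log files with the fields the slide lists, and later re-verify it.
MD5 is kept because the slide calls for it; SHA-256 is recorded alongside
because MD5 collisions are practical, so MD5 alone no longer proves integrity."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def file_digests(path):
    """MD5 and SHA-256 hex digests, read in chunks so large captures are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def custody_record(log_paths, device, recorded_by, evidence_tag, description, received_by):
    """Slide fields: date/time, device, recorder, description, receiver, tag, hashes.
    'signature' is a placeholder for whatever sign-off the organisation uses."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "recorded_at": now, "recording_device": device, "recorded_by": recorded_by,
        "description": description, "evidence_tag": evidence_tag,
        "received_by": {"name": received_by, "signature": "<placeholder>", "date": now},
        "files": [{"name": Path(p).name, **file_digests(p)} for p in log_paths],
    }


def verify_custody(record, log_dir):
    """Re-hash each file named in the record; return names whose digests changed
    (an empty list means the logs are as recorded)."""
    altered = []
    for entry in record["files"]:
        expected = {"md5": entry["md5"], "sha256": entry["sha256"]}
        if file_digests(Path(log_dir) / entry["name"]) != expected:
            altered.append(entry["name"])
    return altered


def write_sample_logs(base=None):
    """Constructed firewall and DHCP log excerpts (not real data) for a demo run."""
    base = Path(base or tempfile.mkdtemp(prefix="custody_"))
    (base / "fw.log").write_text("2001-03-12T02:14:05Z DENY tcp 10.0.0.7:4431 -> 10.0.1.20:23\n")
    (base / "dhcp.log").write_text("2001-03-12T02:13:59Z DHCPACK 10.0.0.7 00:11:22:33:44:55\n")
    return base, [base / "fw.log", base / "dhcp.log"]
```

Re-running verify_custody() at each hand-off, and keeping the record itself with the evidence tag, is what lets a later reviewer show the logs were not altered in between.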

Monitoring The Network
  • What are the Network Monitoring goals?
    • Monitor traffic to and from a host?
    • Monitor traffic to and from a network?
    • Monitor a specific person?
    • Verify an intrusion attempt?
    • Monitor attack signatures?
    • Monitor a specific protocol?
    • Monitor a specific port?
  • Check with legal counsel prior to starting the

Network Monitoring Tool
  • Network Monitoring Hardware
    • A portable laptop
    • 512 MB RAM
    • 40 GB disk
    • External Zip drive
  • Network Monitoring Software
    • NetBSD is reputedly the best
    • A Silent Sniffer that speaks only TCP/IP with
      ARP disabled
    • Employ a VLAN with SSH or a dial-back modem for
      remote administration

Monitoring The Network Continued
  • Possible Network Monitors
    • tcpdump, Ethereal and Snort
    • Snoop, iptrace, Sniffer Pro, Etherpeek, LANalyzer
    • NetMon, Network Tracing and Logging and Cisco
  • Network Monitor Location
    • Host Monitoring: on the same hub or switch.
      The switch should have Switch Port Analysis
    • Network Monitoring: at the network perimeter
    • A physically secure location

Helpful Hints
  • Run a Sniffer detection tool prior to connecting
    • Someone may already be listening to the network
  • Capture the network traffic as close to the
    source host as possible
    • Hackers use bounce sites to attack hosts
  • Have the capability of viewing captured data as
    a continuous stream
    • This provides an overview of what the hacker is
      attempting to do
    • Reconstruct documents, etc.
  • Have the capability of viewing the packets at
    the lowest level
    • High-level analyzers will sometimes strip off
      data that is not important for fault analysis but
      could be important for investigative purposes
    • Options and fields to identify the OS
    • Typing speed of user
    • Printer variables, X display variables, etc.

Common Forensics Mistakes
  • Failure to Monitor
    • ICMP Traffic
    • SMTP, POP and IMAP Traffic
    • UseNet Traffic
    • Files saved to external media
    • Web Traffic
    • Senior Executives' Traffic
    • Internal IP Traffic
  • Failure to Detect
    • ICMP Covert Channels
    • UDP Covert Channels
    • HTTP Covert Channels

Common Forensics Mistakes Continued
  • Failure to Play Back
    • Encrypted traffic
    • Graphics
    • Modeling and Simulation traffic
  • Failure to Trace
    • DoS
    • DDoS
    • Spoofed Email
  • Failure to Detect
    • Steganography
    • Erasing Logs
    • File Encryption
    • Binary Trojans

Monitoring Tools
  • Dsniff http//
  • tcpdump http//
  • WinDump http//netgrou
  • ethereal http//www.ethe
  • Snort http//
  • Snoop
System Restoration
System Restoration
  • System Administrator recovers the system
  • Don't trust anything that is on-line
  • Don't believe anything your system tells you
  • Reformat disks
  • Restore operating system
  • Reload software
  • Assign new passwords
  • Scan the /etc/passwd for newly created files
  • Check for changes to files that may affect
    security (trapdoors, logic bombs, etc.)

System Restoration
  • Check critical files for the appropriate file
    protection and permissions
  • Scan the system for newly created SUID and
    SGID files
  • Delete and recreate all .rhosts files
  • Check for changes to the /etc/hosts.equiv file
  • Check for changes in user startup files
  • Check for a modified .forward file
  • Check for hidden or unowned files and
    directories
  • Run audit tools such as COPS and Tripwire
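As an added example, not from the slides, the Python sweep below applies the checks in this list to a restored filesystem tree: SUID/SGID files, .rhosts, /etc/hosts.equiv and .forward trust files, files whose owner or group is missing from passwd/group, and dot-only names that hide from directory listings. The sample tree, its file names and the sweep()/build_sample_tree() helpers are my construction; it uses lstat so planted symlinks are not followed.

```python
"""Added example (not from the slides): a filesystem sweep implementing the checks
the restoration slide lists: SUID/SGID files, .rhosts / hosts.equiv / .forward trust
files, unowned files and hidden names. The sample tree is constructed, not real."""
import os
import pwd
import grp
import stat
import tempfile
from pathlib import Path
TRUST_FILES = {".rhosts", ".forward"}    # per-user trust files the slide says to recreate/check
SYSTEM_TRUST = {"etc/hosts.equiv"}       # system-wide trust file, path relative to the root


def sweep(root):
    """Walk root using lstat (never following planted symlinks); findings by check."""
    root = Path(root)
    found = {"suid": [], "sgid": [], "trust": [], "unowned": [], "hidden": []}
    uids = {p.pw_uid for p in pwd.getpwall()}
    gids = {g.gr_gid for g in grp.getgrall()}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            st = path.lstat()
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found["suid"].append(rel)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISGID:
                found["sgid"].append(rel)
            if name in TRUST_FILES or rel in SYSTEM_TRUST:
                found["trust"].append(rel)
            if st.st_uid not in uids or st.st_gid not in gids:
                found["unowned"].append(rel)    # owner or group missing from passwd/group
            if name.startswith(".") and not name.strip(". \t"):
                found["hidden"].append(rel)     # names like "..." or ". " vanish in ls output
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree(base=None):
    """Constructed sample root that trips each check (not a real system)."""
    base = Path(base or tempfile.mkdtemp(prefix="restore_"))
    for d in ("bin", "etc", "home/alice", "tmp/..."):
        (base / d).mkdir(parents=True, exist_ok=True)
    (base / "bin/sh_copy").write_bytes(b"\x7fELF constructed")
    os.chmod(base / "bin/sh_copy", 0o4755)      # SUID copy of a shell left behind
    (base / "bin/wall_copy").write_bytes(b"\x7fELF constructed")
    os.chmod(base / "bin/wall_copy", 0o2755)    # SGID binary
    (base / "home/alice/.rhosts").write_text("+ +\n")   # trusts every host and user
    (base / "etc/hosts.equiv").write_text("+\n")
    return base
```

Compare the SUID/SGID lists against the package manager's known set for the installed release; anything not on it is a candidate for the slide's "trapdoor" category and should be examined before the host goes back on line.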

System Restoration
  • The recovery should be planned to
    have minimal impact on the users
  • Keep the users informed
  • Engage in rumor control

Incident Evaluation
After Action Meeting and Report
  • Conduct an after action meeting
  • Prepare an after action report to document the
    incident, the response to the incident and the
    recovery from the incident
  • Lessons Learned?
    • Policy too general
    • Responsibilities not sufficiently defined
    • Inadequate monitoring tools
    • Systems not backed up
    • Hard disk needs smaller partitions
    • Set smaller limits on disk usage
    • System not scanned with tools such as SATAN and ISS

Action List
  • Law Enforcement report?
  • Regulatory agency report?
  • Insurance claim?
  • Disciplinary action?
  • Dismissal action?
  • Vendor report?
  • Update disaster recovery plan?
  • Update software to new versions?
  • Update employee training?
  • Public Affairs report?
  • CEO report to employees?

Computer Crime Investigation
  • Notify law enforcement.
  • Brief/coordinate with upper management.
  • The Law Enforcement Computer Crime Team
    assumes control.
  • Computer crime investigation is complex,
    time consuming, and resource intensive.
  • Allow time/resources for
    • Investigation
    • Prosecution

Incident Response Process
  • Define Roles.
  • Establish Policies.
  • Identify Tools.
  • Network Preparation.

Incident Preparation
  • Firewall Logs.
  • IDS Logs.
  • Suspicious User.
  • System Administrator.
  • Complete IR Checklist
  • Who/What/Where/When.
  • Incident Description
  • Hardware/Software.
  • Personnel Involved.
  • Network.

Incident Detection
Activate IR Team
  • Verify Incident.
  • Affected Systems.
  • Users Involved.
  • Business Impact.

Initial Response
Completed IR Checklist.
Is it really an Incident?
Incident Response Process (Continued)
  • System Criticality.
  • Information Sensitivity.
  • Perpetrators.
  • Publicity.
  • Skill of Attacker.
  • System Downtime.
  • Dollar Loss.
  • Management Approval
    • Dollar Loss.
    • Downtime.
    • Legal Liability.
    • Publicity.
    • Intellectual Property.

Response Strategy
Accumulate Evidence
Secure System
  • Best Evidence Rule.
  • Chain of custody.
  • Data Volatility.

Forensic Duplication
Incident Response Process (Continued)

Implement Security Measures
  • Who, What, When, Where, How.
  • People and Things.
  • Isolate and Contain.
  • Disconnect.
  • Electronically isolate.
  • Network Filtering.

Network Monitoring
  • Monitor throughout the incident.
  • Track the hacker.
  • No incident recurrence.
  • Monitor on subnet.
  • Monitor at boundary.

Incident Response Process (Continued)
  • New Procedures.
  • Reinstall files.
  • Reinstall from CD-ROM.
  • Secure System.
  • Turn off unneeded services.
  • Apply patches.
  • Strong Passwords.
  • Strong Administration.

  • Document everything as it occurs.
  • Support both criminal and civil prosecution.
  • Produce the final report.
  • Process improvement.

Brave New Battles
Each new technology will bring with it new forms
of crime, demanding innovative security. That is
the dynamic which drives our modern progress: not
dreams, not ideas, but the simple desire on the
part of criminals to take what is not theirs by
law, and the determination of others to keep them
from doing so.
This Alien Shore, C. S. Friedman, © 1998
  • Thorough analysis is hard
  • Don't forget to restore with the same ZEAL as you
  • Incident evaluation is critical for lessons
    learned / lessons to teach