BRKSEC-2006
17796_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
[Diagram: data center with call managers (CCM); NetFlow feeds anomaly detection, Cisco IDS events feed signature detection, and CS-MARS provides CSIRT monitoring]
False positive: normal sync traffic between call managers
Six Steps to Improve Your Security Monitoring
2. Know the network
3. Select targets
4. Choose event sources
5. Feed and tune
6. Troubleshoot
Who changed the PIX config?
Caught direct root login via syslog
Step 2: Know Your Network
Unknown
Unmonitored
Uncontrolled
Unmanned
Trusted
Supports investigations
Tools can collect, trend, and correlate activity
Well supported: Arbor PeakFlow, CS-MARS, NetQoS, OSU FlowTools
Simple to understand
Network Telemetry—Time Synchronization
Without it, you can't correlate different sources
Enable Network Time Protocol (NTP) everywhere: it is supported by routers, switches, firewalls, hosts, and other network-attached devices
[Diagram: NetFlow record fields: Source IP Address, Destination IP Address, Packet Count, Byte Count, Egress i/f, Usage (From/To)]
Export NetFlow data to the OSU Flowtools collector
Regionalized collection to minimize WAN impact
Collector storage
NetFlow data copied to other destinations (Peakflow, NetQoS) with flow-fanout
Examples of capabilities
Did 192.168.15.40 talk to 216.213.22.14?
What hosts and ports did 192.168.15.40 talk to?
Who's connecting to port TCP/6667?
Did anyone transfer data > 500MB to an external host?
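The four questions above are the kind a flow collector answers. The Python below is an added example, not the talk's tooling and not OSU FlowTools: it answers each question over a handful of constructed flow records. The internal address ranges, every address other than the two quoted on the slide, the port and byte counts, and reading "500MB" as 500 MiB are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One exported flow record, reduced to the fields the questions need."""
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    octets: int


# Constructed sample flows. 192.168.15.40 and 216.213.22.14 are the addresses
# quoted on the slide; every other address, port and byte count is invented.
FLOWS = [
    Flow("192.168.15.40", "216.213.22.14", 6, 51234, 80, 12, 4_800),
    Flow("192.168.15.40", "10.10.0.130", 6, 51235, 1521, 400, 120_000),
    Flow("10.10.0.130", "192.168.15.40", 6, 1521, 51235, 380, 9_000_000),
    Flow("192.168.15.40", "10.10.1.70", 17, 51236, 53, 2, 180),
    Flow("192.168.20.7", "198.51.100.9", 6, 40001, 6667, 60, 9_000),
    Flow("192.168.20.7", "198.51.100.9", 6, 40002, 6667, 3, 300),
    # one long transfer exported as three flow records (active timeout expiry)
    Flow("192.168.31.5", "203.0.113.77", 6, 40500, 443, 300_000, 250 * 1024 * 1024),
    Flow("192.168.31.5", "203.0.113.77", 6, 40500, 443, 300_000, 250 * 1024 * 1024),
    Flow("192.168.31.5", "203.0.113.77", 6, 40500, 443, 200_000, 150 * 1024 * 1024),
]

# Assumed internal address space (the RFC 1918 ranges the slide's examples use).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def talked(flows, a: str, b: str) -> bool:
    """Did host a talk to host b? Either direction counts."""
    return any({f.src, f.dst} == {a, b} for f in flows)


def peers_and_ports(flows, host: str) -> dict:
    """What hosts and ports did a host talk to? Maps peer -> {(proto, port on the peer)}."""
    out = defaultdict(set)
    for f in flows:
        if f.src == host:
            out[f.dst].add((f.proto, f.dport))
        elif f.dst == host:
            out[f.src].add((f.proto, f.sport))
    return dict(out)


def clients_of(flows, proto: int, port: int) -> list:
    """Who's connecting to a service, e.g. TCP/6667 (IRC)? Sorted list of source addresses."""
    return sorted({f.src for f in flows if f.proto == proto and f.dport == port})


def large_external_transfers(flows, threshold_bytes: int = 500 * 1024 * 1024) -> list:
    """Did anyone transfer more than the threshold to an external host?

    Byte counts are summed per (src, dst) pair because a single long transfer
    is exported as several flow records when the active timeout expires; a
    per-record check would miss it.
    """
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.octets
    return sorted((pair, total) for pair, total in totals.items() if total > threshold_bytes)


if __name__ == "__main__":
    print(talked(FLOWS, "192.168.15.40", "216.213.22.14"))
    print(peers_and_ports(FLOWS, "192.168.15.40"))
    print(clients_of(FLOWS, 6, 6667))
    print(large_external_transfers(FLOWS))
```

The last function is the one worth copying: a long upload rarely arrives as one flow record, so the ">500MB" question has to be asked of the per-pair sum, not of individual records.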
Step 4. Choose Event Sources
Step 5. Feed and Tune
[Diagram: traffic flow passes the sensor, which raises an alert]
[Diagram: Design, Deploy, Tune, Manage cycle]
Tuning and management are ongoing
IDS or IPS?
[Diagram: IDS placement: backbone (BB) uplinks mirrored to the sensor, ingress/egress traffic only. IPS placement: BB uplinks mirrored to a load balancer, ingress/egress traffic only]
Tune IDS
Benign triggers: the info tells me that this may be normal traffic
Regionalize deployment
Minimize sending over network
Other Logs
Web server logs: can verify and elaborate attacks; use HTTP status codes to determine if the IDS alert really worked; can provide URL details during an attack
Apache: send as syslog via an httpd.conf setting
IIS: send as syslog via MonitorWare Agent
App server logs: find a way to relay them as syslog to the SIM; send via SNMP events; pull via SQL queries
Oracle logs: pull logs from the AUD$ table via SQL
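Once web server logs land beside the IDS alerts, the "did the alert really work" check the slide describes can be scripted. The Python below is an added example, not the talk's code: it parses constructed Apache combined-format lines, selects the requests matching an alert's source address, URL prefix and time window, and turns the status codes into a verdict. The log lines, addresses, paths and the 30-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines; addresses, paths and times are invented.
ACCESS_LOG = """\
203.0.113.5 - - [12/Apr/2008:10:15:01 +0000] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Apr/2008:10:15:02 +0000] "GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Apr/2008:10:15:03 +0000] "GET /index.php?id=2 HTTP/1.1" 200 8790 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2008:10:15:04 +0000] "POST /admin/login HTTP/1.1" 500 0 "-" "Mozilla/4.0"
"""

# client ip, ident, user, [timestamp], "method url proto", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text: str) -> list:
    """Turn combined-format lines into dicts; lines that do not parse are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                         "method": m["method"], "url": m["url"], "status": int(m["status"])})
    return rows


def make_alert(src: str, when: str, url_prefix: str) -> dict:
    """Minimal stand-in for an IDS alert; `when` uses the log's own timestamp format."""
    return {"src": src, "ts": datetime.strptime(when, TS_FMT), "url_prefix": url_prefix}


def verify_alert(alert: dict, rows: list, window: timedelta = timedelta(seconds=30)) -> tuple:
    """Return (verdict, matching requests). The status code says what the server
    did with the request the sensor flagged; 5xx is ranked above 2xx above 4xx."""
    matches = [r for r in rows
               if r["ip"] == alert["src"]
               and abs(r["ts"] - alert["ts"]) <= window
               and r["url"].startswith(alert["url_prefix"])]
    if not matches:
        return "unverified: no matching request in the web log (feed gap or clock skew?)", matches
    statuses = {r["status"] for r in matches}
    if any(500 <= s < 600 for s in statuses):
        verdict = "5xx: the application errored on the request, treat as possible impact"
    elif any(200 <= s < 300 for s in statuses):
        verdict = "2xx: the server processed the request, inspect the URL and response"
    else:
        verdict = "3xx/4xx only: rejected, redirected or not found, likely a benign trigger"
    return verdict, matches


if __name__ == "__main__":
    rows = parse_access_log(ACCESS_LOG)
    print(verify_alert(make_alert("203.0.113.5", "12/Apr/2008:10:15:02 +0000", "/index.php"), rows))
```

The "unverified" branch is the one that pays for itself in practice: an alert with no corresponding web log entry usually means the log feed or the clock on one side is broken, which ties back to the NTP point earlier in the deck.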
[Diagram: Number of services/protocols. DMZ: SMTP, DNS, FTP, HTTP, HTTPS, SSH. Other segments: SMTP, DNS, FTP, HTTP, HTTPS, SSH, POP, IMAP, NFS, TFTP, TACACS, TELNET, NETBIOS, SUNRPC, NNTP, NTP, SQL, SNMP, LDAP, SMB, CIFS, RPC]
False positives
Difficult and time-consuming to identify
Key: good relationship with IT application and service owners
[mynfchost]# crontab -e
Create variables based on IPAM data:
xxx-dc-nms-1# conf t
xxx-dc-nms-1(config)# service event-action-rules rules0
variables ORACLE_10G address 10.10.0.128-10.10.0.255
variables ORACLE_WEBAPP address 10.10.1.64-10.10.1.95
variables DESKTOP_NETS address 10.10.32.0-10.10.63.255
Apply filters to remove alerting for management systems to dev DBs:
filters insert drop_desktop_to_devdb_alerts
signature-id-range 60002
attacker-address-range $MGT_SERVERS
victim-address-range 10.10.0.120
actions-to-remove produce-alert|produce-verbose-alert
Verify Feeds
Syslog feed verification: script awk to grab the hostnames of systems that sent syslog each day and do a diff
Ask IT to use a daily cron to reset syslog.conf on servers
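The daily diff described above, as an added example in Python rather than the talk's awk script: it extracts the hostname field from constructed syslog lines for two consecutive days, reports hosts that went silent or appeared, and checks today's set against an expected inventory. Since the same parse is at hand it also flags direct root logins over SSH, the syslog catch mentioned earlier in the deck. All hostnames, addresses, process ids and log lines are constructed.

```python
import re

# Constructed RFC 3164-style syslog lines for two consecutive days; all hostnames,
# addresses and process ids are invented.
DAY1 = """\
Apr 11 03:14:07 web01 sshd[2210]: Accepted publickey for deploy from 10.10.32.5 port 50212 ssh2
Apr 11 03:14:09 db01 su: (to root) oracle on /dev/pts/1
Apr 11 03:20:11 web02 httpd: [notice] caught SIGTERM, shutting down
Apr 11 04:00:01 web01 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""
DAY2 = """\
Apr 12 03:14:02 web01 sshd[2409]: Accepted publickey for deploy from 10.10.32.5 port 50301 ssh2
Apr 12 03:15:44 web03 sshd[117]: Server listening on 0.0.0.0 port 22.
Apr 12 03:30:10 db01 sshd[880]: Accepted password for root from 10.10.40.21 port 40122 ssh2
Apr 12 04:00:01 web01 CRON[2501]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "Mmm dd hh:mm:ss HOST " header; the day of month may be space-padded ("Apr  1").
HEADER_RE = re.compile(r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ')
# sshd's success line for a login straight to the root account.
ROOT_SSH_RE = re.compile(r' (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+) ')


def hosts_seen(text: str) -> set:
    """Set of hostnames that produced at least one syslog line (the awk + sort -u step)."""
    return {m["host"] for m in map(HEADER_RE.match, text.splitlines()) if m}


def feed_diff(yesterday: str, today: str, expected=None) -> dict:
    """The daily diff: who stopped logging, who is new, and which inventory hosts
    are absent today. A server whose syslog.conf was overwritten shows up as silent."""
    prev, cur = hosts_seen(yesterday), hosts_seen(today)
    report = {"silent": sorted(prev - cur), "new": sorted(cur - prev)}
    if expected is not None:
        report["missing_today"] = sorted(set(expected) - cur)
    return report


def direct_root_logins(text: str) -> list:
    """(host, source address) pairs for successful SSH logins directly to root."""
    return [(m["host"], m["src"]) for m in map(ROOT_SSH_RE.search, text.splitlines()) if m]


if __name__ == "__main__":
    inventory = ["web01", "web02", "web03", "db01", "db02"]
    print(feed_diff(DAY1, DAY2, expected=inventory))
    print(direct_root_logins(DAY2))
```

Run it from a daily cron against yesterday's and today's syslog archive; the "silent" list is the one to hand to the IT owners, since a host that logged yesterday and not today is almost always a broken feed rather than a quiet server.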
Lessons Learned
Start small: too many events at once is overwhelming; understand/tune each source before adding more; understand "normal" traffic thoroughly before moving on; avoid alerting on false positives
Use a SIM: event correlation, false positive reduction
Choose carefully what you want to monitor …or you'll waste your time chasing false positives
Use defined playbooks and escalation procedures
Have allies in the IT support teams (network support, DBAs, webmasters, etc.): they can explain/remediate issues you find
Q and A