
Case Studies in Implementing Packet-Level Analysis-based Security Solutions
(what a mouthful!)

Laura Chappell, Protocol Analysis Institute, www.packet-level.com

Attendees: course notes are online at www.packet-level.com
(www.packet-level.com/resources/hpetsnotes.txt).

Sessions this week:
Thursday – 1728 Cybercrime 1 – 9:30 Rm124
Thursday – 1729 Cybercrime 2 – 2:00 Rm224
Friday – 1730 Advanced Analysis – 8:00a Rm124
Friday – 1731 Case Studies/Security – 11:00a Rm124

Remember to fill out your evaluations! October 11, 2002

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 1

This Lecture Covers...


Selecting and Implementing an Analyzer Solution
Intrusion Detection Systems
Forensics
Case Studies

Getting and Implementing Your Protocol Analyzer


Analyzer Selection
Standalone
Distributed
Software only
Hardware/software

My opinions…

Analyzer Placement – Hub Networks

All packets go everywhere in a hubbed environment: a hub repeats every frame out every port, so an analyzer on any port sees all of the traffic.

[Diagram: analyzer and stations attached to a hub]


Analyzer Placement – Switch Networks

Yipes! The switch's per-port forwarding ("virtual circuits") ruins our analysis: a unicast frame is forwarded only to the port that owns the destination MAC address, so an analyzer on an ordinary port sees only broadcasts, multicasts, flooded frames and its own conversations.

Consider the solutions
• Hubbing out (insert a hub between the switch port and the station of interest)
• Mirroring/spanning (copy the traffic of one or more ports to the analyzer's port)
• Hacking…

[Diagram: analyzer attached to a switch]

Analyzer Placement – Routed Networks

You can’t analyze through a router: the router is the boundary of the broadcast domain and rewrites the layer-2 header, so an analyzer sees only the segment it is plugged into. Put the analyzer on the segment you need to see.

[Diagram: router between two hubs]


Learning Packets and Protocols

www.ieee.org
www.iana.org
www.ietf.org
www.packet-level.com
www.podbooks.com
www.sans.org
www.cert.org

Baselining the Network

“The laying on of hands” approach


Look for:
• Broadcasts/multicasts
• ICMP traffic
• Client login sequences
• Too much visibility


Alarms/Alerts

Automatic notification of unusual events


Watch the thresholds
Trends enable you to set appropriate thresholds
Don’t trust all alarms/alerts— research their cause

Defining Alarms

Consider performing a ‘baseline’ before changing alarms.

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 11

Use a Cyclical Buffer

Use with a trigger to ‘catch’ an event
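An added example of the cyclical buffer with a trigger (Python written for these notes, not code from the talk or from any analyzer product): the buffer keeps only the last few packets until a trigger condition fires, then keeps a fixed number of packets after it and stops, so the event is caught with context on both sides. The packet records, the trigger (a SYN to the Squid proxy port 3128) and the pre/post counts are constructed for illustration.

```python
from collections import deque


class TriggeredRingBuffer:
    """Cyclical buffer: keeps the last `pre` packets, and once `trigger(pkt)`
    fires keeps `post` more packets, then stops accepting input."""

    def __init__(self, pre, post, trigger):
        self.pre = deque(maxlen=pre)   # rolling window; oldest entry drops off
        self.post = post
        self.trigger = trigger         # callable(pkt) -> bool
        self.captured = None           # becomes a list once the trigger fires
        self.remaining = None
        self.stopped = False

    def feed(self, pkt):
        """Offer one packet. Returns True while more input is wanted."""
        if self.stopped:
            return False
        if self.captured is None:
            if not self.trigger(pkt):
                self.pre.append(pkt)
                return True
            self.captured = list(self.pre) + [pkt]   # freeze the pre-trigger context
            self.remaining = self.post
        else:
            self.captured.append(pkt)
            self.remaining -= 1
        if self.remaining <= 0:
            self.stopped = True
            return False
        return True


def capture(stream, pre, post, trigger):
    """Run a packet iterable through the buffer; return the frozen capture,
    or None if the trigger never fired."""
    buf = TriggeredRingBuffer(pre, post, trigger)
    for pkt in stream:
        if not buf.feed(pkt):
            break
    return buf.captured


# Constructed sample traffic (hypothetical, not a real trace): packet records
# with a sequence number, destination port and TCP flags.
SAMPLE = [{"no": i, "dport": 80, "flags": "PA"} for i in range(1, 101)]
SAMPLE[59] = {"no": 60, "dport": 3128, "flags": "S"}   # the event: a SYN to the proxy port


def is_proxy_scan(pkt):
    return pkt["dport"] == 3128 and pkt["flags"] == "S"


if __name__ == "__main__":
    got = capture(SAMPLE, pre=5, post=3, trigger=is_proxy_scan)
    print([p["no"] for p in got])   # five before the event, the event, three after
```

With pre=5 and post=3 the capture holds packets 55 through 63; the 54 packets before the window never leave the ring, which is what keeps the buffer small while you wait hours for an intermittent event.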

Building Security Filters

Test your firewall – build filters on the ports the firewall is supposed to block and see what still gets through

Get a hot port list
Build application-layer filters
• e.g., an FTP or Gnutella filter
• DNS queries
• Hidden DHCP servers
• Hidden web servers – filter on the payload at offset 0x36 (54 decimal), where the TCP data begins in an Ethernet II frame with no IP or TCP options (14 + 20 + 20 bytes); if either header carries options the offset moves
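An added example of these filters in Python (written for these notes, not code from the talk): it decodes constructed Ethernet II/IPv4 frames, computes the payload offset from the IP and TCP header lengths (0x36 when neither has options), and applies three of the filters above: a hot-port list, a hidden web server test (an HTTP response from a host not on the sanctioned list), and a hidden DHCP server test. It also matches the Gnutella handshake signature, which is the filter Case #2 below relies on. The server lists, hot-port list and sample frames are assumptions made up for the example.

```python
import struct

ETH_HDR = 14                                  # Ethernet II header length
# Assumptions for the example (not from the talk): the sanctioned servers and a
# tiny illustrative hot-port list. A real list comes from your vendor or SANS.
KNOWN_WEB_SERVERS = {"10.1.1.10"}
KNOWN_DHCP_SERVERS = {"10.1.1.1"}
HOT_PORTS = {21: "FTP", 6346: "Gnutella", 6347: "Gnutella"}


def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src, dst, sport, dport, payload, proto="tcp", flags=0x18):
    """Constructed Ethernet II / IPv4 / TCP-or-UDP frame with no IP or TCP options."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        pnum = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        pnum = 17
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, pnum, 0,
                     ip4(src), ip4(dst))
    return bytes(12) + b"\x08\x00" + ip + l4      # zero MACs, EtherType IPv4


def parse(frame):
    """Decode IPv4 over Ethernet II; return None for anything that is not TCP/UDP."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4             # IP options shift everything after them
    proto = frame[ETH_HDR + 9]
    l4_at = ETH_HDR + ihl
    sport, dport = struct.unpack("!HH", frame[l4_at:l4_at + 4])
    if proto == 6:
        hdr_len = (frame[l4_at + 12] >> 4) * 4    # TCP data offset, in 32-bit words
    elif proto == 17:
        hdr_len = 8
    else:
        return None
    payload_at = l4_at + hdr_len                  # 0x36 for option-less TCP
    return {
        "proto": proto,
        "src": ".".join(map(str, frame[ETH_HDR + 12:ETH_HDR + 16])),
        "dst": ".".join(map(str, frame[ETH_HDR + 16:ETH_HDR + 20])),
        "sport": sport, "dport": dport,
        "payload_at": payload_at, "payload": frame[payload_at:],
    }


def check_frame(frame):
    """Apply the slide's filter ideas to one frame; return a list of alert strings."""
    p = parse(frame)
    if p is None:
        return []
    alerts = []
    for port in (p["sport"], p["dport"]):
        if port in HOT_PORTS:
            alerts.append(f"hot port {port} ({HOT_PORTS[port]}) {p['src']}->{p['dst']}")
    data = p["payload"]
    # Hidden web server: an HTTP response from a host that is not supposed to serve web.
    if p["proto"] == 6 and data.startswith(b"HTTP/1.") and p["src"] not in KNOWN_WEB_SERVERS:
        alerts.append(f"hidden web server {p['src']}:{p['sport']}")
    # Gnutella handshake signature, on whatever port the client chose.
    if p["proto"] == 6 and data.startswith(b"GNUTELLA"):
        alerts.append(f"gnutella handshake {p['src']}->{p['dst']}:{p['dport']}")
    # Hidden DHCP server: a BOOTREPLY (op=2) from UDP 67 by an unsanctioned host.
    if (p["proto"] == 17 and p["sport"] == 67 and data[:1] == b"\x02"
            and p["src"] not in KNOWN_DHCP_SERVERS):
        alerts.append(f"hidden DHCP server {p['src']}")
    return alerts


# Constructed test traffic (not captured packets).
FRAMES = [
    build_frame("10.1.1.10", "10.1.1.50", 80, 1025, b"HTTP/1.1 200 OK\r\n"),           # sanctioned
    build_frame("10.1.1.77", "10.1.1.50", 8080, 1026, b"HTTP/1.0 200 OK\r\n"),         # hidden web server
    build_frame("10.1.1.50", "192.0.2.9", 1027, 6346, b"GNUTELLA CONNECT/0.6\r\n"),    # hot port + signature
    build_frame("10.1.1.99", "255.255.255.255", 67, 68, b"\x02\x01\x06\x00", proto="udp"),  # rogue DHCP
]

if __name__ == "__main__":
    for f in FRAMES:
        print(parse(f)["payload_at"], check_frame(f))
```

Note that the offset is derived from the headers rather than hard-coded: the slide's 0x36 is right for the common case, but a frame with IP options, TCP options (any SYN with MSS, for instance) or an 802.1Q tag puts the payload somewhere else, and a fixed-offset filter silently misses it.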


Documenting the Network

Step 1: Gather traces – take notes


– Use good naming techniques
– Gen1.cap, switch1-nospan.cap, mike-boot.cap
– Use last-page listing
Step 2: Build an outline
– Include 1 paragraph descriptions
Step 3: Review traces and take screenshots
– Use SnagIt by TechSmith
Write for executives and technical staff separately

Consider an Intrusion Detection System


Active v. Passive IDS

Active IDS
• Actively looking for attack signatures in real time.
• ISS RealSecure
Passive IDS
• Passively gathering data for later signature checking and
correlation.
• Offline buffer filtering

Snort IDS

Network Intrusion Detection System (NIDS)


Rules-based
Plug-ins available
Sample snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128
(msg:"INFO - Possible Squid Scan"; flags:S;
classtype:attempted-recon; sid:618; rev:1;)

Link: www.snort.org
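To make the rule above concrete, an added Python example (not Snort's code and not from the talk) parses the rule header and options and evaluates the rule against constructed packets. The $HOME_NET and $EXTERNAL_NET values are assumed; the flags test follows Snort's modifier semantics, where flags:S with no modifier means SYN must be the only flag set, so a SYN/ACK does not match.

```python
import ipaddress
import re

# Assumed snort.conf variables for the example (not the talk's).
VARIABLES = {"$HOME_NET": "10.1.1.0/24", "$EXTERNAL_NET": "!10.1.1.0/24"}

# The rule from the slide.
RULE_TEXT = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 '
             '(msg:"INFO - Possible Squid Scan"; flags:S; classtype:attempted-recon; sid:618; rev:1;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text)
    rule = m.groupdict()
    opts = {}
    # Good enough for this rule; real rules may hide ';' inside quoted msg/content.
    for part in rule.pop("body").split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule


def addr_match(spec, ip):
    """'any', a $VARIABLE, or a CIDR/host, optionally negated with '!'."""
    if spec == "any":
        return True
    spec = VARIABLES.get(spec, spec)
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_match(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    """flags:S matches only when SYN is the sole flag set; flags:S+ allows extra
    flags; flags:S* matches if any listed flag is set."""
    want, have = set(spec.rstrip("+*")), set(flags)
    if spec.endswith("+"):
        return want <= have
    if spec.endswith("*"):
        return bool(want & have)
    return want == have


def match(rule, pkt):
    """Return the rule's msg if the packet (a dict) matches, else None."""
    if rule["proto"] != pkt["proto"]:
        return None

    def ends(s, sp, d, dp):
        return (addr_match(rule["src"], s) and port_match(rule["sport"], sp)
                and addr_match(rule["dst"], d) and port_match(rule["dport"], dp))

    ok = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":                      # bidirectional rules match either way
        ok = ok or ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return None
    if "flags" in rule["options"] and not flags_match(rule["options"]["flags"], pkt["flags"]):
        return None
    return rule["options"].get("msg")


# Constructed packets (not real traffic).
SCAN = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000,
        "dst": "10.1.1.20", "dport": 3128, "flags": "S"}
REPLY = dict(SCAN, flags="SA")          # SYN/ACK: not a connection attempt
INTERNAL = dict(SCAN, src="10.1.1.5")   # from $HOME_NET, so $EXTERNAL_NET fails

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for pkt in (SCAN, REPLY, INTERNAL):
        print(match(rule, pkt))
```

The point of walking through the rule this way is that the alert fires on the bare SYN from outside, and on nothing else: the $EXTERNAL_NET negation is what keeps your own proxy clients from tripping it, and the exact flags match is what keeps the server's SYN/ACK from doubling every alert.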

Where do You Put Your Pig?

Off a hub
Off a spanned/mirrored switch port

[Diagram: a switch with Client A and Client B, a hub with Server 1, and sensor positions 1 and 2]

Forensics and Other Tools


Forensic Computing

Gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system.

Forensic Ordering

Follow the order of volatility (most volatile first):
• memory, cache
• swap files
• network state
• running processes
• disks (local)
• peripheral storage


Forensics

Take system offline
Track everything you do/type
Consider your space restrictions
Grab first; analyze later
Note hardware/software configuration
• netstat, route, arp, logfiles, kernel info

Unix Forensic Tools

Grave Robber
• memory
• netstat, route, arp, etc.
• capture process data
• log files


Windows NTFS Suite by NTI

DiskSearch NT - A Text Search Utility for Windows NT. It searches files, slack and
erased space.

FileList NT - A disk catalog tool used to evaluate computer use time lines for
normal and erased files on Windows NT systems.

GetFree NT - An ambient data collection tool used to capture unallocated data on Windows NT systems.

GetSlack NT - An ambient data collection tool used to capture file slack on Windows NT systems.

ShowFL NT - A program used to analyze the output of the NT FileList program.

PTable - A partition table analysis tool which is essential for the processing of NT
based systems.

Law Enforcement (LE) Tools
Tools we can only dream about
• Coroner’s Toolkit
• EnCase
• A-TIP (Alarm-Triggered IP)
• NASA VISAR
• Carnivore (FBI)

[Image: video frame before and after VISAR enhancement]


The Future of IP Traceback

“Practical Network Support for IP Traceback” [Savage, Wetherall, Karlin, Anderson], Technical Report UW-CSE-00-02-01

[Figure: attacker A sends through routers 1–7 to victim V]
A = attacker, V = victim

Marking schemes compared in the paper:
• Node Append <all routers>
• Node Sampling <one router each>
• Edge Sampling <outside routers>
• Compressed Edge Sampling <combined edge routers>
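An added Python example (not code from the paper or from the talk) of the edge sampling scheme in the Savage et al. report: every router runs the marking procedure on each forwarded packet, marking the start of a new edge with probability p and otherwise completing or lengthening the edge already in flight, and the victim reconstructs the path from the (start, end, distance) edges it collects. Router names, the path and the packet count are made up for the example; compressed edge sampling (XOR-packing the fields into the IP identification field) is not shown.

```python
import random


class Packet:
    """The three marking fields of edge sampling. The paper squeezes them into
    the 16-bit IP identification field; here they are plain attributes."""

    def __init__(self, start=None, end=None, distance=0):
        self.start, self.end, self.distance = start, end, distance


def mark(router, pkt, p, rng):
    """Marking procedure run at each router for each forwarded packet."""
    if rng.random() < p:
        pkt.start, pkt.distance = router, 0   # begin a fresh edge at this router
    else:
        if pkt.distance == 0:
            pkt.end = router                  # complete the edge begun one hop upstream
        pkt.distance += 1                     # every non-marking hop lengthens the edge


def send_flood(path, n_packets, p, seed=1, forge=None):
    """Attacker sends n_packets along `path` (attacker-side router first); returns
    the set of (start, end, distance) tuples the victim observes. `forge`, if given,
    is a bogus start address the attacker pre-loads into every packet."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(n_packets):
        pkt = Packet(start=forge, distance=0)
        for router in path:
            mark(router, pkt, p, rng)
        seen.add((pkt.start, pkt.end, pkt.distance))
    return seen


def reconstruct(edges):
    """Victim-side reconstruction of a single attack path, nearest router first.
    Distance 0 names the router adjacent to the victim; an edge at distance d is
    accepted only if its end is the router already placed at distance d-1."""
    by_dist = {}
    for start, end, d in edges:
        by_dist.setdefault(d, set()).add((start, end))
    path, prev = [], None
    for d in range(0, max(by_dist) + 1 if by_dist else 0):
        cands = {s for s, e in by_dist.get(d, ())
                 if s is not None and (d == 0 or e == prev)}
        if len(cands) != 1:
            break          # gap (too few samples) or ambiguity (several attackers)
        prev = cands.pop()
        path.append(prev)
    return path


# Constructed topology: attacker -> R1 -> R2 -> R3 -> R4 -> victim.
PATH = ["R1", "R2", "R3", "R4"]

if __name__ == "__main__":
    # Expected packets to see every edge is about ln(d) / (p (1-p)^(d-1)); for
    # d=4, p=0.04 that is roughly 40, so 2000 is ample.
    print(reconstruct(send_flood(PATH, 2000, p=0.04)))
    # A forged start address only ever shows up *beyond* the true first router,
    # because every real router increments the distance of an unmarked packet.
    print(reconstruct(send_flood(PATH, 2000, p=0.04, forge="FORGED")))
```

The second run illustrates the limitation the paper itself notes: the attacker can append fictitious routers past the real path, but cannot insert them between the victim and the first honest router, since any marking the attacker supplies arrives with a distance at least as large as the true path length.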

Case Studies


Case #1: Catching Hacks in the Wild

The situation:
Onsite training class – tapped into the live network.
Suddenly, the firewall was breached.

[Filter based on blocked firewall ports]

Case #2: Dodging the Firewall

Clients opening up p2p sharing after all the authentication put in place. Shared:
• C:\
• F:\user\[username]

[Filter based on Gnutella signature]


Case #3: Dumpsters Rule!

One dumpster diving trip yielded a tremendous amount of financial and client data:
• Confidential client files
• Payroll list
• AR/AP data
• Expense info

[Cartoon: “Love That Copy Room!”]

Case #4: The Open Door Policy

Citrix box right onto the network…

[Diagram: Internet – Router – CITRIX box]


Case #5: Death by Application

100% server utilization (roaming)
Poor printing performance (roaming)
5 minute login time (static)
Lousy network performance (static)

The Culprit

Your Turn to Hack/Crack


More Training/Information
• Attend other analysis sessions
• US/Canada Roadshow (www.nuihotlabs.com)
• Hands-On Analysis, Troubleshooting and
Cybercrime
• Classes (private and public)
• Read the specs alongside your analyzer
• Read books focusing on analysis and packet-level
communications
• see www.podbooks.com
• Get online at www.packet-level.com—join the mailing list
