Network Forensics and Incident Response Overview
Explore the role of network forensics in incident response, focusing on the analysis tools that reveal insecurities in networks. Understand the importance of chain of custody in maintaining electronic evidence integrity and learn about monitoring network data for effective security measures.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Lesson 14 Network Monitoring System Restoration Incident Evaluation
The Role of Network Forensics Network Forensics analysis tools (NFATS) reveal insecurities, turn system administrators into system detectives. Nate King & Errol Weiss Information Security Magazine UTSA IS 6353 Incident Response
Definitions Sniffer: Hardware or software that passively intercepts packets as they traverse the network. Other name include Protocol Analyzer and Network Monitor. Silent Sniffers will not respond to any received packets. Illegal Sniffers violate 18 USC 2511 dealing with wiretaps. Promiscuous Mode. A sniffer operates in a mode that intercepts all packets flowing across the network. A normal NIC only intercepts packets packets addressed to its IP address and Broadcasts address. Transactional (Noncontent) information consists only of header information. For example, IP, TCP or UDP headers. Same as a LE Trap and Trace or Pen Register. Content Information consists of not only the headers but also part or all of the encapsulated data. UTSA IS 6353 Incident Response
Network Forensics Data Network data can come from: Routers, Firewalls, Servers, IDS, DHCP Servers, etc These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody Chain of Custody Strictly controlled network monitoring can maintain a proper chain of custody Electronic evidence requires tighter control than most other types of evidence because it can be easily altered A broken chain goes to weight and not admissibility UTSA IS 6353 Incident Response
Chain of Custody Network data chain of custody should include: Date and time recorded Make, model, serial # and description of recording device Names of individual recording or the name of individuals recovering the logs Description of the logs Name, Signature and date of individual receiving the data. Evidence Tag for this item Hash value (MD5) of each log file UTSA IS 6353 Incident Response
Monitoring The Network What are the Network Monitoring goals? Monitor traffic to and from a host? Monitor traffic to and from a network? Monitor a specific person? Verify an intrusion attempt? Monitor attack signatures? Monitor a specific protocol? Monitor a specific port? Check with legal counsel prior to starting the monitor Corporate policy must support the type monitoring to be performed! UTSA IS 6353 Incident Response
Network Monitoring Tool Network Monitoring Hardware A Portable laptop 512 MB Ram 40 +GB External Zip drive Network Monitoring Software NetBSD is reputedly the best A Silent Sniffer that speaks only TCP/IP with ARP disabled Employ VLAN with SSH or a Dial-back modem for Remote Administration Run a Sniffer detection tool prior to connecting yours. UTSA IS 6353 Incident Response
Monitoring The Network Continued Possible Network Monitors. tcpdump, Ethereal and Snort Snoop, iptrace, Snifer Pro, Etherpeek, LANalyzer NetMon, Network Tracing and Logging and Cisco IDS Network Monitor Location Host Monitoring - On the same Hub or switch. The switch should have Switch Port Analysis (SPAN) Network Monitoring - At the network perimeter A Physically secure location UTSA IS 6353 Incident Response
Helpful Hints Run a Sniffer detection tool prior to connecting yours Someone may already be listening to the network Capture the network traffic as close to the source host as possible Hackers use bounce sites to attack hosts Have the capability of viewing captured data as a continuous stream. This provides an overview of what the hacker is attempting to do Reconstruct documents, etc Have the capability of viewing the packets at the lowest level High-level analyzers will sometimes strip off data that is not important for fault analysis but could be important for investigative purposes Options and fields to identify the OS Typing speed of user Printer variables, X display variables , etc UTSA IS 6353 Incident Response
Common Forensics Mistakes Failure to Monitor ICMP Traffic SMTP, POP and IMAP Traffic UseNet Traffic Files saved to external media Web Traffic Senior Executives Traffic Internal IP Traffic Failure to Detect ICMP Covert Channels UDP Covert Channels HTTP Covert Channels UTSA IS 6353 Incident Response
Common Forensics Mistakes Continued Failure to PlayBack Encrypted traffic Graphics Modeling and Simulation traffic Failure to Trace: DOS DDOS Spoofed EMail Failure to Detect. Steganography. Erasing Logs File Encryption. Binary Trojans UTSA IS 6353 Incident Response
Monitoring Tools Dsniff http://www.monkey.org/~dugsong/dsniff tcpdump http://www.tcpdump.org/ WinDump http://netgroup-serv.polito.it/windump/ ethereal http://www.ethereal.com/ Snort http://www.snort.org/ Snoop UTSA IS 6353 Incident Response
System Restoration System Administrator recovers the system Don't trust anything that is on-line Don't believe anything your system tells you Reformat disks Restore operating system Reload software Assign new passwords Scan the /etc/passwd for newly created files Check for changes to files that may affect security (trapdoors, logic bombs, etc.) UTSA IS 6353 Incident Response
System Restoration Check critical files for the appropriate file protection and permissions Scan the system for newly created SUID and SGID files Delete and recreate all .rhosts files Check for changes to the /etc/hosts.equiv file Check for changes in user startup files Check for a modified .forward file Check for hidden or unowned files and directories Run audit tools such a COPS and Tripwire UTSA IS 6353 Incident Response
System Restoration The recovery should be planned to have minimal impacton the users Keep the users informed Engage in rumor control UTSA IS 6353 Incident Response
Incident Evaluation UTSA IS 6353 Incident Response
After Action Meeting and Report Conduct an after actionmeeting Prepare an after action report to document the incident, the response to the incident and the recovery from the incident Lessons Learned? Policy to general Responsibilities not sufficiently defined Inadequate monitoring tools Systems not backed up Hard disk needs smaller partitions Set smaller limits on disk usage System not scanned with tools: SATAN and ISS UTSA IS 6353 Incident Response
Action List Law Enforcement report? Regulatory agency report? Insurance claim? Disciplinary action? Dismissal action? Vendor report? Updatedisaster recovery plan? Update software to new versions? Update employee training? Public Affairs report? CEO report to employees? UTSA IS 6353 Incident Response
Computer Crime Investigation Notify law Enforcement. Brief/coordinate with upper management The Law Enforcement Computer Crime Team assumes control. Computer crime investigation is complex, time consuming, and resource intensive Allow time/resources for Investigation Prosecution UTSA IS 6353 Incident Response
Incident Response Process Define Roles. Establish Policies. Identify Tools. Network Preparation. Incident Preparation Firewall Logs. IDS Logs. Suspicious User. System Administrator. Complete IR Checklist Who/What/Where/When. Incident Description Hardware/Software. Personnel Involved. Network. Incident Detection Activate IR Team Verify Incident. Affected Systems. Users Involved. Business Impact. Initial Response Completed IR Checklist. Is it really and Incident? UTSA IS 6353 Incident Response
Incident Response Process-Continued System Criticality. Information Sensitivity. Perpetrators. Publicity. Skill of Attacker. System Downtime. Dollar Loss. Management Approval Dollar Loss. Downtime. Legal Liability. Publicity. Intellectual Property. Response Strategy Accumulate Evidence & Secure System Best Evidence Rule. Chain of custody. Data Volatility. Forensic Duplication UTSA IS 6353 Incident Response
Incident Response Process Contd Investigate Implement Security Measures Who, What, When, Where, How. People and Things. Isolate and Contain. Disconnect. Electronically isolate. Network Filtering. Network Monitoring Monitor throughout the incident. Track the hacker. No incident recurrence. Monitor on subnet. Monitor at boundary. UTSA IS 6353 Incident Response
Incident Response Process-Continued New Procedures. Reinstall files. Reinstall from CD-Rom. Secure System. Turnoff unneeded services. Apply patches. Strong Passwords. Strong Administration. Recovery Documentation Document everything as it occurs. Support both criminal and civil prosecution. Produce the final report. Process improvement. UTSA IS 6353 Incident Response
Brave New Battles Each new technology will bring with it new forms of crime, demanding innovative security. That is the dynamic which drives our modern progress: not dreams, not ideas, but the simple desire on the part of criminals to take what is not theirs by law, and the determination of others to keep them from doing so. This Alien Shore , C. S. Friedman (C) 1998 UTSA IS 6353 Incident Response
Summary Thorough analysis is hard Don t forget to restore with same ZEAL as you investigate Incident evaluation is critical for lessons learned lessons to teach UTSA IS 6353 Incident Response