Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions July 3, 2022 DRAFT 1 Chapter 9: Cyber Network Defense using Advanced Log Analysis

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 8, 2014 DRAFT1.

Apr 01, 2015

Callie Spensley
Page 1

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

April 11, 2023 DRAFT 1

Chapter 9: Cyber Network Defense using Advanced Log Analysis

Page 2

Introduction to Cyber Network Defense

• Cyber Network Defense (CND) is a continuously improving process for defending IT assets
• The CND approach in this Chapter includes:
  – Lightweight process for CND
  – Set of open source scripts for network monitoring and Advanced Log Analysis (ALA) on Backtrack
  – Agile strategy for escalating defenses
  – Cyber investigations process
  – Scenario for eradicating browser-based spyware
  – Instructions for implementing the processes

04/11/23 DRAFT 2 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Page 3

General Method and Tools for Cyber Investigations

• Investigations are based upon The Scientific Method to focus activities:
  – Observation
  – Hypothesis
  – Evaluation: Analyze and Interpret Data
  – Prediction
  – Repeat the method to validate predictions


Page 4

Continuous Cyber Investigation Strategy

• Full packet capture when the network is quiet
• Capture IDS alerts during busy hours
• Investigation of suspicious alerts
• Host-Based Security (HBS)
• Firewalls
• Regular updates/upgrades to processes and technical components
• Integrated CND


Page 5

Summary of Cyber Investigation Process

• Use the custom CND scripts as a daily monitoring & investigation process:
  – # ./snortcap - Run IDS on overnight packet capture.
  – # ./headcap | wc - How many alerts overnight?
  – # ./statcap - Count and rank the top alerts.
  – # ./hostcap - Which are the top alerting hosts?
  – # ./alertipcap 10.10.100.10 - What are the alert details for that host?
  – # sort sum*10.10* | uniq -c | sort -rn - Rank the top alerts for IP
  – # ./iporgcap 10.10.100.10 - Which external domains are alerting for IP?
  – # whois 64.94.107.15 - Who owns this unresolved domain?
• Use an Internet browser to investigate external IPs and domains. Discover these domains with the following command:
  – # ./orgcap - What are all the external alerting domains?


Page 6

Network Monitoring

• Establish Switched Port Analyzer (SPAN) on the core switch or firewall
  – Mirrors all network traffic for IDS
• To begin the IDS in real time, you can use the following daycap script:

    #!/bin/bash
    # Add a parameter like ./daycap keep -- in order to append to logs
    # By default, daytime logs are deleted to conserve space
    # No argument given: remove the previous alert file and packet logs before starting
    # (-z tests for an empty string; -f keeps rm quiet when nothing is there yet)
    if [ -z "$1" ]; then rm -f /tmp/alert /tmp/snort.log.*; fi
    # Full alert output (-A full) to /tmp using the standard rule set
    /usr/local/bin/snort -A full -c /etc/snort/snort.conf -l /tmp


Page 7

Advanced Text Log Analysis

• A set of custom scripts is explained in detail in Chapter 9, teaching you gawk
• Example: The statcap script creates a histogram of the most frequent alerts:

    #!/bin/bash
    # Each blank-line-separated alert block is one record (RS="\n\n") with one
    # field per line (FS="\n"); print its first line, the "[**] ... [**]" signature,
    # then count and rank the signatures. Single quotes keep $1 for gawk, not bash.
    gawk 'BEGIN {FS="\n"; RS="\n\n"} {print $1}' alert | gawk '/\[\*\*\]/' | sort | uniq -c | sort -rn | less

• The hostcap script finds the host generating the most alerts:

    #!/bin/bash
    # For TCP alert blocks, take the third line ("timestamp src:port -> dst:port"),
    # keep the source address (field 2) without its port, then count and rank.
    # FS/RS are set in BEGIN so they apply from the first record onward.
    gawk 'BEGIN {FS="\n"; RS="\n\n"} /TCP/ {print $3}' alert | gawk '{print $2}' | gawk -F: '{print $1}' | gawk '/[0-9\.]+/' | sort | uniq -c | sort -rn
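The daily investigation process on page 5 and the statcap/hostcap scripts above, as one runnable added example that is not the book's own code: it writes a constructed four-alert file in Snort's full alert layout, then implements statcap, hostcap, alertipcap and the per-IP ranking step ("sort sum*10.10* | uniq -c | sort -rn") as shell functions over that file. The function names make_sample_alert, traffic_lines and iprank, the sample alerts and their local-range rule SIDs are assumptions. It goes slightly beyond the book's scripts: portable awk paragraph mode (RS="") stands in for gawk's RS="\n\n", and the traffic line is found by its "->" pattern rather than assumed to be line 3, so an alert block without a Classification line is still counted.

```shell
#!/bin/sh
# Added example (not the book's scripts). Needs only POSIX sh, awk, sort, uniq.

# Write a constructed sample in Snort "-A full" layout: one block per alert,
# blocks separated by a blank line. Rule SIDs are in the local 1000000+ range.
# The third block deliberately has no Classification line.
make_sample_alert() {
  cat > "$1" <<'EOF'
[**] [1:1000001:1] CONSTRUCTED Beacon to external host [**]
[Classification: Constructed test] [Priority: 1]
04/11-09:15:02.112233 10.10.100.10:49152 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] CONSTRUCTED Beacon to external host [**]
[Classification: Constructed test] [Priority: 1]
04/11-09:20:02.445566 10.10.100.10:49153 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] CONSTRUCTED Beacon to external host [**]
04/11-09:25:02.778899 10.10.100.20:51000 -> 66.235.147.5:443
TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] CONSTRUCTED DNS query to suspicious domain [**]
[Classification: Constructed test] [Priority: 2]
04/11-09:30:02.001122 10.10.100.10:53000 -> 10.10.100.1:53
UDP TTL:128 TOS:0x0 ID:4 IpLen:20 DgmLen:70
EOF
}

# statcap: histogram of alert signatures. Paragraph mode (RS="") makes each
# blank-line-separated block one record; its first line is the signature.
statcap() {
  awk 'BEGIN {RS=""; FS="\n"} {print $1}' "$1" | awk '/\[\*\*\]/' | sort | uniq -c | sort -rn
}

# Print the "timestamp src:port -> dst:port" line of every TCP alert block,
# wherever it sits (line 3 with a Classification line, line 2 without one).
traffic_lines() {
  awk 'BEGIN {RS=""; FS="\n"} /TCP/ { for (i = 1; i <= NF; i++) if ($i ~ / -> /) print $i }' "$1"
}

# hostcap: which source hosts generate the most TCP alerts.
hostcap() {
  traffic_lines "$1" | awk '{print $2}' | awk -F: '{print $1}' | awk '/^[0-9.]+$/' | sort | uniq -c | sort -rn
}

# alertipcap: full alert blocks in which the given IP is the source or the
# destination. Ports are stripped and addresses compared whole, so
# 10.10.100.1 does not match 10.10.100.10 the way a plain grep would.
alertipcap() {
  awk -v ip="$2" 'BEGIN {RS=""; FS="\n"; ORS="\n\n"}
    { for (i = 1; i <= NF; i++) if ($i ~ / -> /) {
        split($i, t, " "); src = t[2]; dst = t[4]
        sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
        if (src == ip || dst == ip) { print; break }
      } }' "$1"
}

# iprank: the "sort sum*10.10* | uniq -c | sort -rn" step, ranking the
# signatures that fired for one IP (all protocols, not only TCP).
iprank() {
  alertipcap "$1" "$2" | awk 'BEGIN {RS=""; FS="\n"} {print $1}' | sort | uniq -c | sort -rn
}

ALERT_FILE="${TMPDIR:-/tmp}/constructed_alert.$$"
make_sample_alert "$ALERT_FILE"
echo "== statcap: top alerts";           statcap "$ALERT_FILE"
echo "== hostcap: top alerting hosts";   hostcap "$ALERT_FILE"
echo "== iprank: alerts for 10.10.100.10"; iprank "$ALERT_FILE" 10.10.100.10
```

On the sample file, statcap ranks the beacon signature first with three hits, hostcap puts 10.10.100.10 on top with two TCP alerts (the UDP alert is excluded by the /TCP/ filter, as in the book's script), and iprank for 10.10.100.10 returns two beacon alerts and one DNS alert. The book's hostcap would miss the third block, whose traffic line is line 2, which is why the pattern match is used here.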


Page 8

Advanced Binary Log Analysis: Wireshark


Page 9

Advanced Binary Log Analysis: tcpdump


Page 10

Reporting Cyber Investigations

• Lesson Learned: Do not go to a cybersecurity professional and inform them that their machine is generating copious beacons. Panic ensues!
• Instead, approach reporting in a non-judgemental, diplomatic manner
• Provide proof of your findings
  – It will certainly be requested
• Empower people to resolve the problem with guidance and mentoring


Page 11

Elimination of Cyber Threats

• Block suspicious domains using the hosts file (Windows and Linux), mapping each name to the loopback address:
  – 127.0.0.1 ak.quantcast.com
• Block suspicious IPs for the entire network at the firewall (e.g. CISCO):

    $ enable
    Password:
    # config t
    (config)# object-group network Blocked_IPs
    (config-network)# network-object 64.94.107.0 255.255.255.0
    (config-network)# network-object 66.235.147.0 255.255.255.0
    <repeat for additional IPs>
    (config-network)# exit
    (config)# access-list in2out2 extended deny ip any object-group Blocked_IPs
    (config)# access-list in2out2 extended permit ip any any
    (config)# access-group in2out2 in int inside
    (config)# show config
    (config)# wr mem
    (config)# exit
    # exit


Page 12

Logs on Various OS/Services


Page 13

Intrusion Discovery on Windows

• To detect intrusions, seek out:
  – Unusual processes and services
  – Unusual files and registry keys
  – Unusual network activity
  – Unusual scheduled tasks
  – Unusual accounts
  – Unusual log entries


Page 14

REVIEW Chapter Summary
