Solving Network Mysteries Slide - 1
Dan VanBelleghem
• Senior Information Assurance Engineer - SRA
  • Penetration Testing
  • Security Training
  • Security Readiness Reviews
  • Incident Response
  • Security Assessments
• Director of Security Programs - Network Forensics
  • Security Assistance Teams for US DoD - BAH
  • Security Audits and Assessments for Fortune 500 - D&T
Solving Network Mysteries Slide - 2
Network Mystery Quiz
Do you know:
• What is happening on your network?
• What users are doing?
• If users are compliant with policy?
• If users' internal and external network communications affect the enterprise security posture?
• If anomalous behavior is detectable on the network?
• Why network diagrams are not enough?
Solving Network Mysteries Slide - 3
Objectives
The objectives of this session are to provide an overview of the following:
• Examples of network activities that are often overlooked
• Techniques used in solving mysteries
• Benefits from audit & monitoring
• Recommendations for performing audit & monitoring
Solving Network Mysteries Slide - 4
Observations
• The following observations will provide examples of network security issues that could have been discovered with good audit and monitoring practices in place
• Discovery, analysis and lessons learned will be discussed for each of the following examples:
  • Uncovering DDOS agents
  • Harassing e-mails
  • Rogue servers and applications
  • System administrator misuse
Solving Network Mysteries Slide - 5
DDOS Agent Discovery
Background
• Enterprise network solution company
• Firewall policy allowed DNS traffic
• Firewalls managed in Colorado
• DNS servers managed locally at other national offices
Solving Network Mysteries Slide - 6
DDOS
[Diagram: the Internet connects through the HQ firewall (F) to victim.com HQ, which hosts the Local DNS and Secondary DNS; victim.com Local Offices host the Primary DNS. The firewall, with a "Permit DNS" rule, is managed by network operations; the DNS servers are managed by local office staff.]
Solving Network Mysteries Slide - 7
DDOS
[Diagram: same topology as the previous slide (Internet, HQ firewall, victim.com HQ with Local DNS and Secondary DNS, victim.com Local Offices with Primary DNS), with an Attacker added on the Internet side.]
• DNS service exploited
• Root access gained
• Trust relationships exploited
• DDOS agent planted
Solving Network Mysteries Slide - 8
DDOS Agent Discovery
Techniques used for discovery
• Network traffic analysis
  • "unusual traffic"
• Firewall logs reviewed
• DNS server and OS logs reviewed
Solving Network Mysteries Slide - 9
DDOS Agent Discovery
Lessons learned
• Firewall logs not reviewed
• DNS server (OS and application) logs not reviewed
• IP spoofing not monitored internally
• Integrity checking not performed
Solving Network Mysteries Slide - 10
DDOS Agent Discovery
Recommendations
• Perform regular log review of network service systems (DNS, Firewall, Mail, etc.)
  • Automate
  • Outsource
• Monitor and review network traffic patterns and trends
  • Network monitors
  • Network device logs
• Perform host integrity checking for critical assets
  • Tripwire
  • System profile checkers
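As an added example (not from the slides), the following script automates the firewall log review recommended above for the DDOS-agent case: it flags outbound records whose source address lies outside the enterprise's own address space (the "IP spoofing not monitored internally" lesson) and DNS servers opening outbound connections to non-DNS ports (the "unusual traffic" that led to discovery). The log format, addresses and server list are constructed for illustration.

```python
"""Firewall egress log review for the DDOS-agent scenario (added example).
Constructed record format, one per line:
    <time> <action> <proto> <src_ip>:<sport> > <dst_ip>:<dport>
All records are taken from the firewall's outbound (internal -> Internet) side."""
import ipaddress
from collections import Counter

# Constructed enterprise address space and the DNS servers it hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DNS_SERVERS = {"10.1.0.53", "10.2.0.53"}

# Constructed sample log: normal DNS, one DNS server hitting port 80 on a
# single host repeatedly, and one packet with a non-enterprise source address.
SAMPLE_LOG = """\
09:00:01 permit udp 10.1.0.53:53 > 198.51.100.10:53
09:00:02 permit udp 10.1.0.53:53 > 198.51.100.11:53
09:00:05 permit tcp 10.2.0.53:40001 > 203.0.113.7:80
09:00:05 permit tcp 10.2.0.53:40002 > 203.0.113.7:80
09:00:05 permit tcp 10.2.0.53:40003 > 203.0.113.7:80
09:00:06 permit udp 172.16.9.9:1234 > 203.0.113.7:53
09:00:07 permit tcp 10.3.4.5:51000 > 192.0.2.25:443
"""

def parse(line):
    time, action, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"time": time, "action": action, "proto": proto,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport)}

def records(log_text):
    return [parse(l) for l in log_text.splitlines() if l.strip()]

def spoofed_egress(recs, internal_nets=INTERNAL_NETS):
    """Source IPs leaving the enterprise that belong to none of its prefixes.
    A planted agent flooding with forged sources shows up here."""
    return sorted({r["src"] for r in recs
                   if not any(ipaddress.ip_address(r["src"]) in n for n in internal_nets)})

def dns_server_anomalies(recs, dns_servers=DNS_SERVERS):
    """(server, destination, port, count) for DNS-server egress to non-DNS ports:
    a name server has no business opening outbound connections to port 80."""
    counts = Counter((r["src"], r["dst"], r["dport"]) for r in recs
                     if r["src"] in dns_servers and r["dport"] != 53)
    return sorted((s, d, p, c) for (s, d, p), c in counts.items())

if __name__ == "__main__":
    recs = records(SAMPLE_LOG)
    print("spoofed sources:", spoofed_egress(recs))
    print("DNS server anomalies:", dns_server_anomalies(recs))
```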
Solving Network Mysteries Slide - 11
Harassing E-mails
Background
• Employee was receiving harassing e-mails from an anonymous external source (e.g., hotmail)
• An internal employee was suspected but could not be confirmed
Solving Network Mysteries Slide - 12
Harassing E-mails
Techniques used for discovery
• Collected network traffic using a packet sniffer
• Searched traffic for hosts going to and from hotmail.com
• Once an originating IP address was found, then searched for the user name that sent the anonymous e-mail
• Specifically looked for CGI postings of the message - this
Protect
• Provides input to policy changes or mis-configurations
• Acts as a deterrent
Detect
• Analysis of all data
• Passive collection
• Active scanning
Analyze and Recover
• Forensic level analysis
• Rapid answers to the who, what, when, where, how questions
• Full damage control
• Network, system and application level audit logs
• Centralized information source
• Evidence preservation
• Data warehousing
• Data mining
• Automatic correlation
• Event interpretation
• Passive monitoring
• Data exchange
• AI based attack prediction