Chapter 9: Cyber Network Defense using Advanced Log Analysis
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
May 25, 2017 DRAFT

Introduction to Cyber Network Defense
• Cyber Network Defense (CND) is a continuously improving process for defending IT assets
• The CND approach in this chapter includes:
  – Lightweight process for CND
  – Set of open source scripts for network monitoring and Advanced Log Analysis (ALA) on BackTrack
  – Agile strategy for escalating defenses
  – Cyber investigations process
  – Scenario for eradicating browser-based spyware
  – Instructions for implementing the processes

General Method and Tools for Cyber Investigations
• Investigations are based upon the Scientific Method to focus activities:
  – Observation
  – Hypothesis
  – Evaluation: analyze and interpret data
  – Prediction
  – Repeat the method to validate predictions

Continuous Cyber Investigation Strategy
• Full packet capture when the network is quiet
• Capture IDS alerts during busy hours
• Investigation of suspicious alerts
• Host-Based Security (HBS)
• Firewalls
• Regular updates/upgrades to processes and technical components
• Integrated CND

Summary of Cyber Investigation Process
• Use the custom CND scripts as a daily monitoring and investigation process:
  # ./snortcap                 - Run the IDS on the overnight packet capture
  # ./headcap | wc             - How many alerts overnight?
  # ./statcap                  - Count and rank the top alerts
  # ./hostcap                  - Which are the top alerting hosts?
  # ./alertipcap 10.10.100.10  - What are the alert details for that host?
  # sort sum*10.10* | uniq -c | sort -rn   - Rank the top alerts for that IP
  # ./iporgcap 10.10.100.10    - Which external domains are alerting for that IP?
  # whois 64.94.107.15         - Who owns this unresolved domain?
• Use an Internet browser to investigate external IPs and domains. Discover these domains with the following command:
  # ./orgcap                   - What are all the external alerting domains?

Network Monitoring
• Establish a Switched Port Analyzer (SPAN) session on the core switch or firewall
  – Mirrors all network traffic to the IDS
• To begin the IDS in real time, you can use the following daycap script:
  #!/bin/bash
  # Add a parameter like ./daycap keep -- in order to append to logs
  # By default, daytime logs are deleted to conserve space
  if [ -z "$1" ]; then rm -f /tmp/alert /tmp/snort.log.*; fi
  /usr/local/bin/snort -A full -c /etc/snort/snort.conf -l /tmp

Advanced Text Log Analysis
• A set of custom scripts is explained in detail in Chapter 9, teaching you gawk
• Example: the statcap script creates a histogram of the most frequent alerts:
  #!/bin/bash
  # Alerts in the "full" log are blank-line separated records; line 1 of each record is the "[**] ... [**]" signature line
  gawk 'BEGIN {FS="\n"; RS="\n\n"} {print $1}' alert | gawk '/\[\*\*\]/' | sort | uniq -c | sort -rn | less
• The hostcap script finds the host generating the most alerts:
  #!/bin/bash
  # Line 3 of each TCP record is "timestamp src:port -> dst:port"; keep the source address and drop the port
  gawk 'BEGIN {FS="\n"; RS="\n\n"} /TCP/ {print $3}' alert | gawk '{print $2}' | gawk -F: '{print $1}' | gawk '/[0-9.]+/' | sort | uniq -c | sort -rn

Advanced Binary Log Analysis: Wireshark

Advanced Binary Log Analysis: tcpdump

Reporting Cyber Investigations
• Lesson learned: do not go to a cybersecurity professional and inform them that their machine is generating copious beacons
  – Panic ensues!
• Instead, approach reporting in a nonjudgmental, diplomatic manner
• Provide proof of your findings
  – It will certainly be requested
• Empower people to resolve the problem with guidance and mentoring

Elimination of Cyber Threats
• Block suspicious IPs using the hosts file (Windows and Linux):
  127.0.0.1 ak.quantcast.com
• Block suspicious IPs from the entire network at the firewall (e.g. Cisco):
  $ enable
  Password:
  # config t
  (config)# object-group network Blocked_IPs
  (config-network)# network-object 64.94.107.0 255.255.255.0
  (config-network)# network-object 66.235.147.0 255.255.255.0
  <repeat for additional IPs>
  (config-network)# exit
  (config)# access-list in2out2 extended deny ip any object-group Blocked_IPs
  (config)# access-list in2out2 extended permit ip any any
  (config)# access-group in2out2 in int inside
  (config)# show config
  (config)# wr mem
  (config)# exit
  # exit

Logs on Various OS/Services

Intrusion Discovery on Windows
• To detect intrusions, seek out:
  – Unusual processes and services
  – Unusual files and registry keys
  – Unusual network activity
  – Unusual scheduled tasks
  – Unusual accounts
  – Unusual log entries

REVIEW CHAPTER SUMMARY
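The daily statcap / hostcap / alertipcap / orgcap steps from the investigation-process and Advanced Text Log Analysis slides, as an added example that is not the book's own script set. It runs over a constructed Snort "-A full" alert file, uses POSIX awk paragraph mode (RS="") instead of gawk's RS="\n\n" so any awk will do, and assumes 10.10.0.0/16 is the internal site range.

```shell
#!/bin/sh
# Added example (not the book's scripts): the statcap / hostcap / alertipcap / orgcap
# steps rewritten over a constructed Snort "-A full" alert file. POSIX awk paragraph
# mode (RS="") replaces gawk's RS="\n\n"; 10.10.0.0/16 is the assumed site range.
ALERT_FILE=$(mktemp)
trap 'rm -f "$ALERT_FILE"' EXIT
# Constructed sample alerts: two signatures, two internal hosts, two external peers.
cat > "$ALERT_FILE" <<'EOF'
[**] [1:2000:3] ET POLICY Suspicious User-Agent [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/25-01:10:00.000001 10.10.100.10:49152 -> 64.94.107.15:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:2001:1] ET SCAN Nmap SYN scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/25-02:00:00.000001 10.10.100.20:40000 -> 10.10.100.1:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:44

[**] [1:2000:3] ET POLICY Suspicious User-Agent [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/25-03:00:00.000001 10.10.100.10:49153 -> 66.235.147.3:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
EOF

# statcap: line 1 of each record is the "[**] ... [**]" signature line; rank by frequency.
rank_signatures() {
  awk 'BEGIN { RS=""; FS="\n" } { print $1 }' "$1" | sort | uniq -c | sort -rn
}
# hostcap: line 3 is "time src:port -> dst:port"; strip the port and rank source hosts.
rank_source_hosts() {
  awk 'BEGIN { RS=""; FS="\n" }
       { split($3, f, " "); sub(/:[0-9]+$/, "", f[2]); print f[2] }' "$1" |
    sort | uniq -c | sort -rn
}
# alertipcap: whole records where the IP is exactly the source or the destination
# (a substring grep for 10.10.100.1 would also match 10.10.100.10).
alerts_for_ip() {
  awk -v ip="$2" 'BEGIN { RS=""; FS="\n"; ORS="\n\n" }
       { split($3, f, " "); sub(/:[0-9]+$/, "", f[2]); sub(/:[0-9]+$/, "", f[4])
         if (f[2] == ip || f[4] == ip) print }' "$1"
}
# orgcap: distinct external destinations, i.e. outside the assumed 10.10.0.0/16 site range.
external_destinations() {
  awk 'BEGIN { RS=""; FS="\n" }
       { split($3, f, " "); sub(/:[0-9]+$/, "", f[4]); if (f[4] !~ /^10\.10\./) print f[4] }' "$1" |
    sort -u
}

rank_signatures "$ALERT_FILE"
rank_source_hosts "$ALERT_FILE"
external_destinations "$ALERT_FILE"
```

The external addresses it prints are the ones the slide hands to whois and a browser for attribution before any blocking decision.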
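The Elimination of Cyber Threats slide blocks whole /24 networks in a Cisco object-group and single names in the hosts file. This added example (not from the book) turns a list of investigated IPs and domains into those two forms, validating each entry and collapsing IPs to the slide's "network-object a.b.c.0 255.255.255.0" shape; the function names and the sample input are constructed here.

```shell
#!/bin/sh
# Added example (not from the book): convert the IPs and domains an investigation
# ranks into the two blocking forms on the slide. IPs are validated and collapsed to
# the /24 "network-object" form the object-group uses; domains become hosts-file
# entries. Malformed input is dropped rather than pushed into a firewall config.

# stdin: one IPv4 address per line; stdout: deduplicated "network-object a.b.c.0 255.255.255.0"
cisco_network_objects() {
  awk -F. 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ \
           && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
             print "network-object " $1 "." $2 "." $3 ".0 255.255.255.0" }' | sort -u
}
# stdin: one hostname per line; stdout: "127.0.0.1 name" lines for the hosts file.
# Only name resolution is affected: a client that connects by IP bypasses this entry.
hosts_entries() {
  grep -E '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' | sort -u | sed 's/^/127.0.0.1 /'
}

# Constructed input: two IPs in the same /24, one elsewhere, one malformed (octet > 255).
printf '64.94.107.15\n64.94.107.200\n66.235.147.3\n300.1.1.1\n' | cisco_network_objects
printf 'ak.quantcast.com\nnot a host\n' | hosts_entries
```

A /24 block also denies every other host in that range, so the whois step on the slide should confirm the range belongs to the same organisation before the lines go into Blocked_IPs.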