Presentation on theme: "F3 Collecting Network Based Evidence (NBE)"
1 F3 Collecting Network Based Evidence (NBE). Dr. John P. Abraham, Professor, UTPA
2 NBE. Proactive: collect in order to prevent attacks. Reactive: collect after an attack has already happened. What to collect: full content data, session data, alert data, statistical data.
3 Full Content Data. Similar to recording all conversations of suspects: collect all computer activity by intercepting and recording every packet. Takes a lot of disk space and a lot of time to analyse. Collecting full content data is beyond the means of most organizations, so usually it is not done.
4 Session Data. Similar to recording one conversation between suspects, or retrieving phone company records for a summary of all conversations. You get a summary of each session: date and time, source and destination addresses, and how it was terminated.
5 Alert Data. Analysing NBE for predefined items of interest, for example when a particular pair of source/destination addresses is encountered. The sensor is programmed to recognize bit patterns; a match may indicate a precursor to an attack. Similar to a red light going off when a particular word is heard, such as OSAMA.
6 Statistical Data. Similar to the time of day of the regular calls between suspects, their duration, etc. On a network: the most active IP addresses, ports, data lengths, etc.
7 A Standard Intrusion Scenario Example. Reconnaissance: preliminary examination before an attack; validate addresses and connectivity, enumerate services, and check for vulnerable versions of software. Reinforcement: download attack tools and attempt to elevate privileges on the target, perhaps using a backdoor. Consolidation: use someone else's IP address to connect to the victim, or have the victim connect to a chat channel and enter through that. Pillage: steal information, damage the computer, etc.
8 Using Full Content Data. Data collected using network security monitoring. By collecting every packet you have a complete record of the intruder's actions, unless the intruder used encryption. The following questions could be answered: Is the web server compromised? What information was lost? Where did the intruder go to get the information? Where is the backdoor?
9 Using Session Data. Session data is a summary of conversations. It is the easiest form of data to understand and manipulate because packet contents are not stored or examined, only the summary of each session. Scanmap3d is visualization software for session data, available at http://scanmap3d.sourceforge.net/. Scanmap3d is a Java program, written as a concept demonstration for visualisation of network intrusion detection information. It reads from a MySQL database and produces a 3D map of network traffic, which is very useful for intrusion detection or network troubleshooting. The code is now stable enough to be useful in analysing tcpdump/snort data held in a MySQL database.
10 Session Data Provides Answers. Is the web server compromised? Look for suspicious connections: normal web traffic consists of inbound connections to the server's port 80. Suspicious are connections that the web server itself initiates outbound, and connections on ports other than 80. Did the intruder visit other machines using the web server? The session data shows which hosts the web server connected to. Is the intruder present now, and how frequent are the visits? Compare the session timestamps.
11 Using Alert Data. An intrusion detection system (IDS) is a device or application that inspects network traffic and alerts the user or administrator when there has been an unauthorized attempt or access. The two primary detection methods are signature-based and anomaly-based. Depending on the product, the IDS may simply alert, or it may be set up to block specific traffic or respond automatically in some way. Signature-based detection compares traffic to a database of signatures of known attack methods. Alert data is good for determining whether the system was scanned.
12 Using Statistical Data. Information on unusual ports or protocols, amount of traffic, etc.
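The three derived data types of slides 4 to 6 and the web-server questions of slide 10, as an added worked example in Python (this is not code from the slides or from any tool they name). It collapses a constructed packet list (RFC 5737 documentation addresses, labelled as such in the code) into session records, computes the per-address and per-port statistics, fires source/destination-pair and port alert rules, and lists the connections the web server initiated and the inbound connections on ports other than 80. The web server address, the "known bad host" and the rule names are assumptions made for the example; payload bit-pattern signatures are not modelled because the constructed packets carry no payload.

```python
from collections import Counter
from dataclasses import dataclass

WEB_SERVER = "10.0.0.5"  # assumption: address of the monitored web server

# Constructed packets: (time, src, sport, dst, dport, proto, bytes, tcp_flags). Not real capture data.
PACKETS = [
    # an ordinary inbound web session, closed cleanly with FIN
    (1000.0, "203.0.113.7", 51000, "10.0.0.5", 80, "tcp", 60, "S"),
    (1000.1, "10.0.0.5", 80, "203.0.113.7", 51000, "tcp", 60, "SA"),
    (1000.2, "203.0.113.7", 51000, "10.0.0.5", 80, "tcp", 500, "PA"),
    (1000.3, "10.0.0.5", 80, "203.0.113.7", 51000, "tcp", 1500, "PA"),
    (1001.0, "203.0.113.7", 51000, "10.0.0.5", 80, "tcp", 60, "FA"),
    # reconnaissance: SYN to a closed port, answered with RST
    (1500.0, "198.51.100.9", 45000, "10.0.0.5", 22, "tcp", 60, "S"),
    (1500.0, "10.0.0.5", 22, "198.51.100.9", 45000, "tcp", 40, "RA"),
    # inbound connection to an unusual port, later torn down with RST
    (1600.0, "198.51.100.9", 33000, "10.0.0.5", 4444, "tcp", 60, "S"),
    (1600.1, "10.0.0.5", 4444, "198.51.100.9", 33000, "tcp", 60, "SA"),
    (1600.2, "198.51.100.9", 33000, "10.0.0.5", 4444, "tcp", 1000, "PA"),
    (1650.0, "10.0.0.5", 4444, "198.51.100.9", 33000, "tcp", 40, "R"),
    # the web server itself opening an outbound IRC connection (consolidation)
    (2000.0, "10.0.0.5", 40000, "198.51.100.9", 6667, "tcp", 60, "S"),
    (2000.1, "198.51.100.9", 6667, "10.0.0.5", 40000, "tcp", 60, "SA"),
    (2000.2, "10.0.0.5", 40000, "198.51.100.9", 6667, "tcp", 120, "PA"),
    (2010.0, "198.51.100.9", 6667, "10.0.0.5", 40000, "tcp", 200, "PA"),
    # the web server reaching an internal host on SMB (visiting other machines)
    (2100.0, "10.0.0.5", 40001, "10.0.0.12", 445, "tcp", 60, "S"),
    (2100.1, "10.0.0.12", 445, "10.0.0.5", 40001, "tcp", 60, "SA"),
    (2100.2, "10.0.0.5", 40001, "10.0.0.12", 445, "tcp", 300, "PA"),
]

@dataclass
class Session:
    """One session record: who talked to whom, when, how much, and how it ended."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    packets: int = 0
    bytes: int = 0
    termination: str = "open"  # becomes "FIN" or "RST" once seen

def build_sessions(packets):
    """Session data: one record per 5-tuple in either direction; the first packet decides the initiator."""
    sessions = {}
    for t, src, sport, dst, dport, proto, size, flags in sorted(packets, key=lambda p: p[0]):
        fwd, rev = (src, sport, dst, dport, proto), (dst, dport, src, sport, proto)
        s = sessions.get(fwd) or sessions.get(rev)
        if s is None:
            s = sessions[fwd] = Session(src, sport, dst, dport, proto, t, t)
        s.end = max(s.end, t)
        s.packets += 1
        s.bytes += size
        if "R" in flags:
            s.termination = "RST"  # a reset overrides an earlier FIN
        elif "F" in flags and s.termination == "open":
            s.termination = "FIN"
    return sorted(sessions.values(), key=lambda s: s.start)

def statistics(sessions):
    """Statistical data: bytes per address (either end) and session count per destination port."""
    by_addr, by_port = Counter(), Counter()
    for s in sessions:
        by_addr[s.src] += s.bytes
        by_addr[s.dst] += s.bytes
        by_port[s.dport] += 1
    return by_addr, by_port

# Alert rules in the spirit of slide 5; names and the "known bad host" are assumptions for the example.
ALERT_RULES = [
    {"name": "web server to known bad host", "src": WEB_SERVER, "dst": "198.51.100.9"},
    {"name": "IRC port used", "dport": 6667},
    {"name": "connection to port 4444", "dport": 4444},
]

def alerts(sessions, rules=ALERT_RULES):
    """Alert data: (rule name, session) for every session matching all fields of a rule."""
    hits = []
    for s in sessions:
        for rule in rules:
            if all(getattr(s, k) == v for k, v in rule.items() if k != "name"):
                hits.append((rule["name"], s))
    return hits

def web_server_checks(sessions, server=WEB_SERVER):
    """Slide 10's questions: server-initiated connections, inbound on ports other than 80, hosts visited."""
    outbound = [s for s in sessions if s.src == server]
    odd_inbound = [s for s in sessions if s.dst == server and s.dport != 80]
    return {"outbound": outbound, "odd_inbound": odd_inbound,
            "visited": sorted({s.dst for s in outbound})}

if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    for s in sessions:
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} {s.packets} pkts {s.bytes} B {s.termination}")
    print([name for name, _ in alerts(sessions)], web_server_checks(sessions)["visited"])
```

The session records alone already answer the slide's questions: the two sessions the web server initiated (to IRC on 6667 and to an internal host on 445) and the two inbound sessions on ports other than 80 (the RST-answered probe of port 22 and the port 4444 connection) stand out without a single payload byte being kept.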
13 Data Collection. Hubs: forward every frame to all ports, so a monitoring station sees all packets. A hub operates half duplex, so throughput suffers (perhaps about 60 Mbps). Place it between the router and the next device (switch, firewall, etc.). Taps: more expensive; work the same way but without the speed penalty. Bridges: a computer with two network ports, bridged, can do the same job as a tap. Switched port analyzer (SPAN): configure a switch port as a mirror port.
14 Collecting and Storing Traffic. Full content data tools: the standard packet capture program uses the libpcap library to make copies of traffic. For PCs you may use windump (winpcap.org/windump) with WinPcap (winpcap.org). Separate tools are used for analysis and for viewing the capture graphically, and freeware is available to search within a dump.
15 Session Data Tools. Argus: download from the several versions available; it operates in live or batch mode. Another tool is designed to interpret traffic in batch mode. Tcpflow (from circlemud) works with full content data and can rebuild the contents of individual sessions.