Presentation is loading. Please wait.

Presentation is loading. Please wait.

Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.

Published byGervais Craig Modified over 9 years ago

Similar presentations

Presentation on theme: "Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management."— Presentation transcript:

1 Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management Lab 6/15/2004

2 2 About the Author Edward G. Balas –Security Researcher at Indiana University’s Advanced Network Management Lab. –Honeynet Project Member Sebek lead Honeywall User Interface lead Research Sponsorship This materials based on research sponsored by the Air Force Research Laboratory under agreement number F30602-02-2-0221. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.

3 3 Roadmap Honeynets are an idealized forensic testbed Latest developments –Sebek version 2.2.x –Hflow data fusion tool –Honeynet Data Analysis interface –Bootable CDROM honeywall. Near-term goal, improve honeynet data analysis Long-term goal, provide system to support realtime forensics and post intrusion intelligence gathering.

4 4 Honeynets A network containing information system resources who’s value lies in unauthorized or illicit use of those resources No production value All traffic is suspicious Primary value is the information gained.

5 5

6 6 Want to support the Project?

7 7 Sebek version 2.2.x kernel “module”, acts as a host level blackbox or flight recorder. Designed to be invisible to all users. Circumvents encryption. Can be installed post intrusion. Captures: –Process Tree information –Names of files opened by a process –Data read by a process, including keystrokes –all socket activity http://www.honeynet.org/tools/sebek/

8 8 Sebek Illustrations top left shows general architecture bottom left provides illustration of how Sebek gains access to sys_read data.

9 9 Data Analysis Honeynet data analysis and traditional incident response are similar. Multiple Data types examined –Network traffic logs –IDS / Event logs –Disk Analysis –Sebek or other keystroke logs Time consuming and error prone.

10 10 How it is done today Each data type has its own analysis tool –causing a stovepipe effect. –each data set is examined in isolation. Switching data sources causes wetware context switch. Relations manually discovered and expressed to each tool for screening by analyst. No automatic way to track interesting sequences across data sources.

11 11 Where we want to be Shift the Screening and Coalescing burden to the computer. Focus human effort on tasks best suited to the human. Provide an interface that supports the analyst’s workflow. Provide a system that may have use in production networks.

12 12 Improving Data Analysis The new data coming from sebek allows us to automatically relate network and sebek data. To automate coalescing we developed a backend daemon called Hflow. To demonstrate the impact of these capabilities on reporting, we developed a web based user interface named Walleye.

13 13 The challenge facing Hflow

14 14 Hflow Overview Fancy perl daemon, which consumes multiple data streams. Automates the process of data fusion. Inputs: –Argus data –Snort IDS events. –Sebek socket records. –p0f OS fingerprints. Outputs: –normalized honeynet network data uploaded into relational database.

15 15 Hflow Illustration

16 16 What this gives us. –Automatic identification Type of OS initiating a network connection IDS events related to a network connection IDS evens related to a process and user on a host. Point where non root user gained root access. List of files associated with an intrusion Sense of Attribution between 2 related flows on a monitored box. –Operate at higher lever where we can scale to support operational networks Using Argus, central theme of an event sequence can be identified without having to examining packet traces. When packet traces needed, argus info helps facilitate retrieval.

17 17 Reporting with Walleye Web interface provides unified view of all network data –Network “flow” records –IDS events –OS Fingerprints –system level socket records. Allows user to jump from network to host data. Visualizes multiple data types together. reduced stove-pipe effect

18 18

19 19

20 20 Looking closely host x.x.x.31 attacked x.x.x.25 on its https port. x.x.x.31 was a linux host. The attack matched the OpenSSL worm signature and and triggered 2 additional alerts that indicate the attacker gained www and then root access. If we click on Proc View, we jump to a high level view of related process activity.

21 21

22 22 What you are seeing Display shows a process tree and its associated IDS events. –created by querying on a single IDS event. –Yellow Boxes are root processes –Cyan Boxes are non-root processes –Red Boxes are IDS events –Red Arrow represents direction of flow associated with event Only displaying IDS related flows. Graph automatically generated from DB, rendered with the graphviz tool from ATT. Notice anything odd about the graph?

23 23

24 24 Honeywall bootable CDROM CDROM makes deployment –faster –less error prone –more consistent Provides Data –capture –control –analysis

25 25 Honeywall Bootable Linux Distro Contains all tools needed to rapidly roll out a local or distributed honeynet Provides: –Layer 2 bridging firewall –Snort IDS sensor –Inline Snort with drop capability –traffic accounting via Argus –Full archive of all packets –traffic rate limiting. –hflow and the walleye UI (comming soon) Strong support for customization. Effort lead by Dave Dittrich @ UW.

26 26 Status of components Everything will be release grade within 9 months Sebek –Linux client stable, internal beta –compatible win32, xBSD and Solaris on the way Hflow –internal beta Walleye interface –internal alpha Honeywall CDROM –public beta

27 27 Next Steps Flesh out UI Testing, Lots of testing development of new analysis techniques –intruder identification –intruder classification Take tools and techniques and use in production networks as part of incident response.

28 28 How these tools might be used in the field. 1.Intrusion occurs, and incident response begins. 2.Bootable cdrom throw into spare pc with 3 nics 3.Honeywall is configured 4.Honeywall placed upstream of the compromised host 5.Sebek is installed on the host 6.intruder is now fully monitored.

Download ppt "Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
HP Quality Center Overview.

HP Quality Center Overview.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
ISecurity Complete Product Series For System i. About Raz-Lee Internationally renowned System i solutions provider Founded in 1983; 100% focused on System.

ISecurity Complete Product Series For System i. About Raz-Lee Internationally renowned System i solutions provider Founded in 1983; 100% focused on System.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.

Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.
Pacific North West Honeynet Project Dave Dittrich The Information School University of Washington DIMACS Large Scale Attack Workshop, Sept. 23, 2003.

Pacific North West Honeynet Project Dave Dittrich The Information School University of Washington DIMACS Large Scale Attack Workshop, Sept. 23, 2003.
Manuka project IEEE IA Workshop June 10, 2004. Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.

Manuka project IEEE IA Workshop June 10, Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.

PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
Incident Response and Forensic Course Disk Image Cataloging Project Concepts and Deliverables.

Incident Response and Forensic Course Disk Image Cataloging Project Concepts and Deliverables.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Similar presentations

Ads by Google