Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.


Near Term Tools: Using honeynet tools and techniques for post-intrusion intelligence gathering
Edward G. Balas, Indiana University Advanced Network Management Lab, 6/15/2004

2 About the Author
Edward G. Balas
  – Security Researcher at Indiana University’s Advanced Network Management Lab
  – Honeynet Project member: Sebek lead, Honeywall user interface lead
Research sponsorship
  – This material is based on research sponsored by the Air Force Research Laboratory under agreement number F The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.

3 Roadmap
Honeynets are an idealized forensic testbed
Latest developments
  – Sebek version 2.2.x
  – Hflow data fusion tool
  – Honeynet data analysis interface
  – Bootable CD-ROM honeywall
Near-term goal: improve honeynet data analysis
Long-term goal: provide a system to support real-time forensics and post-intrusion intelligence gathering

4 Honeynets
A network containing information system resources whose value lies in unauthorized or illicit use of those resources
No production value
All traffic is suspicious
Primary value is the information gained

5

6 Want to support the Project?

7 Sebek version 2.2.x
Kernel “module” that acts as a host-level black box or flight recorder
Designed to be invisible to all users (a design goal, not a guarantee)
Circumvents encryption: data is captured after the kernel has decrypted it (at sys_read), so SSH and similar sessions are recorded in the clear
Can be installed post-intrusion
Captures:
  – Process tree information
  – Names of files opened by a process
  – Data read by a process, including keystrokes
  – All socket activity

8 Sebek Illustrations
Top left: general architecture
Bottom left: how Sebek gains access to sys_read data

9 Data Analysis
Honeynet data analysis and traditional incident response are similar
Multiple data types are examined:
  – Network traffic logs
  – IDS / event logs
  – Disk analysis
  – Sebek or other keystroke logs
Time consuming and error prone

10 How it is done today
Each data type has its own analysis tool
  – causing a stovepipe effect
  – each data set is examined in isolation
Switching data sources forces a wetware (analyst) context switch
Relations are discovered manually and re-expressed to each tool for screening by the analyst
No automatic way to track an interesting sequence across data sources

11 Where we want to be
Shift the screening and coalescing burden to the computer
Focus human effort on tasks best suited to the human
Provide an interface that supports the analyst’s workflow
Provide a system that may have use in production networks

12 Improving Data Analysis
The new data coming from Sebek (per-process socket records) allows us to automatically relate network and Sebek data
To automate coalescing we developed a backend daemon called Hflow
To demonstrate the impact of these capabilities on reporting, we developed a web-based user interface named Walleye

13 The challenge facing Hflow

14 Hflow Overview
Fancy Perl daemon that consumes multiple data streams
Automates the process of data fusion
Inputs:
  – Argus flow data
  – Snort IDS events
  – Sebek socket records
  – p0f OS fingerprints
Outputs:
  – normalized honeynet network data uploaded into a relational database

15 Hflow Illustration

16 What this gives us
Automatic identification of:
  – the type of OS initiating a network connection
  – IDS events related to a network connection
  – IDS events related to a process and user on a host
  – the point where a non-root user gained root access
  – the list of files associated with an intrusion
  – a sense of attribution between two related flows on a monitored box
Operate at a higher level where we can scale to support operational networks
  – Using Argus, the central theme of an event sequence can be identified without having to examine packet traces
  – When packet traces are needed, the Argus info helps facilitate retrieval
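
The fusion step that slides 14 and 16 describe, as an added example that is not Hflow's own code (Hflow is a Perl daemon and its schema is not on these slides): four constructed input streams standing in for Argus flows, Snort events, Sebek process and socket records and p0f fingerprints are normalized into one sqlite schema keyed on a direction-independent 5-tuple, and the slide's questions (which OS initiated a flow, which IDS events belong to a flow, which process and uid on the honeypot owned that flow, and where a non-root process spawned a root one) become plain joins. Record layouts, addresses, PIDs, SIDs and timestamps are all hypothetical.

```python
# Added example: Hflow-style fusion of constructed Argus / Snort / Sebek / p0f
# records into one relational schema, then the queries the slides call for.
# Not Hflow's code or schema; every layout and value below is a stand-in.
import sqlite3

ARGUS_FLOWS = [  # (start_ts, proto, initiator, sport, responder, dport)
    (1087300000, "tcp", "10.0.0.31", 34512, "10.0.0.25", 443),
    (1087300004, "tcp", "10.0.0.25", 41000, "10.0.0.31", 8080),
    (1087300100, "udp", "10.0.0.40", 53001, "10.0.0.25", 53),
]
SNORT_EVENTS = [  # (ts, sid, msg, proto, src, sport, dst, dport)
    (1087300001, 1887, "OpenSSL worm attempt", "tcp", "10.0.0.31", 34512, "10.0.0.25", 443),
    (1087300002, 2000, "shell spawned as www", "tcp", "10.0.0.31", 34512, "10.0.0.25", 443),
    (1087300005, 2001, "uid=0 shell", "tcp", "10.0.0.25", 41000, "10.0.0.31", 8080),
]
SEBEK_PROCS = [  # (pid, ppid, uid, command) from the honeypot's process tree
    (812, 1, 0, "httpd"), (900, 812, 80, "httpd"), (901, 900, 80, "sh"),
    (902, 901, 80, "localexp"), (903, 902, 0, "sh"),
]
SEBEK_SOCKETS = [  # (ts, pid, proto, laddr, lport, raddr, rport) on the honeypot
    (1087300000, 900, "tcp", "10.0.0.25", 443, "10.0.0.31", 34512),
    (1087300004, 903, "tcp", "10.0.0.25", 41000, "10.0.0.31", 8080),
]
P0F_FINGERPRINTS = [("10.0.0.31", "Linux 2.4.x"), ("10.0.0.40", "Windows 2000 SP4")]

SCHEMA = """
CREATE TABLE flow(id INTEGER PRIMARY KEY, ts INT, proto TEXT, src TEXT, sport INT, dst TEXT, dport INT);
CREATE TABLE ids_event(id INTEGER PRIMARY KEY, ts INT, sid INT, msg TEXT, flow_id INT);
CREATE TABLE process(pid INT PRIMARY KEY, ppid INT, uid INT, command TEXT);
CREATE TABLE sebek_socket(pid INT, flow_id INT);
CREATE TABLE os_fingerprint(ip TEXT PRIMARY KEY, os TEXT);
"""


def flow_key(proto, a, ap, b, bp):
    """Direction-independent 5-tuple: Argus names the initiator first, Snort
    names the packet's sender and Sebek names the honeypot's own socket, so
    endpoints must match regardless of order."""
    return (proto,) + tuple(sorted([(a, ap), (b, bp)]))


def build_db():
    """Normalize every stream, linking events and socket records to a flow id."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    flow_ids = {}
    for ts, proto, src, sport, dst, dport in ARGUS_FLOWS:
        cur = conn.execute("INSERT INTO flow(ts,proto,src,sport,dst,dport) "
                           "VALUES (?,?,?,?,?,?)", (ts, proto, src, sport, dst, dport))
        flow_ids[flow_key(proto, src, sport, dst, dport)] = cur.lastrowid
    for ts, sid, msg, proto, src, sport, dst, dport in SNORT_EVENTS:
        conn.execute("INSERT INTO ids_event(ts,sid,msg,flow_id) VALUES (?,?,?,?)",
                     (ts, sid, msg, flow_ids.get(flow_key(proto, src, sport, dst, dport))))
    conn.executemany("INSERT INTO process VALUES (?,?,?,?)", SEBEK_PROCS)
    for ts, pid, proto, la, lp, ra, rp in SEBEK_SOCKETS:
        conn.execute("INSERT INTO sebek_socket VALUES (?,?)",
                     (pid, flow_ids.get(flow_key(proto, la, lp, ra, rp))))
    conn.executemany("INSERT INTO os_fingerprint VALUES (?,?)", P0F_FINGERPRINTS)
    conn.commit()
    return conn


def events_for_flow(conn, flow_id):
    """IDS events related to one network connection, oldest first."""
    return [r[0] for r in conn.execute(
        "SELECT msg FROM ids_event WHERE flow_id=? ORDER BY ts", (flow_id,))]


def initiator_os(conn, flow_id):
    """p0f's guess for the host that initiated the flow; None if p0f never saw it."""
    row = conn.execute("SELECT o.os FROM flow f LEFT JOIN os_fingerprint o "
                       "ON o.ip=f.src WHERE f.id=?", (flow_id,)).fetchone()
    return row[0] if row else None


def events_for_process(conn, pid):
    """(uid, msg) pairs: IDS events tied to a process through its Sebek socket record."""
    return conn.execute(
        "SELECT p.uid, e.msg FROM process p JOIN sebek_socket s ON s.pid=p.pid "
        "JOIN ids_event e ON e.flow_id=s.flow_id WHERE p.pid=? ORDER BY e.ts",
        (pid,)).fetchall()


def root_transition(conn, pid):
    """Walk up from a root-owned pid to the (parent, child) edge where a
    non-root parent spawned a root child, i.e. where root was gained.
    None if pid is not root, every ancestor was already root, or the
    ancestry is incomplete (Sebek loaded after the intrusion began)."""
    row = conn.execute("SELECT ppid, uid FROM process WHERE pid=?", (pid,)).fetchone()
    while row is not None and row[1] == 0:
        parent = conn.execute("SELECT ppid, uid FROM process WHERE pid=?", (row[0],)).fetchone()
        if parent is None:
            return None
        if parent[1] != 0:
            return (row[0], pid)
        pid, row = row[0], parent
    return None


if __name__ == "__main__":
    db = build_db()
    print(initiator_os(db, 1), events_for_flow(db, 1))
    print(events_for_process(db, 903), root_transition(db, 903))
```

Running it prints the Linux fingerprint for the inbound HTTPS flow with its two alerts, then the single event owned by the root shell and the edge (902, 903), the point at which the uid-80 process tree handed off to a uid-0 child. The direction-independent key is the part worth keeping: without it the Sebek socket record (local 443, remote 34512) never joins to the Argus flow (initiator 34512, responder 443), and the host side of the picture stays stovepiped.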

17 Reporting with Walleye
Web interface provides a unified view of all network data
  – Network “flow” records
  – IDS events
  – OS fingerprints
  – System-level socket records
Allows the user to jump from network to host data
Visualizes multiple data types together
Reduced stovepipe effect

18

19

20 Looking closely
Host x.x.x.31 attacked x.x.x.25 on its HTTPS port
x.x.x.31 was a Linux host
The attack matched the OpenSSL worm signature and triggered 2 additional alerts indicating that the attacker gained www and then root access
If we click on Proc View, we jump to a high-level view of the related process activity

21

22 What you are seeing
Display shows a process tree and its associated IDS events
  – created by querying on a single IDS event
  – Yellow boxes are root processes
  – Cyan boxes are non-root processes
  – Red boxes are IDS events
  – Red arrow represents the direction of the flow associated with the event
Only IDS-related flows are displayed
Graph automatically generated from the DB, rendered with the Graphviz tool from AT&T
Notice anything odd about the graph?
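
How a process tree pulled from the database becomes the Proc View picture, as an added example that is not Walleye's code: the function emits Graphviz DOT using the slide's colour code (yellow root process, cyan non-root process, red IDS event, red arrow in the flow's direction), and a process whose parent was never captured gets a dashed placeholder rather than a silent gap, which is what a late-installed Sebek produces. The tree and events are constructed sample data; pipe the output through dot -Tpng to see it.

```python
# Added example: render a process tree and its IDS events as Graphviz DOT in
# the Proc View colour scheme.  Not Walleye's code; the data is hypothetical.

PROCESSES = [  # (pid, ppid, uid, command); pid 812's parent is deliberately absent
    (900, 812, 80, "httpd"), (901, 900, 80, "sh"),
    (902, 901, 80, "localexp"), (903, 902, 0, "sh"),
]
EVENTS = [  # (event_id, msg, pid, inbound); inbound=True means the flow came to the host
    (1, "OpenSSL worm attempt", 900, True),
    (2, "uid=0 shell", 903, False),
]


def proc_view_dot(processes, events):
    """Return DOT text for the tree plus its events; render with `dot -Tpng`."""
    known = {p[0] for p in processes}
    placeholders = set()
    lines = ["digraph procview {", "  node [shape=box, style=filled];"]
    for pid, ppid, uid, cmd in processes:
        color = "yellow" if uid == 0 else "cyan"
        lines.append(f'  p{pid} [label="{cmd}\\npid {pid} uid {uid}", fillcolor={color}];')
        if ppid not in known and ppid not in placeholders:
            # Parent never seen by Sebek: show the gap instead of dropping the edge.
            placeholders.add(ppid)
            lines.append(f'  p{ppid} [label="pid {ppid}\\nnot captured", '
                         'style="filled,dashed", fillcolor=white];')
        lines.append(f"  p{ppid} -> p{pid};")
    for eid, msg, pid, inbound in events:
        lines.append(f'  e{eid} [label="{msg}", fillcolor=red];')
        # Arrow direction follows the flow: into the process for inbound traffic.
        lines.append(f"  e{eid} -> p{pid} [color=red];" if inbound
                     else f"  p{pid} -> e{eid} [color=red];")
    lines.append("}")
    return "\n".join(lines)


def node_colors(dot):
    """Map node id -> fillcolor from DOT text, to check a rendering without Graphviz."""
    colors = {}
    for line in dot.splitlines():
        line = line.strip()
        if "fillcolor=" in line:
            colors[line.split()[0]] = line.split("fillcolor=")[1].rstrip("];")
    return colors


if __name__ == "__main__":
    print(proc_view_dot(PROCESSES, EVENTS))
```

In the sample, the only yellow box hangs under a chain of cyan ones, so the uid change is visible at a glance; the dashed box at the top is the kind of oddity the slide's closing question invites you to look for.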

23

24 Honeywall bootable CD-ROM
CD-ROM makes deployment
  – faster
  – less error prone
  – more consistent
Provides data
  – capture
  – control
  – analysis

25 Honeywall Bootable Linux Distro
Contains all tools needed to rapidly roll out a local or distributed honeynet
Provides:
  – Layer 2 bridging firewall
  – Snort IDS sensor
  – Inline Snort with drop capability
  – Traffic accounting via Argus
  – Full archive of all packets
  – Traffic rate limiting
  – Hflow and the Walleye UI (coming soon)
Strong support for customization
Effort led by Dave Dittrich, University of Washington

26 Status of components
Everything will be release grade within 9 months
Sebek
  – Linux client stable, internal beta
  – compatible Win32, xBSD and Solaris clients on the way
Hflow
  – internal beta
Walleye interface
  – internal alpha
Honeywall CD-ROM
  – public beta

27 Next Steps
Flesh out the UI
Testing, lots of testing
Development of new analysis techniques
  – intruder identification
  – intruder classification
Take the tools and techniques and use them in production networks as part of incident response

28 How these tools might be used in the field
1. Intrusion occurs, and incident response begins
2. Bootable CD-ROM is thrown into a spare PC with 3 NICs (two for the layer 2 bridge, one for management)
3. Honeywall is configured
4. Honeywall is placed inline upstream of the compromised host
5. Sebek is installed on the host
6. The intruder is now fully monitored