Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Slides:



Advertisements
Similar presentations
Presented by Nikita Shah 5th IT ( )
Advertisements

Introduction To The Course Network Architecture Hervey Allen Chris Evans Phil Regnauld September 3 - 4, 2009 Santiago, Chile.
Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
System and Network Security Practices COEN 351 E-Commerce Security.
Enterprise Network Security Accessing the WAN Lecture week 4.
COEN 252: Computer Forensics Router Investigation.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Security Guidelines and Management
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
IPv6 Network Assessor 111 © 2005 Cisco Systems, Inc. All rights reserved. Susan Shareshian Solutions Manager, Cisco Systems, Inc.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Disruption Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
IT Audit 2006 Deborah Joyner, Marjorie Tucker, Kay Simpson, Dawn Rountree, Kathy Jones.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
Core 3: Communication Systems. Network software includes the Network Operating Software (NOS) and also network based applications such as those running.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
HO © 2012 Fluor. All rights reserved. Quick Wins in Vulnerability Management Classification: Confidential Owner: Michael Holcomb Approver: Phil.
1 Firewall Rules. 2 Firewall Configuration l Firewalls can generally be configured in one of two fundamental ways. –Permit all that is not expressly denied.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
Footprinting and Scanning
IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.
Mitigation Strategies Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Role Of Network IDS in Network Perimeter Defense.
Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses.
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
By Steve Shenfield COSC 480.  Definition  Incidents  Damages  Defense Mechanisms Firewalls/Switches/Routers Routing Techniques (Blackholing/Sinkholing)
Syo-401 Question Answer. QUESTION 1 An achievement in providing worldwide Internet security was the signing of certificates associated with which of the.
ASHRAY PATEL Securing Public Web Servers. Roadmap Web server security problems Steps to secure public web servers Securing web servers and contents Implementing.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Privilege Escalation Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
Final Project: Advanced Security Blade IPS and DLP blades.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
CISOs Guide To Communicating WNCRY.
CompTIA Security+ Study Guide (SY0-401)
Working at a Small-to-Medium Business or ISP – Chapter 8
Critical Security Controls
Footprinting and Scanning
CompTIA Security+ SY0-401 Real Exam Question Answer
Disruption Baseline, Monitor, Detect, Analyze, Respond, & Recover
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
Introduction to Networking
Introduction to Networking
Introduction to Networking
Footprinting and Scanning
CompTIA Security+ Study Guide (SY0-401)
IS4680 Security Auditing for Compliance
Lecture 3: Secure Network Architecture
Network hardening Chapter 14.
Firewalls Chapter 8.
6. Application Software Security
Presentation transcript:

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile

Overview Reconnaissance & Enumeration – Concepts, Examples, Motivations Hands-on Cyber Attacks – Concept – Establishing a Baseline – Demonstration of the Attack – Monitoring & Detection – Analyzing the Attack – Response & Recovery – Enacting Mitigation Actions 2 Port Scanning DNS Zone Transfer

Reconnaissance & Enumeration Reconnaissance and Enumeration is the act of scanning a network to determine its layout, hosts, services, users, and other information which may be useful in a cyber attack 3

Reconnaissance & Enumeration Some Examples: Network mapping – scanning a network to determine what hosts are present Port Scanning – scanning a network or hosts to determine what services (ports) are open and what applications are running behind those ports Website Crawling – gleaning useful information from publicly available websites Cold Calling – asking your personnel sensitive questions Running Process Lists – determining what programs are running and on what hosts User Accounts – determining what user accounts are available on a host 4

Reconnaissance & Enumeration Why are these attacks important to you? – Network attacks are often preceded by these actions and may be an indicator of a future attack These attacks may not actually affect your network – These attacks may serve as a “smoke screen” – Prioritize accordingly 5

Reconnaissance & Enumeration 6 Cyber Attack - Port Scanning -

Attacker’s View

Multiple Protocol SYN Packets Open Port Found Your View

R&E Cyber Attack – Port Scanning Hosts on the network frequently have ports open that allow the host to communicate with other hosts on the network and offer services – e.g. Port 22 is SSH, Port 80 is WWW Port scanning is the act of scanning a host or hosts to determine what ports are open and closed 9

R&E Cyber Attack – Port Scanning Malicious actors use this technique to: – Determine what applications are remotely accessible on the host – Determine version or other useful information for those applications Why? – Build target lists for specific attacks – Curiosity 10

R&E Cyber Attack – Port Scanning Port scanning uses standard network protocols to query a host to find open ports and information This attack targets hosts that are remotely accessible and have services that are also remotely accessible 11

R&E Cyber Attack – Port Scanning 12 Website Graphic Version & Port Information

R&E Cyber Attack – Port Scanning 13 Monitor Detect Respond Recover Analyze Baseline

R&E Cyber Attack – Port Scanning Establish a Baseline for What’s Normal for Your Network: – Do you have applications that regularly scan your network (e.g. vulnerability assessment tools)? – Do you have administrators that regularly scan your network looking for rogue devices? Use this baseline to compare what you currently see to what you expect – Any differences are a good indication of something going on! 14

R&E Cyber Attack – Port Scanning 15 Attack Demonstration

R&E Cyber Attack – Port Scanning Monitoring & Detection – Router ACLs & Logging – Log Analysis 16 Cisco Configuration Elements Log Management

R&E Cyber Attack – Port Scanning Monitoring & Detection – Configure your network to detect port scanning – Monitor your detection tool(s) – Establish a Baseline 17 EX: Syslog-ng EX: Cisco IOS Logging EX: Port Scan ACL EX: SWATCH

R&E Cyber Attack – Port Scanning 18 Attack Demonstration (This time you can see how your network views the attack)

R&E Cyber Attack – Port Scanning Analysis - what did your detection tools report? Is this really an attack? – Router ACL Logging – Log Analysis Where is attack coming from? Are any IPs or Ports of particular interest? – Are there any recent attacks targeting these applications, operating systems, etc? Are there any patterns? 19

R&E Cyber Attack – Port Scanning Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)If analysis indicates particular interest in an IP or Port, and a vulnerability exists, patch it or block it! Blocking source IPs is a losing game – a dedicated attacker can switch sources at the drop of a hat Too many firewall rules make things ungainly & slow If you choose to block it (and you can!), put it in for a set period of time (say 2 weeks), then remove it. This takes firewall discipline! 20

R&E Cyber Attack – Port Scanning Recovery Actions – The attack is over – how do I prevent this again? 1)Ask yourself “What _could_ have happened here?” 2)Consider “whitelisting” for critical applications that only certain people need to access 3)Other “mitigation” strategies… What is appropriate for your network & resources? 21

R&E Cyber Attack – Port Scanning What Other Mitigation Steps Would You Take? – Please don’t make any changes right now – it may affect the other attacks we want to demonstrate! 22 DISCUSSIONS ??

R&E Cyber Attack – Port Scanning 23 Final Attack Demonstration

R&E Cyber Attack – Port Scanning Attack Discussion – Did the mitigation steps help? – How else can you protect your network? Other Thoughts Before We Move On? 24

Reconnaissance & Enumeration 25 Cyber Attack - Zone Transfer -

Attacker’s View Make them work for targets….don’t give ‘em away…..

R&E Cyber Attack – Zone Transfer The DNS allows a “Zone Transfer” to keep secondary servers in sync with their master – This is a normal part of DNS operations A zone transfer copies all the data in the zone file from the DNS server to the requester 27

R&E Cyber Attack – Zone Transfer Malicious actors use this technique to: – Easily determine what domains are registered (and therefore, which ones are not) – Easily determine key servers and hosts that are publicly accessible (why else would they be in the DNS?) – Easily find potentially sensitive information DNS zone administrators have left in their zone files Why? – Build target lists for attacks – Potentially find key hosts (i.e. administrators workstation) to attack 28

R&E Cyber Attack – Zone Transfer Zone transfers use standard DNS protocols to transfer data from a server This attack targets authoritative DNS servers that are remotely accessible and allow zone transfers from “unverifiable” sources 29

R&E Cyber Attack – Zone Transfer 30 Sample Output from Zone Transfer

R&E Cyber Attack – Zone Transfer 31 Monitor Detect Respond Recover Analyze Baseline

R&E Cyber Attack – Zone Transfer Establish a Baseline for What’s Normal for Your Network: – What servers are supposed to conduct zone transfers? – Don’t forget the time component – When are zone transfers supposed to occur? – Do you administrators conduct zone transfers to check the contents of their zones? – Do you have applications that do this? Use this baseline to compare what you currently see to what you expect – Any differences are a good indication of something going on! 32

R&E Cyber Attack – Zone Transfer 33 Attack Demonstration

R&E Cyber Attack – Zone Transfer Monitoring & Detection – BIND (or DNS Server) Configuration – Log Analysis 34 Installation Configuration Operation

R&E Cyber Attack – Zone Transfer Monitoring & Detection – Configure your network to detect zone transfers – Monitor your detection tool(s) – Establish a Baseline 35 EX: Zone Transfer Detection

R&E Cyber Attack – Zone Transfer 36 Attack Demonstration (This time you can see how your network views the attack)

R&E Cyber Attack – Zone Transfer Analysis - what did your detection tools report? Is this really an attack? Did a zone transfer actually occur? – Log Analysis Where is attack coming from? 37

R&E Cyber Attack – Zone Transfer Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)If analysis determines a zone transfer occurred to an unauthorized host, what was compromised? - If anything sensitive was compromised – take appropriate action! 38

R&E Cyber Attack – Zone Transfer Recovery Actions – The attack is over – how do I prevent this again? 1)Ask yourself “What _could_ have happened here?” 2)Scrub zone file for any sensitive information… 3)Configure DNS server to only allow zone transfers from authorized hosts (“whitelisting”) 4)Other “mitigation” strategies… What is appropriate for your network & resources? 39

R&E Cyber Attack – Zone Transfer What Mitigation Steps Would You Take? – Configuring BIND to allow authorized zone transfers… 40 DISCUSSIONS ?? EX: Zone Transfer Mitigation

R&E Cyber Attack – Zone Transfer 41 Final Attack Demonstration

R&E Cyber Attack – Zone Transfer Attack Discussion – Did the mitigation steps help? – How else can you protect your network? Other Thoughts Before We Move On? 42

QUESTIONS? 43 ? Do you have any questions about … –Reconnaissance & Enumeration –Detecting This Type of Attack –Responding & Recovering From This Type of Attack

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.