Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
October 8, 2014 DRAFT
Chapter 9: Cyber Network Defense using Advanced Log Analysis
Introduction to Cyber Network Defense
Cyber Network Defense (CND) is a continuously improving process for defending IT assets.
The CND approach in this chapter includes:
– A lightweight process for CND
– A set of open source scripts for network monitoring and Advanced Log Analysis (ALA) on BackTrack
– An agile strategy for escalating defenses
– A cyber investigations process
– A scenario for eradicating browser-based spyware
– Instructions for implementing the processes
General Method and Tools for Cyber Investigations
Investigations are based upon the Scientific Method to focus activities:
– Observation
– Hypothesis
– Evaluation: analyze and interpret data
– Prediction
– Repeat the method to validate predictions
Continuous Cyber Investigation Strategy
– Full packet capture when the network is quiet
– Capture IDS alerts during busy hours
– Investigation of suspicious alerts
– Host-Based Security (HBS)
– Firewalls
– Regular updates/upgrades to processes and technical components
– Integrated CND
Summary of Cyber Investigation Process
Use the custom CND scripts as a daily monitoring and investigation process:
  # ./snortcap                           - Run the IDS on the overnight packet capture.
  # ./headcap | wc                       - How many alerts overnight?
  # ./statcap                            - Count and rank the top alerts.
  # ./hostcap                            - Which are the top alerting hosts?
  # ./alertipcap 10.10.100.10            - What are the alert details for that host?
  # sort sum*10.10* | uniq -c | sort -rn - Rank the top alerts for that IP.
  # ./iporgcap 10.10.100.10              - Which external domains are alerting for that IP?
  # whois 64.94.107.15                   - Who owns this unresolved domain?
Use an Internet browser to investigate external IPs and domains. Discover these domains with the following command:
  # ./orgcap                             - What are all the external alerting domains?
Network Monitoring
Establish a Switched Port Analyzer (SPAN) port on the core switch or firewall
– Mirrors all network traffic to the IDS
To run the IDS in real time, use the following daycap script:
  #!/bin/bash
  # Pass any parameter, e.g. ./daycap keep, to append to the existing logs
  # By default, daytime logs are deleted to conserve space
  if [ -z "$1" ]; then rm -f /tmp/alert /tmp/snort.log.*; fi
  /usr/local/bin/snort -A full -c /etc/snort/snort.conf -l /tmp
Advanced Text Log Analysis
A set of custom scripts is explained in detail in Chapter 9, teaching you gawk along the way.
Example: the statcap script creates a histogram of the most frequent alerts. Each Snort full-format alert is a blank-line separated record whose first line is the signature:
  #!/bin/bash
  gawk 'BEGIN { FS = "\n"; RS = "\n\n" } /\[\*\*\]/ { print $1 }' alert | sort | uniq -c | sort -rn | less
The hostcap script finds the host generating the most alerts. The third line of each record is "timestamp src:port -> dst:port"; the script takes the source, strips the port, keeps only dotted-quad values and counts them (the /TCP/ pattern restricts the count to TCP alerts):
  #!/bin/bash
  gawk 'BEGIN { FS = "\n"; RS = "\n\n" } /TCP/ { print $3 }' alert | gawk '{ print $2 }' | gawk -F: '{ print $1 }' | gawk '/^[0-9.]+$/' | sort | uniq -c | sort -rn
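The daily process from the investigation summary (statcap, hostcap, alertipcap) rebuilt as an added example; this is not the book's code. It writes a constructed Snort "-A full" alert file inline (the signature IDs, timestamps and addresses are constructed) and runs portable awk equivalents of the scripts over it. awk paragraph mode (RS="") stands in for gawk's RS="\n\n", so the block also runs under mawk or BSD awk, and alertipcap compares addresses exactly after stripping the port instead of matching a substring.

```shell
#!/bin/sh
# Added example, not the book's scripts: portable awk equivalents of statcap,
# hostcap and alertipcap, run over a constructed Snort "-A full" alert file.
# Paragraph mode (RS="") splits the file into blank-line separated records
# like gawk's RS="\n\n" does, but also works in mawk and BSD awk.

# Constructed sample: three Snort full-format alert records. In each record
# line 1 is the signature and line 3 is "timestamp src:port -> dst:port".
write_sample_alerts() {
  cat > "$1" <<'EOF'
[**] [1:2000334:9] ET P2P BitTorrent peer sync [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
10/08-03:12:45.123456 10.10.100.10:51234 -> 64.94.107.15:6881
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF

[**] [1:2000334:9] ET P2P BitTorrent peer sync [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
10/08-03:13:01.000001 10.10.100.10:51235 -> 66.235.147.3:6881
TCP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:60 DF

[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/08-03:14:10.000002 10.10.100.22:44000 -> 10.10.100.10:80
TCP TTL:64 TOS:0x0 ID:12347 IpLen:20 DgmLen:60 DF
EOF
}

# statcap: histogram of alert signatures, most frequent first.
statcap() {
  awk 'BEGIN { FS = "\n"; RS = "" } /\[\*\*\]/ { print $1 }' "$1" \
    | sort | uniq -c | sort -rn
}

# hostcap: source hosts ranked by the number of TCP alerts they triggered.
# Take line 3 of each TCP record, its second word (src:port), strip the port,
# keep only dotted-quad values, then count.
hostcap() {
  awk 'BEGIN { FS = "\n"; RS = "" } /TCP/ { print $3 }' "$1" \
    | awk '{ print $2 }' | awk -F: '{ print $1 }' \
    | awk '/^[0-9.]+$/' | sort | uniq -c | sort -rn
}

# alertipcap: full records in which IP appears as source or destination.
# Exact comparison after stripping the port, so 10.10.100.1 never matches
# 10.10.100.10 the way a substring search would.
alertipcap() {
  awk -v ip="$2" 'BEGIN { FS = "\n"; RS = ""; ORS = "\n\n" }
    { split($3, w, " "); src = w[2]; dst = w[4]
      sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
      if (src == ip || dst == ip) print }' "$1"
}

# Stand-alone run over the constructed sample.
demo() {
  demo_file=$(mktemp) || exit 1
  write_sample_alerts "$demo_file"
  echo "== top alerts (statcap) =="; statcap "$demo_file"
  echo "== top alerting hosts (hostcap) =="; hostcap "$demo_file"
  echo "== alerts involving 10.10.100.10 (alertipcap) =="; alertipcap "$demo_file" 10.10.100.10
  rm -f "$demo_file"
}
demo
```

With the constructed sample, statcap reports the BitTorrent signature twice and the ATTACK_RESPONSE signature once, hostcap ranks 10.10.100.10 first with two alerts, and alertipcap for 10.10.100.10 returns all three records (two as source, one as destination), which is the view the summary's sort/uniq step then ranks.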
Advanced Binary Log Analysis: Wireshark
Advanced Binary Log Analysis: tcpdump
Reporting Cyber Investigations
Lesson learned: do not go to a cybersecurity professional and inform them that their machine is generating copious beacons. Panic ensues!
Instead, approach reporting in a non-judgmental, diplomatic manner.
Provide proof of your findings
– It will certainly be requested
Empower people to resolve the problem with guidance and mentoring
Elimination of Cyber Threats
Block suspicious IPs using the hosts file (Windows and Linux) by mapping the offending domain name to localhost:
  127.0.0.1 ak.quantcast.com
Block suspicious IPs from the entire network at the firewall (e.g. Cisco):
  $ enable
  Password:
  # config t
  (config)# object-group network Blocked_IPs
  (config-network)# network-object 64.94.107.0 255.255.255.0
  (config-network)# network-object 66.235.147.0 255.255.255.0
  (config-network)# exit
  (config)# access-list in2out2 extended deny ip any object-group Blocked_IPs
  (config)# access-list in2out2 extended permit ip any any
  (config)# access-group in2out2 in int inside
  (config)# show config
  (config)# wr mem
  (config)# exit
  # exit
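An added example, not from the book, of maintaining the hosts-file sinkhole entries described above: adding is idempotent, entries are tagged so the investigation's lines can be removed again without disturbing hand-written ones, and the file path is a parameter so the demo edits a constructed temporary copy rather than the live hosts file. ak.quantcast.com is the slide's own entry; the second domain name in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the book: maintain hosts-file sinkhole entries for
# domains an investigation turned up. Each entry maps the name to 127.0.0.1
# like the slide's ak.quantcast.com line; the path is a parameter so the
# demo below edits a constructed temporary copy, never the live /etc/hosts.

TAG='# CND sinkhole'   # marks our lines so they can be found and removed again

# Return 0 if NAME appears as a hostname on any active (non-comment) line.
has_entry() {
  awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                 END { exit !f }' "$1"
}

# Add a sinkhole line for NAME unless the file already resolves it somewhere.
# Idempotent: calling it twice leaves exactly one line.
block_domain() {
  if has_entry "$1" "$2"; then
    return 0
  fi
  printf '127.0.0.1\t%s\t%s\n' "$2" "$TAG" >> "$1"
}

# Remove only the tagged sinkhole line for NAME; hand-written lines stay.
unblock_domain() {
  tmp="$1.tmp.$$"
  awk -v n="$2" -v t="$TAG" '!($1 == "127.0.0.1" && $2 == n && index($0, t))' "$1" > "$tmp" \
    && mv "$tmp" "$1"
}

# Return 0 if NAME currently resolves to a loopback sinkhole address.
is_sinkholed() {
  awk -v n="$2" '($1 == "127.0.0.1" || $1 == "0.0.0.0") {
                   for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                 END { exit !f }' "$1"
}

# Number of tagged sinkhole entries in the file (prints 0 when there are none).
count_sinkholed() {
  grep -c "$TAG" "$1" || true
}

# Stand-alone run on a constructed starting hosts file.
demo() {
  hf=$(mktemp) || exit 1
  printf '127.0.0.1\tlocalhost\n::1\tlocalhost\n' > "$hf"
  block_domain "$hf" ak.quantcast.com
  block_domain "$hf" ak.quantcast.com          # no-op, already present
  block_domain "$hf" spyware-cdn.example.com   # constructed placeholder name
  echo "== hosts file after blocking =="; cat "$hf"
  unblock_domain "$hf" spyware-cdn.example.com
  echo "== after unblocking the placeholder =="; cat "$hf"
  rm -f "$hf"
}
demo
```

The hosts file only affects lookups by name on that one machine, which is why the slide pairs it with the firewall object-group: the ACL denies the address ranges for every host behind the firewall regardless of how they resolve the name.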
Logs on Various OS/Services
Intrusion Discovery on Windows
To detect intrusions, seek out:
– Unusual processes and services
– Unusual files and registry keys
– Unusual network activity
– Unusual scheduled tasks
– Unusual accounts
– Unusual log entries
Review: Chapter Summary