Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Published byCaroline Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,"— Presentation transcript:

1 Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile

2 Overview Reconnaissance & Enumeration – Concepts, Examples, Motivations Hands-on Cyber Attacks – Concept – Establishing a Baseline – Demonstration of the Attack – Monitoring & Detection – Analyzing the Attack – Response & Recovery – Enacting Mitigation Actions 2 Port Scanning DNS Zone Transfer

3 Reconnaissance & Enumeration Reconnaissance and Enumeration is the act of scanning a network to determine its layout, hosts, services, users, and other information which may be useful in a cyber attack 3

4 Reconnaissance & Enumeration Some Examples: Network mapping – scanning a network to determine what hosts are present Port Scanning – scanning a network or hosts to determine what services (ports) are open and what applications are running behind those ports Website Crawling – gleaning useful information from publicly available websites Cold Calling – asking your personnel sensitive questions Running Process Lists – determining what programs are running and on what hosts User Accounts – determining what user accounts are available on a host 4

5 Reconnaissance & Enumeration Why are these attacks important to you? – Network attacks are often preceded by these actions and may be an indicator of a future attack These attacks may not actually affect your network – These attacks may serve as a “smoke screen” – Prioritize accordingly 5

6 Reconnaissance & Enumeration 6 Cyber Attack - Port Scanning -

7 Attacker’s View

8 Multiple Protocol SYN Packets Open Port Found Your View

9 R&E Cyber Attack – Port Scanning Hosts on the network frequently have ports open that allow the host to communicate with other hosts on the network and offer services – e.g. Port 22 is SSH, Port 80 is WWW Port scanning is the act of scanning a host or hosts to determine what ports are open and closed 9

10 R&E Cyber Attack – Port Scanning Malicious actors use this technique to: – Determine what applications are remotely accessible on the host – Determine version or other useful information for those applications Why? – Build target lists for specific attacks – Curiosity 10

11 R&E Cyber Attack – Port Scanning Port scanning uses standard network protocols to query a host to find open ports and information This attack targets hosts that are remotely accessible and have services that are also remotely accessible 11

12 R&E Cyber Attack – Port Scanning 12 Website Graphic Version & Port Information

13 R&E Cyber Attack – Port Scanning 13 Monitor Detect Respond Recover Analyze Baseline

14 R&E Cyber Attack – Port Scanning Establish a Baseline for What’s Normal for Your Network: – Do you have applications that regularly scan your network (e.g. vulnerability assessment tools)? – Do you have administrators that regularly scan your network looking for rogue devices? Use this baseline to compare what you currently see to what you expect – Any differences are a good indication of something going on! 14

15 R&E Cyber Attack – Port Scanning 15 Attack Demonstration

16 R&E Cyber Attack – Port Scanning Monitoring & Detection – Router ACLs & Logging – Log Analysis 16 Cisco Configuration Elements Log Management

17 R&E Cyber Attack – Port Scanning Monitoring & Detection – Configure your network to detect port scanning – Monitor your detection tool(s) – Establish a Baseline 17 EX: Syslog-ng EX: Cisco IOS Logging EX: Port Scan ACL EX: SWATCH

18 R&E Cyber Attack – Port Scanning 18 Attack Demonstration (This time you can see how your network views the attack)

19 R&E Cyber Attack – Port Scanning Analysis - what did your detection tools report? Is this really an attack? – Router ACL Logging – Log Analysis Where is attack coming from? Are any IPs or Ports of particular interest? – Are there any recent attacks targeting these applications, operating systems, etc? Are there any patterns? 19

20 R&E Cyber Attack – Port Scanning Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)If analysis indicates particular interest in an IP or Port, and a vulnerability exists, patch it or block it! Blocking source IPs is a losing game – a dedicated attacker can switch sources at the drop of a hat Too many firewall rules make things ungainly & slow If you choose to block it (and you can!), put it in for a set period of time (say 2 weeks), then remove it. This takes firewall discipline! 20

21 R&E Cyber Attack – Port Scanning Recovery Actions – The attack is over – how do I prevent this again? 1)Ask yourself “What _could_ have happened here?” 2)Consider “whitelisting” for critical applications that only certain people need to access 3)Other “mitigation” strategies… What is appropriate for your network & resources? 21

22 R&E Cyber Attack – Port Scanning What Other Mitigation Steps Would You Take? – Please don’t make any changes right now – it may affect the other attacks we want to demonstrate! 22 DISCUSSIONS ??

23 R&E Cyber Attack – Port Scanning 23 Final Attack Demonstration

24 R&E Cyber Attack – Port Scanning Attack Discussion – Did the mitigation steps help? – How else can you protect your network? Other Thoughts Before We Move On? 24

25 Reconnaissance & Enumeration 25 Cyber Attack - Zone Transfer -

26 Attacker’s View Make them work for targets….don’t give ‘em away…..

27 R&E Cyber Attack – Zone Transfer The DNS allows a “Zone Transfer” to keep secondary servers in sync with their master – This is a normal part of DNS operations A zone transfer copies all the data in the zone file from the DNS server to the requester 27

28 R&E Cyber Attack – Zone Transfer Malicious actors use this technique to: – Easily determine what domains are registered (and therefore, which ones are not) – Easily determine key servers and hosts that are publicly accessible (why else would they be in the DNS?) – Easily find potentially sensitive information DNS zone administrators have left in their zone files Why? – Build target lists for attacks – Potentially find key hosts (i.e. administrators workstation) to attack 28

29 R&E Cyber Attack – Zone Transfer Zone transfers use standard DNS protocols to transfer data from a server This attack targets authoritative DNS servers that are remotely accessible and allow zone transfers from “unverifiable” sources 29

30 R&E Cyber Attack – Zone Transfer 30 Sample Output from Zone Transfer

31 R&E Cyber Attack – Zone Transfer 31 Monitor Detect Respond Recover Analyze Baseline

32 R&E Cyber Attack – Zone Transfer Establish a Baseline for What’s Normal for Your Network: – What servers are supposed to conduct zone transfers? – Don’t forget the time component – When are zone transfers supposed to occur? – Do you administrators conduct zone transfers to check the contents of their zones? – Do you have applications that do this? Use this baseline to compare what you currently see to what you expect – Any differences are a good indication of something going on! 32

33 R&E Cyber Attack – Zone Transfer 33 Attack Demonstration

34 R&E Cyber Attack – Zone Transfer Monitoring & Detection – BIND (or DNS Server) Configuration – Log Analysis 34 Installation Configuration Operation

35 R&E Cyber Attack – Zone Transfer Monitoring & Detection – Configure your network to detect zone transfers – Monitor your detection tool(s) – Establish a Baseline 35 EX: Zone Transfer Detection

36 R&E Cyber Attack – Zone Transfer 36 Attack Demonstration (This time you can see how your network views the attack)

37 R&E Cyber Attack – Zone Transfer Analysis - what did your detection tools report? Is this really an attack? Did a zone transfer actually occur? – Log Analysis Where is attack coming from? 37

38 R&E Cyber Attack – Zone Transfer Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)If analysis determines a zone transfer occurred to an unauthorized host, what was compromised? - If anything sensitive was compromised – take appropriate action! 38

39 R&E Cyber Attack – Zone Transfer Recovery Actions – The attack is over – how do I prevent this again? 1)Ask yourself “What _could_ have happened here?” 2)Scrub zone file for any sensitive information… 3)Configure DNS server to only allow zone transfers from authorized hosts (“whitelisting”) 4)Other “mitigation” strategies… What is appropriate for your network & resources? 39

40 R&E Cyber Attack – Zone Transfer What Mitigation Steps Would You Take? – Configuring BIND to allow authorized zone transfers… 40 DISCUSSIONS ?? EX: Zone Transfer Mitigation

41 R&E Cyber Attack – Zone Transfer 41 Final Attack Demonstration

42 R&E Cyber Attack – Zone Transfer Attack Discussion – Did the mitigation steps help? – How else can you protect your network? Other Thoughts Before We Move On? 42

43 QUESTIONS? 43 ? Do you have any questions about … –Reconnaissance & Enumeration –Detecting This Type of Attack –Responding & Recovering From This Type of Attack

Download ppt "Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,"

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Introduction To The Course Network Architecture Hervey Allen Chris Evans Phil Regnauld September 3 - 4, 2009 Santiago, Chile.

Introduction To The Course Network Architecture Hervey Allen Chris Evans Phil Regnauld September 3 - 4, 2009 Santiago, Chile.
Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Security Guidelines and Management

Security Guidelines and Management
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.

Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
IPv6 Network Assessor 111 © 2005 Cisco Systems, Inc. All rights reserved. Susan Shareshian Solutions Manager, Cisco Systems, Inc.

IPv6 Network Assessor 111 © 2005 Cisco Systems, Inc. All rights reserved. Susan Shareshian Solutions Manager, Cisco Systems, Inc.
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.

| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
OV 12 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

Similar presentations

Ads by Google