Intrusion Analysis - Rci.rutgers.edu
Intrusion Detection and Analysis for
Windows-Based Computers
Rutgers University
Office of Information Technology
Presented By: Bruce Rights
Systems Administrator
Information Protection and Security,
Enterprise Systems and Services
Housekeeping
Hours
Bathrooms
Fire exits
Telephones
Recycling
Smoking
Contact information
IT Certificate Program – Intrusion Analysis for Windows-Based
Computers
April 13, 2015
Intrusion Detection & Analysis
for Windows-Based Computers
Welcome
Introduction
Expectations and Objectives
What would you like to get out of
this?
What are your past experiences?
What has happened in the last
month?
Overview
Intrusions - definitions and examples
Anatomy of an Intrusion
Analysis and detection tools: built-in; free;
third-party
Logging and Auditing
IDS and HIDS
Incident Response
Forensics
Final Thoughts
Questions
Intrusion: a definition
Intrude - to thrust oneself in; to
enter uninvited or unwelcome, to
force in.
Intrusion - the act of intruding
Intrusion: examples
Viruses
Worms
Trojans
Spyware
Browser Helper Objects (BHO)
P2P leverage
Data theft
Denial of service
Remote Control
Intrusion: examples
‘I was just looking around’
Keystroke logger
Rootkits
Cross Site Scripting
Man in the Middle
Sniffing
Buffer Overflow
SQL Injection
Password Cracking
Intrusion: examples: viruses
Sasser, Melissa, Sobig, MyDoom, etc.
Self-propagating
Purely malicious
Intrusion: examples: worms
Code Red
Nimda
Slammer
Blaster
Intrusion: examples: trojans
“a Trojan horse is a malicious
program that is disguised as or
embedded within legitimate software.
The term is derived from the classical
myth of the Trojan Horse. They may
look useful or interesting (or at the
very least harmless) to an
unsuspecting user, but are actually
harmful when executed.”
Intrusion: examples: spyware
“…applications [that] collect information,
may or may not install in stealth, and
are designed to transmit that
information to 2nd, or 3rd parties
covertly employing the user's connection
without their consent and knowledge.
The word defines the actual intent; this
is software (ware) that is designed to
collect information in secret (spy).”
Intrusion: examples: browser
helper objects
BHO - a DLL that lets developers extend and control Internet Explorer
Most are good:
Google Toolbar
Some are bad:
CoolWebSearch
BonziBuddy
Intrusion: examples: P2P leverage
Attacker is looking to set up a music
or movie download site
They are looking to use your
resources
They are looking to hide their tracks
BitTorrent, port 6881
Intrusion: examples: denial-of-service
LSASS (lsass.exe) exploit (Sasser)
Traffic flooding:
(SYN flood, ping of death)
E-mail flooding
Log filling
Intrusion: examples: remote control
Remote Desktop
VNC
GoToMyPC
PCAnywhere
Back Orifice
Beast
Intrusion: examples: remote control
Dameware – a remote control utility
It has been hijacked by the bad guys
Processes to look for include
DNTUCli.exe,DNTUCnvt.exe, DNTUS26.exe,
DWADEA.exe, DWExp.exe, DWMacDis.exe,
DWRCC.exe, DWRCCMD.exe,
DWRCCnvt.exe, DWRCINS.exe,
DWRCS.exe, DWRCST.exe, DWRTDE.exe
TCP Port 6129
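As an added example (not part of the slides), the Python script below cross-checks `tasklist` and `netstat -ano` output against the Dameware image names and TCP port 6129 listed above, and the BitTorrent port 6881 from the P2P slide. The two command outputs embedded in it are constructed for the example, not captured from a real host.

```python
"""Cross-check a process list and socket table against the remote-control
indicators named on the slides (Dameware image names, TCP 6129) plus the
BitTorrent port (6881).  Added example; the tasklist/netstat text below is
constructed, not captured from a real machine."""
import re

DAMEWARE_PROCESSES = {name.lower() for name in (
    "DNTUCli.exe", "DNTUCnvt.exe", "DNTUS26.exe", "DWADEA.exe", "DWExp.exe",
    "DWMacDis.exe", "DWRCC.exe", "DWRCCMD.exe", "DWRCCnvt.exe", "DWRCINS.exe",
    "DWRCS.exe", "DWRCST.exe", "DWRTDE.exe")}
SUSPECT_PORTS = {6129: "Dameware", 6881: "BitTorrent"}

# Constructed `tasklist` output (image name, PID, session name, session#, memory).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
explorer.exe                  1204 Console                    1     21,340 K
DWRCS.exe                     1532 Services                   0      4,212 K
svchost.exe                    880 Services                   0      8,100 K
"""

# Constructed `netstat -ano` output; 203.0.113.9 is a documentation address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:6129        203.0.113.9:49201      ESTABLISHED     1532
  UDP    0.0.0.0:6881           *:*                                    1204
"""

TASKLIST_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")

def parse_tasklist(text):
    """Map PID -> image name; header and separator lines do not match the pattern."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs

def parse_netstat(text):
    """Return (proto, local port, state, pid) tuples; UDP rows carry no state."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if parts[0] == "TCP" else ""
        sockets.append((parts[0], port, state, int(parts[-1])))
    return sockets

def find_indicators(tasklist_text, netstat_text):
    """Flag known image names and any socket on a suspect port, tied to its owning process."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for pid, name in procs.items():
        if name.lower() in DAMEWARE_PROCESSES:
            findings.append(f"process {name} (pid {pid}) matches a Dameware image name")
    for proto, port, state, pid in parse_netstat(netstat_text):
        if port in SUSPECT_PORTS:
            owner = procs.get(pid, "unknown")
            findings.append(f"{proto} port {port} ({SUSPECT_PORTS[port]}) "
                            f"{state or 'open'} owned by {owner} (pid {pid})")
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(finding)
```

A name match on its own is weak evidence, since an image can be renamed; the point of parsing both outputs is that the PID column of `netstat -ano` ties a listening or established socket on 6129 back to whatever process actually owns it, renamed or not.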
Intrusion: examples: just looking around
Attacker could be practicing
techniques, takes nothing, but leaves
a ‘calling card’
Or they could be waiting to see if
they get caught.
Or they were looking for something
specific you did not have.
Intrusion: examples: keystroke logger
Can be a hardware or software device
How many of you check your
keyboard connector every morning?
http://www.keyghost.com
Ctrl-Alt-Del provides some protection
Intrusion: examples: rootkits
Malware that hides itself from the usual detection methods
Can be persistent (survives a reboot) or memory-based
User-mode rootkits hook the API calls that tools such as Windows Explorer rely on
Kernel-mode rootkits alter the kernel structures and calls that tools such as Task Manager query
BlackLight: http://www.f-secure.com/blacklight
Rootkit Revealer: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://invisiblethings.org/
http://www.rootkit.com/
Anatomy of an intrusion: Typical process
Reconnaissance
Scanning
Exploit systems
Keeping access
Covering tracks
Anatomy of an intrusion: sql injection
From an article by Jesper Johansson,
Microsoft, which appeared in Technet
magazine, Winter 2005
Anatomy of an intrusion: sql injection
[Network diagram; only its labels survive: Bad Guy, Internet, Firewall, Web Server, Router, Internal Domain, SQL Server, Data Center DC, Router, Firewall. Addresses shown on the diagram: 172.17.0.1, 172.17.0.2, 192.168.2.30, 10.1.2.x]
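The slides name SQL injection as the intrusion being walked through but do not show the query itself. The following Python example, added here and not taken from the slides or from the Technet article they cite, puts the vulnerable form of a login lookup next to its parameterized form against an in-memory SQLite table; the table, its rows and the inputs are all constructed.

```python
"""Minimal login lookup written two ways: SQL text built by string formatting,
and the same query with bound parameters.  Added example; it is not from the
Technet article the slide cites, and the table, rows and inputs are constructed."""
import sqlite3

def make_db():
    """In-memory SQLite table standing in for the SQL Server behind the web server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, name, pwd):
    """Vulnerable form: the user's input becomes part of the SQL statement itself,
    so a quote in the input changes the query's logic instead of staying data."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pwd = '{pwd}'"
    return sorted(row[0] for row in conn.execute(sql))

def login_param(conn, name, pwd):
    """Hardened form: placeholders are bound by the driver, so the input is only
    ever compared as a value and cannot alter the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND pwd = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pwd)))

def compare(conn, name, pwd):
    """Run both forms on the same input so the difference is visible side by side."""
    return {"concat": login_concat(conn, name, pwd),
            "param": login_param(conn, name, pwd)}

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "s3cret"))       # both forms: ['alice']
    print(compare(db, "alice", "' OR '1'='1"))  # concat matches every user, param none
```

The diagram places the SQL Server on the internal domain behind the web server, which is why the database account the web application uses matters as much as the query text: with parameterized queries the input can no longer reshape the statement, and with a least-privilege account a query that does get through cannot reach beyond the tables the application needs.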
Analysis and detection tools: built-in
Task Manager
Add / Remove Programs
Event Viewer
Perfmon
ADUC / Computer Management MMC
Msconfig
IE Add-In Manager
Command line tools, e.g., netstat
Windows Explorer
Analysis and detection tools: free
Spybot, http://safer-networking.org
Ad-Aware,
http://www.lavasoftusa.com
RADS, http://software.rutgers.edu
Silent Runners,
http://www.silentrunners.org
HijackThis, http://www.merijn.org
CWShredder, http://www.merijn.org
Analysis and detection tools: third-party
Trojan Hunter,
http://www.trojanhunter.com
http://www.misec.net/
Logging and Auditing
Establish an auditing and logging
policy
This will include what to audit, and
how to store and read the logs
Know what you are looking for – events such as 513, 529, 530, 531 and 539
Read the logs using filtering, EventCombMT or MOM
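As an added example (not from the slides), the Python script below triages an exported Security log for the event IDs named above. The four-column CSV layout (time, event id, account, workstation) is an assumption made for this example rather than any tool's real export format, and the records are constructed.

```python
"""Triage a constructed Security-log export for the pre-Vista event IDs the slide
names.  Added example; the four-column CSV layout (time, event id, account,
workstation) is an assumption for this example, not any tool's real format."""
import csv
import io
from collections import Counter

# Meaning of each ID in the Windows 2000/XP/2003 Security log.
EVENT_MEANING = {
    513: "Windows is shutting down",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: logon time restriction violation",
    531: "Logon failure: account currently disabled",
    539: "Logon failure: account locked out",
}
FAILED_LOGON_IDS = {529, 530, 531, 539}

# Constructed export; not a real log.
SAMPLE_EXPORT = """\
2005-11-02 08:01:12,529,jsmith,WKS-17
2005-11-02 08:01:15,529,jsmith,WKS-17
2005-11-02 08:01:19,529,jsmith,WKS-17
2005-11-02 08:01:22,539,jsmith,WKS-17
2005-11-02 09:14:03,531,oldtemp,WKS-22
2005-11-02 09:40:55,530,nightops,WKS-05
2005-11-02 17:30:00,513,SYSTEM,WEBSRV1
"""

def parse_export(text):
    """One dict per record; the event id is kept as an int for lookups."""
    return [{"time": t, "id": int(eid), "account": acct, "host": host}
            for t, eid, acct, host in csv.reader(io.StringIO(text))]

def count_failures(records):
    """Failed-logon events per account, whatever the failure reason."""
    return Counter(r["account"] for r in records if r["id"] in FAILED_LOGON_IDS)

def triage(records, threshold=3):
    """Findings an analyst reads first: lockouts, use of disabled accounts,
    shutdowns, and any account whose failure count reaches the threshold."""
    findings = []
    for r in records:
        meaning = EVENT_MEANING.get(r["id"], f"event {r['id']}")
        if r["id"] in (539, 531):
            findings.append(f"{r['time']} {r['account']}@{r['host']}: {meaning}")
        elif r["id"] == 513:
            findings.append(f"{r['time']} {r['host']}: {meaning}")
    for acct, n in count_failures(records).items():
        if n >= threshold:
            findings.append(f"{n} failed logons for {acct} (threshold {threshold})")
    return findings

if __name__ == "__main__":
    for line in triage(parse_export(SAMPLE_EXPORT)):
        print(line)
```

These are the legacy IDs; from Windows Vista and Server 2008 onward the Security log uses a different numbering (a failed logon is 4625 and a lockout 4740), so the table has to be swapped for the platform being audited. A shutdown event (513) on a server that was not scheduled for maintenance is worth a look in its own right, since log filling and reboots are among the ways an intruder covers tracks.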
IDS and HIDS
Analyze incoming traffic at the application layer, looking for malicious payloads
Reconnaissance attacks, exploit attacks, DoS attacks
They use a combination of anomaly detection and signature recognition
HIDS often use information from the Event Logs
Honeypots
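To make the two detection approaches on this slide concrete, here is an added Python example (not code from any product the slides mention) that runs a signature rule and an anomaly rule over constructed web-server requests. The signatures are the URL patterns of two worms named earlier in the deck (Code Red probed `/default.ida`, Nimda requested `cmd.exe` or `root.exe` paths); the request lines and addresses are constructed.

```python
"""Toy IDS pass over constructed web-server requests: signature rules for the
worm probes the slides name (Code Red hit /default.ida, Nimda asked for
cmd.exe / root.exe) alongside a volume-based anomaly rule.  Added example,
not from any product on the page; the request lines are constructed."""
import re
import statistics
from collections import Counter

SIGNATURES = {
    "code-red": re.compile(r"/default\.ida\?", re.I),
    "nimda": re.compile(r"/(cmd|root)\.exe", re.I),
}

# Constructed (source, method, path, status) tuples: a normal browser, one host
# (203.0.113.9, a documentation address) sending two worm probes, and one host
# requesting far more pages than everyone else.
SAMPLE_REQUESTS = [
    ("10.1.2.15", "GET", "/index.html", 200),
    ("10.1.2.15", "GET", "/images/logo.gif", 200),
    ("203.0.113.9", "GET", "/default.ida?" + "X" * 40, 404),
    ("203.0.113.9", "GET", "/scripts/root.exe", 404),
    ("10.1.2.15", "GET", "/about.html", 200),
] + [("192.0.2.40", "GET", f"/page{i}.html", 200) for i in range(40)]

def signature_alerts(requests):
    """Signature recognition: any request path matching a known-bad pattern."""
    return [(src, name, path)
            for src, _method, path, _status in requests
            for name, pat in SIGNATURES.items() if pat.search(path)]

def anomaly_alerts(requests, factor=5):
    """Anomaly detection: sources sending more than `factor` times the median
    per-source request count.  The median, not the mean, is the baseline so a
    single noisy host does not drag the threshold up with it."""
    per_src = Counter(src for src, *_ in requests)
    baseline = statistics.median(per_src.values())
    return [(src, n) for src, n in per_src.items() if n > factor * baseline]

def run_ids(requests):
    """Both rule families over the same traffic, as a real sensor would run them."""
    return {"signature": signature_alerts(requests),
            "anomaly": anomaly_alerts(requests)}

if __name__ == "__main__":
    for kind, hits in run_ids(SAMPLE_REQUESTS).items():
        print(kind, hits)
```

The two rule families catch different things: the signature rule fires on two requests from a source that sent almost no traffic, while the anomaly rule fires on a source whose requests look individually harmless but whose volume is far off the baseline. Neither alone would have flagged both, which is the reason the slide lists them together.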
IDS and HIDS
Trend Micro firewall
Wireshark – http://www.wireshark.org/
IDS – Cisco Secure IDS, http://www.cisco.com
IDS – Snort, http://www.snort.org
HIDS – BlackIce Defender, http://www.iss.net/products_services/products.php (IBM)
Honeypots – http://www.honeypots.net
Incident Response
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Incident Response
Do you have a plan?
Phone numbers (vendors, colleagues, managers, IPS,
RUPD); installation CDs; IP addresses; firewall and
router configs; passwords; phone-tree to notify users
Will you clean the infected machine(s), rebuild or call the
police?
What do you need to do to comply with the law?
Who is the decision-maker?
Will you keep the logs for analysis?
Will you be prepared to take notes to document every
stage of the response?
www.sans.org/score/incidentforms
www.net-security.org/article.php?id=775
Forensics
What are you trying to achieve?
Best left to an outside agency / law enforcement (LEO)
Kits are available
Final thoughts
The focus needs to be on where the
attacks are coming from
http://www.dshield.org
Questions
What questions do you have that I
did not answer?
What does the future hold?
Questions?
Contact Details:
Bruce Rights
[email protected]
732-445-8702
Thank you for coming
This course is an elective component
of the IT Certificate Program, a
collaborative effort of the Office of
Information Technology, University
Human Resources, and the Internal
Audit Department
http://uhr.rutgers.edu/profdev/itcert-program-info.asp
Information Protection & Security
(A Division of the Office of Information
Technology [OIT])
ASB Annex 1
Room 102
Busch campus
56 Bevier road
Piscataway, NJ 08854
phone: (732) 445-8011
fax: (732) 445-8023
[email protected]