Intrusion Analysis - Rci.rutgers.edu

Intrusion Detection and Analysis for
Windows-Based Computers
Rutgers University
Office of Information Technology
Presented By: Bruce Rights
Systems Administrator
Information Protection and Security,
Enterprise Systems and Services
Housekeeping
 Hours
 Bathrooms
 Fire exits
 Telephones
 Recycling
 Smoking
 Contact information
IT Certificate Program – Intrusion Analysis for Windows-Based
Computers
April 13, 2015
Intrusion Detection & Analysis
for Windows-Based Computers
 Welcome
 Introduction
Expectations and Objectives
 What would you like to get out of
this?
 What are your past experiences
 What has happened in the last
month?
Overview
 Intrusions - definitions and examples
 Anatomy of an Intrusion
 Analysis and detection tools: built-in; free;
third-party
 Logging and Auditing
 IDS and HIDS
 Incident Response
 Forensics
 Final Thoughts
 Questions
Intrusion: a definition
 Intrude - to thrust oneself in; to
enter uninvited or unwelcome, to
force in.
 intrusion - act of intruding
Intrusion: examples
 Viruses
 Worms
 Trojans
 Spyware
 Browser Helper Objects (BHO)
 P2P leverage
 Data theft
 Denial of service
 Remote Control
Intrusion: examples
 ‘I was just looking around’
 Keystroke logger
 Rootkits
 Cross Site Scripting
 Man in the Middle
 Sniffing
 Buffer Overflow
 SQL Injection
 Password Cracking
Intrusion: examples: viruses
 Sasser, Melissa, Sobig, Mydoom, etc.
 Self-propagating (strictly, Sasser is a network worm and Sobig and
Mydoom are mass-mailing worms; in everyday use the word "virus" is
applied to all of them)
 Purely malicious: no useful function for the victim
Intrusion: examples: worms
 Code Red
 Nimda
 Slammer
 Blaster
Intrusion: examples: trojans
 “a Trojan horse is a malicious
program that is disguised as or
embedded within legitimate software.
The term is derived from the classical
myth of the Trojan Horse. They may
look useful or interesting (or at the
very least harmless) to an
unsuspecting user, but are actually
harmful when executed.”
Intrusion: examples: spyware
 “…applications [that] collect information,
may or may not install in stealth, and
are designed to transmit that
information to 2nd, or 3rd parties
covertly employing the user's connection
without their consent and knowledge.
The word defines the actual intent; this
is software (ware) that is designed to
collect information in secret (spy).”
Intrusion: examples: browser
helper objects
 BHOs - a DLL that Internet Explorer loads into its own process at
startup so developers can customize and control the browser; it
therefore runs with the browser's full privileges and sees every page
and form the user visits
 Most are good:
 Google Toolbar
 Some are bad:
 CoolWebSearch
 BonziBuddy
Intrusion: examples: P2P leverage
 Attacker is looking to set up a music
or movie download site
 They are looking to use your
resources (disk space and bandwidth)
 They are looking to hide their tracks
 BitTorrent, TCP ports 6881-6889 by default (many clients now pick a
random port, so look for the traffic pattern, not only the port)
Intrusion: examples: denial-of-service
 lsass.exe exploit (Sasser): the worm's attack on the LSASS buffer
overflow crashes lsass.exe, and Windows forces a reboot when LSASS dies
 Traffic flooding:
 (SYN flood, ping of death)
 E-mail flooding
 Log filling (once the disk or the event log is full, later activity
goes unrecorded)
Intrusion: examples: remote control
 Remote Desktop
 VNC
 GoToMyPC
 PCAnywhere
 Back Orifice
 Beast
Intrusion: examples: remote control
 DameWare – a remote control utility
 It has been hijacked by the bad guys (it is a legitimate admin tool,
so a hit only matters if your site does not deploy it; check the
binary's path and signature before acting)
 Processes to look for include
DNTUCli.exe, DNTUCnvt.exe, DNTUS26.exe,
DWADEA.exe, DWExp.exe, DWMacDis.exe,
DWRCC.exe, DWRCCMD.exe,
DWRCCnvt.exe, DWRCINS.exe,
DWRCS.exe, DWRCST.exe, DWRTDE.exe
 TCP Port 6129 (the Mini Remote Control default)
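An added example, not from the original slides, that automates the check this slide describes in PowerShell: it looks for the process names listed above and for any TCP endpoint on port 6129, then reports the owning binary's path and Authenticode signature status so a legitimate DameWare install can be told apart from a renamed or unsigned copy. It assumes a Windows host with PowerShell 5.1 or later and the NetTCPIP module (Get-NetTCPConnection is the cmdlet equivalent of the `netstat -ano` mentioned among the built-in tools later in the deck), run from an elevated prompt so other users' process paths are readable.

```powershell
# Added example (not from the original slides). Assumes PowerShell 5.1+ on a
# Windows host with the NetTCPIP module; run elevated so Path is readable for
# every process. Process names and the port come from the slide above.

$DameWareProcesses = @(
    'DNTUCli', 'DNTUCnvt', 'DNTUS26', 'DWADEA', 'DWExp', 'DWMacDis',
    'DWRCC', 'DWRCCMD', 'DWRCCnvt', 'DWRCINS', 'DWRCS', 'DWRCST', 'DWRTDE'
)
$DameWarePort = 6129

function Get-SignatureStatus {
    # Returns the Authenticode status of an image, or a marker when the path
    # is missing or unreadable (typical for protected processes when not elevated).
    param([string] $Path)
    if (-not $Path) { return 'NoPath' }
    try { (Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop).Status.ToString() }
    catch { 'Unreadable' }
}

function Find-DameWareArtifacts {
    [CmdletBinding()]
    param(
        [string[]] $ProcessNames = $DameWareProcesses,
        [int]      $Port         = $DameWarePort
    )

    # 1. Running processes whose image name is on the list. Get-Process
    #    reports names without ".exe", and -contains compares case-insensitively.
    $procHits = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $ProcessNames -contains $_.ProcessName } |
        ForEach-Object {
            [pscustomobject]@{
                Kind      = 'Process'
                Name      = $_.ProcessName
                Pid       = $_.Id
                Signature = Get-SignatureStatus $_.Path
                Path      = $_.Path
                Detail    = 'name matches a known DameWare binary'
            }
        }

    # 2. Any TCP endpoint using the DameWare port, resolved to its owning
    #    process. A listener on 6129 owned by an unrecognised binary is the
    #    interesting case: the port tells you what the intruder intends,
    #    the process name tells you nothing if the binary was renamed.
    $portHits = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Kind      = 'Socket'
                Name      = $(if ($owner) { $owner.ProcessName } else { '<unknown>' })
                Pid       = $_.OwningProcess
                Signature = $(if ($owner) { Get-SignatureStatus $owner.Path } else { 'NoPath' })
                Path      = $(if ($owner) { $owner.Path } else { $null })
                Detail    = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)"
            }
        }

    # Force array semantics so the caller can count zero or one hit.
    return @($procHits) + @($portHits)
}

$hits = @(Find-DameWareArtifacts)
if ($hits.Count -eq 0) {
    Write-Host "No known DameWare process names and no TCP $DameWarePort activity found."
} else {
    $hits | Format-Table Kind, Name, Pid, Signature, Path, Detail -AutoSize
}
```

A Signature value of Valid with a path under the expected install directory is the benign case; NotSigned, HashMismatch or a path under a user profile or temp directory is the one to pull for analysis before the machine is touched further.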
Intrusion: examples: just looking around
 Attacker could be practicing
techniques, takes nothing, but leaves
a ‘calling card’
 Or they could be waiting to see if
they get caught.
 Or they were looking for something
specific you did not have.
Intrusion: examples: keystroke logger
 Can be a hardware or software device
 How many of you check your
keyboard connector every morning?
 http://www.keyghost.com
 Ctrl-Alt-Del provides some protection: it is the Secure Attention
Sequence, which only Winlogon can receive, so a fake logon screen
drawn by user-mode malware cannot capture the password typed after it
(a hardware logger or a kernel-mode driver still can)
Intrusion: examples: rootkits
 Malware which hides itself (its files, processes, registry keys and
network connections) from typical detection methods
 Can be persistent (survives a reboot) or memory-based (gone after a
reboot, but also leaves no file on disk to find)
 User-mode rootkits hook the Windows API calls that tools such as
Windows Explorer and Task Manager rely on, so those tools are lied to
 Kernel-mode rootkits alter kernel data structures or the system call
table, so every tool on the box, Task Manager and the antivirus
included, sees the same falsified view
 Detection relies on cross-view comparison: the same data read through
the high-level API and through a low-level path (raw disk, raw registry
hive), with any discrepancy flagged
 BlackLight: http://www.f-secure.com/blacklight
 Rootkit Revealer:
http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
 http://invisiblethings.org/
 http://www.rootkit.com/
Anatomy of an intrusion: Typical process
 Reconnaissance
 Scanning
 Exploit systems
 Keeping access
 Covering tracks
Anatomy of an intrusion: sql injection
 From an article by Jesper Johansson,
Microsoft, which appeared in TechNet
Magazine, Winter 2005
Anatomy of an intrusion: sql injection
[Network diagram from the article; components shown: Bad Guy, Internet,
Firewall, Web Server, Router, Firewall, SQL Server, Internal Domain,
Router, Data Center DC; addresses labelled 172.17.0.1, 172.17.0.2,
192.168.2.30 and 10.1.2.x]
Analysis and detection tools: built-in
 Task Manager
 Add / Remove Programs
 Event Viewer
 Perfmon
 ADUC / Computer Management MMC
 Msconfig
 IE Add-In Manager
 Command line tools, e.g., netstat
 Windows Explorer
Analysis and detection tools: free
 Spybot, http://safer-networking.org
 Ad-Aware,
http://www.lavasoftusa.com
 RADS, http://software.rutgers.edu
 Silent Runners,
http://www.silentrunners.org
 HijackThis, http://www.merijn.org
 CWShredder, http://www.merijn.org
Analysis and detection tools: third-party
 Trojan Hunter,
http://www.trojanhunter.com
 http://www.misec.net/
Logging and Auditing
 Establish an auditing and logging
policy
 This will include what to audit, and
how to store and read the logs
 Know what you are looking for –
events like 513 (Windows is shutting down), 529 (logon failure:
unknown user name or bad password), 530 (logon failure: outside the
permitted logon hours), 531 (logon failure: account disabled) and
539 (logon failure: account locked out). These are the Windows
2000/XP/2003 Security log IDs; from Vista/Server 2008 on the same
events are 4609 and 4625, with the reason for the failure carried in
the Status/SubStatus fields of 4625
 Read the logs using filtering, EventCombMT (Microsoft's
multi-server event log search tool) or MOM (Microsoft Operations
Manager)
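An added example in PowerShell, not from the original slides, that turns the event IDs above into a query a responder can run on a current Windows host. The legacy IDs 529, 530, 531 and 539 are all recorded as event 4625 on Vista/Server 2008 and later, with the old distinction carried in the SubStatus (or Status) field, so the function pulls 4625 from the Security log, decodes the reason, and groups failures by account and source address so a password-guessing run stands out. It assumes PowerShell 5.1 or later and an elevated session (the Security log is not readable otherwise); the 24-hour window and the threshold of ten failures are assumptions for illustration.

```powershell
# Added example (not from the original slides). Requires an elevated
# PowerShell 5.1+ session: reading the Security log needs administrator
# (or Event Log Readers) rights.

# Legacy (2000/XP/2003) Security IDs from the slide and their post-Vista
# equivalents. The four logon-failure IDs collapsed into 4625; the reason
# moved into that event's Status/SubStatus fields.
$LegacyToModern = @{
    513 = 4609   # Windows is shutting down
    529 = 4625   # Logon failure: unknown user name or bad password
    530 = 4625   # Logon failure: account logon time restriction
    531 = 4625   # Logon failure: account disabled
    539 = 4625   # Logon failure: account locked out
}

# NTSTATUS codes seen in 4625's Status/SubStatus fields. Hashtable string
# keys compare case-insensitively, so the hex case in the event is irrelevant.
$FailureReason = @{
    '0xC000006D' = 'bad user name or password (legacy 529)'
    '0xC0000064' = 'user name does not exist (legacy 529)'
    '0xC000006A' = 'wrong password (legacy 529)'
    '0xC000006F' = 'outside permitted logon hours (legacy 530)'
    '0xC0000072' = 'account disabled (legacy 531)'
    '0xC0000234' = 'account locked out (legacy 539)'
}

function ConvertFrom-LogonFailureEvent {
    # Flattens one 4625 event's EventData block into a simple object.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    $xml  = [xml] $Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # SubStatus is the more specific code when set; fall back to Status.
    $code = if ($data.SubStatus -and $data.SubStatus -ne '0x0') { $data.SubStatus } else { $data.Status }

    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = $data.LogonType
        Source      = $data.IpAddress
        Workstation = $data.WorkstationName
        Process     = $data.ProcessName
        Reason      = $(if ($code -and $FailureReason.ContainsKey($code)) { $FailureReason[$code] } else { "unmapped status $code" })
    }
}

function Get-FailedLogonSummary {
    # Pulls 4625 events from the last $Hours hours and flags every
    # account/source pair that failed at least $Threshold times.
    [CmdletBinding()]
    param(
        [int]    $Hours        = 24,
        [int]    $Threshold    = 10,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Security'
        Id        = $LegacyToModern[529]          # 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    $events   = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $failures = @($events | ForEach-Object { ConvertFrom-LogonFailureEvent $_ })

    $failures | Group-Object Account, Source | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Account = $_.Group[0].Account
            Source  = $_.Group[0].Source
            Count   = $_.Count
            Reasons = ($_.Group.Reason | Sort-Object -Unique) -join '; '
            First   = $times[0]
            Last    = $times[-1]
            Flag    = $(if ($_.Count -ge $Threshold) { 'POSSIBLE BRUTE FORCE' } else { '' })
        }
    } | Sort-Object Count -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Many accounts failing from one source with "user name does not exist" is a password spray or enumeration; one account failing many times is a brute force against it; a burst of "account locked out" across accounts is often the attacker locking out users on purpose (a denial of service through the lockout policy), which is why both the account and the source are kept in the grouping.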
IDS and HIDS
 A network IDS analyzes traffic, including the application-layer
payload, looking for malicious content
 Reconnaissance attacks (scans), exploit attacks,
DoS attacks
 They use a combination of anomaly
detection (deviation from a baseline of normal behaviour) and
signature recognition (known attack patterns): signatures miss new
attacks and anomaly detection produces false positives, which is
why both are used
 A host-based IDS (HIDS) runs on the machine being protected and
often utilizes information in the Event Logs, file integrity checks
and process activity; it sees what a network sensor cannot, such as
encrypted sessions and activity at the local console
 Honeypots: decoy systems with no production role, so any
connection to them is suspicious by definition
IDS and HIDS
 Trend Micro firewall
 Wireshark – http://www.wireshark.org/ (a packet analyzer rather
than an IDS, but the tool you verify an alert with)
 IDS - Cisco Secure IDS,
http://www.cisco.com
 IDS – Snort, http://www.snort.org
 HIDS - BlackIce Defender,
http://www.iss.net/products_services/products.php (ISS, now IBM)
 Honeypots – http://www.honeypots.net
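An added example, not from the original slides or from any of the products listed: a toy IDS in PowerShell that applies both of the techniques described above, signature recognition and anomaly detection, to a handful of constructed log records. The record layout (time, source, destination, destination port, protocol, payload), the three signatures, the port-scan threshold and the sample traffic are all assumptions made for this illustration; a real sensor such as Snort reassembles streams and carries thousands of rules, but the division of labour between the two methods is the same.

```powershell
# Added example (not from the original slides): a toy IDS that combines
# signature recognition with anomaly detection over constructed records.
# Field layout, rules, thresholds and sample data are assumptions.

# Constructed sample records: normal browsing, a SQL injection attempt
# carrying xp_cmdshell, a probe of the Back Orifice port, and a port sweep.
$SampleLines = @(
    '2015-04-13T09:00:01 10.0.0.5 192.168.2.30 80 tcp GET /product.asp?id=1'
    "2015-04-13T09:00:02 203.0.113.9 192.168.2.30 80 tcp GET /product.asp?id=1';exec master..xp_cmdshell 'dir'--"
    '2015-04-13T09:00:05 198.51.100.7 192.168.2.30 31337 udp probe'
)
$SampleLines += 1..20 | ForEach-Object {
    '2015-04-13T09:01:{0:d2} 203.0.113.9 192.168.2.30 {1} tcp SYN' -f $_, (1000 + $_)
}

# Signature rules: a payload regex, a destination port, or both.
# A null field means "match anything".
$Signatures = @(
    @{ Name = 'SQLi: xp_cmdshell in web request'; Port = 80;    Pattern = 'xp_cmdshell' }
    @{ Name = 'SQLi: quote followed by ; or --';  Port = 80;    Pattern = "'\s*(;|--)" }
    @{ Name = 'Back Orifice default port';        Port = 31337; Pattern = $null }
)

function ConvertFrom-LogLine {
    # Parses one record; the payload keeps any whitespace after field five.
    param([string] $Line)
    $f = $Line -split '\s+', 6
    if ($f.Count -lt 5) { return }
    [pscustomobject]@{
        Time    = $f[0]
        Src     = $f[1]
        Dst     = $f[2]
        DstPort = [int] $f[3]
        Proto   = $f[4]
        Payload = $(if ($f.Count -ge 6) { $f[5] } else { '' })
    }
}

function Invoke-ToyIds {
    [CmdletBinding()]
    param(
        [string[]] $Lines,
        [int]      $ScanPortThreshold = 10   # distinct ports from one source
    )
    $records = @($Lines | ForEach-Object { ConvertFrom-LogLine $_ })
    $alerts  = [System.Collections.Generic.List[object]]::new()

    # Signature recognition: precise on known attacks, blind to new ones.
    foreach ($r in $records) {
        foreach ($s in $Signatures) {
            $portMatch    = ($null -eq $s.Port)    -or ($r.DstPort -eq $s.Port)
            $payloadMatch = ($null -eq $s.Pattern) -or ($r.Payload -match $s.Pattern)
            if ($portMatch -and $payloadMatch) {
                $alerts.Add([pscustomobject]@{
                    Type   = 'Signature'
                    Source = $r.Src
                    Detail = "$($s.Name) -> $($r.Dst):$($r.DstPort)"
                })
            }
        }
    }

    # Anomaly detection: no rule names the attack, only the behaviour. One
    # source touching many distinct ports is reconnaissance whatever tool
    # sent it; the price is false positives from chatty legitimate hosts.
    foreach ($g in ($records | Group-Object Src)) {
        $distinctPorts = @($g.Group.DstPort | Sort-Object -Unique).Count
        if ($distinctPorts -ge $ScanPortThreshold) {
            $alerts.Add([pscustomobject]@{
                Type   = 'Anomaly'
                Source = $g.Name
                Detail = "$distinctPorts distinct destination ports (possible port scan)"
            })
        }
    }
    return $alerts
}

Invoke-ToyIds -Lines $SampleLines | Format-Table -AutoSize
```

On the sample data this produces two signature alerts for 203.0.113.9 (the xp_cmdshell request trips both SQL injection rules), one signature alert for 198.51.100.7 on port 31337, and one anomaly alert for 203.0.113.9, whose 21 distinct destination ports exceed the threshold even though none of the individual SYNs matched a rule.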
Incident Response
 Preparation
 Identification
 Containment
 Eradication
 Recovery
 Lessons Learned
Incident Response
 Do you have a plan?
 Phone numbers (vendors, colleagues, managers, IPS [Information
Protection and Security], RUPD [Rutgers University Police Department]);
installation CDs; IP addresses; firewall and router configs;
passwords; phone-tree to notify users
 Will you clean the infected machine(s), rebuild or call the
police? (Cleaning is rarely trustworthy once a rootkit or an unknown
remote-control tool is involved; rebuilding from known-good media is
the safe default)
 What do you need to do to comply with the law?
 Who is the decision-maker?
 Will you keep the logs for analysis?
 Will you be prepared to take notes to document every
stage of the response?
 www.sans.org/score/incidentforms
 www.net-security.org/article.php?id=775
Forensics
 What are you trying to achieve? (Restoring service and preserving
evidence pull in opposite directions: cleaning or rebuilding a machine
destroys the evidence on it)
 Best left to outside agency / LEO (law enforcement)
 Kits are available
Final thoughts
 The focus needs to be on where the
attacks are coming from
 http://www.dshield.org
Questions
 What questions do you have that I
did not answer?
 What does the future hold?
Questions?
 Contact Details:
 Bruce Rights
 [email protected]
 732-445-8702
Thank you for coming
 This course is an elective component
of the IT Certificate Program, a
collaborative effort of the Office of
Information Technology, University
Human Resources, and the Internal
Audit Department
 http://uhr.rutgers.edu/profdev/itcert-program-info.asp
Information Protection & Security
(A Division of the Office of Information
Technology [OIT])
 ASB Annex 1
Room 102
Busch campus
56 Bevier road
Piscataway, NJ 08854
phone: (732) 445-8011
fax: (732) 445-8023
[email protected]