TheTao of Network Security Monitoring

Transcription

1 TheTao of Network Security Monitoring BEYOND INTRUSION DETECTION Richard Bejtiich A Addison-Wesley Boston San Francisco New York Toronto Montreal London Munich Paris Madrid Capetown Sydney Tokyo Singapore Mexico City

2 Contents Foreword Preface About the Author About the Contributors xvii xix xxxi xxxjii PART 1 Chapter 1 INTRODUCTION TO NETWORK SECURITY MONITORING The Security Process What Is Security? What Is Risk? Threat Vulnerability Asset Value A Case Study on Risk Security Principles: Characteristics of the Intruder Some Intruders Are Smarter Than You Many Intruders Are Unpredictable Prevention Eventually Fails Security Principles: Phases of Compromise Reconnaissance Exploitation Reinforcement Consolidation Pillage IS VII

3 Security Principles: Defensible Networks 20 Defensible Networks Can Be Watched 20 Defensible Networks Limit an Intruder's Freedom to Maneuver 21 Defensible Networks Offer a Minimum Number of Services 23 Defensible Networks Can Be Kept Current Chapter 2 What Is Network Security Monitoring? 25 Indications and Warnings 25 Collection, Analysis, and Escalation 28 Detecting and Responding to Intrusions 29 Why Do IDS Deployments Often Fail? 3 0 Outsiders versus Insiders: What Is NSM's Focus? 3 I Security Principles: Detection 34 Intruders Who Can Communicate with Victims Can Be Detected 35 Detection through Sampling Is Better Than No Detection 35 Detection through Traffic Analysis Is Better Than No Detection 36 Security Principles: Limitations 37 Collecting Everything Is Ideal but Problematic 3 7 Real Time Isn't Always the Best Time 3 8 Extra Work Has a Cost 3 9 What NSM Is Not 40 NSM Is Not Device Management 40 NSM Is Not Security Event Management 40 NSM Is Not Network-Based Forensics 41 NSM Is Not Intrusion Prevention 41 NSM in Action Chapter 3 Deployment Considerations 45 Threat Models and Monitoring Zones 45 The Perimeter 48 The Demilitarized Zone 49 The Wireless Zone 50 The Intranet 50 Accessing Traffic in Each Zone 5 I Hubs 52 SPAN Ports 56 VIII

4 Taps Inline Devices Wireless Monitoring Sensor Architecture Hardware Operating System Sensor Management Console Access In-Band Remote Access Out-of-Band Remote Access PART II Chapter 4 Chapter 5 NETWORK SECURITY MONITORING PRODUCTS The Reference Intrusion Model The Scenario The Attack Full Content Data A Note on Software Libpcap Tcpdump Basic Usage of Tcpdump Using Tcpdump to Store Full Content Data Using Tcpdump to Read Stored Full Content Data Timestamps in Stored Full Content Data Increased Detail in Tcpdump Full Content Data Tcpdump and Berkeley Packet Filters Tethereal Basic Usage of Tethereal Using Tethereal to Store Full Content Data Using Tethereal to Read Stored Full Content Data Getting More Information from Tethereal Snort as Packet Logger Basic Usage of Snort as Packet Logger Using Snort to Store Full Content Data Using Snort to Read Stored Full Content Data IX

5 Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort 154 Ethereal 162 Basic Usage of Ethereal 162 Using Ethereal to Read Stored Full Content Data 164 Using Ethereal to Rebuild Sessions 167 Other Ethereal Features 169 A Note on Commercial Full Content Collection Options Chapter 6 Additional Data Analysis 173 Editcap and Mergecap 173 Tcpslice 174 Tcpreplay 179 Tcpflow 182 Ngrep 185 IPsumdump 189 Etherape 191 Netdude 193 Using Netdude 193 What Do Raw Trace Files Look Like? 196 POf Chapter 7 Session Data 211 Forms of Session Data 212 Cisco's NetFlow 214 Fprobe 220 Ng_netflow 222 Flow-tools 224 Flow-capture 225 Flow-cat and Flow-print 229 sflow and sflow Toolkit 232 Argus 234 Argus Server 236 Ra Client 238 Tcptrace

6 Chapter 8 Statistical Data 247 What Is Statistical Data? 248 Cisco Accounting 249 Ipcad 255 Ifstat 257 Bmon 258 Trafshow 260 Ttt 264 Tcpdstat 266 MRTG 271 Ntop Chapter 9 Alert Data: Bro and Prelude 285 Bro 286 Installing Bro and BRA 287 Interpreting Bro Output Files 292 Bro Capabilities and Limitations 297 Prelude 298 Installing Prelude 299 Interpreting Prelude Output Files 307 Installing PIWI 309 Using PIWI to View Prelude Events 31 I Prelude Capabilities and Limitations Chapter 10 Alert Data: NSM Using Sguil 317 Why Sguil? 318 So What Is Sguil? 319 The Basic Sguil Interface 3 21 Sguil's Answer to "Now What?" 323 Making Decisions with Sguil 329 Sguil versus the Reference Intrusion Model 3 3 I SHELLCODE x86 NOOP and Related Alerts 332 FTP SITE Overflow Attempt Alerts 339 SCAN nmap TCP Alerts 340 MISC MS Terminal Server Request Alerts XI

7 PART III Chapter NETWORK SECURITY MONITORING PROCESSES Best Practices Assessment Defined Security Policy Protection Access Control Traffic Scrubbing Proxies Detection Collection Identification Validation Escalation Response Short-Term Incident Containment Emergency Network Security Monitoring Back to Assessment Analyst Feedback Chapter 12 Case Studies for Managers Introduction to Hawke Helicopter Supplies Case Study 1: Emergency Network Security Monitoring Detection of Odd Orders System Administrators Respond Picking Up the Bat Phone Conducting Incident Response Incident Response Results Case Study 2: Evaluating Managed Security Monitoring Providers HHS Requirements for NSM HHS Vendor Questionnaire Asset Prioritization Case Study 3: Deploying an In-House NSM Solution Partner and Sales Offices HHS Demilitarized Zone Wireless Network Internal Network xii

8 "But Who Shall Watch the Watchers?" Other Staffing Issues PART IV Chapter 13 Chapter 14 NETWORK SECURITY MONITORING PEOPLE Analyst Training Program Weapons and Tactics Definition Tasks References Telecommunications Definition Tasks References System Administration Definition Tasks References Scripting and Programming Definition Tasks References Management and Policy Definition Tasks References Training in Action Periodicals and Web Sites Case Study: Staying Current with Tools Discovering DNS Normal Port 53 Traffic Normal Port 53 UDP Traffic Normal Port 53 TCP Traffic XIII

9 Suspicious Port 53 Traffic Suspicious Port 53 UDP Traffic Suspicious Port 53 TCP Traffic Malicious Port 53 Traffic Malicious Port 53 UDP Traffic Malicious Port 53 TCP and UDP Traffic Chapter 15 Harnessing the Power of Session Data The Session Scenario Session Data from the Wireless Segment Session Data from the DMZ Segment Session Data from the VLANs Session Data from the External Segment Chapter 16 Packet Monkey Heaven Truncated TCP Options SCAN FIN Chained Covert Channels PART V Chapter 17 THE INTRUDER VERSUS NETWORK SECURITY MONITORING Tools for Attacking Network Security Monitoring Packit IP Sorcery Fragroute LFT Xprobe2 Cisco IOS Denial of Service Solaris Sadmin Exploitation Attempt Microsoft RPC Exploitation XIV

10 Chapter 18 Tactics for Attacking Network Security Monitoring Promote Anonymity Attack from a Stepping-Stone Attack by Using a Spoofed Source Address Attack from a Netblock You Don't Own Attack from a Trusted Host Attack from a Familiar Netblock Attack the Client, Not the Server Use Public Intermediaries Evade Detection Time Attacks Properly Distribute Attacks Throughout Internet Space Employ Encryption Appear Normal Degrade or Deny Collection Deploy Decoys Consider Volume Attacks Attack the Sensor Separate Analysts from Their Consoles Self-inflicted Problems in NSM Epilogue The Future of Network Security Monitoring Remote Packet Capture and Centralized Analysis Integration of Vulnerability Assessment Products Anomaly Detection NSM Beyond the Gateway PART VI APPENDIXES 661 Appendix A Protocol Header Reference 663 Appendix B Intellectual History of Network Security Mohitoring 685 Appendix C Protocol Anomaly Detection 757 Index 765 xv