Network Security Monitoring

CEENET/GEANT Security Workshop Sofia, 2014 Network Security Monitoring An Introduction to the world of Intrusion Detection Systems Irvin Homem irvin@dsv.su.se Stockholm University

Who am I? Of Indian and Portuguese origin; Born and raised in Kenya (East Africa) Worked at Deloitte Eastern Africa (Enterprise Risk Services) MSc. Information & Communication Systems Security at the Royal Institute of Technology (KTH) Currently a PhD student at Stockholm University Automation of Digital Forensics

Cybersecurity is both a National and Economic security issue. Governments worldwide wage clandestine battles everyday in cyberspace. Richard Beijtlich, CSO Mandiant

History Stalking the Wily Hacker (Cliff Stoll, 1988) Accounting error of 75 cents between 2 systems in 1986 Looking for abnormal behavior Todd Heberlein Developed the first network IDS The Network Security Monitor (1988)

Network Security Monitoring The collection, analysis and escalation of indications and warnings to detect and respond to intrusions Simply: A way to find intruders on your network and do something about them before they do too much damage to your systems

Why NSM? Prevention eventually fails 100% security does not exist NSM doesn t prevent intrusions Provides transparency Improve for next time Defense in depth Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 20

Defense in Depth Pfleeger&Pfleeger, Computing in Security, 3rd Edition, Prentice Hall,2003

Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Why NSM? The time factor. Most attackers seek persistence today Persistence takes time to achieve South Carolina Dept. of Revenue incident Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

The Data we observe.

Legality and Privacy concerns Never do NSM on non private networks Always check the legality within your jurisdiction Wiretap Act (US Code 18 2511)... not unlawful for an operator, officer, employee or agent of wire or electronic communication service to intercept, disclose, or use that communication in the normal course of his employment Also not unlawful if one is party to a communication, or prior consent is given. In the EU, a little more strict Consult local law + Workers unions/councils + Privacy experts/unions

Types of NSM Data Full content Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Types of NSM Data (2) Extracted content HTML from webpages Images Downloaded files PDFs Exe s Docs Emails

Types of NSM Data (3) Session data Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Types of NSM Data (4) Transaction data Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Types of NSM Data (5) Statistical data Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Types of NSM Data (6) Metadata Data about data WhoIS IP / Domain name FIRE Finding Rogue networks Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Types of NSM Data (7) Alert data Events trigger rules to fire alerts Mainly logs from snort or suricata Can be aggregated and presented in interfaces like Snorby and Sguil Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Main Categories of NSM / IDS Host based IDS Snapshotting; Known File Hashes; System Files, config files Log all user activity and system calls E.g: OSSEC Network Node IDS Examine traffic on a particular node

Main Categories Network based IDS Promiscuous mode; listens to all network traffic Snort, Suricata, Bro Hybrid Combination of NIDS and HIDS

Placing your NIDS sensors (1)

Placing your NIDS sensors (2)

Getting Physical Access to Network Traffic From Switches Port Mirroring (Dell/Juniper) / Switched Port Analyzer (Cisco) One to one copy of traffic on switch ports is duplicated onto a dedicated port Using Network Taps Dedicated physical device put in between physical transmission media (cables) Copy traffic to dedicated port(s). One to one interface. Capturing traffic directly on a host or intermediate device E.g Firewalls / Routers but not very efficient due to lack sufficient storage Endpoints, especially servers. In Cloud infrastructures??

IDS Essential Mechanisms Signature based Signatures created by vendors, or sysadmins Based on previous knowledge of indicators in packets of an attack Depends on constant updates Fails with previously unheard of attack vectors / Zero day s Anomaly based Trained on normal network behavior Detects deviations from the norm Packets graded with Normalcy scores / abnormal threshold Stateful Protocol Analysis / State based Initial state Compromised state

Security Onion History: Originator Doug Burks Started in 2008 Followed the Ubuntu release schedule (more or less) Picked up a lot in 2011 Now has Ubuntu packages for the main tools (directly from Ubuntu ppa ) Get it here: https://code.google.com/p/security onion/

Easy wizard setup next, next, next

Security Onion toolbox (1) Source: Richard Bejtlich,The Practice of Network Security Monitoring, No Starch Press, 2013

Security Onion toolbox (2) Supporting tools: PF_RING (For process based load balancing) SOup (Security Onion Update) Salt (Like Puppet configuration management Salt Master/Salt minion) BPF (Berkley Packet Filters)

Salt Manually configuring multiple sensors? 5, 10, 50 sensors? Configuration management and updates Salt master + Salt minions Remote command execution E.g: Salt * command.run <mycommand> Sets up authentication automatically Updated rule sets at master periodically polled by minions User Management Users and SSH keys managed from master and pushed out to minions

Data Types Network based IDS alerts SNORT/ Suricata Host based IDS alerts OSSEC Syslog data syslog ng Asset data Bro/ PRADS Session data Argus/ Bro / PRADS Transaction data [http/ftp/dns/ssl and more] logs from Bro Full content data netsniff ng

IDS Silver Bullet CAN Add a greater degree of integrity to the rest of you infrastructure Trace user activity from point of entry to point of impact Recognize and report alterations to data Automate a task of monitoring the Internet searching for the latest attacks Detect when your system is under attack Detect errors in your system configuration Make the security management of your system possible by non expert staff CANNOT Compensate for a weak identification and authentication mechanisms Conduct investigations of attacks without human intervention Compensate for weaknesses in network protocols Compensate for problems in the quality or integrity of information a system provides Analyze all the traffic on a busy network Detect all packet level attacks Deal with some of the modern network hardware and features

NSM / IDS Drawbacks Encryption VPNs and Wireless networks Complicated network architecture can obscure transparency E.g: NAT ing Mobile platforms may never use a segment monitored by the NSM platform Massive network traffic can overwhelm sensors Privacy and legal concerns may limit capabilities

References The Practice of Network Security Monitoring Richard Bejtlich Understanding Intrusion Detection Systems SANS Reading Room, 2001

Thank you Questions?