Network Security: A New Perspective NIKSUN Inc.
- Security: State of the Industry
- Case Study: Hacker University
- Questions

Dave Supinski, VP of Regional Sales
Supinski@niksun.com
Cell phone: 215-292-4473
www.niksun.com
Needs:
- Reliance and dependency on e-business
- Need to interconnect networks
- Direct communication with suppliers and customers

Risks:
- Sensitive information being compromised
- Increasing number of intrusions and viruses
- Corporate policies being violated
- Constant attacks from sophisticated offenders

- 12 newborns would be given to the wrong parents each day.
- 291 pacemaker operations would be performed incorrectly.
- 315 entries in Webster's Dictionary would be misspelled.
- 3,056 copies of tomorrow's Wall Street Journal would be missing one of the three sections.
- 18,322 pieces of mail would be mishandled every hour.
- 20,000 incorrect drug prescriptions would be written each year.
- 880,000 credit cards would have incorrect cardholder information on their magnetic strips.
Cost of Computer Crime (chart). Based on responses from 538 security specialists in U.S. corporations, government agencies and universities. Source: 2001 Computer Security Institute/FBI Computer Crime and Security Survey.

Expenses Associated With Electronic Crime Are High (chart). Hypothetical scenario: $1 million stolen from a small, online bank. Source: Forrester Research.
Who are the Hackers?
Employees Cause Most Digital Break-Ins (chart). Based on a survey of 1,600 senior information technology professionals; multiple responses accepted. Source: PricewaterhouseCoopers and Information Week.

E-commerce Firms At A Higher Risk (chart).

Three-Tier Security Approach
- Avoidance: apply protective mechanisms (technologies) to reduce unauthorized access and intrusion attacks.
- Intrusion Detection: try to detect intrusions and attempted intrusions by reviewing audit logs and installing intrusion detection systems.
- Security Investigation: enable users to recover from security breach damage, prevent breaches from happening again, and prosecute offenders if necessary.

- Even the most sophisticated mechanisms have been compromised by sophisticated hackers.
- Firewalls, VPNs, and encryption technologies are complex to deploy and manage, leading to holes and vulnerabilities.

- Only detects attacks identified in the signature database
- Large number of false positives, and no way of dealing with false negatives
- Low throughput rates
- Limited post-event analysis capabilities
- Limited evidence gathering

- Requires lots of storage; heavily used networks become a challenge
- Collects all information
- An advanced monitoring system is required to find the appropriate information quickly

- Hackers usually come through the back door: hijacking computers, installation of Trojan horses
- Any hacker who breaks into a site erases all logs capable of tracking them
- Log analysis tools can be ineffective
- Correlation of log data is difficult because of the lack of synchronization between systems
- Sifting through tons of log data and alarms requires trained resources and time
- No data for real evidence

- Web defacements
- Domain Name Service (DNS) attacks
- Distributed Denial of Service (DDoS) attacks
- Viruses and worms
- Routing vulnerabilities
- Infrastructure attacks
- Compound attacks
Scenario diagram: NIDS alerts and the connection records behind them.
NIDS alerts:
  12:13 Scan detected from host x.x.x.x
  12:14 Buffer overflow on host y.y.y.y
Topology: Internet - x.x.x.x - firewall - NIDS - internal hosts r.r.r.r, s.s.s.s, t.t.t.t, y.y.y.y
Connection records:
  12.13.01 tcp hosts x.x.x.x r.r.r.r
  12.13.02 tcp hosts x.x.x.x s.s.s.s
  12.13.03 tcp hosts x.x.x.x t.t.t.t
  12.13.04 tcp hosts x.x.x.x y.y.y.y
  12.14.13 tcp hosts x.x.x.x y.y.y.y
  12.14.15 tcp hosts x.x.x.x y.y.y.y
  13.00.45 tcp hosts x.x.x.x y.y.y.y
  13.00.55 tcp hosts x.x.x.x y.y.y.y

Scenario diagram: denial of service attack against x.x.x.x.
NIDS alert:
  12:13 Denial of service attack
Topology: Internal hosts - NIDS - firewall - ISP router - Service Provider router
Response: block tcp packets to address x.x.x.x; packet-level analysis used to reconfigure the ISP router.
Detailed data records:
  12:13 tcp traffic to x.x.x.x detailed data
  12:14 tcp traffic to x.x.x.x detailed data
  12:15 tcp traffic to x.x.x.x detailed data
  12:16 tcp traffic to x.x.x.x detailed data
  12:17 tcp traffic to x.x.x.x detailed data
  12:18 tcp traffic to x.x.x.x detailed data
  12:19 tcp traffic to x.x.x.x detailed data
  12:20 tcp traffic to x.x.x.x detailed data
  12:21 tcp traffic to x.x.x.x detailed data
Crime Scene: Hacker University
Case: Student bringing down the grade server
Verdict: Guilty of penetration, creation of a backdoor, leaving files behind, and launching a DoS attack

Proverbial Friday morning: the Linux server is not responding. The incident response plan is activated!

The screen shows all the traffic during 12:44 pm - 12:49 pm. Most of the traffic monitored was IP (99.91%). The plot reveals a relatively low level of activity and a sudden spike in traffic load at about 12:48:16. Analyzing this traffic segment in more detail reveals a large number of ICMP packets generated from 205.152.118.182, as shown in the ICMP plots.
To discover what machines are out there on the network, applications like telnet or ping are employed. We first filter on all telnet traffic to see who was using telnet. The top 20 host pair connections are shown. Notice that there are many telnet sessions involving the IP address 139.92.137.2 and a lot of other machines. All the other machines reside on two known local subnets, 171.64.250.xx and 130.237.15.xx. This clearly indicates that a user on an external host, 139.92.137.2, was trying to find a particular machine on the university's local subnets.

By filtering on all IP traffic involving the host 139.92.137.2, we can focus on everything that this particular user did. The user performed a variety of TCP transactions and sent or received two UDP packets. The time plots suggest that the user surfed around looking for a vulnerable machine, then broke in somewhere and performed some data transfers (as shown in the traffic spikes on the right hand side).
Next, we list out all the TCP flows that the attacker was engaged in. Here, we clearly see the sequential progression of actions that the attacker took. First the attacker was hunting for a particular machine to penetrate. In total, 15 different IP hosts were visited before the attacker found what he/she was looking for.
We see that the attacker sent some packets to this machine addressed to the sunrpc port. The two UDP packets that we recorded were also targeted to this machine. The method of break-in was a buffer overflow on the sunrpc port. As a result, the attacker gained root access to the machine, which allowed him/her to basically take over the machine. The attacker then created a "backdoor" through port 60000, which allows him to gain automatic root access via this port.

After breaking into a local machine, the attacker then performs file transfers of various tools to set up for the attack. The key file that the user transfers is a set of his/her own unix tools. The source code for these tools is bundled in the file tb, which he downloads from his home server.
The attacker performs two ftp file transfers back to his/her home server to download two key files: smurf.c which is the code used to instigate the denial of service attack (via broadcast pings) and newones which is a list of 560 IP hosts involved in the attack. These addresses are the destination addresses in the ICMP ping packets sent by 205.152.118.182.
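The triage steps above (filter telnet traffic, rank host pairs, spot the external host hunting across the two local subnets, then list that host's flows and the sunrpc and backdoor ports) as a small Python script. This is an added example, not NIKSUN's code; it runs on constructed flow records that reuse the case study's addresses, and it assumes the local subnets are /24s and that "sunrpc port" means TCP/UDP 111.

```python
"""Flow-record triage following the Hacker University walk-through (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Local subnets named in the case study (assumed here to be /24s).
LOCAL_NETS = [ip_network("171.64.250.0/24"), ip_network("130.237.15.0/24")]

# Constructed flow records: (timestamp, proto, src, dst, dst_port). Addresses
# reuse the case study's; timestamps and port activity are invented here.
FLOWS = [
    (1000, "tcp", "139.92.137.2", "171.64.250.10", 23),
    (1001, "tcp", "139.92.137.2", "171.64.250.10", 23),
    (1002, "tcp", "139.92.137.2", "171.64.250.11", 23),
    (1005, "tcp", "139.92.137.2", "130.237.15.7", 23),
    (1007, "tcp", "171.64.250.11", "171.64.250.20", 23),  # local-to-local, benign
    (1010, "udp", "139.92.137.2", "130.237.15.7", 111),   # sunrpc probe (UDP)
    (1011, "tcp", "139.92.137.2", "130.237.15.7", 111),   # sunrpc (TCP)
    (1020, "tcp", "139.92.137.2", "130.237.15.7", 60000), # backdoor port from the text
    (1030, "tcp", "130.237.15.7", "139.92.137.2", 21),    # ftp back to the home server
]

def is_local(addr):
    return any(ip_address(addr) in net for net in LOCAL_NETS)

def top_telnet_pairs(flows, n=20):
    """Who was using telnet: the n most active (src, dst) pairs on TCP port 23."""
    pairs = Counter((s, d) for _, p, s, d, port in flows if p == "tcp" and port == 23)
    return pairs.most_common(n)

def external_sweepers(flows, min_targets=2):
    """External sources that reached several distinct local hosts: the hunting pattern."""
    targets = {}
    for _, _, s, d, _ in flows:
        if not is_local(s) and is_local(d):
            targets.setdefault(s, set()).add(d)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

def host_timeline(flows, host):
    """Every flow involving the host, in time order (the sequence of the attacker's actions)."""
    return sorted(f for f in flows if host in (f[2], f[3]))

def suspicious_ports(flows, host, watch=(111, 60000)):
    """Flows to the host on the ports the case study names: sunrpc (111) and the backdoor (60000)."""
    return [f for f in host_timeline(flows, host) if f[3] == host and f[4] in watch]

if __name__ == "__main__":
    print(top_telnet_pairs(FLOWS, 5))
    print(external_sweepers(FLOWS))
    for f in suspicious_ports(FLOWS, "130.237.15.7"):
        print(f)
```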
NetDetector: Security Camera for Your Network
- WAN/LAN networks up to gigabit speeds
- Store up to 1 TB of data
- Integrated IDS
- Application reassembly: Telnet, Email, Instant Messenger, Web, VoIP

- IDS and Anomaly Detection: customize alerts to identify malicious attacks, worms, spoofing, SNORT etc.
- Investigation of Security Alerts: identify real threats from false positives, fine tune security parameters
- Security Impact Analysis: conduct complete analysis of a security breach - determine source, identify systems and information compromised
- Law-Enforcement / Auditing: record traffic for auditing and legal requirements
- Monitoring of Unauthorized Network Usage: reconstruction of web pages, emails, telnet, chat and other applications to determine the source of a violation
Network Security & Intelligence At Your Fingertips