1. Lecture 9: Data Collection and Analysis, ISA 564, Mohamed Sharif
2. Lecture 9 Covers the following chapters in the text
Chapter 3
Data Recovery
Chapter 10
Intrusion Detection Systems (IDSs)
Chapter 11
File Integrity Checkers
Chapter 12
Computer Forensic
3. Intrusion Detection System
4. Intrusion Detection Systems
Principles
Assume intruder behavior differs from legitimate users
Identify apparent attacks
Problems with Accuracy
Too many false positives (false alarms)
Too many false negatives (overlooked incidents)
Event logging in log files for analysis
Log files for retrospective analysis by humans
Elements of an IDS
Event logging
Analysis method
Action
Management
5. Distributed IDS
6. Distributed IDSs
Manager
Agents
Distribution of functionality between agents and managers (analysis and action)
Batch versus Real-Time Data Transfer
Batch mode: Every few minutes or hours; efficient
Real-time: As events occur or shortly afterward; little or no data loss if attacker eliminates log file on agent’s computer
Must have secure manager-agent communication
Must have automatic vendor updates with secure communication
7. Network IDSs (NIDSs)
Located at crucial network nodes (switches, routers, etc.)
Can collect data on all ports
Collect data to and from many hosts
Weaknesses
Only see traffic passing through their locations
Cannot filter encrypted packets
8. Host IDSs
Located on individual host computers
Collect the same type of information as a NIDS, but only for that host
Might see data after decryption
Other host-based tools
File integrity checker programs
Operating System Monitors
Application Monitors
Weaknesses of Host IDSs
Limited Viewpoint; Only see events on one host
If the host is hacked, the host IDS can be attacked and disabled
9. Log Files
Flat files of time-stamped events
Individual logs only see what the host, switch, or router can see
Integrated logs
Aggregation of event logs from multiple IDS agents
Difficult to create because of format incompatibilities
Time synchronization of IDS event logs is crucial (Network Time Protocol or NTP)
Can see suspicious patterns in a series of events across multiple devices
10. Analysis Methods
Static packet filtering
Stateful filtering
Full protocol decoding (filters based upon stage in dialogue—login, etc.)
Statistical analysis (frequency thresholds for reporting)
Anomaly detection (compares normal and current operation)
Creates many false positives
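The integrated-log and analysis-method ideas on the two slides above (slides 9 and 10), worked through as an added example that is not part of the lecture: two agents write logs in incompatible formats and clocks, the events are normalized to UTC and merged into one timeline, and a frequency-threshold rule is correlated with an alert from a second device. All log lines, host names, addresses and the hostA time zone are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records from two agents with incompatible formats.
# The host IDS stamps local time with no zone marker; the NIDS writes ISO 8601 with an offset.
HOST_LOG = """\
Mar 03 09:00:01 hostA sshd: Failed password for root from 203.0.113.9
Mar 03 09:00:03 hostA sshd: Failed password for root from 203.0.113.9
Mar 03 09:00:04 hostA sshd: Failed password for admin from 203.0.113.9
Mar 03 09:00:06 hostA sshd: Accepted password for bob from 198.51.100.4
"""
NIDS_LOG = """\
2024-03-03T14:00:02+00:00,nids1,203.0.113.9,10.0.0.5,SSH brute-force signature
2024-03-03T14:00:20+00:00,nids1,198.51.100.4,10.0.0.5,port scan signature
"""
HOST_TZ = timezone(timedelta(hours=-5))  # assumed: hostA's clock is NTP-synced and its zone is known

HOST_RE = re.compile(r"(\w{3} \d\d \d\d:\d\d:\d\d) (\S+) sshd: (Failed|Accepted) password for \S+ from (\S+)")

def parse_host(text, year=2024):
    """Syslog-style lines -> normalized events with UTC timestamps."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=HOST_TZ)
            yield {"ts": ts.astimezone(timezone.utc), "dev": m[2], "src": m[4], "event": m[3].lower()}

def parse_nids(text):
    """CSV alert lines -> the same normalized shape."""
    for line in text.splitlines():
        ts, dev, src, _dst, sig = line.split(",")
        yield {"ts": datetime.fromisoformat(ts), "dev": dev, "src": src, "event": sig}

def integrate(*streams):
    """Merge events from all agents into one timeline; only meaningful once clocks agree."""
    return sorted((e for s in streams for e in s), key=lambda e: e["ts"])

def detect(events, threshold=3, window=timedelta(seconds=60)):
    """Frequency-threshold rule on one host plus correlation with an alert from another device."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["event"] == "failed":
            failures[e["src"]].append(e["ts"])
            if len([t for t in failures[e["src"]] if e["ts"] - t <= window]) == threshold:
                alerts.append(("threshold", e["src"], e["dev"]))
        elif e["dev"].startswith("nids") and e["src"] in failures:
            alerts.append(("correlated", e["src"], e["dev"]))  # NIDS and host IDS agree on this source
    return alerts
```

Without the zone conversion in parse_host, hostA's events would sort five hours before the NIDS alert and the cross-device correlation would fire out of order or not at all.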
11. Actions
Alarms
Interactive analysis
Manual event inspection of raw log file
Pattern retrieval
Reporting
Automated response
Dangerous
Special danger of attack-back (might be illegal; might hurt victim)
Automation for clear attacks brings speed of response
12. Intrusion Response: Initiation and Analysis
Initiation
Report a potential incident
Everyone must know how to report incidents
Analysis
Confirm that the incident is real
Determine its scope: Who is attacking; what are they doing
Containment
Disconnection of the system from the site network or the site network from the internet (damaging)
Harmful, so must be done only with proper authorization
Black-holing the attacker (only works for a short time)
Sometimes, continue to collect data (allows harm to continue) to understand the situation better
13. Intrusion Response: Recovery
Repair of running system (hard to do but keeps system operating with no data loss)
Restoration from backup tapes (loses data since last backup)
Reinstallation of operating system and applications
Must have good configuration documentation before the incident
Protecting the System After the Attack
Hacked system must be hardened
Especially important because many hackers will attack it in following weeks or months
14. Intrusion Prevention Systems (IPS)
Recent addition to security products that:
Can block traffic like a firewall
Using IDS algorithms
May be network or host based
15. Intrusion Prevention Systems
Actions
Drop packets
Limit bandwidth of attack stream to a server
When attack packets and legitimate packets to a host cannot be separated accurately
Still hurts legitimate packets to that host
Protects other traffic from overload
16. IDS and IPS Placement
17. Firewalls, IDSs, and IPSs
Firewalls Versus IDSs
Firewalls drop packets
IDSs only generate alarms
Too many false positives (false alarms) to drop suspicious packets safely
IDSs versus IPSs
IDSs merely send alarms
IPSs, using the same filtering mechanisms, actually drop suspicious packets that have a high confidence of being attacks
18. Honeypots
Are decoy systems
Filled with fabricated info
instrumented with monitors / event loggers
divert and hold attacker to collect activity info
without exposing production systems
Initially were single systems
More recently are/emulate entire networks
19. Honeypot Deployment
20. Computer Forensics
Computer forensics is a process that tries to provide an accurate account of computer system violations, which include the following:
Recovering deleted files
Unauthorized access
Unauthorized use of resources
Discovering illegal data on computer system
Recovering damaged file information
Monitoring live activity
21. Steps of Computer Forensics
Tries to address the following:
How, what, where, who, and why
By forming the following steps
Acquisition
Getting access to computer
Identification
Identifying what and where
Use computer forensic tools
Evaluation
Determining How, why and who
Presentation
Writing a technical report
22. Information on the Computer
Open Network Connections
Communication between this computer and other systems in the network
Active Processes
Processes currently active on the system
Log Files
Such as browser history, event viewer, and intrusion detection file
Logged-on Users
Users currently connected to the computer
Files
Currently or recently in use, such as libraries, spyware, etc.
Management files
Configuration settings, system files and registry settings
24. Computer Forensic Requirements
Familiar with all internal and external devices/components of a computer
Hardware
BIOS
Operating Systems
Software
Popular software packages
Forensic and Anti-Forensic Tools
Methods of Hiding information
Steganography
Hidden drive spaces
Bad sectors
Slack Spaces
Encryption
Hashing Functions
25. Data Recovery (DR)
DR is a process that allows a computer user to recover lost or damaged files
DR is possible because the file and information about the file are two different things and stored in two different places
Windows operating system uses two file systems to keep track of which files are on the hard drive and where those files are stored
File Allocation Table (FAT)
New Technology File System (NTFS)
Cluster remapping
Transaction logging
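The claim above that recovery works because the file's data and the information about the file live in different places, shown with an added example that is not part of the lecture. It is a constructed, simplified FAT-like volume; the 32-byte directory entry layout and the 0xE5 deletion marker follow the real FAT convention, but the allocator, cluster size and volume size are assumptions made for the demonstration.

```python
import struct

CLUSTER = 512    # bytes per data cluster in this constructed volume (assumption)
DELETED = 0xE5   # real FAT convention: first byte of the entry's name is set to 0xE5 on deletion
EOC = 0xFFF      # end-of-chain marker (FAT12 value)

def make_entry(name, ext, first_cluster, size):
    """32-byte FAT short directory entry using the real field offsets: name@0, ext@8, cluster@26, size@28."""
    e = bytearray(32)
    e[0:8], e[8:11] = name.ljust(8).encode(), ext.ljust(3).encode()
    struct.pack_into("<HI", e, 26, first_cluster, size)
    return e

class ToyVolume:  # the directory (metadata) and the data area (contents) are separate regions
    def __init__(self, n_clusters=8):
        self.directory = bytearray()
        self.data = bytearray(CLUSTER * n_clusters)
        self.fat = [0] * n_clusters             # cluster chains; 0 = free; clusters 0-1 are reserved
    def _alloc(self, n):                        # first-fit run of n free clusters (assumed allocator)
        for start in range(2, len(self.fat) - n + 1):
            if all(self.fat[c] == 0 for c in range(start, start + n)):
                return start
        raise OSError("volume full")
    def write_file(self, name, ext, content):
        n = max(1, -(-len(content) // CLUSTER))
        first = self._alloc(n)
        for i in range(n):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            c = first + i
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # bytes past len(chunk) are slack space
            self.fat[c] = c + 1 if i < n - 1 else EOC
        self.directory += make_entry(name, ext, first, len(content))
    def delete_file(self, name):
        """Deletion flags the entry and frees the chain; the data clusters are left untouched."""
        for off in range(0, len(self.directory), 32):
            if self.directory[off:off + 8].decode("latin-1").strip() == name:
                self.directory[off] = DELETED
                c = struct.unpack_from("<H", self.directory, off + 26)[0]
                while c != EOC:
                    self.fat[c], c = 0, self.fat[c]
    def recover_deleted(self):
        """What an undelete tool does: trust the surviving first-cluster and size fields, assume contiguity."""
        found = {}
        for off in range(0, len(self.directory), 32):
            if self.directory[off] == DELETED:
                name = "?" + self.directory[off + 1:off + 8].decode("latin-1").strip()  # first char is lost
                first, size = struct.unpack_from("<HI", self.directory, off + 26)
                found[name] = bytes(self.data[first * CLUSTER:first * CLUSTER + size])
        return found
```

Writing a new file after the deletion reuses the freed clusters, so the recovered content becomes partly overwritten; this is why recovery must happen before the volume is written to again.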
26. Lab 9: Data Collection and Analysis
Software download website:
http://wps.prenhall.com/bp_boyle_ais_1/121/31018/7940852.cw/index.html
Become familiar with the labs in chapters 3, 10, 11, and 12, especially the following tools
Data Recovery
RECUVA
ERASER
IDS & Honeypot
Honeypot
SNORT
File Integrity Checkers
HASHCALC
FileVerifier++
Forensic
BGINFO
NIGILANT32
Write a short analysis with emphasis on:
The underlying technology
Type of system or network used to perform these labs
The strengths and weaknesses of these tools
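The underlying technology of the file integrity checkers listed for the lab (HashCalc, FileVerifier++, and the chapter 11 material), as an added example that is not one of those tools' code: a baseline of SHA-256 hashes is taken, the tree is re-hashed later, and added, removed and modified files are reported. The baseline is protected with an HMAC so tampering with the manifest itself is detected; the key name, key value and the sample file tree are constructed assumptions.

```python
import hashlib, hmac, json, os, tempfile

# Hypothetical key; in practice it is kept off the monitored host so an intruder who
# alters a file cannot also re-sign the baseline to hide the change.
BASELINE_KEY = b"example-only-key"

def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record the SHA-256 of every file under root, keyed by relative path, and MAC the manifest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"files": manifest, "mac": hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()}

def verify(root, baseline):
    """Re-hash the tree and report what changed since the baseline was taken."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        raise ValueError("baseline manifest has been tampered with")
    old, new = baseline["files"], build_baseline(root)["files"]
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: take a baseline, then edit one file, add one and delete one."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"original binary")
        write(root, "etc/passwd", b"root:x:0:0")
        write(root, "etc/motd", b"welcome")
        baseline = build_baseline(root)
        write(root, "bin/ls", b"replaced binary")      # modified in place
        write(root, "etc/new.conf", b"x")               # unexpected new file
        os.remove(os.path.join(root, "etc/motd"))       # deleted
        return verify(root, baseline)
```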
27. References
Applied Information Security, by R. Boyle
Computer Security: Principles and Practice, by W. Stallings and L. Brown.
Corporate Computer and Network Security, by R. Panko
Network Security Essentials 3rd Edition by W. Stallings.
Cryptography and Network Security 4th Edition by W. Stallings
Computer Security, Art and Science, by Matt Bishop
Security in Computing, 4/e, by C. Pfleeger and S. Pfleeger
Network Security, Private Communication in a Public World 2nd Edition by C. Kaufman, R. Perlman and M. Speciner.
Data Communications and Networking, 4th, B. Forouzan
Computer Networking, 3rd, by J. Kurose and K. Ross
Applied Cryptography 2nd Edition by B. Schneier
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
Designing Network Security by M. Kaeo – Cisco Press
http://wins.kocaeli.edu.tr/akavak/438lecture4.ppt