
Lecture 9 Data Collection and Analysis ISA 564 Mohamed Sharif





Presentation Transcript


    1. Lecture 9 Data Collection and Analysis ISA 564 Mohamed Sharif

    2. Lecture 9
       Covers the following chapters in the text:
       - Chapter 3: Data Recovery
       - Chapter 10: Intrusion Detection Systems (IDSs)
       - Chapter 11: File Integrity Checkers
       - Chapter 12: Computer Forensics

    3. Intrusion Detection System

    4. Intrusion Detection Systems
       Principles
       - Assume intruder behavior differs from that of legitimate users
       - Identify apparent attacks
       Problems with accuracy
       - Too many false positives (false alarms)
       - Too many false negatives (overlooked incidents)
       Event logging in log files for analysis
       - Log files for retrospective analysis by humans
       Elements of an IDS
       - Event logging
       - Analysis method
       - Action
       - Management

    5. Distributed IDS

    6. Distributed IDSs
       - Manager
       - Agents
       - Distribution of functionality between agents and managers (analysis and action)
       Batch versus real-time data transfer
       - Batch mode: every few minutes or hours; efficient
       - Real-time: as events occur or shortly afterward; little or no data loss if the attacker deletes the log file on the agent's computer
       - Must have secure manager-agent communication
       - Must have automatic vendor updates over secure communication

    7. Network IDSs (NIDSs)
       - Located at crucial network nodes (switches, routers, etc.)
       - Can collect data on all ports
       - Collect data to and from many hosts
       Weaknesses
       - Only see traffic passing through their locations
       - Cannot filter encrypted packets

    8. Host IDSs
       - Located on individual host computers
       - Collect the same type of information as a NIDS, but only for that host
       - Might see data after decryption
       Other host-based tools
       - File integrity checker programs
       - Operating system monitors
       - Application monitors
       Weaknesses of host IDSs
       - Limited viewpoint: only see events on one host
       - If the host is hacked, the host IDS can be attacked and disabled

    9. Log Files
       - Flat files of time-stamped events
       - Individual logs only see what the host, switch, or router can see
       Integrated logs
       - Aggregation of event logs from multiple IDS agents
       - Difficult to create because of format incompatibilities
       - Time synchronization of IDS event logs is crucial (Network Time Protocol, NTP)
       - Can reveal suspicious patterns in a series of events across multiple devices
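An added example (not part of the lecture) of building an integrated log: two agents with incompatible formats and different clocks are normalized to UTC, merged in time order, and searched for a pattern that neither agent can see alone. The log lines, host name srv5 and its assumed UTC-5 zone are constructed; the UTC constant at the end stands for an agent whose local clock is taken at face value because it is not synchronized.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records from two agents. The NIDS logs UTC in ISO form; the host
# agent writes classic syslog lines in local time, with no zone and no year at all.
NIDS_LOG = ["2024-03-05T14:02:10Z alert tcp 203.0.113.7 -> 10.0.0.5:22 SSH brute-force signature"]
HOST_LOG = [
    "Mar  5 09:02:15 srv5 sshd[812]: Failed password for root from 203.0.113.7 port 51000",
    "Mar  5 09:02:19 srv5 sshd[812]: Failed password for root from 203.0.113.7 port 51002",
    "Mar  5 09:02:41 srv5 sshd[812]: Accepted password for root from 203.0.113.7 port 51009",
]
HOST_TZ = timezone(timedelta(hours=-5))  # assumed local zone of srv5 (UTC-5)
UTC = timezone.utc                        # what you get when an unsynchronized clock is read as-is

def parse_nids(line):
    m = re.match(r"(\S+) alert \S+ (\S+) -> \S+ (.*)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "agent": "nids", "src": m.group(2), "event": m.group(3)}

def parse_host(line, host_tz, year=2024):
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for \S+ from (\S+)", line)
    stamp = " ".join(m.group(1).split())   # collapse syslog's space-padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=host_tz)
    return {"ts": ts.astimezone(timezone.utc), "agent": m.group(2), "src": m.group(4), "event": m.group(3)}

def integrate(nids_lines, host_lines, host_tz=HOST_TZ):
    """Normalize both feeds to UTC and merge them into one time-ordered integrated log."""
    events = [parse_nids(l) for l in nids_lines] + [parse_host(l, host_tz) for l in host_lines]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5)):
    """Cross-device pattern: a NIDS alert on a source, followed on a host by repeated failed
    logins and then a successful one from that same source, all within the window."""
    findings = []
    for alert in (e for e in events if e["agent"] == "nids"):
        later = [e for e in events if e["agent"] != "nids" and e["src"] == alert["src"]
                 and alert["ts"] <= e["ts"] <= alert["ts"] + window]
        failed = sum(1 for e in later if e["event"] == "Failed")
        accepted = [e for e in later if e["event"] == "Accepted"]
        if failed >= 2 and accepted:
            findings.append((alert["src"], accepted[0]["agent"], failed))
    return findings
```

With the host clock misread as UTC (the `UTC` case), the host events sort five hours before the alert and the pattern is missed, which is the slide's point about NTP.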

    10. Analysis Methods
       - Static packet filtering
       - Stateful filtering
       - Full protocol decoding (filters based on the stage in the dialogue: login, etc.)
       - Statistical analysis (frequency thresholds for reporting)
       - Anomaly detection (compares normal and current operation); creates many false positives
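An added example (not from the lecture) contrasting the last two methods on the same constructed data: a fixed frequency threshold versus anomaly detection against a learned baseline, scored with the false-positive and false-negative terms from slide 4. The connection counts, the backup burst at 09:02 and the scan at 09:04 are constructed.

```python
from statistics import mean, pstdev

# Constructed data: outbound connections per minute from one workstation.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 17, 15, 14, 13, 12, 15, 14, 16, 13]  # "normal"
CURRENT = [("09:00", 14), ("09:01", 13), ("09:02", 60), ("09:03", 15), ("09:04", 400)]  # minute, count
INCIDENTS = ["09:04"]   # ground truth: 09:04 is a real scan, 09:02 is a legitimate backup burst

def threshold_alerts(samples, limit):
    """Statistical analysis: report every minute whose count exceeds a fixed frequency threshold."""
    return [t for t, count in samples if count > limit]

def anomaly_alerts(samples, baseline, sigmas=3.0):
    """Anomaly detection: flag minutes more than `sigmas` standard deviations above the
    learned baseline (current operation compared with normal operation)."""
    mu, sd = mean(baseline), pstdev(baseline)
    return [t for t, count in samples if (count - mu) / sd > sigmas]

def accuracy(alerted, incidents):
    """False positives: alarms with no incident behind them. False negatives: incidents with no alarm."""
    return {"false_positives": sorted(set(alerted) - set(incidents)),
            "false_negatives": sorted(set(incidents) - set(alerted))}

def compare_detectors():
    """Run both methods over the same window and score them against the ground truth."""
    return {
        "threshold_100": accuracy(threshold_alerts(CURRENT, 100), INCIDENTS),
        "threshold_500": accuracy(threshold_alerts(CURRENT, 500), INCIDENTS),
        "anomaly_3sigma": accuracy(anomaly_alerts(CURRENT, BASELINE), INCIDENTS),
    }
```

The threshold only works once it is tuned (100 catches the scan, 500 misses it), while the anomaly detector needs no tuning but raises a false alarm on the legitimate burst.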

    11. Actions
       - Alarms
       Interactive analysis
       - Manual event inspection of the raw log file
       - Pattern retrieval
       - Reporting
       Automated response
       - Dangerous
       - Special danger of attack-back (might be illegal; might hurt a victim)
       - Automation for clear attacks brings speed of response

    12. Intrusion Response: Initiation and Analysis
       Initiation
       - Report a potential incident
       - Everyone must know how to report incidents
       Analysis
       - Confirm that the incident is real
       - Determine its scope: who is attacking and what they are doing
       Containment
       - Disconnection of the system from the site network, or of the site network from the Internet (damaging)
       - Harmful, so must be done only with proper authorization
       - Black-holing the attacker (only works for a short time)
       - Sometimes continue to collect data (allows the harm to continue) to understand the situation better

    13. Intrusion Response: Recovery
       - Repair of the running system (hard to do, but keeps the system operating with no data loss)
       - Restoration from backup tapes (loses data since the last backup)
       - Reinstallation of the operating system and applications
       - Must have good configuration documentation before the incident
       Protecting the system after the attack
       - The hacked system must be hardened
       - Especially important because many hackers will attack it in the following weeks or months

    14. Intrusion Prevention Systems (IPSs)
       - Recent addition to security products
       - Can block traffic like a firewall, using IDS algorithms
       - May be network- or host-based

    15. Intrusion Prevention Systems: Actions
       - Drop packets
       - Limit the bandwidth of an attack stream to a server
         - When attack packets and legitimate packets to a host cannot be separated accurately
         - Still hurts legitimate packets to that host
         - Protects other traffic from overload

    16. IDS and IPS Placement

    17. Firewalls, IDSs, and IPSs
       Firewalls versus IDSs
       - Firewalls drop packets
       - IDSs only generate alarms: too many false positives (false alarms) to drop suspicious packets safely
       IDSs versus IPSs
       - IDSs merely send alarms
       - IPSs, using the same filtering mechanisms, actually drop suspicious packets that have a high confidence of being attacks

    18. Honeypots
       - Are decoy systems filled with fabricated information
       - Instrumented with monitors / event loggers
       - Divert and hold the attacker to collect activity information without exposing production systems
       - Initially were single systems
       - More recently are, or emulate, entire networks

    19. Honeypot Deployment

    20. Computer Forensics
       Computer forensics is a process that tries to provide an accurate account of computer system violations, which include the following:
       - Recovering deleted files
       - Unauthorized access
       - Unauthorized use of resources
       - Discovering illegal data on a computer system
       - Recovering damaged file information
       - Monitoring live activity

    21. Steps of Computer Forensics
       Tries to address the following: how, what, where, who, and why
       By following these steps:
       - Acquisition: getting access to the computer
       - Identification: identifying what and where, using computer forensic tools
       - Evaluation: determining how, why, and who
       - Presentation: writing a technical report

    22. Information on the Computer
       - Open network connections: communication between this computer and other systems in the network
       - Active processes: processes currently active on the system
       - Log files: such as browser history, event viewer, and intrusion detection files
       - Logged-on users: users currently connected to the computer
       - Files: currently or recently in use, such as libraries, spyware, etc.
       - Management files: configuration settings, system files, and registry settings

    24. Computer Forensic Requirements
       Familiar with all internal and external devices/components of a computer
       - Hardware
       - BIOS
       - Operating systems
       - Software
       - Popular software packages
       - Forensic and anti-forensic tools
       Methods of hiding information
       - Steganography
       - Hidden drive spaces
       - Bad sectors
       - Slack spaces
       - Encryption
       - Hashing functions

    25. Data Recovery (DR)
       - DR is a process that allows a computer user to recover lost or damaged files
       - DR is possible because the file and the information about the file are two different things, stored in two different places
       - The Windows operating system uses two file systems to keep track of which files are on the hard drive and where those files are stored:
         - File Allocation Table (FAT)
         - New Technology File System (NTFS): cluster remapping, transaction logging
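An added example (not from the lecture or the Recuva lab) of why DR works: a toy FAT-style volume keeps the data area, the cluster chains (FAT) and the directory entries apart, so deleting a file only edits the metadata, and an undelete tool can read the data back until a later write reuses the freed clusters. The volume layout, cluster size and file contents are constructed.

```python
CLUSTER, N_CLUSTERS, EOC = 16, 8, 0xFFF   # tiny constructed volume; EOC = end-of-chain as in FAT12

class TinyFat:
    """Toy FAT-style volume. The data area, the FAT (cluster chains) and the directory
    (names, start cluster, size) are stored separately, which is the property DR relies on."""
    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        self.fat = [EOC, EOC] + [0] * (N_CLUSTERS - 2)   # clusters 0-1 reserved; 0 = free
        self.directory = []                               # entries: [11-byte name, start cluster, size]

    def write(self, name, content):
        """Allocate free clusters, chain them in the FAT, copy the data, add a directory entry."""
        needed = -(-len(content) // CLUSTER)
        free = [c for c in range(2, N_CLUSTERS) if self.fat[c] == 0][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for i, c in enumerate(free):
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = content[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.fat[c] = free[i + 1] if i + 1 < needed else EOC
        self.directory.append([name.encode().ljust(11), free[0], len(content)])

    def delete(self, name):
        """Deletion only edits metadata: free the chain and mark the name 0xE5. Data stays on disk."""
        entry = next(e for e in self.directory if e[0] == name.encode().ljust(11))
        c = entry[1]
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = 0
            c = nxt
        entry[0] = b"\xe5" + entry[0][1:]

    def undelete(self):
        """What a recovery tool does: for each 0xE5 entry read `size` bytes from its start
        cluster, assuming the clusters were contiguous, since the chain is gone from the FAT."""
        return {"?" + e[0][1:].strip().decode(): bytes(self.data[e[1] * CLUSTER:e[1] * CLUSTER + e[2]])
                for e in self.directory if e[0][0] == 0xE5}

def demo():
    """Constructed run: delete a 40-byte file, recover it intact, then watch recovery degrade
    once a new file reuses the freed start cluster (why DR must happen before further writes)."""
    vol = TinyFat()
    vol.write("report.txt", b"quarterly numbers: revenue up 12 percent")
    vol.delete("report.txt")
    intact = vol.undelete()["?eport.txt"]
    vol.write("notes.txt", b"overwrite!")   # allocates cluster 2, the deleted file's first cluster
    return intact, vol.undelete()["?eport.txt"]
```

The first character of the name is lost in the 0xE5 marker, which is why real undelete tools show recovered FAT files with a placeholder first letter.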

    26. Lab 9 Data Collection and Analysis
       Software download website: http://wps.prenhall.com/bp_boyle_ais_1/121/31018/7940852.cw/index.html
       Become familiar with the labs in chapters 3, 10, 11, and 12, especially the following tools:
       - Data recovery: Recuva, Eraser
       - IDS & honeypot: Honeypot, Snort
       - File integrity checkers: HashCalc, File Verifier++
       - Forensic: BgInfo, Nigilant32
       Write a short analysis with emphasis on:
       - The underlying technology
       - The type of system or network used to perform these labs
       - The strengths and weaknesses of these tools

    27. References
       - Applied Information Security, by R. Boyle
       - Computer Security: Principles and Practice, by W. Stallings and L. Brown
       - Corporate Computer and Network Security, by R. Panko
       - Network Security Essentials, 3rd Edition, by W. Stallings
       - Cryptography and Network Security, 4th Edition, by W. Stallings
       - Computer Security: Art and Science, by Matt Bishop
       - Security in Computing, 4th Edition, by C. Pfleeger and S. Pfleeger
       - Network Security: Private Communication in a Public World, 2nd Edition, by C. Kaufman, R. Perlman and M. Speciner
       - Data Communications and Networking, 4th Edition, by B. Forouzan
       - Computer Networking, 3rd Edition, by J. Kurose and K. Ross
       - Applied Cryptography, 2nd Edition, by B. Schneier
       - Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot and S. Vanstone
       - Designing Network Security, by M. Kaeo, Cisco Press
       - http://wins.kocaeli.edu.tr/akavak/438lecture4.ppt
