
Chapter 9: Cyber Network Defense using Advanced Log Analysis

Chapter 9: Cyber Network Defense using Advanced Log Analysis. Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions. Introduction to Cyber Network Defense.

Presentation Transcript


  1. Chapter 9: Cyber Network Defense using Advanced Log Analysis
  Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

  2. Introduction to Cyber Network Defense
  • Cyber Network Defense (CND) is a continuously improving process for defending IT assets
  • The CND approach in this chapter includes:
    • A lightweight process for CND
    • A set of open source scripts for network monitoring and Advanced Log Analysis (ALA) on BackTrack
    • An agile strategy for escalating defenses
    • A cyber investigations process
    • A scenario for eradicating browser-based spyware
    • Instructions for implementing the processes

  3. General Method and Tools for Cyber Investigations
  • Investigations are based upon the Scientific Method to focus activities:
    • Observation
    • Hypothesis
    • Evaluation: analyze and interpret data
    • Prediction
    • Repeat the method to validate predictions

  4. Continuous Cyber Investigation Strategy
  • Full packet capture when the network is quiet
  • Capture IDS alerts during busy hours
  • Investigate suspicious alerts
  • Host-Based Security (HBS)
  • Firewalls
  • Regular updates/upgrades to processes and technical components
  • Integrated CND

  5. Summary of Cyber Investigation Process
  • Use the custom CND scripts in a daily monitoring and investigation process:
    • # ./snortcap - Run the IDS on the overnight packet capture.
    • # ./headcap | wc - How many alerts overnight?
    • # ./statcap - Count and rank the top alerts.
    • # ./hostcap - Which are the top alerting hosts?
    • # ./alertipcap 10.10.100.10 - What are the alert details for that host?
    • # sort sum*10.10* | uniq -c | sort -rn - Rank the top alerts for the IP.
    • # ./iporgcap 10.10.100.10 - Which external domains are alerting for the IP?
    • # whois 64.94.107.15 - Who owns this IP that does not resolve to a domain?
  • Use an Internet browser to investigate external IPs and domains. Discover these domains with the following command:
    • # ./orgcap - What are all the external alerting domains?

  6. Network Monitoring
  • Establish a Switched Port Analyzer (SPAN) port on the core switch or firewall
    • Mirrors all network traffic to the IDS
  • To run the IDS in real time, use the daycap script:

    #!/bin/bash
    # Pass a parameter, e.g. ./daycap keep, to append to the existing logs.
    # By default, daytime logs are deleted to conserve space.
    # -z tests for an empty first argument; -f keeps rm quiet when no old logs exist.
    if [ -z "$1" ]; then rm -f /tmp/alert /tmp/snort.log.*; fi
    /usr/local/bin/snort -A full -c /etc/snort/snort.conf -l /tmp

  7. Advanced Text Log Analysis
  • A set of custom scripts is explained in detail in Chapter 9, teaching you gawk
  • Example: the statcap script creates a histogram of the most frequent alerts. Alert records are separated by blank lines, so with RS set to two newlines and FS to one newline each line becomes a field, and the first field is the signature:

    #!/bin/bash
    # Single quotes keep $1 for gawk (in double quotes the shell would expand it).
    # Print the signature line of every record, keep only real [**] lines, then count and rank.
    gawk 'BEGIN {FS="\n"; RS="\n\n"} {print $1}' alert | gawk '/\[\*\*\]/' | sort | uniq -c | sort -rn | less

  • The hostcap script finds the host generating the most alerts:

    #!/bin/bash
    # For records containing TCP, the third line is "timestamp src:port -> dst:port".
    # Take the src:port token, strip the port, keep only IPv4-looking lines, then count and rank.
    gawk 'BEGIN {FS="\n"; RS="\n\n"} /TCP/ {print $3}' alert | gawk '{print $2}' | gawk -F: '{print $1}' | gawk '/^[0-9.]+$/' | sort | uniq -c | sort -rn
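The daily query sequence on slide 5 and the statcap/hostcap scripts above, worked through end to end as an added example that is not the book's own code: it builds a constructed Snort "-A full" alert file and implements statcap, hostcap, alertipcap and iporgcap-style queries over it. It assumes only a POSIX awk, using paragraph mode (RS="") rather than gawk's RS="\n\n", so it runs with mawk or BusyBox awk as well; the function names are mine.

```shell
#!/bin/sh
# Added example, not the book's scripts: statcap/hostcap/alertipcap/iporgcap-style
# queries over a Snort "-A full" alert file, using POSIX awk paragraph mode (RS="")
# rather than gawk's RS="\n\n". The alert data below is constructed sample input.
ALERT_FILE=$(mktemp); trap 'rm -f "$ALERT_FILE"' EXIT
# Snort full format: records separated by a blank line; line 1 is the signature,
# line 3 is "timestamp src:port -> dst:port", line 4 starts with the protocol.
cat > "$ALERT_FILE" <<'EOF'
[**] [1:2008578:4] ET MALWARE Possible Spyware Beacon [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/15-02:14:07.118374 10.10.100.10:49213 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:4423 IpLen:20 DgmLen:312 DF

[**] [1:2008578:4] ET MALWARE Possible Spyware Beacon [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/15-02:19:07.221904 10.10.100.10:49377 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:4519 IpLen:20 DgmLen:312 DF

[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/15-03:02:41.004112 10.10.100.22:80 -> 10.10.100.10:51002
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:1500 DF

[**] [1:2008578:4] ET MALWARE Possible Spyware Beacon [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/15-03:14:07.330215 10.10.100.31:50001 -> 66.235.147.9:80
TCP TTL:128 TOS:0x0 ID:7771 IpLen:20 DgmLen:312 DF
EOF
# statcap FILE: histogram of signatures (first line of every record)
statcap() { awk 'BEGIN { RS=""; FS="\n" } { print $1 }' "$1" | sort | uniq -c | sort -rn; }
# hostcap FILE: rank the source hosts of TCP alerts
hostcap() {
  awk 'BEGIN { RS=""; FS="\n" }
       $4 ~ /^TCP/ { split($3, w, " "); split(w[2], h, ":"); print h[1] }' "$1" |
    sort | uniq -c | sort -rn
}
# alertipcap FILE IP: signatures of records where IP is source or destination;
# exact match on the address token, so 10.10.100.1 does not match 10.10.100.10
alertipcap() {
  awk -v ip="$2" 'BEGIN { RS=""; FS="\n" }
    { n = split($3, w, " "); hit = 0
      for (i = 2; i <= n; i++) { split(w[i], h, ":"); if (h[1] == ip) hit = 1 }
      if (hit) print $1 }' "$1" | sort | uniq -c | sort -rn
}
# iporgcap FILE IP: external destinations IP was talking to when it alerted
iporgcap() {
  awk -v ip="$2" 'BEGIN { RS=""; FS="\n" }
    { split($3, w, " "); split(w[2], s, ":"); split(w[4], d, ":"); if (s[1] == ip) print d[1] }' \
    "$1" | sort | uniq -c | sort -rn
}
statcap "$ALERT_FILE"; hostcap "$ALERT_FILE"; iporgcap "$ALERT_FILE" 10.10.100.10
```

Point the functions at /tmp/alert from the daycap run to use them on real data; the exact-token match in alertipcap is what keeps a query for one host from picking up its neighbours with a longer address.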

  8. Advanced Binary Log Analysis: Wireshark

  9. Advanced Binary Log Analysis: tcpdump

  10. Reporting Cyber Investigations
  • Lesson learned: do not go to a cybersecurity professional and inform them that their machine is generating copious beacons. Panic ensues!
  • Instead, approach reporting in a non-judgemental, diplomatic manner
  • Provide proof of your findings
    • It will certainly be requested
  • Empower people to resolve the problem with guidance and mentoring

  11. Elimination of Cyber Threats
  • Block suspicious domains using the hosts file (Windows and Linux), e.g.:

    127.0.0.1 ak.quantcast.com

  • Block suspicious IPs for the entire network at the firewall (e.g. Cisco):

    $ enable
    Password:
    # config t
    (config)# object-group network Blocked_IPs
    (config-network)# network-object 64.94.107.0 255.255.255.0
    (config-network)# network-object 66.235.147.0 255.255.255.0
    <repeat for additional IPs>
    (config-network)# exit
    (config)# access-list in2out2 extended deny ip any object-group Blocked_IPs
    (config)# access-list in2out2 extended permit ip any any
    (config)# access-group in2out2 in int inside
    (config)# show config
    (config)# wr mem
    (config)# exit
    # exit
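An added example, not the book's or Cisco's code, that turns the domains and networks an investigation produced into the two block formats shown above: hosts-file lines for domains, and ASA network-object lines (which need a dotted netmask, not a prefix length) for networks given in CIDR form. The function names and the RFC 1918 guard, which refuses internal networks so a typo cannot black-hole the LAN, are my own additions.

```shell
#!/bin/sh
# Added example, not from the book: turn investigation findings into the two block
# formats above. Domains become hosts-file lines; networks given as CIDR become
# Cisco ASA network-object lines with the dotted netmask the CLI expects.
# RFC 1918 networks are refused so a typo cannot black-hole the internal LAN.

# cidr_to_mask PREFIXLEN: 0-32 -> dotted-decimal mask, e.g. 24 -> 255.255.255.0
cidr_to_mask() {
  bits=$1; mask=""
  for i in 1 2 3 4; do
    if [ "$bits" -ge 8 ]; then v=255; bits=$((bits - 8))
    else v=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
    mask="$mask${mask:+.}$v"
  done
  printf '%s\n' "$mask"
}
# is_private ADDR: succeeds when ADDR lies in an RFC 1918 range
is_private() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}
# hosts_block DOMAIN...: one "127.0.0.1 domain" line per domain
hosts_block() { for d in "$@"; do printf '127.0.0.1 %s\n' "$d"; done; }
# asa_block NET/LEN...: object-group config for the firewall; internal nets skipped
asa_block() {
  echo "object-group network Blocked_IPs"
  for cidr in "$@"; do
    net=${cidr%/*}; len=${cidr#*/}
    if is_private "$net"; then echo "skipped internal network $cidr" >&2; continue; fi
    echo " network-object $net $(cidr_to_mask "$len")"
  done
}
hosts_block ak.quantcast.com
asa_block 64.94.107.0/24 66.235.147.0/24 10.10.100.0/24
```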

  12. Logs on Various OS/Services

  13. Intrusion Discovery on Windows
  • To detect intrusions, seek out:
    • Unusual processes and services
    • Unusual files and registry keys
    • Unusual network activity
    • Unusual scheduled tasks
    • Unusual accounts
    • Unusual log entries

  14. Review: Chapter Summary
