Intrusion Detection and Analysis for Windows-Based Computers
Rutgers University Office of Information Technology
Presented by: Bruce Rights, Systems Administrator, Information Protection and Security, Enterprise Systems and Services

Housekeeping
• Hours
• Bathrooms
• Fire exits
• Telephones
• Recycling
• Smoking
• Contact information
IT Certificate Program – Intrusion Analysis for Windows-Based Computers

Intrusion Detection & Analysis for Windows-Based Computers
• Welcome
• Introduction
Expectations and Objectives
• What would you like to get out of this?
• What are your past experiences?
• What has happened in the last month?
Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Analysis and detection tools: built-in; free; third-party
• Logging and Auditing
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
Intrusion: a definition
• Intrude: to thrust oneself in; to enter uninvited or unwelcome; to force in.
• Intrusion: the act of intruding

Intrusion: examples
• Viruses
• Worms
• Trojans
• Spyware
• Browser Helper Objects (BHO)
• P2P leverage
• Data theft
• Denial of service
• Remote control

Intrusion: examples
• ‘I was just looking around’
• Keystroke logger
• Rootkits
• Cross-site scripting
• Man in the middle
• Sniffing
• Buffer overflow
• SQL injection
• Password cracking
Intrusion: examples: viruses
• Sasser, Melissa, Sobig, Mydoom, etc.
• Self-propagating
• Purely malicious
Intrusion: examples: worms
• Code Red
• Nimda
• Slammer
• Blaster

Intrusion: examples: trojans
• “A Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.”

Intrusion: examples: spyware
• “…applications [that] collect information, may or may not install in stealth, and are designed to transmit that information to 2nd or 3rd parties covertly, employing the user's connection without their consent and knowledge. The word defines the actual intent; this is software (ware) that is designed to collect information in secret (spy).”
Intrusion: examples: browser helper objects
• BHOs: DLLs that allow developers to customize and control Internet Explorer
• Most are good:
  • Google Toolbar
• Some are bad:
  • CoolWebSearch
  • BonziBuddy

Intrusion: examples: P2P leverage
• The attacker is looking to set up a music or movie download site
• They are looking to use your resources
• They are looking to hide their tracks
• BitTorrent, port 6881

Intrusion: examples: denial-of-service
• lsass.exe exploit (Sasser)
• Traffic flooding (SYN flood, ping of death)
• E-mail flooding
• Log filling

Intrusion: examples: remote control
• Remote Desktop
• VNC
• GoToMyPC
• pcAnywhere
• Back Orifice
• Beast

Intrusion: examples: remote control
• DameWare: a remote control utility
• It has been hijacked by the bad guys
• Processes to look for include DNTUCli.exe, DNTUCnvt.exe, DNTUS26.exe, DWADEA.exe, DWExp.exe, DWMacDis.exe, DWRCC.exe, DWRCCMD.exe, DWRCCnvt.exe, DWRCINS.exe, DWRCS.exe, DWRCST.exe, DWRTDE.exe
• TCP port 6129
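The process names and port on this slide are the kind of indicators an administrator checks with the built-in tools (Task Manager or tasklist, and netstat). The following added example, which is not from the presentation, runs that check over constructed tasklist and netstat -ano output and correlates the two, so a listed DameWare image that owns the TCP 6129 socket stands out from a coincidental port match:

```python
"""Flag DameWare remote-control indicators in tasklist / netstat output.
Added example, not from the presentation; the process names and TCP port 6129
come from the slide, the sample command output below is constructed."""
# Process names listed on the slide (lower-cased for comparison).
DAMEWARE_PROCESSES = {n.lower() for n in (
    "DNTUCli.exe", "DNTUCnvt.exe", "DNTUS26.exe", "DWADEA.exe", "DWExp.exe",
    "DWMacDis.exe", "DWRCC.exe", "DWRCCMD.exe", "DWRCCnvt.exe", "DWRCINS.exe",
    "DWRCS.exe", "DWRCST.exe", "DWRTDE.exe")}
DAMEWARE_PORT = 6129

# Constructed sample of `tasklist` output (not captured from a real host).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
explorer.exe                  1480 Console                    1     32,104 K
DWRCS.exe                     2212 Services                   0      5,812 K
"""
# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       2212
  TCP    10.1.2.15:6129         10.1.2.99:4431         ESTABLISHED     2212
"""

def find_dameware_processes(tasklist_text):
    """Return {pid: image_name} for rows whose image is a listed DameWare binary."""
    found = {}
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit() and parts[0].lower() in DAMEWARE_PROCESSES:
            found[int(parts[1])] = parts[0]
    return found

def find_port_sockets(netstat_text, port=DAMEWARE_PORT):
    """Return [(state, pid)] for TCP sockets whose local port is `port`."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have exactly five columns; UDP rows have no State column.
        if len(parts) == 5 and parts[0] == "TCP" and int(parts[1].rsplit(":", 1)[1]) == port:
            hits.append((parts[3], int(parts[4])))
    return hits

def correlate(tasklist_text, netstat_text):
    """Pair each port-6129 socket with its owning process; a listed DameWare
    image holding the port is a stronger indicator than either sign alone."""
    procs = find_dameware_processes(tasklist_text)
    return [(s, pid, procs.get(pid)) for s, pid in find_port_sockets(netstat_text)]
```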
Intrusion: examples: just looking around
• The attacker could be practicing techniques: takes nothing, but leaves a ‘calling card’
• Or they could be waiting to see if they get caught
• Or they were looking for something specific you did not have

Intrusion: examples: keystroke logger
• Can be a hardware or software device
• How many of you check your keyboard connector every morning?
• http://www.keyghost.com
• Ctrl-Alt-Del provides some protection

Intrusion: examples: rootkits
• Malware which hides itself from typical detection methods
• Can be persistent or memory-based
• User-mode rootkits modify API calls (e.g., those made by Windows Explorer)
• Kernel-mode rootkits modify the calls made by tools such as Task Manager
• BlackLight: http://www.f-secure.com/blacklight
• RootkitRevealer: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
• http://invisiblethings.org/
• http://www.rootkit.com/
Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Analysis and detection tools: built-in; free; third-party
• Logging and Auditing
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
Anatomy of an intrusion: typical process
• Reconnaissance
• Scanning
• Exploit systems
• Keeping access
• Covering tracks

Anatomy of an intrusion: SQL injection
• From an article by Jesper Johansson, Microsoft, which appeared in TechNet Magazine, Winter 2005

Anatomy of an intrusion: SQL injection
[Network diagram; labels: Bad Guy, Internet, Firewall, Web Server, Internal Domain, Router 172.17.0.1, Firewall, Router 172.17.0.2, Data Center, SQL Server 192.168.2.30, DC 10.1.2.x]
Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Analysis and detection tools: built-in; free; third-party
• Logging and Auditing
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
Analysis and detection tools: built-in
• Task Manager
• Add / Remove Programs
• Event Viewer
• Perfmon
• ADUC / Computer Management MMC
• Msconfig
• IE Add-In Manager
• Command line tools, e.g., netstat
• Windows Explorer

Analysis and detection tools: free
• Spybot: http://safer-networking.org
• Ad-Aware: http://www.lavasoftusa.com
• RADS: http://software.rutgers.edu
• Silent Runners: http://www.silentrunners.org
• HijackThis: http://www.merijn.org
• CWShredder: http://www.merijn.org

Analysis and detection tools: third-party
• Trojan Hunter: http://www.trojanhunter.com
• http://www.misec.net/
Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Analysis and detection tools: built-in; free; third-party
• Logging and Auditing
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
Logging and Auditing
• Establish an auditing and logging policy
• This will include what to audit, and how to store and read the logs
• Know what you are looking for: events like 513, 529, 530, 531 and 539
• Read the logs using filtering, EventCombMT or MOM
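The event IDs on this slide are the Windows 2000/2003 Security log IDs: 513 is a system shutdown, and 529, 530, 531 and 539 are logon failures (bad user name or password, logon time restriction, disabled account, locked-out account). The following added example, not the presenter's code, triages a small export for those IDs, reporting a burst of bad passwords against one account, every lockout, disabled-account and time-restriction failure, and every shutdown; the tab-separated layout is an assumed format, not EventCombMT's real output, and the log lines are constructed:

```python
"""Triage the Security-log event IDs named on the slide (529, 530, 531, 539
logon failures and 513 shutdown) from a constructed log export.
Added example, not from the presentation. The tab-separated layout below is a
constructed format, not EventCombMT's real output; the ID meanings are the
Windows 2000/2003 Security log definitions."""
from collections import defaultdict
from datetime import datetime, timedelta
EVENT_MEANING = {
    513: "Windows is shutting down",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: account logon time restriction violation",
    531: "Logon failure: account currently disabled",
    539: "Logon failure: account locked out",
}

# Constructed sample export: time<TAB>event id<TAB>account<TAB>workstation.
SAMPLE_EXPORT = """\
2005-11-14 02:10:01\t529\tadministrator\tLAB-PC7
2005-11-14 02:10:03\t529\tadministrator\tLAB-PC7
2005-11-14 02:10:04\t529\tadministrator\tLAB-PC7
2005-11-14 02:10:06\t529\tadministrator\tLAB-PC7
2005-11-14 02:10:09\t539\tadministrator\tLAB-PC7
2005-11-14 09:15:22\t531\tjsmith\tHR-DESK03
2005-11-14 11:02:45\t513\t-\tWEB01
"""

def parse_export(text):
    """Return a list of (timestamp, event_id, account, workstation) tuples."""
    rows = []
    for line in text.splitlines():
        ts, eid, acct, ws = line.split("\t")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), acct.lower(), ws))
    return rows

def triage(rows, burst=3, window=timedelta(minutes=5)):
    """Return (account, workstation, reason) findings:
    - the count of 529s against one account first reaching `burst` within `window`
    - every 530, 531 and 539 (time restriction, disabled account, lockout)
    - every 513 (shutdown), so it can be checked against change records"""
    findings = []
    recent = defaultdict(list)  # account -> timestamps of 529s inside the window
    for ts, eid, acct, ws in sorted(rows):
        if eid == 529:
            recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]
            if len(recent[acct]) == burst:
                findings.append((acct, ws, f"{burst} bad passwords within {window}"))
        elif eid in EVENT_MEANING:
            findings.append((acct, ws, EVENT_MEANING[eid]))
    return findings
```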
Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Analysis and detection tools: built-in; free; third-party
• Logging and Auditing
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
IDS and HIDS
• Analyze incoming traffic at the application layer, looking for malicious payloads
• Reconnaissance attacks, exploit attacks, DoS attacks
• They use a combination of anomaly detection and signature recognition
• HIDS often uses information in the Event Logs
• Honeypots

IDS and HIDS
• Trend Micro firewall
• Wireshark: http://www.wireshark.org/
• IDS: Cisco Secure IDS, http://www.cisco.com
• IDS: Snort, http://www.snort.org
• HIDS: BlackICE Defender, http://www.iss.net/products_services/products.php (IBM)
• Honeypots: http://www.honeypots.net
Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Rootkits
• Analysis and detection tools: built-in; free; third-party
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
Incident Response
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Incident Response
• Do you have a plan?
• Phone numbers (vendors, colleagues, managers, IPS, RUPD); installation CDs; IP addresses; firewall and router configs; passwords; phone tree to notify users
• Will you clean the infected machine(s), rebuild, or call the police?
• What do you need to do to comply with the law?
• Who is the decision-maker?
• Will you keep the logs for analysis?
• Will you be prepared to take notes to document every stage of the response?
• www.sans.org/score/incidentforms
• www.net-security.org/article.php?id=775

Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Rootkits
• Analysis and detection tools: built-in; free; third-party
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
Forensics
• What are you trying to achieve?
• Best left to an outside agency / law enforcement (LEO)
• Kits are available
Overview
• Intrusions: definitions and examples
• Anatomy of an Intrusion
• Rootkits
• Analysis and detection tools: built-in; free; third-party
• IDS and HIDS
• Incident Response
• Forensics
• Final Thoughts
• Questions
Final thoughts
• The focus needs to be on where the attacks are coming from
• http://www.dshield.org

Questions
• What questions do you have that I did not answer?
• What does the future hold?

Questions?
• Contact details:
• Bruce Rights
• brights@rutgers.edu
• 732-445-8702

Thank you for coming
• This course is an elective component of the IT Certificate Program, a collaborative effort of the Office of Information Technology, University Human Resources, and the Internal Audit Department
• http://uhr.rutgers.edu/profdev/it-cert-program-info.asp

Information Protection & Security (a division of the Office of Information Technology [OIT])
• ASB Annex 1, Room 102, Busch Campus, 56 Bevier Road, Piscataway, NJ 08854
• Phone: (732) 445-8011
• Fax: (732) 445-8023
• rusecure@rutgers.edu