
SI 2007 Project Team “Packet Storm”: Matthew Baron, Charlie Hughes, Matt Mayberry, Bryce Theobald
Project Leaders: Prasad Calyam, Aaron Lafferty
Network Forensics. Topics: Background on Cyber Crimes; Our Network Forensic Investigation Case; Investigation Methodology; Forensic Evidence.


Presentation Transcript


  1. Network Forensics
     SI 2007 Project Team “Packet Storm”: Matthew Baron, Charlie Hughes, Matt Mayberry, Bryce Theobald
     Project Leaders: Prasad Calyam, Aaron Lafferty

  2. Topics of Discussion
     - Background on Cyber Crimes
     - Our Network Forensic Investigation Case
     - Investigation Methodology
     - Forensic Evidence
     - Expert Opinion upon Investigation
     - Conclusion (Animation)

  3. “Hackers”
     - Hackers are intruders who compromise or incapacitate computer systems using the Internet; a.k.a. “cyber-criminals”
     - Motivations of a hacker to perform cyber-crimes:
       - Sabotage for money (blackmail)
       - Hatred towards the victim (government cyber-wars)
       - Social acceptance (redirecting websites)
       - “FOR FUN!”
     - Hackers are difficult to track down:
       - They hide behind the world-wide Internet
       - US-border jurisdiction issues for the FBI or CIA

  4. Hackers use “Botnets”
     - “Bot”: a simple program planted on a computer that accesses a “Command Center” (e.g. an IRC channel)
     - A huge group of bots on the Internet is called a “Botnet”
     - Botnets are rented out for launching cyber attacks and spam services
     - (Figure: the hacker controls all the bots using the Internet; the botnet of bots is directed at the victim)

  5. Distributed Denial of Service attacks (DDoS attacks)
     - Coordinated attacks from botnets that slow down victim servers
     - Ping Flood, Smurf (slow down servers)
     - Companies hire “DDoS mafias” to attack competitors and attract their customers
     - (Figure: Smurf attack; attacker, broadcast network, victim. Adopted from www.networkdictionary.com)

  6. DDoS Attack Investigation Case
     - “Cyber Games, Ltd.” (fictional) is maliciously cyber-attacked by “Not-So-Good Cyber Games Inc.”
     - Not-So-Good Cyber Games Inc. employs a DDoS “Mafia”
     - Cyber Games, Ltd. customers experience slow response and service disruptions from the servers during gaming
     - Customers unsubscribe from Cyber Games, Ltd. services and sign up for Not-So-Good Cyber Games Inc. services
     - Due to the month-long DDoS attacks, Cyber Games, Ltd. lost customers, reputation and revenue

  7. Network Forensic Experts
     - Cyber Games, Ltd. hired us, the Network Forensics Experts
     - We investigate the DDoS attacks, identify the cyber-criminals and prosecute them
     - Network Forensic Science is complex! Hackers are always one step ahead
     - Requires diverse expertise in several areas:
       - Networking
       - Software programming
       - Legal procedures
       - Criminal psychology

  8. Investigation Methodology
     Technologies used:
     - Honey Pot: a network set up to trap DDoS attacks at Cyber Games, Ltd.
     - Snort: an intrusion detection tool
     - Perl: a programming language
     - MySQL: a database

  9. Honey Pot
     - A Honey Pot is a network of computers that need to be protected; it appears to a hacker as a real system while in fact it carefully monitors the hacker's attacks
     - Collects clues to trace the hacker's location on the Internet
     - It includes a “Network Monitor” that hosts Snort, MySQL, etc.
     - Snort rules need to be configured to create logs that contain:
       - Alert timestamp
       - Source and destination IPs
       - Alert signature (e.g. DDoS attack, port scanning)
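The kind of rule and output configuration slide 9 refers to, as an added example that is not from the team's own honeypot configuration. It assumes Snort 2.x rule syntax, a sid in the local range (1000001) and the alert_fast output plugin; $HOME_NET and $RULE_PATH are the usual snort.conf variables, and the alert line quoted at the end is constructed to show the timestamp, signature and IP pair such a log carries.

```snort
# snort.conf fragment (assumed Snort 2.x syntax): one line per alert with
# timestamp, generator/sid, signature name, protocol and source -> destination.
output alert_fast: alert.fast
include $RULE_PATH/local.rules

# local.rules: a local-range sid (1000001, an assumption) for an ICMP echo flood.
# detection_filter raises the alert only once a single source exceeds
# 100 echo requests per second, so ordinary pings do not fill the evidence log.
alert icmp any any -> $HOME_NET any (msg:"Ping_Flood"; itype:8; \
    detection_filter:track by_src, count 100, seconds 1; \
    classtype:attempted-dos; sid:1000001; rev:1;)

# A constructed alert.fast line the rule above would produce for slide 11's first event:
# 07/13-07:15:47.000000 [**] [1:1000001:1] Ping_Flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 250.52.15.4 -> 15.160.2.100
```

The signature name in msg, the source/destination pair and the timestamp are the three fields the slide asks for. alert_fast timestamps carry no year by default; for records that will be kept as evidence over months, run Snort with -y so the year is included, and keep the rule file under version control so the sid and rev on each alert can be traced back to the exact rule that produced it.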

  10. Honey Pot
      (Figure: honeypot network with the Network Monitor running Snort and MySQL)

  11. Snort Workflow
      (Figure: Packets -> Packet Decoder -> Preprocessors -> Detection Engine -> Logging and Alerting System; packets are dropped)
      Sample alert log:
        2007-07-13 07:15:47 Ping_Flood 250.52.15.4
        2007-07-13 07:55:00 DNS_Poisoning 19.80.124.164
        2007-07-13 08:39:44 Buffer_Overflow 19.89.174.34
        2007-07-13 08:57:59 SSL_Auth 127.166.92.101

  12. Perl and MySQL
      - We wrote a Perl script, “log_analysis.pl”, to parse the Snort log data into a MySQL database
      - Based on the source IP address, the geographic location of the hacker can be determined
      - Every IP address has a network part and a local part

      Timestamp            Attack Type      Source IP        Destination IP
      2007-07-13 07:15:47  Ping_Flood       250.52.15.4      15.160.2.100
      2007-07-13 07:55:00  DNS_Poisoning    19.80.124.164    15.160.2.100
      2007-07-13 08:39:44  Buffer_Overflow  19.89.174.34     15.160.2.100
      2007-07-13 08:57:59  SSL_Auth         127.166.92.101   15.160.2.100
      2007-07-13 08:59:29  VNC_Auth         4.5.131.172      15.160.2.100
      2007-07-13 09:38:13  DNS_Poisoning    1.96.72.163      15.160.2.100

  13. Forensic Evidence
      - Forensic evidence includes anything used in court to prove the validity or falsity of a statement
      - It cannot be “hearsay” (e.g. monitoring for 1 or 2 days and pointing fingers at attack sources)
      - Routine monitoring is hence vital; it promotes custody of regular records of cyber activity
      - It has to present information beyond reasonable doubt
      - We wrote a Perl script, “db_reader.pl”, to query the daily-attacks data from MySQL
      - We use the queried data to create a visualization, which we present as our evidence
      - (Figure: DDoS Mafia hired by Not-so-good Gaming, Inc. captured by FBI in Antarctica!)
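An added example, not the team's own log_analysis.pl or db_reader.pl, of the two steps slides 12 and 13 describe: parsing alert lines into a database, then querying the daily attack counts that feed the evidence chart. It is written in Python rather than Perl and uses an in-memory SQLite database in place of MySQL. The log lines are constructed from the slide 12 table (plus one malformed line and one impossible address, to show that the parser rejects rather than half-parses them), and the /24 boundary used in network_part is an assumed illustration of separating the network part from the local part of an address.

```python
import re
import sqlite3
from ipaddress import ip_address, ip_network

# Constructed sample alert lines in the column order of the slide 12 table:
# timestamp, attack type (Snort signature), source IP, destination IP.
# The last two lines are deliberately bad input the parser must skip.
SAMPLE_LOG = """\
2007-07-13 07:15:47 Ping_Flood 250.52.15.4 15.160.2.100
2007-07-13 07:55:00 DNS_Poisoning 19.80.124.164 15.160.2.100
2007-07-13 08:39:44 Buffer_Overflow 19.89.174.34 15.160.2.100
2007-07-13 08:57:59 SSL_Auth 127.166.92.101 15.160.2.100
2007-07-13 08:59:29 VNC_Auth 4.5.131.172 15.160.2.100
2007-07-13 09:38:13 DNS_Poisoning 1.96.72.163 15.160.2.100
2007-07-14 02:10:05 Ping_Flood 250.52.15.4 15.160.2.100
2007-07-14 02:11:00 Ping_Flood 999.1.1.1 15.160.2.100
not an alert line at all
"""

# One alert per line; a strict pattern so anything unexpected is rejected
# rather than half-parsed into the evidence database.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<sig>[A-Za-z0-9_]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_alerts(text):
    """Turn raw alert lines into records; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
        except ValueError:  # e.g. an octet above 255
            continue
        rows.append({"ts": m["ts"], "sig": m["sig"], "src": str(src), "dst": str(dst)})
    return rows


def network_part(ip, prefix=24):
    """Split an IPv4 address into its network part and local (host) part.
    The prefix length is an assumption for illustration; the real boundary
    comes from the address block's allocation data."""
    net = ip_network(f"{ip}/{prefix}", strict=False)
    return str(net), int(ip_address(ip)) - int(net.network_address)


def load_db(rows):
    """log_analysis.pl step: store parsed alerts (SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (ts TEXT, sig TEXT, src TEXT, dst TEXT)")
    conn.executemany("INSERT INTO alerts VALUES (:ts, :sig, :src, :dst)", rows)
    conn.commit()
    return conn


def daily_attacks(conn):
    """db_reader.pl step: alert counts per day and signature."""
    cur = conn.execute(
        "SELECT substr(ts, 1, 10), sig, COUNT(*) FROM alerts "
        "GROUP BY substr(ts, 1, 10), sig ORDER BY 1, 2"
    )
    return [tuple(r) for r in cur]


def top_sources(conn, n=3):
    """Source addresses with the most alerts, the starting point for tracing."""
    cur = conn.execute(
        "SELECT src, COUNT(*) AS c FROM alerts GROUP BY src ORDER BY c DESC, src LIMIT ?",
        (n,),
    )
    return [tuple(r) for r in cur]


def text_chart(daily):
    """A plain-text bar chart of daily_attacks() output, one line per (day, signature)."""
    return [f"{day} {sig:<16} {'#' * count} ({count})" for day, sig, count in daily]


if __name__ == "__main__":
    conn = load_db(parse_alerts(SAMPLE_LOG))
    print("\n".join(text_chart(daily_attacks(conn))))
    print("top sources:", top_sources(conn))
```

The strict regular expression and the ip_address check are the point of the parser: a record that reaches the evidence table must be exactly a timestamp, a signature and two valid addresses, so the chart built from it cannot be challenged as resting on mangled input. Grouping by day rather than by raw timestamp is what turns a month of alerts into the routine-monitoring record slide 13 says a court expects.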

  14. Expert Opinion upon Investigation
      - No network is fully secure
      - Cyber Games, Ltd. did several good things:
        - Had a Honey Pot installed with a firewall
        - Maintained clear records of attack logs, both weak and severe
        - Ensured no attacks had a source within their network
        - Notified us and co-operated to trace the attackers
      - Hence, they deserve to be compensated for the damages caused by Not-so-good Cyber Games, Inc.
      - (Figure: “Super-smart Hacker”)

  15. Variables for Compensation
      - Does the hacker live in the USA?
      - Money to prosecute the hacker in court
      - Revenue, customers and reputation lost due to the DDoS attacks
      - Staff time and services of the Network Forensic Experts for the investigation

  16. Damages Compensation

      ITEM                                                                          COST
      Expenses for 3 FTE staff for assisting in 2 weeks of forensic investigation   $15,000
      Expense for hiring the Network Forensic Experts from SI 2007                  $100,000
      Lost revenue during the 5 days of decreased performance or loss of service    $250,000
      Loss of customers, reputation and subscriber recruiting/advertisement         $500,000
      Court costs + attorney cost for civil trial proceedings                       $300,000
      Total Cost                                                                    $1,165,000
