Attacks and Intrusion

Attacks and Intrusion

Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: masquerader misfeasor clandestine user varying levels of competence

Intruders clearly a growing publicized problem from Wily Hacker in 1986/87 to clearly escalating CERT stats range benign: explore, still costs resources serious: access/modify data, disrupt system led to the development of CERTs intruder techniques & behavior patterns constantly shifting, have common features

Examples of Intrusion remote root compromise web server defacement guessing / cracking passwords copying viewing sensitive data / databases running a packet sniffer distributing pirated software using an unsecured modem to access net impersonating a user to reset password using an unattended workstation

Hackers motivated by thrill of access and status hacking community a strong meritocracy status is determined by level of competence benign intruders might be tolerable do consume resources and may slow performance can t know in advance whether benign or malign IDS / IPS / VPNs can help counter awareness led to establishment of CERTs collect / disseminate vulnerability info / responses

Hacker Behavior Example 1. select target using IP lookup tools 2. map network for accessible services 3. identify potentially vulnerable services 4. brute force (guess) passwords 5. install remote administration tool 6. wait for admin to log on and capture password 7. use password to access remainder of network

Criminal Enterprise organized groups of hackers now a threat corporation / government / loosely affiliated gangs typically young often Eastern European or Russian hackers often target credit cards on e-commerce server criminal hackers usually have specific targets once penetrated act quickly and get out IDS / IPS help but less effective sensitive data needs strong protection

Criminal Enterprise Behavior 1. act quickly and precisely to make their activities harder to detect 2. exploit perimeter via vulnerable ports 3. use trojan horses (hidden software) to leave back doors for re-entry 4. use sniffers to capture passwords 5. do not stick around until noticed 6. make few or no mistakes.

Insider Attacks among most difficult to detect and prevent employees have access & systems knowledge may be motivated by revenge / entitlement when employment terminated taking customer data when move to competitor IDS / IPS may help but also need: least privilege, monitor logs, strong authentication, termination process to block access & mirror data

Insider Behavior Example 1. create network accounts for themselves and their friends 2. access accounts and applications they wouldn't normally use for their daily jobs 3. e-mail former and prospective employers 4. conduct furtive instant-messaging chats 5. visit web sites that cater to disgruntled employees, such as f'dcompany.com 6. perform large downloads and file copying 7. access the network during off hours.

Intrusion Techniques aim to gain access and/or increase privileges on a system often use system / software vulnerabilities key goal often is to acquire passwords so then exercise access rights of owner basic attack methodology target acquisition and information gathering initial access privilege escalation covering tracks

Password Guessing one of the most common attacks attacker knows a login (from email/web page etc) then attempts to guess password for it defaults, short passwords, common word searches user info (variations on names, birthday, phone, common words/interests) exhaustively searching all possible passwords check by login or against stolen password file success depends on password chosen by user surveys show many users choose poorly

Password Capture another attack involves password capture watching over shoulder as password is entered using a trojan horse program to collect monitoring an insecure network login eg. telnet, FTP, web, email extracting recorded info after successful login (web history/cache, last number dialed etc) using valid login/password can impersonate user users need to be educated to use suitable precautions/countermeasures

Intrusion Detection inevitably will have security failures so need also to detect intrusions so can block if detected quickly act as deterrent collect info to improve security assume intruder will behave differently to a legitimate user but will have imperfect distinction between

Intrusion Detection

Approaches to Intrusion Detection statistical anomaly detection attempts to define normal/expected behavior threshold profile based rule-based detection attempts to define proper behavior anomaly penetration identification

Audit Records fundamental tool for intrusion detection native audit records part of all common multi-user O/S already present for use may not have info wanted in desired form detection-specific audit records created specifically to collect wanted info at cost of additional overhead on system

Statistical Anomaly Detection threshold detection count occurrences of specific event over time if exceed reasonable value assume intrusion alone is a crude & ineffective detector profile based characterize past behavior of users detect significant deviations from this profile usually multi-parameter

Audit Record Analysis foundation of statistical approaches analyze records to get metrics over time counter, gauge, interval timer, resource use use various tests on these to determine if current behavior is acceptable mean & standard deviation, multivariate, markov process, time series, operational key advantage is no prior knowledge used

Rule-Based Intrusion Detection observe events on system & apply rules to decide if activity is suspicious or not rule-based anomaly detection analyze historical audit records to identify usage patterns & autogenerate rules for them then observe current behavior & match against rules to see if conforms like statistical anomaly detection does not require prior knowledge of security flaws

Rule-Based Intrusion Detection rule-based penetration identification uses expert systems technology with rules identifying known penetration, weakness patterns, or suspicious behavior compare audit records or states against rules rules usually machine & O/S specific rules are generated by experts who interview & codify knowledge of security admins quality depends on how well this is done

Base-Rate Fallacy practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms if too few intrusions detected -> false security if too many false alarms -> ignore / waste time this is very hard to do existing systems seem not to have a good record

Distributed Intrusion Detection traditional focus is on single systems but typically have networked systems more effective defense has these working together to detect intrusions issues dealing with varying audit record formats integrity & confidentiality of networked data centralized or decentralized architecture

Distributed Intrusion Detection - Architecture

Distributed Intrusion Detection Agent Implementation

Honeypots decoy systems to lure attackers away from accessing critical systems to collect information of their activities to encourage attacker to stay on system so administrator can respond are filled with fabricated information instrumented to collect detailed information on attackers activities single or multiple networked systems cf IETF Intrusion Detection WG standards

Footprinting

Τι είναι το Footprint To footprint ή στα Ελληνικά ιχνηλάτηση είναι το πρώτο βήμα που εφαρμόζεται από κάποιο κυβερνοεγκληματία. Έχει σαν σκοπό να μαζέψει πληροφορίες για τα συστήματα, τις συσκευές και το δίκτυο. Μετά από αυτό το βήμα ένας Penetration tester μπορεί να δει ακριβώς πως ένα hacker βλέπει μια εταιρία.

Γιατί το χρησιμοποιούν οι hackers Για να βρουν τον πιο εύκολο τρόπο ώστε να διεισδύσουν σε μια εταιρία Μπορούν να δημιουργήσουν ένα πιο οργανωμένο hacking plan Μειώνουν την περιοχή επίθεσης Μαζί με άλλα εργαλεία όπως το tracert σχηματίζουν ένα διάγραμμα του δικτύου ενός οργανισμού

Είδη footprinting 1. Passive ή Open Source 2. Active 3. Anonymous 4. Pseudonymous 5. Organization or Private 6. Internet Τι είναι το καθένα;

Μεθοδολογία 1/7 Μέσα από μηχανές αναζήτησης, εξαγωγή πληροφοριών όπως: Πλατφόρμες χρήσης Πληροφορίες Υπαλλήλων Σελίδες που κάνουν σύνδεση με κωδικούς Intranet Forum που είναι γραμμένο το προσωπικό του IT (Τι μπορεί να μας δώσει αυτό;)

Μεθοδολογία 2/7 Εύρεση Εξωτερικών και Εσωτερικών συνδέσμων Εργαλεία για εσωτερικούς συνδέσμους: Netcraft, Link Extractor Εύρεση ιστοσελίδων ανοιχτών για όλους και περιορισμένες Μάζεμα Πληροφοριών Τοποθεσίας (Προγράμματα;) Μάζεμα πληροφοριών για υπαλλήλους http://pipl.com http://www.spokeo.com Programs (Zaba Search, Zoominfo) Other?

Μεθοδολογία 3/7 Μάζεμα οικονομικών στοιχείων Μπορούμε έτσι να αποκτήσουμε πρόσβαση σε κωδικούς και λογαριασμούς Να στείλουμε phishing emails Ψάξιμο σε ιστοσελίδες εύρεσης δουλειάς http://www.monster.com http://www.careerbuilder.com http://www.dice.com http://www.indeed.com

Μεθοδολογία 4/7 Website Footprinting telnet tool (που χρησιμεύει;) Netcraft tool Burp suite Html Source (γιατί;) Cookies (γιατί;) Mirroring (Δώστε κάποια tools) Archive.org (γιατί;)

Μεθοδολογία 5/7 Email Headers (που χρησιμεύει;) Email Tracking Tools emailtrackerpro Email Lookup Read Notify Trace Email MSGTAG Zendio Pointofmail

Μεθοδολογία 6/7 Πότε ξεκίνησε η εταιρία; Τι κατασκευάζει; Ποια είναι τα μελλοντικά της σχέδια; WHOIS DNS

Μεθοδολογία 7/7 Google Hacking. Ποιο δημοφιλείς operators.site allinurl Inurl allintitle Intitle Inanchor Allinanchor Τι μπορεί να κάνει κάποιος hacker με αυτούς;

Scanning Γιατί το χρησιμοποιούν οι hackers; Ποιο διαδομένο εργαλείο για αυτό το σκοπό το nmap. Υπάρχει και για Windows και για Linux

Mέθοδοι Scanning Ping Sweep ή αλλιώς ICMP Sweep (Τι είναι το ICMP; Γιατί το χρησιμοποιούμε συνήθως;) Hping2/Hping3

Mέθοδοι Scanning (συνέχεια) TCP Connect / Full Open Scan Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan IDLE Scan ΙCMP Echo Scanning/List Scan SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning ACK Flag Scanning

Mέθοδοι Scanning (συνέχεια) Θυμάστε το 3-way handshake; (Τι είναι;)

TCP Communication Flags

TCP Communication Flags (συνέχεια) Standard TCP communications monitor the TCP packet header that holds the flags. These flags govern the connection between hosts, and give instructions to the system. The following are the TCP communication flags: Synchronize alias "SYN": SYN notifies transmission of a new sequence number Acknowledgement alias "ACK": ACK confirms receipt of transmission, and identifies next expected sequence number Push alias "PSH": System accepting requests and forwarding buffered data Urgent alias "URG": Instructs data contained in packets to be processed as soon as Possible Finish alias "FIN": Announces no more transmissions will be sent to remote system Reset alias "RST": Resets a connection

Mέθοδοι Scanning (συνέχεια) TCP Connect / Full Open Scan TCP Connect / Full Open Scan είναι από τις πιο αξιόπιστες μεθόδους για TCP scanning. Η κλίση τις TCP connect() system call που παρέχεται από το λειτουργικό σύστημα χρησιμοποιείτε για να ανοιχθεί μια πόρτα στον υπολογιστή. Αν στην πόρτα υπάρχει μια υπηρεσία ή κάτι που να «ακούει» η connect() θα επιστρέψει ότι πέτυχε. Σε αντίθετη περίπτωση η πόρτα δεν θα είναι προσβάσιμη.

Mέθοδοι Scanning (συνέχεια) Μειονεκτήματα: Ανιχνεύεται εύκολα και μπορεί να μπλοκαριστεί

Mέθοδοι Scanning (συνέχεια) Xmas Scan ΤCP frame αποστολή σε target με ACK, RST, SYN, URG, PSH, and FIN flags set

Mέθοδοι Scanning (συνέχεια) Πλεονεκτήματα: Μπορείς να ξεγελάσεις το IDS Μειονεκτήματα: Σε Windows δεν δουλεύει

Mέθοδοι Scanning (συνέχεια) FIN SCAN Ποία θα είναι η απάντηση αν το port είναι κλειστό;

Mέθοδοι Scanning (συνέχεια)

Mέθοδοι Scanning (συνέχεια) NULL Scan

Mέθοδοι Scanning (συνέχεια) Πλεονεκτήματα: Μπορείς να ξεγελάσεις το IDS Μειονεκτήματα: Σε Windows δεν δουλεύει

Mέθοδοι Scanning (συνέχεια) IDLE Scan Είναι πιο sophisticated attack. Χρησιμοποιείς ένα zombie δηλ. ένα άλλο υπολογιστή που έχεις παραβιάσει με σκοπό να κρύψεις το ip σου. Eίναι σαν το open port scan αλλά με zombie.

Mέθοδοι Scanning (συνέχεια) UDP Scan

Mέθοδοι Scanning (συνέχεια) Advantage: The UDP scan is less in forma l regarding an open p o r t, since there's no overhead o f a TCP handshake. However, if ICMP is responding to each unavailable port, the number of total frames can exceed a TCP scan. Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows -b ased devices.

Mέθοδοι Scanning (συνέχεια) Disadvantage: The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sv) or the operating system fingerprint ing option (-0). The UDP scan requires privileged access, so this scan option is only available on systems with the appropriate user permissions. Most networks have huge amounts o f TCP traffic ; as a result, the efficiency o f the UDP scan is lost. The UDP scan will locate these open ports and provide the security manager with valuable in formation that can be used to identify these invasions achieved by the attacker on open UDP ports caused by spyware applications, Trojan horses, and other malicious software.

Mέθοδοι Scanning (συνέχεια) Inverse TCP Flag Scanning

Mέθοδοι Scanning (συνέχεια) Πλεονεκτήματα: Μπορείς να ξεγελάσεις το IDS Μειονεκτήματα: Α) Θέλει πρόσβαση στα network sockets και αυτό σημαίνει ότι πρέπει να τρέχει το πρόγραμμα σαν administrator Β)Είναι πιο αποτελεσματικό σε μηχανήματα που χρησιμοποιούν BSD-derived TCP/IP stack. Δεν είναι ιδιαίτερα αποτελεσματικό σε Microsoft Windows hosts.

Mέθοδοι Scanning (συνέχεια) ACK Scanning

Scanning Tools PRTG Network Monitor available at http://www.paessler.com Net Tools available at http://mabsoft.com IP Tools available at http://www.ks-soft.net MegaPing available at http://www.magnetosoft.com Network Inventory Explorer available at http://www.10-strike.com Global Network Inventory Scanner available at http://www.magnetosoft.com SoftPerfect Network Scanner available at http://www.softpe r fect.com Advanced Port Scanner available at http://www.radmin.com Netifera available at http://netifera.com Free Port Scanner available at http://www.nsauditor.com

Reserve Ports http://www.ingate.com/files/422/fwmanual-en/xa10285.html

Vulnerability Scanning Saint GFI LanGuard Nessus OpenVAS Accunetix Core Impact

Sniffing ARP Spoofing MAC Spoofing DNS Poisoning ARP Poisoning DHCP Attacks Password Sniffing Spoofing attacks

Passive Sniffing Trojan Horse στο δίκτυο ή παραβίαση φυσικής ασφάλειας

Active Sniffing On switch MAC flooding ARP spoofing DHCP starvation MAC duplicating

Αναγνώριση ότι ο υπολογιστής έχει Virus/Trojan 1/2 Antivirus software is disabled or does not work properly The taskbar disappears Windows color settings change Computer screen flips upside down or inverts Screensaver's settings change automatically Wallpaper or background settings change

Αναγνώριση ότι ο υπολογιστής έχει Virus/Trojan 2/2 Windows Start button disappears Mouse pointer disappears or moves by itself The computer shuts down and powers off by itself Ctrl+Alt+Del stops working Repeated crashes or programs open/close unexpectedly The computer monitor turns itself off and on

Συνήθης πόρτες trojans 1/2

Συνήθης πόρτες trojans 2/2

Ανίχνευση Virus/Trojan Antivirus Sensor Systems Ηost Base IDS Network Activity File Activity Process Activity

Δεκάλογος ανίχνευσης Trojan Sc an for suspicious OPEN PORTS (Πώς) Scan for suspicious RUNNING PROCESSES Scan for suspicious REGISTRY ENTRIES Scan for suspicious DEVICE DRIVERS installed on the computer Scan for suspicious WINDOWS SERVICES Scan for suspicious STARTUP PROGRAMS Scan for suspicious FILES and FOLDERS Scan for suspicious NETWORK ACTIVITIES Scan for suspicious modification to OPERATING SYSTEM FILES Run Trojan SCANNER to detect Trojans

Sheep Dip Computer: Τρέχει προγράμματα παρακολούθησης πορτών επικοινωνίας και δικτυακών πόρων Τρέχει προγράμματα παρακολούθησης χρηστών, ομάδων, δικαιωμάτων ομάδων και χρηστών καθώς και διαδικασιών συστήματος Τρέχει προγράμματα παρακολούθησης οδηγών συσκευών και αρχείων Τρέχει προγράμματα παρακολούθησης του πυρήνα του λειτουργικού και του registry

Διαδικασία Ανάλυσης Κακόβουλου λογισμικού Online analysis (Anubis, Virustotal) Antivirus (Kaspersky, Nod32, Symantec, McAfee) Process Monitor Netresident OllyDB, IDA Pro Network Monitor Registry Monitor File System Monitor Users, Groups Privileges NTFS Stream Detection

Εργαλεία για memory dumps DD for windows FTK Imager DumpIT.exe Nigilant32 Memparser Memoryze FastDump MoonSols...

Malware forensics Μια ραγδαία αναπτυσσόμενη περιοχή Malware forensics ΔΕΝ είναι προστασία antivirus Ανάλυση κακόβουλου λογισμικού σε μολυσμένη συσκευή Εκτίμηση πραγματικής ζημιάς εργαλεία: Cuckoo sandbox (www.cuckoosandbox.org) capturebat

Live system forensics Σενάριο: Σύστημα παραβιασμένο από rootkit Ερώτηση: Πως θα διεαξχθεί η έρευνα; Θα τρέξουμε εντολές; ls, ps, netstat, lsof, top,...

Εργαλεία Συλλογή Forensic Tool Kit Imager EnCase dd First Responders Utility Commandline - FRUC Forensic Acquisition Utilities (Microsoft) Helix LiveCD (e-fense) Backtrack LiveCD DeviceSeizure (Paraben) Autopsy

Εργαλεία Εξέταση & Ανάλυση Forensic Tool Kit EnCase Password Recovery Tool Kit Registry Viewer F.I.R.E. (Forensic and Incident Response Environment) Livewire Investigator SysAnalyzer LiveView...

Software Patches Deploy Offline Updates Download (http://download.wsusoffline.net/) PDQ Deploy Dameware NT Utilities Remote Exec

Αντίμετρα 1/3 Install antivirus software that detects and removes infections as they appear Generate an antivirus policy for safe computing and distribute it to the staff Pay attention to the instructions while downloading files or any programs from the Internet Update the antivirus software on the a monthly basis, so that it can identify and clean out new bugs

Αντίμετρα 2/3 Avoid opening the attachments received from an unknown sender as viruses spread via email attachments Possibility of virus infection may corrupt data, thus regularly maintain data back up Schedule regular scans for all drives after the installation of antivirus software Do not accept disks or programs without checking them first using a current version of an antivirus program Ensure the executable code sent to the organization is approved Run disk clean up, registry scanner, and defragmentation once a week

Αντίμετρα 3/3 Do not boot the machine with infected bootable system disk Turn on the firewall if the OS used is Windows XP Keep informed about the latest virus threats Run anti-spyware or adware once in a week Check the DVDs and CDs for virus infection Block the files with more than one file type extension Ensure the pop-up blocker is turned on and use an Internet firewall Be cautious with the files being sent through the instant messenger

Χρήσιμα links http://e-evidence.info/ http://www.cftt.nist.gov/ http://www.linuxleo.com/ http://windowsir.blogspot.com/ http://www.crime-research.org/ http://datalossdb.org/ http://www.forensix.org/ Anubis: Analyzing Unknown Binaries available at http://anubis.iseclab.org Avast! Online Scanner available at http://onlinescan.avast.com Malware Protection Center available at https://www.microsoft.com ThreatExpert available at http://www.threatexpert.com Dr. Web Online Scanners available at http://vms.drweb.com Metascan Online available at http://www.metascan-online.com Bitdefender QuickScan available at http://www.bitdefender.com GFI SandBox available at http://www.gfi.com UploadMalware.com available at http://www.uploadmalware.com Fortinet available at http://www.fortiguard.com