Network Monitoring & Forensics: Jim Irving
Network Monitoring & Forensics: Jim Irving
Network Monitoring & Forensics: Jim Irving
Forensics
Jim Irving
1
Agenda
Network Forensics Host Forensics
Usefulness PCAP and flow recap
Intro to forensic data types Working with logs and alerts
Working with PCAP data What they look like
What it looks like How to interpret them
How to interpret it Getting them all in one place
How to get it SIEM’s and their familiars
Working with flow data Fielding a monitoring solution
What it looks like
How to interpret it
How to get it
2
Introduction
Network forensics is the capture, recording,
and analysis of network events in order to
discover the source of security attacks or
other problem incidents.
Course Goal: To give the student a broad
understanding of the main types of network forensic
data gathering and an introduction to low level
concepts necessary for a proper understanding of the
task of performing network forensics. After
completion, a student should be able to plan and
execute a reasonable network monitoring program
and use the gathered forensic data to perform a wide
range of investigations.
3
Benefits
Why do you care
If this isn’t in your toolbelt already, you’ll get a
lot of new capabilities when you go on a
project.
If you’re already seasoned, you can learn from
everyone else here.
Why do I care
The Socratic method works.
4
Disclaimer
5
Agenda
Day 1 Day 2
Agenda and motivation PCAP and flow recap
Intro to forensic data types Working with logs and alerts
Working with PCAP data What they look like
What it looks like How to interpret them
How to interpret it Getting them all in one place
How to get it SIEM’s and their familiars
Working with flow data Fielding a monitoring solution
What it looks like
How to interpret it
How to get it
6
Performing Network Forensics
What do we need to know?
What does our network even look like?
Are we being attacked?
Is anything compromised?
How did it get compromised?
Where are the attacks coming from?
7
Performing Network Forensics
What do we have to work with?
Loads of recorded network data
(PCAP and flow)
Logs and alerts from security products
Logs from applications
8
Main types of forensic data
We’ll be grouping forensic data into three
main data types based on the tools and
analysis techniques used
9
Forensic Data Type #1
Full Packet Capture (PCAP)
A full copy* of a set of packets travelling
over the network
The most complete form of monitoring
possible
Takes up a lot of space
10
Forensic Data Type #2
Flow Data
Records of conversations on the network
Stores info such as time, duration,
number of packets, total bytes sent,
received, etc.
Does not contain any application layer
data
Good for understanding how data flows on
your network quickly
11
Forensic Data Type #3
Log/Alert data
Any text that gets written to a file that we
can monitor
Some of it is very important (firewall
alerts, availability alerts, etc.) and some
of it is less so
We have to set up things to produce
GOOD alerts
There are a lot of log sources, so some
sort of management is preferable
12
Forensic Bonus Data
People
This is when someone comes up to you
and tells you that they can’t connect to
the network, the mail server is down, etc.
Pretty darned close to real time
Hard to digitize…
13
Forensic Data Type Comparison
How do they differ?
Collection Storage What it Tools used Typical use
can reveal to Analyze
PCAP Done by Consumes lots Exactly what Wireshark, Deep dive,
machines on of disk space. went across Firewalls, finding out
the network, For a project of the network. Content Filters, exactly what
taps, and any size, you’ll etc. commands
anything that have to spend were issued
can read 1’s money on a and how
and 0’s off the storage compromises
network solution. occurred.
Flow Done by apps Low space Patterns about Silk, Argus, Retrospective
on computers requirements, conversations, etc. analysis,
on the network so it’s easy. amount of finding
or by decent Generally data sent, attackers and
routers unified for large time, etc. compromised
networks. machines.
Log/Alert Done by Generally either Events that Splunk, Alerting us to
whatever app left where they occur and are Arcsight, major
creates them, were created or noticed by SIEM’s problems when
wherever it’s consolidated by some piece of they occur (or
set to write a log manager software, e.g. as soon as our
them. or SIEM attacks, log handling
outages, etc. methodology
shows it to us)14
So what do we capture and when?
Whatever they’ll let you capture
A lot of times the people/systems that you’re
working with will be totally opposed to you
actually using the network for anything
because the world might end or people might
explode. I’ll try to give you ways to work your
way around this.
15
So what do we capture and when?
First get your easy wins
Turn on flow data recording on your switches
and routers and pump it to some machine.
Figure out what log and alert sources are
already present and get them into a log
manager.
16
So what do we capture and when?
Find out what you’re missing
Look at your network diagram and if there’s
any part where you’re not getting data from,
toss a sensor out there.
Look at your data and find trouble spots
Find events/hosts of interest by analyzing the
flow and log data that you’re getting. (More on
how to do this later.)
17
So what do we capture and when?
Increase monitoring in trouble spots
Grab PCAP data from links where you think
compromises are occurring.
Set up IDS/SIEM/etc. products to produce
alerts tailored to the problems you see.
Throw host based monitoring apps on suspect
machines.
18
So what do we capture and when?
Breakdown
Log/alert data: Whenever possible, and
particularly once you’ve tweaked your
alerts.
Flow data: Whenever possible. It’s easy to
capture and easy to work with.
PCAP data: When you need to look closer
than flow or log/alert data allows OR
when you have tons of resources to blow
on disk space.
19
How you’ll typically start an
investigation
SIEM pops up an alert to your screen, fellow coworker, cell
phone, etc saying “Something is horribly wrong on host X!”
Then you open up your flow data for the time in question.
See any patterns? Identify suspicious conversations, capture
the packets (if you can) and investigate further. Mount some
sort of defense against whatever you find.
OR
20
How you’ll typically start an
investigation
Somebody hands you a big pile of PCAP or flow data.
Put it through an app to create flow data or IDS alert data (if
you don’t have it already)
Figure out what kind of monitoring you need to get the data
you truly need to find the problem, catch the bad guy, or get
the conviction. Then go deploy it, assuming you can get client
buy-in. (or… create ticket, walk away)
21
How we’re going to learn this
22
Agenda
Day 1 Day 2
Agenda and motivation PCAP and flow recap
Intro to forensic data types Working with logs and alerts
Working with PCAP data What they look like
What it looks like How to interpret them
How to interpret it Getting them all in one place
How to get it SIEM’s and their familiars
Working with flow data Fielding a monitoring solution
What it looks like
How to interpret it
How to get it
23
PCAP data
Things to think about
PCAP is a straight copy of ALL* network
traffic that flows through the pipe for as
long as you keep recording. That can be
a LOT of data!
How long do you need to listen?
Can your NIC capture it fast enough?
Can your hard drive store it fast enough?
How long can you listen before you have
to free up space?
24
PCAP data
Line speed and storage
Link type mb/s ~MB/s ~GB/day Keep in mind, a single
width PCI slot can
handle, at most, 133
MB/s. Past that you’ll
Ethernet 10 1 87
need PCI-E NIC’s to
capture.
27
PCAP data
How we get it
Network taps - keywords
Half-duplex: Multiple monitor ports only
reproduce one side of the conversation at once
Regenerating: Incoming data is copied to
multiple monitor ports (for multiple receivers)
Aggregating: Receives on multiple ports and
combines the data onto a single (full-duplex)
monitor port (see problems with
oversubscription and timing?)
Fail open/closed: when depowered, open lets
traffic through, closed does not
28
PCAP data
How we get it
Network taps – dealing with fiber
29
PCAP data
How we get it
Network taps
Source: thnetos.wordpress.com
31
PCAP data
How we get it
SPAN ports
Ports on most enterprise grade
switches/routers which mirror all* traffic on
other ports.
Will drop packets if there’s not enough
bandwidth on the port.
You’ll still need a machine connected to it to do
the capture.
DON’T FORGET TO DO TX AND RX!
Make your own impromptu SPAN port with the
ARP flood trick
32
PCAP data
How we get it
SPAN ports
Source: datacomsystems.com
33
PCAP data
How we get it
Direct capture from the NIC on a machine
You’ll always do this at some point.
Very easy and convenient in low traffic
settings. Just start capturing to the hard drive
and stop when you feel like it.
Storage becomes an issue when
(traffic * time) > hard drive capacity OR
(traffic / time) > hard drive write speed
Can only see the traffic going to that host (so
use taps or SPAN ports to gain visibility)
34
PCAP data
How we get it
Direct capture from the NIC on a machine
tcpdump
wireshark
Netwitness
etc.
35
Network coverage – an aside
Network coverage is how much of the
traffic on the network that your sensor
network can see. You can have different
types of monitoring on different parts of
the network, but the main idea is to avoid
blind spots. This applies to PCAP, flow,
logs, and everything else.
36
Network coverage – an aside
Since different segments of the network
carry different traffic, where you decide to
place you sensors will determine what you
can see.
37
Network coverage – an aside
Things to think about
NAT – solve with placement of sensors
VPN – solve with placement of sensors
or VLAN specific configuration
Multiple border gateways – solve using
channel bonding/aggregation
38
Network coverage – an aside
On the outside of your firewall, you see
the attacks that didn’t get through in
addition to the things that did. On the
inside of your firewall you see things that
actually got through. The outside tells
you who’s attacking and how. The inside
tells you what attacks worked.
39
Network coverage – an aside
In addition to the amount of the network
that’s covered, we can also think about
WHEN the network is being covered.
40
PCAP data
Hands on
41
PCAP data
Doing analysis - Wireshark
42
PCAP data
Doing analysis - Wireshark
What we’ll be doing today
Learning the layout of the interface
Capturing PCAP data
Looking at the structure of packets
Filtering packets to find interesting things
Following a TCP session
Carving files
Reading emails
43
PCAP data
Doing analysis - Wireshark
Sources for pcaps
http://wiki.wireshark.org/SampleCaptures
http://packetlife.net/captures/
http://www.pcapr.net
http://www.icir.org/enterprise-
tracing/download.html
Your own machine
44
PCAP data
Doing analysis - Wireshark
So that’s Wireshark. Pretty nice, huh?
When it comes to finding out exactly how
your machine got pwned (aka owned,
pwnt, etc.), it’s pretty effective.
45
PCAP data
Doing analysis - Wireshark
But what if we don’t have time to do all
that poking about and sifting through
packets? Is there a better way to look
through a big pile of PCAP data?
46
PCAP data
Doing analysis - Netwitness
What we’ll be doing today
Learning the interface
Importing some PCAP data
Doing (almost) everything we just did in
Wireshark in less time than it took us before
Catching things that we might have missed
before
47
PCAP data
Doing analysis - Netwitness
Netwitness is a tool for getting a quick
picture of what someone was doing on the
network, especially if you’re going after less
advanced threats, like insider threats or the
average criminal.
48
PCAP data
Doing analysis – Other tools
In addition to sitting down and doing
deep dive analysis on PCAP data by hand,
we can also run it through automated
processes (sometimes even at line
speed!) to do all sorts of other stuff. This
is how firewalls and IDS work, after all.
49
PCAP data
Generating flow and alert data
Useful when someone hands you a big
wad of PCAP and you have no other data
Can be done when you’ve got data from
before you fielded your flow monitoring or
alert generating apps (IDS, firewall, etc.)
Makes analysis of large data sets easier
since it’s faster to look at coarse grained
data.
We’ll cover this when appropriate.
50
PCAP Data
Conclusion
When you have PCAP you can see pretty
much everything.
52
Flow data
Things to keep in mind
53
Flow data
What is flow data?
There’s some variation, but generally a
record contains the following:
Source and dest ip
Source and dest port
Protocol
Start time + (duration | end time)
# of packets
# of bytes
Directionality? Depends on format.
54
Flow data
Netflow v5 protocol
Source: caida.org/tools/utilities/flowscan/arch.xml 55
Flow data
Command line output
56
Flow data
Directionality
Some types of flow records are unidirectional
(SiLK, rw tools), and others are bidirectional
(argus, ratools, original flow data).
58
Flow data
Cutoff and Aging
Until conversations end, their flow data sits in the
router/switch/etc. memory, taking up space (DOS?).
So if we’ve got lots of very long lived flows or flows
that didn’t end well (FIN ACK) we need to free up
that memory and write the flows.
59
Flow data
Sampling
When there’s too much traffic for your
switch, NIC, or whatever to handle,
sampling is used to throttle the workload.
60
Flow data
Formats
And then there are different formats…
61
Flow data
Formats
There isn’t a current standard for how to
store flow data on disk, so different
software suites will store it differently to
suit their search and compression
capabilities. Choose your software suite
based on what formats it can consume,
and be prepared to perform a conversion
if you switch.
62
Flow data
Capturing
Switches and routers
Flow data is gathered by the network
hardware, and then sent over the network to
one or more listeners.
To set up collection and forwarding, look up
instructions particular to your device and the
revision of its OS (typically Cisco IOS).
Remember, this is going over the network, so it
can be intercepted, falsified, or blocked by
attackers, outages, and misconfigurations!
63
Flow data
Capturing
Machines on the network
Creates flow data based on what network
traffic that machine can see.
Can either generate flow data and forward it to
another collector, store it locally, or both.
Also possible to collect flow data from other
machines or network hardware.
Eventually your flow data will have to end up
somewhere. You want that somewhere to be
handy to your analysts.
64
Flow data
Analyzing with argus
Argus is another popular tool which is much
easier to deploy, so we’ll be using it to do
some sleuthing.
Become familiar with a few of the tools
Locate a scanning machine
Detect beaconing
Find activities by a compromised machine
Find routing misconfigurations
65
Flow data
Capturing with SiLK
YAF – yet another flowmeter
Produces IPFIX data from files or network
traffic
Can write to disk or push out over network
Lightweight, easy to install
Works well with SiLK tools
66
Flow data
Capturing – consolidating in SiLK
rwflowpack
Part of the SiLK toolset
Designed to receive input from multiple
sensors and build a consolidated repository for
analysis
Just one of the pieces of a full sensor network.
67
Flow data
Analyzing with SiLK
SiLK tools
Produced by CERT NetSA
Relatively easy to use
We’ve already been using them and have done
a decent amount of writing on how to use them
(check my transfer folder)
68
Flow data
SiLK tools - conclusion
Free, very powerful, extensible, pretty easy to
use.
Command line tools are great for things that
we have running as daemons, but for
visualizing flow data we can find a better
interface. With the right tools, we can add
better visualization.
69
Flow data
Visualizing
Open source
Afterglow + graphviz: cheap, but too much
work to set up
Free/commercial
Scrutinizer: quick and easy, consumes pretty
much any flow data, free version is limited to
24 hours of data
Lynxeon: belongs in the SIEM category,
visualization tool is worth a mention though,
60 day trial
70
Flow data
Visualization
http://www.networkuptime.com/tools/netflow/
http://freshmeat.net/search/?q=netflow§ion=projects
TONS more
72
Agenda
Day 1 Day 2
Agenda and motivation PCAP and flow recap
Intro to forensic data types Working with logs and alerts
Working with PCAP data What they look like
What it looks like How to interpret them
How to interpret it Getting them all in one place
How to get it SIEM’s and their familiars
Working with flow data Fielding a monitoring solution
What it looks like
How to interpret it
How to get it
73
PCAP reCAP
Most granular data we can collect
Takes a lot of resources to gather
Great for finding out how machines got
pwned
Bad for figuring out what’s going on
quickly
Can be converted into flow and alert data
with the right tools
74
FLOW reFLOW
Info about conversations on the network
Cheap and easy to collect
Quick to analyze with the right tools
Different analysis suites, formats
75
Learning styles to use
More tool use?
More theory?
More collaboration!
You’ve got threats. I’ve got solutions.
76
Questions about anything up
to now?
77
Agenda
Day 1 Day 2
Agenda and motivation PCAP and flow recap
Intro to forensic data types Working with logs and alerts
Working with PCAP data What they look like
What it looks like How to interpret them
How to interpret it Getting them all in one place
How to get it SIEM’s and their familiars
Working with flow data Fielding a monitoring solution
What it looks like
How to interpret it
How to get it
78
Log/Alert data
What are we dealing with?
Logs are any continual text output stored
by applications or devices in the process
of their functioning.
79
Log data
Typical sources
Web server
Web proxy
DNS
Operating system (/var/log/*)
SMTP
Whatever you’re using to manage logons
Building access controls
HVAC/ICS/SCADA/Power
80
Alert data
Typical sources
IDS
Firewall
Host based IDS
SIEM (Security Information & Event Manager)
Your server uptime and HA (high availability)
stuff
What else?
81
Alert data
Redundant IDS, etc?
Extra configuration
Add personnel
When one dies- “Multiple TippingPoint IPS
Malformed Packet Detection Bypass
Vulnerability”
Increased attack surface
More filtration, more rules, etc.
82
Alert data
Let’s go set up some triggers
Here’s how you go about getting good alerts
Find an incident that you want to be alerted about
Continue testing…
83
Alert data
What will we use as a trigger?
Snort!
Open source, support packages available
Basis for Sourcefire appliances
Very popular, good support among SIMs
Very robust community providing rules,
extensions, add ons, and anything else you
can think of
Rule set subscriptions can be had from
Sourcefire, and rules become free 30 days
after they’re made available to subscribers
84
Alert data
How Snort works
1. Reads traffic from network
2. Decodes packets
3. Performs stream reassembly
4. Applies filters
5. Upon the first filter match, an alert is
generated
85
Alert data
Writing Snort rules
86
Alert data
Writing better rules
Write to the vulnerability, not the exploit
Inspection chain
87
Log/Alert data
Priority of sources
Obviously not all data is equal, so here’s the
basic order of which ones you should
concentrate on first.
88
Log/Alert data
What does it look like?
Tons of formats, most of them
customizable and flexible, some standards
Often application specific
Hard to read straight through, even using
search…
90
Log/Alert data
Dealing with disparate data
There’s too much text and not enough
context. We need a way to get to the
important logs and alerts quickly.
91
Log/Alert data
SIM, SEM, SIEM…
SIM = Security Information Management
92
Log/Alert data
SIEMs
Perform event correlation, reduce false
positives
95
Log/Alert data
Some common managers/SIEMs
http://www.gartner.com/technology/media-products/reprints/nitrosecurity/article1/article1.html
Source: Gartner (May 2010)
96
Log/Alert data
Arcsight event priority
Recalculated by ESM
Factors in:
Normalized Severity S [0—10]
Model of Confidence MCR [0—1]
& Relevance
Security History H [1—1.3]
Asset Criticality C [0.8—1.3]
Priority = S * MCR * H * C
97
Log/Alert data
Arcsight event priority
Priority = S * MCR * H * C
98
Log/Alert data
Using SIEMs effectively
Understand the complexity of the tools you are
using and allocate personnel appropriately.
99
Deploying a monitoring solution
What you need to monitor a network will
vary greatly depending on the size of the
network, its purpose, the threats it will
face, the technology used to build it, and
countless other things.
Now go to
www.ratemynetworkdiagram.com and
let’s play pin the sensor on the network.
100
Extended topics
(if we have time)
Privacy/confidentiality laws
Attacking network monitoring devices
Evading network monitoring
Wireless monitoring
What products have you used and which
ones did you like?
What else?
101
The End!
102