Post on 25-Jun-2020
Five Code RED Security Threats to Windows Servers – How to Detect Them
The Importance of Consolidation, Detection – Enterprise Security Series
White Paper
Five Code RED Security Threats to Windows Servers
Abstract
How important is it for your organization to stop an intrusion? How important is it for your organization to keep critical applications available at all times? The purpose of this white paper is to identify and demonstrate how to detect five of the most significant indications that a security breach is being attempted or is under way. Critical alert notifications and an effective resolution strategy will reduce IT costs, while increasing service availability and enhancing the security of your enterprise.
The information contained in this document represents the current view of EventTracker on the
issues discussed as of the date of publication. Because EventTracker must respond to changing
market conditions, it should not be interpreted to be a commitment on the part of EventTracker,
and EventTracker cannot guarantee the accuracy of any information presented after the date of
publication.
This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS
OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, this paper may be freely distributed without permission from EventTracker,
if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.
EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from EventTracker, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or should
be inferred.
© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products
mentioned herein may be the trademarks of their respective owners.
Introduction
For a secure corporate network, firewalls and anti-virus software are absolute requirements, but they are still not enough to stop all of the critical security threats to your network. In addition, while the greater number of computer attacks come from the outside, the most serious and costliest to an organization often come from inside, from your own users, and firewalls and anti-virus can do little to prevent these types of attack. With the proliferation of USB flash drives, sometimes the biggest risk an organization can face is as simple as insiders copying sensitive information onto a portable drive.
Even attacks from the outside can evade firewall security. Hackers who have procured a user list and are attacking through a password-guessing scheme are sophisticated enough to realize that systems will lock them out after a certain number of unsuccessful login attempts, so they rotate their attempts through different accounts and different machines until they find a combination that gets them in. None of these actions alone will trigger suspicion; only by associating these seemingly disconnected events can a connection be made that an attack is in progress.
Malware and spyware are another problem facing organizations today. Anti-virus companies are in a constant race to keep up with the release of new threats into the wild; however, there is a delay from detection to fix, and in that time the damage can be done. Most threats out there do two things: first, they get installed on the host system, which requires a new file or a change to an existing file or to the registry; second, most malware starts to communicate with the outside world, sending information and asking for instructions. These symptoms can be detected through change monitoring and network connection monitoring.
To proactively detect and prevent these types of security threats, you need to consolidate and mine your
event log information using Security Information and Event Management solutions such as EventTracker.
Threat 1: Intrusion Attempts
Intrusion attempts by hackers or internal users occur frequently in many medium to large-sized organizations, especially universities and financial institutions.
A hacker, from their workstation, can run an automated script and attempt to log on to different servers with different username and password combinations. The hacker is well aware that most systems will lock them out after three failed attempts with the same username. To avoid this, they will use different usernames and passwords on different network servers until they gain unauthorized entry. Once in the server, they can access critical data or compromise security.
The Windows operating system records each user attempt to log in to the individual server in its event logs. However, it is only possible to detect the above scenario by methodical analysis of each server's log. This type of intensive analysis is generally only performed post mortem, after the user has damaged the system and security is compromised. According to security experts, this can cost an organization from $100K to $1M, based on the value of the data compromised and the size of the company.
EventTracker can help
EventTracker identifies the source of logon attempts and detects hacks before it is too late. EventTracker monitors real-time user activity events from all systems at a central location, and maps all user activity to the IP address.
The example event shows the suspicious IP address because dozens of logon attempts are initiated from
this IP address in less than two minutes. This event is generated in real-time and is a clear indication that
an intrusion is in progress. In a large organization where there is always a significant volume of login
failures due to user error, this ability to trace to a single login point is invaluable. EventTracker can also
alert on a simple threshold of overall failed logins.
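As an added example (not EventTracker's code, which this paper does not show), the following Python correlates consolidated failed-logon records by source IP, as the text describes, and flags a source whose failures within two minutes spread over several accounts and servers; it also implements the simpler overall threshold. The record layout and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records (Event ID 4625 style) already consolidated
# from several servers; the tuple layout is an assumption, not the page's format.
SAMPLE_EVENTS = [
    # (timestamp,            server,    target account, source IP)
    ("2020-06-25 09:00:01", "SRV-FS1", "alice", "10.1.2.3"),
    ("2020-06-25 09:00:14", "SRV-FS1", "bob",   "10.1.2.3"),
    ("2020-06-25 09:00:27", "SRV-DB1", "carol", "10.1.2.3"),
    ("2020-06-25 09:00:41", "SRV-DB1", "dave",  "10.1.2.3"),
    ("2020-06-25 09:00:55", "SRV-WEB", "erin",  "10.1.2.3"),
    ("2020-06-25 09:01:10", "SRV-WEB", "frank", "10.1.2.3"),
    ("2020-06-25 09:00:05", "SRV-FS1", "grace", "10.1.9.9"),  # ordinary typo
    ("2020-06-25 09:00:30", "SRV-FS1", "grace", "10.1.9.9"),
    ("2020-06-25 09:30:00", "SRV-FS1", "alice", "10.1.2.3"),  # outside window
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_account_rotation(events, window=timedelta(minutes=2),
                            min_failures=5, min_accounts=3):
    """Flag source IPs whose failures inside `window` spread over several
    accounts and servers: each account stays under its lockout threshold,
    so only the per-source correlation reveals the guessing run."""
    recent = defaultdict(deque)      # source IP -> recent (time, server, account)
    alerts = {}
    for ts, server, account, ip in sorted(events):   # ISO timestamps sort as text
        t = parse_ts(ts)
        q = recent[ip]
        q.append((t, server, account))
        while t - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        accounts = {a for _, _, a in q}
        if len(q) >= min_failures and len(accounts) >= min_accounts:
            alerts[ip] = {"failures": len(q), "accounts": sorted(accounts),
                          "servers": sorted({s for _, s, _ in q}),
                          "last_seen": ts}
    return alerts

def overall_failure_threshold(events, window=timedelta(minutes=2), limit=5):
    """Simpler rule from the page: total failed logons, any source, in `window`."""
    q = deque()
    for t in sorted(parse_ts(e[0]) for e in events):
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) > limit:
            return True
    return False

if __name__ == "__main__":
    for ip, info in detect_account_rotation(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {info['failures']} failures across "
              f"{len(info['accounts'])} accounts on {info['servers']}")
    print("overall threshold exceeded:", overall_failure_threshold(SAMPLE_EVENTS))
```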
What happens if the hacker is able to gain access? Often an easy way to detect a successful penetration is to monitor for unusual user logon-logoff activity.
Most users have common logon-logoff patterns. Users are responsible for certain numbers of events
shown in the event log per day, including a number of logons, logoffs, logon failures and other common
events. The number of events logged per user generally varies between 50 and 100 events per day in most
organizations.
If you continuously monitor user activity patterns, it is possible to detect when this behavior pattern
changes. When a user begins to have unusual login patterns this requires the immediate attention of IT
security. Worst-case scenario: Someone is trying to gain unauthorized access to the system by using
specific user rights. It is also possible that it is not malicious activity by a user, but a faulty application
generating large numbers of events with a specific username. While it may not be a security issue, it is an
operational issue, which requires the system administrator’s attention to identify why and which
application is generating the extreme number of events.
EventTracker can help
EventTracker monitors activities performed by each normal and administrative user in real-time. If activities performed by a user appear to be outside the predefined normal pattern, EventTracker immediately identifies the user and sends an alert in real-time. The alert also includes a trace to all of the user activities.
The example alert indicates that the user John.Smith has over 6,000 logon-logoff related activities since 12 A.M., unusually high by any standard. Further investigation is warranted to trace log activities by John.Smith to find out which workstation or process is logging these events.
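Added example, not from the page or EventTracker: a per-user daily volume baseline built from constructed history, with an alert when a user's count for the day is far above their own norm (here John.Smith at 6,000 events, echoing the alert above). History, event mix and thresholds are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history: daily event counts per account over the previous week,
# as counting logon/logoff/failure events in a consolidated log would yield.
# Names and numbers are made up; John.Smith echoes the page's sample alert.
HISTORY = {
    "John.Smith": [62, 71, 80, 66, 75, 90, 58],
    "Jane.Doe":   [40, 45, 38, 52, 47, 41, 44],
    "svc_backup": [300, 310, 295, 305, 298, 302, 299],
}

# Constructed stream for "today": (account, event ID); 4624 logon, 4634 logoff.
TODAY_EVENTS = (
    [("John.Smith", 4624), ("John.Smith", 4634)] * 3000   # 6,000 events
    + [("Jane.Doe", 4624), ("Jane.Doe", 4634)] * 22       # 44 events
    + [("svc_backup", 4624)] * 300
)

def count_per_user(events):
    """Daily event volume per account from the consolidated stream."""
    return Counter(account for account, _ in events)

def baseline(history):
    """Per-user mean and population standard deviation of daily counts."""
    return {user: (mean(c), pstdev(c)) for user, c in history.items()}

def detect_unusual_users(today_counts, history, z_limit=4.0, min_sigma=5.0,
                         default_limit=100):
    """Users whose volume today exceeds their own baseline by more than
    z_limit standard deviations (sigma is floored so a very steady user is
    not flagged for a handful of extra events). Accounts with no history
    fall back to the upper end of the 50-100 events/day norm the page cites."""
    base = baseline(history)
    flagged = {}
    for user, n in today_counts.items():
        if user in base:
            mu, sigma = base[user]
            limit = mu + z_limit * max(sigma, min_sigma)
        else:
            limit = default_limit
        if n > limit:
            flagged[user] = {"today": n, "limit": round(limit, 1)}
    return flagged

if __name__ == "__main__":
    for user, info in detect_unusual_users(count_per_user(TODAY_EVENTS),
                                           HISTORY).items():
        print(f"ALERT {user}: {info['today']} events today, limit {info['limit']}")
```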
Threat 2: Excessive access failures by a user
Identifying repeated and persistent attempts by a user to gain unauthorized access to files and directories is another first step to detection of a potential attack. It could be an attempt by an inside user to access resources for which they do not have permission or, even worse, somebody purposely trying to find a weak spot.
An attacker will rarely gain access to directories or files on the first attempt. Multiple access failures by a user can indicate a potential hacking attempt, and an investigation is warranted. If the security officer can be warned in real time, they can immediately catch the likely threat.
EventTracker can help
EventTracker maintains a list of all access failures by user and by IP address. When access failure counts
are exceeded within a predefined time, EventTracker generates an alert and identifies the user or IP
address. You can also run a report of all access failure attempts by user to identify which resources they
tried to access.
The above event identifies, in real time, the user Jagat as attempting to gain unauthorized access to data. The system administrator can run a report to identify which file or resource the user Jagat is trying to access and decide the correct course of action.
The example report indicates which files the user Jagat unsuccessfully tried to access and at what time.
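Added example (not the vendor's code): counting access failures per account within a predefined time and producing the "which resources, when" report the text describes, over constructed failure-audit records that reuse the page's user Jagat. Paths, times and the five-minute/five-failure thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed object-access failure audits (timestamp, account, resource),
# the shape a consolidated "Failure Audit" stream would provide; the user
# name reuses the page's example (Jagat), the paths are made up.
ACCESS_FAILURES = [
    ("2020-06-25 14:02:11", "Jagat", r"\\SRV-FS1\Finance\payroll.xlsx"),
    ("2020-06-25 14:02:19", "Jagat", r"\\SRV-FS1\Finance\budget2020.xlsx"),
    ("2020-06-25 14:02:40", "Jagat", r"\\SRV-FS1\HR\salaries.docx"),
    ("2020-06-25 14:03:05", "Jagat", r"\\SRV-FS1\HR\reviews"),
    ("2020-06-25 14:03:30", "Jagat", r"\\SRV-FS1\Legal\contracts"),
    ("2020-06-25 14:03:55", "Jagat", r"\\SRV-FS1\Finance\payroll.xlsx"),
    ("2020-06-25 14:10:00", "Amy",   r"\\SRV-FS1\Finance\payroll.xlsx"),
    ("2020-06-25 16:45:00", "Amy",   r"\\SRV-FS1\HR\salaries.docx"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def access_failure_alerts(events, window=timedelta(minutes=5), limit=5):
    """Accounts with at least `limit` access failures inside any `window`
    (the 'predefined time'); the value is the highest count seen."""
    times_by_user = defaultdict(list)
    for ts, user, _ in events:
        times_by_user[user].append(parse_ts(ts))
    alerts = {}
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide the window start forward
                start += 1
            n = end - start + 1
            if n >= limit:
                alerts[user] = max(alerts.get(user, 0), n)
    return alerts

def access_failure_report(events, user):
    """Which resources `user` failed to reach and when, plus per-resource counts."""
    attempts = sorted((ts, res) for ts, u, res in events if u == user)
    return {"attempts": attempts,
            "by_resource": Counter(res for _, res in attempts)}

if __name__ == "__main__":
    for user, n in access_failure_alerts(ACCESS_FAILURES).items():
        print(f"ALERT {user}: {n} access failures within 5 minutes")
        for ts, res in access_failure_report(ACCESS_FAILURES, user)["attempts"]:
            print(f"  {ts}  {res}")
```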
Threat 3: Suddenly emerged listening ports or services on a server
The most common-sense approach to security is to know, watch and protect all entry points into a system, and to ensure that before anyone gains entry, credentials are checked. One entry point to the server is system logons. In most organizations, logons are well watched and well protected. However, users also gain entry to applications running on a server through well-known TCP ports, which listen for incoming requests from users. Before users get access to an application, it is the application's responsibility to check the credentials of the user.
It is common for a new application or an update to an existing application to introduce new TCP ports and listen for new connections. If this is not an approved change, you might have opened a gate for hackers to come into your server.
TCP ports represent a backdoor entry to the server, and hackers know that these entry points are generally not closely watched or well protected. Additionally, malware and spyware, in an attempt to communicate with the outside world, will also open different ports on a system.
Two critical questions an IT security team must ask themselves: 1) Do they know all the entry points to
user systems? 2) Do they have a way to track when a new entry point is opened on a critical server?
EventTracker can help
EventTracker monitors all incoming and outgoing TCP connections. It also maintains the baseline listening ports for each system. If an application starts a new listening port, EventTracker immediately generates an alert in real-time to inform the security manager or system administrator.
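Added example, not EventTracker's: parsing a constructed Windows `netstat -ano` listing, comparing the LISTENING ports against an approved per-server baseline, and reporting any new entry point with its owning PID. The baseline, the server name and the listing itself are assumptions; only the command and its column layout are real.

```python
# Constructed `netstat -ano` output from a Windows server (the command and
# column layout are real; the rows are made up). LISTENING rows are the
# entry points the text says must be known and watched.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       5120
  TCP    10.1.2.10:49700        10.1.2.3:445           ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       880
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Approved baseline of listening ports per server (assumed; in practice taken
# from a known-good snapshot and changed only through change control).
BASELINE = {
    "SRV-WEB": {135, 445, 3389},
}

def parse_listeners(netstat_text):
    """Return {port: set(PIDs)} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue                      # header, blank and non-listening rows
        local, pid = fields[1], int(fields[4])
        port = int(local.rsplit(":", 1)[1])   # handles 0.0.0.0:80 and [::]:80
        listeners.setdefault(port, set()).add(pid)
    return listeners

def new_listeners(server, listeners, baseline):
    """Ports listening now that are not in the server's approved baseline."""
    approved = baseline.get(server, set())
    return {port: pids for port, pids in listeners.items() if port not in approved}

def closed_listeners(server, listeners, baseline):
    """Baseline ports no longer listening (a service stopped or crashed)."""
    return baseline.get(server, set()) - set(listeners)

if __name__ == "__main__":
    current = parse_listeners(SAMPLE_NETSTAT)
    for port, pids in new_listeners("SRV-WEB", current, BASELINE).items():
        print(f"ALERT SRV-WEB: new listening port {port} owned by PID(s) {sorted(pids)}")
    print("baseline ports gone:", closed_listeners("SRV-WEB", current, BASELINE))
```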
Threat 4: Data Leak Prevention
Flash drives are huge productivity enhancers, but a security nightmare. Small devices with large capacity that can slip into a pocket and be inserted into a machine in seconds enable large quantities of sensitive data to be copied quickly. For the mobile worker they make taking work home a snap, but in cases that are more sinister, they allow large amounts of sensitive data to move quickly off premises. Even in a more innocent use case, the accidental loss of a knowledge worker's USB drive can have a significant impact.
Flash Drives, because of their usefulness, cannot simply be banned in most cases, so monitoring their use
is crucial, especially on server systems.
EventTracker can help
Within EventTracker's policy console, security personnel can define a list of permitted USB devices (by their serial numbers) for each Windows machine or group of machines. Using the EventTracker Windows agent, this list of permitted devices is pushed out to the local machines so access can be controlled immediately with no requirement to look up policy on an EventTracker Console.
Every time a USB device is inserted, the EventTracker agent checks its permission list and, if there is no violation of policy, permits the device access while logging the insert activity. If a violation of policy is detected, access is prevented and the violation is immediately sent to the EventTracker Console. In cases where access is permitted, EventTracker also begins to actively monitor all activity on the device, and every file that is written to or deleted from the device is recorded. A complete audit trail consisting of the user, device type, serial number, time and all the file activity is captured and sent as an event to the EventTracker Console for processing.
Sample Report #1: USB Activity Report by Machine
Sample Report #2: Summary Report
Threat 5: Unexpected changes to .exe, .dll and .ini files
On the Windows platform, change is constant. Applications are updated, patches are downloaded and installed. Every piece of software installed, intentionally or not, adds, deletes or changes .exe, .dll or .ini files. There are two potential ways of dealing with this. On critical production servers, the policy is often to lock the machine down. Nothing is changed on these systems other than data files, log files and error files. Any necessary changes are performed after careful review and during planned maintenance windows.
On systems that are not completely locked down, this constantly changing environment can lead to the introduction of malware or spyware, or simply destabilize the system. Regardless of whether the system is locked down or not, it is critical to monitor for changes on servers. On the locked-down machines any change warrants investigation, whereas on the less locked-down system it is a good idea to review changes for potential anomalies.
EventTracker can help
EventTracker tracks all changes on Windows platforms and can automatically generate a daily report for all EXE/DLL/INI changes on the servers. System and security administrators can review the report to verify authorized or unauthorized changes. Unexpected, surprise changes may require an investigation or rollback.
The example change report shows system file changes for the last 24 hours.
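Added example, not the product's code: a hash-based snapshot of the .exe/.dll/.ini files under a directory and a diff between two snapshots that classifies changes as added, removed or modified, the raw material for a daily change report. It runs here on a constructed temporary directory; file names and contents are made up.

```python
import hashlib
import os
import tempfile

WATCHED_EXTS = (".exe", ".dll", ".ini")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, exts=WATCHED_EXTS):
    """{relative path: sha256} for every watched file under `root`."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result

def diff_snapshots(before, after):
    """Classify changes between two snapshots for the daily change report."""
    return {
        "added":    sorted(set(after) - set(before)),
        "removed":  sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }

def demo_run():
    """Simulate a 24-hour window on a constructed install directory:
    one DLL patched, one INI deleted, one new EXE dropped, a log ignored."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.exe": b"MZ-app-v1", "lib\\core.dll": b"MZ-core-v1",
                 "app.ini": b"[main]\nlevel=1\n", "app.log": b"noise"}
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("\\"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        before = snapshot(root)
        with open(os.path.join(root, "lib", "core.dll"), "wb") as f:
            f.write(b"MZ-core-v2")                     # modified
        os.remove(os.path.join(root, "app.ini"))       # removed
        with open(os.path.join(root, "helper.exe"), "wb") as f:
            f.write(b"MZ-unknown")                     # added
        with open(os.path.join(root, "app.log"), "ab") as f:
            f.write(b"more noise")                     # not a watched type
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo_run().items():
        print(f"{kind:9s} {paths}")
```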
Conclusion
Consolidating and mining system and application event logs represents a powerful tool to detect the subtle signs around the corporate network that indicate either there is an increased security risk or an actual security breach in progress.
Event Log Management is recognized as a critical requirement to meet corporate compliance objectives,
but the investment made for compliance can also be leveraged to substantially increase the overall
security of the network, decrease expensive system downtime by preventing security breaches, and
increase overall operational efficiency of the IT department.
The EventTracker Solution
The EventTracker solution is a scalable, enterprise-class Security Information and Event Management
(SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2,
legacy systems, applications and databases. EventTracker enables “defense in depth”, where log data is
automatically collected, correlated and analyzed from the perimeter security devices down to the
applications and databases. To prevent security breaches, event log data becomes most useful when
interpreted in near real time and in context. Context is vitally important because often the critical
indications of impending problems and security violations are only detected by watching patterns of
events across multiple systems. EventTracker enables complex rules to be run on the event stream to
detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an
email, page or SNMP message to proactively alert security personnel to an impending security breach.
The original event log data is also securely stored in a highly compressed event repository for compliance
purposes and later, forensic analysis. For compliance, EventTracker provides a powerful reporting
interface, scheduled or on-demand report generation, automated compliance workflows that prove to
auditors that reports are being reviewed and many other features. With pre-built, auditor grade reports
included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, and NISPOM); EventTracker
represents a compliance solution that is second to none. EventTracker also provides advanced forensic
capability where all the stored logs can be quickly searched through a powerful Google-like search
interface to perform quick problem determination.
EventTracker lets users completely meet the logging requirements specified in the National Institute for
Standards and Technology (NIST) Special Publication 800-92 Guide to Computer Security Log
Management, which has emerged as a well-recognized guide for Log Management. EventTracker also
includes Host-based Intrusion Prevention, Change Monitoring and USB activity tracking on Windows
systems, all in a turnkey, off the shelf, affordable, software solution.
EventTracker provides the following benefits:
- A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc.), Solaris BSM, workstations and various other SYSLOG-generating devices.
- Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage.
- Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
- Full support for monitoring of virtualized enterprises.
- Alerting interface that generates custom alert actions via email, pager, beep, console message, etc.
- Event correlation to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.
- Various types of network activity reports, which can be scheduled or generated as required for any investigation or to meet audit compliance.
- Host-based Intrusion Detection (HIDS).
- Role-based, secure event and reporting console for data analysis.
- Change Monitoring on Windows machines.
- USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.
About EventTracker
EventTracker's advanced security solutions protect enterprises and small businesses from data breaches
and insider fraud, and streamline regulatory compliance. The company’s EventTracker platform comprises
SIEM, vulnerability scanning, intrusion detection, behavior analytics, a honeynet deception network and
other defense in-depth capabilities within a single management platform. The company complements its
state-of-the-art technology with 24/7 managed services from its global security operations center (SOC)
to ensure its customers achieve desired outcomes—safer networks, better endpoint security, earlier
detection of intrusion, and relevant and specific threat intelligence. The company serves the retail,
hospitality, healthcare, legal, banking and financial services, utilities and government sectors.
EventTracker is a division of Netsurion, a leader in remotely-managed IT security services that protect
multi-location businesses’ information, payment systems and on-premise public and private Wi-Fi
networks. www.eventtracker.com.