Chapter 9: Cyber Network Defense using Advanced Log Analysis
Transcript of Chapter 9: Cyber Network Defense using Advanced Log Analysis
Lecture Materials for the John Wiley & Sons book:Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
April 21, 2023 DRAFT 1
Chapter 9: Cyber Network Defense using Advanced Log Analysis
Introduction to Cyber Network Defense
•Cyber Network Defense (CND) is a continuously improving process for defending IT assets
•The CND approach in this Chapter includes:
–Lightweight process for CND
–Set of open source scripts for network monitoring and Advanced Log Analysis (ALA) on BackTrack
–Agile strategy for escalating defenses
–Cyber investigations process
–Scenario for eradicating browser-based spyware
–Instructions for implementing the processes
04/21/23 DRAFT 2 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
General Method and Tools for Cyber Investigations
•Investigations are based upon the Scientific Method to focus activities:
–Observation
–Hypothesis
–Evaluation: analyze and interpret data
–Prediction
–Repeat the method to validate predictions
Continuous Cyber Investigation Strategy
•Full packet capture when the network is quiet
•Capture IDS alerts during busy hours
•Investigation of suspicious alerts
•Host-Based Security (HBS)
•Firewalls
•Regular updates/upgrades to processes and technical components
•Integrated CND
Summary of Cyber Investigation Process
•Use the custom CND scripts in a daily monitoring and investigation process:
•# ./snortcap - Run IDS on the overnight packet capture.
•# ./headcap | wc - How many alerts overnight?
•# ./statcap - Count and rank the top alerts.
•# ./hostcap - Which are the top alerting hosts?
•# ./alertipcap 10.10.100.10 - What are the alert details for that host?
•# sort sum*10.10* | uniq -c | sort -rn - Rank the top alerts for that IP
•# ./iporgcap 10.10.100.10 - Which external domains are alerting for that IP?
•# whois 64.94.107.15 - Who owns this IP address when it does not resolve to a domain?
•Use an Internet browser to investigate external IPs and domains. Discover these domains with the following command:
•# ./orgcap - What are all the external alerting domains?
Network Monitoring
•Establish Switched Port Analyzer (SPAN) on the core switch or firewall
–Mirrors all network traffic for IDS
–Caveat: when the mirrored traffic exceeds the bandwidth of the SPAN port, the switch drops the excess and the IDS never sees it; size the span for the busy hours or use a network tap on heavily loaded links
•To begin the IDS in real time, you can use the following daycap script:
  #!/bin/bash
  # Add a parameter like ./daycap keep -- in order to append to logs
  # By default, daytime logs are deleted to conserve space
  # No argument given: remove the previous daytime alert file and packet logs
  if [ -z "$1" ]; then rm -f /tmp/alert /tmp/snort.log.*; fi
  # Full alert format (-A full) writes the multi-line records the ALA scripts parse
  /usr/local/bin/snort -A full -c /etc/snort/snort.conf -l /tmp
Advanced Text Log Analysis
•A set of custom scripts is explained in detail in Chapter 9 – teaching you gawk
•Example: The statcap script creates a histogram of the most frequent alerts. Each Snort full-format alert is a blank-line-separated record whose first line is the "[**] ... [**]" signature:
  #!/bin/bash
  # RS="\n\n" makes each alert one record; FS="\n" makes each line one field
  gawk 'BEGIN {FS="\n"; RS="\n\n"} {print $1}' alert | gawk '/\[\*\*\]/' | sort | uniq -c | sort -rn | less
•The hostcap script finds the host generating the most alerts. Line 3 of each alert reads "timestamp src:port -> dst:port", so field 2 of that line is the source address:
  #!/bin/bash
  # FS and RS must be set in BEGIN, before the first record is read
  gawk 'BEGIN {FS="\n"; RS="\n\n"} {print $3}' alert | gawk '{print $2}' | gawk -F: '{print $1}' | gawk '/[0-9\.]+/' | sort | uniq -c | sort -rn
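The daily sequence from the Summary of Cyber Investigation Process slide and the statcap and hostcap pipelines above, as an added example that is not part of the book's scripts: a POSIX sh/awk re-implementation run against a constructed Snort "-A full" alert file. The function names statcap, hostcap, alertipcap and iporgcap follow the book's script names; rankipcap and make_sample_alerts are this example's own, and every host, signature and IP in the sample file is invented. It assumes the full-alert layout the book's gawk scripts rely on: blank-line-separated records, signature on line 1, "timestamp src:port -> dst:port" on line 3.

```shell
#!/bin/sh
# Added example, not the book's scripts: portable awk/sh triage of Snort full-format
# alerts. Uses RS="" (POSIX paragraph mode) instead of gawk's RS="\n\n", so it also
# runs under mawk or busybox awk.

# Constructed sample alert file (invented hosts and signatures, not real traffic).
make_sample_alerts() {
  cat > "$1" <<'EOF'
[**] [1:2000001:1] CONSTRUCTED Spyware beacon to tracking host [**]
[Classification: Misc activity] [Priority: 3]
04/21-09:15:01.000001 10.10.100.10:51234 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:2000001:1] CONSTRUCTED Spyware beacon to tracking host [**]
[Classification: Misc activity] [Priority: 3]
04/21-09:20:01.000002 10.10.100.10:51240 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:2000002:1] CONSTRUCTED Outbound DNS to non-corporate resolver [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
04/21-09:21:13.000003 10.10.100.22:53022 -> 66.235.147.10:53
UDP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:70

[**] [1:2000001:1] CONSTRUCTED Spyware beacon to tracking host [**]
[Classification: Misc activity] [Priority: 3]
04/21-09:25:01.000004 10.10.100.10:51250 -> 64.94.107.15:80
TCP TTL:128 TOS:0x0 ID:4 IpLen:20 DgmLen:60 DF
EOF
}

# statcap: histogram of signature lines, most frequent first.
# sed strips uniq -c's leading padding so output is "count signature".
statcap() {
  awk 'BEGIN { RS=""; FS="\n" } /\[\*\*\]/ { print $1 }' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# hostcap: rank source hosts by alert count. Field 3 of the record is the address
# line; its second word is src:port, and the part before ":" is the source IP.
hostcap() {
  awk 'BEGIN { RS=""; FS="\n" } { split($3, f, " "); split(f[2], s, ":"); print s[1] }' "$1" \
    | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# alertipcap: the full records in which the given IP is source or destination.
# Addresses are compared as strings, so 10.10.100.1 cannot match 10.10.100.10
# the way an unescaped regex would.
alertipcap() {
  awk -v ip="$2" 'BEGIN { RS=""; FS="\n"; ORS="\n\n" }
    { split($3, f, " "); split(f[2], s, ":"); split(f[4], d, ":") }
    s[1] == ip || d[1] == ip { print }' "$1"
}

# rankipcap: the "sort sum*IP | uniq -c | sort -rn" step, i.e. top signatures for one IP.
rankipcap() {
  alertipcap "$1" "$2" | awk '/^\[\*\*\]/' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# iporgcap: external peers the given source IP was alerting to, ranked. Resolve each
# with host(1) or whois(1) as a separate step so the triage itself runs offline.
iporgcap() {
  awk -v ip="$2" 'BEGIN { RS=""; FS="\n" }
    { split($3, f, " "); split(f[2], s, ":"); split(f[4], d, ":") }
    s[1] == ip { print d[1] }' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Run the whole daily sequence on the sample file:  sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  make_sample_alerts "$f"
  echo "alerts overnight: $(grep -c '^\[\*\*\]' "$f")"   # the headcap | wc step
  statcap "$f"; hostcap "$f"
  rankipcap "$f" 10.10.100.10; iporgcap "$f" 10.10.100.10
  rm -f "$f"
fi
```

On the sample file the top signature is the beacon (3 hits), the top host is 10.10.100.10, and the only external peer that host alerts to is 64.94.107.15, which is the address the investigation then takes to whois.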
Advanced Binary Log Analysis: Wireshark
Advanced Binary Log Analysis: tcpdump
Reporting Cyber Investigations
•Lesson Learned: Do not go to a cybersecurity professional and inform them that their machine is generating copious beacons – panic ensues!
•Instead, approach reporting in a non-judgemental, diplomatic manner
•Provide proof of your findings
–It will certainly be requested
•Empower people to resolve the problem with guidance and mentoring
Elimination of Cyber Threats
•Block suspicious domains on a single host using the hosts file (Windows: C:\Windows\System32\drivers\etc\hosts; Linux: /etc/hosts):
  127.0.0.1 ak.quantcast.com
–Caveat: a hosts entry only stops connections made by name; malware that connects to a hard-coded IP, or resolves names over its own channel, is unaffected
•Block suspicious IPs from the entire network at the firewall (e.g. Cisco ASA):
  $ enable
  Password:
  # config t
  (config)# object-group network Blocked_IPs
  (config-network)# network-object 64.94.107.0 255.255.255.0
  (config-network)# network-object 66.235.147.0 255.255.255.0
  <repeat for additional IPs>
  (config-network)# exit
  (config)# access-list in2out2 extended deny ip any object-group Blocked_IPs
  (config)# access-list in2out2 extended permit ip any any
  (config)# access-group in2out2 in int inside
  (config)# show running-config access-list in2out2
  (config)# wr mem
  (config)# exit
  # exit
–Caveats: the deny entry must precede the permit-any entry, because the ASA evaluates an access list top down and stops at the first match; binding in2out2 with access-group replaces whatever access list is already applied inbound on the inside interface, so merge existing rules into it first; and a /24 network-object blocks every host in that range, not only the one that alerted
Logs on Various OS/Services
Intrusion Discovery on Windows
•To detect intrusions, seek out:
–Unusual processes and services
–Unusual files and registry keys
–Unusual network activity
–Unusual scheduled tasks
–Unusual accounts
–Unusual log entries
REVIEW Chapter Summary