Network Forensics
Slide 1
Network Forensics and Lessons Learnt from the July 07 London Attacks
Geoff Harris, Alderbridge Consulting, [email protected], 1423 321900
FIST Conference, January/Madrid 2008
Sponsored by:
Slide 2
About the Author
Background in Military Communications Design
CEO Alderbridge Consulting formed 1997
ISSA-UK President
UK Government CLAS Consultant
CISSP, ITPC, BSc, DipEE, C.Eng
Slide 3
Slide 4
Slide 5
Early Firewall Adoption
Slide 6
DMZs & De-Perimeterisation
Slide 7
An early Intrusion Prevention System – Is IDS dead?
Slide 8
Forensics – fingerprints & DNA
Edward Henry was appointed Assistant Commissioner of Police at New Scotland Yard and began to introduce his fingerprint system; the first British court conviction by fingerprints followed in 1902.
Slide 9
11 March 2004 – Madrid Train Bombings
10 explosions on 4 commuter trains (cercanías)
killing 191 people and wounding 1,755
Slide 10
7 July 2005 - London
3 tube explosions and 1 bus explosion
Entire London Underground system shut down
Slide 11
Post 7 July 2005 – London Investigations
12 July 2005: three suspects identified from CCTV footage, a missing person's report and documents found in the debris at each bomb site. Luton railway station is closed while police investigate a car parked there, believed to be associated with the suspects caught on CCTV cameras.
Slide 12
The Dummy Run
“Police trawl through 80,000 CCTV tapes”
“Ten weeks after the attacks, CCTV footage was released of three of the bombers setting out on a "practice run".
Mohammad Sidique Khan, Germaine Lindsay and Shehzad Tanweer - but not Hasib Hussain - met at Luton station at around 0810 BST on June 28.
Slide 13
The Dummy Run
Video cameras showed them buying tickets before they boarded a train to King's Cross, where they arrived at 0855 and made their way to the Underground network. Police said they were seen at Baker Street at midday before they returned to King's Cross at 1250, arriving back in Luton 50 minutes later.
Slide 14
Detecting The IT Network Attack
• Firewall logs
• System logs
• IDS – Host IDS & Network IDS
• Correlation of events – SEM tools
Management overhead – MSS
Slide 15
Hiding In The Noise
• The slow scan
• Random ports – random port hopping
• Trojan/covert channels over well-used ports
• The outgoing IRC, http, https threat
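The detection sources listed two slides earlier (firewall logs, correlation of events) and the evasion techniques on this slide fit together in one worked example. The block below is added here and is not from the slides; the firewall log line format, the addresses, the timestamps and the thresholds are all constructed for the demonstration. It shows why a one-minute burst threshold misses a scan that hops to a new port once every seven minutes, while correlating the same DENY events over a day-long window still surfaces it, and it separately flags an internal host that was allowed out to the IRC port.

```python
# Added example: correlating firewall log lines to surface a slow scan.
# Not from the slides; log format, hosts, times and thresholds are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<timestamp> fw1 <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) fw1 (?P<action>DENY|ACCEPT) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def scanning_sources(events, window, min_ports):
    """Sources whose denied connections touched at least `min_ports` distinct
    destination ports inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # src -> deque of (ts, dport) still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "DENY":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len({port for _, port in q}) >= min_ports:
            flagged.add(ev["src"])
    return flagged


def outbound_irc_clients(events, internal_prefix="10.", irc_port=6667):
    """Internal hosts that were allowed to reach an external host on the IRC port."""
    return {ev["src"] for ev in events
            if ev["action"] == "ACCEPT" and ev["dport"] == irc_port
            and ev["src"].startswith(internal_prefix)
            and not ev["dst"].startswith(internal_prefix)}


def constructed_log():
    """Sample log lines: a noisy but benign workstation, one slow port-hopping
    scanner (one probe every 7 minutes), and one internal host talking IRC outbound."""
    t0 = datetime(2008, 1, 15, 9, 0, 0)
    lines = []
    # Benign: repeatedly hits one denied port, so never many distinct ports
    for i in range(40):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} fw1 DENY TCP 10.0.0.5:4{i:04d} -> 10.0.1.2:445")
    # Slow scanner: 26 probes spread over about three hours, each to a different port
    for i in range(26):
        ts = t0 + timedelta(minutes=7 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} fw1 DENY TCP 192.0.2.9:5{i:04d} -> 10.0.1.2:{1001 + 2311 * i}")
    # Covert-channel candidate: internal host permitted out to an IRC port
    ts = t0 + timedelta(minutes=30)
    lines.append(f"{ts:%Y-%m-%d %H:%M:%S} fw1 ACCEPT TCP 10.0.0.7:51234 -> 198.51.100.20:6667")
    return lines


def run(lines=None):
    events = [ev for ev in map(parse_line, lines or constructed_log()) if ev]
    return {
        # The usual short burst threshold sees one port per window and stays silent
        "burst_rule": scanning_sources(events, timedelta(minutes=1), 10),
        # Correlating the same DENY events over a day exposes the slow scan
        "slow_rule": scanning_sources(events, timedelta(hours=24), 10),
        "irc_outbound": outbound_irc_clients(events),
    }


if __name__ == "__main__":
    for name, hosts in run().items():
        print(f"{name}: {sorted(hosts)}")
```

The long window is what makes the correlation work: the per-source deque keeps every denied probe for a day, so the scanner's distinct-port count grows no matter how slowly it moves, while the benign host never exceeds one port. The cost is memory proportional to sources times window, which is the management overhead the slide alludes to.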
Slide 16
[Diagram: Site A and Site B connected over a WAN, with the points of interception for passive network sniffing marked]
“Network CCTV” as a Forensic Tool
Commonly Used Existing Sniffing Products
Microsoft Net Mon
NAI Sniffer
Ethereal
Problem – the ability to capture the moment of attack at the right time and to understand what led up to the attack
Slide 17
“Network CCTV” as a Forensic Tool
For the IDS & Network CCTV - NIKSUN NetDetector
Other products such as NetIntercept
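The problem stated on the previous slide, capturing the moment of attack and understanding what led up to it, is what a continuously recording "network CCTV" buffer is for. The following is an added example and is not code from the slides, from NIKSUN NetDetector or from NetIntercept; the NetworkRecorder class, its packet summaries and the scenario (one web server, a handful of clients and a probing outside host) are constructed. It keeps a bounded retention window of packet summaries and, when an IDS alert arrives, freezes the preceding window for the affected host so the analyst sees the earlier reconnaissance rather than only the packet that tripped the alert.

```python
# Added example of a retrospective "network CCTV" buffer. Not from the slides
# or from any product named there; packet summaries and scenario are constructed.
from collections import deque
from datetime import datetime, timedelta


class NetworkRecorder:
    """Bounded, continuously overwritten store of packet summaries.

    `retention` bounds how far back an alert can look; anything older has
    already been discarded, which is the trade-off a ring buffer makes."""

    def __init__(self, retention):
        self.retention = retention
        self.buffer = deque()      # (ts, src, dst, dport, length), arrival order
        self.incidents = []

    def record(self, ts, src, dst, dport, length):
        """Append one packet summary and expire anything older than `retention`."""
        self.buffer.append((ts, src, dst, dport, length))
        cutoff = ts - self.retention
        while self.buffer and self.buffer[0][0] < cutoff:
            self.buffer.popleft()

    def alert(self, ts, host, lookback):
        """IDS alert on `host` at `ts`: freeze the traffic involving that host
        from the preceding `lookback`, capped at what is still retained."""
        truncated = lookback > self.retention
        start = ts - min(lookback, self.retention)
        snapshot = [p for p in self.buffer
                    if start <= p[0] <= ts and host in (p[1], p[2])]
        self.incidents.append({"alert_ts": ts, "host": host,
                               "packets": snapshot, "truncated": truncated})
        return snapshot


def timeline(snapshot, host):
    """Per-peer first-seen, last-seen and ports: the 'what led up to it' view."""
    peers = {}
    for ts, src, dst, dport, _ in snapshot:
        peer = dst if src == host else src
        entry = peers.setdefault(peer, {"first": ts, "last": ts, "ports": set()})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["ports"].add(dport)
    return peers


def demo():
    """Constructed scenario: an hour of client traffic to a web server, three
    earlier probes from one outside host, then an IDS alert on that server."""
    t0 = datetime(2008, 1, 15, 9, 0, 0)
    web = "10.0.1.2"
    events = []
    for i in range(60):   # one ordinary request per minute from five clients
        events.append((t0 + timedelta(minutes=i), f"10.0.0.{10 + i % 5}", web, 80, 512))
    for minute, port in [(40, 8080), (45, 8443), (50, 22)]:   # reconnaissance
        events.append((t0 + timedelta(minutes=minute), "192.0.2.9", web, port, 60))
    t_alert = t0 + timedelta(minutes=55)
    events.append((t_alert, "192.0.2.9", web, 80, 1400))   # the packet the IDS fires on

    rec = NetworkRecorder(retention=timedelta(minutes=30))
    for ev in sorted(events, key=lambda e: e[0]):   # feed in arrival order
        rec.record(*ev)
    snapshot = rec.alert(t_alert, web, lookback=timedelta(minutes=20))
    peers = timeline(snapshot, web)
    attacker = peers["192.0.2.9"]
    return {
        "buffered": len(rec.buffer),               # only the last 30 minutes survive
        "snapshot": len(snapshot),
        "peers_in_window": len(peers),
        "attacker_first_seen": attacker["first"].strftime("%H:%M"),
        "attacker_ports": attacker["ports"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The retention period is the design decision that matters: the alert at 09:55 can only reach back to 09:25, so probes earlier than that would already be gone, and `alert()` records whether the requested lookback was truncated so the analyst knows the snapshot is incomplete rather than quiet.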
Slide 18
“Network CCTV” as a Forensic Tool
[Network diagram; labels recovered from the slide: London - HQ, Leeds and Manchester sites linked by a WAN; Internet; FW1 firewalls at each boundary; Network IDS Sensor; Stealth Monitoring LAN (RESTRICTED); Web Server; VPN Gateway; Mail Server; Central Security Server; Security LAN (RESTRICTED); Trusted LAN (RESTRICTED) with Server (RESTRICTED); Trusted LAN (UNCLASSIFIED) with Server (UNCLASSIFIED); Proposed Network Recorder]
Slide 19
Hiding In The Noise
Slide 20
Network Packet Decode
Slide 21
Summary
• CCTV in the UK has been highly successful
• Social issues – invasion of privacy
• “Network CCTV” is very powerful as a forensic tool
• Employee and citizen rights apply here too
• The threat to corporate and government networks from terrorism and espionage continues to grow
Slide 22
Creative Commons Attribution-ShareAlike 2.0
You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work
Under the following conditions:
Attribution. You must give the original author credit.
Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Slide 23
With the sponsorship of: www.fistconference.org
Geoff Harris, Alderbridge Consulting, [email protected], 1423 321900