Tag Archives: information security

How to get a fabulous Intrusion Detection System with Full Packet capture on a shoestring budget!

Recently, I have been involved in configuring an Intrusion Detection System IDS (IDS) with full packet capture using the SecurityOnion distribution (distro) in the production environment. Previously, I had set up a SOHO IDS environment when I was learning during the first Compromise, Detect and Respond (CDR) project. But that IDS deployment was done using a different distro and it also did not have the full packet capture capabilities. So in order to better familiarize myself with SecurityOnion, I decided to do a quick post about it.

Just in case you are not familiar with SecurityOnion, you can check out their awesome page here. I am not going to try to explain much about the distro itself because my explanation will not do it enough justice. Besides, their website has a whole lot more information than I can provide. They do a great job in explaining how you can start from scratch and have a system up and running in no time. They even go over how you can customize it for your specific environment and maintain the system going forward.

I followed the installation steps here and the post-installation guide here and within an hour, give or take, I had the IDS up and running (including the time it took to download the 1.3GB ISO image over my home connection). And just like my previous labs, the whole setup here was very simple: I used my laptop’s VMware Workstation for the SecurityOnion and placed the network interface in promiscuous mode to capture traffic from the host and also from other virtual machines—and, yes, using this method results in a significant packet loss, but you get the idea.

NETWORK PROMISCUOUS MODE

Enabling and verifying promiscuous mode configuration

After finishing the IDS configuration, my Snorby screen looked like the above. You will notice that there isn’t much activity here compared to what we saw during the first CDR project. The main reason for this is that in the previous setup we had Metasploit running and we were playing around with some exploits, but this setup is pretty vanilla. But still, it’s pretty sweet to be able to get basic IDS up and running easily and quickly.

So, in order to generate some interesting IDS alerts, I set up TOR in my test environment, and as you can see, it has triggered some high severity events:
Sample Alert

Now we can select any of the above alerts to view the packet details. Here are the steps for that: Select the event that you want to analyze > Select “Packet Capture Options” on the top right-hand corner > select “Custom” and then “Fetch Packet“.

Packet Analysis

After you have completed the above steps, you will be presented with a new page: “capME!”

CapME

After logging into the new interface above, you will be able to view the assembled packet behind the event. Pretty cool, huh?!

But our IDS interface is only displaying events that have some potential malicious behavior associated with them. However, there are a whole lot of packets stored in the back end of our SecurityOnion server that we can review via the following path: /nsm/sensor_data/seconion-virtual-machine-eth0/dailylogs:

DailyLogs

You will now see logs broken up into multiple files. Depending on the volume, you may see several files for each day. In my case, there are only two files (2014-11-27 is the latest and has the most amount of data).

We can open the snot.log.xxxxxxxxx file using a number of tools, e.g. Wireshark, TCPdump, SiLK, Netwitness, etc. I opened mine using Wireshark (depending on the file size and your machine’s power, this may take some time).

TOR traffic was definitely the loudest, making up most of the logs:

Encrypted Traffic

And when we try to reassemble it, this is what we get:

TCP Stream_Encrypted

Enabling and verifying promiscuous mode configuration

But by looking at the Protocol Stats, we notice that there is a bunch of other traffic in this capture as well:

Traffic Protocol Statistics Wireshark Protocol Hierarchy ]

Now, we will do some SiLK kung-fu and see what we can pull out of this capture.
The first step is to open the snot.log.xxxxxxxxx file using Wireshark (or any similar tool) and save it as a new .pcap file. In the second step, I used SiLK’s rwp2yaf2sillk to convert our newly created .pcap file into flow format.

# rwp2yaf2silk –in=1417046408.pcap –out=1417046408.silk

Now, we will go through the basic analysis on our capture using various SiLK commands.

5 largest senders of bytes of data:largest-senders

5 TCP connection per source and destination IP:5-tcp-connections

Show all records from the capture with either a source or destination IP of TOR:specific-ip-find

TCP flows with a source IP of our VM and determines the top 5 destination ports by the number of flow records:top-5-destination-ports

Per above output, the majority of our destination ports are 443, with the second largest being port 9001 with 15 total records. Let’s see the amount of data associated with this port:unique-port

Now, as the last step, we will go back to Wireshark and see if we can find the data that is going to port 9001:TCP Port eq 9001Based on the above, it seems like the traffic generated on port 9001 (default TOR port) are simply connection synchronization attempts followed by erupt connection resets.

Anyway, this concludes my quick walk through to setting up IDS with full packet capture using the SecurityOnion distro. I also used Wireshark and SiLK to do a basic triage of the packets. Super cool!

Advertisements
Tagged , ,

Traditional Threats

Below is my take on the common threats against our systems:

In today’s technological environment, risks to computer information are everywhere. These risks start when you power-on your system and save any information on it. However, the risks exponentially grow when you connect your system to a network and access the internet.

Information security is known as the process of implementing the necessary measurements to not only protect the physical environment but also prevent modification, deletion and unauthorized access to information.

The need for information security is vital more than ever. The numbers of the incident that involve information breaches have dramatically increased in last few years. Most of these computer attacks exploit confidential information from companies’ networks (Tarte). Experts believe that the reason behind this increase is due to open vulnerabilities in corporate networks.  Attackers are able to easily abuse these weaknesses and gain access to confidential information. However, attacks have also grown to be more sophisticated than ever. In most cases, victims do not realize that they are under attack until it is too late. It’s hard to believe but attackers are able to remain “inside a compromised organization for months, gathering information with which they design and build even more sophisticated attacks” (Neal).

 In addition, these cyber attacks are not only aimed at governments and major corporation networks but also to average consumers. A study conducted by Symantec shows that “65% of people globally have experienced some type of cybercrime” (Schwartz). Almost half of these incidents were caused by viruses and malware; while others were caused by phishing and social networking attacks (Schwartz). Moreover, the most common threat to today’s systems is from malicious codes. This category of software threat includes viruses, Trojan horses, logical bombs, and worms.

Malicious code is a threat which is defined to perform unlawfully, the desired function which allows unauthorized access to confidential information.  These codes are capable of bypassing security software and destroy the system. It is very important that the necessary steps are taken to protect systems against these malicious codes. However, it is vital that we first differentiate among varies malicious codes (Computer virus: the types of viruses out there).

Viruses are the most common type of malicious code. This software enters the system using one the following ways: through email, peer-to-peer sites or by using infected removal media, such as flash drive. In some cases viruses simply reside on the victim’s system, however, usually, viruses are designed to destroy the data and operating system as well as spread to other systems. Upon getting infected, viruses usually take complete control of the system; by flashing annoying pop-ups and denying users full access. However, in rare cases, viruses hide their presence from the user. In both cases, the system significantly slows down and free disk space rapidly decreases. In severe instances, the system could mysteriously shut itself down and/or doesn’t reboot with, BSOD (Blue Screen of Death) error (Dulaney).

Moreover, viruses are programmed to conduct two terrible tasks: bring your system to a halt, where it is no longer usable or to use your system as means to spread to other systems. Upon infecting a system, the virus attaches itself to all the data and system files on that particular computer. This makes it easy for the virus to spread to other systems. The most common method of spreading is through Flash drives; however, the more sophisticated viruses could attach themselves to emails without user’s awareness.

Unlike before, the security administrators of today are faced with the difficulty of identifying the exact type and characterizes of the certain virus before taking the necessary removal actions. Following are the most common and challenging virus types. An armored virus is programmed to hide from any anti-virus software. It does that by having a second set of code or a decoy code which protects the actual code from detection.  Companion virus works similar to an armored virus in a sense that it hides from detection; however, it accomplishes such task by associating itself as an extension to a legitimate application. When a user opens that application, companion virus executes instead of the actual application. This type of virus is often used to corrupt Windows systems by manipulating the Registry (Computer virus: the types of viruses out there).

Moreover, the goal of a computer is to make lives of its users easier, and macro offers exactly that. It allows the user to code series of commands which are saved and can be executed automatically and repeatedly. These macros are usually used for Microsoft applications such as Word and Excel. Macro virus exploits the actual function of the macros and spread itself to other systems. “Macro viruses are the fastest growing exploitation today” (Dulaney).  In addition, there is another type of virus which attacks the system in several different ways. Multipartite virus embeds itself in the boot sector of the operating system as well as it attaches to all the executable files in the system. The idea behind this virus is that the user won’t be able to control this virus and meanwhile virus will continue infestation process (Dulaney). Likewise, stealth virus also attaches itself to the boot sector of the hard drive. When a user runs anti-virus software, stealth virus redirects the commands around itself which makes it hard to detect this infection. This virus holds the capabilities of relocating itself from one location to another while the anti-virus software is in process.

Moreover, phage virus attaches itself to programs and databases but it also modifies applications. The only way to successfully remove this infection is by reinstalling the application. The reason for that is because if any file is missed, the infection processes will initiate again and spread throughout the system.  Another powerful infection is polymorphic virus. Unlike all the other infections, this virus encrypts part of itself to avoid detection. This makes it difficult for anti-virus software to detect this infection (Dulaney). Polymorphic viruses’ characteristics are referred to as mutation because it changes itself often to hide from antivirus software. Similarly, retrovirus bypasses itself and gets access to the system. Unlike all other infections that hide from anti-virus software, retrovirus directly attacks the anti-virus software installed on the system. Due to the power of this virus, it destroys the systems anti-virus software where it’s no longer functional. However, the user continues to believe that the installed anti-virus software is fully functional and that the system is protected (Dulaney).

It is important to differentiate additional threats that are often misinterpreted as viruses.

The two most common troublesome non-virus threats are spam and worms.

Spam is defined as “copies of the same message, in an attempt to force the message to people who would not otherwise choose to receive it” (Mueller). Most often spam consists private advertising and “get-rich-quick” schemes (Mueller). The attacker gathers information by stealing mailing lists and retrieving email addresses from the web. Even though most users ignore spam and mark it as junk to prevent receiving it in the future. However, users that open spam ultimately get overwhelmed by the amount of spam they begin to receive. Besides being annoying, spam does cost the Internet Service Provider to transmit which in result costs the end user (Mueller).

On the other hand, a worm is different from a typical virus in a sense that I can reproduce itself without the need of any host. “Many of the so-called viruses that have made the papers and media were, in actuality, worms and not viruses” (Dulaney). The most devastating example of a worm is Melissa, which spread to more than 100,000 systems and one location was attacked with 32,000 copies in 45-minutes (Dulaney). Worms are designed to propagate using TCP/IP, emails, internet services and other means.

Protection:   

Even though it is impossible to completely protect your system, however, if proper procedure is followed the likelihood of becoming a victim decreases. “The best defense against a virus attack is up-to-date antivirus software installed and running” (Dulaney). Usually, the systems that become the victim of attacks don’t have updated anti-virus installed or there wasn’t automatic scan setup. In addition, if you have multiple systems it is recommended that you install anti-virus software from a different vendor on each system. However, the most common mistake that users make is that they install two different anti-virus software on the same system. Doing so makes both software work against each other and ultimately provides no protection to the system. Lastly, it is vital that the user is educated on preventing methods. Regardless of how superior your anti-virus software it; eventually the responsibility comes down to the end user. The user needs to be made aware of the potential threats and how to protect the system from them. “They need to scan every disk, e-mail, and documents they receive before they open them” (Dulaney). Education is the key to protecting information security. In the corporate environment, all the staff members need to be trained on the importance of information security. This training should be followed by consequences for individuals who consistently fail to take information security seriously.

________________________________________________________________________________

References

Computer virus: the types of viruses out there. (n.d.). Retrieved September12, 2010, from http://www.spamlaws.com/virus-types.html
Dulaney, E. (2009). Comptia security+ deluxe. Indianapolis, Indiana: Wiley Publishing, Inc.
McGraw, G, & Morrisett, Greg. (2000). Attacking malicious code: a report to the infosec research council. IEEE Software.
Mueller, S. (n.d.). What is spam?. Retrieved September 27, 2010, from, http://spam.abuse.net/overview/whatisspam.shtml
Neal, D. (2010, September 17). Cyber attacks growing in number and sophistication. Retrieved September 19, 2010, from http://www.v3.co.uk/v3/news/2269980/firms-open-range-security?page=1
Online threats. (n.d.). Retrieved September 18, 2010, from http://www.staysafeonline.org/content/online-threats
Parks, D. (2009, August 28). The common threats to it security. Retrieved September 15, 2010, from, http://www.articlesbase.com/software-articles/the-common-threats-to-it-security-1171518.html
Scwartz, Mathew. (2010, September 08). Symantec finds 65% have been hit by cybercrime. Retrieved September 15, 2010 from, http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=227300362&subSection=Attacks/breaches
Tagged , , , ,
Advertisements
Advertisements