Network Forensics: When conventional forensic analysis is not enough
Manuel Humberto Santander Peláez
GIAC GCFA Gold, GNET Silver, GCIA Gold
Network Security Perimeter
•   Firewalls
•   NIDS/NIPS
•   VPN Concentrator
•   NAC (Switches)
•   Antivirus
•   Antispyware
•   Content Filtering
Network Security Perimeter
(diagram: Firewall, Switch (NAC), VPN Concentrator, NIDS, Security Event Correlator)
Network Forensics
• Capture, recording and analysis of network
  events
• Needed to discover the source and type of network
  attacks
• Large volume of logs and traffic to handle
• Network Security Perimeter devices give lots
  of interesting information
Network Forensics
• Network traffic gives evidence of attacks such as:
   – Exploit attacks
   – Virus breach attempts
   – MITM (man-in-the-middle)
• Valuable when it can be correlated with computer
  breaches.
• Can supply the missing information about a
  computer attack (the “missing puzzle piece”)
Billing Information Change
using a network attack
• Colombia Utility Company is the biggest
  utility company in all of Colombia
• Massive change of the billing amount on 10,000
  installations, about 40% less on each invoice
• Once an invoice is delivered, no change can be
  made (Law 142 of 1994, Colombian Congress)
• Where was the breach? How can this be
  prevented?
Billing Information Change
using a network attack
• Billing is a daily batch process
• 98% of the invoices were altered
• Billing calculations are done by stored
  procedures on the database
• First evidence gathered was a report of users
  executing the offending transactions on the
  application (August 25, 2007)
Billing Information Change
using a network attack
(slide figure not reproduced)
   Same result obtained on every computer
   analyzed from the obtained table
Billing Information Change
using a network attack
• IDS alerts showed the ARP address of the
  main router changing several times; no firewall or NAC
  alert
• Found 4,970 alerts for August 25, 2007
• Investigation showed a local desktop machine
  claimed to be the router for the whole network
  segment
• All billing department people in that segment
  logged on to the application
Billing Information Change
using a network attack
(slide figure not reproduced)
Oexplore access time matches the first access to the
database. Passwords found cracked by Cain.
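The two findings above, the gateway's ARP binding flapping in the IDS alerts and the desktop access time lining up with the first database access, are what a network forensics timeline is built from. The following is an added example, not code from the original presentation or the investigation: it parses raw ARP frames, raises one alert each time the MAC advertised for the gateway IP changes, and pairs those alerts with host- and database-side timestamps that fall inside a window after each alert. Every address, frame and timestamp in it is constructed for the example (only the date comes from the slides); the real segment's addresses, the tool names and the window size are assumptions.

```python
"""Added example (not from the original slides): detect ARP poisoning of
the gateway from raw ARP frames and correlate the alerts with host and
database timestamps. Addresses, frames and times are constructed."""
import struct
from datetime import datetime, timedelta

GATEWAY_IP = "10.1.1.1"                 # assumed segment gateway
GATEWAY_MAC = "00:11:22:33:44:01"       # assumed real router MAC
ROGUE_MAC = "00:aa:bb:cc:dd:ee"         # assumed attacker desktop MAC
VICTIM_IP, VICTIM_MAC = "10.1.1.50", "00:11:22:33:44:50"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet II + ARP frame (op 1 = request, 2 = reply), 42 bytes."""
    eth = _mac(target_mac) + _mac(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + _ip(sender_ip)
           + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_ip, sender_mac) for an IPv4-over-Ethernet ARP
    frame, or None for anything else (wrong EtherType, wrong sizes)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_ip, sender_mac


def detect_gateway_mac_changes(frames, gateway_ip):
    """frames: iterable of (datetime, bytes). Tracks the MAC claimed for
    gateway_ip in the sender fields of requests and replies (both update a
    victim's ARP cache) and returns [(timestamp, old_mac, new_mac), ...],
    one entry per change, which is the condition the IDS alerted on."""
    table = {}
    alerts = []
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, sender_ip, sender_mac = parsed
        if sender_ip != gateway_ip:
            continue
        old = table.get(gateway_ip)
        if old is not None and old != sender_mac:
            alerts.append((ts, old, sender_mac))
        table[gateway_ip] = sender_mac
    return alerts


def correlate(alerts, host_events, window):
    """Pair each network alert with host/database events occurring within
    `window` after it. host_events: list of (datetime, description)."""
    matches = []
    for ts, _old, new in alerts:
        for ev_ts, desc in host_events:
            if ts <= ev_ts <= ts + window:
                matches.append((ts, new, ev_ts, desc))
    return matches


# Constructed capture: the real gateway answers, the rogue desktop then
# answers for the gateway's IP, and the binding flaps as both keep replying.
T0 = datetime(2007, 8, 25, 8, 0, 0)   # date from the slides; time assumed
CAPTURE = [
    (T0, build_arp(2, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC)),
    (T0 + timedelta(minutes=5), build_arp(2, GATEWAY_IP, ROGUE_MAC, VICTIM_IP, VICTIM_MAC)),
    (T0 + timedelta(minutes=6), build_arp(2, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC)),
    (T0 + timedelta(minutes=6, seconds=30),
     build_arp(1, VICTIM_IP, VICTIM_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff")),  # ordinary request, ignored
    (T0 + timedelta(minutes=7), build_arp(2, GATEWAY_IP, ROGUE_MAC, VICTIM_IP, VICTIM_MAC)),
]
# Constructed host-side timestamps standing in for the file access time on
# the attacker's desktop and the first suspicious login in database audit logs.
HOST_EVENTS = [
    (T0 + timedelta(minutes=5, seconds=20), "desktop: sniffing tool executable last accessed"),
    (T0 + timedelta(minutes=9), "database: first login with captured billing credentials"),
    (T0 + timedelta(hours=3), "database: nightly batch started (unrelated)"),
]


def run():
    alerts = detect_gateway_mac_changes(CAPTURE, GATEWAY_IP)
    matches = correlate(alerts, HOST_EVENTS, timedelta(minutes=10))
    return alerts, matches


if __name__ == "__main__":
    alerts, matches = run()
    for ts, old, new in alerts:
        print(f"{ts:%H:%M:%S} gateway {GATEWAY_IP} MAC changed {old} -> {new}")
    for ts, new, ev_ts, desc in matches:
        print(f"  alert {ts:%H:%M:%S} ({new}) <-> {ev_ts:%H:%M:%S} {desc}")
```

On a real capture the frames would come from a pcap rather than from `CAPTURE`, and the window would be chosen from the clock skew between the sensor, the desktop and the database server; the point the example makes is that the gateway MAC change alone proves only that poisoning happened, while the pairing with the desktop access time and the first database login is what ties the poisoning to the billing change.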
Lessons Learned
• Network forensics completes computer
  forensic evidence when the evidence found inside
  computers does not give enough clues.
• Network forensics evidence must be
  correlated with the evidence found on the
  computers to be valuable.
• Security perimeter devices give valuable
  information if well configured.

				