NetworkForensics.pptVIP

Network Forensics OSI Layers Source to Destination Delivery Physical Addresses Physical Addresses Also called mac addresses... IP Addresses IP Addresses Also called network address, logical address Port Addresses Collecting Network-Based Evidence Types of NBE Full content data Every packet is captured Excellent for analysis, but requires much work Session data Summaries of data transfer, including time and duration of transfer, and parties involved Alert data Responding to occurrence of a keyword (shipment) Statistical data Examining which services or protocols are being used more and for longer periods of time Evidence Collection NBE collected: Before a compromise: proactive network security monitoring (NSM) During a compromise: reactive NSM Standard Intrusion Attack Intrusion Phases Reconnaissance: intruder (1st IP address) checks connectivity and vulnerabilities of Web server (victim) Exploitation: launch attack from 2nd IP address against Web server Reinforcement: store tools at 3rd IP address, connect to Web server (backdoor) Consolidation: intruder communicates with backdoor using 4th IP address Pillage: sensitive information is stolen, or base built for further attacks Attack Phases Gaining access to network traffic Hubs A hub forwards a packet to all ports other than the one that received it, thus, all traffic passing by can be seen and collected Taps Test Access Ports are placed between a firewall and router or between switches; cost is ~ 4 or 5 times that of hubs Inline device – homemade tap; computer that supports bridging Switched Port Analyzer (SPAN port) – copy to a mirror port on the switch Tools Full Content: Tcpdump, Ethereal, Flowgrep, hexdump Session: Argus can also run in live mode, Tcptrace Alert: Snort, Bro Statistical: Tcpdstat, Tcpstat Windows Intrusion Situation BankTwo collected network-based evidence while troubleshooting a network problem. The bank did not have a full suite of security monitoring tools, but it was collecting full c