Intrusion Detection and Analysis for Windows-Based Computers
Rutgers University Office of Information Technology
Presented By: Bruce Rights, Systems Administrator, Information Protection and Security, Enterprise Systems and Services

Housekeeping
- Hours
- Bathrooms
- Fire exits
- Telephones
- Recycling
- Smoking
- Contact information
IT Certificate Program – Intrusion Analysis for Windows-Based Computers, April 13, 2015

Intrusion Detection & Analysis for Windows-Based Computers
- Welcome
- Introduction

Expectations and Objectives
- What would you like to get out of this?
- What are your past experiences?
- What has happened in the last month?

Overview
- Intrusions: definitions and examples
- Anatomy of an Intrusion
- Analysis and detection tools: built-in; free; third-party
- Logging and Auditing
- IDS and HIDS
- Incident Response
- Forensics
- Final Thoughts
- Questions

Intrusion: a definition
- Intrude: to thrust oneself in; to enter uninvited or unwelcome; to force in.
- Intrusion: the act of intruding

Intrusion: examples
- Viruses
- Worms
- Trojans
- Spyware
- Browser Helper Objects (BHO)
- P2P leverage
- Data theft
- Denial of service
- Remote control

Intrusion: examples
- 'I was just looking around'
- Keystroke logger
- Rootkits
- Cross-site scripting
- Man in the middle
- Sniffing
- Buffer overflow
- SQL injection
- Password cracking

Intrusion: examples: viruses
- Sasser, Melissa, Sobig, Mydoom, etc.
- Self-propagating
- Purely malicious

Intrusion: examples: worms
- Code Red
- Nimda
- Slammer
- Blaster

Intrusion: examples: trojans
"A Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed."

Intrusion: examples: spyware
"...applications [that] collect information, may or may not install in stealth, and are designed to transmit that information to 2nd or 3rd parties covertly, employing the user's connection without their consent and knowledge.
The word defines the actual intent; this is software (ware) that is designed to collect information in secret (spy)."

Intrusion: examples: browser helper objects
- BHOs: a DLL that allows developers to customize and control Internet Explorer
- Most are good: Google Toolbar
- Some are bad: CoolWebSearch, BonziBuddy

Intrusion: examples: P2P leverage
- Attacker is looking to set up a music or movie download site
- They are looking to use your resources
- They are looking to hide their tracks
- BitTorrent, port 6881

Intrusion: examples: denial of service
- lsass.exe exploit (Sasser)
- Traffic flooding (SYN flood, ping of death)
- E-mail flooding
- Log filling

Intrusion: examples: remote control
- Remote Desktop
- VNC
- GoToMyPC
- pcAnywhere
- Back Orifice
- Beast

Intrusion: examples: remote control
- DameWare: a remote control utility
- It has been hijacked by the bad guys
- Processes to look for include DNTUCli.exe, DNTUCnvt.exe, DNTUS26.exe, DWADEA.exe, DWExp.exe, DWMacDis.exe, DWRCC.exe, DWRCCMD.exe, DWRCCnvt.exe, DWRCINS.exe, DWRCS.exe, DWRCST.exe, DWRTDE.exe
- TCP port 6129

Intrusion: examples: just looking around
- Attacker could be practicing techniques, takes nothing, but leaves a 'calling card'
- Or they could be waiting to see if they get caught
- Or they were looking for something specific you did not have
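Added example, not part of the original slides: a Python check that applies the DameWare indicators from the remote control slide (the listed image names and TCP port 6129) to the output of the built-in `tasklist` and `netstat -ano` commands, and ties a 6129 socket back to the process that owns it. The command output below is constructed for the example, not captured from a real host.

```python
# Added example (not from the slides): look for the DameWare indicators on the remote control slide.
import re

# Image names and port taken from the slide; compared case-insensitively.
DAMEWARE_PROCS = {
    "dntucli.exe", "dntucnvt.exe", "dntus26.exe", "dwadea.exe", "dwexp.exe",
    "dwmacdis.exe", "dwrcc.exe", "dwrccmd.exe", "dwrccnvt.exe", "dwrcins.exe",
    "dwrcs.exe", "dwrcst.exe", "dwrtde.exe",
}
DAMEWARE_PORT = 6129

# Constructed sample output (not captured from a real host).
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
lsass.exe                      612 Services                   0      5,212 K
explorer.exe                  1488 Console                    1     28,004 K
DWRCS.exe                     2044 Services                   0      6,120 K
"""
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       2044
  TCP    192.168.2.30:6129      10.1.2.77:51022        ESTABLISHED     2044
"""

def parse_tasklist(text):
    """Map PID -> image name; the header and separator lines do not match the pattern."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs

def parse_netstat(text):
    """Yield (local_port, state, pid) for the TCP rows only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield int(parts[1].rsplit(":", 1)[1]), parts[3], int(parts[4])

def find_dameware(tasklist_text, netstat_text):
    """Return findings: known DameWare images, and any socket on TCP 6129 with its owner."""
    procs = parse_tasklist(tasklist_text)
    found = [f"process {n} (pid {p})" for p, n in procs.items() if n.lower() in DAMEWARE_PROCS]
    for port, state, pid in parse_netstat(netstat_text):
        if port == DAMEWARE_PORT:
            found.append(f"tcp/{port} {state} by {procs.get(pid, 'unknown')} (pid {pid})")
    return found
```

A rootkit that hides a process from enumeration (see the rootkit slide) would remove the image from `tasklist` but not necessarily its socket, which is why the port check is correlated with the process list rather than relying on names alone.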
Intrusion: examples: keystroke logger
- Can be a hardware or software device
- How many of you check your keyboard connector every morning? http://www.keyghost.com
- Ctrl-Alt-Del provides some protection

Intrusion: examples: rootkits
- Malware which hides itself from typical detection methods
- Can be persistent or memory-based
- User-mode rootkits modify API calls (such as those made by Windows Explorer)
- Kernel-mode rootkits modify the calls made by Task Manager
- BlackLight: http://www.f-secure.com/blacklight
- Rootkit Revealer: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
- http://invisiblethings.org/
- http://www.rootkit.com/

Anatomy of an intrusion: typical process
- Reconnaissance
- Scanning
- Exploit systems
- Keeping access
- Covering tracks

Anatomy of an intrusion: SQL injection
- From an article by Jesper Johansson, Microsoft, which appeared in TechNet Magazine, Winter 2005
- [Network diagram: Bad Guy on the Internet; Firewall; Web Server; Router; Internal Domain with SQL Server and DC; Data Center Router and Firewall. Addresses shown: 172.17.0.1, 192.168.2.30, 10.1.2.x, 172.17.0.2]

Analysis and detection tools: built-in
- Task Manager
- Add / Remove Programs
- Event Viewer
- Perfmon
- ADUC / Computer Management MMC
- Msconfig
- IE Add-In Manager
- Command-line tools, e.g., netstat
- Windows Explorer

Analysis and detection tools: free
- Spybot, http://safer-networking.org
- Ad-Aware, http://www.lavasoftusa.com
- RADS, http://software.rutgers.edu
- Silent Runners, http://www.silentrunners.org
- HijackThis, http://www.merijn.org
- CWShredder, http://www.merijn.org

Analysis and detection tools: third-party
- Trojan Hunter, http://www.trojanhunter.com
- http://www.misec.net/

Logging and Auditing
- Establish an auditing and logging policy
- This will include what to audit, and how to store and read the logs
- Know what you are looking for: events like 513, 529, 530, 531 and 539
- Read the logs using filtering, EventCombMT or MOM

IDS and HIDS
- Analyze incoming traffic at the application layer, looking for malicious payloads
- Reconnaissance attacks, exploit attacks, DoS attacks
- They use a combination of anomaly detection and signature recognition
- HIDS often utilize information in the Event Logs
- Honeypots

IDS and HIDS
- TrendMicro firewall
- Wireshark: http://www.wireshark.org/
- IDS: Cisco Secure IDS, http://www.cisco.com
- IDS: Snort, http://www.snort.org
- HIDS: BlackICE Defender, http://www.iss.net/products_services/products.php (IBM)
- Honeypots: http://www.honeypots.net

Incident Response
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned

Incident Response
- Do you have a plan? Phone numbers (vendors, colleagues, managers, IPS, RUPD); installation CDs; IP addresses; firewall and router configs; passwords; phone tree to notify users
- Will you clean the infected machine(s), rebuild, or call the police?
- What do you need to do to comply with the law?
- Who is the decision-maker?
- Will you keep the logs for analysis?
- Will you be prepared to take notes to document every stage of the response?
- www.sans.org/score/incidentforms
- www.net-security.org/article.php?id=775

Forensics
- What are you trying to achieve?
- Best left to an outside agency / LEO
- Kits are available

Final thoughts
- The focus needs to be on where the attacks are coming from
- http://www.dshield.org

Questions
- What questions do you have that I did not answer?
- What does the future hold?

Questions?
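Added example for the Logging and Auditing slide, not part of the original slides: a Python triage pass over a Security-log export that knows the legacy event IDs the slide names (513 shutdown; 529, 530, 531 logon failures; 539 lockout), flags an account once its failures cluster inside a time window, and reports lockouts and shutdowns. The CSV layout and its rows are constructed for the example; rows are assumed to be in time order, as an export normally is.

```python
# Added example (not from the slides): triage a Security-log export for the event
# IDs named on the Logging and Auditing slide (513, 529, 530, 531, 539).
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy (Windows 2000/XP/2003) Security event IDs from the slide and their meaning.
EVENT_NAMES = {
    513: "Windows is shutting down",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: account logon time restriction violation",
    531: "Logon failure: account currently disabled",
    539: "Logon failure: account locked out",
}
FAILURE_IDS = {529, 530, 531}

# Constructed CSV export (columns and rows invented for this example).
SAMPLE_CSV = """\
time,event_id,account,workstation
2015-04-13 08:02:10,529,jdoe,WS-17
2015-04-13 08:02:11,529,jdoe,WS-17
2015-04-13 08:02:12,529,jdoe,WS-17
2015-04-13 08:02:12,531,svc_backup,WS-17
2015-04-13 08:02:13,529,jdoe,WS-17
2015-04-13 08:02:14,539,jdoe,WS-17
2015-04-13 09:15:00,529,asmith,WS-03
2015-04-13 23:40:00,513,-,SQL01
"""

def parse_events(text):
    """Return rows as (datetime, event_id, account, workstation), in file order."""
    return [(datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"), int(r["event_id"]),
             r["account"], r["workstation"]) for r in csv.DictReader(io.StringIO(text))]

def triage(rows, threshold=3, window=timedelta(minutes=5)):
    """Flag an account once its failed logons reach `threshold` inside `window`,
    every lockout (539) and every shutdown (513); returns sorted finding strings."""
    recent = defaultdict(list)   # account -> failure timestamps still inside the window
    findings = set()
    for when, eid, account, host in rows:
        if eid in FAILURE_IDS:
            recent[account] = [t for t in recent[account] if when - t <= window] + [when]
            if len(recent[account]) == threshold:   # report once, when the burst is reached
                findings.add(f"{account}: {threshold} failed logons within "
                             f"{window.seconds // 60} min from {host}")
        elif eid == 539:
            findings.add(f"{account}: locked out from {host}")
        elif eid == 513:
            findings.add(f"{host}: {EVENT_NAMES[eid]} at {when:%H:%M}")
    return sorted(findings)
```

Filtering in Event Viewer, EventCombMT or MOM, as the slide suggests, applies the same kind of selection across many hosts at once; on Windows Vista and later these legacy IDs are superseded by four-digit ones (failed logons are 4625 and lockouts 4740).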
Contact Details: Bruce Rights, brights@rutgers.edu, 732-445-8702

Thank you for coming
This course is an elective component of the IT Certificate Program, a collaborative effort of the Office of Information Technology, University Human Resources, and the Internal Audit Department.
http://uhr.rutgers.edu/profdev/itcert-program-info.asp

Information Protection & Security (A Division of the Office of Information Technology [OIT])
ASB Annex 1, Room 102, Busch campus, 56 Bevier Road, Piscataway, NJ 08854
phone: (732) 445-8011
fax: (732) 445-8023
rusecure@rutgers.edu