Intrusion Detection and Analysis for Windows-Based Computers
Rutgers University Office of Information Technology
Presented By: Bruce Rights, Systems Administrator, Information Protection and Security, Enterprise Systems and Services

Post on 02-Feb-2016

16 views

Category:

Documents


0 download

DESCRIPTION

Intrusion Detection and Analysis for Windows-Based Computers Rutgers University Office of Information Technology. Bruce Rights Systems Administrator Information Protection and Security, Enterprise Systems and Services. Presented By:. Housekeeping. Hours Bathrooms Fire exits - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Intrusion Detection and Analysis for Windows-Based Computers Rutgers University

Intrusion Detection and Analysis for Windows-Based Computers

Rutgers University Office of Information Technology

Presented By: Bruce Rights

Systems Administrator

Information Protection and Security, Enterprise Systems and Services

Page 2: Housekeeping

April 22, 2023 – IT Certificate Program – Intrusion Analysis for Windows-Based Computers

Hours
Bathrooms
Fire exits
Telephones
Recycling
Smoking
Contact information

Page 3: Intrusion Detection & Analysis for Windows-Based Computers

Welcome
Introduction

Page 4: Expectations and Objectives

What would you like to get out of this?
What are your past experiences?
What has happened in the last month?

Page 5: Overview

Intrusions - definitions and examples
Anatomy of an Intrusion
Analysis and detection tools: built-in; free; third-party
Logging and Auditing
IDS and HIDS
Incident Response
Forensics
Final Thoughts
Questions

Page 6: Overview (agenda slide, repeated)

Page 7: Intrusion: a definition

Intrude - to thrust oneself in; to enter uninvited or unwelcome; to force in.

Intrusion - the act of intruding.

Page 8: Intrusion: examples

Viruses
Worms
Trojans
Spyware
Browser Helper Objects (BHO)
P2P leverage
Data theft
Denial of service
Remote control

Page 9: Intrusion: examples (continued)

‘I was just looking around’
Keystroke logger
Rootkits
Cross-site scripting
Man in the middle
Sniffing
Buffer overflow
SQL injection
Password cracking

Page 10: Intrusion: examples: viruses

Sasser, Melissa, Sobig, Mydoom, etc.
Self-propagating
Purely malicious

(Sasser spreads on its own through the LSASS vulnerability and is usually classed as a worm; the slides list it here and again under denial of service.)

Page 11: Intrusion: examples: worms

Code Red
Nimda
Slammer
Blaster

Page 12: Intrusion: examples: trojans

“a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.”

Page 13: Intrusion: examples: spyware

“…applications [that] collect information, may or may not install in stealth, and are designed to transmit that information to 2nd, or 3rd parties covertly employing the user's connection without their consent and knowledge. The word defines the actual intent; this is software (ware) that is designed to collect information in secret (spy).”

Page 14: Intrusion: examples: browser helper objects

BHO - a DLL that Internet Explorer loads into its own process, letting developers customize and control the browser (a malicious BHO gets exactly the same access)

Most are good: Google Toolbar

Some are bad: CoolWebSearch, BonziBuddy

Page 15: Intrusion: examples: P2P leverage

Attacker is looking to set up a music or movie download site
They are looking to use your resources
They are looking to hide their tracks
BitTorrent: TCP 6881 (the default listening range is 6881-6889)

Page 16: Intrusion: examples: denial-of-service

lsass.exe exploit (Sasser): the exploit crashes LSASS, and Windows then forces a reboot
Traffic flooding (SYN flood, ping of death)
E-mail flooding
Log filling

Page 17: Intrusion: examples: remote control

Remote Desktop
VNC
GoToMyPC
pcAnywhere
Back Orifice
Beast

Page 18: Intrusion: examples: remote control

DameWare - a remote control utility
It has been hijacked by the bad guys
Processes to look for include:
DNTUCli.exe, DNTUCnvt.exe, DNTUS26.exe, DWADEA.exe, DWExp.exe, DWMacDis.exe, DWRCC.exe, DWRCCMD.exe, DWRCCnvt.exe, DWRCINS.exe, DWRCS.exe, DWRCST.exe, DWRTDE.exe
TCP port 6129 (the DameWare Mini Remote Control default)
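The slide gives two indicators, a list of image names and a port. The following is an added example (not part of the presentation) that sweeps `tasklist` and `netstat -ano` output for both and correlates them through the PID column, so a listener on 6129 is tied back to the process that owns it. The two command outputs embedded below are constructed samples in the real tools' layout, not captures from a live host; the sample PIDs and addresses are invented.

```python
"""Added example, not from the slides: sweep `tasklist` and `netstat -ano`
output for the DameWare indicators above (process names and TCP 6129).

Both command outputs below are constructed samples laid out like the real
tools print them, not captures from a live host.
"""

# Image names from the slide; tasklist prints them in whatever case the
# binary was launched with, so compare case-insensitively.
DAMEWARE_PROCS = {
    "DNTUCli.exe", "DNTUCnvt.exe", "DNTUS26.exe", "DWADEA.exe", "DWExp.exe",
    "DWMacDis.exe", "DWRCC.exe", "DWRCCMD.exe", "DWRCCnvt.exe", "DWRCINS.exe",
    "DWRCS.exe", "DWRCST.exe", "DWRTDE.exe",
}
DAMEWARE_PROCS_LOWER = {p.lower() for p in DAMEWARE_PROCS}
DAMEWARE_PORT = 6129

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
lsass.exe                      716 Console                    0      4,012 K
svchost.exe                   1044 Console                    0      4,880 K
explorer.exe                  1588 Console                    0     18,204 K
dwrcs.exe                     1912 Console                    0      5,116 K
"""

NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       1912
  TCP    192.168.2.30:6129      203.0.113.7:51022      ESTABLISHED     1912
  UDP    0.0.0.0:500            *:*                                    716
"""


def parse_tasklist(text):
    """Return {pid: image name}. The image name may contain spaces
    ("System Idle Process"), so the PID is the first all-digit token after it."""
    procs = {}
    for line in text.splitlines():
        tokens = line.split()
        pid_idx = next((i for i, t in enumerate(tokens) if i > 0 and t.isdigit()), None)
        if pid_idx is None:          # header, separator or blank line
            continue
        procs[int(tokens[pid_idx])] = " ".join(tokens[:pid_idx])
    return procs


def parse_netstat(text):
    """Return [(local, foreign, state, pid)] for TCP rows; UDP rows have no
    state column and are skipped here."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 5 and tokens[0] == "TCP":
            local, foreign, state, pid = tokens[1], tokens[2], tokens[3], int(tokens[4])
            rows.append((local, foreign, state, pid))
    return rows


def find_dameware(tasklist_text, netstat_text):
    """Correlate the two listings: flag indicator process names, and flag any
    socket on TCP 6129 together with the process that owns it."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for pid, name in procs.items():
        if name.lower() in DAMEWARE_PROCS_LOWER:
            hits.append(f"process {name} (PID {pid}) is on the DameWare indicator list")
    for local, foreign, state, pid in parse_netstat(netstat_text):
        if int(local.rsplit(":", 1)[1]) == DAMEWARE_PORT:
            owner = procs.get(pid, "unknown process")
            hits.append(f"TCP {local} {state} {foreign}, owned by {owner} (PID {pid})")
    return hits


if __name__ == "__main__":
    for hit in find_dameware(TASKLIST_SAMPLE, NETSTAT_SAMPLE):
        print(hit)
```

A hit means "find out who installed this", not "compromised": DameWare is a legitimate administration product, and a renamed binary or a non-default port will evade a name-and-port check like this one, which is why the two views are correlated rather than trusted separately.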

Page 19: Intrusion: examples: just looking around

Attacker could be practicing techniques, takes nothing, but leaves a ‘calling card’
Or they could be waiting to see if they get caught
Or they were looking for something specific you did not have

Page 20: Intrusion: examples: keystroke logger

Can be a hardware or software device
How many of you check your keyboard connector every morning? http://www.keyghost.com
Ctrl-Alt-Del (the secure attention sequence) provides some protection against software loggers that fake the logon dialog; it does nothing against a hardware logger sitting inline with the keyboard

Page 21: Intrusion: examples: rootkits

Malware which hides itself from typical detection methods
Can be persistent (survives a reboot) or memory-based
User-mode rootkits hook API calls inside user processes, so tools such as Windows Explorer and Task Manager are handed a filtered view
Kernel-mode rootkits alter the kernel itself (system call tables, kernel object lists), so every process on the box, Task Manager included, is lied to
Detection compares views: a high-level API listing against a raw read of the disk or registry; a discrepancy is the hidden object (this is what RootkitRevealer does)
BlackLight: http://www.f-secure.com/blacklight
Rootkit Revealer: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://invisiblethings.org/
http://www.rootkit.com/

Page 22: Overview (agenda slide, repeated)

Page 23: Anatomy of an intrusion: typical process

Reconnaissance
Scanning
Exploit systems
Keeping access
Covering tracks

Page 24: Anatomy of an intrusion: SQL injection

From an article by Jesper Johansson, Microsoft, which appeared in TechNet Magazine, Winter 2005

Page 25: Anatomy of an intrusion: SQL injection

[Network diagram; only the labels survive extraction: Internet, Bad Guy, Firewall, Web Server, Router, Router, SQL Server, Data Center DC, Firewall, Internal Domain. Addresses shown on the diagram: 192.168.2.30, 172.17.0.1, 172.17.0.2, 10.1.2.x. The labels trace the path from the Internet through the firewall to the Web Server and the SQL Server behind it, and onward to the data-center DC and internal domain.]
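The hop from the Web Server to the SQL Server in the diagram is where a SQL injection lands. The following is an added example (not from the slides or from Johansson's article) showing the injectable query, the error-based probe an attacker uses to find it, and the parameterized fix side by side. It uses Python's bundled sqlite3 in place of SQL Server so it runs offline; the users table, its rows and the form inputs are constructed for the example.

```python
"""Added example, not from the slides or from Johansson's article: the hop
from the web server to the SQL Server in the diagram is where a SQL injection
lands. This shows the injectable query, the error-based probe an attacker
uses to find it, and the parameterized fix.

Uses Python's bundled sqlite3 standing in for SQL Server; the users table,
its rows and the form inputs are constructed for the example.
"""
import sqlite3


def make_db():
    """Constructed sample data: two accounts behind a login form."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "Wint3r!"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, user, pw):
    """Query built by string concatenation: whatever the user types becomes SQL."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con, user, pw):
    """Same query with bound parameters: the input is only ever data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (user, pw)).fetchone() is not None


def probe_leaks_error(login, con):
    """Reconnaissance step: a single quote that makes the database throw a
    syntax error tells the attacker the field reaches the query unescaped."""
    try:
        login(con, "'", "x")
        return False
    except sqlite3.Error:
        return True


# Turns  WHERE name = 'nobody' AND password = '' OR '1'='1'  into "true"
# for every row, because AND binds tighter than OR.
TAUTOLOGY = "' OR '1'='1"


def demo():
    con = make_db()
    return {
        "probe_vulnerable": probe_leaks_error(login_vulnerable, con),      # True
        "probe_safe": probe_leaks_error(login_safe, con),                  # False
        "honest_login": login_safe(con, "alice", "Wint3r!"),               # True
        "inject_vulnerable": login_vulnerable(con, "nobody", TAUTOLOGY),   # True
        "inject_safe": login_safe(con, "nobody", TAUTOLOGY),               # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The probe is the detection opportunity on the defender's side: a web server that hands database syntax errors back to the browser, or an IIS log full of requests containing quotes and `OR`, is the first sign of the reconnaissance and scanning steps from the previous slide. Parameterization closes the hole regardless of what the input contains, which is why it beats trying to filter "bad" characters.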

Page 26: Overview (agenda slide, repeated)

Page 27: Analysis and detection tools: built-in

Task Manager
Add / Remove Programs
Event Viewer
Perfmon
ADUC (Active Directory Users and Computers) / Computer Management MMC
Msconfig
IE Add-In Manager
Command line tools, e.g., netstat
Windows Explorer

Page 28: Analysis and detection tools: free

Spybot, http://safer-networking.org
Ad-Aware, http://www.lavasoftusa.com
RADS, http://software.rutgers.edu
Silent Runners, http://www.silentrunners.org
HijackThis, http://www.merijn.org
CWShredder, http://www.merijn.org

Page 29: Analysis and detection tools: third-party

Trojan Hunter, http://www.trojanhunter.com
http://www.misec.net/

Page 30: Overview (agenda slide, repeated)

Page 31: Logging and Auditing

Establish an auditing and logging policy
This will include what to audit, and how to store and read the logs
Know what you are looking for – events like 513, 529, 530, 531 and 539. In the Windows 2000/XP/2003 security log these are: 513 Windows is shutting down; 529 logon failure, unknown user name or bad password; 530 logon failure, logon time restriction violation; 531 logon failure, account disabled; 539 logon failure, account locked out. (Vista and later renumber them; a failed logon becomes 4625.)
Read the logs using filtering, EventCombMT or MOM (Microsoft Operations Manager)
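Knowing the IDs is only half of it; the pattern across events is what says "intrusion". The following is an added example (not part of the presentation) that runs detection logic over exported security-log lines for the IDs the slide names, plus 517 (audit log cleared) and 528 (successful logon), which the slide does not list but which give the failures their context. The four-field log format and every line in SAMPLE_LOG are constructed for this example; a real export from Event Viewer or EventCombMT would be mapped onto the same fields first. The five-failures-in-sixty-seconds threshold is an assumption to tune, not a Windows default.

```python
"""Added example, not from the slides: detection logic run over exported
Windows security-log lines for the event IDs the slide names (513, 529, 530,
531, 539), plus 517 (audit log cleared) and 528 (successful logon), which the
slide does not list but which give the failures context.

The log format (timestamp,event_id,user,workstation) and every line in
SAMPLE_LOG are constructed for this example; a real export from Event Viewer
or EventCombMT would be mapped onto the same four fields first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000/XP/2003 security event IDs (Vista and later renumber them).
EVENT_NAMES = {
    513: "Windows is shutting down",
    517: "The audit log was cleared",
    528: "Successful logon",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: account logon time restriction violation",
    531: "Logon failure: account currently disabled",
    539: "Logon failure: account locked out",
}

FAIL_THRESHOLD = 5                    # this many 529s ...
FAIL_WINDOW = timedelta(seconds=60)   # ... inside this window = password guessing (assumed tuning)

SAMPLE_LOG = """\
# constructed: timestamp,event_id,user,workstation
2006-03-14 02:11:05,529,Administrator,WKS-ATTACK
2006-03-14 02:11:06,529,Administrator,WKS-ATTACK
2006-03-14 02:11:07,529,Administrator,WKS-ATTACK
2006-03-14 02:11:08,529,Administrator,WKS-ATTACK
2006-03-14 02:11:09,529,Administrator,WKS-ATTACK
2006-03-14 02:11:10,528,Administrator,WKS-ATTACK
2006-03-14 02:12:40,513,SYSTEM,WKS-ATTACK
2006-03-14 08:59:40,529,jsmith,LAB-12
2006-03-14 09:00:02,528,jsmith,LAB-12
2006-03-14 09:30:00,531,former.emp,LAB-07
2006-03-14 22:15:30,539,bjones,LAB-03
2006-03-15 03:40:11,517,Administrator,SRV-WEB
""".splitlines()


def parse(lines):
    """Return (timestamp, event_id, user, host) tuples, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, user, host = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, host))
    return sorted(events)


def analyze(lines):
    """Return a list of alert strings. Failures are tracked per (user, host)
    so one noisy workstation cannot hide behind a busy account, and a success
    right after a burst of failures is called out separately."""
    alerts = []
    failures = defaultdict(list)    # (user, host) -> timestamps of recent 529s
    for ts, eid, user, host in parse(lines):
        key = (user, host)
        recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW]
        if eid == 529:
            recent.append(ts)
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:     # fire once per burst, not on every extra failure
                alerts.append(f"password guessing: {len(recent)} x 529 for {user} from {host} within {FAIL_WINDOW.seconds}s")
        elif eid == 528:
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(f"logon succeeded after {len(recent)} failures: {user} from {host} (guessed password?)")
            failures[key] = []
        elif eid in (530, 531, 539):
            alerts.append(f"{EVENT_NAMES[eid]}: {user} from {host}")
        elif eid == 517:
            alerts.append(f"{EVENT_NAMES[eid]} by {user} on {host} (covering tracks?)")
        elif eid == 513:
            alerts.append(f"{EVENT_NAMES[eid]} on {host} at {ts:%H:%M} (check against the change schedule)")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the single mistyped password from jsmith produces nothing, while the Administrator burst produces two alerts (the guessing and the success that followed it), the disabled-account and lockout events one each, and the cleared audit log a last one. That last one matters most: if the policy does not also forward logs off the box, 517 is the only trace of the "covering tracks" step that survives.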

Page 32: Overview (agenda slide, repeated)

Page 33: IDS and HIDS

A network IDS analyzes incoming traffic up to the application layer, looking for malicious payloads
Covers reconnaissance attacks, exploit attacks and DoS attacks
They use a combination of anomaly detection and signature recognition
A HIDS runs on the host itself and often utilizes information in the Event Logs
Honeypots

Page 34: IDS and HIDS: tools

Trend Micro firewall
Wireshark – http://www.wireshark.org/
IDS - Cisco Secure IDS, http://www.cisco.com
IDS – Snort, http://www.snort.org
HIDS - BlackICE Defender, http://www.iss.net/products_services/products.php (ISS, now IBM)
Honeypots – http://www.honeypots.net

Page 35: Overview (agenda slide, repeated)

Page 36: Incident Response

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Page 37: Incident Response

Do you have a plan? Phone numbers (vendors, colleagues, managers, IPS, RUPD); installation CDs; IP addresses; firewall and router configs; passwords; phone-tree to notify users (IPS is Information Protection and Security; RUPD is the Rutgers University Police Department)
Will you clean the infected machine(s), rebuild, or call the police?
What do you need to do to comply with the law?
Who is the decision-maker?
Will you keep the logs for analysis?
Will you be prepared to take notes to document every stage of the response?
www.sans.org/score/incidentforms
www.net-security.org/article.php?id=775

Page 38: Overview (agenda slide, repeated)

Page 39: Forensics

What are you trying to achieve?
Best left to an outside agency / law enforcement (LEO)
Kits are available

Page 40: Overview (agenda slide, repeated)

Page 41: Final thoughts

The focus needs to be on where the attacks are coming from
http://www.dshield.org

Page 42: Questions

What questions do you have that I did not answer?
What does the future hold?

Page 43: Questions? Contact details:

Bruce Rights [email protected] 732-445-8702

Page 44: Thank you for coming

This course is an elective component of the IT Certificate Program, a collaborative effort of the Office of Information Technology, University Human Resources, and the Internal Audit Department

http://uhr.rutgers.edu/profdev/it-cert-program-info.asp

Page 45: Information Protection & Security (a division of the Office of Information Technology [OIT])

ASB Annex 1, Room 102, Busch campus, 56 Bevier Road, Piscataway, NJ 08854
phone: (732) 445-8011
fax: (732) 445-8023
[email protected]