Intrusion Detection and Analysis for Windows-Based Computers
Rutgers University, Office of Information Technology
Presented by: Bruce Rights
Systems Administrator
Information Protection and Security, Enterprise Systems and Services
April 22, 2023. IT Certificate Program – Intrusion Analysis for Windows-Based Computers
Housekeeping
Hours, bathrooms, fire exits, telephones, recycling, smoking, contact information
Intrusion Detection & Analysis for Windows-Based Computers
Welcome and Introduction
Expectations and Objectives
What would you like to get out of this?
What are your past experiences?
What has happened in the last month?
Overview
Intrusions: definitions and examples
Anatomy of an intrusion
Analysis and detection tools: built-in, free, third-party
Logging and auditing
IDS and HIDS
Incident response
Forensics
Final thoughts
Questions
Intrusion: a definition
Intrude - to thrust oneself in; to enter uninvited or unwelcome, to force in.
intrusion - act of intruding
Intrusion: examples
Viruses, worms, trojans, spyware, Browser Helper Objects (BHOs), P2P leverage, data theft, denial of service, remote control
Intrusion: examples
‘I was just looking around’, keystroke loggers, rootkits, cross-site scripting, man in the middle, sniffing, buffer overflows, SQL injection, password cracking
Intrusion: examples: viruses
Sasser, Melissa, Sobig, Mydoom, etc.
Self-propagating; purely malicious (no useful function for the victim).
Strictly speaking Sasser, Sobig and Mydoom are worms, since they spread on their own rather than infecting a host file; "virus" is used here in the everyday sense.
Intrusion: examples: worms
Code Red, Nimda, Slammer, Blaster
Intrusion: examples: trojans
“a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.”
Intrusion: examples: spyware
“…applications [that] collect information, may or may not install in stealth, and are designed to transmit that information to 2nd, or 3rd parties covertly employing the user's connection without their consent and knowledge. The word defines the actual intent; this is software (ware) that is designed to collect information in secret (spy).”
Intrusion: examples: browser helper objects
A BHO is a DLL that Internet Explorer loads at startup, letting developers customize and control the browser; it runs inside the browser process with the user's privileges, so it sees everything the user does in IE.
Most are legitimate: Google Toolbar.
Some are malicious or unwanted: CoolWebSearch, BonziBuddy.
Intrusion: examples: P2P leverage
The attacker is looking to set up a music or movie download site.
They are looking to use your resources (disk space and bandwidth).
They are looking to hide their tracks: the traffic appears to come from your machine, not theirs.
Example: BitTorrent, TCP port 6881 (the first port of its default 6881-6889 range).
Intrusion: examples: denial-of-service
lsass.exe exploit (Sasser): the worm's LSASS overflow crashes lsass.exe, which forces the machine to reboot
Traffic flooding (SYN flood, ping-of-death)
E-mail flooding
Log filling (filling the event log so that it overwrites earlier entries or stops recording, depending on its retention setting)
Intrusion: examples: remote control
Legitimate tools that can be abused: Remote Desktop, VNC, GoToMyPC, pcAnywhere
Remote-access trojans: Back Orifice, Beast
Intrusion: examples: remote control
DameWare is a legitimate remote control utility that has also been taken up by the bad guys.
Processes to look for include: DNTUCli.exe, DNTUCnvt.exe, DNTUS26.exe, DWADEA.exe, DWExp.exe, DWMacDis.exe, DWRCC.exe, DWRCCMD.exe, DWRCCnvt.exe, DWRCINS.exe, DWRCS.exe, DWRCST.exe, DWRTDE.exe
Listens on TCP port 6129
Intrusion: examples: just looking around
Attacker could be practicing techniques, takes nothing, but leaves a ‘calling card’
Or they could be waiting to see if they get caught.
Or they were looking for something specific you did not have.
Intrusion: examples: keystroke logger
Can be a hardware device or software.
How many of you check your keyboard connector every morning? http://www.keyghost.com
Ctrl-Alt-Del provides some protection: the secure attention sequence is handled by the operating system, so a user-mode program cannot put up a fake logon dialog to harvest your password. It does nothing against a hardware logger in the keyboard cable.
Intrusion: examples: rootkits
Malware which hides itself (and usually other malware) from typical detection methods
Can be persistent (survives a reboot) or memory-based (gone after a reboot, so capture evidence before power-cycling a suspect machine)
User-mode rootkits hook API calls inside user programs, so tools such as Windows Explorer are fed a filtered view of files, registry keys and processes
Kernel-mode rootkits modify the kernel itself (system call tables, kernel object lists), so even Task Manager, which asks the kernel, cannot see the hidden processes
RootkitRevealer and BlackLight detect them by comparing what the Windows API reports with a lower-level view (raw disk and registry hive reads) and treating any discrepancy as suspicious:
BlackLight: http://www.f-secure.com/blacklight
Rootkit Revealer: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://invisiblethings.org/ http://www.rootkit.com/
Anatomy of an intrusion: typical process
Reconnaissance, scanning, exploiting systems, keeping access, covering tracks
Anatomy of an intrusion: sql injection
From an article by Jesper Johansson, Microsoft, which appeared in Technet magazine, Winter 2005
[Slide diagram of the attack path, labels in order: Internet, Bad Guy, Firewall, Web Server, Router, Router, SQL Server, Data Center DC, Firewall, Internal Domain. Addresses labelled on the diagram: 192.168.2.30, 172.17.0.1, 172.17.0.2, 10.1.2.x]
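As an added worked example (not part of the original slides or of Johansson's article), the hole that starts this attack path in miniature: a logon query built by string concatenation next to the same query with bound parameters, run against an in-memory SQLite database of constructed sample accounts. The table and column names, the sample rows and the payloads are assumptions for illustration. On SQL Server the same hole is commonly extended with stacked statements, including calls to xp_cmdshell, which is how an injection in the web tier becomes a foothold on the database server and the rest of the path above.

```python
"""Added example: SQL injection via string-built queries vs. bound parameters.
Constructed sample data; not code from the slides or from Johansson's article."""
import sqlite3


def make_db():
    """Constructed sample users table, as a web application might keep it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"),
         ("bob", "hunter2", "user"),
         ("admin", "Tr0ub4dor&3", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is pasted into the SQL text, so quotes and comment
    markers typed by the user become part of the statement."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: the statement is fixed text; values travel as bound parameters
    and can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def try_stacked(conn, payload):
    """Stacked statements ('; DROP TABLE ...) are how an injection on SQL Server
    is turned into command execution. Python's sqlite3 binding refuses more than
    one statement per call, so here the attempt is rejected instead of run."""
    try:
        login_vulnerable(conn, payload, "x")
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return "refused: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    # The comment marker removes the password check entirely:
    print(login_vulnerable(db, "admin' --", "wrong"))   # [('admin', 'admin')]
    print(login_safe(db, "admin' --", "wrong"))         # []
    # A tautology returns every account:
    print(login_vulnerable(db, "x' OR '1'='1", "x' OR '1'='1"))
    print(try_stacked(db, "x'; DROP TABLE users; --"))
```

The point to carry away from the diagram is that none of the firewalls in the path see anything wrong: the injected text is a perfectly ordinary HTTP request to port 80, and the resulting query is a perfectly ordinary connection from the web server to the SQL Server. Only the application can tell data from code, which is why the parameterized form is the control.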
Analysis and detection tools: built-in
Task Manager, Add/Remove Programs, Event Viewer, Perfmon, ADUC / Computer Management MMC, Msconfig, IE Add-on Manager, command-line tools (e.g., netstat -ano, tasklist), Windows Explorer
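As an added worked example (not from the original slides), here is the manual triage the built-in tools support, automated: correlate the output of netstat -ano (which lists the owning PID of every socket) with the output of tasklist, and flag listeners on the remote-control ports named in this talk, the DameWare process names listed earlier, and any listening socket whose PID tasklist cannot account for. Both command outputs below are constructed samples in the real Windows column layout; the PIDs and process names are made up. Port 31337 is Back Orifice's well-known default, which the slides name only by product.

```python
"""Added example: triage `netstat -ano` against `tasklist` and flag remote-control
listeners. Both command outputs below are constructed samples in the real
Windows column layout; PIDs and process names are made up."""
import re

# Ports named on the slides, plus 31337 (Back Orifice's well-known default).
SUSPECT_PORTS = {
    6129: "DameWare Mini Remote Control",
    6881: "BitTorrent",
    31337: "Back Orifice",
}
# Process names from the DameWare slide, lower-cased for comparison.
DAMEWARE_IMAGES = {
    "dntucli.exe", "dntucnvt.exe", "dntus26.exe", "dwadea.exe", "dwexp.exe",
    "dwmacdis.exe", "dwrcc.exe", "dwrccmd.exe", "dwrccnvt.exe", "dwrcins.exe",
    "dwrcs.exe", "dwrcst.exe", "dwrtde.exe",
}

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       1532
  TCP    192.168.2.30:6881      0.0.0.0:0              LISTENING       2244
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3380
  TCP    192.168.2.30:3389      10.1.2.15:51022        ESTABLISHED     1176
  UDP    0.0.0.0:445            *:*                                    4
"""

# PID 3380 is deliberately absent: the socket exists but no process is shown.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0        236 K
svchost.exe                    884 Console                    0      5,012 K
svchost.exe                   1176 Console                    0      4,108 K
DWRCS.exe                     1532 Console                    0      4,212 K
update.exe                    2244 Console                    0      9,880 K
"""


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (header and rule skipped)."""
    images = {}
    for line in text.splitlines()[2:]:
        m = re.match(r"(\S.*?)\s+(\d+)\s+\S+", line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state, pid) rows from `netstat -ano`.
    UDP rows have no State column; rsplit keeps IPv6 forms like [::]:135 intact."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, port = parts[1].rsplit(":", 1)
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append((parts[0], ip, int(port), state, pid))
    return rows


def find_suspects(netstat_text, tasklist_text):
    """Return (port, pid, image, reasons) for every socket that matches a rule."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for proto, ip, port, state, pid in parse_netstat(netstat_text):
        image = images.get(pid)
        reasons = []
        if state == "LISTENING" and port in SUSPECT_PORTS:
            reasons.append("listening on %s port %d" % (SUSPECT_PORTS[port], port))
        if image and image.lower() in DAMEWARE_IMAGES:
            reasons.append("DameWare process %s" % image)
        if image is None and proto == "TCP" and state == "LISTENING":
            # A socket owned by a PID that tasklist does not show is the
            # cross-view discrepancy a rootkit leaves behind.
            reasons.append("PID %d has no tasklist entry (possible hidden process)" % pid)
        if reasons:
            findings.append((port, pid, image or "<unknown>", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for port, pid, image, why in find_suspects(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("port %-6d pid %-5d %-12s %s" % (port, pid, image, why))
```

On a live machine, feed the functions the real output (netstat -ano and tasklist, redirected to files) rather than the samples. Treat a port/process match as a lead, not a verdict: a BitTorrent client on 6881 may be the user's own, while a listener with no visible owner deserves the rootkit tools from the earlier slide.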
Analysis and detection tools: free
Spybot, http://safer-networking.org
Ad-Aware, http://www.lavasoftusa.com
RADS, http://software.rutgers.edu
Silent Runners, http://www.silentrunners.org
HijackThis, http://www.merijn.org
CWShredder, http://www.merijn.org
Analysis and detection tools: third-party
TrojanHunter, http://www.trojanhunter.com (Mischel Internet Security, http://www.misec.net/)
Logging and Auditing
Establish an auditing and logging policy. It should state what to audit, how long to keep the logs, how to store them (ideally copied off the host, so that an intruder who controls the machine cannot quietly clear them) and how they will be read.
Know what you are looking for. On Windows 2000/XP/2003 the Security log events worth watching include 513 (Windows is shutting down), 529 (logon failure: unknown user name or bad password), 530 (logon failure: account logon time restriction violation), 531 (logon failure: account currently disabled) and 539 (logon failure: account locked out). A run of 529s against one account followed by a 539, or by a successful logon (528 or 540), is the classic password-guessing pattern.
Read the logs using Event Viewer filtering, EventCombMT (which collects and searches the event logs of many machines at once) or MOM (Microsoft Operations Manager).
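As an added worked example (not from the original slides), the detection logic a logging policy like this leads to, run over a constructed CSV export of a Security log: count logon failures per account and source workstation inside a sliding window, raise on a burst, raise on a lockout (539), raise higher when a burst is followed by a successful logon (528/540, the sign that a guess worked), and note attempts against disabled accounts (531) and shutdowns (513). The event IDs and their meanings are the Windows 2000/XP/2003 Security log numbers the slide refers to; the log lines, account names, workstation names and the five-failures-in-five-minutes threshold are assumptions for illustration.

```python
"""Added example: password-guessing detection over an exported Security log.
The log lines are constructed samples in a simple CSV export layout; the event
IDs are the Windows 2000/XP/2003 Security log numbers the slide refers to."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_NAMES = {
    513: "Windows is shutting down",
    528: "Successful logon",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: account logon time restriction violation",
    531: "Logon failure: account currently disabled",
    539: "Logon failure: account locked out",
    540: "Successful network logon",
}
FAILURE_IDS = {529, 530, 531, 539}
SUCCESS_IDS = {528, 540}
THRESHOLD = 5                    # failures per account+workstation ... (assumed)
WINDOW = timedelta(minutes=5)    # ... inside this sliding window   (assumed)

# Constructed sample: one guessing run that ends in lockout (administrator),
# a harmless typo (alice), a run that ends in success (svc_backup), an attempt
# against a disabled account (jdoe) and a shutdown on the web server.
SAMPLE_LOG = """\
time,event_id,account,workstation
2005-10-12 09:15:02,529,administrator,WKSTN-77
2005-10-12 09:15:09,529,administrator,WKSTN-77
2005-10-12 09:15:15,529,administrator,WKSTN-77
2005-10-12 09:15:22,529,administrator,WKSTN-77
2005-10-12 09:15:30,529,administrator,WKSTN-77
2005-10-12 09:15:37,529,administrator,WKSTN-77
2005-10-12 09:15:44,539,administrator,WKSTN-77
2005-10-12 09:20:11,529,alice,WKSTN-12
2005-10-12 09:20:25,528,alice,WKSTN-12
2005-10-12 09:31:05,529,svc_backup,WKSTN-77
2005-10-12 09:31:10,529,svc_backup,WKSTN-77
2005-10-12 09:31:16,529,svc_backup,WKSTN-77
2005-10-12 09:31:21,529,svc_backup,WKSTN-77
2005-10-12 09:31:27,529,svc_backup,WKSTN-77
2005-10-12 09:31:33,540,svc_backup,WKSTN-77
2005-10-12 09:45:00,531,jdoe,WKSTN-77
2005-10-12 09:52:40,513,SYSTEM,WEBSRV01
"""


def parse_log(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = []
    for rec in csv.DictReader(text.splitlines()):
        rows.append({
            "time": datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(rec["event_id"]),
            "account": rec["account"].lower(),   # Windows account names are case-insensitive
            "workstation": rec["workstation"],
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def analyze(rows, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (severity, account, workstation, message) tuples."""
    recent = defaultdict(deque)   # (account, workstation) -> failure times inside the window
    alerts = []
    for r in rows:
        key = (r["account"], r["workstation"])
        eid, when = r["event_id"], r["time"]
        q = recent[key]
        while q and when - q[0] > window:      # drop failures older than the window
            q.popleft()
        if eid in FAILURE_IDS:
            q.append(when)
            if len(q) == threshold:            # fire once, when the burst first reaches it
                alerts.append(("high", key[0], key[1],
                               "%d logon failures within %d min" % (threshold, window.seconds // 60)))
            if eid == 539:
                alerts.append(("high", key[0], key[1], "account locked out (539)"))
            elif eid in (530, 531):
                alerts.append(("medium", key[0], key[1], "%s (%d)" % (EVENT_NAMES[eid], eid)))
        elif eid in SUCCESS_IDS:
            if len(q) >= threshold:            # a guessing burst followed by success
                alerts.append(("critical", key[0], key[1],
                               "%s (%d) after %d failures: possible guessed password"
                               % (EVENT_NAMES[eid], eid, len(q))))
            q.clear()                          # a success ends the failure run
        elif eid == 513:
            alerts.append(("info", key[0], key[1], "%s (513)" % EVENT_NAMES[513]))
    return alerts


if __name__ == "__main__":
    for sev, acct, ws, msg in analyze(parse_log(SAMPLE_LOG)):
        print("%-8s %-14s %-9s %s" % (sev.upper(), acct, ws, msg))
```

Note what the sample is built to show: alice's single mistyped password produces no alert, the administrator run is caught both by the burst rule and by the lockout, and the svc_backup run is the one that matters most, because the attacker got in. That last pattern is invisible if you only search for failures; the successful logon after the failures is the event to look for.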
IDS and HIDS
Analyze incoming traffic at the application layer, looking for malicious payloads: reconnaissance attacks, exploit attacks, DoS attacks.
They use a combination of anomaly detection and signature recognition.
HIDS often utilizes information in the Event Logs.
Honeypots
IDS and HIDS
Trend Micro firewall
Wireshark (packet capture and analysis), http://www.wireshark.org/
IDS: Cisco Secure IDS, http://www.cisco.com
IDS: Snort, http://www.snort.org
HIDS: BlackICE Defender, http://www.iss.net/products_services/products.php (ISS, now part of IBM)
Honeypots: http://www.honeypots.net
Incident Response
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Incident Response
Do you have a plan?
Phone numbers (vendors, colleagues, managers, IPS, RUPD); installation CDs; IP addresses; firewall and router configs; passwords; a phone tree to notify users
Will you clean the infected machine(s), rebuild, or call the police?
What do you need to do to comply with the law?
Who is the decision-maker?
Will you keep the logs for analysis?
Will you be prepared to take notes to document every stage of the response?
www.sans.org/score/incidentforms
www.net-security.org/article.php?id=775
Forensics
What are you trying to achieve?
Best left to an outside agency / law enforcement (LEO)
Kits are available
Final thoughts
The focus needs to be on where the attacks are coming from
http://www.dshield.org
Questions
What questions do you have that I did not answer?
What does the future hold?
Questions? Contact Details:
Bruce Rights [email protected] 732-445-8702
Thank you for coming
This course is an elective component of the IT Certificate Program, a collaborative effort of the Office of Information Technology, University Human Resources, and the Internal Audit Department
http://uhr.rutgers.edu/profdev/it-cert-program-info.asp
Information Protection & Security (a division of the Office of Information Technology [OIT])
ASB Annex 1, Room 102, Busch campus, 56 Bevier Road, Piscataway, NJ 08854
phone: (732) 445-8011, fax: (732) 445-8023, [email protected]