Network Forensics and Lessons Learnt from the July 07 London Attacks (slide transcript, 23 pages)

Uploaded to conferencias-fist on 26-May-2015

TRANSCRIPT

Page 1: Network Forensics

Network Forensics and Lessons Learnt from the July 07 London Attacks

Geoff Harris, Alderbridge Consulting Ltd, [email protected], www.alderbridge.com, 0044 1423 321900

Conferencia FIST, January/Madrid 2008

Sponsored by:

Page 2

About the Author

Background in Military Communications Design

CEO Alderbridge Consulting formed 1997

ISSA-UK President

UK Government CLAS Consultant

CISSP, ITPC, BSc, DipEE, C.Eng


Page 5

Early Firewall Adoption

Page 6

DMZs & De-Perimeterisation

Page 7

An early Intrusion Prevention System – Is IDS dead?

Page 8

Forensics – fingerprints & DNA

Edward Henry was appointed Assistant Commissioner of Police at New Scotland Yard and began to introduce his fingerprint system. The first British court conviction by fingerprint evidence came in 1902.

Page 9

11 March 2004 – Madrid Train Bombings

10 explosions on 4 commuter trains (cercanías)

killing 191 people and wounding 1,755

Page 10

7 July 2005 - London

3 tube explosions and 1 bus explosion

Entire London Underground system shut down

Page 11

Post 7 July 2005 – London Investigations

12 July 2005: Identified three suspects from CCTV footage, a missing person's report and documents found in the debris at each bomb site. Luton railway station is closed as police investigate a car parked there and believed to be associated with the suspects caught on CCTV cameras.

Page 12

The Dummy Run

“Police trawl through 80,000 CCTV tapes”

“Ten weeks after the attacks, CCTV footage was released of three of the bombers setting out on a "practice run".

Mohammad Sidique Khan, Germaine Lindsay and Shehzad Tanweer - but not Hasib Hussain - met at Luton station at around 0810 BST on June 28.

Page 13

The Dummy Run

Video cameras showed them buying tickets before they boarded a train to King's Cross, where they arrived at 0855 and made their way to the Underground network. Police said they were seen at Baker Street at midday before they returned to King's Cross at 1250, arriving back in Luton 50 minutes later.”

Page 14

Detecting The IT Network Attack

• Firewall logs
• System logs
• IDS – Host IDS & Network IDS
• Correlation of events – SEM tools

Management Overhead - MSS

Page 15

Hiding In The Noise

• The slow scan
• Random ports – random port hopping
• Trojan/covert channels over well-used ports
• The outgoing IRC, http, https threat
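The slow scan on this slide is built to stay under the per-minute thresholds a firewall or IDS alerts on, and it is the event correlation of the previous slide (SEM tools over firewall logs) that recovers it. As an added illustration, not from the deck or any product it names, the Python below runs a sliding-window distinct-port count over a constructed firewall deny log (hosts, ports and timestamps are made up) and shows that a one-minute window catches only the fast scanner while a one-day window also exposes the slow one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall DENY records (not from the slides), one per line:
# "<ISO timestamp> <src> <dst> <dport>". 10.0.0.7 probes 12 ports in 11 seconds,
# 10.0.0.9 probes the same 12 ports one every 30 minutes, 10.0.0.5 is one stray hit.
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
T0 = datetime(2008, 1, 10, 8, 0, 0)
SAMPLE_LOG = "\n".join(
    [f"{(T0 + timedelta(seconds=i)).isoformat()} 10.0.0.7 192.0.2.10 {p}"
     for i, p in enumerate(PORTS)]
    + [f"{(T0 + timedelta(minutes=30 * i)).isoformat()} 10.0.0.9 192.0.2.10 {p}"
       for i, p in enumerate(PORTS)]
    + [f"{(T0 + timedelta(minutes=5)).isoformat()} 10.0.0.5 192.0.2.10 80"]
)

def parse(log_text):
    """Return {src: [(timestamp, dport), ...]} sorted by time, from the constructed format."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, _dst, dport = line.split()
        by_src[src].append((datetime.fromisoformat(ts), int(dport)))
    for events in by_src.values():
        events.sort()
    return by_src

def scanners(by_src, window, min_ports):
    """Sources that touched at least min_ports distinct destination ports inside
    any sliding window of the given length. A short window sees only the fast scan."""
    found = set()
    for src, events in by_src.items():
        j = 0
        for i in range(len(events)):
            # advance j so that events[i:j] all fall within `window` of events[i]
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if len({port for _, port in events[i:j]}) >= min_ports:
                found.add(src)
                break
    return found

def compare_windows(log_text):
    """Per-minute threshold (typical real-time alert) versus a day-long correlation window."""
    by_src = parse(log_text)
    return {"per_minute": scanners(by_src, timedelta(minutes=1), 10),
            "per_day": scanners(by_src, timedelta(days=1), 10)}

if __name__ == "__main__":
    for name, hits in compare_windows(SAMPLE_LOG).items():
        print(f"{name}: {sorted(hits) or 'nothing flagged'}")
```

The long window is only possible when the logs are retained and searchable, which is the storage problem the later "Network CCTV" slides address.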

Page 16

[Diagram: Site A, WAN, Site B, marking the points of interception for passive network sniffing]

“Network CCTV” as a Forensic Tool

Commonly Used Existing Sniffing Products

Microsoft Net Mon

NAI Sniffer

Ethereal

Problem – the ability to capture the moment of attack at the right time and understand what led up to the attack

Page 17

“Network CCTV” as a Forensic Tool

For the IDS & Network CCTV - NIKSUN NetDetector

Other products such as NetIntercept

Page 18

“Network CCTV” as a Forensic Tool

[Network diagram: London HQ, Leeds and Manchester sites joined by WAN and Internet links through FW1 firewalls. Labelled components: Network IDS Sensor, Stealth Monitoring LAN (RESTRICTED), Security LAN (RESTRICTED), Trusted LAN (RESTRICTED), Trusted LAN (UNCLASSIFIED), Web Server, Mail Server, VPN Gateway, Central Security Server, RESTRICTED and UNCLASSIFIED servers, and the Proposed Network Recorder on the security LAN]

Page 19

Hiding In The Noise

Page 20

Network Packet Decode

Page 21

Summary

• CCTV in the UK has been highly successful
• Social issues – invasion of privacy
• “Network CCTV” is very powerful as a forensic tool
• Employee and citizen rights here too
• Threat to corporate and government networks due to terrorism and espionage continues to grow

Page 22

Creative Commons Attribution-ShareAlike 2.0

This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

You are free:

• to copy, distribute, display, and perform this work
• to make commercial use of this work

Under the following conditions:

Attribution. You must give the original author credit.

Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.

For any reuse or distribution, you must make clear to others the license terms of this work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

Page 23

With the sponsorship of: www.fistconference.org

Geoff Harris, Alderbridge Consulting Ltd, [email protected], 0044 1423 321900